October 25, 2014

Researchers at Black Hat conference demo USB’s fatal flaw

usb-flash-drive(LiveHacking.Com) – Security experts Karsten Nohl and Jakob Lell have demonstrated how any USB device can be reprogrammed and used to infect a computer without the user’s knowledge.

During a presentation at the Black Hat Security conference, and in a subsequent interview with the BBC, the duo have raised the question about the future security of USB devices.

As part of the demo, a normal looking smartphone was connected to a laptop, maybe something a friend or colleague might ask you to do so they can charge the device. But the smartphone was modified to present itself as a network card and not a USB media device. The result was that the malicious software on the phone was able to redirect traffic from legitimate web sites to shadow servers, which fake and the look and feel of the genuine sites, but are actually designed just to steal login credentials.

According to a blog entry posted by the pair, USB’s great versatility is also its Achilles heel. “Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing,” wrote the researchers.

The experts, who work for Security Research Labs in Germany, gave a presentation at the Black Hat conference called “BadUSB — On accessories that turn evil.” Every USB device has a micro-controller that isn’t visible to the user. It is responsible for talking with the host device (e.g. a PC) and interfacing with the actual hardware. The firmware for these microcontrollers is different on every USB device and what the micro-controller software does is different on every device. Webcams, keyboards, network interfaces, smartphones and flash drives all perform different tasks and the software is developed accordingly.

However, the team managed to reverse engineer and hack the firmware on different devices in under two months. As a result they can re-program the devices and get them to act as something they are not.

During their Black Hat presentation, a standard USB drive was inserted into a computer. Malicious code implanted on the stick tricked the PC into thinking a keyboard had been plugged in. The fake keyboard then began typing in commands – and forced the computer to download malware from the internet.

Defending against this type of attack includes tactics like code-signing of the micro-controller firmware updates or the disabling of firmware changes in hardware. However these must all be implemented by the USB device makers and isn’t something that end users can enforce.

You can download the slides from the presentation here: https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf

Target CEO resigns five months after data breach revelation

Target_logoAt the end of December last year, during one of the busiest shopping seasons, the US retailer Target revealed that payment details from up to 40 million credit cards had been stolen after being used on  card-swipe machines at 1,797 of its stores.  The attack started just before Black Friday and continued for about two and a half weeks.

Five months on from the announcement of the data breach, Target’s board of directors has decided to remove Gregg Steinhafel as chairman and chief executive, saying it wanted new leadership to help restore consumer confidence. The official text from the board of directors thanks Steinhafel for his “significant contributions and outstanding service throughout his notable 35-year career with the company” but blames the CEO directly for the data breach, “Most recently, Gregg led the response to Target’s 2013 data breach. He held himself personally accountable…” And now it looks like that accountability has lost him his job.

After the attack occurred details started to emerge that showed that Target could have prevented the attack. According to Bloomberg, Target had invested $1.6 million installing a malware detection tool from FireEye.

Target used a team of security specialists in Bangalore to monitor its network. On Saturday, Nov. 30, the hackers uploaded malware to Target’s network so that they could copy the stolen credit card details. FireEye spotted the malware along with some suspicious activity and the Bangalore team alerted their bosses in Minneapolis. But it appears that the security team in Minneapolis did nothing.

Since the breach, Target has faced at least 90 lawsuits and been forced to spend at least $61 million to settle them. According to Brian Krebs, Target does not have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO). Krebs also estimates that the cyber criminals probably made somewhere around $53 million from the sale of stolen credit card details.

It is thought that details of up to 3 million cards were successfully sold on the black market and used before the issuing banks managed to cancel the whole batch of 40 million cards.

300,000 home routers and modems hacked

network leds on routerNew research by Team Cymru’s Threat Intelligence Group has discovered that attackers have been changing the DNS settings on thousands of consumer level small office and home routers. By changing the DNS settings the attackers are able to redirect the victims DNS requests to any desired site and effectively conduct a Man-in-the-Middle attack.

The biggest risk is for those accessing financial sites. In this situation the compromised routers can redirect traffic to a fake websites and captures user’s login credentials. It would also be possible for the attackers to  inject their own adverts into web pages people visit or change  search results .

The team started its  investigation in January 2014 and to date it has  identified over 300,000 devices, mostly in Asia and Europe, that have been compromised. Once a device has been hacked the DNS settings are changed to 5.45.75.11 and 5.45.75.36. It seems that the majority of the affected routers are in Vietnam, however other affected countries include  India, Italy and Thailand.

“Many cyber crime participants have become used to purchasing bots, exploit servers, and other infrastructure as managed services from other criminals,” wrote the report authors. “We expect that these market forces will drive advances in the exploitation of embedded systems as they have done for the exploitation of PCs.”

Unfortunately more than one manufacturer’s router seem to be vulnerable to the attacks and the hackers are using multiple exploit techniques.  The research has not uncovered any new, or previously unknown vulnerabilities. Instead the report shows that the techniques and vulnerabilities observed have been in the public domain for well over a year.

The two DNS servers listed belong to a hosting company in south London. The BBC has contacted the company but has yet to receive a response. Team Cymru has contacted the relevant law enforcement agencies about the attack and informed the ISPs which have the bulk of the compromised customers.

 

Malware used on point-of-sale terminals to steal details of 40 million credit cards

Target_logoA few days before Christmas the US retail giant Target revealed that payment details from up to 40 million credit cards could have been stolen after being used on  card-swipe machines at 1,797 Target stores.  The breach started just before Black Friday and continued for about two and a half weeks.

Target CEO Gregg Steinhafel revealed in a CNBC interview yesterday that the cyber-thieves stole the credit card numbers, CVV numbers and encrypted PIN codes of 40 million customers by installing malware into the  point-of-sale devices used in the Target stores. This same malware also allowed the thieves to take personally identifiable information, including postal addresses and phone numbers, on a total of 70 million shoppers.

At the time of the breach, Brian Krebs revealed that sources at credit card payment processing firms had told him about the data-stealing malware but this is the first time that the existence of the malware has been confirmed by Target itself.

“We don’t know the full extent of what transpired, but what we do know was there was malware installed on our point-of-sale registers,” Steinhafel said. “We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk.”

The security breach was discovered on December 15th, but Target didn’t go public until December 19th. As a result the company is coming under increasing pressure to justify the four day delay in notifying its customers. According to Steinhafel  the sequence of events from the 15th were as follows:

  • Day 1 – Breach discovered and malware removed from POS registers.
  • Day 2 – Initiating the investigation work and the forensic work.
  • Day 3 – Setting up the call center and preparing store employees for customer queries.
  • Day 4 – Public disclosure.

Target was not the only US retailer to suffer a security breach in the run up to Christmas. Reuters reports that at least three other well-known but unidentified retailers experienced smaller breaches that have yet to be made publicly. According to people familiar with the situations these three retailers were attacked using similar techniques as the ones used on Target. There is speculation that the perpetrators of the Target attack may also be responsible for these other security breaches.

Zero-day vulnerability in Windows XP being exploited via a malicious PDF file

microsoft logoMicrosoft has issued a warning to all users of its aging Windows XP operating system about a zero-day vulnerability that allows attackers to gain elevated privileges. Once the attackers have system level privileges they can install programs; view, change, or delete data; or create new accounts with full administrative rights.

The vulnerability is in the Windows kernel and affects Windows Server 2003 as well as XP. Once exploited an attacker can run arbitrary code in kernel mode which automatically gives them full administrative rights.

According to CVE-2013-5065 NDProxy.sys in the kernel of Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application. The vulnerability is being exploited in the wild.

Microsoft has issued a workaround for the vulnerability however by implementing it services that rely on the Windows Telephony Application Programming Interfaces (TAPI) to not function, this includes Remote Access Service (RAS), dial-up networking, and virtual private networking (VPN). Full details of the workaround, which disables NDProxy.sys and reroute all calls to Null.sys, can be found in Microsoft’s security advisory.

According to Symantec there have been a “small number” of in-the-wild attacks happening since early November. Users in the U.S., India, Australia, Saudi Arabia and throughout Europe were targeted.

This is the second zero-day vulnerability to be recently exposed in Windows. At the beginning of November Microsoft released  a security advisory about a vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync, that is being exploited in the wild and targeting PC users mainly in the Middle East and South Asia.

Adobe Acrobat source code stolen along with 2.9 million customer records

adobe-logo(LiveHacking.Com) – Adobe has suffered what it is calling a series of “sophisticated attacks” on its network, resulting in the theft of customer information as well as source code for numerous Adobe products including Adobe Acrobat.

It is currently thought that the attackers stole Adobe customer IDs and encrypted passwords as well as personal and financial information relating to 2.9 million of its customers. The data stolen includes customer names, encrypted credit or debit card numbers and expiration dates.

As a result of the breach Adobe has reset all the  relevant customer passwords, and notified the customers whose credit or debit card information was taken. Adobe is also offering the customers, whose card information was taken, the option of a one-year complimentary credit monitoring membership. Adobe has also notified the banks that process its customer payments and have contacted the relevant federal law enforcement agencies.

In what is being seen as a related incident, Adobe is investigating the unauthorized access of source code for Adobe Acrobat, ColdFusion and ColdFusion Builder.  Brian Krebs, a former reporter for The Washington Post and renowned security expert spotted a 40 GB source code dump stored on a server used by some known cyber criminals. The dump contained huge repositories of uncompiled and compiled code that appeared to be for ColdFusion and Adobe Acrobat. Krebs told Adobe about the source dump, Adobe then revealed to Krebs that the company has been investigating a security breach into its networks since Sept. 17, 2013.

“We are in the early days of what we expect will be an extremely long and thorough response to this incident,” said Adobe’s Chief Security Officer Brad Arkin. “We’re still at the brainstorming phase to come up with ways to provide higher levels of assurance for the integrity of our products, and that’s going to be a key part of our response. We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”

Adobe isn’t aware of any zero-day exploits targeting any Adobe products. However, as always, it recommends that customers use only supported versions of its software and apply all available security updates.

In an unrelated announcement, Adobe confirmed it will it will be releasing critical security updates next Tuesday for Adobe Acrobat and Adobe Reader.

Belgium’s largest telecommunications company victim to a nation-state sponsored spying campaign

belgium_flag_mapThe Belgium government has revealed that a foreign state has been spying on its largest telecommunications company Belgacom. The company, which is a top tier carrier for voice traffic in Africa and the Middle East, was hacked by an intruder with significant financial and logistic means.

According to the Belgian daily newspaper De Standaard, the NSA is responsible for the attack and the agency has been monitoring international telephone traffic through Belgacom for two years. It is thought that the NSA was primarily interested in Belgacom’s subsidiary BICS, which provides international phone lines for Africa and the Middle East.

“This fact, combined with the technical complexity of the hacking and the scale on which it occurred, points towards international state-sponsored cyber espionage,” Federal prosecutors said in a statement.

The government of Belgium, which has a majority stake in Belgacom, condemned the intrusion but did not actually accuse the USA directly. The hack was performed using malware with advanced encryption techniques. Belgacom has now removed the unknown malware from its internal systems.

These latest accusations come in the midst of further revelations about the NSA’s actvities thanks to documents released by Edward Snowden. According to the Brazilian television network Globo, the NSA has been spying using the computer systems of companies including Google Inc. and the Brazilian state oil firm Petroleo Brasileiro. It is also alleged that the NSA hacked into France’s Foreign Ministry and has been snooping through international financial transactions made via the Belgian-based international banking cooperative SWIFT.

Tor users exposed due to vulnerability in Firefox 17

Tor project logoUsers of the popular Tor anonymity tool have been exposed to malware which can reveal the user’s IP address. According to an announcement made a Tor mailing list, the Tor Browser Bundle is susceptible to a Firefox JavaScript vulnerability and that this vulnerability has been exploited in the wild.

Although all Tor users are potentially vulnerable it appears that the malware, which is exploiting the bug, targets only Windows users. The vulnerability allows arbitrary code execution and the observed attack appears to collect the hostname and MAC address of the Tor user and send them to a remote web server. According to the Tor project, “it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.”

While outlining what users can do, besides upgrade to the latest version of the Tor Browser Bundle which contains a fixed version of Firefox, the email suggested that, “switching away from Windows is probably a good security move for many reasons.”

The malware used to discover the identities of the Tor users is possibly linked to the FBI as on Friday a vast number of “hidden services” disappeared from Tor and a man from Ireland was arrested on a warrant issued by the FBI in connection with child porn charges which allegedly used the Tor network.

According to the Electronic Frontier Foundation, which issued a statement about the attack, the Tor anonymity tool is often used by human rights activists, journalists, political dissidents and whistleblowers since it allows them to use the web anonymously and avoid different surveillance and censorship techniques.

Four-star General under investigation for leaking details of Stuxnet attack

circuitboard(LiveHacking.Com) – New reports are suggesting that the FBI is starting a new investigation into the public leak  about the Stuxnet worm. According to NBC a retired four-star general US Marine, who had a close relationship to President Barack Obama, is under investigation for leaking details of the cyber-attack.

Gen. James Cartwright, who was the former vice chairman of the Joint Chiefs of Staff,  has been told he is under investigation for allegedly disclosing details the USA’s cyber-attack on Iran’s nuclear facilities. The original FBI investigation looked into possible White House sources, however now the agency has turned its investigation towards possible military leaks including Cartwright.

When the worm first escaped the confines of Iran’s Natanz plant and starting infecting computers across the global, the origin and purpose of the malware was unclear. Over time more and more details of the worm’s activity were analysed and finally thanks to an internal leak in the US Government, it was confirmed (but not publicly) that the National Security Agency had developed Stuxnet in tandem with the Israelis.

According to the  New York Times report on 1 July, 2012, Stuxnet was created under a project known as “Operation Olympic Games” as part of an American and Israeli effort to undermine Iran’s nuclear program.

Stuxnet was designed to destroy the centrifuges used in Iran’s uranium enrichment program and targeted Siemens supervisory control and data acquisition systems (SCADA) which controlled the industrial processes at the Natanz enrichment facilities.

Chevron claimed it also had trouble with Stuxnet, once it had gone global, as it too uses SCADA based systems. However Chevron says none of its equipment was damaged.

There is likley to be other cases of Stuxnet infections in industrial plants across the U.S. and mainland Europe that have been unreported for reasons of security or to avoid embarrassment.

China suspected to be behind U.S. Army Corps of Engineers database hack

dam(LiveHacking.Com) – U.S. intelligence agencies are treating a recent cyber attack and subsequent intrusion into a database belonging to the U.S. Army Corps of Engineers as a cyber attack from China. According to the Free Beacon, U.S. intelligence agencies have traced the hack to the Chinese government or military cyber warriors.

The compromised database belonged to the U.S. Army Corps of Engineers and held data about dams. The National Inventory of Dams (NID) contains information on possible vulnerabilities of some 8,000 dams across the United States. In a worst case scenario the attack is a preemptive move by China in preparation for future cyber attacks against the nations electrical infrastructure.

“The U.S. Army Corps of Engineers is aware that access to the National Inventory of Dams (NID), to include sensitive fields of information not generally available to the public, was given to an unauthorized individual in January 2013 who was subsequently determined to not to have proper level of access for the information,” said Pete Pierce, a Corps of Engineers spokesman.

Upon discovering the unauthorized access the Corps of Engineers revoked the user’s access to the database.

The database collects information about dams which are either large (those that exceed 25 feet in height or exceed 50 acre-feet storage) and those that have a hazard classification because of the loss of human life that would result if the dam failed. The database was started in 1972 when laws came into effect that required cooperation between the Corps and the Federal Emergency Management Agency. These laws were updated in 2002 and 2006 to recognize that dams are part of critical U.S. infrastructure and require protection.

In January, a report published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security’s Office of Cybersecurity and Communications, revealed that the last three months of 2012 saw at least two instances of malware infecting computers inside power generation facilities.