November 1, 2014

Presentation on how to break Tor removed from Black Hat schedule

Tor project logo(LiveHacking.Com) – A highly anticipated briefing about a low-cost technique for de-anonymising Tor users has been removed from the Black Hat 2014 talk schedule for as-yet unknown reasons. The talk, which would have presented a method on how to identify Tor users, was cancelled at the request of attorneys for Carnegie Mellon University in Pittsburgh, where the speakers work as researchers.

The spokesperson for the conference, which is running in Las Vegas on August 6-7, said that a Carnegie Mellon attorney informed Black Hat that one of the speakers could not give the Tor talk because the material he would reveal has not been approved for public release by the university or by the Software Engineering Institute (SEI).

The Onion Router (TOR) Project network was originally developed with the US Naval Research Laboratory as part of an investigation into privacy and cryptography on the Internet. Tor re-directs Internet traffic through a set of encrypted relays to conceal a user’s location or usage from anyone monitoring their network traffic. Using Tor makes it more difficult for online activity to be traced including “visits to Web sites, online posts, instant messages, and other communication forms.”

According to Roger Dingledine, one of the original Tor developers, the project did not “ask Black Hat or CERT to cancel the talk. We did (and still
do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made.” He went on to say that the project encourages research on the Tor network along with responsible disclosure of all new and interesting attacks. “Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with,” he added.

Security researcher Alexander Volynkin was scheduled to give the talk titled ‘You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget’ at the Black Hat conference. It would have outlined ways that individuals can try to find the original source of Tor traffic without the need for large amounts of computing power.

Chip and PIN bank cards have serious vulnerabilities

chip-and-pin(LiveHacking.Com) – A new research paper [PDF], by a group of security experts from the University of Cambridge, has proven that current implementations of the EMV protocol (named after its original developers, Europay, MasterCard and Visa), which is more commonly known as “Chip and PIN”, has serious vulnerabilities. These weaknesses might leave customers at risk of fraud. The most devastating aspect of the new research is that it reveals vulnerabilities which make it possible to create clone chip cards which look like the real thing to the bank.

“Our new paper shows that it is possible to create clone chip cards which normal bank procedures will not be able to distinguish from the real card,” wrote Steven J. Murdoch.

If the terminal, which is processing a Chip and PIN transaction, has a bad random number generator or the communications back to the bank can be modified, then an attacker can use a cloned card rather than the original. Both of these weaknesses (bad random numbers and modified communications) have been seen in the wild.

As part of the research, the team identified a weak random number generator in an ATM which was made up of  a 17 bit fixed value where the lower 15 bits were simply a counter that is incremented every few milliseconds, cycling every three minutes. This was back in 2012. The team followed a responsible disclosure policy and informed bank industry organisations so that the ATM software could be patched. Only now are they able to reveal the results of their research.

According to the paper, “The first flaw is that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this nonce. This exposes them to a “pre-play” attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically. Card cloning is the very type of fraud that EMV was supposed to prevent.”

The good news is that because of the research the banks have started working on a certification program for random number generators in Chip and PIN terminals. However the bad news is that attacks that tamper with the random number generators or communications are harder to prevent and have yet to be addressed.

NSA denies it knew about Heartbleed, says it is in the national interest for it to disclose vulnerabilities

odniIt looks like the ramifications of the Heartbleed bug in OpenSSL will be felt for quite a while to come. While security analysts are asking if the NSA had prior knowledge of the bug, cyber criminals are at work stealing data from sites which haven’t patched their servers and changed their SSL certificates. The Canadian Revenue Agency has said that the Heartbleed bug was the reason why an attacker was able to steal 900 social insurance numbers, and British parenting website Mumsnet said that username and password data used to authenticate users during log in was accessed before the site was able to patch its servers.

As for the NSA, the Director of National Intelligence has issued a statement saying that the NSA was not aware of the Heartbleed vulnerability until it was made public. The statement went on to say that the Federal government relies on OpenSSL the same as everyone else to protect the privacy of users of government websites and other online services.

However, what is even more important is that the statement categorically says that had the NSA, or any other of the agencies and organizations which make up the U.S. intelligence community, found the bug they would have reported it to the OpenSSL project.

“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” said the statement issued by the ODNI Public Affairs Office. The statement also said that when Federal agencies discover a new vulnerability “it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.”

The Office of the Director of National Intelligence also said that in response to the President’s Review Group on Intelligence and Communications Technologies report that it had reinvigorated an interagency process for deciding when to share vulnerabilities.  According to the report, “The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of  encryption technology for data in transit, at rest, in the cloud, and in storage.” Such a statement is important following the accusations that the NSA tried (and succeeded) in weakening certain encryption standards.

The report also says that, “US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In  rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.”

This “rare” use of zero-day vulnerabilities was reiterated by the ODIN statement. “Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.”

300,000 home routers and modems hacked

network leds on routerNew research by Team Cymru’s Threat Intelligence Group has discovered that attackers have been changing the DNS settings on thousands of consumer level small office and home routers. By changing the DNS settings the attackers are able to redirect the victims DNS requests to any desired site and effectively conduct a Man-in-the-Middle attack.

The biggest risk is for those accessing financial sites. In this situation the compromised routers can redirect traffic to a fake websites and captures user’s login credentials. It would also be possible for the attackers to  inject their own adverts into web pages people visit or change  search results .

The team started its  investigation in January 2014 and to date it has  identified over 300,000 devices, mostly in Asia and Europe, that have been compromised. Once a device has been hacked the DNS settings are changed to 5.45.75.11 and 5.45.75.36. It seems that the majority of the affected routers are in Vietnam, however other affected countries include  India, Italy and Thailand.

“Many cyber crime participants have become used to purchasing bots, exploit servers, and other infrastructure as managed services from other criminals,” wrote the report authors. “We expect that these market forces will drive advances in the exploitation of embedded systems as they have done for the exploitation of PCs.”

Unfortunately more than one manufacturer’s router seem to be vulnerable to the attacks and the hackers are using multiple exploit techniques.  The research has not uncovered any new, or previously unknown vulnerabilities. Instead the report shows that the techniques and vulnerabilities observed have been in the public domain for well over a year.

The two DNS servers listed belong to a hosting company in south London. The BBC has contacted the company but has yet to receive a response. Team Cymru has contacted the relevant law enforcement agencies about the attack and informed the ISPs which have the bulk of the compromised customers.

 

UK government to investigate Huawei’s involvement in the Cyber Security Evaluations Centre

Huawei-Logo-300x300The Intelligence and Security Committee, a group established by the British government to examine the extent of foreign involvement in the UK’s Critical National Infrastructure and its implication for national security, has raised questions about the independence of staff employed at the Cyber Security Evaluations Centre, or the Cell as it is commonly called.

Part of the work at the cell is to test equipment from Huawei for security vulnerabilities and ensure that the equipment doesn’t have any back-doors or easily exploitable weaknesses.

According to the report the Cell was formed due to a big contract win for Huawei from British Telecom (BT). The UK government engaged directly with Huawei UK and suggested the establishment of the evaluation center to increase confidence in the security of Huawei products.

Although staffed by security cleared UK personnel, the Cell is funded entirely by Huawei and remains under Huawei’s control. The report questions whether the staff, 34 who are paid and employed by Huawei, are sufficiently independent of Huawei to provide the necessary level of assurance about the company’s activities.

The Cell tests all updates to Huawei’s hardware and software for high-risk components before they are deployed on UK networks, however the center was only due to become fully operational at the end of 2011 (six years after Huawei won the BT contract). But now in 2013 the center is working at a reduced capacity, both in terms of staffing and remit, and witnesses have conceded that it is too soon to tell how effective it is.

Huawei’s trouble stem from the fact that the company was founded by Ren Zhengfei, a former officer of the People’s Liberation Army. Most of the concerns surrounding Huawei relate to its perceived links to the Chinese State. Due to these concerns a government committee in the US published a harsh assessment of Huawei’s reliability. The report concluded that “the risks associated with Huawei and ZTE’s provision of equipment to US critical infrastructure could undermine core US national-security interests”. In Australia the Government decided to exclude Huawei from any involvement in their National Broadband Network on national security grounds.

Huawei has denied having close connections to the Chinese government and has stressed that the company is 98.6% owned by its employees.

58% of vulnerabilities which exploit kits try to use are over 2 years old

solutionary-logo(LiveHacking.Com) – A new report from the security company Solutionary, has revealed that 58% of the vulnerabilities targeted by the top exploit kits are at least two years old. In total the company looked at 26 of the most common exploit kits and found exploit code from nine years ago. The fact that code from 2004 is still in the kits implies that old vulnerabilities are still fruitful for cyber criminals.

Further analysis showed that 58% of the vulnerabilities targeted are over two years. Solutionary also say that number of newly discovered and disclosed vulnerabilities has declined since 2010.

It seems as if Russia the center for exploit development with 70 percent of kits released or developed there. Following Russia comes China and Brazil. Of these kits BlackHole 2.0 continues to be the most often-used exploit kit while the lesser known Phoenix 3.1 exploit kits offers the highest number of vulnerabilities.

“The fact that cyber criminals are able to penetrate network defenses by targeting aging vulnerabilities and using old techniques demonstrates that many organizations are still playing catch-up when it comes to cyber security,” said Rob Kraus of Solutionary. “Exploit kits largely focus on targeting end-user applications. As a result, it is vital that organizations pay close attention to patch management and endpoint security controls in order to significantly decrease the likelihood of compromise.”

The popularity of BlackHole was also confirmed when Solutionary saw that 30% of the malware samples are indirectly linked to BlackHole exploit kit, while 18% of the malware samples directly attributed to BlackHole.

On the effectiveness of anti-virus solutions, the report found that anti-virus and anti-malware software cannot detect 67 percent of malware being distributed.

Top malware threats of last year included autorun and malicious Javascript

usb-flash-drive(LiveHacking.Com) –  ESET has released a new report looking back at the top attack vectors used by malware to infect PCs in 2012. The top three vectors where the autorun.inf file, obfuscated Javascript and iframe injections. Together these three accounted for almost 15% of the ways that malware found its way onto PCs.

Autorun.inf is a special file placed on removal media (like USB flash disks) that tells Windows what file to run when the media is inserted into the computer. Many different types of malware copy themselves onto any removable media present and change the autorun.inf file to make sure that the malware is run when the media is inserted into a machine. It is a popular way for malware to infect computers that are not connected to the Internet. A recent report by the USA’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed that two power generation facilities became infected with malware via USB flash drives that were being used inside the plants. It is also the method believed to have been used to infect Iran’s nuclear program with Stuxnet. In total 5% of malware infections detected by ESET’s Live Grid was spread via the autorun.inf file.

Although Microsoft disabled Autorun on Windows XP and Vista, to prevent malware infections, nearly two years ago (back in February 2011), ZDNet’s  Dancho Danchev is hypothesizing that the number of infections that happen via Autorun is still high because of software piracy. Basically users are running a pirated/outdated version of Windows. These installations aren’t being updated because of Microsoft’s Genuine Advantage program and so remain with Autorun enabled. The piracy problem was also reiterated by Symantec when it speculated that “the lack of patching due to piracy may be a contributory factor to high infection rates in those countries.”

Another 8% of infections came via hacked webpages with some kind of malicious intent. When a web page is hacked the attacker can alter the HTML to insert Javascript or an iframe that redirects the browser to a URL where malware is hosted or to start a drive by download. Normally any injected Javascript is obfuscated.

“Since poisoned web sites and scripts are an ongoing and regrettable but inevitable part of the threatscape, it’s not surprising that HTML/Iframe.B and HTML/Scrinject.B are still with us…” wrote David Harley, a senior research fellow at ESET.

Malware found in U.S. power plants, should America be worried?

us-cert logo(LiveHacking.Com) – According to a new report (pdf) released by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security’s Office of Cybersecurity and Communications, the last three months of 2012 saw at least two instances of malware infecting computers inside power generation facilities.

The first case came to ICS-CERT’s attention when it was contacted by the staff at a power generation facility. Several different bits of malware, which has been classified as both common and sophisticated, were discovered when an employee asked IT staff to inspect a USB drive used to back up control systems configurations within the control environment.

Initial analysis of the malware, found on the USB drive, raised some alarms since one of the infections was linked to known sophisticated malware. ICS-CERT engineers went on-site and took drive images of the infected hardware. The engineers also discovered two critical engineering workstations, which were infected by the malware, that had no backups, and an poor or incorrect removal of the malware would have significantly impaired the operation of the power plant.

A cleanup procedure was developed and executed together with the organization’s control system vendor to ensure that it would not adversely impact the critical workstations.

The second case happened in early October. A power company contacted ICS-CERT to inform it malware infection in a turbine control system. The malware infected around ten computers on the control system network that was down due to a scheduled outage for equipment upgrades. The infection resulted in more than planned downtime and delayed the plant restart by approximately 3 weeks.

“ICS-CERT continues to emphasize that owners and operators of critical infrastructure should develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media. Such practices will mitigate many issues that could lead to extended system downtimes,” said the ICS-CERT report. “Defense-in-depth strategies are also essential in planning control system networks and in providing protections to reduce the risk of impacts from cyber events”

It is clear that these key infrastructural facilities need to have the correct security and backup policies and procedures in place, something which is sorely lacking at the moment.

ENISA tells banks to assume that all customer PCs are infected with malware

(LiveHacking.Com) – The EU’s cyber security agency ENISA (European Network and Information Security Agency) has released a report in response to the “High Roller” cyber-attacks. These attacks targetted corporate bank accounts and, according to a  report recently published by McAfee and Guardian Analytics, are responsible for the loss of tens of millions dollars.

As part of the recommendations, ENISA has told the banking industry to  assume that all PCs are infected with malware. The  “High Roller” cyber-attacks used the infamous Zeus malware, which isn’t universally detected by anti-malware programs and as such it is safer for banks to assume that all of its customers’ PCs are infected.

The report also mentions that basic two factor authentication does not prevent man-in-the-middle attacks on transactions. Therefore, ENISA recommends that banks cross check with their customers the details of certain types of transactions. These  cross checks can be performed via SMS or a telephone call.

ENISA also calls on the different national Computer Emergency Response Teams (CERTs) and law enforcement agencies to cooperate closer to help bring down the command and control servers used by the criminals.

The recommendations have been published due to the  nature of the “High Roller” attacks. First, these attacks are highly automated making them fast and easily missed. Second, the attacks are sophisticated with the ability to bypass two-factor authentication and fraud detection. Thirdly, the attacks are highly targeted.  Only PCs from users with corresponding high balances were targeted.

Congress Warned That Foreign Spies Penetrate US Military Networks

(LiveHacking.Com) – It should be assumed that foreign spies have penetrated the US military networks was the message sent to American’s politicians last week when security experts testified at hearings held by the US Senate Armed Services Committee on cybersecurity. The committee was told that enforcing a perimeter to keep out spies is unsupportable, and that the US should assume that its networks have already been fully penetrated. Instead, the committee was told, cyberdefence should be about protecting data not controlling access.

“We’ve got the wrong mental model here,” said Dr James Peery, head of the Information Systems Analysis Centre at the Sandia National Laboratories. “I think we have to go to a model where we assume that the adversary is in our networks.”

As part of a prepared statement to the committee Dr. Peery said “A silver bullet for solving the ‘cyber problem’ for DoD, DOE, dot-gov or the private sector does not exist. It is impossible to make an absolutely secure information technology (IT) system.

Dr. Peery

Dr. Kaigham Gabriel, current head of the Defence Advanced Research Projects Agency, likened the current cybersecurity efforts of the US DoD to treading water in the middle of the ocean.  The DoD oversees 15,000 networks that connect about seven million devices which presents numerous security challenges to the DoD. These challenges include:

  •  Attackers can penetrate our networks: In just 3 days and at a cost of only $18,000, the Host-Based Security System was penetrated.
  • User authentication is a weak link: 53,000 passwords were provided to teams at  Defcon; within 48 hours, 38,000 were cracked.
  • The Defense supply chain is at risk: More than two-thirds of electronics in U.S. advanced fighter aircraft are fabricated in off-shore foundries.
  • Physical systems are at risk: A smartphone hundreds of miles away took control  of a car’s drive system through an exploit in a wireless interface.
  • The United States continues to spend on cybersecurity with limited increase in security: The Federal Government expended billions of dollars in 2010, but the  number of malicious cyber intrusions has increased.

With regards to cyber offense (rather than defense) Dr. Gabriel wrote: “DARPA’s belief is that the Department must have the capability to conduct offensive operations in cyberspace to defend our Nation, Allies, and interests. To be relevant, DoD needs cyber tools to provide the President with a full range of options to use in securing our national interests. These tools must address different timescales and new targets, and will require the integrated work of cyber and electronic warfare at unprecedented levels.”

Dr. Michael A. Wertheimer, director of research and development at the NSA, told the Senators that the federal government also faces a shortage of talent. Historically, the government has lost about one percent of their IT talent annually; this year the government is set to lose 10 percent of that workforce, the experts claimed. Wertheimer said that 44 percent of the NSA resigns from their position as opposed to retiring. Within the NSA’s IT staff, that figure is 77 percent resigning as opposed to retiring.