Koobface, The dangerous game of naming and shaming

 Blog  No Responses »
Jan 242012
 

There has been wide coverage of the naming and shaming of the supposedly perpetrators behind the Koobface botnet that has affected Facebook and other social sites for a few years.

The gang leader was first named on Dancho Danchev’s blog, then the Facebook’s security team threaten and did reveal the gang’s real identity, the New York times even ran an article on it and finally Sophos published another in-depth look at how they also discovered their identity. In between, many other sites jumped in to share that information.

I am slightly uncomfortable with this approach.

It appeared to have worked in this instance as the bonnet Command & Centre has been turned off, and it also appears they named the right persons; but what if all those blogs/researchers made a mistake!? It would have been nothing more than a smear campaign that could have affected the lives of some innocent internet users.

This tactic is used by the police in some countries, so they can catch “real” criminals on the run. They name and shame, appealing for help from the public and thus making it more difficult for them to cary on with their illegal activities.
By “real” I mean criminals in the traditional sense of the term, who have broken the law physically as opposed to virtually. But as our lives become more and more entangled with the virtual world, criminal activities “there” can and do have an impact “here”.

Where I think there is a difference, is that the police conducts a thorough investigation before naming and shaming, more importantly they follow an established, documented and legally sound process to conduct such investigation. Although those security researchers are experts in their own right (pun intended), it is a dangerous game to become a vigilante…

To conclude, I am not fundamentally against this practise but I am concern it could spiral out of control. It also highlights how difficult it is to bring hackers to stop their activities as, this, is some kind of last resort solution.

 Tagged with: ,

Most websites are vulnerable to a hash collision DOS attack

 Blog  No Responses »
Jan 032012
 

By websites, I should really have said Web Applications, but the end result is the same: A server which is serving pages on the Internet could see its CPU usage increasing to a level making that server unusable for a few minutes or more. All that from a relatively small specially crafted malicious HTTP request.

This vulnerability exists in most languages used to develop web applications: PHP, ASP.Net, Java, Python, Ruby, etc. And it has been known to exist in theory since 2003!

Last week, Alexander Klink and Julian Wälde explained at the 28th Chaos Communication Congress in Germany how exactly the theory became reality and the impact on the different web application languages were affected.

The core of the issue is the way hash lists have been implemented in those languages. By “Hash” they both refer to a specific type of data structure and the cryptographic function. A Hash list is a type of data structure that is very popular because it stores and accesses data in a list very quickly. Before an object is inserted into a hash list, it is first hashed using a hash function to provide a “unique” hash reference which is then used to access and store the object in the list. To simplify, it replaces the usual [i] of a standard list with a [hash reference]. (“i” being an integer).

In reality those hash references are not so unique and collisions do occur. When it happens the objects with the same hash reference are daisy chained. The longer the chain and the least efficient hash lists become. Under normal operation it does not happen often and this is not a problem.

But as first highlighted by Scott Crosby and Dan Wallach in 2003, data/object stored into hash lists can be manipulated so collisions do happen more often. So much more in fact, it can degenerate the hash list resulting into the server’s CPU going overdrive and bringing the server to its knee in the process.

Alexander and Julian explained at 28c3, as shown in this video, that for Perl the issue was located in how the DJBX33A (PHP5) and DJBX33X (PHP4) functions were generating hashes. Other languages were also vulnerable because they were using very similar functions to generate their hashes.

With the help of CERT they communicated an advanced advisory to the relevant vendors and organisations in early November 2011, after they successfully implemented an attack for most of the languages used by Web Applications. They received different responses, some more satisfactory than others…

Ruby reacted very quickly and has a patch ready, Microsoft has issued a temporary work around for ASP.Net by limiting the number of parameters, PHP and Python needs more time and Oracle, although they have provided a patch for Tomcat and will in a near future do the same for Glassfish, stated that it isn’t an issue for Java. If you watch the 28c3 video you can easily understand they are wrong (clue for Oracle, go to the 32d minute or so). Therefore we should expect a Java patch for the HashTable and HashMap functions soon, albeit too late.

To conclude, this is a serious issue that has now a practical and known way to exploit it, with a global scope and high performance impact. Microsoft in a Technet article has provided a snort signature to detect this type of attack against ASP.Net, it should be fairly easy to adapt for other languages.

The recommendation is to both monitor for a patch related to your web applications (and implement it quickly when available) and to also monitor your network for such attacks (and try to block its source IP if not coming from a distributed attack). You should be reviewing what are the versions of the languages used by your Internet facing web applications and probably also ask your 3rd party partners what they plan to do about it!

A nice summary is also available on Arstechnica.

PS: Thanks to Thierry for pointing the story to me in the first place!

 Tagged with: , , , , , , , , , ,

Encrypting DNS queries with DNSCrypt from OpenDNS

 Blog  No Responses »
Dec 272011
 

OpenDNS has just release a beta software to enable encryption of DNS queries called: DNSCrypt.

Not encrypting DNS queries can lead to two main type of attacks, as described by OpenDNS:
First, it prevents man-in-the-middle attacks which can cause malicious DNS responses to be used to trick you into visiting a dangerous website or send traffic to an unintended third party. Second, it prevents snooping by your ISP or any other intermediary who might want to sniff your DNS traffic to see what domains you are resolving.

DNSCrypt can significantly increase a user web security as until now there was no way to encrypt DNS queries. As stated by OpenDNS, DNSCrypt should be seen as complementary to Domain Name System Security Extensions (DNSSEC) because the later is not use to encrypt DNS queries, but to provide authentication and  chain of trusts.

DNSCrypt is not the answer to every DNS related threats though, as OpenDNS still acts as a relay to the real website’s IP to be accessed, and if the DNS servers it got some of its information from are compromised OpenDNS will still serve you the compromised IP. Also, one of the great advantage of OpenDNS is its ease of use, the fact you just have to point your Router to their DNS servers, with DNSCrypt you need a software to be installed on each machine you want to protect. It would be great to see future routers supporting/integrating DNSCrypt so it is seamless and would also protect any devices connected to that router, including smartphones, tablets, etc.

Nonetheless, this is definitely a step in the right direction! And although it is only available as a MAC Beta, a PC version should be coming up soon. Will it stay a free service, is also something that remains to be seen…

 Tagged with: , , , , ,

Twitter helping with Android’s Security

 Blog  No Responses »
Dec 242011
 

Twitter has just announced they will be opening the technology from Whisper Systems they just acquired. This is good news for Android users, and Google. Their technology allows text messages to be encrypted as well as providing full disk encryption, the later will only be made available, well, later!

This has the potential to bring security enhancement to the Android’s mass.

The source code is now available here: GitHub

 Tagged with: , ,

My take on SANS 660, The HexFactor and Netwars

 Blog  No Responses »
Dec 152011
 

I have just attended the SANS 660 course in London, it is one of the most advanced course SANS has to offer and it did not disappoint!

Its bootcamp format means you will start your day at 9am and finish it at 7pm! The last two hours being called a “bootcamp”, basically 2 hours of exercises linked to the content of the day that really helps understanding the different techniques that were discussed.

Speaking about content, although they state that previous programming experience is “recommended”, it is not, is it mandatory!

And for the last 2 days you really need some understanding of x86 assembly to get a chance to follow the fast pace. I have to admit that the last day I was lost after lunch!

But what do you get if you buckle up and go on the ride? You get an incredible amount of information as it goes into a great level of details on how to identify and write your own exploits. But it also allows you to get a better appreciation of what to look for when reviewing the security of a network, an application, a website or a system. This is not just a “hacking” course, and the “ethical” at the end of the full course name is there for a reason.

The lecturer, Stephen Sims, is quite inspiring. Of all the lecturers I have met in the different courses I have taken those last 15 years, he is probably the one who knew his subject the most! It is also great that he is always willing to help his students understand what they are doing wrong during exercises. And it is apparently not just computer hacking that he is good at, being a core member of a signed music band going by the name of a modern hard-disk.

The highlights of the course for me were:

  • The different techniques to attack a network with the consequences of badly, or shall I say commonly, configured routers;
  • Ways to get out of a locked down desktop;
  • What to do with a buffer overflow, how to locate/change/utilise those different address pointers and defeat canaries and use gadgets.

Although at the end it will feel like you need a larger brain and many more weeks to assimilate this new information, you will also get a sense that you have only barely touched the surface of all those techniques…

Then of course, after each of those hard days working you can relax at the next door pub… and if you didn’t have enough, this is where you can take part in a hacking challenge, the Hex Factor challenge. It is basically a “capture the flag” contest where you setup a team, or go at it solo, and are faced with a number of different challenges:

  • 2 quizzes
  • 3 hacking challenges (i.e.: breaking into a network, a server, etc)
  • 3 reverse engineering challenges (i.e.: bypassing a password in an executable)
  • 3 forensic challenges (i.e.: recovering data hidden somewhere)

This is really a great environment, not only to meet like minded people (although some may say it is a bad thing! ;), but also to actually practise your newly acquired skills. It is also good that each of those challenges have different level, allowing anyone to participate, from the manager to the engineer! This event takes place in a number of conferences and is organised by volunteers. So I’d like to congratulate everyone who was involved to make it such an entertaining event!

Finally, this year there was the Netwars challenge. It has a similar format as the HexFactor one and ran for 2 days (after the Hexfactor was finished). It is an individual hacking contest with increasingly more difficult challenges. The fact you see the top 10 scores on a big screen live, the buzz of having a large room full of people hacking away, the organisers making sure everything is going smoothly and that everyone feels confortable really made those 2 nights special.

To conclude I will say that, again, SANS did not disappoint. It was a top quality course part of a great conference with huge opportunities to network and practice your skills. So I can happily recommend for anyone to attend the 660 class, and also, if you really want to make the most of it you have to stay in a close by hotel, be ready not to sleep too much and embrace the geekiness around you :)

SANS, Stephen, Thank you very much!

 Tagged with: , , , , , ,

Carrier IQ, an interesting story of deception or what we could call the Facebook syndrome

 Blog  No Responses »
Dec 022011
 

It all started with some findings published by Trevor Exkhart on his website a few weeks ago.

He found that a Californian based company called Carrier IQ (CIQ) had develop a software that was acting as a *key logger* and was installed by default on many different mobile devices: Android, Blackberry, Nokia Phones, iPhones (iOS 3.x to 5.x), and also tablets.

The important point here, is that this software is intentionally installed/provided by the devices manufacturers or network carriers. It is quite amazing how widespread the use of that spying software is (the BBC reported 140 Million devices). This is not limited to only one type of device or provider. What they collect might be different (apparently much less on iOS than Android), but it shows a systemic desire from companies who make and sell those devices to gather usage and user information.

This is what I would call, the Facebook syndrome!

The official stance from CIQ was that their software was only used for improving the “network experience” by providing some information back to carrier and phone manufacturer such as signal strength, network information, etc.
They explicitly stated that they “do not and cannot look at the contents of messages, photos, videos, etc., using this tool”.

This is not what you would say from a software that logs all the key pressed on your device…

Again, it is important to note that by default their software is not hidden (there is a visible check-mark in the status bar) but this can be modified by 3rd parties. And it is being modified!

One example given by Trevor is Verizon in the US, although you can opt out, by default the phones they sell will record and transmit (?) the following personal user information: any URL accessed, including potential search queries and the location of the device. This is what could be considered as a significant personal privacy invasion.

So how did CIQ reacted to Trevor’s post?
By sending him a Cease and Desist letter on the 16th of November!

They claimed Trevor was in copyright infringement (because of some of their publicly available training material having been referenced) and making false allegations.

As reported on The Register on the 24th of November, they eventually withdrew their legal threats thanks to the legal help of the EFF, who nicely summarizes the case on their website, and also to a new post showing exactly what Trevor meant by calling CIQ software a “root kit” (I called it a “key logger earlier”, but root kit is more accurate and also has wider security implications).

Trevor’s second CIQ article, goes into details as to why CIQ software is indeed a root-kit. With a video showing the different steps required to reproduce his tests. It also describes how the data is collected even if you are off the network and, at least on an HTC phone, the data is not really anonymised.

Since then, another mobile phone hacker has published some findings about CIQ, this time confirming that Apple has included CIQ software in all its iOS version from iOS3 to the latest iOS5. However, it seems that the information logged on the Apple devices is much less than what is logged on Androids’: no URL nor SMS and the location is only sent if you have allowed for it to be, furthermore, that information is not transmitted by default but only if the user manually choose to send diagnostic information to Apple.

All this has generated an increasing level of noise and attention:

As pointed out in a ViaForensics article, it is not clear when and if the data CIQ logs on the phone is always transmitted or just remains on it. And if transmitted, to where? But if it is being transmitted, I have a little story for you…

A few years ago I went on holiday and decided to take an international data plan, I had an iPhone 3G at the time, and I did monitor my data consumption every day with the built-in iOS bandwidth statistics. I stopped using data on my phone when I reached 90% of my allowed and pre paid consumption.

I was therefore very surprised when I was charged for going over my data allowance by a good margin! How could I have miscalculated my data consumption by so much!? After complaining to my provider they eventually claimed that the built-in iOS bandwidth statistics were only showing average figures and were not accurate. I also read in some forum at the time, that Apple claimed their figures should be taken as an estimate only. With that in mind, I decided not to pursue further, accepted to pay the extra fee and promised myself never to use data roaming again.

Now, it would be interesting to know if all the network data generated by CIQ is counted in those mobile OS network bandwidth statistics or if, like the information it gathers, they are also hidden from view.
After all, if the provider goes at length to hide the data they collect from you, they probably don’t want you to see that sealed fat envelop leaving your phone!

If that’s that case, how legal is this?! not only spying/gathering user information is questionable but doing so could be at the expense of the user! Couldn’t it be considered as a hidden cost to their service? could it explain the unexplainable extra fee I had to pay?

So I have three final comments to make:

  1. Mobile device companies are like any others, they want users’ personal information, but unlike others, they have full control of the device you discuss you life on.
  2. Opting for usage statistics, should be just that, an optional choice! and it should be made clear that it could result in extra cost, especially when roaming!
  3. If CIQ data consumption is also hidden from mobile OS(es) statistics then this is an extra hidden cost to the user
Now, where have I kept my 10 years old beloved Nokia 8210?
UPDATE, 12th of December 2011: CarrierIQ has responded to the issues discovered by Trevor through a 19 pages document. Not sure I find it very convincing.
 Tagged with: , , , , , , ,

A job at GCHQ?

 Blog  No Responses »
Dec 012011
 

If you ever wanted to work for a UK secret intelligence organisation, GCHQ, they are running a contest until the 11th of December, where you need to decipher some code to get a password. Once submitted, that password will redirect you to their recruitment website.

The password is probably “ifyoudon’twanttoworkforuswewillfindyou”…

If you fancy your chances, here is the site: http://www.canyoucrackit.co.uk/

 Tagged with: , ,

Next Generation Firewall

 Blog  No Responses »
Dec 012011
 

There is a good article on TECHNET on Next Generation Firewall (NGF) and the fact that most, if not all, companies accept port 80 in/out meaning traditional F/W are less and less effective against malware using this port as a mean to call home or come in.

The Article nicely summerize the need to look for more than IP/PORT/PROTOCOL but also for the type of Payload going through.

Although not a new technology, the evolution of Malware is a growing issue which makes that technology more and more relevant.

 Tagged with: , ,

iOS 5 Vulnerabilities for iPad2 and iPhone 4S

 Blog  No Responses »
Oct 272011
 

Two vulnerabilities in iOS5 have recently been discovered, one is affecting the iPad2 and the other the new iPhone 4S. In both cases it allows anyone to bypass any lock/passcode to gain unauthorised access to the device.

1) iPad 2 + iOS5 + SmartCover = Anyone can unlock your iPAD
This only affects iPad2 with iOS5 and the smart cover set to automatically lock the device.
With a locked iPad2, keep pressing the power button until you see the screen telling you to swipe to turn off, close the smart cover, reopen it and push the CANCEL button.
This will give you access to the latest application that was used. It means that if you were on the application listing screen you will be able to see all the applications installed on the iPad, but you will not be able to open any other applications. This is because you are in the “finder”/”Explorer” application.
But it also means that if before you closed your smart cover to lock your device you were in the mail application, using this technique would give you full access to the mail app and your emails.

To fix the issue you need to disable the smartcover autolock feature, until Apple fixes this bug.

2) iPhone 4S + SIRI
With SIRI enabled, even if you have locked your phone with a passcode, you can hold the HOME button and SIRI will be activated allowing you to speak commands such as call someone, send a text or an email, etc.
Although you cannot open applications this way, you can still do unauthorised actions as mentioned above.

To fix this issue you need to disable SIRI, until Apple fixes this bug.

What is somewhat surprising is that it is taking so long for Apple to fix these issues, They have been know for more than a week…

 Tagged with: , ,

I used to have one password…

 Blog  No Responses »
Oct 142011
 

I used to have one password. It was the password to my Unix student account and it was in the mid nineties!

Since then, I must have dozens of passwords for work/home computers, websites, files, etc. Having a truly different password each time is almost impossible unless you use some kind of password safe application. Or you could use some kind of clever formula, I do emphasise on the “clever” because if your formula is to generate the same password with a simple variant at the end of it, a hacker who has access to more than one of your password could find out what that formula is quite easily.

Another issue is the username. Most security warnings are related to users having the same password, although it is indeed true, there is also an issue with using the same username everywhere. I would argue it is more important to start with a known username than a known password.

The recent attack against Sony shows that credentials stolen from other companies/websites can be re-used to mount generic brute force attacks. This is echoed in another recent article about the increasing danger of consoles and their online credentials that can sometimes be the same as those used for corporate use, especially with Windows live ID. I would again argue that it isn’t just an issue with consoles as many people when registering to new websites re-use the username they use the most, their work or home username.

There is however the need for a tradeoff between the highest level security of having a random username and password for each of your login, and something you can use without having to think/consult for/every 5 minutes.

I would start with a different password for every login… and to change them from time to time.

 Tagged with: ,
 Older Entries
© 2011 Encryptsolutions Suffusion theme by Sayontan Sinha