Old tricks will always work…

 Blog  No Responses »
Oct 172012
 

There is something about deception, it can bypass a lot of security controls through a very basic principle, to make you believe about something that isn’t there. It is a bit like magic.

Like this WEBSITE, where you can see an example of what the new HTML5 fullscreen function could make you believe. That you are on a bank website, where in fact you are on a phishing site. The previous link is harmless and only serves as an example, one I would advise you to try yourself (you can’t enter any details anyway in case you haven’t understood it isn’t really a Bank of America website).

Basically, they use the HTML5 Fullscreen function to recreate your browser TABS and URL. If you are not used to browse the internet in full screen mode then you would see the trick straight away. However, if you are following the trend to browse in full screen mode, especially on mobile phones or on MACs where apple has fully integrated it with the latest OS X (10.8), then it is something to watch out for. Very often, the most crude and simple hacks are what work best.

Distributed Credential Protection

 Blog  No Responses »
Oct 152012
 

RSA recently announced their Distributed Credential Protection (DCP) technology which should help address the impact of passwords leakage/theft when the system where they are stored gets compromised. They accomplish that by splitting up stored credentials across different systems.

In its current implementation it uses 2 servers. 1 server (BLUE) stores the password XOR to a random number and another server  (RED) stores that random number.
When a user wants to authenticate it uses his password to XOR it with his own Random number. It then sends the transformed password to the BLUE server and the new random number to the RED server.
The BLUE and RED servers then compare the stored password with the one the user just provided. At this stage, I guess it must communicate to the RED server to get the corresponding random numbers.

This process is given an overview THERE

I think it is a great idea, and it leverage what is called Threshold Cryptography, which is “the art of chopping a secret into little bits”. A few things come to mind though:

- Why only using 2 servers, this could be expanded to use multiple servers. Each with different security settings/OS thus making it harder to compromise

- Why only applying this to passwords, what about documents/files?

- To verify the password is correct, the servers must be communicating at some point to get the XOR password and the Random number used. If that’s the case, then if the BLUE server gets compromised what stops the attacker to miss-use the communication/protocol and leverage the compromised BLUE server to gain information from the RED server, thus removing the need to compromise that server too? I could not get enough information at this time on how RSA verifies the passwords are valid, so I would hope they have thought about that in their design.

- Again, this will not stop the number one issue with password. Human weakness. (post-it, simple passwords, eavesdrop, man in the middle/coffee shop, etc)

It is definitely an interesting technology, which I hope to learn more about soon!

Wipe out/Factory Reset some Android’s phones

 Blog  No Responses »
Sep 252012
 

According to this FRENCH WEBSITE, a major security vulnerability has been disclosed at the Ekoparty 2012 Security Conference  which affects some android handsets. It it is possible to reset those affected handsets to factory default settings and in the process wipe out all data. This vulnerability exploits a “secret” code that can be used to trigger the factory reset automatically, without asking any confirmation from the user. That code is: *2767*3855#

There are different methods known to date to push that code onto those handsets:

- SMS in Wap Push mode (where the user would have to click on a link)

- QR Code

- NFC Protocol

Or… if users go to some websites where either

<frame src="tel:*2767*3855%23" />

or

<script>document.location="tel:*2767*3855%23";</script>

is contained in the HTML page.
So far, it has been confirmed to work against the Samsung Galaxy S3, the Galaxy Beam, S Advance, Galaxy Ace and Galaxy S II and some HTC devices.
As Korben wrote on his blog, there might be some interesting browsing experience in store for those handsets owners in the coming days.

A Physical Solution to a Software Problem

 Blog  No Responses »
Jun 172012
 

Thinkst is a small security organisation and one of its member recently published a post on their blog regarding the security of an encrypted USB drive.  One of his friend lost the password to his USB Freecom Self Encrypted Drive (SED) drive and one of the protection in place was the need to power cycle the hard drive after every 5 bad attempts. This meant a brute force attack was impossible due to the time to plug/unplug the device.

Here comes ingenuity, although the author call this a “lame hack”, I actually really like it as he thought outside the box (pun intended). He basically build a new controller to automatically power cycle the drive, and managed to find the lost password after 500 attempts.

I don’t do electronics and am always impressed when hackers use it to bypass security barriers!

The article can be found here as well as a photo of there installation.

MD5 Security Flaws

 Blog  No Responses »
Jun 132012
 

In case you were in any doubts about the security flaws of MD5, in recent days, 2 implementations of MD5 have been shown to have severe security issues.

1) The md5crypt password scrambler used in many Unix based distributions has been deemed as “unsafe” by its author (in fact this has been known for some time now).

2) MD5 collisions were used in the recent Flame malware to bypass Microsoft Update signature certificates.

The sole use of MD5 as a security vector must be avoided.

An interesting timeline representation of the CloudFlare’s hack

 Blog  No Responses »
Jun 122012
 

CloudFlare is an interesting young company, a few years old, as introduced in this Bloomberg article. Although it is tempting to just describe it as being similar to Akamai because it provides web acceleration and DOS protection through the use of a Content Distributed Network (CDN), it is also different. As explained by its founder, Matthew Price, it can understand, analyse and protect all requests to a website, not just a subset. It also has a different price model starting with a free offering and generally being much less expensive than the competition even with its pro/business/enterprise options.

In a nutshell, CloudFlare appears to be a service that can help optimise and protect any websites for no or little money.

What actually prompted me to look into that company, is a recent hacking incident they were the victim of. One that saw its founder’s gmail account compromised through a Google password recovery bypass, using a flawed AT&T voicemail redirection. This was used to leverage a Gmail Enterprise Account flaw in its dual Factor Authentication which resulted in the compromise of one of CloudFlare customer account. Although the hacker had a bit of luck as it needed a phone call to reset Google Mail account password to go to Matthew’s voicemail, it was a fairly sophisticated attack.

But what impressed me the most, and the reason why I see CloudFlare in a very positive light even after this successful hack, is how this company responded and how it disclosed the details of the attack. I really think the timeline as shown below (taken from the CloudFlare website) is a very effective way of representing an attack, its reasons of success and the countermeasures taken. You can read more details about this attack on the company’s blog.

[CLICK THE PICTURE TO ENLARGE]

Flame and the DEB93D trail

 Blog  No Responses »
Jun 062012
 

In the last few weeks there has been a lot of noise about what looks like the latest State sponsored malware, Flame. You can find a lot of information about it from Kaspersky and also from the CrySyS lab who seems to have done some parallel investigation and call it differently (sKyWIper).

This malware is quite interesting for several reasons:
1) It seems to focus on stealing information rather than being directly disruptive.
2) It has been active for 5+ years and has remained undetected until now.
3) It has an option to delete itself, but in doing so leaves one file. a ~DEB93D.tmp file.
4) It is modular and can/has been used to intercept Microsoft update using fake certificates to intercept Windows updates call. (Microsoft released more information here)

There are many more interesting aspects of this malware, such as its use of LUA programming language, looking like a state sponsored cyberweapon, etc, but I find the first 4 mentioned above the most interesting right now.

First, its aim appears to be stealing information. Data collected so far indicates that it did spread more in middle eastern countries and was acting as a sophisticated discovery tool. In fact, what I read made me think of certain discovery modules you can find in commercial Data Leakage Prevention software (DLP), where you want to discover certain type of information from a very high volume of data using keywords, patterns, formulas, etc… I wonder if the companies who are analysing this malware will look at how similar (or not!) the algorithms it uses are with those DLP solutions. Also, what I learnt from those discovery tools is that you get a lot of false positives and it requires a lot of man power and time to get through it before getting any value out of it.
I therefore suspect there is a team of “data analyst” also working along side whoever is coding, supporting, providing network expertise, etc.

This brings me to the second point of interest related to this malware, its longitivtiy. Especially how long it lived undetected. 5+ years is a vey long time for a piece of software that scans your computer and sends some data back “home”. With technology such as IDS, HIPS, and port scanners you should be able to detect it.
So, understanding why it was not detected sooner would be of great value to protect against future similar malware. My guess why it was not detected is because it was a targeted malware, mainly installing itself to some computers of interest (either location or maybe based on some other intelligence). If it tried to install itself on every computers on the planet it would have been detected much earlier. It also does not appear to try to install other common backdoors, which could have give the malware away when doing a standard vulnerability scan. There is still the question about the network traffic, I am amazed this was not spotted, but then again it may be tunnelling its network data as well as using some kind of threshold limiter to hide itself.

Another odd behaviour is the Delete or kill module, which appears to be removing every signs of of the malware presence apart from one file, ~DEB93D.tmp, why would it do that? why would a piece of malware who appears to be so sophisticated implements a delete function that leaves a file behind? making it easier to find out if a computer had been infected in the past. Could it be a bug? the result of some other complex deletion processes that require a file to be left at the end (I don’t know of any)… in any case, it looks to me as an odd type of signature worth investigating.

The final point of interest I mentioned was about a recently found new functionality in the malware modules. The fact it was able to leverage a man in the middle attack against windows update indicates it could have been used for more than just discovery of information and instead to keep a targeted computer either vulnerable to some unpatched security vulnerabilities or being uploaded with further backdoor/payload.
It also shows we haven’t heard the end of what this malware was capable of.

After many years of speculation that cyberwarfare could be more than just a subject for books and movies, those recent events make it very real and indicates it has in fact started for quite some time now. It begs a question though, in every wars there is collateral damage, in this war the population is everyone and every thing connected to the Internet: your computer, mine, hospitals, TV, cars, etc.
How long before we see one of those sophisticated malware missing its targets/countries/enemies and creating havoc!? Would it also be labelled as “friendly fire”?

Apple in Denial

 Blog  No Responses »
Apr 072012
 

Note: Many of the security articles I have written about Apple on this blog are negative and the reader could think I do not like Apple. This is actually very far from the truth, I am a big Apple fan; but I am also a security professional and I do not agree with their overall security strategy.

The title of this post is inspired directly from an Article I read on ZDnet, discussing the latest security threat that infected an estimated half a million Mac with malware: “BackDoor.Flashback.39″.

Mac Trojans are evolving and becoming more frequent, last August a Mac Trojan (Bash/Qhost.WB) was found in a fake Flash updater that once installed would redirect google search results to “bad sites”, then in September another Mac Trojan (OSX/Flashback.A) was found by Intego using a similar exploit mechanism  but with a different payload, this time it was more complex and disabling some security settings on the infected systems as well as attempting to inject some code in running processes to ultimately leak personal information.

Both Trojans had a relatively low success rate, as it relied either on the user to download a file and run it, or… for an attacker to adapt some kind of “EvilGrade” attacks where DNS MIT attacks could be leveraged to intercept legitimate software update requests and replace the update status answers with the need to upload the Mac Trojans.

However, a few days ago another variant surfaced. As mentioned by Intego, this latest threat to Mac Users is more of a “drive-by-download” threat than a “Trojan”. What it means is that malware can be pushed onto a Mac computer just by visiting a compromised site, it does not require for the user to take any actions such as entering their passwords or confirming for a new software to be installed. The compromise happens silently!

As a result, the infection rate is much stronger: More than half a million Mac users! and the impact is much worse: it will leave the victim’s computer vulnerable to be remotely commanded as part of a Botnet.

To check if your mac has been infected you can follow those STEPS.

It could be considered as the first major security crisis to affect the Mac OSX, one that will have the first major exposure in the media (BBC, CNN,  FORBES, etc) and one, I hope, that will pave the way for Apple to rethink their security strategy (although I have very little hope!). The fact this Java vulnerability was known a couple of months ago and that Oracle had provided a patch since the 14th of February does not play in Apple’s favor. By wanting to control everything (including Java updates) Apple is playing with fire when it comes to IT Security. This is hardly surprising, although I am very tempted to say “I told you so, HERE and HERE“, I will just echo the ZDnet article I mentioned at the beginning, this security mess is the result of Apple being in denial with the IT security landscape and the threats that every computer and user faces regardless of the Operating System they are on.

This state of denial is also exploited by the “Trojan” itself as it will apparently not install if it finds some software that could be used to analyse it and therefore not target a computer belonging a user that may be aware that there is more to security than a slogan “I am a Mac, I am secure”

[youtube GQb_Q8WRL_g]

 

Satellite phones encryption attacked

 Blog  No Responses »
Mar 052012
 

About a month ago, Arts Technica ran an article about the encryption standards used by satellite phones that have been broken.

This is yet another exemple of a proprietary encryption system which appears to have been weakly designed and implemented.
Although they have only been able to break the communication from the Satellite to the phone and not the other way around, it should still be of concern for anyone using those phones to transmit sensitive information without additional security.
Even if the audio codec still needs to be reversed engineered, this should be the easy part of this attack!

Someone is likely to get a great PhD as the paper exposing this issue was co-written by such student.

Windows 8 Picture Password, great but…

 Blog  No Responses »
Mar 022012
 

After looking at the new features listed for Windows 8, one in particular caught my attention: The Picture Password Login.
It is a very refreshing approach to authentication!

You are presented with a photo at log in and instead of entering a password, you have to touch the image according to the “allowed” touch sequence you registered your user with. In some respect it is similar to the existing gesture based authentication mechanisms you can find on some smartphones (anyone remember that feature on the Palm V?!), but I think it is taken to the next step.
Microsoft is maybe trying to do to passwords what Apple did to the Walkman.

By providing you with a photo of your choice (i.e.: your own family picture), and a restricted number of gestures (point, draw a line and circle) it is easier to remember a sequence, more natural and more personal. For exemple, you would circle the head of your best friend, touch the feet of your child and stroke your dog…
It is simple, yet secure because there is a very large  number of possible combinations. Or is there?

I can see the appeal but I wonder about the following:
a) Could someone who know about you guess what you are likely to touch on that photo first, second and third, etc
b) It would be visually very easy to remember, for you… and also for anyone looking over your shoulder!

I am therefore not 100% convinced, but it would make hardware keylogers more difficult to design (softwares one should just work as well as now by providing a screenshot with logged gestures). And it could actually improve security over a complex password on a post-it or a very simple “hello” password. However, how would this work in an open office environment where everyone can see your screen?

In any cases, well done Microsoft! as stated at the beginning of this article it is a very refreshing approach to authentication and a bold one!

More information can be found in that article and below is a demonstration video of this feature.

[youtube p48DLz3JG8A]

 Older Entries  Newer Entries