Nov 19 2012

There is something quite surreal about what is happening with John McAfee, the author of the popular McAfee Antivirus, who is rich, lives in Belize and has recently been accused by the authorities of having murdered his neighbour. Instead of going to the police he has fled, arguing this was a conspiracy and that the police (or someone) was after him. This in itself is already a bit odd, but his subsequent actions are even more bizarre…
You would think that someone who believes the whole system is corrupt would try to flee the country, but no. John McAfee is staying in the same city, posting a blog about his escape, offering $25K to anyone who can help him catch the “real” killer and even describing the numerous disguises he has used to approach his house and the police around it, doing his own investigation…

Well, at least it makes for an interesting reading!
http://www.whoismcafee.com/

Oct 26 2012

Security Onion is an open source Linux distribution that makes deploying an IDS/NSM a very easy task indeed, and I highly recommend you try it at home, especially since you can do everything in a VM…
If you have ever been through a Snorby installation yourself, you will appreciate this distribution even more, as everything is done for you. The installation process only asks a couple of questions and you should be ready to monitor your network and analyse data through full packet capture within 15 minutes!

The latest beta is even better, and lets you use your own Ubuntu-flavoured distribution if you prefer not to use the default one provided. It runs on Ubuntu 12.04 and comes with Snort, Suricata, Bro, ELSA, Sguil and more.
The video below gives a great summary of what this is all about (it is an hour long, but like any good movie you won’t see the time fly ;)



The author and presenter, Doug Burks, also answers an interesting question near the end of the video about HTTPS traffic and how it could be handled as part of an IDS solution. Specifically, he gives the following advice: use viewssld or Bro.

Viewssld is a tool that can intercept and decrypt HTTPS traffic, but only to sites you own, as explained HERE, because you need the private RSA key of the server whose traffic you want to intercept and analyse.

Being able to see HTTPS traffic to sites you own is good, but really, what you need is to see all HTTPS traffic, especially since that traffic could be malware calling home or a means to bypass corporate web filtering solutions.
There are other (expensive) interception proxy solutions available which can intercept all HTTPS traffic, but I always thought that implementing what is basically a man-in-the-middle HTTPS proxy would mean users get certificate validation warnings every time they try to access something like https://www.example.com and instead get a certificate back from https://my_interception_proxy.com.

Having said that, there is a great paper published by Dell back in March during Black Hat 2012. It describes how the use of a public root SubCA (if you can get one!) in interception proxies can help make this process less visible/disruptive to the user. They also describe the use of transitive root trust to achieve a similar goal.

But back to Doug Burks/Security Onion’s video, where he also mentions the use of Bro and leveraging its network anomaly monitoring capability. I see that as a quick win, and one that is easy to implement for free!
The idea is that malware or hackers are more likely to use self-issued certificates, and by analysing anomalies in HTTPS traffic through Bro you should be able to identify HTTPS traffic that does not follow certificate standards and is not fully trusted. Therefore, even if you still can’t see what is being transmitted, you would at least get some indication that something is wrong and where to look further (i.e. source IP, further pattern analysis, etc.).
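To make the Bro idea concrete, here is an added example (not code from the original post, from Security Onion or from Bro) that triages a Bro-style ssl.log for sessions whose server certificate did not validate. Column names follow the Bro 2.x ssl.log layout; the log content, IP addresses and certificate names are all constructed for the example.

```python
"""Triage of Bro ssl.log records whose server certificate did not validate.

Added example, not code from the original post, from Security Onion or from
Bro: it parses a constructed, Bro-style tab-separated ssl.log and reports the
sessions whose certificate is self-signed, chains to an issuer the sensor does
not trust, or is otherwise rejected, i.e. the "not fully trusted" HTTPS the
post suggests hunting for. Column names follow the Bro 2.x ssl.log layout;
every log line below is made up.
"""
from collections import Counter
from typing import Dict, List

# Constructed sample log (a subset of Bro's ssl.log columns), not captured traffic.
SAMPLE_SSL_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher"
    "\tserver_name\tsubject\tissuer_subject\tvalidation_status\n"
    "1351238400.100000\tC1a\t10.0.0.5\t51000\t93.184.216.34\t443\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA"
    "\twww.example.com\tCN=www.example.com\tCN=Example Public CA\tok\n"
    "1351238401.200000\tC2b\t10.0.0.5\t51001\t198.51.100.77\t443\tTLSv10\tTLS_RSA_WITH_RC4_128_SHA"
    "\t-\tCN=localhost\tCN=localhost\tself signed certificate\n"
    "1351238402.300000\tC3c\t10.0.0.9\t51002\t203.0.113.12\t8443\tSSLv3\tTLS_RSA_WITH_RC4_128_MD5"
    "\t-\tCN=update-srv\tCN=Internal Root\tunable to get local issuer certificate\n"
    "1351238403.400000\tC4d\t10.0.0.5\t51003\t198.51.100.77\t443\tTLSv10\tTLS_RSA_WITH_RC4_128_SHA"
    "\t-\tCN=localhost\tCN=localhost\tself signed certificate\n"
    "1351238404.500000\tC5e\t10.0.0.7\t51004\t93.184.216.34\t443\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA"
    "\twww.example.com\tCN=www.example.com\tCN=Example Public CA\tok\n"
    "#close\t2012-10-26-10-00-05\n"
)


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro's ASCII log format: the '#fields' line names the columns,
    other '#' lines are metadata, everything else is one tab-separated record."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split("\t")
            if not fields or len(values) != len(fields):
                raise ValueError(f"record does not match #fields header: {line!r}")
            records.append(dict(zip(fields, values)))
    return records


def untrusted_sessions(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep sessions where Bro validated the chain and rejected it.
    '-' means no validation result was recorded (e.g. a resumed session), so it is not flagged."""
    return [r for r in records if r.get("validation_status", "-") not in ("ok", "-")]


def summarise_by_server(records: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Group rejected sessions by responder so a repeatedly contacted self-signed
    endpoint stands out from one-off noise; the clients set is where to look next."""
    summary: Dict[str, Dict[str, object]] = {}
    for r in untrusted_sessions(records):
        key = f'{r["id.resp_h"]}:{r["id.resp_p"]}'
        entry = summary.setdefault(
            key, {"sessions": 0, "clients": set(), "reasons": Counter(), "self_signed": False}
        )
        entry["sessions"] += 1
        entry["clients"].add(r["id.orig_h"])
        entry["reasons"][r["validation_status"]] += 1
        # A certificate that issued itself has identical subject and issuer.
        if r["subject"] == r["issuer_subject"]:
            entry["self_signed"] = True
    return summary


if __name__ == "__main__":
    for server, info in summarise_by_server(parse_bro_log(SAMPLE_SSL_LOG)).items():
        print(f"{server}: {info['sessions']} session(s) from {sorted(info['clients'])}, "
              f"self-signed={info['self_signed']}, reasons={dict(info['reasons'])}")
```

The grouping by responder is the point: a single rejected certificate is often an internal appliance or a developer box, but a repeated self-signed endpoint reached by several clients is the pattern worth chasing down, and the source IPs it collects are the pivot the post mentions.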

Hats off to Doug Burks and all the other Security Onion contributors!
PS: For more info on SSL and how it really works, there is also a great READ HERE.

Oct 18 2012

Kaspersky Lab just announced they are working on their own operating system for critical systems.

This is something that is increasingly needed, but is Kaspersky the best entity suited to produce such an OS? To contribute to/review it, certainly. But to drive its development? I am not so certain. I would have thought that developing an OS requires more specific skills than just security ones. One could argue that making security the core skill used in developing that OS should make it more secure, but I would argue back that it could also introduce performance issues… And performance is a health/security risk on its own, especially when speaking about critical systems such as process control environments.

Kaspersky Lab is engaging with different vendors and ICS operators, so they should get some kind of expertise on what their systems require. Another interesting point is how Eugene Kaspersky ends his blog announcement: “there will be some details that will remain for certain customers’ eyes only”. Should a truly secure environment be closed rather than open source?

Then there is the question of support and its backend infrastructure, longevity of the company, etc…

To conclude, this is a great initiative, but creating an OS is not like creating a new application…

Oct 17 2012

There is something about deception: it can bypass a lot of security controls through a very basic principle, making you believe something that isn’t there. It is a bit like magic.

Like this WEBSITE, where you can see an example of what the new HTML5 fullscreen function could make you believe: that you are on a bank website, when in fact you are on a phishing site. The previous link is harmless and only serves as an example, one I would advise you to try yourself (you can’t enter any details anyway, in case you haven’t understood it isn’t really a Bank of America website).

Basically, they use the HTML5 fullscreen function to recreate your browser tabs and URL bar. If you are not used to browsing the internet in full screen mode then you would see the trick straight away. However, if you are following the trend of browsing in full screen mode, especially on mobile phones or on Macs, where Apple has fully integrated it with the latest OS X (10.8), then it is something to watch out for. Very often, the most crude and simple hacks are what work best.

Oct 15 2012

RSA recently announced their Distributed Credential Protection (DCP) technology, which should help address the impact of password leakage/theft when the system where they are stored gets compromised. They accomplish that by splitting stored credentials across different systems.

In its current implementation it uses 2 servers. One server (BLUE) stores the password XORed with a random number, and another server (RED) stores that random number.
When a user wants to authenticate, the client XORs the password with a new random number of its own. It then sends the transformed password to the BLUE server and the new random number to the RED server.
The BLUE and RED servers then compare the stored password with the one the user just provided. At this stage, I guess the BLUE server must communicate with the RED server to get the corresponding random numbers.

An overview of this process is given THERE.

I think it is a great idea, and it leverages what is called threshold cryptography, which is “the art of chopping a secret into little bits”. A few things come to mind though:

- Why use only 2 servers? This could be expanded to use multiple servers, each with different security settings/OS, thus making it harder to compromise.

- Why apply this only to passwords? What about documents/files?

- To verify the password is correct, the servers must be communicating at some point to get the XORed password and the random number used. If that’s the case, then if the BLUE server gets compromised, what stops the attacker from misusing the communication protocol and leveraging the compromised BLUE server to gain information from the RED server, thus removing the need to compromise that server too? I could not get enough information at this time on how RSA verifies that passwords are valid, so I would hope they have thought about that in their design.

- Again, this will not stop the number one issue with passwords: human weakness (post-its, simple passwords, eavesdropping, man in the middle/coffee shop, etc.).

It is definitely an interesting technology, which I hope to learn more about soon!
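The XOR arithmetic described above, and the two questions raised about it (why only two servers, and what a compromised BLUE server could learn from RED), can be shown in a few lines. The following is an added toy example written for this post; it is not RSA's DCP implementation and makes no claim about how RSA actually verifies passwords. It generalises the two-server split to n servers and includes a verification step in which each server contributes one value; the server names and the fixed 32-byte password image are assumptions of the example.

```python
"""Toy XOR-based credential splitting across n servers.

Added example, written for this post; it is not RSA's DCP implementation.
It only shows the arithmetic the post describes (password XOR random on one
server, the random on the other), generalised from two servers to n, plus a
verification step in which each server contributes one value and the
combination is all-zero exactly when the submitted password matches.
"""
import secrets
from functools import reduce
from typing import Dict, List

SHARE_LEN = 32  # fixed image length (assumed) so share sizes never reveal password length


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad(password: bytes) -> bytes:
    """Fixed-length password image: length byte + password + zero padding."""
    if len(password) > SHARE_LEN - 1:
        raise ValueError("password too long for this toy")
    return bytes([len(password)]) + password + b"\x00" * (SHARE_LEN - 1 - len(password))


def split(secret: bytes, n: int) -> List[bytes]:
    """n-1 uniformly random masks plus secret XOR all masks.
    Any n-1 of the shares are independent of the secret; all n together recover it."""
    if n < 2:
        raise ValueError("need at least two servers")
    masks = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    return masks + [reduce(xor, masks, secret)]


def combine(shares: List[bytes]) -> bytes:
    return reduce(xor, shares)


class ShareServer:
    """One of the n independently administered stores (the post's BLUE and RED)."""

    def __init__(self, name: str):
        self.name = name
        self.shares: Dict[str, bytes] = {}

    def enrol(self, user: str, share: bytes) -> None:
        self.shares[user] = share

    def difference(self, user: str, attempt_share: bytes) -> bytes:
        # stored share XOR attempt share: meaningless alone, it only becomes
        # informative once combined with every other server's difference.
        return xor(self.shares[user], attempt_share)


def enrol(servers: List[ShareServer], user: str, password: bytes) -> None:
    for server, share in zip(servers, split(pad(password), len(servers))):
        server.enrol(user, share)


def verify(servers: List[ShareServer], user: str, password: bytes) -> bool:
    attempt = split(pad(password), len(servers))
    diffs = [server.difference(user, share) for server, share in zip(servers, attempt)]
    # XOR over all differences = (XOR of stored shares) XOR (XOR of attempt shares)
    #                          = stored image XOR attempt image,
    # which is all-zero iff the passwords match. Whoever computes this combined
    # value learns stored XOR attempt; if that same party also chose the attempt,
    # it learns the stored password. The combination therefore has to run on a
    # server the attacker does not control and return only the verdict, which is
    # exactly the concern about a compromised BLUE server querying RED.
    combined = combine(diffs)
    return secrets.compare_digest(combined, bytes(len(combined)))


if __name__ == "__main__":
    servers = [ShareServer(name) for name in ("blue", "red", "green")]
    enrol(servers, "alice", b"correct horse battery")
    print("right password:", verify(servers, "alice", b"correct horse battery"))
    print("wrong password:", verify(servers, "alice", b"correct horse"))
```

Two things the toy makes visible: adding servers costs nothing in the arithmetic (each extra server is one more random mask), and the per-server differences are individually useless, so the whole design stands or falls on where the final combination happens and what that party is allowed to see.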

Sep 25 2012

According to this FRENCH WEBSITE, a major security vulnerability was disclosed at the Ekoparty 2012 security conference which affects some Android handsets. It is possible to reset those affected handsets to factory default settings and in the process wipe out all data. This vulnerability exploits a “secret” code that can be used to trigger the factory reset automatically, without asking for any confirmation from the user. That code is: *2767*3855#

There are different methods known to date to push that code onto those handsets:

- SMS in WAP Push mode (where the user would have to click on a link)

- QR Code

- NFC Protocol

Or… if users go to a website where either

<frame src="tel:*2767*3855%23" />

or

<script>document.location="tel:*2767*3855%23";</script>

is contained in the HTML page.
So far, it has been confirmed to work against the Samsung Galaxy S3, the Galaxy Beam, S Advance, Galaxy Ace and Galaxy S II, and some HTC devices.
As Korben wrote on his blog, there might be some interesting browsing experiences in store for those handsets’ owners in the coming days.
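For anyone running a web proxy or a mail gateway that can inspect HTML, the constructs quoted above are easy to spot. The following is an added example (not code from the original post or from the French article it cites): it finds tel: URIs in element attributes and in script-driven location changes, decodes percent-encoding and HTML entities, and flags targets that look like an MMI service code rather than a phone number. The sample page is constructed for the example and includes the two snippets quoted in the post.

```python
"""Scanner for HTML that would hand a USSD/MMI code to a phone's dialler.

Added example, not code from the original post or from the French article it
cites: it looks for tel: URIs in element attributes (frame/iframe sources,
links) and in script-driven location changes, decodes them and flags any that
look like an MMI service code (starting with * or #, ending with #) rather
than a phone number. The constructed sample page below includes the two
snippets the post quotes.
"""
import html
import re
from typing import List
from urllib.parse import unquote

# MMI/USSD service codes start with * or # and end with #; phone numbers do not.
MMI_CODE = re.compile(r"^[*#][0-9*#]*#$")

# tel: URIs wherever they can reach the dialler: attribute values and JS string literals.
TEL_URI = re.compile(r"""tel:([^"'\s<>)]+)""", re.IGNORECASE)

# Constructed sample page: one ordinary click-to-call link, the two constructs
# quoted in the post, and the same code hidden behind HTML entities.
SAMPLE_PAGE = """<html><body>
<a href="tel:+15550100">Call support</a>
<frame src="tel:*2767*3855%23" />
<script>document.location="tel:*2767*3855%23";</script>
<iframe src="tel:&#42;2767&#42;3855%23"></iframe>
</body></html>"""


def extract_tel_targets(page: str) -> List[str]:
    """All tel: targets in the page, with HTML entities and percent-encoding undone
    before matching, so encoded variants of the same code are not missed."""
    decoded_page = html.unescape(page)
    return [unquote(m.group(1)) for m in TEL_URI.finditer(decoded_page)]


def find_mmi_codes(page: str) -> List[str]:
    """tel: targets that are MMI codes. Any of these deserves a look: a web page
    has no legitimate reason to push a service code into the dialler."""
    return [target for target in extract_tel_targets(page) if MMI_CODE.match(target)]


if __name__ == "__main__":
    for code in find_mmi_codes(SAMPLE_PAGE):
        print("dialler-triggering MMI code found:", code)
```

Decoding before matching is the important detail: the post's own examples already percent-encode the trailing `#` as `%23`, and an HTML entity for `*` is just as easy, so a filter that matches on the raw source text would miss both.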

Jun 12 2012

CloudFlare is an interesting young company, a few years old, as introduced in this Bloomberg article. Although it is tempting to just describe it as being similar to Akamai because it provides web acceleration and DoS protection through the use of a Content Delivery Network (CDN), it is also different. As explained by its founder, Matthew Prince, it can understand, analyse and protect all requests to a website, not just a subset. It also has a different pricing model, starting with a free offering and generally being much less expensive than the competition even with its pro/business/enterprise options.

In a nutshell, CloudFlare appears to be a service that can help optimise and protect any website for little or no money.

What actually prompted me to look into that company is a recent hacking incident they were the victim of, one that saw its founder’s Gmail account compromised through a Google password recovery bypass, using a flawed AT&T voicemail redirection. This was then used to leverage a flaw in the two-factor authentication of Gmail enterprise accounts, which resulted in the compromise of one CloudFlare customer account. Although the hacker had a bit of luck, as the phone call needed to reset the Google Mail account password had to go to Matthew’s voicemail, it was a fairly sophisticated attack.

But what impressed me the most, and the reason why I see CloudFlare in a very positive light even after this successful hack, is how this company responded and how it disclosed the details of the attack. I really think the timeline shown below (taken from the CloudFlare website) is a very effective way of representing an attack, the reasons for its success and the countermeasures taken. You can read more details about this attack on the company’s blog.

[Image: attack timeline, taken from the CloudFlare website]

Jun 06 2012

In the last few weeks there has been a lot of noise about what looks like the latest state-sponsored malware, Flame. You can find a lot of information about it from Kaspersky and also from the CrySyS Lab, who seem to have done a parallel investigation and call it differently (sKyWIper).

This malware is quite interesting for several reasons:
1) It seems to focus on stealing information rather than being directly disruptive.
2) It has been active for 5+ years and has remained undetected until now.
3) It has an option to delete itself, but in doing so leaves one file behind: a ~DEB93D.tmp file.
4) It is modular, and it can be/has been used to intercept Windows Update calls using fake certificates. (Microsoft released more information here.)

There are many more interesting aspects of this malware, such as its use of the Lua programming language, its looking like a state-sponsored cyberweapon, etc., but I find the 4 mentioned above the most interesting right now.

First, its aim appears to be stealing information. Data collected so far indicates that it spread mostly in Middle Eastern countries and was acting as a sophisticated discovery tool. In fact, what I read made me think of certain discovery modules you can find in commercial Data Leakage Prevention (DLP) software, where you want to discover certain types of information in a very high volume of data using keywords, patterns, formulas, etc… I wonder if the companies analysing this malware will look at how similar (or not!) the algorithms it uses are to those in DLP solutions. Also, what I learnt from those discovery tools is that you get a lot of false positives, and it requires a lot of manpower and time to get through them before getting any value out of it.
I therefore suspect there is a team of “data analysts” also working alongside whoever is coding, supporting, providing network expertise, etc.

This brings me to the second point of interest related to this malware: its longevity, especially how long it lived undetected. 5+ years is a very long time for a piece of software that scans your computer and sends data back “home”. With technology such as IDS, HIPS and port scanners you should be able to detect it.
So, understanding why it was not detected sooner would be of great value in protecting against future similar malware. My guess is that it was not detected because it was targeted malware, mainly installing itself on some computers of interest (based either on location or maybe on some other intelligence). If it had tried to install itself on every computer on the planet it would have been detected much earlier. It also does not appear to try to install other common backdoors, which could have given the malware away during a standard vulnerability scan. There is still the question of the network traffic; I am amazed this was not spotted, but then again it may be tunnelling its network data as well as using some kind of threshold limiter to hide itself.
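A throttled “call home” is hard to see in volume terms, but its regularity is itself a signal. The following is an added example (not code from the original post or from any published Flame analysis) of that detection logic run over flow records: it groups connections by client, server and port, measures how regular the gaps between connections are and how little data each one moves, and flags pairs that look like a rate-limited beacon. The flow records, the IP addresses and the thresholds are all constructed for the example.

```python
"""Spotting regular, low-volume "call home" connections in flow records.

Added example, not code from the original post or from any published Flame
analysis: it groups constructed flow records by client, server and port,
measures how regular the gaps between connections are and how little data each
connection moves, and flags pairs that look like a throttled beacon. The
records and the thresholds are made up for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, int, int]  # (timestamp, src ip, dst ip, dst port, bytes out)

# Constructed flows: 10.1.1.20 contacts 198.51.100.9 about every ten minutes
# with a couple of hundred bytes each time; its other traffic is ordinary browsing,
# and 10.1.1.21 has too few connections to say anything about.
SAMPLE_FLOWS: List[Flow] = [
    (1338940800, "10.1.1.20", "198.51.100.9", 443, 210),
    (1338941400, "10.1.1.20", "198.51.100.9", 443, 230),
    (1338942005, "10.1.1.20", "198.51.100.9", 443, 220),
    (1338942603, "10.1.1.20", "198.51.100.9", 443, 215),
    (1338943205, "10.1.1.20", "198.51.100.9", 443, 240),
    (1338943805, "10.1.1.20", "198.51.100.9", 443, 225),
    (1338944402, "10.1.1.20", "198.51.100.9", 443, 210),
    (1338945005, "10.1.1.20", "198.51.100.9", 443, 235),
    (1338940830, "10.1.1.20", "93.184.216.34", 443, 5400),
    (1338940845, "10.1.1.20", "93.184.216.34", 443, 12000),
    (1338941900, "10.1.1.20", "93.184.216.34", 443, 800),
    (1338943000, "10.1.1.20", "93.184.216.34", 443, 43000),
    (1338943010, "10.1.1.20", "93.184.216.34", 443, 2200),
    (1338943600, "10.1.1.20", "93.184.216.34", 443, 9800),
    (1338946000, "10.1.1.20", "93.184.216.34", 443, 15000),
    (1338946020, "10.1.1.20", "93.184.216.34", 443, 600),
    (1338941000, "10.1.1.21", "203.0.113.5", 80, 300),
    (1338941600, "10.1.1.21", "203.0.113.5", 80, 310),
]


def beacon_candidates(flows: List[Flow], min_connections: int = 6,
                      max_gap_cv: float = 0.15, max_avg_bytes: int = 1024) -> Dict:
    """Return (src, dst, port) pairs whose connection gaps are nearly constant
    (coefficient of variation <= max_gap_cv) and whose payloads stay small.
    Short series give no usable statistics, so they are skipped, not scored."""
    by_pair: Dict[Tuple[str, str, int], List[Tuple[float, int]]] = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))

    findings = {}
    for pair, events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [later - earlier for (earlier, _), (later, _) in zip(events, events[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        gap_cv = pstdev(gaps) / avg_gap  # 0 means perfectly periodic
        avg_bytes = mean([n for _, n in events])
        if gap_cv <= max_gap_cv and avg_bytes <= max_avg_bytes:
            findings[pair] = {"connections": len(events), "period_s": avg_gap,
                              "gap_cv": gap_cv, "avg_bytes": avg_bytes}
    return findings


if __name__ == "__main__":
    for (src, dst, port), info in beacon_candidates(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{port}: {info['connections']} connections, "
              f"period {info['period_s']:.0f}s, gap CV {info['gap_cv']:.3f}, "
              f"avg {info['avg_bytes']:.0f} bytes")
```

The threshold on gap regularity is the knob that matters: a beacon that adds a lot of random jitter to its sleep interval pushes the coefficient of variation up and slips under this check, and raising `max_gap_cv` to catch it pulls in more legitimate polling traffic (mail clients, update checks), which is why findings like these are triage input rather than alerts on their own.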

Another odd behaviour is the delete or kill module, which appears to remove every sign of the malware’s presence apart from one file, ~DEB93D.tmp. Why would it do that? Why would a piece of malware that appears to be so sophisticated implement a delete function that leaves a file behind, making it easier to find out if a computer had been infected in the past? Could it be a bug? The result of some other complex deletion process that requires a file to be left at the end (I don’t know of any)… In any case, it looks to me like an odd type of signature worth investigating.

The final point of interest I mentioned was about recently found new functionality in the malware modules. The fact that it was able to leverage a man-in-the-middle attack against Windows Update indicates it could have been used for more than just discovery of information: instead, to keep a targeted computer either vulnerable to some unpatched security vulnerabilities or loaded with further backdoors/payloads.
It also shows we haven’t heard the end of what this malware was capable of.

After many years of speculation that cyberwarfare could be more than just a subject for books and movies, those recent events make it very real and indicate it has in fact been going on for quite some time now. It begs a question though: in every war there is collateral damage, and in this war the population is everyone and everything connected to the Internet: your computer, mine, hospitals, TVs, cars, etc.
How long before we see one of those sophisticated pieces of malware missing its targets/countries/enemies and creating havoc!? Would it also be labelled as “friendly fire”?

Apr 07 2012

Note: many of the security articles I have written about Apple on this blog are negative, and the reader could think I do not like Apple. This is actually very far from the truth: I am a big Apple fan, but I am also a security professional and I do not agree with their overall security strategy.

The title of this post is inspired directly by an article I read on ZDNet, discussing the latest security threat, which infected an estimated half a million Macs with malware: “BackDoor.Flashback.39”.

Mac Trojans are evolving and becoming more frequent. Last August a Mac Trojan (Bash/Qhost.WB) was found in a fake Flash updater that, once installed, would redirect Google search results to “bad sites”; then in September another Mac Trojan (OSX/Flashback.A) was found by Intego using a similar exploit mechanism but with a different payload, this time more complex: it disabled some security settings on the infected systems as well as attempting to inject code into running processes to ultimately leak personal information.

Both Trojans had a relatively low success rate, as they relied either on the user downloading a file and running it, or… on an attacker adapting some kind of “EvilGrade” attack, where DNS MITM attacks could be leveraged to intercept legitimate software update requests and replace the update status answers with a prompt to install the Mac Trojans.

However, a few days ago another variant surfaced. As mentioned by Intego, this latest threat to Mac users is more of a “drive-by download” threat than a “Trojan”. What it means is that malware can be pushed onto a Mac just by visiting a compromised site; it does not require the user to take any action such as entering their password or confirming that new software should be installed. The compromise happens silently!

As a result, the infection rate is much higher (more than half a million Mac users!) and the impact is much worse: it leaves the victim’s computer open to being remotely commanded as part of a botnet.

To check if your Mac has been infected you can follow these STEPS.

It could be considered the first major security crisis to affect Mac OS X, one that will get major exposure in the media (BBC, CNN, Forbes, etc.) and one, I hope, that will pave the way for Apple to rethink their security strategy (although I have very little hope!). The fact that this Java vulnerability was known a couple of months ago and that Oracle had provided a patch since the 14th of February does not play in Apple’s favour. By wanting to control everything (including Java updates) Apple is playing with fire when it comes to IT security. This is hardly surprising; although I am very tempted to say “I told you so, HERE and HERE”, I will just echo the ZDNet article I mentioned at the beginning: this security mess is the result of Apple being in denial about the IT security landscape and the threats that every computer and user faces regardless of the operating system they are on.

This state of denial is also exploited by the “Trojan” itself, as it will apparently not install if it finds software that could be used to analyse it, and therefore does not target a computer belonging to a user who may be aware that there is more to security than the slogan “I am a Mac, I am secure”.

[Embedded YouTube video: GQb_Q8WRL_g]

Mar 05 2012

About a month ago, Ars Technica ran an article about the encryption standards used by satellite phones having been broken.

This is yet another example of a proprietary encryption system which appears to have been weakly designed and implemented.
Although the researchers have only been able to break the communication from the satellite to the phone and not the other way around, it should still be of concern to anyone using those phones to transmit sensitive information without additional security.
Even if the audio codec still needs to be reverse engineered, this should be the easy part of this attack!

Someone is likely to get a great PhD, as the paper exposing this issue was co-written by such a student.