Apr 20

Heartbleed strikes again… according to respected security consulting firm Mandiant, one of its corporate customers’ SSL VPN appliances was compromised by attackers using the Heartbleed vulnerability.  The attackers were able to hijack logged in sessions and thus access the organization’s network.  The key to detecting hijacked sessions is to look for log entries which show sessions switching between two different IP addresses at short intervals.  Mandiant isn’t telling which vendor’s SSL VPN is vulnerable, but Cisco,  Juniper, and the open source OpenVPN project have all issued security advisories related to Heartbleed.   Infosec people should be checking for new VPN vendor patches and scanning logs for telltale IP address changes.
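The detection heuristic described above (one VPN session seen from two different client addresses within a short interval) is simple enough to script. The following is an added example, not code from the original post, from Mandiant, or from any VPN vendor; the log format it parses is a constructed, hypothetical key=value format, and the sample lines are made up. The session logic is the same for a real appliance log once the regular expression is adjusted to that vendor's format.

```python
"""Flag SSL VPN sessions whose client IP changes within a short window.

Added example (hypothetical log format, constructed sample data). A session
whose address flips back and forth within minutes is the pattern the post
describes for a hijacked session; a single change hours later (a laptop
moving between networks) is not flagged.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample log: timestamp, session id, client IP, event type.
# Session A1F3 is hit by the pattern; session B7C2 changes address only once,
# hours apart, and should stay quiet.
SAMPLE_LOG = """\
2014-04-18T09:00:01 sid=A1F3 src=203.0.113.10 event=login user=alice
2014-04-18T09:00:45 sid=A1F3 src=203.0.113.10 event=request path=/intranet
2014-04-18T09:01:10 sid=A1F3 src=198.51.100.7 event=request path=/fileshare
2014-04-18T09:01:30 sid=A1F3 src=203.0.113.10 event=request path=/intranet
2014-04-18T09:05:00 sid=B7C2 src=192.0.2.44 event=login user=bob
2014-04-18T12:30:00 sid=B7C2 src=192.0.2.90 event=request path=/mail
"""

# Hypothetical line layout; replace with the real appliance's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) src=(?P<ip>\S+) event=(?P<event>\S+)"
)

Alert = namedtuple("Alert", "sid when old_ip new_ip gap_seconds")


def parse_line(line):
    """Return (timestamp, session id, client IP), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("sid"), m.group("ip")


def find_ip_hops(lines, window_seconds=300):
    """Return one Alert for every event where a session's client IP differs
    from its previous event and that previous event was within window_seconds.

    Events are assumed to arrive in time order, as they would in a log file.
    """
    window = timedelta(seconds=window_seconds)
    last_seen = {}  # session id -> (timestamp, ip) of the most recent event
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines in another format rather than failing
        ts, sid, ip = parsed
        prev = last_seen.get(sid)
        if prev is not None:
            prev_ts, prev_ip = prev
            gap = ts - prev_ts
            if ip != prev_ip and gap <= window:
                alerts.append(Alert(sid, ts, prev_ip, ip, int(gap.total_seconds())))
        last_seen[sid] = (ts, ip)
    return alerts


if __name__ == "__main__":
    for a in find_ip_hops(SAMPLE_LOG.splitlines()):
        print(f"{a.when} session {a.sid}: {a.old_ip} -> {a.new_ip} after {a.gap_seconds}s")
```

On the constructed sample this reports two hops for session A1F3 (to 198.51.100.7 after 25 seconds, then back after 20 seconds) and nothing for B7C2. The window is the knob to tune: too short and you miss slower interleaving, too long and every mobile user who roams between networks becomes an alert. Sessions that legitimately change address once (VPN reconnects, NAT pool changes) will still surface, so treat the output as a triage list rather than a verdict.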


Apr 18

If you are using Google Chrome to surf the series of tubes we professionals call the Interwebs, you need to take action to reduce the risk of getting scammed by compromised SSL certificates.  According to this post over at Netcraft:

However, most Google Chrome users are left in the dark, as Chrome performs neither type of check for non-EV certificates by default. Instead of conventional revocation checks, Google Chrome relies on an aggregated list of revocations, dubbed CRLSets, which are compiled by Google. The revocations from GlobalSign’s CRL have not yet appeared in Google’s CRLSets and hence Chrome users will not be warned if presented with a potentially compromised, but revoked, CloudFlare certificate.

The CRLSets deliberately do not cover all CRLs in an attempt to reduce the total size of the aggregated list. In effect, Google has traded the completeness of their revocation checking for a speed advantage over rival browsers as downloading CRLs or making OCSP requests imposes a performance penalty.

Google Chrome setting to enable revocation checking.

However, it is possible to configure Google Chrome to check for revocation. There is a checkbox in the Advanced settings menu to “Check for server certificate revocation”.


Apr 18

Oh, come on, already!

Think your sites are safe from Heartbleed related sploits?  Not so fast, sunshine…

According to one pen tester, many of the tools which purport to detect servers vulnerable to the Heartbleed bug are buggy themselves, leading to false negative results, and in turn, a false sense of security allowing vulnerable sites to stay vulnerable.  According to his testing, Qualys SSL Labs site is the most accurate “big name” source for checking your servers.   He has also released a script called Cardiac Arrest, which he claims is more accurate than other Heartbleed tests.  If you have already “cleared” your sites using the tools released right after the bug was announced, you might want to double check your results using one of these tools just to be sure.

It also turns out that certificate authorities are not the only ones profiting from Heartbleed.  Because many, many organizations are busily revoking potentially compromised digital certificates, the certificate revocation lists (CRLs) which browsers download in order to avoid trusting these out of date certs have been ballooning in size, from just a few kilobytes to megabytes.  These CRLs get downloaded from the CAs millions of times a day, leading to additional bandwidth charges from their ISPs.  So now we have two sections of the Internet economy benefiting from Heartbleed.

Finally, the Canadians have arrested a teenaged hacker in connection with an attack on the Canadian Revenue Authority’s e-filing website which resulted in around 900 taxpayers’ personal information being disclosed.

Apr 14

Aaaand we now have our first confirmed breach of data tied to Heartbleed – the Canadian Revenue Authority has reported that the social insurance numbers of about 900 Canucks were downloaded by attackers using Heartbleed.  Canada’s equivalent of the US IRS had shut down their e-filing website last week when the bug was announced.

Akamai (whose network carries almost a third of the Internet’s traffic) was also in the Heartbleed news this AM… it turns out that their patch to correct their servers’ vulnerability had a bug in it.  They are revoking their certificates and issuing new ones in the wake of patching the patch.

Stay tuned… I am sure there is more to come

Apr 13

It seems like Heartbleed is going to be keeping infosec people busy for a while.

First, multiple people have succeeded in extracting the private signing keys of a website’s SSL certificate using Heartbleed.  This is not good news, since it makes it possible for attackers to set up sites with phony baloney SSL certificates which look and act like the real McCoy.    I think we’ll be seeing a lot of revoked and reissued certificates this week.  Nobody is likely to be happy about this except for CAs, who stand to profit from this debacle (although, since they had nothing to do with causing the problem, can we blame them?)

Obviously, any site which was Heartbleed vulnerable needs to get new certs toot sweet.  But what about sites which were not vulnerable?  From a technical point of view, if you never ran one of the vulnerable versions of OpenSSL, you really don’t need to buy a new certificate.  However, given the fact that Heartbleed was around for 2 years, site owners will have to think back to whether they were ever running vulnerable software in combination with their current certificates.    Hope you had good version control on your site!

And it’s not just web servers we need to worry about.  Other, non-port-443 services like email, databases, directory services, APIs and the like also use OpenSSL to protect their communications in transit.  We may be hearing about Heartbleed attacks on these services in the coming weeks and months.

And the good news just keeps on coming – there’s a lot of client and embedded device software out there running vulnerable OpenSSL code.   At least one expert thinks that malicious servers can be set up to exploit clients and extract passwords and crypto keys from devices which connect to them.   While Apple’s OS X and iOS products are Heartbleed-free, Android version 4.1.1 (said by Google to be in use on millions of devices) is vulnerable to the bug.

Finally, I think it is safe to assume that phishers are going to make the most of Heartbleed – fake “password reset” notices will be filling our inboxes, trying to make the most of Heartbleed hysteria to steal credentials in a low tech fashion.

So, expect Heartbleed related heartburn for the foreseeable future, folks…


Oct 04

Another attack on the iPhone 5s TouchID sensor… a German security firm has claimed to be able to use an iPhone 4s camera to grab a fingerprint image and then make that image into a fake finger mold.  It still takes a bit of effort, but one barrier to entry (hi res camera) has been removed.

In addition, the same company claims to have defeated the Activation Lock feature which cripples lost/stolen phones by:

Getting a good photo of the target’s fingerprint

Making a fake finger mold

Putting the device into airplane mode

Going to another computer and requesting a password reset on the target’s Apple ID

Unlocking the phone with the fake fingerprint

Turning airplane mode off just long enough to receive the password reset email and resetting the password on the account.

Once this is done, the attacker would have the ability to unlock the phone.  The key to this attack is getting the phone into airplane mode, which can be done from the lock screen if Siri and/or the Control Center are enabled on the Lock Screen.  I would again recommend that 5s users turn off access to Siri and Control Center from the Lock Screen.

The same webpage includes a video showing the fake fingerprint technique used successfully on another phone as well as on a Lenovo laptop.

It is starting to look like fingerprint based authentication on corporate/consumer devices is still a work in progress, and CISOs in organizations with BYOD policies need to do a risk analysis to determine whether the convenience of fingerprint authentication is outweighed by the potential risks.  This is not a “one size fits all” calculation and really depends on the profile of your attackers.  For some organizations, this is easy – I would hope that a defense contractor targeted by nation states would not use fingerprint authentication.  For small businesses or consumers who are mostly concerned with device loss and non-targeted theft, fingerprints may be good enough (especially if devices were not protected with passcodes in the past).  Unfortunately most businesses fall somewhere in the middle of these two cases.

PS – One small positive item I left out from my previous posts on this topic… if you power off your 5s altogether or have not authenticated to the phone for 48 hours, you will be required to enter your passcode to access the phone.

Sep 25

Some interesting insight on security and Apple’s TouchID fingerprint sensor from a quite comprehensive review of the 5S by Andrew Cunningham over at Ars Technica…

For my part, what Touch ID did do was make me more comfortable with using a complex passcode to protect my phone. I protected my previous iPhones with a standard four-digit passcode and by turning the “wipe phone after 10 unsuccessful unlock attempts” option on (which we recommended if you’re using a simple passcode, since otherwise a determined attacker will eventually be able to input the correct code from one of the 10,000 possible combinations). Previously, a complex passcode was too inconvenient for me to bother with, since it made quickly unlocking my phone too difficult. Now, Touch ID makes it so that you only need to input that passcode in a limited number of scenarios—if your phone has just rebooted, if you haven’t unlocked your phone in 48 hours, or if you’re trying to change your phone’s security settings.

You can set a complex passcode by going into Settings/General/Passcode lock.

Sep 24

We all knew this would happen, although I was a little bit surprised as to how quickly The Chaos Computer Club’s recent unveiling of a technique to bypass the fingerprint sensor on the iPhone 5s followed the introduction of the new must have mobile.  (I wonder if they were using a blingy gold iPhone for their hack).  So what does this hack mean for the average user and corporations using the iOS platform?

According to security guru Bruce Schneier

Apple is trying to balance security with convenience. This is a cell phone, not an ICBM launcher or even a bank account withdrawal device. Apple is offering an option to replace a four-digit PIN – something that a lot of iPhone users don’t even bother with – with a fingerprint. Despite its drawbacks, I think it’s a good trade-off for a lot of people.

I mostly agree with Bruce, but the fact that a person with my unlocked iPhone has access to my email account and could reset passwords on many critical web accounts including my bank account, does sort of make the iPhone a bank account withdrawal device.  So, let’s take a look at the problem and what we smartphone users can do about it.   This post is a work in progress and I will be updating it as new information becomes available.

While the process for making the fake fingerprint is not rocket science,  pulling off this hack does require a number of things to be successful.

The attacker must act quickly if they are physically taking the phone.  iOS 7’s beefed up “Find My iPhone” feature allows users not only to track their wayward devices and erase data from them, but also to prevent the phone from being reactivated without entering their Apple ID and password.  Hopefully, this will discourage opportunistic thefts of iPhones, since their resale value will be nil (unless someone hacks the activation lock feature as well).

The attacker needs access to a good quality enrolled fingerprint from his or her victim.  The phone screen could be a source of this, as could a drinking glass or other smooth surface.  However, a clever iPhone user could make the attacker’s life a bit harder by not enrolling their thumbprint (the most obvious finger to use).  Using another finger (preferably on your non dominant hand) will make it less likely that the attacker gets a good print image.  Wiping your phone’s screen before placing it somewhere other than your pocket or purse would also be an easy way to make the attacker work a bit harder – I would think most attackers are going to hope for a print on the phone screen.  I can also foresee fingerprint resistant screen protectors as a growth industry.

The attacker has just 5 tries to get it right.  If their fallacious fingerprint fails authentication 5 times in a row, the fingerprint sensor will lock out and require the user to enter the four digit passcode which they created during device setup.  At this point, we are back to the same security level and mechanism as in iOS 6.

So what to do?   Here are some initial thoughts for the paranoid…

Physically secure your device.  If you have physical control of your device, the bad guys don’t.  If you think you have lost your device or it has been stolen, log in to “Find My iPhone” and wipe and disable it.  If it turns up later, restoring your data and apps from a backup is not too difficult.

Don’t use your thumb as an unlock finger for the iPhone.  Getting thumb prints is pretty darn easy, while finding good prints of your ring and pinky fingers on your non dominant hand will be more difficult for the attacker.  Be creative.

Don’t enroll all of your fingers.  Be random.  Enroll a finger from your significant other as a backup (if you trust them).

Remember that there are also some other lock screen related security flaws in iOS 7… You need to address these as well.  If you leave Siri enabled from the lock screen, an attacker can use that to put the phone into Airplane Mode so that they can work on breaking in without “Find My iPhone” shutting them down.  If you leave the Control Center enabled from the lock screen, attackers will be able to access your photos and send emails, tweets and Facebook updates without your PIN or fingerprint.  They will also be able to make calls from your locked phone.  The fix for this is to go to the Settings app, choose Control Center and turn off the “Access on Lock Screen” toggle.   Apple is working on fixes for these issues and will most probably release a software update pretty quickly.

Keep things in perspective.  If an attacker has physical control of your <insert mobile device here>, there is a chance that they will be able to compromise it.  Passcodes, fingerprints and the like are speed bumps which give you time to fully secure your lost or stolen device by remotely wiping and locking it.

For most individuals, passcodes, fingerprints and keeping track of where your phone is will provide a good balance between security and usability.  If your current phone has no passcode, the fingerprint authentication will be a definite improvement.

Should companies using iPhones or with BYOD policies be more concerned about the 5S than older iPhones?  For most organizations, I don’t think so.  There are a lot easier ways to get into your employees’ email (malware for example) than by stealing a phone.  Physical theft has a much greater risk of being caught than using techniques like malware.  Most device theft is opportunistic and aimed at reselling the phone, rather than getting at data.

These are my initial thoughts on this whole brouhaha – I’ll update this post as more information becomes available.

Stay tuned.

Jul 12

For your social engineering reading pleasure…  the take aways?  First, operational security is important – this scam worked (at least for a while) because the scammer was able to speak the language of her victims, as she was familiar with Lowes procedures and systems.  Documentation and information capable of making an outsider seem like an insider or which gives a technical hacker names of systems, IP addresses and the like needs to be protected from unauthorized access.  Second, educating your users to be suspicious of out of the ordinary requests from (seemingly) internal sources should be a key part of your security awareness strategy.


FOR FURTHER INFORMATION CONTACT
AUSA VICKIE E. LEDUC or
MARCIA MURPHY at 410-209-4885
June 24, 2013
FOR IMMEDIATE RELEASE

http://www.usdoj.gov/usao/md


WOMAN PLEADS GUILTY TO DEFRAUDING LOWE’S STORES BY FRAUDULENTLY OBTAINING GIFT CARD CREDIT
Defrauded Lowe’s of at Least $250,000 by Calling Lowe’s stores and Pretending to be from Lowe’s IT Department


Baltimore, Maryland – Lucerte “Lisa” Abellard, age 35, of Dobbs Ferry, New York, pleaded guilty today to conspiracy to commit wire fraud in connection with a scheme to defraud Lowe’s stores.

The guilty plea was announced by United States Attorney for the District of Maryland Rod J. Rosenstein and Acting Special Agent in Charge Lisa Quinn of the United States Secret Service – Baltimore Field Office.

According to her plea agreement, Abellard called employees at Lowe’s stores around the United States, pretending to be from the “IT department” at Lowe’s headquarters, telling the Lowe’s employee that she received a report there were problems with a register at the Lowe’s store.  She would then ask the employee to run a series of diagnostics on the register, often pretending to be able to see the tests remotely.  The purported diagnostics ended with a “test” transaction that put a credit on a Lowe’s gift card – usually about $3,000 to $4,000.  In reality, this “test” transaction put a credit onto a Lowe’s card possessed by Abellard or her co-conspirators. Abellard was usually successful in deceiving employees into believing she was calling from Lowe’s IT department because she was very familiar with Lowe’s internal procedures and systems – including the names of systems and databases routinely accessed by Lowe’s employees.

Abellard received a portion of value on the gift card she fraudulently credited from the co-conspirators to whom she sold the cards.  After obtaining the fraudulent credit, Abellard would contact the co-conspirator that had paid her for the card, advise that person of the credit and that the card needed to be used quickly before Lowe’s detected the fraud.  Phone records connect Abellard and her co-conspirators to the fraudulently obtained gift cards, and confirm that Abellard made most or all of the fraud calls to Lowe’s stores.

The total loss to Lowe’s as a result of the scheme was more than $250,000.  The government contends that Abellard was the leader of the scheme and will offer evidence to prove that at sentencing.

Abellard faces a maximum sentence of 20 years in prison and a fine of $250,000.  U.S. District Judge Ellen L. Hollander scheduled her sentencing for September 26, 2013, at 10:00 a.m.

Today’s announcement is part of efforts underway by President Obama’s Financial Fraud Enforcement Task Force (FFETF) which was created in November 2009 to wage an aggressive, coordinated and proactive effort to investigate and prosecute financial crimes. With more than 20 federal agencies, 94 U.S. attorneys’ offices and state and local partners, it’s the broadest coalition of law enforcement, investigatory and regulatory agencies ever assembled to combat fraud. Since its formation, the task force has made great strides in facilitating increased investigation and prosecution of financial crimes; enhancing coordination and cooperation among federal, state and local authorities; addressing discrimination in the lending and financial markets and conducting outreach to the public, victims, financial institutions and other organizations. Over the past three fiscal years, the Justice Department has filed more than 10,000 financial fraud cases against nearly 15,000 defendants including more than 2,700 mortgage fraud defendants. For more information on the task force, visit www.stopfraud.gov.

United States Attorney Rod J. Rosenstein thanked the U.S. Secret Service for its work in the investigation.  Mr. Rosenstein praised Assistant U.S. Attorney Justin S. Herring, who is prosecuting the case.


Jul 12

Another day, another Android vulnerability which allows malicious actors to inject malicious code into Android applications without triggering cryptographic safeguards.   And another reason to refrain from using app stores other than Google Play for the time being.
