Apr 12

Here’s another security related video… this one about the intersection between hackers and black magic practitioners in the African nation of Ghana.   It is about 20 minutes long and worth watching as it provides some interesting insights into the motivations, methods and aspirations of the guys trying to convince you that they can make you wealthy, if only you would pay a “small processing fee” and turn over your bank details.  C’mon… what’s the worst that could happen?

The Sakawa Boys: Inside the Bizarre Criminal World of Ghana’s Cyber-JuJu Email Scam Gangs

Apr 12

Each Tuesday morning, the New York Metro Infragard Members Alliance runs an excellent live webcast on all sorts of security topics from 9 AM – Noon NYC time.   On any given week, tuning in to IGtv will provide you with information on subjects ranging from information security to physical security to counter terrorism.  I am a regular contributor to the program, talking about hacks and attacks.  This morning, I spoke about the recent Epsilon data breach as well as some tools for checking out potential malware – the video below is about 18 minutes long.

Links mentioned in this talk:

Virus Total

Wepawet

PDF Examiner

Comodo Instant Malware Analysis

Cuckoo

Sandboxie

You can see more videos from IGtv on YouTube

Mar 27

SSL certificates are supposed to assure users that the sites they are browsing are legitimate. When you go to your online banking web site via https and see the reassuring lock in the address bar telling you that the site really is your bank, it is the SSL certificate system that provides this indication. Each certificate is signed by a certificate authority (CA), and the CA's own certificate chains up to one of the root certificates that browsers ship trusting, so your browser accepts the bank's certificate only because it trusts the authorities that vouched for it.

When you buy an SSL certificate, the CA (or the reseller acting on its behalf) is supposed to make sure that you are, in fact, who you say you are. For example, if I were to order a cert for www.consolidatedamalgamated.com, the CA would require me to provide some evidence that I was in fact representing Consolidated Amalgamated and that Consolidated Amalgamated was a legitimate company. Only after doing this due diligence would the signed certificate be issued, thus assuring users that the site they are visiting is, in fact, the one it claims to be.

The fragility of this system for supporting trust on the Internet was spotlighted on March 15th, when an attack on the SSL certificate system resulted in a number of fraudulent certificates being issued for sites which millions of people worldwide use every day.

The attack came to light through Jacob Appelbaum, a third party security researcher who noticed that Mozilla and Google had pushed out patches to the Firefox and Chrome browsers revoking a number of SSL certificates issued through an affiliate of Comodo, one of the Certificate Authorities empowered to issue certs. Comodo (and other CAs) typically subcontract the sales and identity verification for SSL certs to other companies called Registration Authorities, or RAs. The attackers appear to have obtained the credentials one of Comodo's RAs used to request new certificates once its verification checks were complete, and used them to request nine certificates for well known communications related domains belonging to Yahoo, Google, Skype and Microsoft (live.com), as well as Mozilla.

So why would an attacker do this? Primarily to intercept credentials and communications between users and the web sites for which they obtained certificates. A fraudulent certificate on its own does nothing; the attacker also has to get the victim's traffic to a server they control, for example by tampering with DNS or by sitting on the network path, but once that is done the certificate makes the interception invisible. A user who logged on to their Yahoo Mail account through such a server would see the familiar lock icon telling them that they were really talking to Yahoo and that their communications were secure, when in fact the attackers were routing all of their traffic through systems under their control, harvesting credentials and reading the victim's email without tipping them off. The attackers also obtained a certificate for "addons.mozilla.org," which would have allowed them to trick users into installing malicious browser extensions for Firefox. To top off the attack, they also obtained a certificate with the name "Global Trustee," which, had it carried CA powers, would have let them issue legitimate looking certificates on their own.

The Comodo attack appears to have originated from an IP address located in Iran, which raises an interesting question. Were the attackers simply run of the mill cyber criminals who wanted to use the information gathered for profit, or was this a state sponsored attack aimed at compromising the communications of opponents of the Iranian regime? Given the recent unrest in the Middle East and the key role played by social media, the Iranian government would probably be really interested in reading the mail or listening to the Skype calls of opposition figures. Of course, the attackers might have been located somewhere else and used Iranian proxy systems to make the attacks look like they were coming from Iran.

The attack points out a number of issues with the current SSL trust hierarchy. First, the delegated nature of the system means that it is only as strong as the weakest link – in this case the security of the registration authorities. Second, the mechanism for revoking certificates has some serious drawbacks. There are basically two ways for CAs to let users' browsers know that certificates are invalid – one is the Certificate Revocation List (CRL), a signed list of revoked serial numbers that the browser downloads, and the other is the Online Certificate Status Protocol (OCSP), in which the browser asks the CA about one certificate at a time. In theory, browsers use these mechanisms to check the validity of each certificate they receive. In theory. In reality, in their default configurations, browsers will allow certificates to be used even if they are unable to get certificate status for them – this is a "fail open" situation. Should an attacker combine the creation of fraudulent certificates with a denial of service attack against a CA's CRL or OCSP infrastructure, millions of users' browsers would happily accept the fake certs without a peep.

In order to protect users against this attack, the browser vendors had to ship software updates that hard-coded the serial numbers of the fraudulent certificates into the browsers' own built-in revocation lists. This puts the onus on the user, and I have seen enough users who don't bother to update browser software to wonder just how many people are still vulnerable to this attack.

Requiring CAs to maintain robust OCSP and CRL infrastructures and configuring browsers to fail closed – to reject a certificate whenever a positive status cannot be obtained – would go a long way towards fixing this issue in the short term, but such a solution has its own price in terms of privacy. Because every OCSP query tells the CA which site the user is about to visit, CAs would become able to track the web browsing habits of millions of internet users. Such a fix would also require a significant investment in infrastructure by the CAs, which could lead to higher prices for certificates.
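As an added illustration (example code written for this page, not anything shipped by a browser or CA), here is the revocation decision in miniature: a local blocklist of the kind the vendors pushed out, a simulated OCSP responder that can be reachable or not, and a hard_fail switch. The issuer name, serial numbers and host name are constructed.

```python
"""Added example: how a client's revocation policy decides the fate of a
fraudulently issued certificate.  Certificates are (issuer, serial) pairs;
the OCSP responder is a function that returns "good"/"revoked" or raises.
Every name, serial and responder behaviour below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    subject: str


class OcspUnavailable(Exception):
    """Responder could not be reached: timeout, or it is being DoS'd."""


# Vendor-shipped blocklist of (issuer, serial) pairs, the stop-gap the post
# describes browsers pushing out.  Issuer name and serials are constructed.
LOCAL_BLOCKLIST = {("Example CA", 0x1001), ("Example CA", 0x1002)}


def check_cert(cert, ocsp_query, hard_fail=False, blocklist=LOCAL_BLOCKLIST):
    """Decide whether to accept `cert`.  Returns (accepted, reason).

    ocsp_query(cert) returns "good" or "revoked", or raises OcspUnavailable.
    hard_fail=False mirrors the browser default the post describes (fail open
    when no status is obtainable); hard_fail=True demands a positive answer.
    """
    if (cert.issuer, cert.serial) in blocklist:
        return False, "serial is in the local blocklist"
    try:
        status = ocsp_query(cert)
    except OcspUnavailable:
        if hard_fail:
            return False, "no revocation status available (failing closed)"
        return True, "no revocation status available (failing open)"
    if status == "revoked":
        return False, "OCSP responder reports revoked"
    if status == "good":
        return True, "OCSP responder reports good"
    # "unknown" or anything else: only a hard-fail policy treats it as a failure
    return (not hard_fail), f"OCSP status {status!r}"


def make_responder(revoked_serials, reachable=True):
    """Simulated OCSP responder; reachable=False models a DoS'd responder."""
    def query(cert):
        if not reachable:
            raise OcspUnavailable(cert.issuer)
        return "revoked" if cert.serial in revoked_serials else "good"
    return query


def demo():
    # A fraudulently issued certificate for a login site (constructed serial),
    # already revoked at the CA but not yet in any shipped blocklist.
    fake = Cert("Example CA", 0x2001, "login.example.com")
    up = make_responder(revoked_serials={0x2001})
    down = make_responder(revoked_serials={0x2001}, reachable=False)
    blocked = Cert("Example CA", 0x1001, "login.example.com")
    return {
        "responder up, soft-fail": check_cert(fake, up)[0],
        "responder down, soft-fail": check_cert(fake, down)[0],
        "responder down, hard-fail": check_cert(fake, down, hard_fail=True)[0],
        "blocklisted serial, responder down": check_cert(blocked, down)[0],
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:38s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

With the responder reachable, the fake certificate is rejected. Take the responder down and the soft-fail default accepts it; only the hard-fail policy or a shipped blocklist entry still rejects it. A real OCSP client would also have to verify the responder's signature and check the response's validity window, which this toy omits.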

The Internet was a very different animal when SSL was invented. Today’s internet is at the core of economic and social life and it needs to be protected in a way which is in line with that role. Hopefully, this incident will spur development of a new, more robust trust infrastructure for the internet.

Mar 07

app stores and security

By alberg (CSO, hacks)

As personal handheld devices like smartphones and tablets become part of employees’ technical arsenals, the security of those devices begins to impact the corporate environment.  No matter how many times we tell people not to store sensitive corporate information on these devices, there will always be a subset of people who do so.  They are not being malicious; rather they see these new technologies as a way to improve their productivity and are frustrated with corporate IT departments’ unwillingness or inability to support them.

Once corporate information is on these devices, security professionals need to be concerned about not only the inherent security of the device, but the trustworthiness of totally unrelated applications which the employee installs on their device. 

In the past week, Google removed more than 50 applications from the Android Market after a user discovered that they were actually pirated versions of popular Android applications which had been modified to contain a piece of malware dubbed “DroidDream,” which sends the attacker a variety of information about the device it is installed on and more importantly, provides a mechanism allowing the attacker to load and execute additional code onto the phone or tablet.

To Google’s credit, they reacted to this news quite quickly - within minutes of being notified of the problem, they removed the malware laden applications from the Android Market and later sent commands to all Android devices to remove the applications from users devices.  However, over 50,000 downloads of the rogue applications were made prior to the discovery of the malware and it is unknown how many of the affected users’ devices may have downloaded additional nefarious applications which were not removed by Google’s actions.

The basic problem here is that the structure of Android Market does not include any review of applications prior to their being put on sale.  Say what you like about Apple’s draconian control of its iOS platforms and App Store, but the App Store is much more likely to catch and prevent the distribution of malware than Android Market.

Of course, iOS users who decide to “jailbreak” their devices, thus allowing them to install applications from third parties outside of the App Store are just as much at risk as Android Market users.  Jailbreaking an iOS device is very easy and users may be tempted to jailbreak in order to obtain software which is not available from the App Store. 

All of this complicates life for the corporate IT manager who wants to make these amazing new devices part of their IT ecosystem.  If users are allowed to use their personal devices for corporate business, we need to worry about what applications they are installing on these devices.  As they are not corporate owned or controlled, we can’t really tell people what apps they should or should not install or prohibit them from jailbreaking their device.  If we decide to roll out corporate owned iOS and Android devices, we end up with new platforms to support without the security and configuration tools which allow us to protect our desktop and laptop computing devices.

So what do we do?  For now, I think that educating our users about the risks they face while using their personal devices is job one.  We need to make users understand that jailbreaking an iOS device significantly reduces the level of security on the device.  We need to explain to users that Android applications are not pre reviewed in any meaningful way by Google.

As far as enterprise use of these new devices, I think that Google and Apple need to get working on some enterprise management software that allows corporations to securely configure and manage these devices.  Ideally, it should be possible to create a separate encrypted corporate partition where work information is stored.  This partition should need to periodically phone home to check to make sure that the device is still authorized to access corporate information and to pick up policy updates.

Consumer devices are clearly the wave of the future in enterprises – but we need help from the vendors to make these devices safe for corporate use.

Feb 21

home made malware

By alberg (hacks, online security)

Just like momma used to make...

Over the past few weeks I have been playing around with the Metasploit Framework, an open source software program which automates the process of using exploits to compromise systems.  Metasploit is a great tool for penetration testers as well as an excellent way to get familiar with the tools and tricks used by the bad guys.

My recent experiments with Metasploit have been focused on malware.  One of the modules in the toolkit allows the user to create back doored executable files, which when run on the targeted host, connect back to the attacker machine and provide access to the now compromised system.  I found that it was pretty darn easy to create one of these booby trapped executables piggybacked onto an innocuous program.  Of course, when I tried to copy my new creation to a system running one of the major anti virus programs, the appropriate alarms were set off and the system prevented me from installing my malware.  End of story, right?  Wrong.

Metasploit also includes tools which allow the user to encode the malware payloads they create to protect them from the prying eyes of anti virus software.  There are a number of encoding techniques to choose from, including one called "shikata ga nai," which is Japanese for "nothing can be done" and which scrambles the payload with a randomly keyed, self-modifying XOR scheme so that no two encodings look alike.  Once encoded with shikata ga nai, my amateur attempt at malware became a whole lot more interesting.  I was able to install it on systems protected with one of the major anti virus products in use in many large organizations.  Once installed, I had full access to the file system of the compromised computer, and could take screenshots and record audio, video and keystrokes from the system with nary a peep from the protective AV software.
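To make the encoding trick concrete, here is an added example, written for this page; it is not Metasploit's encoder, and the "payload" is a harmless marker string, not shellcode. It pairs a byte-wise XOR additive-feedback encoder, the idea behind shikata ga nai, with a naive signature scanner of the kind the post's AV experience suggests.

```python
"""Added example (not from the post or Metasploit): a toy XOR
additive-feedback encoder beside a naive signature scanner, showing why a
fixed byte signature stops matching once the payload is re-encoded.
The payload is a constructed marker string, nothing executable."""
import secrets

# Constructed stand-in for a malicious file: the scanner's signature is a
# substring of it, just as an AV signature is a substring of real malware.
PAYLOAD = b"constructed payload bytes: CONSTRUCTED_MARKER_PAYLOAD (nothing executable here)"
SIGNATURE = b"CONSTRUCTED_MARKER_PAYLOAD"


def random_key() -> int:
    """Fresh one-byte key per encoding; never 0, which would leave the first byte as-is."""
    return secrets.randbelow(255) + 1


def encode(data: bytes, key: int) -> bytes:
    """XOR each byte with a running key, then advance the key by the plaintext
    byte (additive feedback).  The same byte value therefore encodes
    differently at different positions, and a single wrong key byte corrupts
    everything that follows."""
    out = bytearray()
    k = key & 0xFF
    for p in data:
        out.append(p ^ k)
        k = (k + p) & 0xFF
    return bytes(out)


def decode(data: bytes, key: int) -> bytes:
    """Mirror of encode(): what the decoder stub prepended to a real encoded
    payload does at run time before jumping into the decoded bytes."""
    out = bytearray()
    k = key & 0xFF
    for c in data:
        p = c ^ k
        out.append(p)
        k = (k + p) & 0xFF
    return bytes(out)


def signature_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive static scanner: flags a blob if the signature bytes appear in it."""
    return signature in blob


def demo() -> dict:
    k1, k2 = 0x5A, 0xC3          # two fixed keys so the run is reproducible
    e1, e2 = encode(PAYLOAD, k1), encode(PAYLOAD, k2)
    return {
        "raw_detected": signature_scan(PAYLOAD),
        "encoded_detected": signature_scan(e1) or signature_scan(e2),
        "encodings_differ": e1 != e2,
        "roundtrip_ok": decode(e1, k1) == PAYLOAD and decode(e2, k2) == PAYLOAD,
    }


if __name__ == "__main__":
    print(demo())
    print(encode(PAYLOAD, random_key()).hex())   # different every run
```

The scanner flags the raw bytes and misses both encodings, which also differ from each other, so a signature taken from one sample does not match the next. Real AV engines respond by looking for the decoder stub itself and by emulating the decode loop, which is why encoders like shikata ga nai randomize the stub's instructions as well; that part is outside this toy.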

I have to admit that this freaked me out a bit – I did not have to write a single line of code to do this.  I simply used the “evil erector set” parts provided by Metasploit.   The antivirus that I used for testing was up to date and correctly configured.  At first, I thought that I had found a weakness in the specific antivirus package I was testing with.

To see if this theory was correct, I uploaded my Tinker Toy malware to a site called Virus Total.  Virus Total takes the files you upload to it and runs them through 45 different anti virus programs and reports on the results.  The executable I generated from Metasploit was detected by only 19 of the 45 scanners.  The scanners which failed to detect the malware included some of the biggest names in the business.

So, what does this tell us?

First of all, it does not take a genius to build effective malware.  While I like to think of myself as pretty technical – I have no digital clocks flashing midnight in my house – I cannot code my way out of a paper bag.  The people who create malware for a living have many more tricks up their sleeves and can (and do) create much more stealthy malware than I ever could.

Second of all, while anti virus software provides protection against much of the “run of the mill” malware your users will encounter, if an attacker is specifically targeting your organization, they will probably whip up something custom which will slip by the AV scanners. So, while you still need to keep those signatures up to date, don’t fool yourself into thinking that a well managed AV install is a panacea.

Which brings us to our third conclusion – that people continue to be the biggest potential weak link in our organizations’ defenses. Malware attacks depend on momentary human failure for success.  Whether it is enticing a user to “download an e-card” from a friend or to click on a link which takes them to a so-called “drive by download” site which will compromise their system, these attacks work when users are too trusting and let their guard down for just a second.

As security professionals, we need to test and educate our users.  Only by demonstrating to them how easy it is to make a mistake which could open up the organization to systems compromise can we hope to get them to think before they click or download something nasty.

Next week, I’ll talk about how I conducted just such a test in my organization with little cost and effort and how you can do so as well.

Feb 13

One way to get stuff out of an iPhone without the passcode...

Apple’s iPhone and iPad have been phenomenally successful in the consumer sector and have been making inroads into the corporate world as well.  However, the iOS platform has been dogged by concerns around the security of information stored on these devices. This week, a group of researchers supported by the German government released a paper and video demonstration (see below) which once again highlights serious weaknesses in the security of iOS.

The group, from the Fraunhofer Institute for Secure Information Technology, wanted to see whether they would be able to extract user passwords from a locked iPhone or iPad without knowing the device’s passcode.   What they found was disturbing.   By jailbreaking the device and installing a script which takes advantage of weaknesses in Apple’s Keychain password storage system, the researchers were able to extract a variety of passwords in under six minutes.

Corporate applications did not fare well under this attack.  The research team found that they could extract passwords for LDAP, Microsoft Exchange, VPN connections, voicemail, and WIFI credentials quite easily simply by having physical possession of the phone and low to moderate levels of technical skill.   They also found that passwords for Gmail accounts set up as Exchange servers were easily accessible.

The underlying problem that allows this attack to succeed has to do with how iOS encrypts the keychain items in question.  The key used to encrypt them is derived from material present on the device itself and does not involve the user's passcode at all.  This means that anyone who can run code on an iPhone, iPod or iPad in their physical possession – which is exactly what the jailbreak provides – can have the device derive the key and decrypt the data, passcode or no passcode.  Not a good thing.
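An added example (not from the post and not Apple's code) of the design difference the paragraph describes: a secret protected under a key derived from device material alone, beside one whose key also folds in the passcode. The device UID, secret and passcode are constructed, and a simple HMAC-based stream cipher stands in for a real one so the example runs with the standard library only.

```python
"""Added example: device-only key derivation versus passcode-bound key
derivation, under an attacker who holds the device but not the passcode.
DEVICE_UID, the secret and the passcode are constructed values."""
import hashlib
import hmac

# Constructed stand-in for the per-device secret burned into the hardware.
DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (HMAC-SHA256 counter-mode keystream) so the example
    needs no third-party library.  Encrypt and decrypt are the same call."""
    out = bytearray()
    for start in range(0, len(data), 32):
        block = hmac.new(key, nonce + (start // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


def device_only_key(uid: bytes) -> bytes:
    """Key derived from device material alone.  Whoever can run code on the
    device (a jailbreak gives exactly that) can recompute it, passcode or not."""
    return hashlib.sha256(b"device-only|" + uid).digest()


def passcode_bound_key(uid: bytes, passcode: str, iterations: int = 10_000) -> bytes:
    """Key that entangles the device secret with the passcode via PBKDF2, so
    possession of the device is not enough.  The iteration count (kept low
    here for speed) is what slows offline guessing of short PINs."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), b"tangle|" + uid, iterations)


def brute_force_pin(uid: bytes, nonce: bytes, blob: bytes, known_prefix: bytes, candidates):
    """What an attacker with the device does when the key IS passcode-bound:
    try candidates until the decryption starts with an expected prefix."""
    for pin in candidates:
        if keystream_xor(passcode_bound_key(uid, pin), nonce, blob).startswith(known_prefix):
            return pin
    return None


def demo() -> dict:
    secret = b"vpn-password: correct horse battery staple"   # constructed keychain item
    nonce = b"\x00" * 8
    passcode = "1234"
    weak_blob = keystream_xor(device_only_key(DEVICE_UID), nonce, secret)
    strong_blob = keystream_xor(passcode_bound_key(DEVICE_UID, passcode), nonce, secret)

    # Attacker model: physical possession (hence DEVICE_UID), no passcode.
    via_device_key = keystream_xor(device_only_key(DEVICE_UID), nonce, weak_blob)
    wrong_guess = keystream_xor(passcode_bound_key(DEVICE_UID, "0000"), nonce, strong_blob)
    owner = keystream_xor(passcode_bound_key(DEVICE_UID, passcode), nonce, strong_blob)
    found = brute_force_pin(DEVICE_UID, nonce, strong_blob, b"vpn-password:",
                            (f"12{i:02d}" for i in range(100)))   # 100 of the 10,000 4-digit PINs
    return {
        "device_only_item_recovered_without_passcode": via_device_key == secret,
        "bound_item_recovered_without_passcode": wrong_guess == secret,
        "bound_item_recovered_by_owner": owner == secret,
        "bound_item_pin_found_by_guessing": found,
    }


if __name__ == "__main__":
    print(demo())
```

The attacker with the device recovers the device-only item outright. The passcode-bound item resists a wrong guess, but a four-digit PIN has only 10,000 possibilities, so the same attacker finds it by guessing; binding to the passcode buys time proportional to the KDF cost and the passcode's entropy, not immunity.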

So, what are the takeaways from this?

First, the iOS platform is still not ready for prime time when it comes to corporate use.   Apple still has not gotten the security features needed to keep sensitive information confidential right.  Using the iPhone or iPad in a corporate environment still requires add on software with strong encryption and secondary user authentication to sandbox and secure corporate data.

Second, users should not rely on the passcode to protect their phones or tablets in case of loss or theft.  If your device has gone missing, you need to change your sensitive passwords which were stored on that device as well as any passwords which you have used on multiple systems.  While using Apple’s “Find My iPhone” feature to remotely erase your device provides some protection, you can’t really count on this to guarantee the safety of your passwords.

It seems to me that the iOS passcode is in some ways an anti-security feature.  Most unsophisticated users probably see the passcode as guaranteeing that nefarious people can’t access their sensitive data.  In fact, it is in some ways an instance of “security theater,” which provides a false sense of security and encourages users to take risks with their device and the information on it.

If Apple is serious about making iOS devices ready for the corporate market they need to get with the program and build real security features into iOS.

Feb 05

Not sure if this particular printer is a threat...

You probably don't give much thought to the printers on your network, at least from a security point of view.  Well, some recent research presented at the ShmooCon hacker conference in Washington DC last week provides some insight into how HP printers can be used in a quite surprising way.

It turns out that HP's networked printers all have some storage built into them in the form of RAM disks.  Normally, this storage is used to load fonts onto the printers.  Well, Ben Smith of the security research group remote-exploit.org got to thinking about that storage and how it might be put to use.

Smith described a toolsuite he designed called PrintFS, which takes the storage on all of those networked printers and aggregates it into a hidden file system, accessible only to those in the know.  PrintFS makes the printer storage look like a hard disk to computers with the software installed.

A program called PFScanner is used to find all of the printers on the network suitable for use with PrintFS.  According to Smith, PFScanner was written to evade signature based intrusion detection systems by varying the order in which it carries out its scanning steps.

When files are written to the virtual printer disk, they are compressed, encrypted and given randomly assigned file names which are mapped to a table stored on the computer running PrintFS.  Each file is stored on two separate printers, so that if a printer is turned off, rebooted or removed, the files in its memory are not lost.

PrintFS could provide attackers with a valuable tool for evading detection.  In many cases, attackers who gain access to networks spend a lot of time finding the information of value, packaging that information, storing it on a staging server, and then exfiltrating the data.  One of the ways that these long term attacks are discovered is when an alert system administrator finds the attacker's cache of data waiting for transmission off the network.  By hiding the data in a virtual disk which is off the radar of most system administrators, the attackers gain more time to exploit the network.

PrintFS has another advantage for the attacker… if their presence on the network is detected, one of the tools in the suite provides a “panic button” which they can use to reboot all of the printers which make up the virtual hard drive.  Since the data is stored in the RAM of the printers, pushing the panic button will remove all of the data and leave no forensic evidence behind.

Given that PrintFS is a hacker tool, it is not surprising that Smith included some other functionality… for example, the PrintJack module which serves as a GUI for the scanner also allows the mischievous attacker to change the messages on printers’ status displays to something of their own choosing, say “Insert a quarter to print.”  The tool also has a denial of service mode which can either simply prevent jobs from being accepted by the printer or cause the printer to print black pages continuously, exhausting the supply of paper and/or toner.

I think what is most important about PrintFS is how it takes devices on our networks which we don't give much thought to and exploits their "dullness" to hide what the attackers are up to.  While I hope that HP comes up with a patch to prevent this attack from being successful on newer printers, it is very likely that the majority of the millions of HP printers out in the field will remain vulnerable, since upgrading printer firmware is not at the top of the priority list for most IT departments.

It seems to me that the way to detect attacks like PrintFS is to get a good baseline of the traffic on your network and to look for anomalies involving the amount of data transferred between IP addresses and the times of those transfers.  If your office hours are nine to five and you start seeing megabytes of traffic flowing from a workstation to a printer at 3 AM, this is a good time to put on your investigator hat and find out why.
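As an added example (not part of the post or the PrintFS tool suite), here is the detection idea from the previous paragraph over NetFlow-style records: build a per-printer baseline of bytes per flow during office hours, then flag bulk transfers to printers outside those hours or far above the baseline. The flow records, addresses, hours and thresholds are all constructed.

```python
"""Added example: flag bulk workstation-to-printer transfers that are either
outside office hours or far above that printer's office-hours baseline.
Printer addresses, flow records and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime
import statistics

PRINTERS = {"10.1.1.200", "10.1.1.201"}          # constructed printer addresses
OFFICE_HOURS = range(9, 17)                       # 09:00-16:59, the post's "nine to five"

# Constructed flow records: timestamp, source, destination, bytes sent to destination.
# Feb 1-2 are ordinary print jobs; Feb 3 has two 15 MB pushes at 3 AM, a tiny
# off-hours poll, and a 2 MB daytime push.
FLOWS = """\
2011-02-01T09:15:00 10.1.1.20 10.1.1.200 48213
2011-02-01T10:02:00 10.1.1.21 10.1.1.200 131072
2011-02-01T11:40:00 10.1.1.22 10.1.1.201 90211
2011-02-01T14:05:00 10.1.1.20 10.1.1.201 22000
2011-02-01T15:30:00 10.1.1.23 10.1.1.200 75000
2011-02-02T09:50:00 10.1.1.21 10.1.1.200 64000
2011-02-02T13:10:00 10.1.1.22 10.1.1.200 110000
2011-02-02T16:20:00 10.1.1.20 10.1.1.201 58000
2011-02-03T03:02:00 10.1.1.30 10.1.1.200 15728640
2011-02-03T03:04:00 10.1.1.30 10.1.1.201 15728640
2011-02-03T03:30:00 10.1.1.5 10.1.1.200 1800
2011-02-03T10:15:00 10.1.1.21 10.1.1.200 2100000
"""


def parse_flows(text):
    """Return (timestamp, src, dst, bytes) tuples from whitespace-separated lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def build_baseline(flows, min_samples=3):
    """Mean and standard deviation of bytes per weekday office-hours flow, per printer."""
    per_printer = defaultdict(list)
    for ts, _src, dst, nbytes in flows:
        if dst in PRINTERS and ts.hour in OFFICE_HOURS and ts.weekday() < 5:
            per_printer[dst].append(nbytes)
    return {dst: (statistics.mean(v), statistics.pstdev(v))
            for dst, v in per_printer.items() if len(v) >= min_samples}


def detect(flows, baseline, floor=1_000_000, sigmas=3.0):
    """Flag flows to printers that are bulk transfers outside office hours, or
    that exceed the printer's baseline by `sigmas` standard deviations.  The
    byte floor keeps small status polls (SNMP, discovery) from alerting."""
    alerts = []
    for ts, src, dst, nbytes in flows:
        if dst not in PRINTERS or nbytes < floor:
            continue
        off_hours = ts.hour not in OFFICE_HOURS or ts.weekday() >= 5
        mean, sd = baseline.get(dst, (0.0, 0.0))
        if off_hours:
            reason = "bulk transfer to printer outside office hours"
        elif nbytes > mean + sigmas * sd:
            reason = f"transfer {nbytes / max(mean, 1):.0f}x the office-hours baseline"
        else:
            continue
        alerts.append({"time": ts.isoformat(), "src": src, "dst": dst,
                       "bytes": nbytes, "reason": reason})
    return alerts


def run():
    flows = parse_flows(FLOWS)
    cutoff = datetime(2011, 2, 3)                  # baseline on earlier days, inspect from here on
    baseline = build_baseline([f for f in flows if f[0] < cutoff])
    return detect([f for f in flows if f[0] >= cutoff], baseline)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The two 15 MB flows at 3 AM and the 2 MB daytime flow trip the rules; the 1.8 KB off-hours poll is dropped by the byte floor. In production the baseline would be computed over weeks of flow data per printer, and a flow from a printer back to a workstation at an odd hour (a read-back of the hidden file system) deserves the same treatment.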

PrintFS is scheduled for release in the next week or two at www.remote-exploit.org.  It is written in the Python scripting language, which means that it will run on a variety of platforms (Windows, Linux and Mac).

PrintFS is just one of a number of interesting tools and techniques discussed during ShmooCon 2011.  I'll be posting more about what I learned at ShmooCon over the coming weeks.

This post is a transcript of a piece I did for broadcast on IGTV – the weekly video broadcast of New York Metro InfraGard.

Jan 21

malware in your pocket

By alberg (hacks)

You're going to need a better pocket protector than this...

2011 is looking to be the year when mobile malware comes into its own.  Why?  First off, the devices we carry in our pockets are morphing from phones to true computers.  They can run sophisticated software, and multitask, allowing evil code to lurk in the background and do its dirty work.  Secondly, our phones are increasingly becoming repositories of interesting and valuable information.  Mobile payment applications such as Square and even Starbucks’ “pay for your coffee” app mean that there’s gold in them thar phones for attackers.

Researchers in Hong Kong and Indiana have provided us with a preview of things to come with their Soundminer proof of concept app for Android.  Soundminer and its companion app, Deliverer, listen for spoken or touch-toned credit card numbers during phone calls.  The recordings are converted into typed numbers and then delivered (by Deliverer) to the central control server.  This is pretty sophisticated stuff.  Converting the recordings to text on the phone is a neat trick – and the authors found a really clever way to get around Android's restrictions on sharing information between apps.  Both of the apps require fewer privileges than many legitimate Android Market apps.  You can read more about this project and see a video demo here.

While Soundminer is a proof of concept, there have been some instances of mobile malware found in the wild.  Another Android trojan called Geinimi appeared on Chinese app stores in 2010.  Geinimi is meant to be packaged with legitimate applications.  Geinimi appears to be able to send information about SMS messages and contacts to a remote server, make phone calls and download files, according to an analysis conducted by Lookout, a purveyor of anti malware software for Android phones.

I think that over the next year, having an antimalware program on your phone or tablet will be the status quo… Lookout seems to be the market leader in the Android world at the moment, but industry leaders Norton and McAfee have both released Android apps as well.  I have a feeling that this is going to be a profitable market segment – and the source of security woes for many smartphone users.

Jan 12

bus-ted

By alberg (hacks, online security, worst practices)

Back in May, I wrote about the Commonwealth of Massachusetts' kick ass new data protection law, which looked like it could really encourage companies doing business in the state to pay more attention to the security of customer information.  Well, since the law's passage, there has not been any enforcement action in connection with it, and the MA Attorney General has not issued any guidance for companies as to how to comply with the law's provisions.  This may be about to change, however, thanks to a recently reported breach of the credit card numbers and personal information of 1800 MA residents (amongst a total of 110,000 records stolen) resulting from a hack of the web server of New York City based CitySights (a tour bus operator).  I really hope that MA throws the proverbial book at these guys.  For one thing, they violated both PCI standards and common sense by storing credit card CVV2 codes with the associated credit card numbers.  More importantly, they consistently mistake me for a tourist as I walk around midtown and try to sell me tour bus tickets.  Do I look like a freakin tourist???

Oct 03

At this past summer’s Def Con hacking convention, the folks at www.social-engineer.org decided to run a “Capture the Flag” competition to highlight the risks posed by social engineering, the art of extracting information from employees in order to make hacking a company’s systems or processes easier.  The test was run under a number of constraints; participants were not allowed to ask for passwords, credit card numbers and the like, due to legal concerns.  Instead, they were tasked with finding out things like the target companies’ operating systems in use, PBX vendors, VPN equipment, payday dates, trash handling and the like.  A total of 15 companies were targeted for open source research and follow up calls.  The results?

  • 14 out of the 15 companies provided one or more of the requested pieces of information.
  • Only 7 companies gave the attackers any resistance to answering the questions they were asked.
  • Out of 135 calls made, only 11 individuals put up any resistance to answering the attackers’ queries.

Some interesting (and depressing) take aways from this report…

Most employees offered no resistance to the attackers’ requests for information. Those that did offer resistance could often be persuaded to give up the goods with a little more conversational kung-fu on the part of the attacker.  Of course, it is possible that the contest’s rules against asking for really sensitive personal information like passwords and credit card numbers may have come into play here.  I would think that the employees would have put up a bit more of a fight if the information being asked for was perceived to be more valuable.  This being said, getting information of low perceived value can help the attacker build a more convincing cover story for later attempts to get to the crown jewels.

Eighty percent of employees called were willing to visit a web address supplied by the attacker. This is pretty disturbing, as it provides the attacker with a great way to collect information about victims’ computers and to install targeted malware on vulnerable interesting systems.

In many cases, the only thing that stopped an attacker from getting a particular piece of information was the employee's ignorance or the fact that they were too busy to continue the call. In some cases, employees went out of their way to try and find the information in order to be helpful.  The fact that many of the people called worked in customer or employee facing call centers seemed to work in the attackers' favor – after all, the call center exists to be helpful.

Attackers calling to ask “survey questions” were able to extract information from their victims pretty consistently.  The context of a survey allows the attacker to ask a series of questions and when the call is delivered in an engaging manner, the employee can be coaxed into providing lots of information.  Security awareness programs should include periodic reminders that employees should not provide answers to questions posed by callers “as part of a survey.”  At my office, I ask employees to transfer these types of calls to Security so we can mess with them.

Ex-employees can also be a source of information about your company.  An attacker armed with a list of recently departed employees could gather information by calling them posing as an employment recruiter.  In this context, asking questions about systems and processes can seem innocent.  It is important to have confidentiality agreements in place with employees and to remind them of their continuing obligations under those agreements after they leave the company.

While this contest was limited in its scope and realism (due to the limits on what could be asked for), I would recommend reading the report to get an idea of what we security professionals are up against.  In these times of limited or shrinking budgets, closing up the security holes that result from human behavior can be a very effective – and cost effective – way to protect our organizations.  Let your employees know about the threat of social engineering attacks and give them a procedure to follow when a call gets suspicious (like having them transfer the call to Security).

Let’s make the hackers work a little bit, folks!
