
Non-standard top security news: January

Hello! After a successful digest of the news of 2014, we decided to make the rubric regular, or more precisely monthly. Today: the most important information security news of January. The method of selecting news has changed a bit. We still take the most visited news on our site Threatpost and try to understand why they received such attention, but in the monthly digest there will be five of them. I remind you that Threatpost collects all the news of the information security industry; the Lab's own research is published on the Securelist website.

Summary: the hole in glibc and why techies and humanities people don't get along, the North Korean browser, a charger with a keylogger and holes in keyboards, cryptolockers in general and, in particular, hacking WiFi with social engineering.

5. Wifiphisher: WiFi hacking with a thick layer of social engineering
News. Thematic thread on Stackexchange, where the problem was formulated three years ago.

In the previous digest we said that the Internet is broken. So, of everything that is broken on the Internet, or rather on computer networks in general, wireless networks are the most broken. We have consistently experienced the holy simplicity of the WEP protocol; we have repeatedly seen that unprotected public wireless networks are bad; we have glanced into the bottomless security hole called WPS. Now we are experiencing a tsunami of bugs in router firmware: now a default password (or a similar hole) is found in the firmware, now a crookedly written NAT, now something else. In short, only social engineering was lacking here.

Lacking? Here it is. It's very simple: just create an access point with exactly the same SSID within the victim's reception area. When the victim tries to connect to it, we ask the victim for the password of the real access point and carefully save it. And that's it: we have access and the opportunity to carry out a MITM attack. Oh no, not quite. First you need to persuade the victim's computer or smartphone to try to connect to our access point. And this is done by stuffing the air with deauthentication packets: they cause legitimate clients to disconnect, after which they can be connected to the fake access point.



Another discussion on Stackexchange makes it clear that the problem has been known for a long time, and that (as far as deauth packets go) it is treated poorly or not at all. So what is the news? The news is that the process of stealing passwords by this method has been automated, and the corresponding Wifiphisher utility was published on GitHub. Moral of the story: when someone or something asks you for a password (no matter where), think twice before entering it. Actually there are two morals; the second is that there is no way to defend against man-in-the-middle attacks other than by ruling out the possibility of carrying them out. And ruling them out will not work, at least not on this Internet.
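Since deauthentication frames are unauthenticated and cannot be rejected, the practical defensive move is to notice the burst that precedes the fake access point. The detector below is an added example written for this digest (not part of the original post or of Wifiphisher); the frame record, the `deauth_burst` function and the sample capture it runs over are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* One captured 802.11 management frame reduced to what the check needs
   (a constructed record type, not a capture-library structure). */
struct mgmt_frame {
    double  t;         /* capture time in seconds; frames are sorted by t */
    uint8_t subtype;   /* 802.11 management subtype: 8 = beacon, 12 = deauthentication */
    uint8_t bssid[6];  /* BSSID the frame claims to come from */
};
#define SUBTYPE_BEACON 8
#define SUBTYPE_DEAUTH 12

static int is_deauth_from(const struct mgmt_frame *f, const uint8_t bssid[6]) {
    return f->subtype == SUBTYPE_DEAUTH && memcmp(f->bssid, bssid, 6) == 0;
}

/* Return 1 if more than `threshold` deauth frames claiming `bssid` fall inside any
   window of `window_s` seconds, else 0. A real AP rarely kicks many clients at once,
   so a burst from one BSSID is the signal worth alerting on. */
int deauth_burst(const struct mgmt_frame *fr, size_t n, const uint8_t bssid[6],
                 double window_s, size_t threshold) {
    size_t head = 0, count = 0;   /* count = matching frames within fr[head..i] */
    for (size_t i = 0; i < n; i++) {
        if (!is_deauth_from(&fr[i], bssid)) continue;
        count++;
        while (fr[i].t - fr[head].t > window_s) {       /* slide the window forward */
            if (is_deauth_from(&fr[head], bssid)) count--;
            head++;
        }
        if (count > threshold) return 1;
    }
    return 0;
}

/* Constructed sample capture: 25 deauths in half a second from AP_A (a flood),
   then ordinary beacons from AP_B plus two isolated, legitimate-looking deauths. */
const uint8_t AP_A[6] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
const uint8_t AP_B[6] = {0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};

static void push(struct mgmt_frame *o, size_t *n, double t, uint8_t st, const uint8_t b[6]) {
    o[*n].t = t; o[*n].subtype = st; memcpy(o[*n].bssid, b, 6); (*n)++;
}

int check_sample(const uint8_t bssid[6], double window_s, size_t threshold) {
    struct mgmt_frame fr[32]; size_t n = 0;
    for (int i = 0; i < 25; i++) push(fr, &n, 0.02 * i, SUBTYPE_DEAUTH, AP_A);
    for (int i = 0; i < 5; i++)  push(fr, &n, 1.0 + i, SUBTYPE_BEACON, AP_B);
    push(fr, &n, 10.0, SUBTYPE_DEAUTH, AP_B);
    push(fr, &n, 20.0, SUBTYPE_DEAUTH, AP_B);
    return deauth_burst(fr, n, bssid, window_s, threshold);
}
```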

By the way, the Marriott hotel chain once indulged in deauth packets itself, using them to block the wireless access points brought in by guests. And it received a decent fine for this from the American equivalent of Roskomnadzor.

4. Cryptolockers: how a hidden threat differs from an explicit one
News. More news. A detailed study of cryptolockers as a species.

I have already written that if you ask companies what kind of cyber threats they encounter most often, spam will most likely end up in first place. But spam is the kind of thing whose damage is not obvious. It exists, but it is difficult to count. And if it is difficult to count, then it is also not easy to assess how reasonable the costs of combating spam are. Moreover, anti-spam technologies are well developed, widespread and accessible.

Cryptolockers are another story. Unlike spam, the damage is easy to assess. Your company is attacked, important data is encrypted and made inaccessible, and a ransom is demanded. You lose money. You lose time. Moreover, a single incident can kill your company altogether; there is an example here. It is clear that it is necessary to defend against cryptolockers.



From the criminal's point of view, a cryptolocker is easy money. It is not a botnet that you first need to build and then sell to someone else. Therefore, alas, cryptolockers are actively developing, multiplying and spreading.

And what exactly is the news? Nothing special :) We described the main trends in the development of cryptolockers last summer (and continue to study them). Almost all security vendors do the same, including, for example, Microsoft and Cisco. There is enough work there for everyone. For example, extortionists use all the modern technologies for hiding illegal activity: payment in Bitcoin, communication via Tor and I2P, disguise from researchers.

But this is not the main thing. The greatest interest is in the technology for penetrating the victim's computer. A February Cisco study found that the creators of one of the Cryptowall variants are betting on exploit kits. For business, this means that the weakest link in the company's infrastructure is vulnerable software. Not exactly the discovery of the century, but the topic is extremely important, and the fact that almost every news item about cryptolockers attracts great interest proves it once again.

3. USB charger with a built-in keylogger
News

Another story about how difficult it is to control wireless communications began with the work of three researchers who decided to analyze the security of Microsoft's wireless keyboards. Somewhere in the marketing materials for these keyboards it probably says that the flow of information between the device and the USB receiver is securely encrypted. Yes, but there are questions about how reliable that is.

In short, the key for encrypting the characters is the MAC address of the keyboard, which, firstly, can be sniffed and, secondly, can be stolen remotely using features of the chip responsible for transferring data (and used in various devices, including medical ones). Or it need not be stolen at all: the first byte of the MAC address is the same on all the keyboards, which greatly facilitates brute force.

It remains to figure out how to get close enough to the keyboard to intercept keystrokes on a regular basis. And here researcher Samy Kamkar proposed an original proof of concept. Take an ordinary USB charger for smartphones and tablets, insert an appropriately flashed Arduino into it, and you get an electric Trojan horse. Which, by the way, works even when the charger is not plugged into an outlet: a small battery fits inside too. The device costs only $10 to build, and it is good that (for now) it is only a concept.



Microsoft did not comment on the study in any way, or rather said that it was "investigating the problem." And the problem is an interesting one: I doubt that a firmware update will solve it (or that one is possible at all). Only replacing the device will. Interesting: what if such an "incurable" bug is found not in a $40 keyboard, but in a $70,000 car? However, I digress.

2. A backdoor found in the North Korean browser
News

Impressed by the story of the Sony Pictures Entertainment hack, researcher Robert Hansen decided to carefully study the features of the North Korean Internet. Let me remind you that North Korea, presumably (attribution is generally a big problem), was the initiator of the attack, offended by the fact that probably the stupidest comedy of 2014 was shot about its leader.

North Korea uses its own Linux-based operating system, known as Pulgynböl Sayedzha Undchekhege or simply "Red Star". The browser is a Firefox fork named Naenara ("My Country"). Exploring the browser, Hansen found that every time Naenara was loaded, it knocked on a local IP address in the isolated North Korean network. Moreover, the entire network of the whole country is organized the way a company network is usually built: internal addresses, almost complete isolation from the outside world, and communication with it only through a proxy. Probably with the ability to track all traffic, including encrypted traffic: the browser accepts a single certificate, the state one, which probably also has some romantic name.

That is, all the tools needed for spying on users in a country with a single provider are already built into the only available OS. And this is happening in North Korea. Wow! Breaking news!



Of course, the popularity of this news is connected exclusively with the attack on Sony Pictures Entertainment and the likely involvement of this North Korean mega-hacker. But not only that. Robert Hansen revealed several techniques developed by guys who really know how to prohibit and restrict everything, not just the Internet. Especially the Internet. Read it!

1. Vulnerability in GLIBC, or why patches are important
News. CVE record. Red Hat advisory.

A lyrical digression. One of the important events of the past year was the hole in OpenSSL now known as Heartbleed. It was very interesting to watch events develop: an absolutely technical topic is first discussed in technical communities and publications, and then spills out into completely non-technical media. And for good reason! The problem really affected everyone: business owners, administrators, developers, users. In general, a huge number of people and companies. There was also a need to explain to a non-technical person (for example, the owner of the company or a top manager) in some simple and understandable way: what is the real trouble and what should we do now?

And so you come to this non-technical person and say something like this: Heartbleed is important because OpenSSL, in which the hole was found, is used everywhere. Your website may be vulnerable, your infrastructure may be vulnerable, even your personal mail on Yahoo may be vulnerable. What does "vulnerable" mean? Someone can steal your password and email. Someone can infect your site. Someone can steal your sensitive data. What to do? Patch everything, check everything, change passwords, strengthen infrastructure protection, because this is neither the first nor the last hole of such a scale.

And here the humanities person gets it, understands, and says in reply: where were you techies before? Why didn't you raise the alarm? Why didn't you advertise in the Times and in the newspaper Pravda? And in most cases it turns out that yes, they warned and discussed and investigated. But in their own technical style. Seriously though: to assess the scale of a particular vulnerability, you need to understand what the security hole actually is, know what the attack scenarios may be, and be able to assess the potential damage (what can be stolen and to what extent). And these are such different tasks that, as a rule, different specialists are engaged in them, and even if they all manage to combine their efforts, they usually do not find time to explain the essence of the matter to a wide audience.

So it turns out that for a non-technical person, problems like Heartbleed arise out of nowhere.
So, the hole in the GNU C Library is now at the "technical stage". That is, the vulnerability has been discovered, it has been established that it really affects security, and some attack scenarios have even been suggested. But how it can turn out in real life on real infrastructure, and what the damage can be, is not yet clear. In general, an unprepared person currently describes the vulnerability in the following way:



I will try to explain what happened in GLIBC as simply as possible. I must say: I'm not a programmer. My job is precisely to explain difficult things simply to a fairly wide audience. It is clear that Habr is not the place where the nuances of working with GLIBC need to be chewed over. I would really like to hear your comments on the text below. How would you solve the "explain it simply" task? What would you say differently? Did I explain everything correctly? :) Marketers have a simple tool: they write an important idea three times: a very short text, a medium one and a very long one. And then, according to circumstances, they use one of them. So I'll try that.

Short version:
It is necessary to regularly update the software on computers and servers; this increases security. A serious hole was recently discovered in Linux, and it also needs to be patched if you use Linux.

A bit longer:
The vulnerability in GLIBC affects almost all Linux-based systems, theoretically allows the execution of arbitrary code, and is therefore quite dangerous. So far there are no real and genuinely threatening attack scenarios, but this does not mean that they will not appear in the future. Therefore, it is necessary to regularly update the software.

And the very long version:
GLIBC is the standard C library for all Linux-based operating systems. It contains a large number of routines that perform standard actions: display something on the screen, allocate memory for an application, and so on. That is, it is used by those who write programs for Linux: instead of writing their own code for each task, they "take" the necessary routine from the GNU C Library. Thus developers both save a lot of time and get a standardized approach to solving typical problems.

That is, first of all, we must understand that GLIBC affects a huge number of programs: if there is an error in the code stored in the library, it can affect the operation of any program using this code. If there is a vulnerability in the code, then the programs that use it also become potentially vulnerable. Got it?



Let's go further. The vulnerability was discovered in the gethostbyname family of functions. These are small routines from the GLIBC collection that perform one simple task: given a site name (www.kaspersky.com) as input, they return its address in the form 123.123.123.123. If your program needs to carry out such an operation (and almost any program that works with a network needs it), you call this function.



The problem is that the function does not adequately check what it is given as input. As usually happens: the program receives data as input and wants to write it into a specially allocated area of memory of a certain size. And in general, it does not check whether the data will fit into this area or not. What is the result? Data is written outside the allotted area. Why is that bad? Well, firstly, other data of the same or another program may be located beyond the intended memory area, and that program may stop working. That is the best case. At worst, the data will be written over the code that needs to be executed. And if we manage to feed a piece of code to the leaky program and make it write that code the way and where it is needed, we can run some program of our own (more precisely, arbitrary code) on the computer without asking anyone.


Yes, I really like this picture :)
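The check described above, the one that decides whether input fits before writing it, as an added illustration for this digest and not glibc's code: a toy resolver in the style of the caller-supplied-buffer gethostbyname_r API that computes the bytes it needs first and refuses with ERANGE when they do not fit. The struct and function names, and the dotted-quad-only "resolution" (no DNS is done), are assumptions of the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result pointing into the caller's buffer, mirroring the gethostbyname_r API shape.
   The struct and function names are this example's own, not glibc's. */
struct host_result {
    char    *name;   /* copy of the queried name */
    uint8_t *addr;   /* 4-byte IPv4 address */
};

/* Toy "resolution": only dotted-quad literals are accepted; no DNS is performed. */
static int parse_dotted_quad(const char *s, uint8_t out[4]) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    out[0] = (uint8_t)a; out[1] = (uint8_t)b; out[2] = (uint8_t)c; out[3] = (uint8_t)d;
    return 0;
}

/* Resolve `name` into the caller's buffer. Returns 0, EINVAL (not a valid name) or
   ERANGE (buffer too small). The bytes needed are computed BEFORE anything is written:
   this is the check the text describes as inadequate in the vulnerable code. */
int resolve_r(const char *name, char *buf, size_t buflen, struct host_result *res) {
    size_t namelen = strlen(name);
    size_t needed  = namelen + 1 + 4;          /* name + NUL terminator + address */
    if (needed > buflen) return ERANGE;        /* refuse instead of writing past the end */
    uint8_t addr[4];
    if (parse_dotted_quad(name, addr) != 0) return EINVAL;
    memcpy(buf, name, namelen + 1);            /* both writes are now known to fit */
    memcpy(buf + namelen + 1, addr, 4);
    res->name = buf;
    res->addr = (uint8_t *)(buf + namelen + 1);
    return 0;
}

/* Exercise the check with a buffer of a chosen size (up to 64 bytes): returns the
   first address octet on success, or the negated error code. */
int try_resolve(const char *name, size_t buflen) {
    char buf[64];
    struct host_result r;
    if (buflen > sizeof buf) return -1;
    int rc = resolve_r(name, buf, buflen, &r);
    return rc != 0 ? -rc : (int)r.addr[0];
}
```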

So, we have settled the formulation of the problem. What could the attack scenarios be? Researchers from Qualys showed how to execute arbitrary code using this vulnerability when the Exim mail program calls the gethostbyname function. Thus, theoretically, we can attack a company's mail server running Exim and execute arbitrary code on it. Will we be able to steal the company's mail or get access to important documents or somehow cause real damage? Theoretically we can. But considering all the (not mentioned here) subtleties and reservations, we are not yet in a position to assess the risk of this vulnerability for data theft in the real world.

And this is the difference between GLIBC and Heartbleed. There we had a clear and distinct threat; here the threat is theoretical. In talking about the vulnerability, I dropped a lot of important reservations: the gethostbyname function itself is already outdated, the conditions for creating a buffer overflow are very specific, and when we begin to "try on" the vulnerability against programs that use this function, everything becomes difficult.

But that is for now. It is likely that someone (and it would be good if it is a researcher, not a cybercriminal) will find a way to quickly and easily break a large number of Linux servers using this vulnerability. And only then will Forbes magazine and the newspaper Life write about the vulnerability, and Channel One air a story. Everyone will say: oh, how could this be, the hole has existed since 2000 and nobody noticed. But it will be too late. Hence the conclusion: patching matters. And it is important to close detected vulnerabilities on our own servers, even if there seems to be no direct danger.

Source: https://habr.com/ru/post/250331/
