Security Week 47: {not} Hacked Tor, Gmail Warns About Decryption, Barcode Attack

November 20, 1985 the world first became acquainted with the operating system Windows. No not like this. With the Windows 1.0 operating system, a rather narrow stratum of people connected with IT, who exactly 30 years ago was much less than now, met. The press materials for the launch were printed on paper, with warm tube photographs of the interface taken from the monitor with a film camera. In an amicable way, Windows 1.0 and OSes cannot be called, most likely an add-on to MS-DOS. In a press release, Bill Gates is quoted as saying: "Windows gives users unprecedented opportunities today, and also is the foundation for development in the field of software and hardware for several years to come." And in general, he was right, so it all happened.

30 years later, Microsoft announces a major security initiative, and follower of Bill Gates and Stephen Ballmer Satya Nadella calls Windows 10 the most secure operating system. But you can argue with that, but the announced plans to improve the security of the platform are impressive: a new mobile security management system for companies (moreover, with iOS and Android support), expansion of experts inside the company, including analytics from millions of Windows machines all over the world. Most of the initiatives in the announcement are aimed at corporate security, but ordinary users are promised more protection against malware, password theft and other things.

How much the security situation will change, time will tell, this week Microsoft announced its plan rather than report the results. Despite the difference in technologies and capabilities, between Windows 1.0 and Windows 10 there is much in common not only in the name. Having survived a long-term period of an almost absolute monopoly, the Microsoft platform, like 30 years ago, is seriously competing with other operating systems. But in the field of security, everything has changed: from the very statement of the problem to the scale of the threats. There is not only Microsoft, but all software and hardware developers have work to do. Let's see what happened this week. All issues of digest - here .

Carnegie Mellon University either hacked, or did not hack Tor, and either received or did not receive a million dollars for it from the FBI
News Previous news . An analysis of Tor from the point of view of anonymity.
')
An excellent sample of news about security, which does not have a single gram of technology. Last week, a record was published on the Tor project site, at which Carnegie Mellon University was accused of a) that they tried to hack Tor with the help of “charged” transmitting network nodes b) they received (at least) $ 1 million from it FBI. This is a vulnerability that was made public and closed in the summer of 2014: the project management then reported that the modified attack nodes were observed on the network from February to July, and everyone who used Tor during this period was in theory somewhat less anonymous than expected.

At about the same time, at the Black Hat 2014 conference in August, Carnegie Mellon researchers were told about how Tor users can be de-anonymized for as little as $ 3,000. Long before the event, the application responds unexpectedly, the text of the announcement is removed from the Black Hat website. And this year, in the materials of the trial of the operator Silk Road 2.0 - a follower of the very drug supermarket and other lewdness - it is mentioned that it was possible to prove the connection between the accused and the server on which the underground store was spinning with the help of a “university-based research center”.



That same 1 million dollars, at the same time, is a pure guess based on information from sources "who wished to preserve anonymity." We know these sources. So why did this news last week and this one generate so much drama? Even without last year’s vulnerability in Tor, there are plenty of ways to uncover the identity of a particular user, although the Snowden leak says that this network is a real headache for law enforcement. Well, it was investigated, well, paid, and what? The claim of the Tor project is that a similar method of hacking the network - when many users are compromised at once, and then look for the necessary data in the received data - it’s not quite correct. To put it bluntly, this is another version of mass surveillance, not entirely ethical, and if the FBI don't give a damn about their reputation, it is not a well-known university. Therefore, criticized.

This week, a Carnegie Mellon spokesman tried to rectify the situation. It didn't work out very well: the three paragraphs of the official statement contained a fog and opaque hints that in some cases law enforcement agencies could use a court order to clarify the details of their research with the researchers. And the university has to obey them. We translate into human language: there was no million dollars, but the FBI did receive the necessary information. Not all experts and sofa experts agree, but further the discussion begins as to who pays what and how much for what - well, not at all interesting. An important thought was expressed by Tor Project Director Roger Dingledine. Carnegie Mellon researchers in theory represent the security industry, which must identify threats and help repair them. Law enforcement agencies need to help investigate threats, but to become their contractor and break protection with the help of the found vulnerabilities is not OK.



Carnegie Mellon researchers crossed this fine line or not — we do not know for certain, but an interest in this story shows that the question is really serious.

Google will warn GMail users about emails sent via unprotected channels.
News

A five-minute google phrase for “E-Mail is Dead” gives a lot of links to articles , pamphlets , creative sketches and news about whether email has died or not yet. This is one of the most ancient concepts of the Internet, many technical aspects of which were standardized back in the 70s (and prototypes that are similar at the level of ideas appeared in the 60s). Older than the web, much older than Facebook, noticeably even older than the personal computers themselves and their derivatives. Despite the fact that modern mail differs from the 1978 UUCP sample in the same way as Windows 1.0 from Windows 10, at the infrastructure level one does not have to dig deep to stumble upon some poorly configured server dinosaur forgotten in the far corner.

The key issue of email is security. Just about 10 years ago, the POP3 protocol, which does not involve any kind of data encryption, was a widely used method of transferring messages from server to user. Here we also write down the problem of identifying the sender: it is still quite simple to forge a message. GMail itself seems to be all right with protection, but other mail system operators are not necessarily the same. How bad is it? Google researchers found in a research paper . We took a million domains from the top of Alexa, identified 700 thousand unique mail servers and analyzed their security.

It turned out that's what. 82% of mail servers supported connection via TLS protocol, but only 35% of them were correctly configured. Those two-thirds of incorrectly configured servers can easily transmit messages in clear text, which means when mail is sent from them or through them to GMail or to another well-protected server, at a certain stage it still passes through open channels. If we read from the reports, then about a quarter of mail coming to GMail from servers outside the US was unencrypted. Especially the researchers noted a very bad situation in the mail in Tunisia, Papua New Guinea, Nepal, Kenya, Uganda and Lesotho. For example, 96% of messages coming to GMail from Tunisian servers are unencrypted.


The study has some positive points.

As a result, Google plans to inform GMail users if the message that came to them passed through open channels in an unprotected form. Thus, hinting that this correspondence can be read by anyone. Like the previously announced DMARC initiative, this is a good innovation, especially since GMail (so far) does not promise to block these messages, throw them into spam, and so on. But the trend is interesting - a new look at the very fragmentation of the Internet, which many experts say . It only happens not for political reasons, but for technical reasons: if somewhere in the remote wilderness there is not enough knowledge and resources to properly set everything up, then sooner or later this wilderness may cease to have equal rights with other resources on the world wide web.

Barcode scanners can be hacked. Guess what
News Video demonstration of the researcher.

This week, Japan hosted the PanSec 2015 conference, at which researchers from the Chinese company Tencent showed an interesting way to hack barcode scanners. Using, as you probably already understood, barcodes. Specially modified barcodes allowed to execute arbitrary commands on the system with the scanner installed, something like this: open the console with one tricky code, and print commands into it with other tricky codes. It is noticeable on the video that hacking of this kind is a rather laborious task. You can’t write down a lot of data in the barcode, so the researcher has to scroll a pack of codes in front of the scanner in order to achieve a result. If suddenly this kind of attack turns out to be simplified, then theoretically a lot of things will be put at risk. For example, barcode scanners "find out the price" in stores - it is quite possible to assume that they are connected to a closed network with a lot of interesting information inside.

The moral of this story is: user input cannot be trusted, no , even if non-standard methods are used. Today we are talking about a barcode scanner, tomorrow we will probably discuss fingerprint scanners in cell phones. Regardless of the input format, we get the code at the output, and this code may well be executable.

What else happened:
Police DVRs are infected with the Conficker virus. Konficher, Karl! Worm 2008 release . All because of the outdated OS and the lack of basic security measures from the manufacturer. This is not the only example of this kind. In September, a Conficker-friendly vulnerability was discovered on a variety of medical computer devices in the United States. Video of the authors of the study:



An interesting study of standard encryption systems in iOS and Android. Brief summary: physical access to devices so far allows for this encryption to be circumvented, even if not by the most trivial methods.

Two new representatives of POS-malware - malware attacking malicious terminals and allowing to steal credit card data. Very few companies are facing this threat so far (according to our data, only 1%), but the consequences of even one successful attack on, for example, a large retail network can be very serious.

Antiquities:
Family "Brain"

It consists of two almost identical innocuous viruses: “Brain-Ashar” and “Brain-Singapore”. They infect boot sectors of floppy disks when they are accessed (int 13h, ah = 02). The continuation of the virus and the initial boot sector are located in sectors that belong to free disk clusters. When searching for these clusters, viruses have to analyze the file allocation table - FAT. In the FAT, these clusters are labeled as “bad” (so-called pseudo-broken clusters). The infected disk is set to a new label "(C) Brain". Viruses use the “stealth” mechanism: when trying to view the boot sector of an infected disk, the true boot sector is “substituted”.

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 95.
By the way, in 2011, Mikko Hipponen from the F-Secure company specifically traveled to Pakistan to talk with the authors of the virus. It turned out to be difficult to find them, but quite real: the authorship was coded in one of the modifications. Brain is considered one of the very first viruses for the IBM PC platform. Discovered in 1986.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.