
Security Week 09: DROWN attack, HackingTeam returns, impressions from RSA Conference 2016

Today in San Francisco one of the major events of the information security industry, the RSA Conference, is coming to a close. More than 400 companies present their products here, everything from point solutions for VPN protection and encryption to comprehensive security platforms. One of the key topics of the conference was the evolution of cyber threats alongside the evolution of the infrastructure that is supposed to be protected from them. Among the familiar but still relevant topics is the protection of cloud systems (in any sense of that term); among the new ones is the protection of the Internet of Things, an ecosystem in which we will soon be dealing with billions of devices, each individually underpowered but in aggregate representing unprecedented computing power.



But IoT is a topic for the (admittedly near) future, while the most serious practical topic was protection against targeted attacks. Why does it matter? Targeted attacks are attacks on specific companies. Where traditional malware fires at random, here we are dealing with attempts to break into a pre-selected victim. In such attacks, reconnaissance and the use of peculiarities of the victim's infrastructure matter no less than the attack tools themselves, and the tools may be unique to each victim, as the Poseidon campaign illustrates well.



There are thousands of ways to break into any given company. Identifying and closing every potentially vulnerable point is impossible. Yet something must be done, and so each vendor offers its own approach. The common thread: you have to collect and process a huge volume of information and pick out suspicious activity that differs from the normal network behaviour of employees. At the Lab we showed our solution at the conference, the Kaspersky Anti Targeted Attack Platform; you can read more about it here. Meanwhile, new threats keep appearing without pause or weekends, and the key event of this week is the DROWN attack. Let's talk about it in more detail. All editions of the digest are available by tag.



DROWN attack: up to a third of HTTPS servers are affected, and intercepted connections to them can be decrypted

News Research


Remember the news about research on SHA-1 collisions? Last year the SHA-1 hashing algorithm was shown to be theoretically vulnerable, and that was reason enough for browser vendors to start phasing out support for it en masse. The trigger was a piece of scientific work that did not imply any real threat to your data here and now. Someday in the future, perhaps. The DROWN attack shows us (on a different subject, but one also related to encryption) how theory turns into practice, and how long the gap between the two can be.



The essence of the vulnerability is this. Encrypted connections today use the TLS protocol, which replaced its predecessors SSLv3 and SSLv2, both quite vulnerable by current standards. When you connect to a website over HTTPS, it is TLS doing the work inside. TLS itself is not the problem, but there is a nuance. A fair number of servers on the Internet still support the obsolete SSLv2 protocol. Support on its own might seem harmless: if someone takes it into their head to establish a connection with it (a standard browser will not let you do so by accident), that is their business. But it turned out that this very SSLv2 support can be used to decrypt traffic that was encrypted normally, with TLS. The precondition is that the SSLv2 endpoint uses the same RSA private key as the TLS endpoint, which is common when one certificate is reused across services or across the HTTPS and mail ports of the same host.







Without going into too much detail, the attack works as follows. The attacker intercepts the victim's protected TLS traffic. They then make a series of connections to the server over SSLv2, crafted so that the server's responses leak enough information to decrypt the captured TLS session. In the two attack scenarios described by the researchers, decryption takes time, but not much: either a few hours on a powerful server (or about $440 worth of rented computing capacity on Amazon) for the general case, or under a minute on a single PC when the server runs an older OpenSSL release with additional implementation bugs. The general case leans on the "export", that is deliberately weakened, cipher suites that SSLv2 still offers, and a fairly large number of servers do offer them. So the requirements on an attacker are modest: limited computing power, competent hands, and the ability to intercept other people's traffic. This is really a dangerous thing.
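The check a practitioner would run to find such servers, as an added example that is not part of the original post or of any Kaspersky Lab tool: it builds the SSLv2 CLIENT-HELLO that a DROWN scanner sends, parses the SERVER-HELLO, and reports whether SSLv2 is accepted, whether export cipher kinds are offered, and whether the certificate matches the one served on the TLS port (the key-sharing precondition). The record and message layouts and the seven cipher-kind codes are taken from the SSLv2 specification; the sample exchange at the bottom is constructed, and its "certificate" is a placeholder byte string rather than real DER.

```python
import socket
import struct
from typing import Optional

# SSLv2 CIPHER-KIND codes (3 bytes each) and whether the kind is export-grade
# (40-bit key). These seven are the complete list in the SSLv2 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": ("RC4_128_WITH_MD5", False),
    b"\x02\x00\x80": ("RC4_128_EXPORT40_WITH_MD5", True),
    b"\x03\x00\x80": ("RC2_128_CBC_WITH_MD5", False),
    b"\x04\x00\x80": ("RC2_128_CBC_EXPORT40_WITH_MD5", True),
    b"\x05\x00\x80": ("IDEA_128_CBC_WITH_MD5", False),
    b"\x06\x00\x40": ("DES_64_CBC_WITH_MD5", False),
    b"\x07\x00\xc0": ("DES_192_EDE3_CBC_WITH_MD5", False),
}
SSLV2_VERSION = 0x0002


def sslv2_record(payload: bytes) -> bytes:
    """2-byte SSLv2 record header: high bit set = no padding, low 15 bits = length."""
    if len(payload) >= 0x8000:
        raise ValueError("SSLv2 record too long")
    return struct.pack(">H", 0x8000 | len(payload)) + payload


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """CLIENT-HELLO (type 1) offering every cipher kind, export ones included, empty session id."""
    specs = b"".join(SSLV2_CIPHERS)
    head = struct.pack(">BHHHH", 1, SSLV2_VERSION, len(specs), 0, len(challenge))
    return sslv2_record(head + specs + challenge)


def build_server_hello(cert: bytes, specs: bytes, conn_id: bytes = b"\x11" * 16) -> bytes:
    """SERVER-HELLO (type 4): no session hit, cert type 1 (X.509), then cert, specs, conn id."""
    head = struct.pack(">BBBHHHH", 4, 0, 1, SSLV2_VERSION, len(cert), len(specs), len(conn_id))
    return sslv2_record(head + cert + specs + conn_id)


def parse_server_hello(data: bytes) -> dict:
    """Decode a SERVER-HELLO; a TLS alert, HTTP text or a truncated reply raises ValueError."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an unpadded SSLv2 record")
    length = ((data[0] & 0x7F) << 8) | data[1]
    msg = data[2:2 + length]
    if len(msg) != length or length < 11 or msg[0] != 4:
        raise ValueError("not a complete SERVER-HELLO")
    _, _hit, _ctype, version, cert_len, spec_len, conn_len = struct.unpack(">BBBHHHH", msg[:11])
    if 11 + cert_len + spec_len + conn_len != length or spec_len % 3:
        raise ValueError("inconsistent SERVER-HELLO lengths")
    cert = msg[11:11 + cert_len]
    specs = msg[11 + cert_len:11 + cert_len + spec_len]
    kinds = [SSLV2_CIPHERS.get(specs[i:i + 3], ("UNKNOWN", False)) for i in range(0, spec_len, 3)]
    return {"version": version, "cert": cert,
            "ciphers": [n for n, _ in kinds],
            "export_ciphers": [n for n, export in kinds if export]}


def is_sslv2_reply(data: bytes) -> bool:
    """True only if the bytes decode as an SSLv2 SERVER-HELLO."""
    try:
        parse_server_hello(data)
        return True
    except ValueError:
        return False


def assess(info: dict, tls_cert: Optional[bytes] = None) -> str:
    """Verdict; pass the certificate served on the TLS port to check the key-sharing precondition."""
    if info["version"] != SSLV2_VERSION:
        return "server did not answer with SSLv2"
    verdict = "SSLv2 accepted: disable it"
    if info["export_ciphers"]:
        verdict += "; export ciphers offered (general DROWN precondition)"
    if tls_cert is not None and tls_cert == info["cert"]:
        verdict += "; same certificate as the TLS endpoint, so TLS sessions are exposed"
    return verdict


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check against a host (network; the offline demo below does not call it)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        reply = sock.recv(2)
        if len(reply) == 2 and reply[0] & 0x80:  # read the rest of the SSLv2 record
            want = ((reply[0] & 0x7F) << 8) | reply[1]
            while len(reply) < 2 + want:
                chunk = sock.recv(2 + want - len(reply))
                if not chunk:
                    break
                reply += chunk
    return assess(parse_server_hello(reply)) if is_sslv2_reply(reply) else "no SSLv2 reply"


if __name__ == "__main__":
    # Constructed exchange: a server that still speaks SSLv2, offers an export
    # cipher, and serves the same placeholder certificate as its TLS port.
    fake_cert = b"constructed placeholder, not a real DER certificate"
    reply = build_server_hello(fake_cert, b"\x02\x00\x80\x01\x00\x80")
    info = parse_server_hello(reply)
    print(info["ciphers"])
    print(assess(info, tls_cert=fake_cert))
```

For a live host, `probe(host)` sends the same CLIENT-HELLO over the wire; a server with SSLv2 disabled answers with a TLS alert or simply closes the connection, and `is_sslv2_reply` rejects both. The DROWN key-sharing condition is about the RSA key rather than the certificate as such: comparing certificates is the quick approximation, and two different certificates can still carry the same key.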



And trouble came, as usual, from an unexpected direction. Decrypted traffic can yield the data needed to break into a corporate network, and such threats are impossible to foresee in advance: no matter how tough your perimeter defences are, there will always be a craftier attacker. That is why the industry is trying to speed up as much as possible the detection of successful attacks, at the stage when penetration has already happened but the damage has not yet been done. What does this have to do with the story? The researchers who discovered the vulnerability refer to the work of Daniel Bleichenbacher, who in 1998 found a similar problem in the RSA PKCS#1 v1.5 padding scheme on which SSL of the time (and SSLv2 to this day) relied. Back then it was considered entirely theoretical work, since the attack needed on the order of a million queries to the server; DROWN needs tens of thousands of connections. At that moment it seemed unrealistic, now it is quite feasible. This is how scientific research turns into the harsh everyday life of a defender, even 18 years later.



Hacking Team returns with new exploits

Research by Kaspersky Lab.



The HackingTeam hack was a big event of 2015. A large amount of information leaked from a company notorious for its work for government agencies, supplying them with tools for the "lawful" hacking of computer systems, and much of it was very dangerous, including several zero-day vulnerabilities. Given the specifics of HackingTeam's business, hardly anyone sympathised with the company, but the organisers of this ethically questionable enterprise had no intention of giving up.



And recently a new malicious module was discovered, designed to infect computers running Mac OS X and steal data from them. The backdoor was first described by the Objective-See researchers, and our experts added details about its actual functionality. Specifically, the malware can take screenshots, steal information from the system and applications, record the victim via webcam and microphone, determine the computer's location, and even steal SMS messages from a phone if it is connected to the infected computer.







We, like many other vendors, detect and block this module. The purposes for which the malware is used do not matter; that does not make it any less harmful.



What else happened:

Another important discussion at the RSA Conference: almost all market players agree that hacking back in response to hacking is a very bad idea, both at the level of individual companies (they may take revenge on the wrong party by mistake) and at the level of states and intelligence services.



The battle between Apple and the FBI continues. It has reached congressional hearings, and at the RSA Conference the topic came up in every second talk. Experts are almost unanimously on Apple's side (a Microsoft representative, for instance, officially expressed support). Critics also note that the FBI chose an ideal test case with which to attack not only Apple but the "techie" approach to encryption in general.



Cybersecurity in cars is not in good shape. We never doubted it.



Antiquities:

"Nina-1600"



A resident, very dangerous virus. It infects .COM, .EXE and .SYS files, searching for them in the current directory on every call to int 21h. .COM and .EXE files are infected in the standard way. When infecting a .SYS file, it appends its body to the end of the file and modifies the Interrupt and Strategy routines of the infected driver.



It activates only if no anti-virus resident blockers are present. If an attempt is made to trace the virus code with a debugger, it destroys part of the data on the disk. Contains the strings: "Dear Nina, you make me write this virus; Happy new year!", "*:\COMMAND.COM".



Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 41.



Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's a matter of luck.

Source: https://habr.com/ru/post/278555/


