Security Week 15: Badlock fails to impress, more cryptolockers, another vulnerability in iMessage
Suppose there is no apocalypse. A careless approach to the security of new devices and software will not lead to a massive failure of computer systems: Solitaire in Office will not crash, the traffic lights will not go out, self-driving cars will take people home without incident. Does that mean you can code irresponsibly, since nobody is going to die? A remarkable story was unearthed last week by Fusion editor Kashmir Hill. In 2002, the company MaxMind launched a service that roughly determines the geographic coordinates of a network endpoint from its IP address. During development, a default value for the coordinates had to be chosen. Not because customers required one. The article does not say, but it is easy to imagine that one of the developers simply decided so, because everyone does it and it is convenient: so that the system does not crash on an empty variable or divide by zero.
The rounded coordinates of the geographic center of the US, (38.0000, -97.0000), were hard-coded into a constant, and this routine episode was soon forgotten. After a while, strange people began turning up at a house near the town of Potwin, Kansas. FBI agents in uniform and in plain clothes. Tax collectors. Angry owners of spammed sites called and demanded that it stop immediately. Someone even made threats, and one night a broken toilet was dumped in the driveway. The elderly owner of the house and the tenants had the misfortune of living at the center of the country, rounded to whole degrees. Every address whose coordinates MaxMind could not determine, more than six million IP addresses, pointed at the house in Kansas. Kashmir Hill contacted MaxMind, and they were very surprised. The company, after all, had always said that the coordinates are approximate and should not be used to identify specific addresses and houses. The problem is that absolutely everyone, medical professionals and the FBI included, uses them exactly that way.
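The engineering mistake in this story, as an added example in JavaScript (this is not MaxMind's code; the prefixes, coordinates and accuracy radii are constructed sample data, and the function names are my own): a lookup that answers "unknown" with a plausible-looking default point, next to one whose result says how unknown it is, so that a consumer can refuse to treat a country-sized guess as a street address.

```javascript
// Added example, not MaxMind's code. Sample database entries are constructed:
// [cidr, lat, lon, accuracyKm]
const SAMPLE_DB = [
  ["203.0.113.0/24", 37.7749, -122.4194, 20],
  ["198.51.100.0/24", 40.7128, -74.006, 50],
];

// The kind of constant the article describes: the geographic centre of the
// country, rounded, used as a "default" answer.
const DEFAULT_COORDS = { lat: 38.0, lon: -97.0 };

// Dotted-quad IPv4 to an unsigned 32-bit integer (throws on bad input).
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new RangeError(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// True when ip falls inside the CIDR block "a.b.c.d/bits".
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Naive version: anything unresolved gets the default, which is
// indistinguishable from a genuine hit for every caller downstream.
function naiveLookup(ip) {
  for (const [cidr, lat, lon] of SAMPLE_DB) {
    if (inCidr(ip, cidr)) return { lat, lon };
  }
  return DEFAULT_COORDS;
}

// Corrected version: unresolved is null, and every hit carries the radius
// (km) within which the answer is expected to be right.
function lookup(ip) {
  for (const [cidr, lat, lon, accuracyKm] of SAMPLE_DB) {
    if (inCidr(ip, cidr)) return { lat, lon, accuracyKm };
  }
  return null;
}

// What a "find the house" consumer must check before acting on a result.
function usableForStreetAddress(result, maxKm = 1) {
  return result !== null && result.accuracyKm <= maxKm;
}
```

With the naive lookup, an address from an unlisted range (192.0.2.1 in the sample data) comes back as the centre of the country and looks exactly like a real hit; with the corrected one it comes back as null, and even the listed ranges fail the street-address check because their accuracy is tens of kilometres.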
Suppose there is no apocalypse. And that is very good. But technology increasingly affects our real lives, sometimes in the most unpredictable ways. Errors and vulnerabilities in software and hardware do not always lead to tragedy (although sometimes they do). Irresponsible development slowly and almost imperceptibly lowers our quality of life. And the further we move from the days of "it is now safe to turn off your computer" toward being permanently online, the more new opportunities there will be, and new problems too.
For Moscow IPs, by the way, the same database returns the coordinates of the Kremlin. And nobody lives at the geographic center of Russia. On to the news of the week. Previous issues are here.

The pre-announced Badlock vulnerability in Windows and Samba is not as terrible as its marketing campaign. News. Samba changelog. Microsoft advisory.
In the previous issue I mentioned this story twice, solely because of how it was presented: the researchers from SerNet took a very responsible approach to conveying information about a software bug to the masses. Namely, they built a mini-site, came up with a name and a logo, and published everything except information about the vulnerabilities themselves, three weeks before the patches were released. I gave the pros and cons of this approach last time and will not repeat them. On April 12, Microsoft released a patch closing a vulnerability in the Windows implementation of the SMB protocol, patches for the open-source Samba appeared, and at last everyone knew what the fuss was about.
In short, it turned out that things are not so bad. Or rather: a serious enough vulnerability suffered slightly from the marketing activity. Or did it? My opinion: there is no such thing as too much PR. You can love it or hate it, but it does not change the technical side of the story. So, Badlock is a set of vulnerabilities that allow access to data, with some reservations: Active Directory must be running on the system (Windows or Samba, it does not matter), and the attacker must already be in a man-in-the-middle position. These are not remote code execution vulnerabilities; they only allow manipulating calls carried over the SMB protocol, and in the worst case can cause a denial of service. The practical consequence for an admin: besides installing the patches, the thing to check on both the Windows and the Samba side is that signing is enforced on this traffic, because an attacker in the path gets nothing to manipulate from a connection whose integrity is protected.
Patching is necessary, but experts, while recognizing the danger of the discovered vulnerabilities, do not see anything special in them: the RCE hole in Internet Explorer closed in the same batch of patches can be just as serious from an admin's point of view. Personally, I would like to know the details and understand how similar bugs ended up in both Windows and the open-source Samba, but the researchers who found them are not talking about it (whatever the reasons), and in general prefer to talk to the media as little as possible (which is odd given the groundwork they laid in public beforehand). In any case, the industry has no unified threat scale; one is very hard to build, which is a pity. Operators of IT systems could use one.
Worm-driven cryptolockers: ransomware authors dust off ancient virus techniques, and that makes them more dangerous. Or not. News
The part of the story that is actually news I mentioned in the last digest. Cisco Talos discovered Samsam, which targets servers rather than employees and exploits server vulnerabilities (specifically in the JBoss software). This week, Cisco Talos released a report projecting its recent discovery onto possible development scenarios for, ahem, the cybercrime industry. It came out scary: given that other Trojans use rather ancient distribution methods (macros in Office documents, for example), will we at some point face an extortion epidemic comparable in scale to the worm epidemics of Conficker or Slammer?
Let me remind you that Conficker and Slammer are outstanding exhibits of the 2000s whose main feature was their self-propagation mechanisms. Indeed, cryptolockers do not use this technique today, but what if they start? Right now cybercriminals have to sow, spending time and money (cooperating with the owners of exploit packs, for example); what if they pass this "duty" on to the victims? It would be a genuine APOCALYPSE, REPENT YE SINNERS, THE END OF THE WORLD IS NIGH!!!11
Well, no. Times have changed, and to understand the cryptolocker phenomenon properly, it has to be evaluated as a business. Extortionists are in it for the money first of all. If they start spending time on original technology, they stop making money. That is why the Petya and Samsam Trojans I mentioned two weeks ago are technically original but not very widespread. And why bother, when a ransom can be collected with the most primitive Trojans written as batch files? Besides, the capabilities of cybercrime, though broad, are not limitless, and if it were possible to spread arbitrary malware on an epidemic scale, it would have been done long ago. I already talked about the apocalypse at the start of today's issue: it is not necessarily coming, and that is not the point anyway. So with Cisco Talos it is the same story as with SerNet and Badlock: cryptolockers are a very relevant and very dangerous topic. But not horror, horror. Working technologies for protecting against extortionists also exist; the question is one of deployment.
Another vulnerability found in iMessage, already fixed. News. Bishop Fox research.
In early March, Apple released the iOS 9.3 update, which not only broke the Safari browser but also closed a serious gap in the cryptographic protection of the iMessage messenger. In light of the Apple versus FBI debate going on at the time, this was an important addition. Access to someone else's correspondence, if not impossible, is possible in two ways: either by intercepting the data in transit, or by taking it from the end device. Progress in encrypting correspondence at Apple and, for example, at WhatsApp and others makes interception "on the road" very laborious, so access to the correspondence on the device acquires particular, I would say strategic, importance.
Proof of concept on video:
A new vulnerability in OS X El Capitan, closed by update 10.11.4, gives exactly that ability to intercept data on the end device. Researchers from Bishop Fox found, in effect, a hole of the cross-site scripting kind: script delivered in a message runs in the context of the client and can read data on the client's behalf (for example, the message history) and send it elsewhere. It is enough to send the user a specially crafted javascript: URI and get them to click it. The story shows well how cross-platform messaging of the new generation is gradually becoming a headache for developers. In this case there was no problem with the chat on iOS, but nobody had looked at the desktop. Interestingly, the researchers were initially digging in the direction of a different messenger and discovered quite by accident that the proof of concept they had developed worked in iMessage too.
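What "a specially crafted javascript: URI" means for whoever renders links in a messaging client, as an added example in JavaScript (this is not the Bishop Fox proof of concept and not Apple's code; the sample messages are constructed, and the scheme allowlist and the function names are my own choice). It compares a prefix blocklist, which the WHATWG URL parser's tab and newline stripping defeats, with an allowlist applied after parsing, and shows the resulting renderer turning a javascript: link into plain text.

```javascript
// Added example, not the researchers' PoC and not Apple's code.
// Only these schemes may become clickable links in a rendered message.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Weak policy: a case-insensitive prefix check on the raw string.
// The WHATWG URL parser removes ASCII tab and newline from its input before
// parsing, so "java\tscript:..." is still a javascript: URL to the rendering
// engine but sails through this check.
function blocklistAllows(candidate) {
  return !candidate.trim().toLowerCase().startsWith("javascript:");
}

// Hardened policy: normalise with the same parser the engine will use, then
// allowlist the scheme. Returns the normalised href, or null when the text
// must be rendered as plain, non-clickable text.
function safeHref(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null; // not an absolute URL at all
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Tokens that look like scheme:rest inside a message body.
const URL_LIKE = /[a-z][a-z0-9+.-]*:[^\s<>"']+/gi;

// Renderer: only allowlisted URLs get an <a>; everything else is shown
// escaped, as text, so a click can never reach a javascript: or data: URL.
function renderMessage(text) {
  return text.replace(URL_LIKE, (m) => {
    const href = safeHref(m);
    const shown = escapeHtml(m);
    return href === null ? shown : `<a href="${escapeHtml(href)}">${shown}</a>`;
  });
}

// Constructed sample messages (not captured traffic).
const SAMPLES = [
  "see https://example.com/report",
  "click javascript:alert(document.title)",
  "click JaVaScRiPt:alert(1)",
  "click java\tscript:alert(1)",
  "click data:text/html,<script>alert(1)</script>",
];

// Returns, per sample, what each policy decides about the first URL-like
// token and what the hardened renderer emits.
function evaluateSamples(samples = SAMPLES) {
  return samples.map((text) => {
    const token = (text.match(URL_LIKE) || [text])[0];
    return {
      text,
      blocklistAllows: blocklistAllows(token),
      allowlistHref: safeHref(token),
      rendered: renderMessage(text),
    };
  });
}
```

Note that escaping the HTML attribute does nothing here: `javascript:alert(1)` contains no characters that escaping touches, which is why the decision has to be made on the parsed scheme and not on the string's appearance.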
Antiquities: Family "Sistor"
Non-resident viruses. Infect .COM and .EXE files in the standard way. Launch (except for "Sistor-1000") a ball "prancing" around the screen, which bounces off characters and the edges of the screen. When the ball hits text or pseudo-graphics, the characters "fall" down. Intercept int 1Ch, 21h. They contain the text "Sistor" ("Sistor-1000" additionally contains "Sistor & Co Present").
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 45.
Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. Depends on luck.