
Security Week 33: disabling Secure Boot, sorting senders in GMail, consequences of a TCP bug in Linux

This week, a flood of politics spread across the threat landscape. Security is already thoroughly politicized, but if you feel it has become a bit too much, I have to disappoint you: this is only the beginning. On August 13, an anonymous group hiding under the pseudonym ShadowBrokers put up for sale an arsenal of tools allegedly used in the Equation cyber-espionage campaign. Recall that Kaspersky Lab's experts published their study of this attack in February of last year, calling it the "Death Star of the malware galaxy." It earned the name on every count: the duration of the campaign (since 2001, possibly earlier), the complexity and broad functionality of its intrusion and data-theft tools, and its technical level, which went as far as placing malicious code in hard-drive firmware.

The sale is organized to the best standards of commercial practice: "send the money and we will think about it." But beyond the promises, a set of files evidently cut out of someone's development environment was dumped onto the network: some code, some scripts, documentation and so on. Setting aside the media, which has spent the whole week debating who is behind the leak (something that a priori cannot be confirmed by facts), the following can be said about ShadowBrokers with certainty. First, the implementation of the RC5 and RC6 encryption algorithms in the leak matches that of Equation. This makes it possible to say with some confidence that there is a connection between the code found on the network now and the code found a couple of years ago. More details, with examples, here. Second, the leak revealed real vulnerabilities in Cisco devices (described in great detail on their blog) and in Fortinet devices.

Everything else on the topic boils down to one word: "unclear." The ShadowBrokers leak can be put on a par with last year's breach of HackingTeam: in both cases, dangerous malicious tools were published. Even the most complex and expensive development of this kind tends to become cheap quickly and fall into the wrong hands. The only way to prevent this is, where possible, not to create cyber weapons at all, whatever the goals. There is enough malicious code already.

All issues of the digest are here.

Hackers discussed a weakness in the Secure Boot mechanism with Microsoft. Hackers: "Everything is bad." Microsoft: "It's OK."


News

Secure Boot is a concept under which only authorized code may run at the most critical stage of system startup, right after the BIOS. Here we are talking about Microsoft's implementation of Secure Boot, which first shipped in production with Windows 8 in 2012. At the time, Microsoft received another round of curses from open-source supporters: Secure Boot can be used to block the launch of third-party operating systems (nobody would have believed back then that Ubuntu would run inside Windows 10). On ARM devices Microsoft actually did exactly that; for ordinary PCs, the decision officially rests with the vendor. In four years there have been no cases of aggressive violation of Linux users' rights, but Richard Stallman is still against it.

You can read more about Secure Boot on Microsoft's website, or better still in the Fedora documentation here. The main purpose of Secure Boot is not the oppression of freedom-loving coders but protection against malware, specifically bootkits. Even Stallman agrees that such protection is necessary. Two hackers known as my123 and slipstream studied how Secure Boot works and found something strange: during the development of Windows 10 Redstone, new policies were added that disable code checks (checks for a certificate and/or for binding to a specific device). The change was made in the code of bootmgr.efi. Through this hole one can either load unauthorized code or disable Secure Boot entirely. Two patches (MS16-094 and MS16-100) tried to solve the problem by revoking certain versions of this file, but according to the hackers the problem has not been fully solved. Perhaps it never will be, because, in the researchers' view, Microsoft cannot ban absolutely every boot manager, for example because certain system images must keep working. Read more in the report here (mind your eyes and ears: there is music, a 1994-style layout, and the letters jump around).

Microsoft's position on the research is restrained. The researchers were given to understand that this is not considered a vulnerability. In a comment to Threatpost, the company noted that exploiting the "problem" requires physical access to an ARM device and does not affect enterprise systems. In general they are right: based on what we know so far, this is not the worst vulnerability in the world. So the main thing in this story is not the facts but the moral. If Microsoft's developers really did make a mistake, the problem is not the error itself but the very possibility of making it. Security systems should ideally be designed so that there are no backdoors, even legitimate ones, so that there is, in principle, nothing to lose, whether by accident or by theft. This is also a belated argument in the February dispute between Apple and the FBI. The feds' position then was that they did not even need to know the method of unlocking the iPhone; Apple only had to develop it and apply it. According to Apple, the very fact of developing a master key was already a great danger. What is secret always becomes known.

Vulnerability in TCP protocol implementations affects Linux systems and 80% of Android devices


News. Second news item. Research paper.

What could be worse than a vulnerability in the operating system kernel? Only a vulnerability in the implementation of one of the fundamental protocols. But no, not only that. Even worse is when the vulnerability is built into the protocol specification itself. Apparently that is exactly what happened with RFC 5961, a specification aimed at improving the security of TCP. In the Linux kernel these innovations have been implemented since version 3.6, released in 2012. Researchers from the University of California, led by Yue Cao, found a way to exploit a single feature of the Linux implementation of the new specification: the global limit on challenge ACK packets. The detailed attack scheme is beyond my cognitive abilities, so please refer to the original paper for details. Here I will just show a picture from it:


[Figure: attack diagram from the paper. Caption: "I understood everything.jpg!"]

The potential of the vulnerability is enormous: it is possible to determine that two hosts on the network are exchanging TCP packets, break the connection between them, and even intercept data (or inject one's own into the transfer). All this with a high probability of success and with little time needed to create the conditions for exploitation (tens of seconds). The attack does not require a man-in-the-middle position either: it is enough to know the addresses of the sender and the recipient and to be able to spoof one's own IP address. Besides Linux desktops and servers (a kernel patch has already been released), up to 80% of Android devices are affected. Ironically, in this case old smartphones (Android 4.3 and earlier) are not affected; all new ones are, including beta versions of Android 7.0.
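The Linux feature the researchers used is the per-second cap on RFC 5961 challenge ACKs, which is a single counter shared by every connection on the host. Whether a host still runs with that small shared cap is something a defender can read from sysctl, so here is an added audit script (my own example, not code from the digest or the paper). The sysctl name net.ipv4.tcp_challenge_ack_limit is real; the thresholds are this example's assumptions: a value at or below the old default of 100 is reported as exposed, and a very large value as mitigated, which is the configuration workaround for hosts that cannot yet take the kernel patch. The sysctl dump is constructed.

```python
"""Audit the shared challenge-ACK rate limit on a Linux host (added example)."""
from pathlib import Path

SYSCTL_KEY = "net.ipv4.tcp_challenge_ack_limit"
PROC_PATH = Path("/proc/sys/net/ipv4/tcp_challenge_ack_limit")
OLD_DEFAULT = 100          # per-second cap in unpatched kernels from 3.6 onward
ASSUMED_SAFE = 1_000_000   # assumption: anything this large is "effectively unlimited"

# Constructed `sysctl -a`-style output for an unpatched host.
CONSTRUCTED_DUMP = """\
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_challenge_ack_limit = 100
net.ipv4.tcp_fin_timeout = 60
"""


def classify(limit: int) -> str:
    """Map the numeric cap to a finding."""
    if limit <= OLD_DEFAULT:
        return "exposed"
    if limit < ASSUMED_SAFE:
        # Better than the default, but still a small shared counter. A patched
        # kernel also randomises the counter, which a value-only check cannot see.
        return "raised"
    return "mitigated"


def audit_sysctl_dump(dump: str) -> dict:
    """Locate the key in `key = value` lines and classify its value."""
    for line in dump.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == SYSCTL_KEY:
            try:
                limit = int(value.strip())
            except ValueError:
                return {"key": SYSCTL_KEY, "value": value.strip(), "status": "unparseable"}
            return {"key": SYSCTL_KEY, "value": limit, "status": classify(limit)}
    # No such knob: kernel older than 3.6 (no RFC 5961 code) or not Linux at all.
    return {"key": SYSCTL_KEY, "value": None, "status": "absent"}


def audit_live_host(path: Path = PROC_PATH) -> dict:
    """Read the live value; only meaningful on a Linux host."""
    if not path.exists():
        return {"key": SYSCTL_KEY, "value": None, "status": "absent"}
    return audit_sysctl_dump(f"{SYSCTL_KEY} = {path.read_text()}")


def remediation(finding: dict) -> str:
    """Advice string for a finding; the sysctl command is the known stopgap."""
    status = finding["status"]
    if status == "exposed":
        return f"update the kernel; stopgap: sysctl -w {SYSCTL_KEY}={ASSUMED_SAFE}"
    if status == "raised":
        return "confirm the kernel carries the fix; the value alone does not show it"
    if status == "mitigated":
        return "no action needed"
    return "manual review"


if __name__ == "__main__":
    for finding in (audit_sysctl_dump(CONSTRUCTED_DUMP), audit_live_host()):
        print(finding, "->", remediation(finding))
```

The "raised" bucket exists because the kernel fix both raised the default and randomised the counter; a host reporting 1000 may be fully patched or merely reconfigured, and only the kernel version tells you which.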

We are waiting for updates.

GMail begins to identify untrusted senders.


News. Announcement on the Google blog.

Now for a moment of positivity. In the near future, Google will begin informing users that the sender of a message should not be trusted. For such messages, a non-standard icon will be displayed next to the sender's address, something like this:


The condition for loss of trust: failure to meet the requirements of the Sender Policy Framework and DKIM standards. I don't think a question-mark icon will stop a hapless user from reading and replying to a crafty phishing email, but judging by Google's tactics, unverified messages will be filtered out more and more actively in the future. In addition, GMail has implemented the Safe Browsing feature long used in Chrome, which warns about suspicious and malicious links.
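The same rule can be applied by any receiving mail system, because the server that accepts a message records its SPF and DKIM verdicts in an Authentication-Results header (RFC 7601). Below is an added example of my own, not Google's code: it reads those verdicts and marks a message untrusted when neither SPF nor DKIM passed, or when no verdict exists at all. One caveat a practitioner needs is built in: the header is only honoured when it was stamped by our own server (the authserv-id), since anyone can add such a header before the message arrives. The three messages and the server name mx.example.net are constructed.

```python
"""Sender trust from Authentication-Results verdicts (added example)."""
import email
import re
from email import policy

OUR_AUTHSERV_ID = "mx.example.net"   # placeholder for the receiving server's id
VERDICT_RE = re.compile(r"\b(spf|dkim)=([a-z]+)", re.IGNORECASE)


def parse_authentication_results(value: str, authserv_id: str) -> dict:
    """Return {method: result} from one header value, or {} if not ours."""
    stamp, sep, rest = value.partition(";")
    if not sep or stamp.split()[0] != authserv_id:
        return {}   # stamped by some other server: ignore it
    verdicts = {}
    for method, result in VERDICT_RE.findall(rest):
        verdicts.setdefault(method.lower(), result.lower())  # first verdict wins
    return verdicts


def sender_trust(raw: bytes, authserv_id: str = OUR_AUTHSERV_ID) -> dict:
    """Apply the rule: trusted only if SPF or DKIM passed at our own server."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in parse_authentication_results(str(value), authserv_id).items():
            verdicts.setdefault(method, result)
    if verdicts.get("spf") == "pass" or verdicts.get("dkim") == "pass":
        return {"trusted": True, "reason": "authenticated", "verdicts": verdicts}
    if not verdicts:
        return {"trusted": False, "reason": "no verdict from our own server", "verdicts": verdicts}
    return {"trusted": False, "reason": "neither SPF nor DKIM passed", "verdicts": verdicts}


def _constructed_message(auth_header=None) -> bytes:
    """Build a minimal RFC 5322 message for the examples below."""
    lines = []
    if auth_header:
        lines.append("Authentication-Results: " + auth_header)
    lines += ["From: news@example.com", "To: user@example.net", "Subject: test", "", "body"]
    return "\r\n".join(lines).encode()


PASSING = _constructed_message(
    "mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com")
FAILING = _constructed_message(
    "mx.example.net; spf=softfail smtp.mailfrom=example.com; dkim=none")
UNSTAMPED = _constructed_message()
FOREIGN = _constructed_message("foreign.example.org; spf=pass; dkim=pass")

if __name__ == "__main__":
    for name, raw in [("passing", PASSING), ("failing", FAILING),
                      ("unstamped", UNSTAMPED), ("foreign", FOREIGN)]:
        print(name, sender_trust(raw))
```

The FOREIGN case is the one that matters in practice: a pass verdict from an unknown server counts for nothing, which is why border mail servers strip or rename Authentication-Results headers they did not add.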

What else happened


Chrome and Firefox turned out to be exposed to a rather trivial method of address bar spoofing.

Kaspersky Lab's experts describe the targeted campaign Operation Ghoul, with victims mainly in the Middle East.

Several hotel chains in the US have reported, all at once, leaks of credit card data through hacked POS terminals.

Another interesting method of stealing data from air-gapped systems: analysis of hard disk noise (we are all gradually moving to SSDs anyway).

Antiquities:
"Printer-778"

A dangerous resident virus; it infects .COM and .EXE files in the standard way, except COMMAND.COM. In COM files it replaces the beginning of the file with the instructions MOV BX, Loc_Virus; JMP BX. When the printer is in use (int 17h), it converts the data being printed to 7-bit ASCII (clears the high bit). As a result, the printer refuses to "speak" Russian or print pseudographics. The virus hooks int 17h and 21h.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 80.
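The book entry gives two concrete, checkable behaviours, so here is an added example of mine (not from the book or from any real scanner) that turns them into detection logic. First, an infected .COM file begins with MOV BX, imm16; JMP BX, which on 16-bit x86 encodes as BB lo hi FF E3, so the entry point can be checked for that five-byte pattern and the jump target tested for plausibility. Second, the int 17h hook clears the high bit of every byte bound for the printer, which is exactly what turns CP866 Cyrillic and pseudographics into plain ASCII. The host program and virus body are constructed; that 778 is the body length is an assumption based on the naming convention of the time.

```python
"""Printer-778 style .COM infection check and the ASCII-7 printer effect (added example)."""
import struct

MOV_BX_IMM16 = 0xBB        # opcode of MOV BX, imm16
JMP_BX = b"\xFF\xE3"       # encoding of JMP BX
COM_LOAD_BASE = 0x100      # .COM images load at CS:0100h
ASSUMED_BODY_LEN = 778     # assumption: the number in the name is the virus length


def decode_entry_jump(image: bytes):
    """Return Loc_Virus if the image starts with MOV BX,imm16 ; JMP BX, else None."""
    if len(image) < 5 or image[0] != MOV_BX_IMM16 or image[3:5] != JMP_BX:
        return None
    return struct.unpack_from("<H", image, 1)[0]


def looks_infected(image: bytes) -> bool:
    """Pattern present and the jump lands inside the loaded image."""
    target = decode_entry_jump(image)
    if target is None:
        return False
    return COM_LOAD_BASE <= target < COM_LOAD_BASE + len(image)


def strip_high_bit(printed: bytes) -> bytes:
    """What the int 17h hook does to the byte stream going to the printer."""
    return bytes(b & 0x7F for b in printed)


def build_infected_sample(host: bytes, body_len: int = ASSUMED_BODY_LEN) -> bytes:
    """Construct the layout the book describes: patched entry, body appended."""
    loc_virus = COM_LOAD_BASE + len(host)          # body starts right after the host
    patch = bytes([MOV_BX_IMM16]) + struct.pack("<H", loc_virus) + JMP_BX
    return patch + host[len(patch):] + b"\x90" * body_len   # body contents: placeholder


# Constructed clean host: MOV AX,4C00h ; INT 21h ; padding.
CLEAN_HOST = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 11
INFECTED = build_infected_sample(CLEAN_HOST)

if __name__ == "__main__":
    print("clean   :", looks_infected(CLEAN_HOST))
    print("infected:", looks_infected(INFECTED), hex(decode_entry_jump(INFECTED)))
    print("printer :", strip_high_bit("Привет ═══".encode("cp866")))
```

The plausibility test on the jump target is what keeps this from flagging every program that happens to start with a register-indirect jump: the body the book describes is appended to the host, so Loc_Virus must fall inside the file.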

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on luck.

Source: https://habr.com/ru/post/308130/
