Security Week 51-52: Custom Top News 2016

Well, again, no one expected, and the year ended abruptly. It's time to sum up, and for the third year in a row I prefer to do it outside the box. The only criterion for selecting news in the top is its popularity on the news site Threatpost . Yes, this is not the most objective way to assess the importance of an event. But not the worst: the Threatpost audience usually ignores outright politotyu and pays a lot of attention to events that need to be responded to either right now or with something to remember for the future.

Let me remind you that in the 2015 review we had vulnerabilities in the Internet of Things (well, in routers), data encryption , a serious vulnerability of Stagefright in Android and a hole in GLIBC , as well as complex attacks - Carbanak and The Equation . In 2014: POODLE 's SSLv3, Shellshock and Heartbleed vulnerability and, suddenly, steganography with PNG images.

This year, the “top five” of popular news looks partly similar: Apple’s case against the FBI, holes in GLIBC (again!) And in the Linux kernel, problems with OAuth, and the generation of reliable random numbers from unreliable sources.

Fifth place. The FBI did not put pressure on Apple in searching for ways to circumvent the lockscreen of the iPhone 5c.
News Digest Another digest with a detailed description of the case.
')


One political news in Top 5 is still there. In early 2016, an indicative dispute on the subject of cryptography took place between Apple and US authorities. It was about the phone of a terrorist who made a shooting in San Bernardino, California in 2015. Specifically, it was the iPhone 5c, which fell into the hands of the FBI unscathed, but blocked by a standard passcode. Part of the information from the phone of the deceased terrorist was obtained through the iCloud cloud storage, but long before the terrorist attack, synchronization with this service was interrupted. Apple demanded to provide the means to select the passcode by search, without the built-in limit on the number of attempts that inevitably turned the data on the phone into a pumpkin.

At that moment, when everyone was ready for a long, public judicial debate, when appeals to the public had already been posted, closed conference calls with the press were held (without names, without direct quotations), the FBI was able to bypass the lock without the manufacturer’s help. Nevertheless, this case was the first this year's journey of IT security in big politics - and, alas, not the last. The fact that in February it seemed an isolated dispute between the state and the manufacturer, in October, turned into almost a key element of political rhetoric. Cybersecurity is increasingly affecting seemingly completely “offline” interaction mechanisms within society, and this is not only about iPhones.

Although in them too. The natural reaction of Apple, despite the conditional victory, were successful attempts to deprive themselves of any means of circumventing the declared security system of their own devices. In the summer, a representative of Apple spoke at BlackHat, telling in detail ( slides ) about the innovations in the iOS data protection system (at that time - in the ninth version). This is an inconceivable level of openness for Apple: the company still prefers to keep the technical details of the work of their devices with them. Encryption began to be implemented more actively by messenger developers (for example, WhatsApp and Viber). On the other hand, the FBI continues to speak out against absolute privacy.


Dilbert on the topic.

But the problem is that there is no reliable cryptography with backdoor. From a technical point of view, this thesis, in general, is not discussed. But in fact, the security of our devices with you now depends not only on the speed of progress, but also on how the techies agree with the politicians. It also depends on the situation at the battle front between the castle and the master key: good cryptography does not equal data security at all. There is always a way around circumvention. There is always a way to make hacking as expensive as possible for an attacker. Be that as it may, 2016 has made it clear that the security of information systems has become more than ever dependent on its most unpredictable element: on the human factor.

Third and fourth places. Vulnerabilities in GLIBC and Linux Kernel
News News Digest about GLIBC.

In February of this year, a critical vulnerability was discovered in the GNU C Library (glibc), affecting all versions starting from 2.9, which was released in 2008. Guilty was the getaddrinfo () function, which is responsible for querying the DNS server. The problem is that an arbitrary code can be added to the response from the server, and, causing a buffer overflow, to execute it on the victim's system. The vulnerability was discovered by researchers at Google, and accidentally - their attention was attracted by the constant falling of the SSH client from the segmentation fault when accessing a specific server. That is, in order to conduct an attack using this vulnerability, you need to configure the DNS server in a certain way and somehow force the victim to make a request. This is not so difficult, and can be implemented, for example, during the man-in-the-middle attack, when, instead of a legitimate DNS server, the path of the request is fake.

A vulnerability in the Linux kernel (CVE-2016-0728), more precisely in the keyring module, was discovered in January 2016: it provides the possibility of local privilege escalation. Perception Point's experts who discovered the problem claimed that virtually all desktop and server versions of Linux based on the 3.8-4.2 kernel are vulnerable, and some Android devices (in the latter, SELinux implementation makes it difficult to operate the problem). Despite the great attention to this vulnerability, it turned out to be not the most dangerous (in-the-wild was never fixed), and not the only one in a year on the topic of local privilege escalation. Just last week, another one was discovered and closed.

Second place. OAuth 2.0 bypass.
News Digest Research

In November, at the European BlackHat EU conference, researchers from the University of Hong Kong showed examples of incorrect implementation of the OAuth 2.0 protocol, which, in some cases, can steal user accounts. The problem lies not in OAuth itself, but in its specific implementations. The need to implement Single-Sign-On systems not only for the web, but also for mobile applications (belonging not only to the owners of identification services like Facebook and Google, but also to a third party) led to the fact that the OAuth 2.0 standard began to be overbuilt by anyone in that much, not always following safety practices.

As a result, user authorization in some places happens as horrible: the study describes a situation when it is possible to log in on behalf of another user, knowing only his login (usually this is an e-mail). However, the described attack scenarios provide for a man-in-the-middle position, and are not always possible. Of the problematic applications discovered during the study, most work with the Chinese identity provider Sina, and of the 99 apps tested that support OAuth through Google and Facebook, only 17 are exposed. I’ll add that the study does not indicate the names of the affected applications, but one of them uses Google authorization and is a music app with over 800 million downloads. Hence, the number of susceptible users is presumably greater - more than a billion.

First place: Generation of random numbers using low-quality sources.
News Digest Research

A scientific paper published in May by researchers David Zuckerman and Eshan Chattopadhya from the University of Texas proves the possibility of generating high-quality random numbers based on two lower quality sources. To be more precise, this possibility was before - for example, about 10 years ago, the Belgian mathematician Jean Bourgein showed this. The problem with Burgeyne’s work was that these very “not very high-quality” sources were actually subject to rather high demands on the part of entropy, respectively, his research had a purely scientific value.

But in this case, the value can be quite practical: if it is simple, the new work will allow to get random numbers quickly and cheaply, reducing the chances of, say, hacking encrypted correspondence due to the vulnerability of the generation algorithm. The main requirement for two sources is the absence of correlations between them. In general, good (although extremely difficult to understand) news from the scientific front, which may well find application in cryptography, and not only in it. Reviews of scientific work in general are very positive, but, as correctly noted in this article by the BBC, the study does not offer anything fundamentally new. But the quality and speed of existing methods for generating random numbers can be improved.



This news was not only the most popular this year, but also, perhaps, the most difficult for perception. Facilitate (although, someone like) understanding of the topic will help the above video lecture Zuckerman.

What else happened (but did not make it to the Top 5):
An epic study on how to drop systemd using 48 characters. More in this digest.

The June botnet of IoT devices, responsible for the 400-gigabit DDoS attack. The Mirai botnet saga that lasted all autumn was still cooler.

Interesting, but not revealing, research about how a malicious program tries to escape from rewriters, who, in turn, are trying to run it in a virtual machine. More in this digest .

Another passod passod iPhone.

And, finally, an interesting study of the interception of control of wireless keyboards and mice. The authors of the work from Bastille Networks have been on a crusade all year against unsafe wireless input devices. Interesting work, but rather useless: as long as there are ways to attack a lot easier, it is unlikely to be put into service. And good.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.