STE WILLIAMS

Don’t let the crooks ‘borrow’ your home router as a hacking server

We’ve written about the trials and tribulations of SSH before.

SSH, short for Secure Shell, is probably the most common toolkit for remotely managing computers.

Windows users may be more familiar with RDP, or Remote Desktop Protocol, which gives you full graphical remote control of a Windows computer, with access to the regular Windows desktop via mouse and keyboard.

But almost every Linux or Unix sysadmin out there, plus many Windows sysadmins, use SSH as well as or instead of RDP, because of its raw power.

SSH is more generic than RDP, allowing you to run pretty much any non-GUI program remotely, so you can administer the computer automatically from afar via pre-written scripts, or open up a terminal window and control the remote system interactively by typing in commands live – or do both at the same time.

As a result, crooks who can figure out your SSH password have their own way into your computer, if not your whole network.

SSH also provides you with a feature called network tunnelling, whereby you use SSH to create an encrypted network connection or “tunnel” from computer A to B, and then create an onward connection from B to C to do the actual online work you want.

For security conscious users, that’s good – it makes it easy to “skip over” untrusted parts of the network, such as your coffee shop Wi-Fi router.

Indeed, an SSH server that lets you redirect network traffic can be thought of as a special-purpose VPN, or an encrypting proxy, handy for boosting security while you’re on the road.

So, crooks with your SSH password can also use your server as a stepping stone for the next attack – using you as a jumping-off point to hack other people, leaving the victims pointing their fingers at you.

The bad news is that you probably have an SSH server at home, whether you realise it or not, and whether you intended to or not.

That’s because many, if not most, home routers have a preconfigured SSH server built in for administrative purposes – perhaps even for your ISP’s benefit, so they can get in and look after your router for you.

Many home internet connections, notably those that don’t end in a regular phone line that you plug into, include an item of what’s called CPE (customer premises equipment) that doesn’t belong to you. The ISP’s own network terminates not at the phone jack on your wall, but at the LAN ports of a router that’s loaned to you for the duration of your contract. Management, configuration and updates of that router may be handled remotely, as if it were sitting back in the ISP’s own server racks.

Whether you have an SSH server that you manage yourself, or that’s used and managed for you by your ISP, doesn’t matter to the crooks.

SSH servers have cybercriminal earning potential, not only as a possible way to break in and steal data for resale, but also as a convenient and anonymous beachhead for new attacks.

That’s what seems to have happened in a recent mini-botnet attack, apparently found on several hundred fibre modems in Thailand and the Philippines by Chinese researchers at the 360 Netlab Blog.

This zombie malware, unpronounceably dubbed Gwmndy (after a server name it connects to) is surprisingly simple.

The part that runs on infected routers is just one small shell script to open up the needed holes in your system, plus a 170 kilobyte program that is there to “call home” to the crooks to tell them where to look.

If you don’t already have an SSH server for Gwmndy to use, it downloads an open source SSH server program called dropbear, a tiny, widely used and easily configured alternative to full-featured SSH software such as OpenSSH.

It then not only fires up the server but also quietly creates a new, root-level account with a password chosen in advance by the crooks.

(You can verify that the password is pldt123456 with the command openssl passwd -1 -salt .vb9HA2F pldt123456 – if you can think of any significance in the letters P-L-D-T, please let us know in the comments!)

According to 360 Netlab, this malware hasn’t been distributed widely – it’s not a virus, so it doesn’t spread by itself.

Presumably, this is a zombie network of SSH tunnels that the crooks are holding as part of their own stash of ready-to-use proxies in South East Asia.

What to do?

When crooks get into a server that you didn’t even realise was a server then it’s hard to know where to start.

According to 360 Netlab, the affected routers in this case are all of the Fibrehome brand (the shell script used by the malware includes reference to a directory called /fh, presumably short for the brand name).

1. If you have such a device, consider reflashing it with firmware downloaded directly from your router vendor.

Even if it takes you a while to reconfigure it how you had it before, you will at least be getting rid of any updates, tweaks or hacks left behind by the crooks, such as removing the secret admin user created by this malware.

Additionally, reflashing your router will help ensure you have the latest version, in case you’re months or even years behind by now.

2. Take the time to learn your way around your router’s configuration settings, assuming they’re accessible to you and not locked down by your ISP.

Many routers can be made reasonably secure, but typically ship with many security settings turned off by default to make them easier to set up.

3. If you do find any router features you aren’t sure about or don’t need, such as remote access for people outside your network, turn them off and see how well you can manage without them.

In particular, make sure you aren’t running UPnP, short for Universal Plug and Play, a system that’s designed to help your computers and peripherals – devices like printers and network storage devices – find each other.

Unfortunately, UPnP may make your devices so easy to find that they’re automatically enabled for remote access, which is usually not what you want.

4. If you are technical yourself, or have techie friends, see if you can get them to check whether your router is accessible, both from inside your network and from the internet, using their favourite network scanning tools.

By the way, if you’re the techie in this equation, never probe someone else’s network without explicit permission each and every time.

In particular, this malware will give itself away with a listening SSH service on port 23455, something you wouldn’t usually expect to see.

5. If you have a router supplied or managed by your ISP, consider buying a router of your own and plugging your router into theirs, thus keeping your networks cleanly separated.

If you’re a techie, or have willing techie friends, you can even run the Sophos XG Firewall Home Edition 100% free as your own secure network gateway.

You will need to provide your own hardware – a recent but retired laptop might do the trick for you – but you get all the product features for free, including email filtering, web filtering, a home VPN, and more.
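As an added example, not code from the Naked Security article or from 360 Netlab, the Python script below turns the indicators the article gives into a check you can run against copies of a router’s or Linux host’s /etc/passwd, /etc/shadow and `netstat -tln` output: an extra UID-0 account, an md5-crypt hash that matches the password pldt123456 (the salt, .vb9HA2F in the openssl command quoted earlier, is read from the hash itself), and an SSH service listening on TCP port 23455. The md5-crypt routine is a pure-Python equivalent of `openssl passwd -1`; the account name fhadmin and all sample file contents are constructed for the example, since the article does not name the planted account.

```python
"""Constructed example: check a router/Linux host for the Gwmndy indicators named
in the article (an extra root-level account with password pldt123456 and an SSH
listener on TCP port 23455). Not code from Naked Security or 360 Netlab."""
import hashlib
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
KNOWN_BACKDOOR_PASSWORD = "pldt123456"  # password reported for the planted account
GWMNDY_SSH_PORT = 23455                 # port the malware's dropbear listens on


def _to64(value, count):
    """crypt(3)-style base64: emit `count` chars, low 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password, salt):
    """Pure-Python md5-crypt ($1$), the scheme `openssl passwd -1 -salt` uses."""
    pw, sl, magic = password.encode(), salt[:8].encode(), b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # bit-walk over len(pw): NUL or first pw byte
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return f"$1${salt[:8]}${enc}{_to64(final[11], 2)}"


def shadow_matches(shadow_hash, password):
    """True if an md5-crypt shadow field was produced from `password`."""
    m = re.fullmatch(r"\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22}", shadow_hash)
    return bool(m) and md5_crypt(password, m.group(1)) == shadow_hash


def find_uid0_accounts(passwd_text):
    """Every account whose UID is 0; any name other than root needs explaining."""
    return [f[0] for f in (line.split(":") for line in passwd_text.splitlines())
            if len(f) >= 3 and f[2] == "0"]


def find_listeners_on(netstat_text, port):
    """Local addresses in `netstat -tln` output that are LISTENing on `port`."""
    hits = []
    for line in netstat_text.splitlines():
        p = line.split()
        if (len(p) >= 6 and p[0].startswith("tcp") and p[-1] == "LISTEN"
                and p[3].rsplit(":", 1)[-1] == str(port)):
            hits.append(p[3])
    return hits


def gwmndy_indicators(passwd_text, shadow_text, netstat_text):
    """Return only the indicators that fired; an empty dict means none were found."""
    report = {}
    extra = [u for u in find_uid0_accounts(passwd_text) if u != "root"]
    if extra:
        report["extra_uid0_accounts"] = extra
    hashes = {line.split(":")[0]: line.split(":")[1]
              for line in shadow_text.splitlines() if ":" in line}
    hit = [u for u, h in hashes.items() if shadow_matches(h, KNOWN_BACKDOOR_PASSWORD)]
    if hit:
        report["accounts_with_backdoor_password"] = hit
    listeners = find_listeners_on(netstat_text, GWMNDY_SSH_PORT)
    if listeners:
        report[f"ssh_listeners_on_{GWMNDY_SSH_PORT}"] = listeners
    return report


# --- constructed sample input; the account name fhadmin is a placeholder ---
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/sh\n"
                 "nobody:x:65534:65534::/:/bin/false\n"
                 "fhadmin:x:0:0::/:/bin/sh\n")
SAMPLE_SHADOW = ("root:$6$notreal$placeholder:18000:0:99999:7:::\n"
                 f"fhadmin:{md5_crypt(KNOWN_BACKDOOR_PASSWORD, '.vb9HA2F')}:18000:0:99999:7:::\n")
SAMPLE_NETSTAT = ("Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
                  "tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN\n"
                  "tcp        0      0 0.0.0.0:23455           0.0.0.0:*               LISTEN\n")

if __name__ == "__main__":
    print(gwmndy_indicators(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_NETSTAT))
```

The password match is deliberately done by recomputing the hash with the salt taken from the shadow entry rather than by comparing against a hard-coded hash string, so the same check works if a later variant changes the salt but keeps the password. Anything other than md5-crypt (`$5$`, `$6$`, dropbear’s own formats) is simply reported as no match here.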


Featured image of shells thanks to Manfred Heyde on Wikipedia. The shells are from Shell Island, a coastal peninsula south of Harlech Castle in North Wales, UK.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5y3xxyh3DoA/

The Key to Enterprisewide Encryption

Security teams have been slow to embrace enterprisewide encryption, and for good reasons. But the truth is, it doesn’t have to be an all-or-nothing endeavor.

Enterprise security teams have long struggled with the complexity of encryption and key management. While integrated solutions are starting to make it easier to encode and decode critical data, the goal of enterprisewide encryption has greatly increased the time it takes for security teams to cover their bases. 

In fact, for many it could be a resource-sucking nightmare. 

“Most enterprise encryption products require investments in data compartmentalization, account management, and user training in order to be effective,” says Ryan Shaw, co-founder at Bionic. “Unfortunately, many organizations just can’t afford that investment.”

Add to that, most solutions don’t offer protection from an advanced and determined attacker — another reason why many organizations have not embraced enterprisewide encryption, Shaw says. It also becomes complicated due to competing priorities among the different lines of businesses, each with their own ideas of what serves the business objectives and yields the best return on investment.

Not So Fast
Despite these legitimate obstacles, enterprise encryption is still a mandate for many security teams — though it doesn’t have to be all or nothing.

Rather than taking an all or nothing approach, organizations should begin with the core elements of good cyber hygiene inherent in full disk encryption and transport layer security (TLS). Organizations that are not burdened with budgetary restraints are more likely able to make use of them for data at rest and for data in transit. 

“Cloud providers, such as Amazon and Microsoft, also have robust, well-tested solutions in place to secure data at rest,” Shaw says. “Additional authentication measures, specifically multifactor, to access critical systems and data are a step in the right direction and supported in most modern infrastructures.”

Implementing enterprisewide encryption requires teams to take many factors into consideration, including key management, access, and authorization, says Dan Tuchler, CMO of SecurityFirst. Encryption is only effective if it is coupled with policies around key storage as well as policies that ensure controlled access and proper key transmission. 

“Deploying encryption without an overall architectural plan can lead to a difficult and ineffective solution,” Tuchler says. What has worked effectively, though, is policy-based access control that limits data access to only valid users, organizations, and applications, he adds.

An overall architectural plan includes a process for reporting any suspicious access attempts to the threat analytics systems. In addition, Tuchler says, “Keys must be securely managed across the organization. Combining encryption with these elements, enterprisewide data protection is possible, and with the increasing regulations being enacted, there is more reason to do it now.”

Data, Data Everywhere
Most organizations are encrypting data in transit, which is fairly straightforward, according to Ameesh Divatia, CEO of Baffle. “It is end-to-end encrypted with SSL,” Divatia says. “Encryption in transit prevents somebody from being a man-in-the-middle or tapping the wire.”

Still, encrypting data in transit has its own challenges, particularly because the new version of TLS makes it nearly impossible to do man-in-the-middle, says Sean Frazier, advisory CISO at Duo Security. 

“In an ideal world, yes, you would want to encrypt everything, but the larger an organization gets, the harder it is to encrypt everything because of data spread,” adds Dylan Owen, senior manager for cyber services at Raytheon IIS. “You now have a lot more hurdles to overcome in order to do it across the board.” 

Organizations want to inspect traffic so that if traffic containing sensitive information comes across, they know whether to allow that to happen. Frazier says in order to see that data, security teams need to take apart the channels. 

“You have to be the man in the middle, which is what bad guys normally do, but you do that as an organization because you want to make sure that the right content is going across the wire and the wrong content isn’t,” Frazier says. 

The problem is that taking apart channels happens at the application layer. 

“Applications have to be modified to actually encrypt data and incorporate crypto into it,” Divatia says. However, users first need to understand how crypto works, and they need to have the original application developer around, lest they go messing with somebody else’s code. 

At-rest encryption — encrypting inactive data that is stored in any digital or physical form — is essentially borrowing from storage-based encryption. In transit and at rest is relatively easy to implement, but Divatia says it does not protect against breaches; otherwise, they would not be happening. 

The Key to Key Management
Because data encryption is only as strong as the key itself, key management becomes critical. Organizations need to have a key management strategy that includes policies for how to expire keys and how to use keys for data in a database where they have to decrypt and encrypt multiple times. The larger an organization, the more difficult key management becomes. 

“Key management is a pain,” Frazier says. “It’s always been a pain.”

That’s why organizations should first identify the data that actually needs to be encrypted. “If you are only going to encrypt a small amount of data, key management is easier. If you want to encrypt everything, it becomes harder because you have that many more devices to worry about providing a key to,” Owen says.

Security teams should consider their reasons for using encryption. Encrypting for the sake of best practice isn’t always good. Instead, Owen says to approach encryption from a protection perspective. “That helps you sort out how you do key management,” Owen says. 

Still, many organizations do need to encrypt a larger pool of data, which sets the groundwork for a complex key management situation. That’s where picking the right software procedures can help them handle encryption. It’s important to make sure the solution can manage all keys. 

“You don’t want to have a tool for your laptops, your mobile, your SaaS, and your cloud. Having as few tools as possible will help to manage keys,” Owen says. “The best practice is to see what you need to encrypt and what makes the most sense. Encryption is expensive, and it can be really difficult, particularly from the user perspective. For some organizations, enterprisewide encryption is not really practical.”

Of course, legal requirements and the internal business perspective will guide encryption decisions, but it’s also important to remember that encryption is not the easiest thing from a user perspective, and it creates a lot of barriers for them.

“In order to get them to do the right thing, you need to make encryption as easy as possible,” Owen says.

Image Source: agsandrew via Adobe Stock

Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition’s security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM’s Security Intelligence. She has also contributed to several publications, …

Article source: https://www.darkreading.com/the-key-to-enterprisewide-encryption-/d/d-id/1335425?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Rethinking Website Spoofing Mitigation

Deception technology is evolving rapidly, making it easier for organizations to turn the tables on their attackers. Here’s how.

Website spoofing is a common problem that has doubled in the last year, resulting in $1.3 billion in losses, according to the 2019 Thales Access Management Index (registration required). In a high-profile example of website spoofing that has left the business world more than a little rattled, hackers successfully diverted about 500,000 customers visiting the British Airways website last summer to a realistic-looking but fraudulent site, without the airline having any idea it had been spoofed.

The spoof site gathered names, addresses, login information, payment card details, and other data. After a review by the EU’s Information Commissioner’s Office, British Airways faces a possible record-breaking fine for violating the terms of General Data Protection Regulation (GDPR), to the tune of £183.5 million — about 1.5% of the airline’s annual revenue. Because of website spoofing, not only does the airline suffer losses to its customers and its brand but the additional government-levied fines and financial pain.

This attack vector has been around for decades and continues to be popular because it’s difficult to detect until it’s too late. For a fairly small investment, adversaries can acquire all the tools they need on the Dark Web to set up highly convincing website-spoofing schemes, as part of a larger phishing campaign. Website spoofing works on all of the major Internet browsers and is not prevented by “secure” connections. The adversary can observe and modify all website pages and form submissions, even when the browser’s “secure connection” indicator is lit. The user sees no easily discernible indication that anything is wrong. Even sites protected by two-factor authentication cannot escape the assault.

Under Europe’s GDPR, multinational corporations must make every effort to provide “reasonable security” mechanisms to protect personal data. As the British Airways fine shows, “reasonable security” now extends to spoofed sites that the organization never even knew about. This incident should serve as a wake-up call that current methodologies aren’t effective enough. It’s time to rethink the way we approach detection and mitigation of website spoofing incidents.

Shift the Focus
To date, options for detecting when a website has been spoofed have largely relied on monitoring domain registrations and manual web searches. However, this approach is susceptible to human error and is only capable of identifying spoofed websites after the fraud occurs. A common approach for detecting website spoofing has been to search for brand images and relevant content from the copied site. But this approach leaves the attacked company with no insight into how many and which of its clients were potentially victimized and does nothing to deter the next attack.

Another familiar approach has been to train workers and consumers to be able to spot fakes. This is a good idea in theory because it educates and empowers individuals. It’s true that in some cases, spoofed sites can be detected because something “looks off” compared with the original website. However, the sheer volume of spoofs being created and the increased level of sophistication behind these attacks makes it quite difficult for the user to spot them with certainty. It also places an unfair burden on the victim of the attack, making them responsible for detection instead of the owner of the original website that’s been targeted.

Domain registration monitoring and training employees fail to help organizations detect spoofing early in the life cycle of an attack, before data is stolen. Further, these approaches cannot help businesses understand how long the fake site has been active, and most importantly, how many customers or employees may have been victimized. The two biggest challenges of all — who initiated the attack and deterring the adversary from trying it again — are completely left out of the mitigation process with these approaches.

Deceiving the Deceivers
A more sensible strategy is to focus on early detection and a smarter mitigation strategy called deception technology that is painful to the attacker and provides actionable data for organizations. (Disclaimer: Allure is one of a number of vendors that market deception technology products.) The idea is to flood the adversary with highly believable decoy credentials and personal information. This causes a great deal of doubt about what may have been stolen, making it hard for the fraudster to discern what is real and what is fake. The only way to know is to test all credentials at the real site, causing greater overhead costs for the adversary, and providing an opportunity to gather information about the attacker when decoy logins occur, such as endpoint IP addresses under his or her control.

Deception techniques could finally shift the advantage in favor of the legitimate businesses victimized by website spoofing. At Columbia, our Computer Science and IDS Lab has been conducting experiments to determine how certain deception techniques can bait adversaries with highly convincing but false credentials embedded with tracking mechanisms that are triggered when the attacker attempts to open or exfiltrate them. We called this the “BotSwindler,” and it aims to detect crimeware such as spoofing by deceptively inducing attackers into an observable action during the exploitation of monitored information injected into the guest OS. To entice attackers with information of value, the system supports a variety of different types of bait credentials, including decoy Gmail and PayPal authentication credentials, as well as those from large financial institutions.  
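The mechanism the two paragraphs above describe, decoy credentials that the real site recognises at login time, can be reduced to a small piece of server-side logic. The Python below is an added example and is not code from Allure Security or from the Columbia BotSwindler work: the key, the password shape, the campaign numbering and every sample login are made up for the example. Each decoy password carries an HMAC tag that binds it to the account it was planted for and to a campaign id, so when anyone later tries that password at the genuine site, the authentication path can tell it apart from a real login, record the source address and the batch of bait it came from, and still return the ordinary failure message.

```python
"""Constructed example of the decoy-credential idea: mint bait passwords that the
real site can recognise, then classify incoming logins. Not Allure's or
Columbia's code; key, password shape and sample logins are invented."""
import base64
import hashlib
import hmac
import secrets

# Hypothetical server-side secret. In production keep it in a KMS/HSM and rotate it;
# whatever can tell a decoy from a real password is itself sensitive.
DECOY_KEY = b"example-only-decoy-key"
TAG_LEN = 6          # 48-bit MAC: ample to rule out accidental matches


def mint_decoy(username, campaign_id, rand=None):
    """Return a believable password for `username` whose tail carries a MAC that
    binds it to the account and to the campaign (batch of bait) it was planted in."""
    rand = secrets.token_bytes(5) if rand is None else rand
    nonce = bytes([campaign_id]) + rand                      # 6 bytes, first = campaign
    tag = hmac.new(DECOY_KEY, username.encode() + b"|" + nonce,
                   hashlib.sha256).digest()[:TAG_LEN]
    token = base64.urlsafe_b64encode(nonce + tag).decode()  # 12 bytes -> 16 chars
    # Fixed frame "Bk...!" keeps parsing cheap; pick a shape that fits the site's
    # password policy so the bait does not stand out from harvested real ones.
    return {"username": username, "password": f"Bk{token}!"}


def classify_login(username, password, src_ip):
    """Run on the real site before the ordinary credential check. Ordinary logins
    get {'decoy': False}; a decoy yields an alert naming campaign and source."""
    nope = {"decoy": False}
    if len(password) != 19 or not password.startswith("Bk") or not password.endswith("!"):
        return nope
    try:
        raw = base64.urlsafe_b64decode(password[2:-1])
    except ValueError:
        return nope
    if len(raw) != 6 + TAG_LEN:
        return nope
    nonce, tag = raw[:6], raw[6:]
    expect = hmac.new(DECOY_KEY, username.encode() + b"|" + nonce,
                      hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return nope
    return {"decoy": True, "username": username, "campaign_id": nonce[0], "src_ip": src_ip}


def triage(attempts):
    """Feed of (username, password, src_ip) tuples -> list of decoy alerts."""
    return [a for a in (classify_login(u, p, ip) for u, p, ip in attempts) if a["decoy"]]


# Constructed sample: one decoy planted under campaign 3, then a mixed feed of
# login attempts as the genuine site might see them.
BAIT = mint_decoy("alice@example.com", 3, rand=bytes(5))
SAMPLE_ATTEMPTS = [
    ("alice@example.com", "correct horse battery", "198.51.100.7"),  # ordinary login
    ("alice@example.com", BAIT["password"], "203.0.113.9"),          # harvested decoy
    ("bob@example.com", BAIT["password"], "203.0.113.9"),            # decoy on wrong account
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_ATTEMPTS):
        print(alert)
```

Because the tag is bound to the username, a decoy replayed against a different account is treated as an ordinary bad password, which keeps false alerts down when attackers spray one harvested list across many accounts. The site should respond to a decoy exactly as it responds to any wrong password; the value lies in the alert record, not in what the attacker sees.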

Whether the motivation is to spread fake news in pursuit of influence, steal customer login credentials or credit card numbers for financial gain, or break into cloud shares and networks to exfiltrate intellectual property, website spoofing has devastating effects on company reputation, consumer trust, and corporate revenues. It’s time to take a more modern approach to solving this pervasive security problem. Simply detecting IP anomalies isn’t enough. Deception technology is evolving rapidly and is well-positioned to detect website spoofing schemes sooner, giving organizations the ability to turn the tables on adversaries.


Dr. Salvatore Stolfo is the founder and CTO of Allure Security. As a professor of artificial intelligence at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Dr. Stolfo has …

Article source: https://www.darkreading.com/threat-intelligence/rethinking-website-spoofing-mitigation/a/d-id/1335427?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Deja-wooo-oooh! Intel chips running Windows potentially vulnerable to scary Spectre variant

Spectre – a family of data-leaking side-channel vulnerabilities arising from speculative execution that was disclosed last year and affects various vendors’ chips – has a new sibling that bypasses previous mitigations.

Designated CVE-2019-1125 and rated moderate in terms of severity, the issue – limited primarily to Intel x86-64 systems running Windows – could allow a local attacker to work around protections like kernel address space isolation to read sensitive kernel memory. AMD’s 64-bit x86 processors running Windows are also affected, though to a much lesser extent.

All in all, this means, as usual, malware, malicious JavaScript in a browser, or rogue users on a vulnerable system could potentially swipe secrets such as passwords and encryption keys out of RAM. Applications can snoop on other applications, code in virtual machines can spy on other virtual machines, and so on.

Note that Spectre vulnerabilities are not, to the best of our knowledge, being exploited in the wild by any software nasties, mainly because they are too much of a faff to abuse when there are easier and better bugs to abuse. As such, this latest discovery is primarily another fascinating look into the world of processor design and its shortcuts and blunders.

According to security biz BitDefender, whose researchers found the flaw, a hardware fix isn’t viable and the issue has to be addressed at the operating system level. The outfit has dubbed the flaw “SWAPGS Attack,” and illustrated its inner workings here.

As Red Hat explains in its write-up, SWAPGS refers to a system instruction that, as its name suggests, “swap[s] the current user space value of ‘GS’ (a memory segment register) with the value intended to be used during kernel operations.” It’s available only in 64-bit mode on x86 chips.

SWAPGS doesn’t validate its value and therein lies the problem. “As a result,” Red Hat says, “it is possible that these conditional branches in the Linux kernel entry code may mis-speculate into code that will not perform the SWAPGS, resulting in a window of speculative execution during which the wrong GS is used for dependent memory operations.”

Such mis-speculation may then be revealed through side-channel timing analysis, resulting in the gradual disclosure of kernel memory.

The vulnerability affects Windows, including virtual machines running on it. Linux is theoretically vulnerable in that it contains a gadget (a specific construction of machine code) that could be used in a potential attack. However, BitDefender notes that the gadget lies within the Linux kernel’s non-maskable interrupt (NMI) handler and would therefore be difficult, if not impossible, to attack. Apple hardware isn’t believed to be affected.


Microsoft quietly patched its Windows operating system on July 9, and on Tuesday this week published an advisory to that effect. Its software revision limits how the CPU speculatively accesses memory.

“To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application,” Microsoft said in its advisory. “The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further.”

Red Hat – though it insists it isn’t aware of any way to exploit this vulnerability on Linux kernel-based systems – has patched its Enterprise Linux versions 5-8, Atomic Host, Enterprise MRG 2, OpenShift Online v3, Red Hat Virtualization, Red Hat OpenStack Platform and Red Hat OpenShift Container Platform 4. The company insists its fix has only “a minimal performance impact” that doesn’t show up in current benchmarks.
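For readers who want to see whether their own Linux kernel carries the fix Red Hat describes, the kernel reports the status of each known CPU issue as a small text file under /sys/devices/system/cpu/vulnerabilities, and the swapgs barriers are reported on the spectre_v1 line. The Python below is an added example, not from The Register, Red Hat or BitDefender: it parses those status strings into verdicts and flags whether the swapgs barriers are present. The sample directory contents are constructed; the exact wording of the strings varies with kernel version and vendor backports, so the check matches on the word “swapgs” rather than on a full sentence.

```python
"""Constructed example: turn the per-issue status files the Linux kernel exposes
under /sys/devices/system/cpu/vulnerabilities into verdicts, and report whether
spectre_v1 mentions the swapgs barriers added for CVE-2019-1125."""
from pathlib import Path

SYSFS_VULNS = Path("/sys/devices/system/cpu/vulnerabilities")


def parse_status(text):
    """One status file -> (state, detail). Kernels write 'Not affected',
    'Vulnerable[: detail]' or 'Mitigation: detail'."""
    text = text.strip()
    if text == "Not affected":
        return "not_affected", ""
    for prefix, state in (("Mitigation:", "mitigated"), ("Vulnerable", "vulnerable")):
        if text.startswith(prefix):
            return state, text[len(prefix):].lstrip(": ").strip()
    return "unknown", text


def assess(statuses):
    """statuses: {file name: file contents}. Returns every verdict, the names still
    reported vulnerable, and whether spectre_v1 lists the swapgs barriers."""
    verdicts = {name: parse_status(raw) for name, raw in statuses.items()}
    v1_state, v1_detail = verdicts.get("spectre_v1", ("unknown", ""))
    return {
        "verdicts": verdicts,
        "vulnerable": sorted(n for n, (s, _) in verdicts.items() if s == "vulnerable"),
        "swapgs_barriers": v1_state == "mitigated" and "swapgs" in v1_detail.lower(),
    }


def read_sysfs(root=SYSFS_VULNS):
    """Read the live directory; empty dict on non-Linux hosts or old kernels."""
    if not root.is_dir():
        return {}
    return {p.name: p.read_text() for p in root.iterdir() if p.is_file()}


# Constructed samples of what the files look like on a patched and an older kernel.
PATCHED = {
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, "
                  "STIBP: conditional, RSB filling\n",
    "meltdown": "Mitigation: PTI\n",
    "l1tf": "Not affected\n",
}
UNPATCHED = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode\n",
    "meltdown": "Mitigation: PTI\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    print(assess(live) if live else "no sysfs vulnerability directory on this host")
```

Run as a regular user on a Linux box the script reads the live directory; the constructed PATCHED and UNPATCHED dictionaries exist so the parsing can be exercised anywhere. A result of `swapgs_barriers: False` on an x86-64 kernel older than the fix is the expected outcome, not a parsing failure.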

Neither AMD nor Intel plan to issue microcode updates because they believe the vulnerability can be adequately addressed in software.

Intel, in a statement provided to The Register, said Microsoft’s patch resolved the problem, which applies to x86-64 chips since Ivy Bridge (2012). “Intel, along with industry partners, determined the issue was better addressed at the software level and connected the researchers to Microsoft,” the chipmaker said. “It takes the ecosystem working together to collectively keep products and data more secure and this issue is being coordinated by Microsoft.”

AMD is even less concerned.

“Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS,” AMD said in a statement on its website. “For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1.”

BitDefender’s white paper describes two attack scenarios: when SWAPGS is not getting executed speculatively though it should, and when SWAPGS is getting speculatively executed but shouldn’t.

Each of these has two variants: where the attacker tests if a value is located at a specific kernel address and where the attacker infers the value at a randomly selected kernel address. It’s only this second variant of the second attack scenario that pertains to AMD. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/06/intel_windows_spectre_swapgs/

They say piracy killed the Amiga. Know what else it’s killing? Malware sales. Awww, diddums

BSides LV: Life’s tough as a malware developer. If the cops or Feds don’t collar you, your fellow scumbags will screw you over – or perhaps both will happen.

In a presentation at the Bsides Las Vegas hacking conference today, Winnona DeSombre, an analyst at threat-intelligence biz Recorded Future, detailed a year-long probe into dark and public web forums and chat rooms where malware writers hang out. What she saw, during the course of the investigation that ended May 2019, was a constant fight between people who write malware and those who crack it and sell it on themselves or just give it away.

Software nasties are pirated by crooks and redistributed just like legit applications, in other words. Malware development is not immune to piracy.

“Piracy is bad, you should never do it,” said DeSombre, somewhat tongue in cheek, as she explained how it’s causing a headache for malware authors.

By way of example, she laid out the rise and fall of a trojan called AZORult, which harvests passwords, cookies, web browsing histories, and other personal data from infected Windows computers. It is typically used as a second stage – i.e. it’s deployed once a computer is already compromised to thoroughly vacuum up information. AZORult could be purchased from its creator, and proved so popular that pirates weighed anchor and sailed off with a cracked version of it.

The first bootleg versions started to appear a few months after the initial release, when parts of the source code leaked. The original creator updated the software, adding new features and faster data exfiltration, but the pirates moved in again and released their own updated version, and finally the original seller quit the market.


Cracked malware, as you can imagine, was rather popular on these underground forums, DeSombre said, and cut into the sales and revenue of professional malware writers who treated their malicious code to regular feature updates, bug fixes, and user support.

She also noted that malware writers exploit the media to push their products. She revealed forum postings advertising software nasties that linked to articles by security journalists reporting on that very malware. The developers of the devilish code hoped to use the news coverage to show off their creations’ influence and power. It was all part of the buzz-generation machine malware sellers used to flog their software.

Another popular tactic by malware vendors is search engine optimization (SEO). Sellers crafted packages or bundles of malware for SEO purposes, listing off as many components as possible to catch all the keywords and appear high in search results, even adding free code to sweeten the pot. It was, and still is, all about selling code to script kiddies as quickly as possible.

You may be interested to know that a lot of the ransomware, trojans, and similar gremlins discussed on hacker forums are old, in some cases more than three years old, and are defeated by installing the latest security patches from operating system vendors and other software makers. In other words, aging file-scrambling malware that relies on vulnerabilities for which patches have been available for months or years is pwning victims, not elite zero-day-exploiting tools fresh out of the compiler.

A case in point is the njRAT trojan, which first surfaced in 2012. Despite its age, and the fact that most antivirus software kills it on sight, the malware is still immensely talked about and sold online.

“njRAT, for some reason, is going to be popular until the end of time,” DeSombre noted. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/06/malware_writers_piracy/

Deja-woooo: Intel, AMD chips running Windows potentially vulnerable to scary Spectre variant

Spectre – a family of data-leaking side-channel vulnerabilities arising from speculative execution that was disclosed last year and affects various vendors’ chips – has a new sibling that bypasses previous mitigations.

Designated CVE-2019-1125 and rated moderate in terms of severity, the issue – limited to AMD and Intel x86-64 systems running Windows – could allow a local attacker to work around protections like kernel address space isolation to read sensitive kernel memory.

That means, as usual, malware, malicious JavaScript in a browser, or rogue users on a vulnerable system could potentially swipe secrets such as passwords and encryption keys out of RAM. Applications can snoop on other applications, code in virtual machines can spy on other virtual machines, and so on.

Note that Spectre vulnerabilities are not, to the best of our knowledge, being exploited in the wild by any software nasties, mainly because they are too much of a faff to leverage when there are easier and better bugs to abuse. As such, this latest discovery is primarily another fascinating look into the world of processor design and its shortcuts and blunders.

According to security biz BitDefender, whose researchers found the flaw, a hardware fix isn’t viable and the issue has to be addressed at the operating system level. The outfit has dubbed the flaw “SWAPGS Attack,” and illustrates its inner workings in its white paper.

As Red Hat explains in its write-up, SWAPGS refers to a system instruction that, as its name suggests, “swap[s] the current user space value of ‘GS’ (a memory segment register) with the value intended to be used during kernel operations.” It’s available only in 64-bit mode on x86 chips.

The problem is not the instruction itself but the conditional branch that decides whether to run it: the CPU may speculate down the wrong side of that branch. “As a result,” Red Hat says, “it is possible that these conditional branches in the Linux kernel entry code may mis-speculate into code that will not perform the SWAPGS, resulting in a window of speculative execution during which the wrong GS is used for dependent memory operations.”

Such mis-speculation may then be revealed through side-channel timing analysis, resulting in the gradual disclosure of kernel memory.

The vulnerability affects Windows, including virtual machines running on it. Linux is theoretically vulnerable in that it contains a gadget (a specific construction of machine code) that could be used in a potential attack. However, BitDefender notes that the gadget lies within the Linux kernel’s non-maskable interrupt (NMI) handler and would therefore be difficult, if not impossible, to attack. Apple hardware isn’t believed to be affected.


Microsoft quietly patched its Windows operating system on July 9, and on Tuesday this week published an advisory to that effect. Its software revision limits how the CPU speculatively accesses memory.

“To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application,” Microsoft said in its advisory. “The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further.”

Red Hat – though it insists it isn’t aware of any way to exploit this vulnerability on Linux kernel-based systems – has patched its Enterprise Linux versions 5-8, Atomic Host, Enterprise MRG 2, OpenShift Online v3, Red Hat Virtualization, Red Hat OpenStack Platform and Red Hat OpenShift Container Platform 4. The company insists its fix has only “a minimal performance impact” that doesn’t show up in current benchmarks.
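
The Linux side of the mitigation can be confirmed from user space: patched kernels report the swapgs barriers in the spectre_v1 entry under /sys/devices/system/cpu/vulnerabilities/. The following check is an added example, not code from Red Hat, BitDefender or the article; the mitigation strings it matches are the ones mainline kernels print (treat them as an assumption for distribution backports that word their status differently), and the sample contents are constructed.

```python
"""Report whether a Linux kernel carries the SWAPGS (CVE-2019-1125) mitigation.

Added example; not code from the article, Red Hat or BitDefender.  It reads the
spectre_v1 entry that the kernel exposes under sysfs and classifies the text.
The mitigation strings are the ones mainline kernels print; treat them as an
assumption if a distribution backport words its status differently.
"""

SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/spectre_v1"

# Constructed sample contents (not captured from a real host).
SAMPLE_PATCHED = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n"
SAMPLE_UNPATCHED = "Mitigation: __user pointer sanitization\n"
SAMPLE_VULNERABLE = "Vulnerable\n"


def classify_spectre_v1(text):
    """Classify sysfs text as 'swapgs-mitigated', 'partial', 'vulnerable',
    'not-affected' or 'unknown'.  'partial' means only the older Spectre v1
    user-pointer sanitisation is present and the swapgs barriers are missing."""
    line = text.strip().lower()
    if line.startswith("not affected"):
        return "not-affected"
    if line.startswith("vulnerable"):
        return "vulnerable"
    if line.startswith("mitigation:"):
        return "swapgs-mitigated" if "swapgs" in line else "partial"
    return "unknown"


def read_spectre_v1(path=SYSFS_PATH):
    """Return the sysfs text, or None when the file is absent (older kernel,
    non-x86 host, or a container that hides sysfs)."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def main():
    text = read_spectre_v1()
    if text is None:
        print(f"{SYSFS_PATH} not present: kernel predates the vulnerabilities interface or sysfs is hidden")
        return 2
    status = classify_spectre_v1(text)
    print(f"spectre_v1: {text.strip()} -> {status}")
    return 0 if status in ("swapgs-mitigated", "not-affected") else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it on the host itself rather than inside a container that hides sysfs. A result of partial means the kernel has only the older Spectre v1 user-pointer sanitisation and still needs the swapgs barriers; on Windows the equivalent check is simply confirming that the July 9 update named in Microsoft's advisory is installed.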

Neither AMD nor Intel plans to issue microcode updates, because both believe the vulnerability can be adequately addressed in software.

Intel, in a statement provided to The Register, said Microsoft’s patch resolved the problem, which applies to x86-64 chips since Ivy Bridge (2012). “Intel, along with industry partners, determined the issue was better addressed at the software level and connected the researchers to Microsoft,” the chipmaker said. “It takes the ecosystem working together to collectively keep products and data more secure and this issue is being coordinated by Microsoft.”

AMD is even less concerned.

“Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS,” AMD said in a statement on its website. “For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1.”

BitDefender’s white paper describes two attack scenarios: when SWAPGS is not getting executed speculatively though it should, and when SWAPGS is getting speculatively executed but shouldn’t.

Each of these has two variants: one in which the attacker tests whether a particular value is located at a specific kernel address, and one in which the attacker infers the value at an arbitrary kernel address. Only the second variant of the second scenario pertains to AMD. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/06/intel_amd_windows_spectre_variant/

Your mid-week infosec news bonanza: Cisco bugs, VMware-Nvidia guest escapes, KDE hijacking, and more

Roundup Before letting the IT staff clock out early this week, make sure they read up on the following security notices out this week.

Cisco warns of four flaws in small biz switch line

Organizations using Cisco Small Business 220 Series switches should make sure the firmware on the device is up-to-date with today’s update from the networking box maker. Switchzilla says the SMB switches are host to the following three serious flaws that could allow an attacker to remotely upload files to, execute code on, and inject commands into a vulnerable switch.

CVE-2019-1013 is a root-level remote-code execution vulnerability stemming from a buffer overflow. To exploit the flaw, an unauthenticated attacker must send a specially-crafted packet through the web management interface via HTTP or HTTPS. Credit for discovery was given to “bashis” via the VDOO Disclosure Program.

CVE-2019-1012 is an authentication bypass flaw that would result in the intruder being able to upload arbitrary files to the device. That bug can also be exploited via HTTP or HTTPS packets sent through the web interface. In this case, the flaw is due to incomplete authorization checks. Credit for reporting the bug was again given to “bashis” via the VDOO Disclosure Program.

CVE-2019-1014 is a command injection flaw in the 220 Series switches that acts more like an elevation of privilege. To exploit the bug, an attacker must have a valid web management interface login with level 15 privileges. If those requirements are met, a malicious request could be sent to kick off arbitrary shell commands run with root privileges. The flaw was found and reported by – you guessed it – “bashis” from the VDOO Disclosure Program.

Also patched was CVE-2019-1941, a cross-site scripting flaw in the web management interface for Cisco Identity Services Engine. An attacker that convinced a target to click on a malicious link would be able to perform actions or extract information in the context of the logged-in victim’s browser session with the device’s web-based management system. This bug was discovered internally during testing.

If you use JIRA… don’t make the same mistakes as these Fortune 500 companies and NASA boffins, and accidentally leak sensitive internal information to the internet. Shore up your configurations now!

Nvidia flaw makes VMware Workstation bug even worse

A vulnerability in VMware Workstation 15 can be amplified by flaws in Nvidia’s GPU software to allow malicious code within a virtual machine to take over the host system.

Cisco Talos senior research engineer Piotr Bania found and reported CVE-2019-5521, CVE-2019-5684, and CVE-2019-5685 in VMware and Nvidia’s software. The first flaw, CVE-2019-5521, is an out-of-bounds read error in VMware Workstation 15 that is triggered by a malformed pixel shader. When the flaw is exploited, it causes Workstation 15 to crash for most systems. However, when coupled with programming errors in Nvidia’s Windows GPU display driver, it potentially transforms into a potent guest escape.

On certain Windows machines fitted with particular Nvidia graphics processors, therefore, a malicious or malformed shader running within a Workstation 15 guest can potentially take CVE-2019-5521 one step further, and exploit CVE-2019-5684, a pointer-dereference bug in Nvidia’s Windows GPU driver, to gain arbitrary code execution on the host. That means software within a guest can escape to the host, and cause havoc, via a dodgy shader, Workstation 15, and Nvidia’s GPU drivers on Windows.

Similarly, CVE-2019-5685, again involving either an out-of-bounds write or unsafe pointer dereference in Nvidia’s GPU driver, can be exploited by a shader within a Workstation 15 guest on Windows to escape to the host.

These flaws could, for example, be used by malware to break out of attempts to quarantine the code within a virtual machine, and infect the underlying host. If you have an Nvidia card and/or run VMware software, it is worth taking the time to update your installations: see the above advisories for affected products and version numbers, and where to get suitable fixes.

It is possible to crash… vulnerable FreeBSD installations by sending them specially crafted IPv6 packets. Apply patches and reboot now, if you are affected.

KDE bug allows command injection without even opening a malicious file

Those running the KDE desktop environment on their Linux boxes will want to keep a close eye on their downloads following the disclosure of a particularly nasty bug for which no patch is currently available.

Researcher Dominik Penner revealed that a .desktop or .directory file can be crafted so that if it is simply parsed by KDE, commands within the file are automatically executed. This means if you download a malicious .desktop file, or one is included in a .ZIP archive that is unpacked, KDE will immediately parse its contents and automatically start running commands within the files.

You don’t have to explicitly open the booby-trapped files to trigger execution: KDE 4 and 5 will do that for you. This means KDE users can be tricked into downloading archives containing dot files that, when unpacked, cause further malware to be automatically downloaded and run, for instance.

“Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop,” Penner explained. “Theoretically, if we can control config entries and trigger their reading, we can achieve command injection / RCE.”

A fix is in the works. It is understood KDE was not warned of the vulnerability ahead of its public disclosure. “For the moment avoid downloading .desktop or .directory files and extracting archives from untrusted sources,” a spokesperson for KDE tweeted. “Also, if you discover a similar vulnerability, it is best to send an email [email protected] before making it public. This will give us time to patch it and keep users safe before the bad guys try to exploit it.”
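
A defensive check for the KDE issue: scan a download directory for .desktop and .directory files whose entries would be expanded when parsed. This is an added example, not code from KDE or the researcher. It leans on one detail the article does not spell out, which should be treated as an assumption here: KConfig expands the value of a key carrying the [$e] marker (for example Icon[$e]=...) through the shell, so that marker, rather than the file extension alone, is what to look for. The two sample files are constructed.

```python
"""Scan .desktop / .directory files for entries that KDE would expand on parse.

Added example; not code from KDE, the researcher or the article.  Assumption:
KConfig expands values whose key carries the [$e] marker, so a line such as
    Icon[$e]=$(some command)
runs the command as soon as the file is read.  Plain Exec= lines are not
flagged: they only run when the entry is launched.
"""
import os
import re
import sys

# Key with the [$e] expansion marker, e.g. "Icon[$e]=..." or "Name[en][$e]=...".
EXPAND_KEY = re.compile(r"^\s*[^#=\[]+(\[[^\]]*\])*\[\$e\]\s*=\s*(.*)$", re.IGNORECASE)
# Value shapes that hand control to a shell or an environment lookup.
SHELL_BITS = re.compile(r"\$\(|`|\$\{?[A-Za-z_]")


def scan_desktop_text(text, name="<inline>"):
    """Return (file, line_no, line, reason) findings for one file's contents."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = EXPAND_KEY.match(line)
        if not m:
            continue
        value = m.group(2)
        if "$(" in value or "`" in value:
            reason = "command substitution under [$e]"
        elif SHELL_BITS.search(value):
            reason = "environment expansion under [$e]"
        else:
            reason = "[$e] marker present"
        findings.append((name, no, line.strip(), reason))
    return findings


def scan_tree(root):
    """Walk a directory and scan every .desktop/.directory file found."""
    out = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith((".desktop", ".directory")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_desktop_text(fh.read(), path))
            except OSError:
                continue
    return out


# Constructed samples, not real malware.
BENIGN = "[Desktop Entry]\nType=Application\nName=Editor\nIcon=accessories-text-editor\nExec=kate %u\n"
SUSPECT = "[Desktop Entry]\nType=Directory\nName=Photos\nIcon[$e]=$(touch /tmp/owned)\n"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    for path, no, line, reason in scan_tree(root):
        print(f"{path}:{no}: {reason}: {line}")
```

Point it at the directory where archives are unpacked; a clean run is not proof of safety, since any key KConfig reads can carry the marker, but a hit is a file that should not be opened in the file manager.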

Microsoft launches Azure Security Lab, gives Fancy Bear update

Microsoft wants more hackers to take a crack at breaking Azure security. The Redmond giant has opened up a new Security Lab for its cloud platform that will let researchers hammer away at isolated test servers. Anyone who can demonstrate a functioning guest escape exploit will be able to claim a bounty of up to $300,000.

“As well as offering a secure testing space, the lab program will enable participating researchers to engage directly with Microsoft Azure security experts,” Microsoft said.

“Accepted applicants will have access to quarterly campaigns for targeted scenarios with added incentives, as well as regular recognition and exclusive swag.”

Elsewhere in Redmond security happenings, Microsoft’s team has posted an update on the long-running Russian Fancy Bear operation. The Windows giant said the Kremlin-backed hacking crew are now targeting corporate Internet-of-Things devices. Microsoft says its team found signatures of the Fancy Bear, aka Strontium, gang in three network intrusions. In each case, it was an IoT device (a VoIP handset, a printer, and a video decoder, respectively) that functioned as the point of entry.

This infiltration did not, however, involve particularly sophisticated exploits. Rather, it relied on poor security hygiene by the victims.

“The investigation uncovered that an actor had used these devices to gain initial access to corporate networks,” said Microsoft. “In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device.”

Google continues Advanced Protection rollout with Chrome option

Those who have opted into Google’s fancy Advanced Protection Program now have an additional layer of security: the Chocolate Factory has built extra filtering into Chrome that blocks exploit code in webpages, as well as drive-by downloads, for those enrolled in the program.

“Advanced Protection users already benefit from malware protections beyond Gmail’s standard, industry-leading safeguards,” Google said. “As a result, attackers are shifting their strategies to threaten Advanced Protection users outside of email with linked malware and ‘drive-by downloads’ where users unknowingly download harmful software onto their devices.”

This rollout comes just a week after Google also announced it would allow enterprise accounts to enroll in the Advanced Protection service via a beta test.

TMI from Timi – health upstart leaves data sitting out

Timi Health, a US-based healthcare startup building what it calls, sigh, a “blockchain powered ecosystem that allows for health data ownership,” has admitted it accidentally revealed some of its users’ health records to the public internet via a poorly secured web server.

After infosec journalist Zack Whittaker pointed out the privacy blunder, the biz admitted it had fumbled the medical records of “14” people – allegedly friends and family of its founding employees – who participated in a test program earlier this year.

Timi Health cofounder Will Lowe told El Reg his outfit was tipped off about the data leak by a pseudonymous bug-hunter about an hour before word of the cockup emerged on Twitter. Lowe says his developer team eventually traced the exposed web directory to a URL used by the Timi Health Android app during a test run. Regardless, the data was up on the internet, and now it is off the internet. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/07/security_midweek_roundup/

Ongoing Campaign Spoofs Walmart, Dating, Movie Sites

A new investigation detects more than 540 domain names linked to the Walmart brand and camouflaged as career, dating, and entertainment websites.

A newly discovered spoofing campaign is mimicking the Walmart brand and several career, dating, and movie and TV websites, with more than 540 domains detected so far.

Corin Imai, senior security adviser for DomainTools, was alerted to the activity about two weeks ago when the term “Walmart” was found spoofed in multiple domains. The flagged domain walmartcareers[.]us prompted her to research related terms and other suspicious domains.

Imai’s analysis led to the discovery of an email address linked to 184 other potentially risky domains with an average age of 190 days. Further investigation into these domains led to the discovery of a much broader campaign spoofing a range of websites related and unrelated to the Walmart brand. Of the 540-plus domains identified, only 181 have appeared on blacklists. Others have a high risk score, which Imai says indicates they’ll likely be blacklisted in the future.

The initial intent of this investigation was to analyze spoofing campaigns targeting Fortune 500 companies, she says, but researchers’ findings took them down an unexpected path. “Generally with phishing domains, we see things escalate between 24 and 48 hours,” Imai explains. Within two days of their analysis, researchers saw more of these suspicious websites being blacklisted.

Of the domains found so far, many appear to target job hunters and people using online dating and entertainment websites. The attackers’ apparent intent is to exploit that interest with fake sites designed to capture users’ credentials: victims are walked step-by-step through a sign-in page on the pretext of verifying who they are, while the login data they submit is scraped.

As of now, it seems the actor or group behind this campaign is solely after credentials; however, some of the spoofed pages seem to be spam. “It’s kind of an odd cross-section,” Imai says, pointing to the combination of spoofed career, dating, and movie and television websites. Other fake sites include cashgiftcards[.]us, captainmarvelmovie[.]us, and mcdonaldcareer[.]us.

Most of the IP country codes for detected domains are in the United States, Imai found, but registrant details indicate an address in Pakistan. “Right now it looks like the same actor,” she says. “There’s nothing pointing to it being multiple actors, based on historical information.”

While spoofing is not a new threat, Imai says the number of domains in this campaign, coupled with the attackers’ ability to mimic the look and feel of target websites, signifies a group with both the resources and sophistication to launch a large campaign. There is sufficient traffic to these sites to warrant a further investigation into how many people are submitting their data. Security pros may be likely to check the domain of a suspicious page, but consumers may not.

Imai plans to continue this investigation, which will include sandboxing suspicious websites to see whether they’re after more than credentials and further researching the campaign’s full scope and intent. She plans to publish ongoing updates to her blog post.

DomainTools’ team isn’t the only group to unearth a recent spoofing campaign targeting a major retailer. Security company Segasec monitored Amazon in the days before and after Prime Day to watch for suspicious activity; researchers found 4,000 potential attacks between July 10 and 21. In one campaign, attackers used Amazon-related domains in a phishing scam targeting PayPal customers.

Imai advises businesses to seek domains that may be attempting to mimic their brands. Many of these malicious domains haven’t been blacklisted, meaning customers can still be affected. Organizations should also consider their takedown processes and see whether they can be accelerated.

For consumers, she recommends checking a website’s legitimacy by taking a peek at the URL to ensure it’s not suspicious before entering personal information or payment data.
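
A first-pass triage of the kind the DomainTools investigation describes, as an added example rather than DomainTools’ own tooling: given newly seen domain names, flag those that combine a brand string with a lure word (careers, dating, movies, gift cards). The brand list, lure list, scoring weights and threshold are assumptions chosen for illustration, there is no public-suffix handling, and the sample list is constructed, with the defanged names the article quotes kept as quoted.

```python
"""Flag domain names that pair a brand string with a lure word, the pattern
behind the walmartcareers[.]us-style domains described above.

Added example, not DomainTools' tooling.  Brand list, lure list, weights and
threshold are assumptions for illustration, and there is no public-suffix
handling: 'registrable label' here is simply the second label from the right.
"""
import re

# Assumed watch-lists; a real deployment would load the organisation's own.
BRANDS = ("walmart", "mcdonald", "amazon", "paypal")
LURES = {
    "career": "jobs", "job": "jobs", "hiring": "jobs",
    "dating": "dating", "singles": "dating",
    "movie": "entertainment", "stream": "entertainment",
    "giftcard": "cash", "cash": "cash", "prize": "cash",
}

DEFANG = re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.IGNORECASE)


def refang(domain):
    """Turn a defanged name such as walmartcareers[.]us back into a real name, lower-cased."""
    return DEFANG.sub(".", domain.strip().lower())


def registrable_label(domain):
    """Second-level label: 'walmartcareers' from 'www.walmartcareers.us' (naive, no public-suffix list)."""
    labels = refang(domain).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def score_domain(domain):
    """Return (score, brand, lure_category); a score of 0 means nothing of interest."""
    label = registrable_label(domain)
    brand = next((b for b in BRANDS if b in label), None)
    lure = next((cat for word, cat in LURES.items() if word in label), None)
    score = 0
    if brand:
        # Brand plus extra words is the classic lookalike; an exact brand label
        # is usually the brand itself and only needs its TLD checked.
        score += 70 if label != brand else 20
    if lure:
        score += 30 if brand else 15   # a lure word alone is weak evidence
    return score, brand, lure


def triage(domains, threshold=50):
    """Return flagged (score, domain, brand, lure) rows, highest score first."""
    rows = []
    for d in domains:
        score, brand, lure = score_domain(d)
        if score >= threshold:
            rows.append((score, refang(d), brand, lure))
    return sorted(rows, key=lambda r: (-r[0], r[1]))


# Constructed input: the defanged names quoted in the article plus filler.
SAMPLE = [
    "walmartcareers[.]us", "cashgiftcards[.]us", "captainmarvelmovie[.]us",
    "mcdonaldcareer[.]us", "example.com", "walmart.com", "my-dating-blog.net",
]

if __name__ == "__main__":
    for score, name, brand, lure in triage(SAMPLE):
        print(f"{score:3d}  {name:26s}  brand={brand or '-':9s}  lure={lure or '-'}")
```

Feed it a daily newly-registered-domain list or passive-DNS output; the lure-only hits (cashgiftcards, captainmarvelmovie) fall below the default threshold, which is the point: on their own they are noise, and it is the brand-plus-lure combination that separates this campaign from ordinary registrations. Treat a hit as a candidate for sandboxing and takedown, not as a verdict.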


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/ongoing-campaign-spoofs-walmart-dating-movie-sites/d/d-id/1335459?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Russian Attack Group Uses Phones & Printers to Breach Corporate Networks

Microsoft spotted Strontium, also known as APT28 or Fancy Bear, using IoT devices to breach businesses and seek high-value data.

Microsoft reports Russian state-sponsored attack group Strontium, also known as APT28 and Fancy Bear, is using popular Internet of Things devices to breach enterprise networks and elevate privileges.

Back in April, researchers with the Microsoft Threat Intelligence Center noticed infrastructure belonging to Strontium communicating with, and attempting to compromise, external devices including a voice-over-IP phone, office printer, and video decoder across multiple customer locations. “These devices became points of ingress from which the actor established a presence on the network and continued looking for further access,” the Microsoft Security Response Center team writes in a blog post.

Once on the network, the actor could run a network scan to seek other insecure devices that would let them move across the environment in search of more privileged accounts and higher-value data. With access to each of these devices, they ran tcpdump to sniff network traffic on local subnets. Microsoft also saw them enumerating administrative groups to further broaden their access.

As they moved throughout target networks, the actors would drop a shell script to establish persistence so they could continue their exploration. The devices they compromised were seen communicating with an external command-and-control server, researchers report. However, because the attacks were identified early, Microsoft has not determined Strontium’s ultimate objective for this activity.

In the last 12 months, Microsoft has issued nearly 1,400 nation-state alerts to victims of Strontium activity. While 20% of these notifications related to attacks on non-governmental institutions, 80% of Strontium’s attacks are focused on the government, IT, military, defense, medicine, education, and engineering sectors.


Article source: https://www.darkreading.com/endpoint/russian-attack-group-uses-phones-and-printers-to-breach-corporate-networks/d/d-id/1335461?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US Air Force Bug Bounty Program Nets 54 Flaws for $123,000

The Air Force brought together 50 vetted hackers to find the vulnerabilities in the latest bug-bounty program hosted by a branch of the US military.

A six-week bug-hunting contest netted the US Air Force information on 54 security vulnerabilities in its Common Computing Environment (CCE), a branch-wide cloud platform that aims to serve up online applications, program management firm Bugcrowd said on August 6.

The bug bounty program, in which 50 vetted hackers participated, resulted in $123,000 in prizes, or an average of $2,460 per participant. The number and severity of the issues reported to the US Air Force show the strength of the crowdsourced model, says Casey Ellis, Bugcrowd’s chief technology officer and founder.

“If you got people building software, building environments, they are also going to make mistakes, and that is the stuff you want to catch and provide feedback on,” he says. “This is about making hackers part of the solution and figuring out how to engage them in activities for government cybersecurity.”

Bug bounties have become much more popular as an inexpensive way of finding vulnerabilities in specific products and services. In addition to the US Air Force, every branch of the US military has run significant bounty programs against some part of their information infrastructure. In November 2016, the US Army launched a “Hack the Army” event, netting 118 valid vulnerability reports from 371 eligible participants. And, at last year’s DEF CON conference in Las Vegas, the US Marine Corps had a live nine-hour hacking event, in which it paid out $80,000 in prize money for 75 vulnerabilities.

As the US government moves toward increasing its use of the cloud, the military is looking to test the security of its cloud infrastructure as well. The CCE is the US Air Force’s cloud-based platform that currently hosts 21 applications as of April, according to the Air Force. The military branch has spent $136 million on the cloud platform since 2015 but has saved on operations and management issues, according to statements from the US Air Force.

As an initial validation for an organization that might be new to crowdsourced security, the bug bounty program was a success, says Ellis. The next step is to use bug bounties regularly to systematically improve infrastructure security.

“We are at the point, after initial validation, where we are as an industry is figuring out how to incorporate feedback from the hacker community into how we build our stuff securely,” Ellis says. “That is going to be different for every organization.”

In 2018, bug bounty programs had another growth year. Both Bugcrowd and HackerOne announced record-setting revenues. HackerOne paid more than $19 million for information on more than 100,000 vulnerabilities in the software and systems of its clients. Bugcrowd helped its clients launch 29% more programs in 2018, and had 92% more submissions, according to its “Priority One: The State of Crowdsourced Security in 2019” report.

The average payout from the US Air Force program was $2,460, very close to the average bounty of $2,442 for vulnerabilities in 2018, according to Bugcrowd’s report. The most lucrative bounties, more than $8,550 per bug, were paid for vulnerabilities found in Internet of Things devices. Overall, Bugcrowd found that the bounty for vulnerabilities increased 83% in 2018 compared with the previous year.

“While the vulnerabilities in IoT devices — refrigerators and DVRs — capture our attention for their novelty and fear factor, they are still and by far outnumbered by vulnerabilities in web applications,” the company stated in the report. “In fact, web application vulnerabilities have always been the top submitted vulnerabilities across our programs and correspondingly account for the highest percentage of awards paid.”

While the US Air Force’s bug bounty program seems impressive, the rewards from such programs tend to benefit relatively few people. With 54 flaws spread across 50 researchers, the average participant saw roughly one reward; in reality, the majority of the prize money likely went to a handful of researchers. An academic paper published last year found that bug bounties tend to have skewed rewards.

While every military branch is now on board, getting to this point required overcoming significant hurdles, Ellis says. “The idea that the DoD and the Air Force would accept the help of the external hacker community — that’s not an intuitive thing,” he says.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/vulnerabilities---threats/vulnerability-management/us-air-force-bug-bounty-program-nets-54-flaws-for-$123000/d/d-id/1335460?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple