Custom Top Security News: January

    Hello! After a successful news digest for 2014, we decided to make the column regular, or rather, monthly. Today is the most important information security news for January. The methodology for selecting news has changed a bit. We still take the most visited news from our Threatpost website and try to understand why they received such attention. But there will be five in the monthly news digest. I remind you that at Threatpost we collect all the news from the information security industry. Lab’s own research is published on the Securelist website .

    Summary: Hole in glibc and why physicists are not friends with the lyrics, North Korean browser, charging keylogger and keyboard holes, cryptoclockers in general and, in particular, hacking WiFi with social engineering.

    5. Wifiphisher: hacking WiFi with a thick layer of social engineering
    News . Thematic thread on Stackexchange, where the problem was formulated three years ago.

    In the previous digest, we talked about the fact that the Internet is broken . So, of all that is broken on the Internet, or rather in computer networks in general, wireless networks are the most broken. We have consistently experienced the holy simplicity of the WEP protocol, have repeatedly seen that unprotected public wireless networks are bad , looked ata bottomless security hole called WPS. Now we are experiencing a tsunami of bugs in the firmware of the routers - either they will find the default password (or a similar hole ) in the firmware, then it will be crookedly written NAT, or something else. In short, only social engineering was lacking here.

    Not enough - get it. Everything is very simple: just create an access point with exactly the same SSID in the victim’s receiving area. When the victim tries to connect to it, we will ask the victim for the password for that real access point, and carefully save it. That's all, we have access and the ability to conduct a MITM attack. No, not all. First you need to persuade the victim's computer or smartphone to try to connect to our point. And we will do this by clogging the ether with de-authentication packets: they lead to disconnection of legitimate clients, which can then connect to a fake access point.



    Another discussion on Stackexchange makes it clear that the problem has long been known, and it (in terms of deauth packets) is treated poorly or not at all. What is the news then? And the fact that the process of stealing passwords by the specified method was automated, and the corresponding Wifiphisher utility was posted on Github. Morality of times: when someone or something asks for your password (no matter where), think twice before entering. Moral two: you can not defend against man-in-the-middle attacks, excluding the very possibility of their conduct. It cannot be ruled out, at least not on this Internet.

    By the way, at one time deauth-packages amusedMarriott hotel chain, using them to block the wireless access points that guests brought with them. And she received a decent fine for this from the American Roskomnadzor.

    4. Cryptoclockers. How is a hidden threat different from a clear one?
    The news . One more news . A detailed study of cryptoclockers as a species.

    I already wrote that if you interview companies with what type of cyber threats they face most often, then spam will most likely come first. But spam is such a thing, the damage from which is not obvious. He is, but it is difficult to count. And if it's difficult to calculate, then assessing how reasonable the cost of fighting spam is also not easy. Moreover, anti-spam technologies are well developed, distributed and accessible.

    Crypto lockers are a completely different story. Unlike spam, assessing the damage from them is easy. Your company is attacked, encrypted by important data, making it inaccessible, and require a ransom. You are losing money. You are wasting time. Moreover, a single incident can completely kill your company, an example is here . It is clear that it is necessary to protect oneself from crypto-lockers.



    From a crime point of view, crypto-lockers are living easy money. This is not a botnet, which must first be built, and then sold to someone else. Therefore, alas, crypto-lockers are actively developing, multiplying and spreading.

    And what's the news, actually? Yes, nothing special :) We described the main trends in the development of cryptoclockers last summer (and continue to study them). Almost all security vendors are doing the same, including, for example, Microsoft and Cisco. There is so much work that enough for everyone. For example, all modern technologies of hiding illegal activities are involved in ransomware: payment by bitcoins, communication via Tor and I2P, disguise from researchers.

    But this is not the point. Of greatest interest are technologies for penetrating a victim’s computer. A February Cisco study showed that the creators of one of the Cryptowall variants are betting on exploit kits. For business, this means that the weak link in the company's infrastructure is vulnerable software. Not that the opening of the century, but the topic is extremely important: the fact that almost every news about crypto-lockers is of great interest proves this once again.

    3. USB charging with built-in keylogger.
    The news .

    Another story about how difficult it is to control wireless communications began with the work of three researchers who decided to analyze the security of Microsoft wireless keyboards. Somewhere in the marketing materials for these keyboards it is probably written that the information flow between the device and the USB receiver is securely encrypted. Yes, but there are questions about reliability.

    In short, the key to the encrypted characters is the MAC address of the keyboard, which, firstly, can be spied, and secondly, to steal remotely using the features of the chip responsible for data transfer (and used in various devices, including oops medical). And you can not steal: the first byte of the MAC address for all keyboards is the same, which greatly facilitates brute force.

    It remains to understand how to get close to the keyboard enough to intercept keystrokes on a regular basis. And here, researcher Sami Kamkar proposed an original proof of concept. We take the usual USB-charging for smartphones-tablets, we insert into it the appropriately stitched Arduino and we get an electric Trojan horse. Which by the way works even if charging is not plugged in: a small battery also fits. The cost of the device is only $ 10, and it's good that this is (so far) only a concept.



    Microsoft did not comment on the study in any way; rather, it said that it was " investigating the problem ." And the problem is interesting: I doubt that a flashing will solve it (and that it is generally possible). Only replace the device. Interestingly, what if such an “incurable” bug is found not in the keyboard for $ 40, but in the car for $ 70,000? However, I was distracted.

    2. In the North Korean browser found a backdoor
    News .

    Impressed by the hacking story of Sony Pictures Entertainment, researcher Robert Hansen decided to carefully study the features of the North Korean Internet. Let me remind you that North Korea, presumably (attribution is a big problem at all), was the initiator of the attack, taking offense at the fact that perhaps the most stupid comedy of 2014 was shot about its leader.

    North Korea uses its own Linux- based operating system , known as Pulgynbööl Saönjöngchehe or simply “Red Star”. The browser is a fork of Firefox named Nenara (“My Country”). Examining the browser, Hansen found that with each boot, Nenar knocks on a local IP address in an isolated North Korean network. Moreover, the entire network of the whole country is organized as the company’s network is usually built: internal addresses, almost complete isolation from the outside world and communication with it only through a proxy. Probably with the ability to track all traffic, including encrypted one: the browser accepts a single certificate - the state one, probably also having some kind of romantic name.

    That is, all the necessary tools for tracking users in a country with a single provider are already built into the only available OS. And it happens in North Korea. Wow! Breaking News!



    Of course, the popularity of this news is solely related to the attack on Sony Pictures Entertainment and the likely involvement in this mega hack of North Korea. But not only. Robert Hansen revealed several tricks developed by those guys who actually know how to prohibit and restrict everything in general , not just the Internet. Especially the internet. Read it!

    1. Vulnerability in GLIBC or Why it is Important to Patch
    News . Record CVE . Advisory from Red Hat.

    Lyrical digression.One of the highlights of last year was the hole in OpenSSL, now known as Heartbleed. It was very interesting to observe the development of events: how an absolutely technical topic is first discussed in technical communities and publications, and then it is poured into completely non-technical media. And not in vain! The problem really affected everyone: business owners , admins, developers, users. In general, a huge number of people and companies. There was also a need to explain to a non-techie (for example, to the company owner or top manager) in a simple and clear way: what is the trouble and what now to do?

    And so you come to this non-technical person and say something like this: Heartbleed is important, because OpenSSL, in which a hole is detected, is used everywhere. Your site may be vulnerable, your infrastructure may be vulnerable, even your Yahoo mail may be vulnerable. What does “vulnerable” mean? They can steal your password and mail. May infect your site. May steal your sensitive data. What to do? Patch everything, check everything, change passwords, strengthen infrastructure protection, because this is not the first and not the last hole of this magnitude.

    And the humanist person penetrates, understands and says in response: where are you supposed, techies, you used to be? Why not beat the alarm? Did not give an advertisement in the Times and the newspaper Pravda? And in most cases it turns out that yes, they warned and discussed, and investigated. But in his own technical style. Seriously: in order to assess the scale of a particular vulnerability, you need to understand what, in fact, is a defense hole, to know what the attack scenarios can be, and to be able to assess the potential damage (what can be stolen and on what scale) . And these are such different tasks that, as a rule, different specialists are engaged in them, and even if they all manage to combine their efforts, they usually do not find time to explain the essence of the matter to a wide audience.

    So it turns out that for a non-technical person problems like Heartbleed arise as if from nowhere.
    So, the hole in the GNU C Library is now at a "technical stage." That is, they discovered the vulnerability, found out that it really affects the security, and even suggested some attack scenarios. But how it can turn in real life on real infrastructure, and what the damage can be - is not yet clear. In general, an unprepared person now sees a description of a vulnerability something like this:



    I will try to explain what happened in GLIBC, as simple as possible. I must say right away: I am not a programmer. My job is to explain complex things to just a wide enough audience. It is clear that Habr is not the place where you need to chew on the nuances of working with GLIBC. I would love to hear your comments on the text below. How would you solve the “easy to explain” task? What would you say differently? Did I explain everything correctly? :) Marketers have such a simple tool: they write some important idea three times: they make a very short text, one more authentic and one very long. And then, according to the circumstances, use one of them. So I'll try it like that.

    Short version:
    You need to regularly update the software on computers and servers, this increases security. Recently discovered a serious hole in Linux, and it also needs to be patched if you are using Linux.

    A little longer: The
    vulnerability in GLIBC affects almost all Linux-based systems, theoretically allows arbitrary code to be executed, and therefore quite dangerous. While there are no real and truly threatening attack scenarios, but this does not mean that they will appear in the future. Therefore, you must regularly update the software.

    And a very long version:
    GLIBC is the standard C library for all Linux-based operating systems. It contains a large number of programs that perform standard actions: display something on the screen, allocate a memory area for the application, and so on. That is, it is used by those who write programs for Linux: instead of writing their own code for each task, they “take” the necessary program from the GNU C Library. Thus, developers seriously save time and provide a standardized approach to solving common problems.

    That is, first of all, you need to understand that GLIBC affects a huge number of programs: if there is an error in the code stored in the library, then it can affect the performance of the program that uses this code. If the code has a vulnerability, then the programs that use it also become potentially vulnerable. Huh?



    We go further. This vulnerability was discovered in the gethostbyname function family. These are such small programs from the GLIBC collection that perform one simple task: receiving the site name (www.kaspersky.com) at the output gives its IP address of the form 123.123.123.123. If your program needs to carry out such an operation (and this is necessary for almost any program working with the network), you turn to this function.



    The problem is that the function does not check well enough what it is given at the input. As this usually happens: the program receives data at the input, wants to write it to a memory area of ​​a certain size specially allocated for this business. And it does not check at all whether the data will fit in this same area or not. What is it? Data is written outside the specified area. Why is that bad? Well, firstly, other data of the same or another program may be located outside the desired memory area, and the latter may stop working. Best case scenario. In the worst case, data is written instead of the code that needs to be executed. And if we manage to feed a piece of code to the “leaky” program and make it write as it should and where it is needed:we can run some kind of our program (more precisely, arbitrary code) on the computer without asking anyone .


    Yes, I really like this picture :)

    So, we have decided on the problem statement. What could be the attack scenarios? Qualys researchers have shown how arbitrary code can be executed using this vulnerability when Exim's mail program accesses the gethostbyname function. Thus, we theoretically can attack the company's mail server using Exim and execute arbitrary code on it. Will we be able to steal company mail or get access to important documents or somehow cause some real damage? In theorywe can. But given all the subtleties and reservations (not mentioned here), we are not yet able to assess the danger of using a vulnerability to steal data in the real world.

    And this is the difference between the GLIBC vulnerability and Heartbleed. There we had a clear and clear threat, here this threat is theoretical. Talking about the vulnerability, I omitted a lot of important caveats: the gethostbyname function itself is already outdated, and the conditions for creating a buffer overflow situation are very specific, and when we begin to “try on” the vulnerability for programs using this function, everything becomes complicated.

    But this is for now. It is likely that someone (and well, if it is a researcher, not a cybercriminal) will find a way to quickly and easily break a large number of Linux servers using this vulnerability. And only then will Forbes magazine, the newspaper Life, write about the vulnerability and remove the plot of Channel One. Everyone will tell that oh how so, a hole has existed since 2000 and no one noticed . But it will be too late. Therefore, the conclusion: Patch is Important. And it is important to close the discovered vulnerabilities on your own servers, even if there is no direct danger.

    Also popular now: