
Security Week 33: disabling Secure Boot, sorting senders in Gmail, consequences of a TCP bug in Linux

The sale is organized according to the best standards of commercial paperwork: "send money, and we will think about it." But in addition to the promises, a set of files was dumped onto the network that was clearly cut out of someone's development environment: a little code, a few scripts, some documentation, and so on. Setting aside the media, which have spent the whole week discussing theories about who is behind the leak (something that, a priori, cannot be confirmed with facts), the following can be said about ShadowBrokers with confidence. First, the implementation of the RC5 and RC6 encryption algorithms in the leak matches the one used by the Equation group. This allows us to say with a fair degree of certainty that there is a connection between the code found on the network now and the code found a couple of years ago. More details, with examples, here. Second, the leak revealed real vulnerabilities in Cisco devices (described in great detail on their blog) and in Fortinet devices.
Everything else on the topic can be reduced to one word: "incomprehensible." The ShadowBrokers leak can be put on a par with last year's hack of HackingTeam: in both cases, dangerous malicious tools were published. Even the most complex and expensive developments of this kind have a tendency to cheapen quickly and fall into the wrong hands. The only way to prevent this is, where possible, not to create cyber weapons at all, regardless of the goals. There is enough malicious code already.
All digest editions are here.
Hackers discussed a vulnerability in the Secure Boot mechanism with Microsoft. Hackers: "Everything is bad." Microsoft: "It's OK."
The news.
Secure Boot is a concept that allows only authorized code to run at the most critical stage of system boot, right after the firmware (BIOS). Here we are talking about Microsoft's implementation of Secure Boot, first shipped in production with Windows 8 in 2012. Back then MS received another batch of curses from the open-source community: using Secure Boot, one can block the launch of third-party OSes (and who would have believed, back then, that Ubuntu would one day run inside Win10). This was in fact done on Microsoft's ARM devices; for ordinary PCs, officially the decision is left to the vendor. There have been no cases of aggressive infringement of Linux's rights in four years, but Richard Stallman is still against it.
You can read more about Secure Boot on the Microsoft website, or better, here in the Fedora documentation. The main objective of Secure Boot is not to oppress freedom-loving coders but to protect the system from malware, specifically from bootkits. Here even Stallman agrees that yes, such protection is necessary. Two hackers, known as my123 and slipstream, examined how Secure Boot works and found something strange: during the development of Windows 10 Redstone, new policies were added with code checks disabled (the certificate check and/or the binding to a specific device). The change was made in the code of the bootmgr.efi file. Through this hole one can either load unauthorized code or disable Secure Boot completely. In two patches (MS16-094 and MS16-100) Microsoft tried to solve the problem by revoking certain versions of this file, but according to the hackers, the problem has not been completely resolved. Perhaps it never will be, because, according to the researchers, Microsoft cannot blacklist absolutely all bootloaders, for example because certain system images must keep working. More details in the report here (mind your eyes and ears: there is music, 1994-style typesetting, and the letters jump around).
Microsoft's position on the research is restrained. The researchers were told that this is not considered a vulnerability. In a comment to Threatpost, the company noted that exploiting the "problem" requires physical access to ARM devices and that it does not affect enterprise systems. In general, they are right: so far, based on what we know, this is not the worst vulnerability in the world. Therefore the main thing in this story is not the technical detail but the moral. If the Microsoft developers really made a mistake, then the problem is not the mistake itself but the very possibility of making it. Security systems should ideally be designed so that there are no backdoors, even legal ones, so that in principle there is no way to lose something, whether accidentally or through theft. It is also a belated argument in the February dispute between Apple and the FBI. Back then, the federal agents' position was that they did not even need to know the method of hacking the iPhone; it was enough for Apple to develop and apply it. According to Apple, the very fact of developing a master key already posed a great danger. Everything secret eventually becomes known.
Vulnerability in TCP Implementation Affects Linux Systems and 80% of Android Devices
The news. More news. The research paper.
What could be worse than a vulnerability in the operating-system kernel? Only a vulnerability in the implementation of one of the fundamental protocols. But no, not only that. It is even worse when the vulnerability is in the protocol specification itself. Apparently this is exactly what happened with RFC 5961, which is aimed at improving the security of the TCP protocol. In the Linux kernel these innovations have been implemented since version 3.6, released in 2012. Researchers from the University of California led by Yue Cao found a way to exploit a single feature of Linux's implementation of the new specification: the global limit on packets of the Challenge ACK type. A detailed attack scheme is beyond my cognitive abilities, so please refer to the original study for details. Here I'll just show a picture from there:

I understand everything.jpg!
The vulnerability has enormous potential: it makes it possible to determine that two hosts on the network are exchanging TCP packets, to break the connection between them, and even to intercept data (or inject data of one's own into the stream). All this with a high probability of success and with little time needed to create the conditions for exploitation (tens of seconds). To carry out the attack you also do not need to be a man-in-the-middle; it is enough to know the addresses of the sender and the recipient and to be able to spoof your own IP address. In addition to Linux desktops and servers (a patch for the kernel has already been released), the vulnerability affects up to 80% of Android devices. Moreover, in this case, ironically, old smartphones (with Android 4.3 and earlier) turned out to be unaffected. The new ones are all susceptible, including the beta version of Android 7.0.
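The feature the researchers exploited is that the challenge-ACK budget is one counter for the whole host. The toy model below is an added illustration, not code from the paper or from the Linux kernel: it compares a host-wide budget with a per-connection budget and shows that only the shared one lets the owner of a single connection learn something about other connections on the same host. The limit of 100 per second, the accounting details and the addresses are assumptions made for the model.

```python
"""Toy model of the shared challenge-ACK budget described above.

Added illustration, not code from the paper or from the Linux kernel. It
compares two accounting policies for RFC 5961 challenge ACKs: one budget
shared by every connection on the host (the Linux behaviour the text
describes) and one budget per connection. Only the shared budget lets the
holder of one connection learn anything about other connections.
"""

LIMIT = 100  # assumed per-second budget (the old Linux default, as far as I recall)


class ChallengeAckHost:
    """Receiver side of RFC 5961 with a configurable accounting policy."""

    def __init__(self, shared, limit=LIMIT):
        self.shared = shared          # True: one counter for the whole host
        self.limit = limit
        self.connections = set()      # established 4-tuples
        self.global_budget = limit
        self.per_conn_budget = {}

    def establish(self, four_tuple):
        self.connections.add(four_tuple)
        self.per_conn_budget[four_tuple] = self.limit

    def new_second(self):
        """Budgets are replenished once per second."""
        self.global_budget = self.limit
        for conn in self.per_conn_budget:
            self.per_conn_budget[conn] = self.limit

    def receive_suspicious(self, four_tuple):
        """A SYN or out-of-window RST arrives for four_tuple.

        Returns True when the host answers with a challenge ACK. A packet for
        a 4-tuple with no connection is answered with a plain RST and does not
        touch any budget."""
        if four_tuple not in self.connections:
            return False
        if self.shared:
            if self.global_budget == 0:
                return False
            self.global_budget -= 1
            return True
        if self.per_conn_budget[four_tuple] == 0:
            return False
        self.per_conn_budget[four_tuple] -= 1
        return True


def challenge_acks_on_own_connection(host, own_conn, other_conn):
    """Within one second: one spurious packet addressed to other_conn is
    processed first, then the owner of own_conn sends `limit` spurious
    packets on its own connection and counts the challenge ACKs it gets."""
    host.new_second()
    host.receive_suspicious(other_conn)
    return sum(host.receive_suspicious(own_conn) for _ in range(host.limit))


def budget_leaks_other_connection(shared):
    """Compare the count seen on one's own connection when other_conn exists
    against the count when it does not. A difference means the budget
    reveals the other connection's existence to an unrelated party."""
    own = ("203.0.113.5", 40000, "198.51.100.10", 80)   # constructed addresses
    other = ("192.0.2.7", 51000, "198.51.100.10", 80)
    host_with = ChallengeAckHost(shared)
    host_with.establish(own)
    host_with.establish(other)
    host_without = ChallengeAckHost(shared)
    host_without.establish(own)
    seen_with = challenge_acks_on_own_connection(host_with, own, other)
    seen_without = challenge_acks_on_own_connection(host_without, own, other)
    return seen_with != seen_without, seen_with, seen_without


if __name__ == "__main__":
    for shared in (True, False):
        leak, a, b = budget_leaks_other_connection(shared)
        policy = "shared budget" if shared else "per-connection budget"
        print(f"{policy}: {a} vs {b} challenge ACKs -> leak={leak}")
```

With the shared budget the two runs differ by exactly one challenge ACK, which is all the information the side channel needs; with per-connection accounting the counts are identical. The kernel fix the text mentions took a different route, making the shared counter's effective value unpredictable rather than per-connection, but the design lesson is the same: any resource that is shared and rate-limited across security boundaries is a potential side channel.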
We are waiting for updates.
Gmail begins to identify untrusted senders
The news. Google blog announcement.
Let's add a moment of positivity. In the near future Google will begin informing users that the sender of a message should not be trusted. For such messages, a non-standard icon will be displayed next to the sender's address, something like this:

The condition for loss of trust: non-compliance with the Sender Policy Framework (SPF) and DKIM standards. I don't think a question-mark icon will stop an unlucky user from reading and replying to a cleverly crafted phishing email, but judging by Google's tactics, unverified messages will be filtered out more and more actively in the future. In addition, Gmail has implemented the Safe Browsing feature, long used in the Chrome browser, which warns of suspicious and malicious links.
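The rule "no SPF pass and no DKIM pass means show the marker" is simple to apply once a receiving mail server has recorded its verdicts. The script below is an added example, not Google's code: it reads the Authentication-Results header (RFC 7601, now RFC 8601) that a receiving MTA adds, and only trusts headers stamped with that MTA's own identifier, because the sending side can include a forged Authentication-Results header of its own. The authserv-id mx.example.net and the three sample messages are constructed for the example.

```python
"""Decide whether an incoming message's sender is authenticated.

Added example, not Google's code: it applies the rule stated above (a sender
is untrusted when neither SPF nor DKIM verified the message) to the
Authentication-Results header written by the receiving MTA. Only headers
stamped with our own server's authserv-id are trusted, because a sender can
put a forged Authentication-Results header into the message itself.
"""
import email
import re
from email import policy

OUR_AUTHSERV_ID = "mx.example.net"  # assumed identifier of our own receiving MTA

# Constructed sample messages; addresses and domains are placeholders.
AUTHENTICATED = b"""\
Authentication-Results: mx.example.net;
       dkim=pass header.d=example.org header.s=sel1;
       spf=pass (sender IP is 192.0.2.1) smtp.mailfrom=example.org
From: Alice <alice@example.org>
Subject: quarterly report

See attachment.
"""

UNAUTHENTICATED = b"""\
Authentication-Results: mx.example.net; dkim=none; spf=softfail smtp.mailfrom=example.org
From: Alice <alice@example.org>
Subject: urgent: reset your password

Click here.
"""

# The sender stamped its own "pass" verdict; our MTA found nothing to verify.
FORGED_STAMP = b"""\
Authentication-Results: mx.example.net; dkim=none; spf=none
Authentication-Results: mail.example.org; dkim=pass header.d=example.org; spf=pass
From: Alice <alice@example.org>
Subject: invoice

Pay now.
"""

RESULT_RE = re.compile(r"\b(spf|dkim)\s*=\s*([a-z]+)", re.IGNORECASE)


def parse_auth_results(msg, authserv_id=OUR_AUTHSERV_ID):
    """Collect SPF and DKIM verdicts from the Authentication-Results headers
    written by authserv_id. Parenthesised comments are stripped first so that
    text inside them is never mistaken for a method=result pair."""
    verdicts = {"spf": [], "dkim": []}
    for header in msg.get_all("Authentication-Results", []):
        text = re.sub(r"\([^)]*\)", "", str(header))
        stamped_by = text.split(";", 1)[0].split()
        if not stamped_by or stamped_by[0].lower() != authserv_id.lower():
            continue  # not written by our MTA: ignore it
        for method, result in RESULT_RE.findall(text):
            verdicts[method.lower()].append(result.lower())
    return verdicts


def sender_is_authenticated(raw_message, authserv_id=OUR_AUTHSERV_ID):
    """True when our MTA recorded an SPF or DKIM pass; otherwise the mail
    client should show the 'unverified sender' marker."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = parse_auth_results(msg, authserv_id)
    return "pass" in verdicts["spf"] or "pass" in verdicts["dkim"]


if __name__ == "__main__":
    for name, raw in [("authenticated", AUTHENTICATED),
                      ("unauthenticated", UNAUTHENTICATED),
                      ("forged stamp", FORGED_STAMP)]:
        print(f"{name}: trusted={sender_is_authenticated(raw)}")
```

The third sample is the case that matters in practice: a message carrying a self-issued "pass" header is still marked unverified, because the verdict was not produced by the server we operate.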
What else happened
Chrome and Firefox turned out to be susceptible to a rather trivial method of address-bar spoofing.
Lab experts talk about the targeted Operation Ghoul campaign, with victims mostly in the Middle East.
Several hotel chains in the United States report credit card leaks through hacked POS terminals.
Another interesting method of stealing data from air-gapped systems: by analyzing hard-disk noise (everyone is smoothly switching to SSDs).

"Printer-778"
A dangerous resident virus; it usually infects .COM and .EXE files, except for COMMAND.COM. For COM files, it replaces the beginning with the commands MOV BX, Loc_Virus; JMP BX. When working with the printer (int 17h), it translates the information output to it into 7-bit ASCII (resets the most significant bit). As a result, the printer refuses to "speak" Russian and to print pseudographics. The virus intercepts int 17h and 21h.
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 80.
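The book entry gives two concrete, checkable facts: the five-byte entry-point patch written into .COM files and the high-bit reset applied to printer output. The script below is an added illustration, not code from the book and not the virus itself: it checks a .COM image for the MOV BX, imm16 ; JMP BX prefix (opcodes BB iw / FF E3) and shows what clearing bit 7 does to code-page-866 text. The assumptions are that the number in the name is the length of the appended body in bytes, in line with Kaspersky's naming scheme, and that Loc_Virus is a CS-relative address that, for a .COM program loaded at offset 100h, maps to file offset Loc_Virus - 100h. The sample files are constructed and contain no malicious code.

```python
"""Signature check and high-bit demonstration for the Printer-778 entry above.

Added illustration, not code from the book and no real malware. Assumptions:
the virus body is 778 bytes long (the number in the name) and Loc_Virus is a
CS-relative address inside a .COM program loaded at offset 100h.
"""
import struct

VIRUS_LEN = 778          # assumed body length, taken from the virus name
COM_LOAD_OFFSET = 0x100  # .COM code starts at CS:0100h


def com_entry_patch(data):
    """Return the 16-bit target of a 'MOV BX, imm16 ; JMP BX' prefix
    (opcodes BB iw / FF E3), or None if the file does not start with it."""
    if len(data) >= 5 and data[0] == 0xBB and data[3:5] == b"\xff\xe3":
        return struct.unpack_from("<H", data, 1)[0]
    return None


def looks_infected(data):
    """Heuristic match for the infection pattern: the patched jump must land
    inside the file, with at least a body's worth of bytes after it. A
    legitimate program could in principle start the same way, so this is a
    signature, not proof."""
    target = com_entry_patch(data)
    if target is None:
        return False
    body_offset = target - COM_LOAD_OFFSET
    return 0 <= body_offset < len(data) and len(data) - body_offset >= VIRUS_LEN


def strip_high_bit(data):
    """What the virus's int 17h handler does to every byte sent to the
    printer: clears bit 7, so any code-page-866 Cyrillic letter or box-drawing
    character (all above 7Fh) becomes a different, plain ASCII byte."""
    return bytes(b & 0x7F for b in data)


def build_samples():
    """Constructed .COM images for testing the check: a tiny clean program
    and the same program with the 5-byte entry patch and an inert body."""
    host = bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x90" * 60   # mov ah,4Ch ; int 21h ; nops
    body = b"\xCC" * VIRUS_LEN                               # stand-in for the appended body
    target = COM_LOAD_OFFSET + len(host)                     # body placed right after the host
    patch = bytes([0xBB]) + struct.pack("<H", target) + b"\xFF\xE3"
    infected = patch + host[len(patch):] + body
    return host, infected


if __name__ == "__main__":
    clean, infected = build_samples()
    print("clean:", looks_infected(clean), "infected:", looks_infected(infected))
    russian = "Привет".encode("cp866")
    print(russian, "->", strip_high_bit(russian))
```

Running it shows the clean image rejected, the patched image flagged, and the CP866 bytes of a Russian word turned into an unrelated run of ASCII punctuation and letters, which is exactly the "printer refuses to speak Russian" symptom from the book.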
Disclaimer: This column reflects only the private opinion of its author. It may or may not coincide with the position of Kaspersky Lab. As luck would have it.