Security Week 48: Dell's craving for certificates, a backdoor in modems, TrueCrypt returns

Every time another failure happens in the security field, two eternal questions materialize out of thin air: what to do, and who is to blame. The first one matters more: more and more often we deal with incidents that simply cannot be solved with a patch or anything like it. Unfortunately, this applies not only to super-complex attacks. Fortunately, these are usually theoretical threats. Here are this week's main news items:

- Self-signed root certificates were discovered on Dell laptops;
- A backdoor was found in 600 thousand modems made by the American company Arris;
- A German state agency commissioned an audit of TrueCrypt and found nothing, but still nobody trusts the encryption utility its developers abandoned.

Nothing new. The first two stories are, generally speaking, from my favorite rubric: "never had this before, and here it is again". Dozens of software and hardware manufacturers keep stepping on the same IT security rake, and it seems there will never be an end to it. But there is a solution, and in today's digest I will try to explain in general terms what it is. All episodes of the series are here.

A self-signed root certificate together with its private key was found on Dell laptops. Then two more were found.
News. More news. 2000+ comments on Reddit.

In February this year, Lenovo laptops were found to ship with a pre-installed program, Superfish, that showed users very targeted ads. Unpleasantly, though not surprisingly, there was one nuance: to display targeted advertising even more effectively, including on sites with a secure connection, the program "broke into" HTTPS traffic using its own root certificate. At first Lenovo did not acknowledge the problem ("this is not a problem"), then it did, apologized and removed the program.

All good? Not really. Two months later, Dell laptops went on sale in which the new manufacturer stepped on the same rake: the eDellRoot root certificate, this time not from third-party software but from the manufacturer itself, potentially allows MITM attacks, user surveillance, password theft and the like. How was it found? A user who for some reason decided to look through the list of installed root certificates (admittedly a rather unusual pastime) found eDellRoot and wrote about it on Reddit.


(Image caption: It is time for cool epics.)

And how did they react? Just like Lenovo in February. Dell's first comment was that there was no problem: the thing is installed so that technical support can work "more efficiently" when a customer asks for help, and in general it's all very strange. But then something changed: Microsoft decided to "nail" the certificate through Windows Defender, and Dell apologized, intends to remove the certificate from existing laptops with an update, and will no longer install it on new ones.



The potential problems with eDellRoot would be smaller if the private key were not stored on the affected machines. As it turned out later, two more such pairs can be found on some Dell models, although they are rarer, and one of the newly discovered certificates has already expired. So it turns out that this extremely unsafe practice is generally accepted and widespread, and (until now) vendors have not classified it as something bad.
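The dangerous combination described above is a trust anchor whose private key sits on the endpoint itself: whoever holds that key can sign a certificate for any site and the laptop will accept it. A quick way for an administrator to check a machine for this pattern is to walk the Windows root stores and report every root certificate that has a private key associated with it, plus anything carrying the eDellRoot name from the post. The script below is an added example written for this digest; it is not Dell's removal tool, not Microsoft's code, and it assumes that a shipped key shows up in the store as an associated private key (the `HasPrivateKey` test), which is how the eDellRoot case was visible. The other two Dell certificates are not named in the post, so only the generic private-key test can catch them.

```powershell
# Added example (not from the original post, Dell or Microsoft).
# Lists root-store certificates that should never exist on an endpoint:
# trust anchors whose private key is present on this very machine,
# and anything named eDellRoot (the name is taken from the post).
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $reasons = @()
        # Assumption: a shipped key is associated with the store entry,
        # so HasPrivateKey is true (this is how eDellRoot showed up).
        if ($cert.HasPrivateKey) { $reasons += 'private key present on this machine' }
        if ($cert.Subject -like '*eDellRoot*') { $reasons += 'matches eDellRoot name' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                Expired    = ($cert.NotAfter -lt (Get-Date))
                NotAfter   = $cert.NotAfter
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No root certificate with a local private key or an eDellRoot name was found.'
}

# Removal (run from an elevated shell) once the thumbprint has been confirmed
# from the table above; the vendor's own removal update is the supported route.
# Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint-from-findings>"
```

The Expired column is reported rather than used as a trigger on its own: root stores routinely contain expired legitimate roots, so expiry alone is noise, but an expired root that still has its private key on the box is exactly the third Dell certificate the post describes.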

Let me recall another story on the topic, one that our experts dug up at the beginning of last year. The Absolute Computrace software not only had a "recovery" function that survived a complete reinstallation of the system; it also used extremely unsafe methods of talking to its server infrastructure, and it was probably activated on laptops whose owners never asked the anti-theft system's developer to do so. This is a good example of how hard it is to investigate such potential security threats. In 2009, some aspects of how Computrace works were studied by one company. Now suppose the Lab's experts decide to take the topic further and find even more problems. For that they need to: (1) analyze the interaction between the BIOS and the installed software; (2) analyze the program code and its interaction with the server; (3) select several different laptops, compare software and module versions, and evaluate the configuration on each of them. The laptops should preferably be new, since it was necessary to understand whether the module is activated by default. (4) Prepare a proof of concept showing how control of a laptop can be gained remotely.

The conclusion is clear: all this takes months, if not years. The developer's response? "Everything is fine with us, there are no problems," and so on. The examples of Dell and Lenovo show that the first reaction is always like that.

The main mistake one can make against the backdrop of such events is to start dividing software and hardware companies into "good" (from a security point of view) and "bad". This is a great way to replace a conversation about technology with politics, and in the end nothing gets decided. But we need to actually change the security situation for the better: "happiness for everybody, free, and let no one go away unsatisfied". The question is how? The Lenovo and Dell examples suggest that independent researchers help change the situation for the better. The Computrace example, as well as the considerable time between the appearance of laptop "holes" and their exposure, clearly hints that there are not enough of these researchers.

Seriously, there are so many cybersecurity problems that the security industry in its current form is simply unable to identify and help solve all of them. Sooner or later, a responsible attitude to security will become the same kind of competitive advantage for vendors as environmental concern or charity is now. That is the bright future we will all, apparently, arrive at some day. And when we do, 2015 will probably look to us like the dark Middle Ages, and 2001 like the Paleolithic.

We'll wait and see.

A backdoor was found in American Arris modems
News. Researcher's blog post.

"Something happened in the modems again." The limited resources of the security industry mentioned above make the work of researchers resemble a military field hospital: in both places you have to work fast, do a lot and, most importantly, prioritize. And while everyone is busy holding back hordes of cybercriminals, who as a rule attack the obvious, widespread and easiest-to-exploit holes, there are few forces left to "guard the rear". And that is a mistake. Researcher Bernardo Rodriguez discovered a tricky vulnerability in Arris cable modems, the standard boxes that Internet providers install by the tens of thousands when connecting customers. Besides standard vulnerabilities such as XSS and CSRF, he found an undocumented library that allows remote access via telnet or SSH. On top of that, a whole set of default passwords is handed to a potential attacker, with full access to the settings as the inevitable result.


(Image caption: A tweet from Rodriguez.)

The researcher's post mentions the reluctance to engage with experts that is traditional for modem manufacturers, and the excessively long time needed to prepare a patch. There is no patch at the moment, but at least work is underway. By the way, if the bright future I drew above does come, companies like this, unprepared to close vulnerabilities quickly, will have to try that role on for size.



In Germany, TrueCrypt was examined again and nothing serious was found
News. BSI study report.

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or simply BSI) commissioned the Fraunhofer Institute to audit TrueCrypt, the utility for full or partial encryption of information. The question immediately arises why BSI needs this, if TrueCrypt is no longer being developed and was abandoned by its developers under very strange and suspicious circumstances. Do German government agencies really use for encryption a program developed by nobody knows whom, and nobody knows how? The point is that some TrueCrypt "elements" are used in the Trusted Disk software from Sirrix AG, and that is an officially approved tool for encrypting important data.

In general, there is reason to look. TrueCrypt has a strange history altogether. The unexpected demarche of its developers, who had previously remained anonymous, raised reasonable suspicions that there might be a backdoor somewhere in the encryption system. Checks were carried out repeatedly: in April the OpenCryptoAudit project completed its work and, in short, found nothing. Recently, two dangerous vulnerabilities were found in the TrueCrypt code, but they do not affect the encryption process itself either. Now the Fraunhofer Institute, at the request of BSI, has conducted another study and, by and large, also found nothing.


(Image caption: tl;dr of the Fraunhofer and BSI report.)

More precisely, the report says that when encrypted data is openly accessible on the system (for example, the system disk is decrypted and the OS boots and runs from it), that same data is exposed to the usual threats: keyloggers, trojans and so on. In general, this is a Captain Obvious remark, but a "disconnected" encrypted volume is completely safe. Interestingly, we now have three fairly authoritative TrueCrypt audits. The direct research by the OpenCrypto team and by BSI confirms the absence of backdoors and gaps in the encryption algorithm. Google Project Zero, having discovered those very "unrelated" vulnerabilities, gives a third, albeit indirect, confirmation: for some reason I'm sure that those vulnerabilities were not what they were looking for. And still there is no trust in TrueCrypt: after the events of May last year, it is unlikely that anything can restore it.

What else happened:
The latest, fourth version of the Cryptowall ransomware is now being distributed through the Nuclear exploit pack. This is the same version that encrypts file names too; I wrote about it earlier.

We discovered another piece of malware for POS terminals. It is more complex and potentially more dangerous than its predecessors. Perhaps more importantly, attacks on payment terminals have become much more frequent.

Antiquities:
"Plastique-3004, -3012"

Erases the contents of the disks when ACAD.EXE is run. Plays tunes. Slows down the computer (idle loop on int 8). On every 4000th keypress, one disk sector with a random number is erased. They contain the encrypted texts: "ACAD.EXE", "COMMAND.COM", ".COM", ".EXE", "Program: Plastique 4.51 (plastic bomb), Copyright 1988, 1989 by ABT Group. Thanks to Mr. Lin (IECS 762 ??), Mr. Cheng (FCU Int-Center)." Intercept int 8, 9, 13h, 21h.

Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky, 1992. Page 35.

Disclaimer: This column reflects only the private opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That's a matter of luck.
