Information security round-up
Fresh from Black Hat USA and Defcon 24, iGB’s Technical Editor Justin Bellinger brings you the latest updates from the world of cyber security, which include some interesting insights and worrying trends revealed to the attendees at the Las Vegas events. First however he takes a look at the latest exploits, hacks and patches currently doing the rounds.
Linux has been found to have a bug that has been residing in the kernel of the npopular OS since version 3.6 of the kernel, or since 2012. Although not Android-specific, the flaw is known to have been present since the KitKat release and can still be found in the current developer release, Nougat, presenting a potential problem to the 1.4 billion users of Android phones as well as the billions of servers, smart TVs and other devices based on Linux. The flaw in the implementation of the TCP/IP stack allows an attacker to hijack a connection using spoofed packets between two known IP addresses and port combinations. There is a low technical threshold for this attack, meaning just about anyone can carry it out but the attack is unlikely to scale to infect multiple machines simultaneously. Google engineers are aware of the fault so are probably working on a fix for the wider open source community already.
Microsoft gave us only nine security bulletins during the August Patch Tuesday, five of which the company classed as critical.
Critical vulnerabilities are addressed in:
• MS16-095 Cumulative Security Update for Internet Explorer
• MS16-096 Cumulative Security Update for Microsoft Edge
• MS16-097 Security Update for Microsoft Graphics Component
• MS16-099 Security Update for Microsoft Office
• MS16-102 Security Update for MicrosoftWindows PDF Library
Important updates; MS16-098 (Windows Kernel-Mode Drivers), MS16-100 (Secure Boot), MS16-101 (Windows Authentication Methods) and MS16-103 (ActiveSyncProvider) should also be installed by you or your sysadmins as soon as possible.
Apple, since our last issue, has released two versions of iOS, taking us to version 9.3.4. As well as preventing the Pangu jailbreak from working, the update addresses potential memory corruption issues allowing for the chance of code executing at the privileged kernel layer. OS X El Capitan v10.11.6 has been released along with Security Update 2016-004, addressing over 60 common vulnerabilities and exposures in both El Capitan and Yosemite. Updates have also been release for watchOS – 2.2.2 and tvOS – 9.2.2, additionally for those of you who missed it AirPort base stations have received firmware updates 7.6.7 and 7.7.7.
Apple unveiled a new bounty programme at Black Hat 2016, paying the discoverer of any zero-day exploits up to $200k for their proof of concept, as well as smaller pay-outs for the discovery of other bugs in the OS. Although not as lucrative, Microsoft has a similar programme that it has been running for the last three years. Apple went on to reveal a lot more about their security ethos during the event, revealing the inner workings of iOS security features in both iOS 9 and iOS 10. Head of Security Engineering and Architecture, Ivan Krsti , walked the audience through a deep dive on how Apple protects its customer not only from miscreants but also from the company itself. Krsti revealed the concept of the company’s Secure Enclave Processor, which prevents attacks even if the main processor is compromised, and spoke about the company’s use of a ‘true’, rather than pseudo, random number generator. Maybe there’s something for our sector in there?
Network and hardware
Cisco, Fortinet and Juniper have all confirmed that they are vulnerable to attacks linked to Edward Snowden leaks. Hacking group Shadow Brokers have recently attempted to auction a set of tools that they have allegedly stolen from the US government-linked Equation Group.
All three vendors have confirmed that the vulnerabilities do exist in their firewall and networking products and have issued customer advisories, and in some cases patches or work arounds. As numerous products and technologies are affected you would be well advised to check regularly with your vendor on specific updates. SDN, or Software-Defined Networking, designed to be more dynamic and manageable than traditional hardware networking, came under scrutiny from Seungsoo Lee and Changhoon Yoon at Black Hat. The pair revealed two SDN specific attacks, the first of which involved them getting access to a SDN controller, enabling them to add a new malicious and unauthorised node to the network. Secondly, the pair demonstrated a hole which allowed them to control a SDN switch and throttle its performance to half speed, an attack that would certainly take most sysadmins quite a while to figure out.
Additionally, researchers Mauro Conti, Fabio De Gaspari and Luigi Mancini have recently published a paper describing how the very features that make SDN so dynamic and particularly manageable also allow potential attackers to gain valuable intelligence on the architecture of a SDN, making them ‘sniffable’ networks. The discovery phase of any attack is arguably the most important, as once a network is mapped out, with all its components, then an attack can be crafted to target the weakest points in the architecture.
As we continue to suffer from the unrelenting torrent of attacks, it was announced by security firm Imperva that the UK is now the second most targeted country in the world, unsurprisingly the US being the top. Admittedly, those on the US account for half of all attacks, with the UK suffering from a shade under 10% of the total, but the threat continues to grow exponentially. I have mentioned before that it is almost trivial now to acquire the technical know-how to carry out these attacks at a personal level. For those that don’t possess these skills, Imperva informs us that botnets can be rented for as little as $5 per minute.
A new concept in commoditising DDoS attacks has emerged in a white paper by Eric Wustrow and Benjamin VanderSloot. The pair propose the concept of DDoSCoin in the paper entitled: DDoSCoin: Cryptocurrency with a Malicious Proof-of- Work, malicious proof of work being the main point in the paper, where miners are rewarded in DDoSCoin for proving participation in an attack.
As with all blockchain environments consensus is required, and this mechanism, it is proposed, could be used in determining the miners’ target: “DDoSCoin allows miners to select the victim servers by consensus using a proofof- stake protocol. Rather than specify a single website or static list that DDoSCoin miners target, choosing them by consensus allows the choice of who is attacked to be made collectively and fairly by DDoSCoin participants.”
It will be interesting to see if this concept makes it into a practical distributed ledger system and how that would work in terms of preserving the anonymity of participants in the blockchain.
In the news
Cryptocurrency trading platform Bitfinex has suffered from the second largest heist in bitcoin history, losing over $70m to hackers. The company revealed in early August that some 120,000 bitcoins had been stolen from various accounts on the Hong Kong based exchange platform. The company faced liquidation but proposed to users of the platform that an across-the-board reduction of all participants’ investments of some 36% would see the company out of the woods. In exchange for this mandatory 36% reduction, Bitfinex are giving their customers IOU tokens they call BFX tokens. Stay tuned for the ensuing court cases, as this unorthodox move contradicts the terms and conditions that depository has signed their customers up to.
Ethereum has gone through the ‘hardfork’ and appears to be recovering from early losses suffered during the runup and immediate aftermath. That is, at least depending on which version you are running, as the blockchain network has split into two factions since the ‘hardfork’: ethereum (ETH) and a version that did not follow the fork, ethereum classic (ETC). Allthough a pragmatic move, allowing both purists and progressives to pursue the path which appeals to them most, this cannot ultimately be in the best interests of either side of the network.
Zero-day exploits are becoming a real commodity. As we read earlier about Apple announcing their bounty programme at Black Hat, they are in some respects late to the party as most other software houses offer similar programmes. For entrepreneurial hackers, revealing their proof of concept or fully fledged attack to their target manufacturer is not always the most profitable way forward, as there are a growing number of brokers for this information. Some of these are security companies who use the exploits for research, searching for potential profits in being the first to fix the exploit. Others trade the exploits to the highest bidders, who could be on either the defensive or offensive side of the security industry. Brokers such as Zerodium (Vupen) and Exodus are among a few firms that offer a subscription-based service to their arsenal of exploits. Controversially, our governments also seem to be in this market, stockpiling potential exploits without affording the manufacturer the chance to protect its cusmers, or their citizens, in other words. Maybe by harvesting these exploits, governments could be preventing them from falling into the hands of the hackers, or they may just be looking for the ingredients for the next Stuxnet?
Other news from Black Hat was that machine learning is set to become a big feature in the infosec arena over the coming months and years. Naturally, the target of much of this machine learning will be us, the weak link in the chain. Several talks focused on the social engineering techniques employed by hackers, from using machine learning to craft spear phishing email attacks through to the tried-and-tested technique of leaving USB keys containing malicious payloads in public places for the curious and gullible to pick up and use. ATM and point-of-sale attacks were also demonstrated, further emphasising the commoditisation of stolen card details and personal details, with bulk packages of this information trading for as little as 25c for a complete identity, including bank details. Amusingly, a malicious WiFi access point was discovered during the conference. Masquerading as a trusted network the victim’s device had seen before. 35,000 devices had connected to the network at the point of discovery!
As alway, keep safe, apply patches and update your software!