UPDATE 06/03/2015 – Microsoft have released a statement that their Secure Channel (Schannel) SSL implementation is vulnerable to the FREAK attack across all implementations of Microsoft Windows. You can find details on the Microsoft advisory here: https://technet.microsoft.com/en-us/library/security/3046015

It’s been less than two weeks since we were here last, telling tales of woe about SSL Man-in-the-Middle attacks that leave all your data open for malicious users to view, and lookie, here we are again.

Let me set the scene for you; it’s the 1990s, and crypto for the masses is on the rise; not least of which is PGP for your emails and Netscape Corporation conjuring up SSL, as a means of encrypting data for secure communication.

The US government, now unable to read everyone’s shopping list, decrees that strong encryption is a munition, and any encryption systems exported from the US must utilise deliberately weakened encryption keys [1]. In the case of RSA encryption, this specified that the key length must not exceed 512 bits.

Yup that’s right, these were specifically engineered to be breakable. (Cue legions of activists travelling from the US with the PGP source code tattooed on their body parts).

As we are of course aware, SSL performs a negotiation to allow clients capable of stronger encryption methods to use those over the weaker ones. US clients connected to the servers with strong ciphers – everyone else used the weakened ‘Export’ grade ciphers, and had to put up with the NSA knowing their favourite breakfast cereal.

Roll on the end of the 90s and early 00s, the export restrictions are lifted and ‘secure’ SSL comes to us all (well, mostly all), so surely these weak ciphers are all disabled and removed by software updates into non-existence right?……Sure.

EXPORT Ciphers

So these are old and broken ciphers, and we now have a negotiation process that prefers stronger and secure ciphers, so what’s the issue? Only those who can’t use proper crypto would be victims, right? The masses in the still taboo countries on the restricted list, and a few million corporate users browsing their Internet banking from work on IE6.

So, given that (in theory) no modern clients would ask for export ciphers, and no servers should support them, and cryptanalysis is haaaaard, there shouldn’t be a problem.

So let’s jump into these points, starting maybe a bit unusually with the second point, that the number of servers actually supporting Export grade cipher suites is very small. Details emerging today show that over the IPv4 address space, 26.3% (at time of writing)[2] supported at least one RSA-Export grade Cipher Suite.

The excellent blog article by Matthew Green[3] identifies a number of interesting (worrying) sites supporting EXP ciphers, including notable content providers (presumably to avoid support calls when people couldn’t access their customers’ sites using archaic browsers).

Other notable sites included nsa.gov, tips.fbi.gov and connect.facebook.net. The latter of these is the source of the well-known Facebook ‘like’ button, which is on SSL sites all over the world; MITM that connection and you have injection opportunities almost everywhere… just one example.

OK, so that’s point two sorted; let’s backtrack and check out point one again. Thanks to the wonderful research done at INRIA, Microsoft Research and IMDEA, we know that there is a bug in several modern TLS clients, namely OpenSSL and SecureTransport (Apple)[4]. This bug allows the client to accept a response containing an RSA-Export key, regardless of the RSA grade initially requested. So presuming you can sit between a vulnerable client and a server that will serve an Export-grade cipher, this can be used to effectively downgrade an SSL communication to its lowest level.

The Attack

Suppose you’re in a position to perform a MITM attack: you’ve got a vulnerable client and a server that will support RSA-Export. What is the workflow here, and how does the attack work?

Well here’s how Matthew Green describes it, in excellent terms:

  1. In the client’s Hello message, it asks for a standard ‘RSA’ ciphersuite.
  2. The MITM attacker changes this message to ask for ‘export RSA’.
  3. The server responds with a 512-bit export RSA key, signed with its long-term key.
  4. The client accepts this weak key due to the OpenSSL/SecureTransport bug.
  5. The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
  6. When the client encrypts the ‘pre-master secret’ to the server, the attacker can now decrypt it to recover the TLS ‘master secret’.
  7. From here on out, the attacker sees plaintext and can inject anything it wants.

Hey it’s not all bad, at least the attacker is going to have to factor the RSA key for every connection which is going to make this one heck of a tedious attack to perform…..

Nope.

Generating an RSA key is a fairly complex process that uses a notable amount of system resources while it’s being done, so what do the majority of web servers do to counter this problem? Well, they just generate one and re-use it. See the problem?

Break it once and you’re golden until the server goes down and a new key is generated.
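The client-side check whose absence step 4 relies on, as an added example that is not part of the original post or of OpenSSL's or Apple's code: a simplified model of the server's reply as the client sees it. `ServerFlight`, `check_server_flight` and the 2048-bit minimum are illustrative assumptions, and the sample replies are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Cipher suite code points from the IANA TLS registry.
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
EXPORT_SUITES = {code for code, name in SUITES.items() if "_EXPORT_" in name}
MIN_RSA_BITS = 2048  # assumed local policy, not a value from the article


@dataclass
class ServerFlight:
    """The parts of the server's reply that matter here (hypothetical model)."""
    chosen_suite: int                    # suite named in the ServerHello
    cert_rsa_bits: int                   # long-term key in the certificate
    temp_rsa_bits: Optional[int] = None  # temporary RSA key in ServerKeyExchange


def check_server_flight(offered: List[int], flight: ServerFlight) -> List[str]:
    """Return the reasons to abort the handshake; an empty list means continue."""
    problems = []
    if flight.chosen_suite not in offered:
        problems.append("server chose a suite the client never offered")
    is_export = flight.chosen_suite in EXPORT_SUITES
    if is_export:
        problems.append("export-grade suite negotiated")
    # A temporary RSA key only belongs to an export RSA key exchange.
    # Accepting one for an ordinary RSA suite is the behaviour step 4 describes.
    if flight.temp_rsa_bits is not None and not is_export:
        problems.append("unexpected temporary RSA key for a non-export suite")
    # The key the pre-master secret would actually be encrypted to.
    bits = flight.temp_rsa_bits if flight.temp_rsa_bits is not None else flight.cert_rsa_bits
    if bits < MIN_RSA_BITS:
        problems.append(f"{bits}-bit RSA key is below the {MIN_RSA_BITS}-bit minimum")
    return problems


# Constructed sample data: the client offers only non-export RSA suites.
OFFERED = [0x002F, 0x000A]
HONEST = ServerFlight(chosen_suite=0x002F, cert_rsa_bits=2048)
# Constructed: a 512-bit temporary key arrives although a normal suite is in play.
DOWNGRADED = ServerFlight(chosen_suite=0x002F, cert_rsa_bits=2048, temp_rsa_bits=512)

if __name__ == "__main__":
    for label, flight in (("honest", HONEST), ("downgraded", DOWNGRADED)):
        print(label, check_server_flight(OFFERED, flight) or "ok")
```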

Ok… Now what?

OpenSSL has very quietly released a patch in the latest version that corrects this. Apple is ‘working on it’ and the big CDNs such as Akamai are rolling out patches to remove the Export grade ciphers. Facebook’s are gone; who knows what the NSA and FBI are doing.

The conclusions for this are fairly straightforward: upgrade your clients where possible, patch your servers, and purge RSA-Export from the internet.

And you Mr G-Man lurking in the corner, learn from your mistakes, stop trying to build backdoors into encryption before it bites you (and us) in the ass……again.

[1] https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States
[2] https://freakattack.com/
[3] http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
[4] https://www.smacktls.com/


Written by
Emma McCall
Security Consultant
Corsaire

You may have heard of some of the big name hacks that happened this past year, SingleHop has posted a great blog article highlighting some of the industries and companies that were affected [1]. But you may not have heard about some of the smaller companies that were breached, because let’s not forget that no company is too small to be a target for a black hat. In fact – smaller companies with weaker security policies, and potentially no security process, may even be a better target for hackers who are looking for a quick and easy target.

A great example of this is popular independent makeup company Lime Crime [2]. This month they announced their website had been compromised; however, the breach took place as early as October 2014. This has resulted in their customers not only having their usernames and passwords compromised, but those who opted to pay for their purchases directly through Lime Crime’s website, and not PayPal, also had their card details stolen. They are now the victims of credit card fraud.

Thanks to sites like Reddit [3], you can easily see the effect that this breach has had on the company and the backlash they’ve received from the indie, and even the mainstream, makeup community. People who loved their products no longer feel secure purchasing from the company and those people who would be clients are now advising other potential buyers of “dupes” (duplicates) for beloved Lime Crime products.

Despite the tragedy that the hack was, there is a lesson that can be learnt here. Never forget that no company is too small or insignificant to be the target of cyber crime.

Small business owners: Are you keeping your customers’ data safe?

[1] https://www.singlehop.com/blog/5-industries-devastated-by-data-breaches-in-2014/
[2] http://limecrime.com/security
[3] http://www.reddit.com/r/MakeupAddiction/comments/2w0g44/lime_crime_deletes_ig_photo_after_being/


Written by
Amanda McKinney
Project Coordinator
Corsaire

Owing to the BEAST and POODLE attacks, the case for using SSLv3 hasn’t looked good in a while, and if you’re in the Payment Card Industry (PCI), the case is looking bleaker still. The PCI Security Standards Council has released its impending revisions to the Data Security Standards (DSS) of the PCI and payment applications (PA) in [1], in which they have determined SSLv3 is no longer an acceptable way to safeguard data. This means that no version of SSL is cryptographically “strong” according to PCI DSS due to inherent weaknesses in the protocol.

New versions (v3.1) of PCI DSS and PA-DSS will soon be published to tackle this subject, which will be effective immediately, and will hopefully address currently-listed applications, as well as future ones. As of now, there’s no way to resolve the weaknesses in the SSL protocol, but advice is out there, even from us here.

[1] https://www.pcisecuritystandards.org/pdfs/15_02_12_PCI_SSC_Bulletin_on_DSS_revisions_SSL_update.pdf


Written by
Rowena Harrison
Security Consultant
Corsaire

SuperPhish!

Posted: 19 February 2015 in Uncategorized

Once again we have a new entry to the long list of InfoSec dumb ideas; hardware manufacturer and retailer Lenovo have been caught installing adware-injecting browser plugins on their new laptops.

The ‘Superfish Visual Discovery’ browser add-on, which comes preloaded onto new Lenovo laptops, injects adware into pages to aid users when identifying products. A Lenovo spokesperson describes this as:

“The Superfish Visual Discovery engine analyses an image 100% algorithmically, providing similar and near identical images in real time without the need for text tags or human intervention. When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price.” [1]

Great when trying to buy a new sofa, not so great when it’s just unsolicited, vendor-installed adware.

However, what is even more concerning is the identification of an unrestricted trusted root certificate installed by Superfish, which effectively allows snooping on any secure connections. Your SSL Google for example…. or maybe your bank.

Case in point: the certificate was caught intercepting legitimate certificates, and signing sites such as the Bank of America:

[Screenshot: cert1]

As shown above, the certificate is a deprecated SHA-1 certificate, the key for which is only a 1024-bit RSA key. The key is installed into the system certificates as an unrestricted trusted root certificate. Put into context, this gives it the same level of trust as the Microsoft root certificate, allowing it to be used for signing virtually any secure communication.

[Screenshot: cert3]

It has been further identified by Chris Palmer of Google security that the certificates are all sharing the same private key [2], allowing anyone that can extract these keys to attack users vulnerable to this issue with no warning or notice.

Once again the security community has come together and combined their collective brainpower to develop a page similar to those created for high-profile bugs such as HeartBleed, to assist you in identifying if you are at risk from this issue – it’s always a good idea to check manually though. You can find the utility at: https://filippo.io/Badfish/

[1] https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/m-p/1863174#M79882
[2] https://twitter.com/fugueish/status/568258997578371072
[3] Screenshots thanks to @semenko @kennwhite @fugueish on Twitter


Written by
Emma McCall
Security Consultant
Corsaire

Yet another instance of suspected National Security Agency spying on the world has been brought to light in the past few days. The Russian security software company Kaspersky Lab issued a report yesterday detailing their discovery and analysis of a group of malware called the Equation group, which hinted that the “Equation group and the Stuxnet developers are either the same or working closely together”[1]. This revelation was down to one of the group’s pieces of malware, the Fanny Worm created in 2008, which used zero-day exploits that were later discovered with Stuxnet in 2010 – the NSA cyber-attack responsible for damaging the Iranian nuclear program.

The Equation group has the ability to infect and re-write hard drive firmware in hard disk drives (HDD). What’s interesting is that this form of attack has only been hearsay and an unproven theory up until now and what’s more, it has been found to affect several different HDD brands including Seagate, Samsung, IBM and Western Digital in over 30 countries.

The attack is shown in the figure below. After the web-based exploitation of the target, a Trojan called DoubleFantasy is installed onto the target which validates if the target is the one it actually wants. If it is, this malware is upgraded to a fully-featured espionage platform which can perform the infection of the HDD firmware. The most up-to-date platform is GreyFish, which sets itself up in the registry. Another form of this malware is EquationDrug.

Figure 1: The web-based attack life-cycle. Figure from [1].

These malware platforms reflash the HDD, install Equation group payloads to give the attackers full control over the operating system and provide an API into hidden data storage on the disks. This allows the malware to persist on the disk even after disk reformatting or re-installation of the operating system and allows invisible and persistent data storage inside the hard drive.

The Equation group has been active since 2001, infecting hosts via self-replicating worms, CD-ROMs and USB sticks, but attack vectors based on web-based exploits are now a worrying feature. An example of these exploits is compromised forums with malicious PHP scripts injected into them, which perform target validation as well as exploitation. These scripts validate whether a user is authenticated or unauthenticated and if they come from specific IP address ranges. If certain conditions are met (i.e. the user is authenticated and comes from a region other than Turkey, Jordan or Egypt), the PHP scripts create an exploitation URL to exploit the user.

The Equation group is a sophisticated yet extremely dangerous collection of malware, able to hide from anti-virus products and survive after eradication attempts. It is a formidable espionage weapon, able to steal, communicate and lock away data, which will, no doubt, keep us up at night.

[1] http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Equation_group_questions_and_answers.pdf


Written by
Rowena Harrison
Security Consultant
Corsaire

Organisations are adopting a risk management methodology when dealing with security vulnerabilities. One prevalent approach is for companies to choose to accept the risk or to focus on mitigating security issues at a certain level. For instance, some organisations have rules that projects with high risk vulnerabilities are not allowed to go LIVE, while most low risk security vulnerabilities are ignored.

One could argue that low risk vulnerabilities are typically low hanging fruits with minimal impact, most of which cannot be directly exploited or executed. There are, however, consequences in choosing not to remediate such low risk vulnerabilities.

Let’s imagine you are a target for a potential attack by a hit squad.

Once the target is identified, the hit squad typically comes up with a plan of action to take out the target, or in some instances the squad already have one. Devising a plan of attack would involve studying, researching and trying to understand the target; standard reconnaissance work. Everything is under strict and constant surveillance, to gather as much information as possible. This is done to increase the success rate for the planned attack.

The scenario above should give you an idea of how low risk vulnerabilities could potentially be utilised by an attacker to exploit systems.

Deciding to leave low risk vulnerabilities is equivalent to handing the information, typically gathered from the reconnaissance/surveillance phase, to the attacker yourself. To contextualise this, a common issue usually highlighted in security assessments is software versions disclosed by the hosts. By disclosing this information, the attacker knows the server is running Tomcat (for instance) and would focus on sending exploits specific to the Tomcat application server.

Not only has the potential marginal success rate been increased but also the effectiveness of the intrusion detection or prevention system has been decreased. On the latter point, if the attacker was still at the surveillance stage, initial packets would be sent for different application servers (IIS, Apache, Nginx, etc.) in an attempt to identify which web application server is being used on the target host. Such malicious packets intended for a different application server should trigger, and get picked up by, an intrusion detection system (if available and adequately configured).

In conclusion, if you were the target of an attack, you would attempt to be quiet, giving out the least possible noise or information. Every information system you have has the potential to be attacked. So, yes please, remediate the high risk findings but do not neglect the low findings as you would probably be handing your attacker the arsenal required to take you out! (What irony!)
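One way to audit your own hosts for the version disclosure described above, as an added example that is not from the original post. The sample responses, their version numbers and the function names are constructed for illustration.

```python
import re

# Response headers that commonly carry product/version banners.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# A product token followed by a dotted version, e.g. "Apache-Coyote/1.1".
VERSIONED = re.compile(r"[A-Za-z][\w.+-]*[/ ]v?\d+(?:\.\d+)+")
# A header whose whole value is a version, e.g. "X-AspNet-Version: 4.0.30319".
BARE_VERSION = re.compile(r"^\d+(?:\.\d+)+$")
# Footer printed on Tomcat's default error pages.
TOMCAT_FOOTER = re.compile(r"Apache Tomcat/\d+(?:\.\d+)+")


def parse_response(raw):
    """Split a raw HTTP response into [(lower-cased name, value)] and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers, body


def find_disclosures(raw):
    """Return (location, banner) pairs that reveal a product version."""
    headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name in BANNER_HEADERS:
            match = VERSIONED.search(value) or BARE_VERSION.match(value)
            if match:
                findings.append((name, match.group(0)))
    footer = TOMCAT_FOOTER.search(body)
    if footer:
        findings.append(("body", footer.group(0)))
    return findings


# Constructed sample: a default error page that names product and version.
NOISY = ("HTTP/1.1 404 Not Found\r\n"
         "Server: Apache-Coyote/1.1\r\n"
         "X-Powered-By: Servlet/3.0\r\n"
         "Content-Type: text/html\r\n\r\n"
         "<h3>Apache Tomcat/7.0.52</h3>")
# Constructed sample: the same response with banners and error page replaced.
QUIET = ("HTTP/1.1 404 Not Found\r\n"
         "Server: webserver\r\n"
         "Content-Type: text/html\r\n\r\n"
         "<h1>Not Found</h1>")

if __name__ == "__main__":
    for label, raw in (("noisy", NOISY), ("quiet", QUIET)):
        print(label, find_disclosures(raw))
```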

PS: It is important to note that while risk ratings are in most cases aligned to industry standards, there could be deviations due to environmental conditions, knowledge of the specific target and the security consultant’s view, for example.



Written by
Chioma Nwabuko
Security Consultant
Corsaire

The expectation of absolute security from data and systems is the naked emperor of the Internet generation. As a simple contrast, if you went into the street and canvassed people for their opinion on the security offered by a traditional safe, I bet you would be hard pressed to find more than a handful of people that would believe that a safe could be secure under all circumstances.

It is just so obvious that given the right tools and enough time, any metal box is going to be opened eventually. In fact, safes are even marketed on the basis that they are fallible! Each safe is rated based on the time and tools required to open it. The more you pay, the greater the complexity and duration required to get at your valuables inside.

The way that the safe manufacturer will arrive at these numbers is through empirical testing. They break into their own products, gather meaningful data, and then they publish their results. Makes sense, doesn’t it?

Meanwhile, back in the realms of hardware and software, vendors are making amazing claims as to the infallible security of their products, generally with absolutely no supporting data. What is more amazing though, is that otherwise-sophisticated buyers are still handing over their hard-earned money for them!

Accept it, the emperor is naked. Just try not to stare…


Written by
Martin O’Neal
Managing Director
Corsaire