What is the way forward?

Bradley Manning to Snowden, GCHQ to NSA,CISCO to Huawei, Private to Government over the past one year we have been regularly hearing news about snooping, bug implants, government agencies trying to collect sensitive information about different agencies across the world, Private vendors spying on its customer etc. such news  are quite worrisome for individuals, customers, corporate, for someone who is from the information security industry. 

Few important questions arise from such incidents:

• How do we protect ourselves from such incidents?
• Whom do we trust?
• What is the way forward?
• Should be move back to traditional security practices?
• Where do we find the balance?

In recent news president Obama would be not staying at Waldorf Astoria hotel for the UN General Assembly. Traditionally this hotel has housed all the presidents from Hoover till today but recent acquisition by a Chinese owner has put concerns over security.

Another report was about Cisco routers shipped with backdoor implanted and similar news was about well-known Chinese manufacture Huawei whose devices were reported to have backdoor. Which reports are right or wrong, who is to blame for all this is a different debatable topic all together but the question of the hour is how do we protect ourselves? 

Should corporates invest more time and money and start investing in manufacturing their own hardware devices? Should we stop trusting everyone? Should an individual move to exchanging hand written cryptographic letters?

I would really like to hear thoughts and solutions from the security community about such events and way forward for a SAFER & BETTER Internet!!!

P.S.- Our next post is about an ISP failing to implement security controls and leaking sensitive information.

Sources:-

• http://edition.cnn.com/2015/09/11/politics/obama-waldorf-astoria/
• http://arstechnica.com/security/2015/09/attackers-install-highly-stealthy-backdoors-in-cisco-routers/
• https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
• http://www.zdnet.com/article/former-pentagon-analyst-china-has-backdoors-to-80-of-telecoms/
• http://blogs.wsj.com/washwire/2013/08/21/what-bradley-manning-leaked/
• http://www.bbc.com/news/world-us-canada-23123964

Linked(in)-Engineering

Social Engineering is the term associated with security since the early 1800’s one of the most iconic personal was Samuel Williams who used to con people of their personal valuables by simply asking to keep it with him. He was termed as the “confidence man” by the tabloids in that era, another such example is of Joseph Weil who ran various scams with help of social engineering and one of his famous scam was to con the great Benito Mussolini for over $ 2 Million.  In today's world movies such as “Catch me if you can” & “Identity Theft” highlight the damage that is possible via such attacks and are great examples of what is information is to be kept private & what information to be kept public.

With the passage of time the tools for information gathering/engineering have changed drastically, while one might say technology has come a long way in dealing with such attacks but there is also other side of it. In this age of information sharing with likes of Facebook, Instagram, Whatsapp, Twitter, Linkedin etc. the art of social engineering has gone to a different level. There is tremendous amount of personal information that is shared with the world on such websites & applications. It has become now much easier for people to perform identity theft as private information of personals is right at their fingertips.  Such information is quite a threat to an individual as well to an organization one such example is the recent security breach that happened at RSA. RSA claims that phishing emails were sent to a group of few targeted employees to gain access into the company’s network. This breach put a question on the RSA- Two factor authentication token algorithm as confidential information regarding it was compromised. It not only affected RSA but several other companies who were using RSA authentication infrastructure/mechanism, it cost them over $ 70 million to recover from this attack.

Social Engineering Simplified

Among these information sharing, networking platforms one such popular platform is Linkedin.  Linkedin is professional networking platform with over 350 million users. It is widely used by industry professional to connect with other and exchange informative data.  From a attackers perspective this can be quite a useful platform to mine important information. It can be also used to attack or target a specific individual or an organization.  Keeping this in mind we did a bit of sniffing among our own Linkedin network & about 15 mins of sniffing were astonished with the results that we got. 

 Profile of Chief of Staff

Information Security Professionals Sharing Their Personal Info

Higher Authority at World Bank Sharing Family Pictures

 The above images are just a small highlight of the heap of information that we could gather. One could collect information regarding the Office of President, decision makers at World Bank sharing their private family pictures , people at various levels in different organizations sharing their personal contact details , there are discussions in groups were people are discussing/sharing confidential company information or issues. All this put togather can be very useful intel and can cause serious damage to individual or an organization ,personally as well as professionally.

Most of you by now would be thinking that your organization has specific training & guidelines put into place which stops such vital information from being shared i.e. where PRIVACY is addressed. Well hold your horses right there well don’t you think the president’s office,world bank etc. wouldn’t have such guidelines or training in place? Most of the organizations around the world have some or other training program or guidelines for their employees which address the issues of information sharing & privacy, but the problem comes with regular evaluation. Only a handful of organizations undertake the task of evaluating the information shared by its employees at regular intervals or rather evaluating their learning from the training or guidelines provided to them. If such regular evaluation process is put into practice it will be very difficult for an attacker to carry out social engineering attacks as well as individual & organizational privacy will be maintained.

Note: This blog post is not targeted against any individual or organization and is strictly for informational purposes. If you find any offensive or objectionable material relating yourself/organization kindly write to us info@securitytheorem.com. And we shall take necessary steps. 

Logjam: All you need to know

Over the past couple of years the industry is regularly presented with SSL/TLS vulnerabilities and each of them has a unique name/buzzword to it. Some of the past buzzwords have are BEAST, FREAK, POODLE, LUCKY THRITEEN & The latest being “Logjam”. In this post we shall explain as to what exactly is Logjam? Is it actually a threat or just another vulnerability jargon? And lastly we shall explain you how to check if you are vulnerable & mitigate the vulnerability.

Logjam –The Vulnerability

The Logjam vulnerability is a TLS vulnerability found in the “Diffie-Hellman-Merkle” cipher. The attack is much similar to the recent FREAK attack in which the client & server are tricked into using a downgraded export cipher. As mentioned above in our case client-servers using 512 Bit -DHM export grade ciphers are vulnerable. So now we need to understand what is an EXPORT GRADE cipher? Technically speaking none of the ciphers are export as during a connection end to end encryption is being used as well as necessary protocols are put into place. But the cryptographic keys that are used into the ciphers are deliberately weakened so that they can be cracked upon later when required. 

In the 90’s government agencies used to sell software to its enemies using such keys (Export grade) which when need they could crack and monitor their enemies. Later in the year 2000 the US government abandoned the use of such ciphers, but by that time they had already flourished into the industry and where used in many products at different levels. So organizations also had to keep providing support for the ciphers. The problem with export grade is that over the years the computational power increased but the key lengths were not increased.

Why “Logjam”?

The DHM algorithm that is exploited by the vulnerability uses mathematical calculations known as discrete logarithms, short for which are “logs”. The attack uses special logs to jam bogus messages into the data to crack the communication, hence the name “Logjam” was derived.

Logjam - What it takes to launch a successful attack?

One of the most important things to exploit this vulnerability is to have or be able to generate exceptional computing power which can be equivalent to government security agencies or the computational power available at big universities. Let us assume that we have the request power available at our disposal, nevertheless still there are many scenarios which need to be in place for this attack to successful:

• The attackers must select the target beforehand and must be listening to their traffic before performing the attack.
• It is also necessary for the attacker to be already having established the “Man in the Middle” connection or be able to immediately establish once the targets start talking to each other. For e.g. if the attacker is at a coffee shop and listening to the traffic, if his targets are not yet decided or is still not in a position to establish a “Man in the Middle” connection the possibility of finding the same target again is quite rare.
• The attacker needs to have pre computed values that the client will be using or need to have exceptional computational power.

Are you “Vulnerable”?

There are various free tools and website which will help you test your servers, browsers etc. against this attack :

• Keycdn - https://tools.keycdn.com/logjam
• Weakdh - https://weakdh.org/
• Qualys Labs - https://www.ssllabs.com/ssltest/index.html

Open source software’s such as OpenSSL or Nmap can also be used to detect the vulnerability. The commands for them are:

• Open SSL:  openssl s_client -connect www.[yourwebsite/server].com:443 -cipher "EDH" | grep "Server Temp Key"

In the above case if the key is less than 2048 than one should consider themselves to be vulnerable as now a days even 1024 bit keys can be cracked. If the connection fails in the above command than it would mean that there is no support for the DHM on the server and you are safe. 

Now another check that is to be done with open SSL is to check if there is support for export grade ciphers disabled:

• Command : openssl s_client -connect www.example:com:443 -cipher "EXP"

In this case if the connection is successful than it means export grade is enabled and one needs to disable it.

For Nmap users the command would be:

• Nmap : nmap --script ssl-enum-ciphers -p 443 www.example.com | grep EXPORT

The researchers who found this vulnerability have come up with a good guide to securely implement the DHM algorithm and defend against the Logjam vulnerability:

• https://weakdh.org/sysadmin.html

Our Take

We understand that you might be vulnerable to Logjam. But we would recommend you not rush into patching this vulnerability. William Murray a well-known information assurance trainer as nicely said in his recent article “Not all vulnerabilities are problems; not all problems are of same size”.  It might be easy for a security agency to crack a 512 or 1024 Bit key but it is also quite expensive for them. When thinking of patching your systems keep in mind the 3rd rule of Adi Shamir “People do not break crypto, they bypass it.” 

Sources: 

• https://nakedsecurity.sophos.com/the-logjam-vulnerability-in-tldr-format/
• http://security.stackexchange.com/questions/89773/how-to-check-if-a-server-is-not-vulnerable-to-logjam
• http://www.techrepublic.com/article/logjam-tls-vulnerability-is-academic-not-catastrophic/
• http://www.bankinfosecurity.com/logjam-vulnerability-x-facts-a-8249/op-1
• https://weakdh.org/sysadmin.html

Android Backup Path Traversal Attack

A vulnerability found by Imre Rad and reported almost 10 months ago came to light before a week. All the android devices running versions below 5.0 are vulnerable to the attack that we shall be discussing further.

ADB stands for Android Debug Bridge which is a command line interface used to communicate with your android device. Using ADB one can add files,views files, delete data,give certain system commands etc. One such command that is used widely is the backup command.  With adb backup a complete back up of your android device is created and stored on your computer. And with the adb restore  command user can restore the full backup when needed.

A vulnerability was found in the way debug bridge handles the storage and retrieval process of the backup. In ADB this process is handled by Backup Manager Service, when a backup is created it is stored with .TAR extension.

If the header of the TAR file is modified and given a path of a malicious file. Then when a backup is restored it the original file will be over written and user shall have a malicious file on the device. To have a better understanding an example is:

Original File Header Path:

Original Value

Apps/com.andriod.settings/foo

Changed Header:

Apps/com.andriod.settings/foo/../../../data/system/hacker.txt

Malicious Value

In the above example we have added  “../../” and the file path to the original header. 

To restore we need to first pack our .tar file with the following command:
java -jar abe.jar pack [tar filename][backup filename]

Our tar file packed

Now restore the backup with following command:
adb restore [filename]

Backup restore

Backup Restore Message in Device

Now on restoration of backup the malicious file will be loaded on to the system.

However there are certain pre conditions for the exploit to work :

• The header checksum must match.
• The partition on which the retrieval is taking place must be mounted as a writeable partition for e.g. /System would not work but /data would work as it is a writeable partition.
• The files will not overwrite if it owned by root. This is because the process which is restoring is running as the same user as the package and Andriod packages do not run.
• With the introduction of new system hardening process for ignoring non system agent packages in Andriod Open Source Project (AOSP) 4.3 it is not possible to overwrite the file in later versions. However is the device is running custom ROM or is rooted and running higher versions such as 4.4 or higher than mostly likely it is possible to overwrite the file.
• All the pre AOSP 4.3 versions are exploitable without any additional conditions. In this case it is possible to overwrite any file or package that is installed on the system.

Make sure that your devices have the latest patches and security policies installed onto them. We would also like to thank Imre & folks at exploit db for presenting us with such a beautiful exploit. If you have any queries feel free to write to us at info@securitytheorem.com or simply leave a comment below.

Soruce: https://www.exploit-db.com/exploits/36813/