Thursday, March 15, 2018

Cyber Updates - 15th March 2018

Commercial disagreement leads to mass TLS certificate revocation

In a somewhat baffling story, 23,000 certificates sold by the certificate reseller Trustico were suddenly revoked. It appears that Trustico wanted to move its customers to new certificates and saw revocation as a quick way of doing so.

Trustico asked DigiCert, the issuing CA, to revoke 50,000 certificates, citing an unspecified compromise. DigiCert refused without evidence of compromise, so Trustico effectively manufactured one by emailing 23,000 private keys to DigiCert. A private key that has been sent by email is compromised by definition, and the CA/Browser Forum rules oblige a CA to revoke within 24 hours of learning of a key compromise, so DigiCert had no alternative; visitors to the affected sites could start receiving secure-connection errors within 24 hours. The fact that Trustico held those keys at all shows that it had been generating or storing them on its customers' behalf, which is the real lesson of the story.

Key takeaways:

  • Monitor the trustworthiness of your certificate provider. Let's Encrypt is a well-respected, free and easy-to-automate certificate provider.
  • Never let a certificate provider generate, or otherwise obtain, your private key. Generate the key yourself, create a Certificate Signing Request (CSR) from it and send only the CSR to the provider (see example instructions here).
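Below, as an added example rather than the instructions the post links to, is the CSR workflow in Python driving the openssl command-line tool (assumed to be installed, version 1.1.1 or later for `-addext`). The hostname and working directory are illustrative; the checks in `csr_is_sound` are the ones worth running before anything is uploaded to a provider.

```python
"""Added example, not from the original post or from Trustico/DigiCert: generate a
TLS private key and CSR locally so that only the CSR ever leaves the host.
Assumes the `openssl` command-line tool (1.1.1 or later, for -addext) is installed;
the hostname and working directory are illustrative."""
import hashlib
import os
import subprocess
import tempfile


def run_openssl(*args: str) -> bytes:
    """Run an openssl subcommand, returning stdout and raising on a non-zero exit."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True).stdout


def make_key_and_csr(hostname: str, workdir: str):
    """Write <hostname>.key (mode 0600) and <hostname>.csr into workdir.
    The key is generated here and is never passed to the CA or reseller."""
    key_path = os.path.join(workdir, hostname + ".key")
    csr_path = os.path.join(workdir, hostname + ".csr")
    old_umask = os.umask(0o077)  # key file is created owner-readable only, no race
    try:
        run_openssl("genpkey", "-algorithm", "RSA",
                    "-pkeyopt", "rsa_keygen_bits:2048", "-out", key_path)
    finally:
        os.umask(old_umask)
    # The CSR holds only the public key, the subject and the requested SAN:
    # everything the CA needs and nothing it should not have.
    run_openssl("req", "-new", "-key", key_path, "-subj", "/CN=" + hostname,
                "-addext", "subjectAltName=DNS:" + hostname, "-out", csr_path)
    return key_path, csr_path


def csr_is_sound(key_path: str, csr_path: str) -> bool:
    """Pre-flight checks before uploading: the CSR's self-signature verifies, the
    public key inside it is ours, and no private key material leaked into the file."""
    verify = subprocess.run(["openssl", "req", "-in", csr_path, "-noout", "-verify"],
                            capture_output=True)
    if verify.returncode != 0:
        return False
    key_pub = run_openssl("pkey", "-in", key_path, "-pubout")       # PEM SubjectPublicKeyInfo
    csr_pub = run_openssl("req", "-in", csr_path, "-noout", "-pubkey")
    if hashlib.sha256(key_pub).digest() != hashlib.sha256(csr_pub).digest():
        return False
    with open(csr_path, "rb") as f:
        return b"PRIVATE KEY" not in f.read()


def demo(hostname: str = "www.example.com") -> dict:
    """Generate, check and report; returns the results so a caller can assert on them."""
    workdir = tempfile.mkdtemp()
    key_path, csr_path = make_key_and_csr(hostname, workdir)
    return {
        "key_mode": oct(os.stat(key_path).st_mode & 0o777),
        "csr_ok": csr_is_sound(key_path, csr_path),
        "csr_path": csr_path,  # the only file that goes to the provider
    }


if __name__ == "__main__":
    print(demo())
```

Only the `.csr` file goes to the provider. If a provider's portal offers to generate the key for you, or asks for the `.key` file, that alone is a reason to look elsewhere.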

Crypto-mining malware on UK and US government sites

Scott Helme, a UK-based security researcher, discovered that various UK government sites were serving JavaScript that used visitors' browsers to mine cryptocurrency, causing significant CPU utilisation for the end user. Further investigation showed that a third party, BrowseAloud, which provides a script that reads website content aloud for blind and partially sighted people, had been compromised. Its script had been altered to load the crypto-mining code, so every site that embedded the script was affected.

Key takeaways:

  • Anti-malware protection on web browsing, whether at the proxy or on the endpoint, may detect and block such a script, but it is a second line of defence rather than something to rely on.
  • Website administrators can use Subresource Integrity (SRI) to pin each third-party script to the hash of its expected content, so that the browser refuses to execute an altered copy.
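As an added example (not from the original post), the following computes the SRI digest that goes into a script tag and applies the browser's matching rule to a fetched copy of the script, so the same code can be used offline to check that a third-party file still matches what the page pins. The script contents are constructed stand-ins for a vendor file and a tampered copy.

```python
"""Added example (not from the original post): compute and check Subresource
Integrity (SRI) digests for a third-party script.  The script bodies below are
constructed for illustration; a deployment would hash the real file."""
import base64
import hashlib

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")        # in order of increasing strength
STRENGTH = {name: i for i, name in enumerate(SRI_ALGORITHMS)}


def sri_digest(body: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64>' for the given bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("unsupported SRI algorithm: " + algorithm)
    raw = hashlib.new(algorithm, body).digest()
    return algorithm + "-" + base64.b64encode(raw).decode("ascii")


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag for a third-party file, pinned to its current content.
    crossorigin="anonymous" is required for SRI on cross-origin resources."""
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (
        src, sri_digest(body))


def sri_matches(body: bytes, integrity: str) -> bool:
    """Apply the browser's rule to a fetched body: keep the tokens that use the strongest
    algorithm present and accept if any one of them matches.  Tokens with unknown
    algorithms are ignored; if nothing usable remains the resource loads unchecked."""
    tokens = []
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]          # options after '?' are permitted and ignored
        if alg in SRI_ALGORITHMS:
            tokens.append((alg, b64))
    if not tokens:
        return True
    strongest = max(STRENGTH[alg] for alg, _ in tokens)
    expected = {b64 for alg, b64 in tokens if STRENGTH[alg] == strongest}
    actual = sri_digest(body, SRI_ALGORITHMS[strongest]).split("-", 1)[1]
    return actual in expected


# Constructed stand-ins for the vendor script and a tampered copy with a miner appended.
ORIGINAL_JS = b"window.ba = { speak: function (t) { console.log(t); } };\n"
TAMPERED_JS = ORIGINAL_JS + b"(function () { /* injected miner would start here */ })();\n"
PINNED_TAG = script_tag("https://cdn.example.com/ba.js", ORIGINAL_JS)
```

SRI pins content, so the browser will also refuse a legitimate vendor update until the page's hash is changed; that is the intended trade-off, and the vendor's release process has to include telling customers the new hash. It only protects scripts loaded by a tag that carries the attribute, not anything the third-party script goes on to load dynamically.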

Record DDoS attacks using memcached

A number of record-breaking DDoS attacks in the last few weeks used memcached, an in-memory caching service, as an amplification vector. Memcached installations that listen on UDP and are reachable from the Internet answer a small request with a much larger response. An attacker sends requests whose source address is spoofed to the target's IP, so all of the responses land on the target, with amplification of up to about 51,000 times the size of the original request.
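To make the amplification arithmetic concrete, here is an added example (not code from the original post or from the memcached project) that builds the single UDP request used in these attacks, parses the response framing and computes the amplification factor. The `probe` function sends a real packet and must only be pointed at memcached instances you are responsible for; the response datagrams used in the checks are constructed, not captured.

```python
"""Added example (not from the original post): the memcached UDP request used for
amplification, and the arithmetic behind the amplification factor.  Use probe()
only against memcached instances you own; any response bytes used with
amplification_factor() in tests are constructed, not captured."""
import socket
import struct

MEMCACHED_UDP_PORT = 11211
# memcached's UDP frame: request id, sequence number, total datagrams, reserved (all 16-bit)
HEADER = struct.Struct("!HHHH")


def build_request(command: bytes = b"stats", request_id: int = 0) -> bytes:
    """A single-datagram memcached UDP request: 8-byte frame header plus the text
    command.  'stats' is 15 bytes on the wire but returns kilobytes of output."""
    return HEADER.pack(request_id, 0, 1, 0) + command + b"\r\n"


def parse_response(datagram: bytes) -> tuple:
    """Split one response datagram into (request_id, seq, total, payload)."""
    request_id, seq, total, _ = HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[HEADER.size:]


def amplification_factor(request: bytes, responses: list) -> float:
    """Bytes the reflector emits per byte the attacker sends (UDP payload only).
    With a spoofed source address, the victim receives every datagram in `responses`."""
    sent = len(request)
    received = sum(len(d) for d in responses)
    return received / sent


def probe(host: str, timeout: float = 2.0, port: int = MEMCACHED_UDP_PORT) -> list:
    """Send one 'stats' request and collect every datagram that comes back.
    An empty list means UDP is closed or filtered, which is the desired state."""
    req = build_request(request_id=0x1234)
    datagrams = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            while True:
                data, _ = s.recvfrom(65535)
                if parse_response(data)[0] == 0x1234:   # echo of our request id
                    datagrams.append(data)
        except socket.timeout:
            pass
    return datagrams
```

Memcached's own mitigation is to stop listening on UDP (start it with `-U 0`, which became the default in memcached 1.5.6) and to bind it to an internal address; the probe should then return an empty list. Upstream filtering of UDP port 11211 is the network-side equivalent.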

One high-profile victim was GitHub, although it was able to continue operating with minimal disruption with the help of its DDoS protection provider.

Key takeaways:

  • DDoS is a scenario you have to plan for in advance; if you do not have a plan by the time an attack starts, it is likely to take you offline.
  • Protection against an attack of this size will require the assistance of your upstream Internet provider and potentially a specialist scrubbing service.
  • Comsec offers a DDoS readiness service where you can assess the ability of your systems to withstand this type of attack.

Josh Grossman
Senior Information Security Consultant and Team Leader

Tuesday, February 6, 2018

Cyber Updates - 6th February 2018

CPU vulnerabilities revealed

After several days of intense speculation, an embargo was lifted on the disclosure of two classes of processor vulnerability, dubbed "Meltdown" (affecting Intel processors in particular) and "Spectre" (affecting processors from multiple manufacturers). They allow one process to read sensitive data belonging to another process, or to the kernel, including passwords, session tokens and more. Three of the discoverers presented a talk on the vulnerabilities at the BlueHatIL conference here in Israel a few weeks ago.

As the vulnerabilities reside in the processors themselves, for now all that can be done is to apply operating-system and firmware patches that mitigate the issues. This has not gone smoothly: Microsoft had to hold off deploying its patches until users updated their anti-virus software, and Intel ended up advising users to stop applying its microcode updates until further notice.

Key takeaways:

  • Apply patches based on vendor advice and be sure to test patches in a staging environment before a mass deployment to production systems. This should be standard practice in any case.
  • These vulnerabilities have attracted a great deal of attention because of their branding and novelty, although their CVSS scores are a modest 5.6 because exploitation requires running code locally on the target. Take this into account when prioritising: there may be more serious issues that should be addressed first (see the other items in this post).
  • If you use anti-virus software that is no longer updated, or a system with no anti-virus software at all, it may no longer install any Windows updates at all because of the anti-virus compatibility issue noted above.

Remotely exploitable Cisco vulnerabilities

A much more serious vulnerability was reported in Cisco ASA and Firepower edge devices that could allow a remote, unauthenticated attacker to execute code on the device. As these devices are designed to be exposed to the Internet, this merited a CVSS score of 10. As with the previous story, patching was not straightforward: Cisco had to issue an updated patch because the first one was incomplete, and customers complained that Cisco took too long to inform them.

Key takeaways:

  • This issue should be patched as soon as possible on all affected edge devices.
  • All security controls should be considered layers, and it is a worthwhile exercise to consider what would happen if a particular control, e.g. network edge protection, were suddenly disabled or bypassed.

Further Weaponisation of MS17-010 vulnerabilities

We have previously written about the increased risk from vulnerabilities for which exploits are easily available. We therefore want to highlight that a security researcher has ported some of the leaked NSA exploits (EternalRomance, EternalSynergy and EternalChampion), which previously worked only on certain Windows versions, to run on every version since Windows 2000. These

Key takeaways:

  • If you have any version of Windows (server or desktop) from Windows 2000 onwards that has not been patched with MS17-010, it can be compromised remotely wherever SMB is reachable.
  • Microsoft did release MS17-010 patches for Windows Server 2003 and Windows XP, but Windows 2000 cannot be patched.

The potential dangers of package managers  

A well-written blog post called "I'm harvesting credit card numbers and passwords from your site. Here's how." went viral a few weeks ago. It explained how the reliance on package managers in software development can be exploited to insert malicious code into an application through an innocuous-looking dependency.

Liran Tal wrote an interesting rebuttal in which he points out that the premise of the post relies on developers blindly adding packages without consideration.

Key takeaways:

  • The scenario in the original post is clearly possible although, as Liran says, it is more an issue of developer awareness and due diligence with open source code.
  • R&D teams should be aware of the risk, keep an inventory of the code libraries they use (including transitive dependencies) and know how to verify where each one came from.
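As an added example (not from the original post or from Liran's rebuttal), the check below turns an npm package-lock.json into an inventory and flags entries whose origin cannot be verified: a missing integrity hash, a non-HTTPS or git source, or a registry outside an allow-list. The lockfile and the allow-list are constructed for illustration; a real run would read the project's own lockfile.

```python
"""Added example (not from the original post): inventory and provenance check over an
npm package-lock.json (lockfileVersion 1 layout).  SAMPLE_LOCK and ALLOWED_REGISTRIES
are constructed for illustration."""
import json
from urllib.parse import urlsplit

ALLOWED_REGISTRIES = {"registry.npmjs.org"}   # assumption: set this to your own mirror

SAMPLE_LOCK = json.dumps({
    "name": "shop", "lockfileVersion": 1,
    "dependencies": {
        "left-pad": {"version": "1.3.0",
                     "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
                     "integrity": "sha512-AAAA"},
        "fancy-ui": {"version": "2.0.1",
                     "resolved": "https://registry.npmjs.org/fancy-ui/-/fancy-ui-2.0.1.tgz",
                     "integrity": "sha512-BBBB",
                     "dependencies": {
                         # transitive dependency with no hash, fetched over plain HTTP
                         "helper": {"version": "0.0.3",
                                    "resolved": "http://cdn.example.net/helper-0.0.3.tgz"}}},
        "internal-lib": {"version": "1.0.0",
                         "resolved": "git+ssh://git@github.com/example/internal-lib.git#abc123",
                         "integrity": "sha512-CCCC"},
    },
})


def walk(deps: dict, path: tuple = ()):
    """Yield (name path, entry) for every dependency, nested ones included."""
    for name, entry in deps.items():
        here = path + (name,)
        yield here, entry
        yield from walk(entry.get("dependencies", {}), here)


def inventory(lock_text: str) -> list:
    """Flat list of (path, version): the inventory the takeaway asks for."""
    deps = json.loads(lock_text).get("dependencies", {})
    return [("/".join(p), e.get("version")) for p, e in walk(deps)]


def audit(lock_text: str) -> list:
    """(path, reason) for every entry whose origin or content cannot be verified."""
    findings = []
    for path, entry in walk(json.loads(lock_text).get("dependencies", {})):
        name = "/".join(path)
        resolved = entry.get("resolved", "")
        url = urlsplit(resolved)
        if "integrity" not in entry:
            findings.append((name, "no integrity hash; tarball cannot be verified"))
        if url.scheme != "https":
            findings.append((name, "non-https source: " + resolved))
        elif url.netloc not in ALLOWED_REGISTRIES:
            findings.append((name, "unexpected registry: " + url.netloc))
    return findings
```

`npm ci` already refuses to install a tarball whose hash does not match the lockfile's integrity field, so the findings are precisely the entries where that protection is silently absent or where the source is one nobody vetted.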

Josh Grossman
Senior Information Security Consultant and Team Leader

Tuesday, January 2, 2018

Cyber Updates - 2nd January 2018

Breach at PayPal subsidiary

PayPal disclosed at the start of December that the personal information of 1.6 million individuals may have been exposed when a subsidiary, TIO Networks, which it had acquired in July 2017, was breached. It is not clear whether the breach occurred before or after the acquisition, but TIO's systems had not yet been integrated into PayPal's environment, which was therefore not at risk. TIO had already suspended operations in November 2017.

Key takeaways:

  • Acquisitions can expose a well-controlled technology environment to new and unknown security risks if the acquired company's network is less well controlled.
  • Security due diligence should be part of the pre-acquisition process, and the new environment should be carefully reviewed before it is connected to the main environment (as appears to have happened in this case).

Serious Privilege Escalation bug in macOS

A very serious security flaw was discovered in High Sierra, the latest macOS. If a user tried to authenticate as root (the highest-privileged user) with a blank password in certain dialogs, the first attempt would be refused but would silently enable the root account with a blank password, so the second attempt would succeed and log the user in as root. Apple subsequently released a patch to address this. A detailed technical write-up is here.

Key takeaways:

  • It is important to keep on top of patch management at all levels of the business, including endpoints.
  • All security controls should be considered layers, and it is a worthwhile exercise to consider what would happen if a particular control, e.g. running endpoint users with low privileges, were suddenly disabled or bypassed.

Top Secret data left exposed in Amazon S3 buckets

There were a couple of recent examples of top-secret US Department of Defense material (including an entire virtual machine image) being found in unsecured Amazon S3 (Simple Storage Service) buckets, where anyone on the Internet who discovered the location could download it.

Key takeaways:

  • Use of cloud services is becoming ubiquitous, but each cloud service needs someone skilled in that service to act as its "security administrator" and ensure that errors of this type do not occur.
  • Part of this should be frequent technical audits of the cloud environment to look for security issues and misconfigurations, such as buckets whose ACL or policy grants access to everyone.
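As an added example (not from the original post), this check implements the audit suggested above for the specific misconfiguration behind the story: a bucket whose ACL or bucket policy grants access to everyone. The ACL and policy are constructed in the shape the S3 GetBucketAcl and GetBucketPolicy calls return, so the check runs offline; wiring it to the real API for every bucket in the account is left to the reader.

```python
"""Added example, not from the original post: flag S3 buckets whose ACL or bucket
policy grants access to everyone.  The ACL and policy below are constructed in the
shape the S3 API returns them (GetBucketAcl / GetBucketPolicy); feeding in the real
output for every bucket in the account is left to the caller."""
import json

# The two predefined grantee groups that mean "public" in an S3 ACL.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the Internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_acl_grants(acl: dict) -> list:
    """Grants to the 'everyone' groups in a bucket (or object) ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append("ACL grants %s to %s" % (grant.get("Permission"), PUBLIC_GROUPS[uri]))
    return findings


def public_policy_statements(policy_json: str) -> list:
    """Allow statements addressed to everyone.  A Condition narrows the exposure
    (e.g. to one VPC endpoint) but still deserves a human look, so it is flagged too."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not principal_is_public(st.get("Principal")):
            continue
        note = " (conditional; review the Condition)" if "Condition" in st else ""
        findings.append("policy statement %s allows %s to everyone%s"
                        % (st.get("Sid", "<no Sid>"), st.get("Action"), note))
    return findings


def audit_bucket(name: str, acl: dict, policy_json: str = None) -> list:
    """Return (bucket, finding) pairs; an empty list means nothing public was found."""
    findings = public_acl_grants(acl)
    if policy_json:  # buckets without a policy raise NoSuchBucketPolicy at the API
        findings += public_policy_statements(policy_json)
    return [(name, f) for f in findings]


# Constructed sample data: one bucket left open on both counts, one locked down.
OPEN_ACL = {"Owner": {"ID": "ownerid"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::vm-images/*"},
    {"Sid": "OpsWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::vm-images/*"},
]})
PRIVATE_ACL = {"Owner": {"ID": "ownerid"}, "Grants": [OPEN_ACL["Grants"][0]]}
```

Object ACLs can open individual objects even when the bucket ACL and policy are clean, so a full audit runs the same ACL check over objects as well, and the check is only meaningful if it runs on a schedule rather than once.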

Critical Vulnerability in Keeper password manager

Tavis Ormandy discovered a critical flaw in the Keeper password manager (which was bundled with some Windows 10 installations) that could allow an attacker to obtain passwords stored in the tool. Whilst this was already a bad situation, Keeper made it worse by suing a news organisation that reported on it, thereby guaranteeing itself a flood of negative publicity in the information security world.

Key takeaways:

  • Whilst having a critical vulnerability reported in your software is not ideal, if it is reported responsibly you have effectively received valuable security assistance for free.
  • Be wary of the "Streisand Effect" when responding to any actual or perceived issue.

Bonus link - Empathy in Incident Response

I wanted to include this excellent blog post from Tracy Z. Maleeff (@InfoSecSherpa) as well, as it discusses a very important concept: if the security team wants users to help them and to give early warning when something has happened, users must not feel scared to do so.

Josh Grossman
Senior Information Security Consultant and Team Leader