Cybersecurity News & Commentary - March 2017

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.

March 6, 2017


You Know to Protect Your Data. Does Your Accountant?

It’s tax season and, this year, the Internal Revenue Service (IRS) is staking out an aggressive position against cybercriminals, especially those targeting tax preparers and accountants. The "Protect Your Clients; Protect Yourself" campaign aims to raise awareness among tax professionals and citizens alike about the real possibility, and increasingly diverse range, of electronic tax fraud. In the latest scam, tax professionals are sent an email telling them to address “errors in your security details.” If an unsuspecting accountant responds, he or she is forwarded to a malicious website where they enter a username and password, giving cybercriminals the credentials needed to steal client information. Another multi-phase phishing scam pretends to be from a client asking for help. When the accountant responds, he or she is sent a link and, once it is clicked, the accountant's computer or email account may be breached with a wide range of exploits. This scam has the benefit of flying under the radar, since suspicious users are left alone and only unsuspecting users are compromised.

IISP Analyst Stone Tillotson: “Phishing campaigns like this are never going to go away; they're only the newest twist on age-old confidence schemes. While there are technical approaches to mediate these problems, the best advice is to always be suspicious of a stranger asking for help or offering an unsolicited favor. If you do receive an email that's out of the ordinary, verify the provenance by calling the sender using only the phone number in your own contacts list, not what is included in the message. There is an inherent tension between data confidentiality and availability. Passwords and encryption are no help against an over-eager professional trying to help a client. The best defense is the unglamorous daily grind of vigilance and education from ordinary users, government agencies, and their public partners, emboldened by security professionals to broker in between.”


Cloudbleed a Massive Oops, Not an Attack

Cloudflare, a domain name service and content delivery network (CDN) provider, announced in mid-February that data had been leaking from customer websites hosted on their servers. A vulnerability similar to the Heartbleed browser bug (revealed in 2014) caused HTTP requests to return random chunks of customer data from reverse proxies since September 2016, inspiring the nickname “Cloudbleed.” Due to the distributed nature and randomized selection of the data leaked, there’s no certainty of exactly which customers were affected, though it’s estimated over 5 million websites could be at risk. The investigation is ongoing, but it appears to only be a bug and not malware designed to exploit the vulnerability.

IISP Analyst Joel Odom: “The Cloudflare problem interests me because it makes a good example of how multiple minor issues can cause a major security failure. According to Cloudflare’s excellent explanation of the problem, they are using the Ragel state machine compiler in their development process. The Ragel compiler uses an equality check (==) to detect the end of a buffer, but Cloudflare was misusing Ragel in such a way that the buffer position pointer skipped the memory bound tested by the equality check. If Ragel had used an inequality check (>=) to detect the unexpected possibility of reading past the end of the buffer, the bounds test would have been safer, preventing the data leak. If Cloudflare had not made a mistake in their use of Ragel, the equality check would have worked, preventing the data leak. If Cloudflare had used separate memory for different proxied connections, the leaked data would have been inconsequential. When we write software, we should try to employ security best practices, even if they are minor, because we never know which one will stop a failure chain. Kudos to Cloudflare for publishing an excellent incident report.”
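The failure chain in the commentary above, as an added example that is not Cloudflare's or Ragel's code: a constructed arena holds two connections' bytes back to back (the shared memory link in the chain), and a hypothetical scanner steps two bytes over an escape, so when the escape is the last byte of connection A's slice the cursor lands one past the end. The == bound check never sees that position and the scanner keeps copying connection B's bytes; the >= check stops it. The arena layout, the scanner and the sample data are all assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: one shared arena, as when a proxy parses many
 * connections' data in the same memory. Connection A's request is
 * truncated right after an escape byte; connection B's data follows. */
#define CONN_A "q=1\\"
#define CONN_B "token=SECRET42>"
static const char arena[] = CONN_A CONN_B;
static const size_t conn_a_len = sizeof(CONN_A) - 1;   /* 4 bytes */

/* Copy bytes of [buf, buf+len) into out until a '>' is seen. A backslash
 * escapes the next byte, so the cursor steps by two. With strict == 0 the
 * loop ends only when p == end (the check described above); with
 * strict == 1 it ends once p >= end. Returns the number of bytes written. */
static size_t scan_value(const char *buf, size_t len, int strict,
                         char *out, size_t outcap) {
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    for (;;) {
        if (strict ? (p >= end) : (p == end)) break;
        if (*p == '>') break;
        if (*p == '\\') { p += 2; continue; }   /* jumps over end when the escape is last */
        if (n + 1 < outcap) out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return n;
}

/* Returns 1 if the value parsed for connection A contains connection B's token. */
static int leaks_neighbor(int strict) {
    char out[64];
    scan_value(arena, conn_a_len, strict, out, sizeof out);
    return strstr(out, "SECRET42") != NULL;
}

int main(void) {
    char out[64];
    scan_value(arena, conn_a_len, 0, out, sizeof out);
    printf("== bound check: \"%s\"\n", out);   /* carries B's token */
    scan_value(arena, conn_a_len, 1, out, sizeof out);
    printf(">= bound check: \"%s\"\n", out);   /* stops at A's end */
    return 0;
}
```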

IISP Analyst Holly Dragoo: “What Cloudbleed means, hypothetically speaking, is if I were accessing my banking website and you were accessing your local news site, the potential for you to accidentally see my banking login information or financial data (among your requested data) exists. (Yikes!!!) So far there has been no known personal health, financial or identification data, passwords or encryption key disclosure. Due to the severity of the vulnerability, however, it’s not safe to assume all is ok, especially since some of the leaked data has been cached by search engines, making leaked data potentially retrievable. Change your passwords for everything.”


State of Malware (Bytes)

Malwarebytes released an infographic summarizing the state of malware from June to November of 2016, covering 100 million Windows and Android devices and spanning 200+ countries. The coverage focuses on six threats: ransomware, ad fraud, Android malware, botnets, banking trojans, and adware. To summarize the summary, they see an increase in ransomware — particularly targeting enterprise networks; find ad fraud concentrated in the US, and large increases of botnet activity in Europe and Asia.

IISP Analyst Yacin Nadji: “Another year, another state of malware report – this time in an easy to digest infographic. While light on information, some of the takeaways are interesting. First, 12.3% of enterprise malware detections are of ransomware, compared to only 1.8% for consumers. This seems surprising, but given that enterprises are more likely to have money and sensitive data (read: customer and financial records), I expect they are far more likely to pay out. Always keep backups of important data! Second, ad abuse is a serious problem amounting to hundreds of millions of dollars in damages, but the concentration in the United States seems surprising. My guess is there's simply more money to be siphoned off. Finally, the rise of previously disabled botnets suggests that taking them down without arresting the perpetrators simply doesn't work. In almost every case, the cyber criminals wait until things die down, then restart operations when no one is looking their way.”


Attack Defeats Memory Protection on Pretty Much Everything

Researchers from VU Amsterdam have demonstrated a timing attack that defeats a common security measure in modern microcomputer architectures: address space layout randomization (ASLR). ASLR is a technique to randomize the memory layout of a computer program so that flaws in the program's memory management are difficult to exploit. Unlike most attacks, which exploit a software or firmware vulnerability, what VU Amsterdam found exploits the physical hardware, affecting processors produced by technology giants such as Intel, Samsung, AMD, and Nvidia currently inside millions of products. The attack, which the researchers call the “AnC Attack,” exploits timing data leaked by memory management units on all of the computers they tested. The flaw stems from the fundamental design of modern architectures, and is exploitable from JavaScript running on untrusted web pages.

IISP Analyst Chris M. Roberts: “As stated in the article, these findings indicate that an entire class of exploits, which were deemed ineffective due to ASLR, must once again be treated as higher levels of threat. The problem lies in the fact that JavaScript code running on a website can write to that cache and monitor how quickly the memory management unit is working. ‘By monitoring the MMU very closely, the JavaScript can find out about its own addresses, which it’s not supposed to do,’ Gras of VUSec says. While software changes may be able to deter these types of attacks, they cannot be guaranteed to completely mitigate them. A full fix will ultimately require replacing hardware with new architectures that prevent this key information from being leaked out of the processor’s cache. Chip manufacturers are predictably downplaying the implications of these findings, and the role their processor architectures play in them. Manufacturing chipsets is prohibitively expensive, with years of research, testing, and fabrication required to produce a commercial-grade component, let alone one implementing what may be a radical architecture change. VUSec is an excellent example of how a well-designed system can still leak critical information through side-channels. While collecting data and making sense of that information is often challenging, once that process is defined and refined, execution is often reduced to relatively simple code which can be easily deployed; in this case, JavaScript running in a browser.”

IISP Analyst Joel Odom: “This story should be of interest to technical Source Port readers, but it also is a good example of why security is hard and how security fails in unexpected ways. When I shared this news with a colleague, he remarked, ‘[the attack] demonstrates how security is hard. Mitigations must be seriously contemplated to be effective, and even when they are, the complexity of microprocessors deceives our understanding.’ Exactly.”



Hijacking Celebrity Tweets Made Easy

A simple trick discussed by Belgian security researcher Inti De Ceukelaire shows how to "hijack" tweets without taking over the account. The trick works by abusing domains. Essentially, you find a tweet that contains a URL whose domain name has expired. By registering this domain, you can now alter what was linked in the original tweet. A simple trick, but one that seems widespread enough to provoke some laughs. Of the top 1000 Twitter accounts, he discovered 109 domains available for registration.

IISP Analyst Yacin Nadji: “The hijacks described in the article center around an issue our lab has investigated in detail: a domain's residual trust. Domains expire every day, but anyone can register these and maintain whatever reputation the previous domain and its owner had. For example, we identified cases of malware authors re-registering expired, benign domains to fool blacklists and reputation systems. This may seem to be an isolated case, but the problem is deeper than that. For example, if a bank closes, should its domain be carelessly tossed back into the domain pool to be abused by a financial fraudster? We don't think so, and our paper demonstrates how to find these re-registrations at scale. We also suggest that domains belonging to critical infrastructure such as finance, government, and utilities not return to the general pool after expiration, to prevent future instances of residual trust abuse.”


R.I.P. SHA-1

It took almost 7,000 computer-years of work to complete the calculations, but Google has succeeded in finding the first SHA-1 collision, meaning that a once invincible algorithm used as a cryptography standard by the National Security Agency is no longer secure. One of the security requirements of a cryptographic hash function is that it should be practically impossible to find two inputs that yield the same output. Starting with a theoretical technique published in 2013, Google was able to apply their vast computing resources to turn the theoretical weakness into an actual collision. Cryptographers consider a hash function completely broken once a collision is found.

IISP Analyst Joel Odom: “When we consider whether or not a vulnerability is a real-world concern, economics comes into play. As the cost of an attack exceeds the benefit of success, the vulnerability becomes less of a real-world concern. The computing cost of this attack was enormous, so the real-world concern to most people is currently minimal, but computing power only gets cheaper and attacks only get better. There is a timeline (including some good commentary) at that shows how popular hash functions started strong, but weakened until their eventual death. When you design a system that uses cryptography, it is important to design it in such a way that you can update all of the primitives over time, including the hash functions.”


Is an Encrypted Phone Good Enough?

Cellebrite, an Israeli security company rumored to have helped the FBI decrypt the phones of suspected terrorists in San Bernardino, was itself the victim of a massive data breach, and now the stolen data is circulating online. Included in the 900 GB of data exfiltrated were customer records and databases, but most ominously extensive, if not complete, data on their highly successful line of forensic tools for mobile phone investigations. As reported by Motherboard, the data dump provided by the hacker appears to be legitimate, with at least the leaked user accounts appearing to be genuine when verified against the Cellebrite website. The release of Cellebrite's forensic hacking tools is troubling to say the least. With the information and code that was stolen, any party in possession would have access to a wide variety of polished and functional exploits for mobile devices that were previously considered secure.

IISP Analyst Stone Tillotson: “Dennis Hughes, first chief of the FBI's computer investigations unit, was once noted to say, ‘The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one.’ The only question is... can you get reception 20 feet down? Connected devices are now near ubiquitous, and the Cellebrite hack represents only the most recent episode in the now near-militarized field of mobile device forensics. Hacks like this, and a similar hack of the Gamma Group in 2014, place governments, companies, and regular people in the firing line. While having access to circumvention tools may feel comforting to law enforcement, breaches like this that empower adversaries and criminals make the case for reliable, strong security, even if it hampers investigations. That realization -- that circumvention approaches would be leaked -- was what ultimately sunk the mid-1990s NSA-designed Clipper Chip, and this analyst believes it's time for a replay of that conversation in the public discourse.”