The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.
March 6, 2017
You Know to Protect Your Data. Does Your Accountant?
It’s tax season and, this year, the Internal Revenue Service (IRS) is staking out an aggressive position against cybercriminals, especially those targeting tax preparers and accountants. The “Protect Your Clients; Protect Yourself” campaign aims to raise awareness among tax professionals and citizens alike of the real possibility, and increasingly diverse range, of electronic tax fraud. In the latest scam, tax professionals are sent an email telling them to address “errors in your security details.” If an unsuspecting accountant responds, he or she is forwarded to a malicious website and asked to enter a username and password, giving cybercriminals the credentials needed to steal client information. Another multi-phase phishing scam pretends to be from a client asking for help. When the accountant responds, he or she is sent a link and, once it is clicked, the accountant's computer or email account may be breached by a wide range of exploits. This scam has the benefit of flying under the radar, since suspicious users are left alone and only unsuspecting users are compromised.
- IRS Security Alert (Feb. 17): https://www.irs.gov/uac/newsroom/security-summit-alert-tax-professionals-warned-of-new-scam-to-unlock-their-tax-software-accounts
- IRS Security Alert (Jan. 11): https://www.irs.gov/uac/newsroom/security-summit-alert-new-two-stage-email-scheme-targets-tax-professionals
- "Protect Your Clients, Protect Yourself" Campaign: https://www.irs.gov/
IISP Analyst Stone Tillotson: “Phishing campaigns like this are never going to go away; they're only the newest twist on age-old confidence schemes. While there are technical approaches to mediate these problems, the best advice is to always be suspicious of a stranger asking for help or offering an unsolicited favor. If you do receive an email that's out of the ordinary, verify the provenance by calling the sender using only the phone number in your own contacts list, not what is included in the message. There is an inherent tension between data confidentiality and availability. Passwords and encryption are no help against an over-eager professional trying to help a client. The best defense is the unglamorous daily grind of vigilance and education from ordinary users, government agencies, and their public partners, emboldened by security professionals to broker in between.”
Cloudbleed a Massive Oops, Not an Attack
Cloudflare, a domain name service and content delivery network (CDN) provider, announced in mid-February that data had been leaking from customer websites hosted on their servers. A vulnerability similar to the Heartbleed browser bug (revealed in 2014) caused HTTP requests to return random chunks of customer data from reverse proxies since September 2016, inspiring the nickname “Cloudbleed.” Due to the distributed nature and randomized selection of the data leaked, there’s no certainty of exactly which customers were affected, though it’s estimated over 5 million websites could be at risk. The investigation is ongoing, but it appears to only be a bug and not malware designed to exploit the vulnerability.
- TechCrunch: https://techcrunch.com/2017/03/01/cloudbleed-investigation-turns-up-a-million-leaks-but-no-signs-of-exploitation/
- Dark Reading: http://www.darkreading.com/attacks-breaches/cloudflare-leaked-web-customer-data-for-months/d/d-id/1328266
- Cloudflare Blog: https://blog.cloudflare.com/quantifying-the-impact-of-cloudbleed/#skip
- Cloudflare Incident Report: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
IISP Analyst Joel Odom: “The Cloudflare problem interests me because it makes a good example of how multiple minor issues can cause a major security failure. According to Cloudflare’s excellent explanation of the problem, they are using the Ragel state machine compiler in their development process. The Ragel compiler uses an equality check (==) to detect the end of a buffer, but Cloudflare was misusing Ragel in such a way that the buffer position pointer skipped the memory bound tested by the equality check. If Ragel had used an inequality check (>=) to detect the unexpected possibility of reading past the end of the buffer, the bounds test would have been safer, preventing the data leak. If Cloudflare had not made a mistake in their use of Ragel, the equality check would have worked, preventing the data leak. If Cloudflare had used separate memory for different proxied connections, the leaked data would have been inconsequential. When we write software, we should try to employ security best practices, even if they are minor, because we never know which one will stop a failure chain. Kudos to Cloudflare for publishing an excellent incident report.”
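The failure chain Odom describes can be reproduced in a few lines. What follows is an added illustration written for this page, not Cloudflare's or Ragel's code: a hand-written scanner that looks for a closing `>` and, like the misused generated parser, sometimes advances its cursor by two bytes, so it can step over the end of its input. With an `==` test against the end pointer, a cursor that has already jumped past `end` never trips the stop condition and the scan continues into whatever bytes follow; with `>=` it stops. The bytes standing in for another connection's data are placed in the same array only so that the demonstration stays within defined behaviour; in a real process they would be whatever happened to sit after the buffer. All input strings are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Scan buf[0..len) for the first '>' and return its offset.
 * A backslash escapes the byte after it, so the cursor sometimes
 * advances by two and can step over the end of the input.
 * Returns len when the input is exhausted without finding '>'.
 *
 * strict == 0 : stop only when p == end (the check described for the
 *               generated parser; defeated once p has jumped past end)
 * strict != 0 : stop when p >= end (catches the overshoot)
 */
static size_t scan_to_close(const char *buf, size_t len, int strict)
{
    const char *p = buf;
    const char *end = buf + len;

    for (;;) {
        int exhausted = strict ? (p >= end) : (p == end);
        if (exhausted)
            return len;
        if (*p == '>')
            return (size_t)(p - buf);
        p += (*p == '\\') ? 2 : 1;   /* an escape consumes two bytes */
    }
}

/* How many bytes past the caller's buffer a scan result points. */
static size_t bytes_overread(size_t result, size_t len)
{
    return result > len ? result - len : 0;
}

/*
 * Constructed sample memory. The first REQ_LEN bytes are one request
 * (ending in a dangling escape); what follows stands in for another
 * connection's data living next to it in a shared buffer.
 */
#define REQ_LEN 6
static const char backing[] = "<a b=\\" "key=s3cr3t>";

int main(void)
{
    size_t lax  = scan_to_close(backing, REQ_LEN, 0);
    size_t safe = scan_to_close(backing, REQ_LEN, 1);

    printf("== check : stopped at offset %zu, %zu bytes past the request\n",
           lax, bytes_overread(lax, REQ_LEN));
    if (bytes_overread(lax, REQ_LEN) > 0)
        printf("           bytes walked outside the request: %.*s\n",
               (int)(lax - REQ_LEN), backing + REQ_LEN);

    printf(">= check : stopped at offset %zu, %zu bytes past the request\n",
           safe, bytes_overread(safe, REQ_LEN));
    return 0;
}
```

Built with any C compiler, the `==` run reports stopping at offset 16 after walking 10 bytes of the neighbouring data, while the `>=` run stops at 6, the request length. Each of the other two links Odom lists would also have broken the chain on its own: a parser that never advanced the cursor past `end`, or a memory layout in which nothing belonging to another connection sat beyond the buffer.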
IISP Analyst Holly Dragoo: “What Cloudbleed means, hypothetically speaking, is if I were accessing my banking website and you were accessing your local news site, the potential for you to accidentally see my banking login information or financial data (among your requested data) exists. (Yikes!!!) So far there has been no known personal health, financial or identification data, passwords or encryption key disclosure. Due to the severity of the vulnerability, however, it’s not safe to assume all is ok, especially since some of the leaked data has been cached by search engines, making leaked data potentially retrievable. Change your passwords for everything.”
State of Malware (Bytes)
Malwarebytes released an infographic summarizing the state of malware from June to November of 2016, covering 100 million Windows and Android devices and spanning 200+ countries. The coverage focuses on six threats: ransomware, ad fraud, Android malware, botnets, banking trojans, and adware. To summarize the summary, they see an increase in ransomware, particularly targeting enterprise networks; ad fraud concentrated in the US; and large increases in botnet activity in Europe and Asia.
- Malwarebytes: https://www.malwarebytes.com/pdf/infographics/stateofmalwareinfographic.pdf
- Georgia Tech research paper: “Financial Lower Bounds of Online Advertising Abuse”: http://www.cc.gatech.edu/~ynadji3/docs/pubs/dimva16-sinkanalysis.pdf
- Georgia Tech research paper: “Beheading Hydras: Performing Effective Botnet Takedowns”: http://www.cc.gatech.edu/~ynadji3/docs/pubs/rza-ccs2013.pdf
IISP Analyst Yacin Nadji: “Another year, another state of malware report – this time in an easy to digest infographic. While light on information, some of the takeaways are interesting. First, 12.3% of enterprise malware detections are of ransomware, compared to only 1.8% for consumers. This seems surprising, but given that enterprises are more likely to have money and sensitive data (read: customer and financial records), I expect they are far more likely to pay out. Always keep backups of important data! Second, ad abuse is a serious problem amounting to hundreds of millions of dollars in damages, but the concentration in the United States seems surprising. My guess is there's simply more money to be siphoned off. Finally, the rise of previously disabled botnets suggests that taking them down without arresting the perpetrators simply doesn't work. In almost every case, the cyber criminals wait until things die down, then restart operations when no one is looking their way.”
Attack Defeats Memory Protection on Pretty Much Everything
- VUSec: https://www.vusec.net/projects/anc/
- Wired: https://www.wired.com/2017/02/flaw-millions-chips-strips-away-key-hacking-defense-software-cant-fully-fix/
IISP Analyst Joel Odom: “This story should be of interest to technical Source Port readers, but it also is a good example of why security is hard and how security fails in unexpected ways. When I shared this news with a colleague, he remarked, ‘[the attack] demonstrates how security is hard. Mitigations must be seriously contemplated to be effective, and even when they are, the complexity of microprocessors deceives our understanding.’ Exactly.”
Hijacking Celebrity Tweets Made Easy
A simple trick discussed by Belgian security researcher Inti De Ceukelaire shows how to "hijack" tweets without taking over the account. The trick works by abusing domains. Essentially, you find a tweet that contains a URL whose domain name has expired. By registering this domain, you can now alter what was linked in the original tweet. A simple trick, but one that seems widespread enough to provoke some laughs. Of the top 1000 Twitter accounts, he discovered 109 domains available for registration.
- Hacker Noon: https://hackernoon.com/how-i-hijacked-top-celebrities-tweets-including-katy-perry-shakira-fca3a0e751c6#.zgdfwamlq
- Georgia Tech research paper: “Domain Z: 28 Registrations Later”: http://www.cc.gatech.edu/~ynadji3/docs/pubs/domain-z-2016.pdf
IISP Analyst Yacin Nadji: “The hijacks described in the article center around an issue our lab has investigated in detail and centers around a domain's residual trust. Domains expire every day, but anyone can register these and maintain whatever reputation the previous domain and its owner had. For example, we identified cases of malware authors re-registering expired, benign domains to fool blacklists and reputation systems. This may seem to be an isolated case, but the problem is deeper than that. For example, if a bank closes, should its domain be carelessly tossed back into the domain pool to be abused by a financial fraudster? We don't think so and our paper demonstrates how to find these re-registrations at scale. We also suggest that domains belonging to critical infrastructure such as finance, government, and utilities not return to the general pool after expiration to prevent future instances of residual trust abuse.”
It took almost 7,000 computer-years of work to complete the calculations, but Google has succeeded in finding the first SHA-1 collision, meaning that a once invincible algorithm used as a cryptography standard by the National Security Agency is no longer secure. One of the security requirements of a cryptographic hash function is that it should be practically impossible to find two inputs that yield the same output. Starting with a theoretical technique published in 2013, Google was able to apply its vast computing resources to turn the theoretical weakness into an actual collision. Cryptographers consider a hash function completely broken once a collision is found.
- Google Security Blog: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
- Shattered: https://shattered.io
IISP Analyst Joel Odom: “When we consider whether or not a vulnerability is a real-world concern, economics comes into play. As the cost of an attack exceeds the benefit of success, the vulnerability becomes less of a real-world concern. The computing cost of this attack was enormous, so the real-world concern to most people is currently minimal, but computing power only gets cheaper and attacks only get better. There is a timeline (including some good commentary) at http://valerieaurora.org/hash.html that shows how popular hash functions started strong, but weakened until their eventual death. When you design a system that uses cryptography, it is important to design it in such a way that you can update all of the primitives over time, including the hash functions.”
Is an Encrypted Phone Good Enough?
Cellebrite, an Israeli security company rumored to have helped the FBI decrypt the phones of suspected terrorists in San Bernardino, was itself the victim of a massive data breach, and now the stolen data is circulating online. Included in the 900 GB of data exfiltrated were customer records and databases, but, most ominously, extensive, if not complete, data on their highly successful line of forensic tools for mobile phone investigations. As reported by Motherboard, the hacker who provided the data dump appears to be legitimate, with at least the leaked user accounts appearing to be genuine when verified against the Cellebrite website. The release of Cellebrite's forensic hacking tools is troubling to say the least. With the information and code that was stolen, any parties in possession would have access to a wide variety of polished and functional exploits for mobile devices that were previously considered secure.
- Motherboard (re: public data dump): https://motherboard.vice.com/en_us/article/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite
- Motherboard (re: original theft): https://motherboard.vice.com/en_us/article/hacker-steals-900-gb-of-cellebrite-data
- Cellebrite news release: http://www.cellebrite.com/Mobile-Forensics/News-Events/Press-Releases/cellebrite-statement-on-information-security-breach
IISP Analyst Stone Tillotson: “Dennis Hughes, first chief of the FBI's computer investigations unit, was once noted to say, ‘The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one.’ The only question is... can you get reception 20 feet down? Connected devices are now near ubiquitous, and the Cellebrite hack represents only the most recent episode in the now near-militarized field of mobile device forensics. Hacks like this, and a similar hack of the Gamma Group in 2014, place governments, companies, and regular people in the firing line. While having access to circumvention tools may feel comforting to law enforcement, breaches like this that empower adversaries and criminals make the case for reliable, strong security, even if it hampers investigations. That realization -- that circumvention approaches would be leaked -- was what ultimately sank the mid-1990s NSA-designed Clipper Chip, and this analyst believes it's time for a replay of that conversation in the public discourse.”