« April 2015 | Main | June 2015 »

May 2015

Wednesday, 27 May 2015

Top 5 #InfoSec Reads: May 19-26

Imperfect Forward Secrecy, DDoS made simple, Richard Stallman takes issue with abusive developers, malware spikes during holidays and a US Freedom Act smackdown are this week's Top 5 #InfoSec reads.

Logjam is latest security flaw to affect secure communication protocols

Vulnerability investigators and exploit kit developers are exposing critical flaws in secure communications protocols at an alarming rate  in 2015. GHOST, JASBUG, FREAK, and VENOM all reveal flaws in protocols that employ TLS. Weakdh.org has identified yet another vulnerability, Logjam, which takes advantage of weaknesses in Diffie-Hellman key exchange implementations. These force a downgrade of negotiated encryption to 512-bit export grade, which can be defeated in a man-in-the-middle attack to allow passive eavesdropping. The investigators suggest that such MITMs could be used to support state actor surveillance as well as criminal activities. A detailed report,  Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice is available from weakdh.org.

Storm Kit - Changing the rules of the DDoS attack

Distributed denial of service (DDoS) attack kits have until recently provided administrative "consoles" to manage the potentially very large numbers of infected ("botted") computers that generated the attack traffic. Storm Kit provides an even simpler management experience for DDoS attackers, allowing them to launch DDoS attacks with very high volume from a smaller (manageable) set of compromised servers or rented virtual private servers (VPS). Storm kit supports volumetric and resource depletion attacks including SYN/UDP/HTTP flood, DNS or NTP amplification.

Malware isn't only about viruses: companies preinstall it all the time

Richard Stallman is exorcised over the widespread abuse he sees in software that embeds functionality that does not benefit users but exposes them to disclosure of personal information without notice or consent or otherwise mistreats users. I agree with Richard but I'd prefer that we refer to this 'ware as abuseware so that we can at least attempt to distinguish criminal activity from infuriating-close-to-criminal activity. I also love Richard's missive to us all:

"We can resist:

"Individually, by rejecting proprietary software and web services
that snoop or track.

"Collectively, by organising to develop free/libre replacement systems and web services that don’t track who uses them.

"Democratically, by legislation to criminalise various sorts of malware practices. This presupposes democracy, and democracy requires defeating treaties such as the TPP and TTIP that give companies the power to suppress democracy."

Malware infections spike on Memorial Day in DC

DcmalwareMalware infections increased nearly 51% on Memorial Day in Washington, DC.  As this graphic from Federal Times illustrates, this statistic is an outlier among the already dramatic uptick in infection rates on US holidays in general. Enigma Software bases these findings using infections detected by their consumer security suite software, which is not used in government systems.  A lesson from this report? Relax during your holiday time off but remain diligent to avoid being phished or infected. 

 

Senate votes down USA Freedom Act, putting bulk surveillance powers in jeopardy

The US Senate voted down USA Freedom Act. Barring (un)heroic efforts by supporters like Mitch McConnell, it is likely that many Patriot Act powers will automatically expire on June 1. How unpopular had the US Freedom Act become? Imagine any other issue where the American Civil Liberties Union (ACLU) and the Tea Party Patriots would cooperate to create a TV advertisement, warning Americans, They've gone too far!

   

Posted at 11:17 AM in Music, Top Infosec Reads | | Comments (0)

Wednesday, 20 May 2015

Top 5 #InfoSec Reads: May 12-18

Magic hashes, browser injection and "rich text" malware (Word Intruder), a USA Freedom Act that disappoints the Electronic Frontier Foundation, and Barclays to abandon dot com domains are this week's Top 5 #InfoSec reads.

Magic hashes  
(Or "why PHP developers should be using triple equals “===”) 

This WhiteHat Security's Robert Hansen describes how the use of the PHP equals-equals operator exposes web sites where password hashes are used to attack. Hansen explains that  password hashes in PHP are base16 encoded and thus begin with "0e" which causes the PHP equals-equals operator to interpret the entire string as a float not a string. Hansen then illustrates cases where “magic” strings are substantially more likely to evaluate to true when hashed given a completely random hash... and substantially more likely to evaluate to true when compared with a database of hashes, even if they don’t actually match and then demonstrates a practical attack based on the behavior of the operator. Hansen recommends using triple-equals "===" to mitigate this threat. WhiteHat offers a free check (with a trial account) but also points out that this vulnerability is easily identified using static code analysis. 

Exposing Rombertik - Turning the Tables on Evasive Malware

Rombertik is typically distributed via phishing email attachments. If executed, the malware compromises the local machine and the installed dropper downloads executables that inject hooks into Chrome, Firefox or Internet Explorer. The the browser injection code steals data that users submit through their browser. Rombertick is a great example of the myriad of ways malware writers incorporate obfuscation techniques into their malicious code. This Lastline Labs post and a complementing post at Cisco Blogs explain the obfuscation and evasion techniques including stalling code. These two blog posts are very instructional reads if you want to understand complex malware.

Because there's never enough malware and the attack vectors are seemingly boundless and the payoff prospects remain lucrative, we leave browser injection and move on to document based malware.  Or more correctly, a malware construction kit. This Sophos Naked Security post describes Microsoft Word Intruder (MWI), a kit with allegedly Russian origins that makes child's play of malware creation.  MWI has several interesting features: it's easy to use. It generates rich text format documents that exploit MS Word vulnerabilities that attackers can use to create both droppers (initial infecting code) and downloaders. And it has a  tracking feature (MWISTAT) which allows attackers to embed an unique URL for each generated RTF document. MWI has been used to distribute ZeuS banking trojans and Cryptolocker ransomware. Yet another reason to exercise care when opening attachments.

House Passes USA FREEDOM Act to Curb NSA Spying

The US House of Representatives passed H.R. 3361 which limits the scope of the surveillance by US agencies in several ways. The act sets a new process for FBI applications to the FISA Court that limit the scope of requests to tangible things identified by a specific selection term (simply, you can't ask for everything about everyone or everything, including call detail records). It also requires specific selection terms for pen registers and trap and trace and takes steps to reform FISA acquisitions targeting persons (located in or outside the US), similarly amends the National Security Letter to require specific selection term, and imposes transparency and reporting obligations onto the FISA court. Lastly, it aligns the sunset of the Patriot Act with the new provisions. While many are happy with the incremental "freedoms" restored, the EFF withdrew its support for the Act, asking Congress to strengthen its proposed reform of Section 215 asserting in its Op-Ed that "Congress must do more to rein in dragnet surveillance by the NSA" and urges Congress "to roll the draft back to the stronger and meaningful reforms included in the 2013 version of USA Freedom, which would acknowledge the Second Circuit’s opinion on the limits of Section 215 of the Patriot Act. 

Barclays confirms move away from .com to new gTLD

Barclays became the first financial institution to announce that it will abandon its domains in dot com and country code top level domains (TLDs) and will instead use its own: barclays and barclaycard. Non-transactional parts of Barclays have begun using the new TLDs. This is akin to saying, "Let the new games begin!", games of course meaning, criminals versus the financials. Barclays has played the opening gambit, and security practitioners will be keen to track how criminals respond: how will the threat landscape change? Will this migration mitigate phishing, redirection, bank domain or URL hijacking or other attacks directed at financials? Turn: criminals. Game clock is ticking. 

Posted at 09:24 AM in Top Infosec Reads | | Comments (0)

Next »
Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories