Top Infosec Reads

Top 5 #InfoSec Reads: May 12-18

Magic hashes, browser injection and "rich text" malware (Word Intruder), a USA Freedom Act that disappoints the Electronic Frontier Foundation, and Barclays to abandon dot com domains are this week's Top 5 #InfoSec reads.

Magic hashes  
(Or "why PHP developers should be using triple equals “===”) 

This WhiteHat Security's Robert Hansen describes how the use of the PHP equals-equals operator exposes web sites where password hashes are used to attack. Hansen explains that  password hashes in PHP are base16 encoded and thus begin with "0e" which causes the PHP equals-equals operator to interpret the entire string as a float not a string. Hansen then illustrates cases where “magic” strings are substantially more likely to evaluate to true when hashed given a completely random hash... and substantially more likely to evaluate to true when compared with a database of hashes, even if they don’t actually match and then demonstrates a practical attack based on the behavior of the operator. Hansen recommends using triple-equals "===" to mitigate this threat. WhiteHat offers a free check (with a trial account) but also points out that this vulnerability is easily identified using static code analysis. 

Exposing Rombertik - Turning the Tables on Evasive Malware

Rombertik is typically distributed via phishing email attachments. If executed, the malware compromises the local machine and the installed dropper downloads executables that inject hooks into Chrome, Firefox or Internet Explorer. The the browser injection code steals data that users submit through their browser. Rombertick is a great example of the myriad of ways malware writers incorporate obfuscation techniques into their malicious code. This Lastline Labs post and a complementing post at Cisco Blogs explain the obfuscation and evasion techniques including stalling code. These two blog posts are very instructional reads if you want to understand complex malware.

Because there's never enough malware and the attack vectors are seemingly boundless and the payoff prospects remain lucrative, we leave browser injection and move on to document based malware.  Or more correctly, a malware construction kit. This Sophos Naked Security post describes Microsoft Word Intruder (MWI), a kit with allegedly Russian origins that makes child's play of malware creation.  MWI has several interesting features: it's easy to use. It generates rich text format documents that exploit MS Word vulnerabilities that attackers can use to create both droppers (initial infecting code) and downloaders. And it has a  tracking feature (MWISTAT) which allows attackers to embed an unique URL for each generated RTF document. MWI has been used to distribute ZeuS banking trojans and Cryptolocker ransomware. Yet another reason to exercise care when opening attachments.

House Passes USA FREEDOM Act to Curb NSA Spying

The US House of Representatives passed H.R. 3361 which limits the scope of the surveillance by US agencies in several ways. The act sets a new process for FBI applications to the FISA Court that limit the scope of requests to tangible things identified by a specific selection term (simply, you can't ask for everything about everyone or everything, including call detail records). It also requires specific selection terms for pen registers and trap and trace and takes steps to reform FISA acquisitions targeting persons (located in or outside the US), similarly amends the National Security Letter to require specific selection term, and imposes transparency and reporting obligations onto the FISA court. Lastly, it aligns the sunset of the Patriot Act with the new provisions. While many are happy with the incremental "freedoms" restored, the EFF withdrew its support for the Act, asking Congress to strengthen its proposed reform of Section 215 asserting in its Op-Ed that "Congress must do more to rein in dragnet surveillance by the NSA" and urges Congress "to roll the draft back to the stronger and meaningful reforms included in the 2013 version of USA Freedom, which would acknowledge the Second Circuit’s opinion on the limits of Section 215 of the Patriot Act. 

Barclays confirms move away from .com to new gTLD

Barclays became the first financial institution to announce that it will abandon its domains in dot com and country code top level domains (TLDs) and will instead use its own: barclays and barclaycard. Non-transactional parts of Barclays have begun using the new TLDs. This is akin to saying, "Let the new games begin!", games of course meaning, criminals versus the financials. Barclays has played the opening gambit, and security practitioners will be keen to track how criminals respond: how will the threat landscape change? Will this migration mitigate phishing, redirection, bank domain or URL hijacking or other attacks directed at financials? Turn: criminals. Game clock is ticking. 

Top 5 #InfoSec Reads: May 4 - 11

Linux defect fixing, a tool that helps criminals erase evidence, a new ransomware, DropBox follows Twitter to Ireland, and a poster child for effective security legislation are this weeks top #infosec reads.

8 Linux security improvements in 8 years

Since 2007, developers have made considerable efforts to mitigate vulnerabilities in the Linux OS. Based on an Information Week review of the defect-fixing record of Linux, commercial and open source code, the effort has delivered exceptional results. Information Week reports that, "where one defect per 1,000 lines of code is considered quality, Linux in July 2014 had .55 defects per 1,000 lines. Linux also is better than most other open source projects." Much of this accomplishment can be attributed to static analysis verification, and since 2013 fixes to identified defects have accumulated faster than the number unfixed defects. There's a lesson here for commercial software and the open source community.

USBKill used to wipe clean criminal’s PCs

Criminals can now use a simple script to wipe incriminating data from their computers before they are seized to prevent law enforcement agents from conducting forensic investigations on their hard drives. The script, USBKill, thwarts a common practice of  investigators use when they discover a computer during a search and seizure: agents often insert a mouse jiggler or similar device to prevent a possibly encrypted system from logging off or shutting down. USB kill detect changes in USB ports status and immediately shuts the seized computer down. 

AlphaCrypt ransomware looks like TeslaCrypt, behaves like Cryptowall 3.0 

Ransomware is malware that installs on your computer, secretly encrypts your data, then pops up a window that threatens to destroy your data forever if you do not pay the ransom. AlphaCrypt is a recent variant that uses threat notifications like its predecessor TeslaCrypt and employs an encryption (recovery) key technique like Cryptowall 3.0 but defeats shadow volume measures and executes more stealthily. This malware is delivered as a Flash exploit and has frustrated AV detection until only recently. 

Accounts of Dropbox users living outside of NA now hosted in Ireland

First Twitter and now Dropbox have moved accounts of users who do not reside in North America to their facilities in Ireland. Why? Data stored in Ireland is not subject to the NSA court requests for data. If you're an American, Canadian or Mexican citizen, you can't opt in to the Ireland hosting. The Patriot Act is arguably the first domino in the path that's led us to this unhappy juncture, where we cannot honestly call America the Land of the Free.

Spam drops dramatically as Canada's Anti-Spam Legislation takes effect

US Congress should read Canada's Anti-Spam Legislation (CASL) and treat it as a promising model for effective cyber legislation. According to Cloudmark, spam originating from Canada has dropped 37% since CASL took effect, and the monthly volume of email in Canada has dropped 29%. Cloudmark speculates that this latter figure may be marketing email that does not satisfy the CASL's affirmative consent criterion.