Duqu – Stuxnet part 2?

Duqu malware is making waves in the security world at the moment. It is an attack that uses a zero-day to exploit a vulnerability in the Windows kernel; more specifically, it targets the Win32k TrueType font parsing engine. The reason it’s big news is that it’s a highly sophisticated attack on specific organisations that steals digital certificates, keystrokes, and other system information. While the specific organisations that have been targeted haven’t been made public, they all dealt with highly sensitive things such as industrial control systems. The infection usually began with a .doc dropper file that was emailed and socially engineered to be something that the targeted user would open.

So security experts have begun to conjecture that Duqu was developed and executed by the same people responsible for Stuxnet, the reason being that the two share a lot in common. They both exploited zero-days relating to the Windows kernel, both are signed using stolen certificates, and both have been highly sophisticated attacks directed at specific organisations. Not only does the profile of the attack match Stuxnet, but so does the source code. Where Stuxnet and Duqu start to differ is that Stuxnet was created to act autonomously while Duqu is reliant on command and control servers. Stuxnet targeted industrial machines while Duqu is attacking computer systems.

There are many features that add to Duqu’s sophisticated nature and raise it above the level of ordinary malware. One is that it’s able to communicate through Server Message Block (SMB), the protocol that allows networked resources to interact. This allowed Duqu to infect systems that weren’t connected to the internet but were on a network with devices that were. On top of that, it was able to receive and transmit messages from the C&C server by relaying the data through a computer connected to the internet and then over SMB to the device on the network that didn’t have internet access. Even the C&C servers themselves show a high level of dedication, because a unique C&C server was used for each individual attack. So far only two have been discovered, one in India and one in Belgium. To avoid detection on infected systems it uses 54×54 jpeg files as containers to store stolen data; this way the network traffic wouldn’t show important data moving around, just jpeg files. After 30 days of running on the system Duqu deletes itself, hiding any way of detecting that it had been there.

So what I think is most likely is that Duqu was created and used by the same people who did Stuxnet, and due to the level of sophistication and scale it was most likely a state actor, the state actor probably being a collaboration between the USA and Israel. As of right now Microsoft still hasn’t fixed the vulnerability that allows it. For most users this isn’t that big of a deal, because the exact method of the zero-day isn’t known, so Duqu is the only one using it. So unless you happen to be part of a large organization, the threat and danger from Duqu is minimal.

Further reading:
http://www.informationweek.com/news/security/vulnerabilities/231902121
http://www.theregister.co.uk/2011/11/11/duqu_analysis/
http://en.wikipedia.org/wiki/Duqu

New WordPress security vulnerability through Timthumb

WordPress is a very popular blogging tool that’s used by 14.7% of Alexa’s top 1 million web pages, and it’s of course the same tool we use to write these posts on. Because of its widespread use and popularity, it finds itself coming under attack pretty frequently.

One of the more recent attacks on it exploits the PHP script Timthumb, a tool for image cropping and resizing. The attack works by mimicking a GIF image using fake header data. This confuses intrusion detection and prevention systems by making them think it’s an image file and thus ignore it. In reality, though, it’s a zip carrying malicious code. The attackers then obfuscate it further by encoding it and compressing it multiple times, so that it only works when decoded and uncompressed in the correct order.

The payload of this attack is usually some sort of code that opens up a backdoor on the server hosting the site. From there attackers can do what they want with the server, and that usually means making it part of a botnet.

This attack also goes beyond just WordPress, because Timthumb is a common PHP script that’s used in many other applications too.

For protection against this attack, users can disable remote images or get further protection through something like Timthumb Vulnerability Scanner.
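As an added illustration (not code from this post or from Timthumb itself), the following Python shows why a magic-bytes check is not enough against the fake-GIF trick described above. It builds a constructed sample with a GIF89a header glued in front of a ZIP that holds only a harmless text file, then contrasts the shallow signature check with a structural GIF check plus a scan for an embedded archive. The sample bytes and function names are my own.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
GIF_TRAILER = 0x3B              # every well-formed GIF ends with this byte

# Constructed sample: a minimal, well-formed 1x1 pixel GIF (not from the post).
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
             + b"\x02\x02\x44\x01\x00\x3b")


def build_disguised_zip() -> bytes:
    # Constructed sample of the disguise: a GIF89a signature plus a logical
    # screen descriptor glued in front of a ZIP. The archive holds a harmless
    # text file that stands in for the encoded payload the post describes.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", "placeholder, not a real payload")
    # width=1, height=1, no colour table, background index 0, aspect 0
    fake_header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)
    return fake_header + buf.getvalue()

def magic_says_gif(data: bytes) -> bool:
    # The shallow check the post says filters were fooled by: six bytes only.
    return data[:6] in GIF_MAGICS

def is_well_formed_gif(data: bytes) -> bool:
    # Structural check: signature, a full logical screen descriptor with a
    # non-zero size, room for at least one block, and the trailer byte.
    if not magic_says_gif(data) or len(data) < 14:
        return False
    width, height = struct.unpack_from("<HH", data, 6)
    return width > 0 and height > 0 and data[-1] == GIF_TRAILER

def embedded_zip_entries(data: bytes) -> list:
    # Names of files inside any ZIP hidden in the blob. ZipFile tolerates
    # leading junk (self-extracting archives rely on it), so a fake image
    # header in front of the archive does not stop it from parsing.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def classify_upload(data: bytes) -> str:
    # Verdict a filter should reach instead of trusting the magic bytes alone.
    entries = embedded_zip_entries(data)
    if entries:
        return "reject: image signature but contains zip entries " + ", ".join(entries)
    if not is_well_formed_gif(data):
        return "reject: not a well-formed GIF"
    return "accept"
```

The disguised sample passes `magic_says_gif` exactly as the post describes, but fails the trailer check and reveals its archive entries, so the filter rejects it.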

http://blog.spiderlabs.com/2011/11/wordpress-timthumb-attacks-rising.html

Ethical Hackers 2

In a follow-up to my post about ethical hackers, I found an article about a Cyber Challenge that was looking into getting teenagers and young adults who are partial to hacking interested in cybersecurity jobs. “In the eyes of the organizers of the Maryland Cyber Challenge and Conference, today’s hacker could be tomorrow’s cybersecurity hero.” Realizing that there is a shortage of security professionals in the work force, those who ran the whole conference intended to help those who attended see the great aspects of cybersecurity. The challenge itself was:

an all-day brain tester for eight high school and eight college teams. The college students had to hack into a computer, gain control, and rummage through files for valuable information. Meanwhile the high-schoolers were required to defend six computer servers against attacks by cunning computer professionals seated across the room.

It would seem that the “Ethical Hacker” is a much needed resource in this day and age.

Article: http://www.homelandsecuritynewswire.com/cyber-challenge-encourages-teen-hackers-seek-security-jobs

MEECES and Army Private First Class Bradley Manning

Army Private First Class Bradley Manning is at the center of one of the largest leaks of classified documents that the country has ever seen.  He is accused of using his privileged access to a classified government computer system to download sensitive documents, and distribute these documents to websites.

A quick read of his story on the Wikipedia website is a lesson in MEECES – the reasons for hacking.  MEECES stands for money, entertainment, ego, cause, entrance to social groups and status.  Here is a list of the MEECES examples from the Wikipedia website about PFC Manning:

Money – As there is no indication of compensation from WikiLeaks, it is unlikely that he did it for the money (I will concede that point).  As a note, WikiLeaks has donated $15,100 to a fund for his attorney’s fees (which has raised over $100,000).

Entertainment & Ego – If the statements can be attributed to him, Manning was getting satisfaction from the possible ramifications of the documents to be leaked. Allegedly, he told a writer at Wired magazine that Secretary of State Hillary Rodham Clinton “and several thousand diplomats around the world are going to have a heart attack when they wake up one morning, and finds an entire repository of classified foreign policy is available, in searchable format to the public.” Additionally, he was feeling superior as he cited “weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm …” leading to his assessment of “perfect example of how not to do INFOSEC”.

Cause – There are a couple of possible causes here. The major cause cited was a desire to publicize sensitive, classified documents pertaining to diplomatic and military affairs in the Middle East. Bradley felt that these documents needed to be placed in the public domain; he thought that the public needed to know the truth. In addition, Bradley was about to be discharged (for punching a female officer in the face), so revenge is apparently a motivator.

Entrance to Social Groups and Status – By initially posting the documents on-line, Bradley was able to communicate with writers for Wired magazine and the whistle-blower website WikiLeaks. The attention from these prominent media outlets is impressive for young techies.

The article on Wikipedia’s website is quite detailed, but obviously lacks Bradley’s opinions (since he is in jail, awaiting trial).  Time and trial by court martial will tell if Bradley is a criminal or a hero.  Right or wrong, the story posted on Wikipedia demonstrates the motivations of a hacker.

http://en.wikipedia.org/wiki/Bradley_Manning

Someone shut off the Internet!

Someone shut off the Internet! No I’m not kidding.

Yesterday, November 7th, 2011, the internet briefly ‘died’ for about 30 seconds. This event was witnessed by users and servers all around the U.S., in places ranging from highly populated areas such as Washington D.C., Los Angeles, San Francisco, Raleigh, N.C., Dallas, and NYC to some lesser-known locations in the Midwest.

Obviously this affected individuals worldwide. Servers and services hosted in the U.S. could no longer be reached by any client, regardless of their location.

Time Warner took responsibility for the massive outage with only a brief statement on their Twitter account.

@TWCableHelp: We appear to be recovering from a large but brief internet outage affecting most of our service areas. Please attempt to connect again.

This raises the question of how easy it would be to actually ‘turn off’ the internet if access could be gained to the systems Time Warner controls. Or, put the other way, how easy would it be to disable the systems that keep Time Warner’s customers from going offline?

Security is a huge issue here, because if Time Warner has the power to disable the internet and adjacent services, at least the portion they control (which is massive: they had over 36 million subscribers as of 2009), then potentially other ISPs might have the same incredible power. Could we be facing a state where a complete shutdown of the internet, à la Egypt or China, is feasible and a real threat to our freedoms as citizens?

What if an unscrupulous individual manages to take control of these systems and have an entire country’s internet at their fingertips? If a merchant like Amazon goes offline for even a few seconds, they potentially lose millions of dollars. Thirty seconds of downtime is a massive outage in any network administrator’s eyes. It is certainly unacceptable for such a large service provider conglomerate.

Sources:

America will not provoke war!

This article (http://www.wfaa.com/news/politics/Cyber-weaknesses-should-deter-US-from-waging-war–133493833.html) explains that America is so vulnerable to cyber attack that it would be too risky to initiate a war. Many countries could hit us over the internet, a new tool of war, with devastating effects. Even a battlefield can be harmed: if equipment just stops working, things would turn out pretty badly. It is simply too risky for us to go to war, and we are at huge risk of being attacked. Until we can fix our internet problem, we will be at a severe disadvantage to any opposing forces.

The good news is that the network is now becoming more secure. If we manage to make our internet infrastructure more secure, then we might actually transition into a position of advantage over other, weaker networks. But for now we are in a no-attacking position, and if we weren’t at such risk of being attacked (like an unfair cold war) then I would feel pretty happy about our forced pacifism.

An apparent inside job in Brazil’s DNS cache poisoning

Securelist.com reported that an employee at one of Brazil’s internet service providers is accused of tampering with the cache of a domain name server. It is believed that the employee’s work redirected customers looking for Google, Gmail, YouTube, and Hotmail to websites that tricked users into unwittingly downloading Java programs containing trojans. These trojans installed banking malware.

http://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil

Once again, encryption and security protocols are defeated by vulnerabilities attributed to human elements. The ties to banking malware suggest that this is probably not the work of just one person acting alone. It is troubling to think that elements of organized crime can gain access to the domain name servers of internet service providers. We will have to wait and see if the employee was a willing participant or a coerced victim.

Of course, it should not be too much of a surprise that it happened in Brazil. According to Symantec’s latest Intelligence Quarterly Report, Brazil ranks #3 in the world as a source of malicious activity (behind #2 China and #1 USA).

Real World Pen Testing

Want to get into pen testing? Knowing the following attack vectors is a good place to start. View the source for more detailed information on each category.

  • Information Gathering
    • Goal: Employee Information
  • Social Engineering
    • Goal: Gain Employee Credentials by directly asking for them
    • Goal: Enticing Users to a Website
  • Phishing
    • Goal: Internal Access via Employees

Government requests to Google for information on users have spiked.

The number of requests from the government to Google for information on its users has increased by 29% in the last 6 months.  Google is one of the few companies that release these kinds of statistics to the public. The reason they give for doing this is that they want to raise awareness about the ECPA.

The ECPA is the Electronic Communications Privacy Act, and it was enacted 25 years ago. It was meant to provide people with protection and privacy against government intrusion, but it hasn’t been updated since it was made to reflect new advances in technology. Because of this, people are still massively vulnerable to government intrusion, since the government can get access to users’ online information without having to go through a judge’s approval like they would need to with a warrant. Google is just one of many high tech companies that have formed the Digital Due Process coalition to advocate reform.

This isn’t the first time Google has attempted to rock the boat over government monitoring. Most of you probably remember back when Google refused to censor search results in China. Their refusal of this demand caused them to close up shop in much of China. On the other hand, companies like Yahoo have no trouble with censoring, or even monitoring and giving up information on political dissidents.

http://www.digitaldueprocess.org/index.cfm?objectid=37940370-2551-11DF-8E02000C296BA163

http://m.wired.com/threatlevel/2011/10/google-data-requests/

Steps to take after the hack

I was reading an article recently on securityweek.com that listed some steps that should be taken from the viewpoint of a systems administrator. Considering how many people in the class wish to pursue that particular career, I decided to write about it. The first step, which could very well be the most important, is to make a call to IT and tell them “Do not shut down the system.” I know that the first thing to come to someone’s mind would usually be to shut it all down to stop the attack; however, if you do that then there is no way that you can trace the hacker or find out what it was that they were trying to steal from the company that you work for. So I know it may be tempting, but do not disconnect.

The next step is to gather as much information as possible about the attack and the hacker. You should find out things from all the departments and examine all possibilities. Some of the questions you should be asking yourself while gathering this information include: How large is the problem? Is it one computer, the entire network, or somewhere in between? Has IT noted any peculiar employee behavior? Are any logs suggesting suspicious behavior? Were any employees dismissed recently? What was hacked? What was not hacked? Does it appear that the data was not touched, or was the data stolen but left intact to look like it was not breached? Is the breach still open? Is it spreading, and from where?

The next step would be to call in some extra help. The best person to get hold of would be the closest “white hat” that you can find. These people know all the tricks, and probably more than whoever broke into your network. It is their job, 24 hours a day, to know the latest developments and to be experts in cutting-edge technology. They will be able to help you find anything that you may have missed.

The final step you should take is to think about what your response should be in terms of reporting what happened to the company. You should think long and hard, depending on the seriousness of the situation, about whether or not to let your customers know what happened. If the attack was very serious and important information was compromised, like credit card numbers, the company should probably report it to the customers and try to ease their minds. Nothing wreaks havoc on the mind like knowing your credit card number is “out there” somewhere and in the hands of a shady character. One way to help ease a customer’s mind is by giving them a phone number to call that can help rebuild their credit and flag unauthorized use of their credit cards. A company’s reputation, if founded on how customers are treated, will help soften the blow that may come to the company’s established reputation.