Microsoft Sounds Zero-Day Warning

Microsoft has issued an emergency fix for a vulnerability in Windows Kerberos that is being actively exploited via in-the-wild attacks that target Windows Server 2008 and 2008 R2.

The Kerberos protocol is used to authenticate users and services on otherwise open and unsecured networks, using shared keys. But according to Microsoft’s new MS14-068 security alert, the Kerberos Key Distribution Center – which authenticates clients inside an Active Directory domain – is vulnerable to a privilege-escalation attack, which could allow an attacker to remotely gain administrator-level privileges. “An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers,” warns Microsoft, noting that it is “aware of limited, targeted attacks that attempt to exploit this vulnerability.”

The problem stems from a failure to properly validate cryptographic signatures, which allows certain aspects of a Kerberos service ticket to be forged. An attacker could abuse the cryptographic Kerberos ticketing system to gain access to normally off-limits parts of a network. Related attacks can also be launched by anyone in possession of valid domain credentials. “This is a really big issue, because anyone with a valid domain username and password can simply add a valid token – or as it’s called in Windows, a privileged access certificate – that then gives them the domain admin rights, and [then] it’s very, very easy to create another domain admin account, hide your tracks.”

Caleb Martin

Patient Data Breached in Armed Robbery

Boston, MA – On September 24, 2014, a laptop and a cell phone containing patient data were stolen from a Brigham and Women’s Hospital physician. Even though both devices were encrypted, the assailants forced the physician to provide the passcodes to bypass the security measures. The press release issued on November 17 by Brigham and Women’s Hospital indicated that 999 patients had some of the following information on the devices: names or partial names, medical record numbers, age, medications, or information about diagnosis and treatment. The patients received treatment at the hospital between October 2011 and September 2014, and a small number of them were participants in research studies. The devices have not been recovered.

The Boston Police were notified immediately, and the hospital started an investigation and created a working group to handle the incident. The hospital is also reviewing its policies and procedures to better counter similar incidents in the future, and is notifying the affected patients.

-David Mauriello

“Regin” Malware Spied on Companies and Governments in 10 Countries since 2008

Symantec Corp released a report on an advanced piece of malware known as “Regin”, a backdoor-type Trojan. It infects target systems and links back to its controllers, creating a powerful surveillance apparatus that monitors systems across the world.

“Regin” has been observed infecting private companies, governments, and research institutions. While confidentiality is key and names are withheld at this time, the following graphs illustrate a rough estimate of the companies affected:

[Figures: Regin-targeted companies by sector, and Regin-targeted nations. Source: Symantec Corp]

“Regin” is one of the most advanced and complex pieces of malware ever analyzed. It is a multi-stage, modular threat that can tailor itself to nearly any machine, deploying only as much of itself as is necessary for a given target. Each stage is encrypted until it is used, making the malware difficult to analyze.

Symantec says the technical competence and time required to develop malware of this caliber could only have come from a nation-state, and its similarities to the infamous Stuxnet worm point to a Western source rather than the usual suspects, China or Russia. Considering that not a single Regin target resides on British or US soil, and that most victims are located in Russia, Saudi Arabia, and Ireland, Britain is a likely source.


WordPress issue allows for compromised accounts; addressed, but not fixed

In the release of WordPress 4.0.1 on Nov. 20, 2014, eight security flaws were addressed. One of them is listed as:

An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.

While this is stated to be fixed, an in-depth look at the problem and its solution reveals that it is still possible to compromise user accounts by this method.

Before 2008, WordPress simply checked the password used to log in against an unsalted md5 hash stored in the database. The lack of a salt, of course, means that a given password maps to the same hash every time, for every user who chose it. In 2008, WordPress changed its hashing algorithm away from md5, but it kept checking against the md5 algorithm in case the user had not yet logged in since the change (a stored hash was changed over to the new format only when that user next logged in).

The way WordPress addressed the hash collision issue was very simple — rather than comparing directly against the md5 hash, it switched to a separate hash-comparison routine that does not allow collisions between the new hashes and the old. But WordPress did nothing about the fact that pre-2008 accounts still have the old hashes stored in the database. If you have not logged in since 2008, your password is still saved as an unsalted md5, which leaves it extremely vulnerable to offline attacks should the database be stolen.
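To make the migration mechanics concrete, here is an added example (not WordPress’s own code, which uses the phpass format): a login routine that still accepts a legacy unsalted md5 hash, rehashes it with a salted PBKDF2 hash on the first successful login, and an audit function that lists the accounts still stuck on the legacy hash. The `pbkdf2$…` storage layout and the sample user table are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# A stored hash of exactly 32 lowercase hex chars is treated as a legacy unsalted md5.
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the "pbkdf2$iter$salt$hash" layout is a constructed format."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Accept both formats; compare digests in constant time with hmac.compare_digest."""
    if LEGACY_MD5.match(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored)
    _, iters, salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest_hex)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """On a successful login against a legacy hash, replace it with a salted one."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if LEGACY_MD5.match(stored):
        users[username] = hash_password(password)
    return True


def legacy_accounts(users: Dict[str, str]) -> List[str]:
    """Audit: accounts whose stored hash is still an unsalted md5 (no login since migration)."""
    return sorted(u for u, h in users.items() if LEGACY_MD5.match(h))


# Constructed sample user table: "alice" never logged in after the migration.
USERS: Dict[str, str] = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hash_password("battery staple", salt=bytes(16)),
}
```

Running `legacy_accounts` over a real user table is the check that tells an administrator which accounts still need a forced password reset, since the login-time rehash never fires for users who never come back.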

WordPress issues critical security fixes, closing remote anonymous compromise bug and more

WordPress 4.0.1 Security Release

e-cigs can now give you malware

E-cigs, or e-cigarettes, seem to be the newest attack vector for infecting PCs with malware. According to an article in The Guardian, there has been a report of an e-cigarette user’s PC getting infected with malware by charging the e-cigarette: “The made in China e-cigarette had malware hardcoded into the charger, and when plugged into a computer’s USB port the malware phoned home and infected the system”. Rik Ferguson, security consultant for Trend Micro, says that the story is plausible: “Production line malware has been around for a few years, infecting photo frames, MP3 players and more”.

What this means for e-cigarette users: take precautions when buying one, buy only from trusted manufacturers, and run up-to-date anti-malware software.