Firefox Master Password Security Issues

A lot of people use the save password feature in browsers so that they don’t have to be bothered to enter their passwords on websites they visit often. Firefox offered users the option of implementing a master password, so that the user would need to enter that password in order to use their bank of saved passwords.

What was just brought to light is that Firefox uses a very low standard of encryption that can be cracked in just a few seconds if the hash is found. SHA-1 hashes were used, which are very insecure as they are easily broken. Although a salt was used, according to the article, 1 iteration count is considered very low, and makes it easy for hackers to obtain the master password through brute force. For comparison, the article provides information that 10,000 iterations is considered the minimum acceptable value, and other password managers, like LastPass, use 100,000 iterations.

What is strange is that someone reported this bug nine years ago, and the Mozilla team just never fixed the issue. They did not provide a reason that they did not fix it, but used the chance to generate excitement for its upcoming password manager called Lockbox. According to the post on the bug report, a solution of switching to the Argon2 library for hashing passwords would be more secure than SHA-1, but based on the above comments it does not seem like Mozilla wants to invest any resources into fixing this issue. In order to protect themselves, users can stop using the Firefox password saving feature and turn off their master password and store their passwords in a third party password manager, such as KeePass, 1Password, Enpass or LastPass.

– Justin Stein



New Eurpoean Privacy Standards Comming into Effect

Two years ago the European Union passed the General Data Protection Regulation (GDPR), on May 25th these regulations become enforceable. The GDPR aims to increase the number of privacy controls users have on the web through new privacy standards. Although the regulations were specifically passed by the EU, due to the international nature of the web many people from all over the world will feel its impacts.

These regulations aim to increase user privacy through expanding the scope of consent that sites are required to request. First, consent has to be explicitly given for each specific use of data provided by a customer – meaning web services must implement gradual permission systems. The user must be told exactly what the data is being used for and has a right to access all the information the company has on the user. Companies must also have the ability to prove that consent was given for a particular use of data. Second, a user must be able to withdraw their consent at any time. Lastly, all users have the right to be forgotten. This final provision means that a user can request that any data associated with them to be permanently erased from a companies database.

It is unknown at this time how willing the EU will be to enforce these provisions. However, breaking any of these cars large penalties on per-violation bases. These rules could potentially change the global playfield as many advertising, social media, and other businesses that rely heavily on data collection will be massively affected.

Crypto-jacking on Government Official Websites.

About a month ago it was discovered that there was a vulnerability being exploited on a browser plug-in called, Browsealoud. Browsealoud is a website plugin, developed by the company TextHelp, that adds speech, reading, and translation to websites, in an effort  to help those with dyslexia and other conditions.  Hackers injected a crypto-mining script on a Java file within the Browsealoud library. The script would mine the currency ‘monero’. Since the hackers attacked Browsealoud itself and not the individual websites, all the websites that were using Browsealoud (nearly 4000) were infected.  Some of the websites included  UK’s ICO (Information Commissioner’s Office) and NHS (National Health Service) and US’ federal judiciary. When someone visited a website using the plugin, the script would run and use the visitors CPU to begin mining.

Crytpo-mining is something to be wary about especially with the rise of Bitcoin and other cryptocurrencies. The hackers simply just wanted an easy way to mine more currency for themselves whether or not it was legally. There reason for doing this comes back to the acronym ‘MEECES’ which stands for money, ego, entertainment, cause, entrance, status. The attackers were just looking for some money in this case because as of now it is unknown who injected the script. It was very fortunate, with the information as of now, that no information of the users who used the website was stolen, and only were used to mine cryptocurrency.

Websites now should use more caution when implementing plugins to there website. Every company should have people testing for vulnerabilities within their services and should submit proof of this to their customers. In the future we need to become more aware of ways our websites and services can become vulnerable and the risks we take using them.

– Jordan Disciglio


Russian Government Cyber Attacks Targeting Critical US Infrastructure

In this modern, technology-run day-and-age, the use of cyber hacking by one nation against another is an increasingly frequent method of attack. The United States Computer Emergency Readiness Team in joint with the DHS and FBI recently released a report outlining specific types of attacks they have identified being used by the Russian government targeting the U.S. government as well as “organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors”. They have also confirmed that these attacks have been ongoing since at least March of 2016.

One type of attack uses spear phishing emails containing Microsoft Word files loaded with a malicious script. These script first installs some credential-harvesting tools like Hydra and CrackMapExec. Then, it attempts to retrieve a file on a server via SMB request. By doing so—whether or not the file exists—an authentication request is typically prompted to the user before continuing. At this point, the script will capture the hash of the user’s credentials, and make an attempt to extract the full username and password using the aforementioned tools installed on the machine.

Another type of attack again used phishing to obtain credentials via a link in a falsified .pdf contract agreement. Users were directed to follow a link in the document to enter their email address and password in order to agree to the service contract. Once the credentials were in hand, attackers used them to attempt to gain access to the internal systems of these important infrastructure institutions. A back-door was installed to allow persistent access, and attackers could then modify firewall settings and Windows registry keys.

The release of this information is significant in two ways. First, it is just another example as to the extreme importance of vigilant cyber security awareness and practice. Both of these attacks rely on the ignorance and thoughtlessness on the side of the end-user to gain access into the system. Whether it’s opening unsolicited Microsoft Word documents or agreeing to unfamiliar (and unofficial) contracts, both scenarios rely on users divulging their credentials without suspicion as to whether the requesting source is legitimate.

Second, it is another example of the changing landscape of cyber security and cyber hacking as it continues to be used more frequently by governments as a weapon against other nations. Now more than ever is cyber security conversation and awareness important for all people as we enter an age of online warfare.

— Brendon Stowe
Student, R•I•T
Web & Mobile Computing

Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors

Memcached and DDOS Attacks

Memcached and DDOS Attacks
Remember the DDOS attack on Github? Yeah this has to do with that. [1] That attack and another that was detected by Arbor Networks on March 5th had to do with a new trick involving a server that implements memcached. memcached is a system that caches data from database calls to speed up subsequent database calls. The practical outcome is that pages that rely on databases load faster.

Why are attackers leveraging memcached servers?
The problem is not memcached inherently, but with a possibly weak default configuration that was being utilized improperly. [1] What attackers could do was amplify/reflect traffic off of the improperly configured memcached servers. This nifty trick not only turns every misconfigured memcached system into a tool, but also multiplied the amount of data that was being sent towards the target. Every year, the amount of data required to successfully deny service to a target service or page gets larger. [1] This trick using memcached allowed hackers to execute record breaking DDOS attacks. Arbor Networks detected a peak traffic load at 1.7 terabits per second.

What’s going on?
A reflection attack typically happens when an attacker sends traffic that looks like it was from the attacker’s target. This prompts a response that is then sent from the queried server to the target. In this case, it’s called an amplification attack because the attacker can send a very small amount of fake traffic which results in a larger response being sent to the target. [2] Attacks involving memcached were researched further after the discovery and it was found that the amplification factor could be as large as 51,200[2].This means, in theory, that for every bit sent from the attacker, there would be about 50Kb sent to the target.

What do we do about it?
Part of the problem is the default configuration. memcached is open-source, and in 2008 Facebook made the contribution that added support for UDP. There was no implementation of authentication for the UDP version of this service, so it was assumed that the administrators would properly auth and secure this [1]. Many did not. The solution is to disable the UDP support or otherwise lock down this public facing port/socket. The open-source project has already been updated so that future implementations of memcached have UDP disabled by default. Firewalls and rate limiting are also valuable tools; cloud service providers have been rate limiting the UDP port 11211(used by memcached) to minimize any abuse on their lines.

If by chance you watch over an implementation of memcached, this guide will show you how to check if your device is ready to become a reflector:

-Matthew J. Harris