Tag Archives: encryption

Iranian Hackers Steal Academic Research Papers From Over 70 Universities

By: Brent Burgess                                                                                                                9/18/201

Around three weeks ago SecureWorks, a cybersecurity research group, discovered a massive phishing scheme that has been recently targeting many universities. This phishing attack has targeted over 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States. Most of these spoof sites had domains which attempted to replicate the universities’ library pages, getting access to accounts attempting to enter their library resources, and obtaining 31 terabytes of academic knowledge. When the information was entered, they were redirected to the actual university library site where they either were signed in or asked to repeat their credentials. The 16 domains were created between May and August of this year. Many of these stolen research papers were then sold by texting an encrypted message to WhatsApp or Telegram.

These phishing attacks were found to be perpetrated by the Cobalt Dickens hacking group which has been found to be closely associated with the Iranian government. In March of this year, the United States had indicted the Mabna hacking group and nine members in connection with the group. This group’s previous attacks appeared to have the same infrastructure as the Cobalt Dickens attacks, implying some of the same members were involved. These universities which create cutting-edge research are high priority targets due to the value of their information presents as well as the difficulty of securing them. This hack has taken place shortly after the United States decided to re-establish economic sanctions with the United States implying a potential political motivation.

“This widespread spoofing of login pages to steal credentials reinforces the need for organizations to incorporate multi-factor authentication using secure protocols and          implement complex password requirements on publicly accessible systems.”                  -SecureWorks

Sources:

https://www.zdnet.com/article/iran-hackers-target-70-universities-in-14-countries/ https://www.express.co.uk/news/world/1017903/US-sanctions-Iran-hackers-nuclear-power-cybersecurity-donald-trump/                                    https://www.securityweek.com/iranian-hackers-target-universities-large-attack-campaign-secureworks                                                https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities

 

 

Trustico Servers Compromised

When you surf the web, your web browser requests and receives data from some remote server. If you are logging into a website, you would want to have your login info secure, meaning when you send that information to the remote server for verification, you don’t want the data to be in plaintext such that it can eavesdropped by someone on the network. This is where SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols come in. These protocols are used when then website you visit has HTTPS instead of HTTP, with the ‘S’ standing for “secure”.

These protocols are based on a public key and a private key. These keys separately can be thought of as half of a whole key, and the whole key can be used to determine whether the information sent or received is from a source you expect, allowing you to know the data has not been compromised by another party. This is because data encrypted using somebody’s public key can only be decrypted using the same person’t private key. Suppose you are sending data to A from B. Then B uses A’s public key to encrypt the data, and when A receives the data, A can uses its private key to decrypt the data. Therefore, it is important to keep the private key locked up and secret.

This is where companies who issue SSL certificates come in. There are various ways to encrypt the data to make it secure, and various companies claim there algorithm is more secure or meets whatever criteria required for the server’s use, including warranties, browser support, subdomains, speed, and other additional exclusive features in a package.

On March 1, a user with the Twitter handle @svblxyz has noticed that he was not able to validate his certificate issued by Trustico, a certificate re-seller, and the site was instead sending curl requests (an application used in scripts for downloading various data) as displayed in the application logs. Another user with the Twitter handle @Manawyrm revealed that it’s possible to trick the script on the server doing the curl request to use some other command, also known as code injection. The most shocking thing about that was that the application logs showed that the command was run as root (highest privilege, no restrictions), meaning that script was running as admin. Another user by the Twitter handle @ebuildy also helped reveal that the company doesn’t use proxies, meaning that it is possible to inject code that would display all of the IP address of their LAN devices.

Having a code injection vulnerability on a server is bad enough since you let anyone to essentially mess around with. Having a code injection vulnerability that allows you run things as root is even worse since you then have complete access to the server. Having all that on a server which validates SSL certificates, and you have a complete nightmare. Following the tweets, it did not take the internet long to put Trustico’s server offline. One bad thing that have happened is someone wiping all data on the server, possibly without hopes for recovery or someone installing a bunch of backdoors on their server (allowing the person to get back in even after Trustico fixed the problem).

However, the worst thing that could have happened is private keys for SSL certificates being compromised. The user by the Twitter handle @ebuildy was able to figure out that Trustico doesn’t use proxies because when using code injection to display their localhost info, the results returned their own certificate under the company’s name. This means their private key could have been compromised and anyone could use code injection to run a command see the data unencrypted if they wanted to. Anyone who sends their SSL certificates for validation would have their certificates compromised. As of now the exploit is fixed and their old certificate was revoked and replaced with a new one.

A few days before the security flaw was found, Trustico was meaning to revoke security certificates by Symantec/DigiCert. Mozilla and Chrome browsers were rejecting DigiCert certificates after misissuing of over 30,000 of them. As a result Trustico decided it was better to switch from DigiCert to Comodo. According to a statement by Trustico, “We believe the orders placed via our Symantec® account were at risk and were poorly managed. In good conscience we decided it wasn’t ideal to have any active SSL Certificates on the Symantec® systems, nor any that didn’t meet our stringent security requirements”.

After they requested DigiCert to revoke the certificates to replace them with Comodo ones, DigiCert declined to do such unless they were compromised. Trustico then proceeded to email them the private keys of the certificates, and thus compromising them, providing insight that their certificate validation tools logged private keys of certificates. According to Jeremy Rowley from DigiCert, “Trustico not has provided any details how the private key leaked or how did they acquire the keys”, now leading to skepticism on whether any stored private keys were accessed by unauthorized during the time the code inject vulnerability was present.

— Alex Baraker

 

Sources:

  1. https://www.instantssl.com/ssl-certificate-products/https.html
  2. https://info.ssl.com/faq-what-is-a-private-key/
  3. https://www.instantssl.com/ssl-certificate.html
  4. https://twitter.com/svblxyz/status/969220402768736258
  5. https://twitter.com/Manawyrm/status/969230542578348033
  6. https://twitter.com/cujanovic/status/969229397508153350
  7. https://twitter.com/ebuildy/status/969230182295982080
  8. https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/BLvabFwcJqo
  9. https://gbhackers.com/google-announces-final-distrusting-symantec-ssl-certificates/
  10. https://www.trustico.com/news/2018/symantec-revocation/certificate-replacement.php
  11. https://bitkan.com/news/topic/69234
  12. https://gbhackers.com/23000-ssl-certificates-revoked/

Encryption system used to exploit protected Wifi networks

Everyone knows that they could be a potential target for cyber-crime; as it often appears in the news almost every day. But just how vulnerable is an individual? CERT recently made a statement about how your Wifi network could be exploited if proper precautions are not taken.

On October 16th, 2017, the Computer Emergency Readiness Team made an announcement that addresses the protection of your sensitive information. In short, its advice is to update all your devices when security advancements are available. The reason for this is that a widely used encryption system used on wireless networks can lead to a breach of your credit card information, emails, passwords, etc.

Essentially, the system allows a hacker to gain access to the internet traffic that occurs between computers. Once in, the hacker can manipulate the data that is recovered. Depending on the target’s network configurations, it is even possible for the attacker to inject malware into the network. The unsettling part about this encryption system is that it has the capability of effecting a very wide range of devices including Android, Apple, Linux, and Windows.

Companies such as Intel, Microsoft, Google, and Apple have heeded this advice and have released updates that will help protect people with their devices from this issue.

– Jared Albert

 

Canadian Point of Sale company data breech

     The point of sale company Lightspeed has suffered a data breech, the email above was posted on twitter by Australian security expert Troy Hunt which was sent by Lightspeed to its customers. The hackers had gained access to systems related to its retail offering. Lightspeed confirmed the attackers accessed a central database containing information on sales, products, and customers. The database included encrypted passwords, electronic signatures, and API keys. Eventhough the database was accessed by hackers Lightspeed said there was no evidence that information was stolen.

      The company said that passwords created after January of 2015 where the safest having been stored with advanced encryption technology. They also said that the system that the hackers had accessed did not hold any private information such as credit card numbers. The company has informed customers that a third party security firm had been hired to investigate and that it’s systems should be only accessible by authorized users.

http://www.securityweek.com/pos-vendor-lightspeed-suffers-data-breach

  • Gavin Millikan

Smart Watch Security Threats

As with any piece of new technology, the introduction of smart watches come with new threats to security. A recent study was conducted on these watches and to no ones surprise, many vulnerabilities were found. A few of the vulnerabilities listed include, a lack of transport encryption, lack of user authentication, privacy problems, and firmware problems. It was also found that communications were easy to interfere with and intercept. This means that as of right now, if sensitive data is being transmitted over the watches, anyone could get a hold of it.

Experts recommend to protect sensitive information with strong passwords and to make sure you are controlling your communications to avoid middle man attacks. Another suggestion they make is to manage your transport layer security settings and make sure they are in good shape for protecting you. The biggest concern however seems to be the vulnerabilities of the apps rather than the watch itself. Previously there have been attacks on apps for the iPhone and such so the experts say it wouldn’t be surprising to see attacks on the smart watch apps.

The bottom line is to approach these new smart watch products with care and to focus more on the security of the apps than the watch itself. Additionally, as time goes on, more apps for increased security will be released. Apple has already released several since the release of their Apple Watch.

-Thomas Coburn