Recent Zero-Day Vulnerabilities disclosed on Twitter

By Stuart Nevans Locke:

Within the last few weeks, two zero-day exploits were disclosed on Twitter. Typically, a vulnerability is reported to the company that makes the affected product, researchers wait until the company fixes it, and the vulnerability is made public only after patches are released. Companies that run bug bounty programs often pay researchers for finding vulnerabilities; however, those companies almost always pay less than researchers could get by selling the same vulnerabilities on the black market. Some bug bounty programs also have extremely limited scope or are reluctant to award bounties at all. As a result, companies such as Zerodium have formed that operate in the gray area of buying and selling exploits. For example, last year Zerodium offered to pay up to $250,000 to researchers who found a remote code execution vulnerability that resulted in root access, while the bug bounty program run by Tor would pay a maximum of $4,000 (see the Zerodium Tor page in the sources below).

On September 10, Zerodium released a tweet saying that the NoScript plugin in Tor Browser version 7.x could be trivially bypassed. NoScript is a Firefox extension that is bundled into Tor Browser; its primary purpose is to prevent JavaScript from running in your browser. While a vulnerability that bypasses NoScript would not on its own be enough to de-anonymize Tor Browser users, it could be a useful step toward running JavaScript-based exploits that do. What makes this case of irresponsible disclosure so interesting is that Zerodium is in the business of buying and selling vulnerabilities, not giving them away on Twitter for no reason. This has caused speculation about why they released the vulnerability, with theories ranging from it being a PR move to them holding more severe exploits against other versions of Tor Browser.

Just a few days earlier, on August 27, a Twitter user going by the handle @SandboxEscaper posted a tweet containing a local privilege escalation exploit that worked on fully updated Windows machines. Both the source code and a proof of concept (PoC) were published by the researcher. In the tweet, SandboxEscaper complained about how unpleasant dealing with Microsoft had been for them in the past. Very soon after SandboxEscaper released the exploit, malware in the wild began using it.

The most worrisome thing about these two vulnerabilities is that both were disclosed so irresponsibly, allowing them to be exploited in the wild before NoScript and Microsoft had time to put out patches. One of the things cybersecurity researchers emphasize most is the process of responsible disclosure, and it is extremely worrisome to see it completely ignored by multiple sources.

Some Sources:
https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/ (Summary of Zerodium’s disclosure)
https://www.theregister.co.uk/2018/08/28/windows_zero_day_lpe/ (Summary of SandboxEscaper’s disclosure)
https://hackerone.com/torproject (Tor bug bounty)
https://zerodium.com/tor.html (Zerodium Tor Page)
https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f (Technical Analysis of SandboxEscaper’s exploit)

Twitter Can Give You A Virus & It’s Not the Avian Flu…

Twitter: people either love it or hate it. I view Twitter as a “Diet Facebook”; I still know what people are doing and thinking at every second of the day, I just don’t get Farmville notifications to go with it.

Recently, Twitter users have been the target of a new Trojan infiltration scheme. A Twitter user receives a DM (direct message) from a supposedly trusted source with a nondescript but tantalizing message. The messages usually reference a supposed illicit picture or video of said user, with a link that will, supposedly, take the user to the referenced content.

According to reports, users are taken to “YouTube” (please note the quotes). They are then told that an update is needed to view the video, with a link to download a file titled “FlashPlayerV10.1.57.108.exe”. In reality, people are downloading a Windows-compatible Trojan application right to their computer. Simple social engineering. What makes this so easy is not only the promise of discovering embarrassing content about yourself on the internet, but the fact that a URL shortening service is being used to disguise the actual target URL. Using URL shortening services on Twitter is not uncommon, so to the average Twitter user there is no apparent cause for alarm when receiving one of these messages.

This should go without saying, but if your Twitter account happens to be the one sending out these false messages, change your password immediately. If the messages are coming from a friend’s account, it is recommended that you alert them and recommend that they change their password too. People just need to remember to be safe and make sure what they are receiving is real content. If you’re unsure about a link, don’t click it, or at least verify it with the sender.

Happy Tweeting.

Information Sources:

http://www.nbcnews.com/technology/technolog/direct-messages-twitter-link-malware-1B6095619

http://www.informationweek.com/security/attacks/twitter-direct-messages-disguise-trojan/240007914


Willingly allowing to be tracked?

An American citizen (unsure if he was American-born or naturalized) named Hasan Elahi returned to U.S. soil after leaving the country for a while and was questioned intently by the FBI for over 6 months about his whereabouts, his storage locker in Tampa, FL, and whether he may have had connections to Al Qaeda, Islamic Jihad, Hamas or Hezbollah. It appears that he did not, and he had several pieces of evidence that he, in fact, did not. He willingly cooperated above and beyond what the FBI requested, to the point that after he was cleared he willingly gave the FBI his personal information (e.g. where he was when he left the country, account information, call logs, pictures of his current locations, etc.). He did this as a symbol to show the FBI he was not trying to do anything fishy, and believed that if he did this, the FBI wouldn’t consider him a suspect for anything else in the future.

Hasan’s belief is that this would not work if every American citizen did it, because the FBI would have to hire some 300 million extra employees to keep up with the data coming in, and he felt his act was more symbolic than anything.

But his final point relates what he was doing to what people do every day and may not even realize. When we post where we are, what we’re doing, who we are with, or check in to locations on social networks like Twitter, Facebook, etc., how is that any different from what he was doing with the FBI willingly? Ultimately, the only difference is that the information isn’t being directly supplied to the FBI. The FBI could, however, get that information easily by contacting Facebook, for example, subpoenaing the information if needed.

I admit I do use Facebook (the only social network I use), however I never was into telling the world where I was, what I’m doing or who I’m with. Not strictly because I don’t want people to keep tabs on me, but for the most part I don’t think most people care to know “Oh, he’s at Wal Mart with John Doe. Ok?” But you never know who does want to know. Your jealous ex-girlfriend or ex-boyfriend may want to know.

For me, I’ll stick to posting random sarcastic comments, sports posts and miscellaneous comments here and there.


http://www.nytimes.com/2011/10/30/opinion/sunday/giving-the-fbi-what-it-wants.html?_r=1&pagewanted=all

Facebook Security and Privacy Issues

http://www.foxnews.com/story/0,2933,353121,00.html

Above I have posted a link to a cyber security article about the security risks and privacy issues people may encounter while using social media websites such as Facebook, Myspace, Twitter, etc. Many individuals who use Facebook feel safe and secure because they have set their profiles to private, and therefore believe that nobody can access any of their personal information and data. However, this is untrue: whenever a user decides to download an application on Facebook, they are allowing its developers to view all of their information. This causes a problem: since it poses several privacy issues, Facebook’s users are having their information looked at and are now being targeted based on that information. Also, people have a false sense of safety while using social networks, when really they are facing several security risks without even knowing it. In my opinion, individuals using social media websites are being taken advantage of and are now potential victims of cyber security crimes and computer viruses, and I believe that the best thing people can do to stay protected is to not post any personal information on the web that could lead to potential endangerment.
