Thunderstrike: the first bootkit for Mac OS X

At the CCC 2014 winter session, Trammell Hudson disclosed the first known proof of concept of a bootkit for Mac OS X. Bootkits are a special category of rootkits that stealthily infect the master boot record or volume boot record. In other words, a bootkit is a rootkit that installs itself in the boot system of the machine.

His exploit uses several weaknesses in the boot system of Mac OS X.

  1. The integrity of the boot ROM (which is actually an EEPROM, to allow upgrades) is protected by a CRC32 rather than by a cryptographic signature. Unfortunately, the purpose of a CRC is to check that the software is not corrupted (i.e. no accidental error); a CRC does not verify whether the software was deliberately altered. He now knew that he could alter the boot software. He then had to find a smart way to do it.
  2. Firmware upgrades, delivered through the Extensible Firmware Interface (EFI), are RSA 2048 signed. However, the check is performed by the boot software, which can be tampered with. EFI is the replacement of the BIOS. At this point, he knew that he could load his own firmware at boot using EFI. But how could he deliver the firmware to the targeted machine?
  3. He used a trick that was demonstrated in 2012. At boot time, EFI asks externally connected PCIe devices whether they have any Option ROMs to execute. The Thunderbolt port thus allows loading arbitrary firmware from a connected device.
  4. He fooled the boot firmware by replacing Apple's public key with his own, letting Apple's own software take care of validating his malware. This key is then written into the ROM, which prevents any legitimate Apple upgrade from occurring: only upgrades signed with his private key will be accepted.
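
The weaknesses in points 1, 2 and 4, replayed as an added Go example that is neither Hudson's code nor Apple's: a ROM whose only integrity check is a CRC32 trailer, with the key used to verify updates embedded in that same writable ROM. Ed25519 stands in for Apple's RSA 2048 check, and the image layout is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// Image models a writable boot ROM: boot code, the embedded public key used
// to check firmware updates, and a CRC32 trailer over both (assumed layout).
type Image struct {
	Code   []byte
	Anchor ed25519.PublicKey
	CRC    uint32
}

// body is the region the CRC covers: the code followed by the embedded key.
func body(img Image) []byte { return append(append([]byte{}, img.Code...), img.Anchor...) }

// Seal writes an image together with a matching CRC trailer.
func Seal(code []byte, anchor ed25519.PublicKey) Image {
	img := Image{Code: code, Anchor: anchor}
	img.CRC = crc32.ChecksumIEEE(body(img))
	return img
}

// CheckCRC is the software-only integrity check described in the post.
func CheckCRC(img Image) bool { return crc32.ChecksumIEEE(body(img)) == img.CRC }

// Outcome records what each check decides in Scenario.
type Outcome struct {
	RewrittenPassesCRC   bool // CRC accepts a ROM rewritten with another key
	VendorUpdateAccepted bool // vendor-signed update vs the rewritten ROM's key
	RogueUpdateAccepted  bool // rogue-signed update vs the rewritten ROM's key
	RogueVsPinnedAnchor  bool // rogue-signed update vs a key held outside the ROM
}

// Scenario replays the weakness; ed25519 stands in for the RSA 2048 check.
func Scenario() Outcome {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	// Whoever can write the ROM can also rewrite its CRC trailer, so the CRC
	// catches accidental corruption but never a deliberate rewrite.
	rewritten := Seal([]byte("rewritten boot code"), roguePub)
	vendorUpd, rogueUpd := []byte("vendor fw 2.0"), []byte("rogue fw 1.0")
	vendorSig := ed25519.Sign(vendorPriv, vendorUpd)
	rogueSig := ed25519.Sign(roguePriv, rogueUpd)
	return Outcome{
		RewrittenPassesCRC:   CheckCRC(rewritten),
		VendorUpdateAccepted: ed25519.Verify(rewritten.Anchor, vendorUpd, vendorSig),
		RogueUpdateAccepted:  ed25519.Verify(rewritten.Anchor, rogueUpd, rogueSig),
		// A key pinned in unchangeable hardware (mask ROM) is unaffected by the rewrite.
		RogueVsPinnedAnchor: ed25519.Verify(vendorPub, rogueUpd, rogueSig),
	}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

The last field is the point of Hudson's quote below: only an anchor the ROM writer cannot touch keeps the signature check meaningful.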

The potential attack is to have a forged Thunderbolt device carrying the malware as its Option ROM. The attacker needs physical access to the target, boots it with the Thunderbolt device connected, and then owns the machine. It is fast.

This is only a proof of concept and no attack in the field has been discovered yet. Apple is preparing fixes that do not allow Option ROMs to load during a firmware upgrade. The patch is already available for the new Mac Mini and Retina models. It will be available soon for all Thunderbolt models.

He puts Apple's error of using CRC32 rather than cryptography into perspective by stating:

In actuality, any software-only validation is doomed to fail since if an attacker can get code into the ROM, they can just skip that software validation. Either by always returning true or by returning a cached value computed over the boot ROM. Without some sort of hardware cryptographic signature checks or an actual, unchangeable mask ROM, this sort of software-only attempt is futile.

His presentation, which he transcribed on his site, is an excellent description of a reverse engineer's work. He shows some tricks such as looking for strings (too often printf calls remain in the code) or searching the Net for hexadecimal sequences to identify the signature of the tool that produced them… Excellent reading.

Lesson:  Law 1: attackers will always find their way (even on Mac)

Tribler: a (worrying) P2P client

Tribler is a new P2P client that made the headlines last month. It was claimed to make BitTorrent unstoppable and to offer anonymity. I had a look at it and played with it.

This is an open source project from the University of Delft.  It has been partly funded by the Dutch Ministry of Economic Affairs.  The project started in January 2008.  Tribler is worrying to both content owners and users.

To content owners, Tribler is worrying because of its features.

  • Tribler is more user-friendly than other P2P clients. It integrates several functions in the client. First, it allows searching for torrents from the client's user interface among the currently connected peers. In other words, it does not need a central tracker to hold the torrent pointers. Thus, it is more robust and also easier to use than other clients. If the expected content is popular, the likelihood of finding it within the connected community is high, so there is no need to leave the application to look for torrents on trackers. Of course, it can import torrents from any external tracker such as mininova, so when content is not available in the community, the user may fall back on traditional trackers.
    The second interesting feature is that it emulates video streaming using standard torrents. In this mode, it buffers the video and starts playing it within the application after a few seconds. From the user's point of view, it is similar to streaming from a cyberlocker (with the difference that, once viewing is complete, there is a full copy of the content on the user's computer).
    These features are not new (eMule allowed searching within it, BitTorrent Pro offers an HD player inside it…). However, Tribler packages them nicely. The user experience is neat.
  • Tribler promises anonymity. It uses a Tor-like onion structure to reach the different peers. Or at least, it should in the future. The current version clearly announces that this is still beta. Furthermore, all the current peers were directly connected; only an experimental torrent used the feature. However, once validated and activated, it should become harder to trace back the seeders.

To users, Tribler is worrying because of its security. Tribler promises anonymity. Unfortunately, this is not the case. "Yawning Angel" analyzed the project. Although his analysis was not thorough, it highlighted several critical flaws in the protocol used. As it is possible to define circuits of arbitrary length, it would be possible to create congestion and thus a kind of DoS. More worrying, there are several severe cryptographic mistakes such as improper use of ECB mode and a fixed IV in OFB… His conclusion was:

For users, “don’t”. Cursory analysis found enough fundamental flaws, and secure protocol design/implementation errors that I would be reluctant to consider this secure, even if the known issues were fixed. It may be worth revisiting in several years when the designers obtain more experience, and a thorough third party audit of the improved code and design has been done.
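
The two cryptographic mistakes named above, a fixed IV in OFB mode and the use of ECB mode, as an added Go example that is not Tribler's code: it shows why a fixed IV turns OFB into a reused one-time pad and why ECB exposes repeated plaintext blocks. The key and messages are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mustCipher builds an AES block cipher or panics on a bad key length.
func mustCipher(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// ofbEncrypt returns AES-OFB keystream XOR plaintext; the IV travels alongside.
func ofbEncrypt(key, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewOFB(mustCipher(key), iv).XORKeyStream(out, plaintext)
	return out
}

// KeystreamReuseLeaks encrypts two equal-length messages under one key and
// reports whether c1 XOR c2 == p1 XOR p2. With a fixed IV the keystream
// repeats, so an observer learns the XOR of the plaintexts without the key.
func KeystreamReuseLeaks(key, p1, p2 []byte, fixedIV bool) bool {
	iv1, iv2 := make([]byte, aes.BlockSize), make([]byte, aes.BlockSize) // fixed: all zero
	if !fixedIV { // the fix: a fresh random IV for every message
		rand.Read(iv1) // crypto/rand.Read does not fail in practice
		rand.Read(iv2)
	}
	c1, c2 := ofbEncrypt(key, iv1, p1), ofbEncrypt(key, iv2, p2)
	for i := range p1 {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}

// ECBRepeats encrypts two identical blocks independently (ECB) and reports
// whether the ciphertext blocks coincide, i.e. whether ECB leaks structure.
func ECBRepeats(key []byte) bool {
	block, p := mustCipher(key), bytes.Repeat([]byte("same 16 byte blk"), 2)
	c := make([]byte, len(p))
	for i := 0; i < len(p); i += aes.BlockSize {
		block.Encrypt(c[i:i+aes.BlockSize], p[i:i+aes.BlockSize])
	}
	return bytes.Equal(c[:aes.BlockSize], c[aes.BlockSize:])
}

func main() {
	key, p1, p2 := []byte("0123456789abcdef"), []byte("hello peer alpha"), []byte("hello peer bravo") // constructed
	fmt.Println(KeystreamReuseLeaks(key, p1, p2, true), KeystreamReuseLeaks(key, p1, p2, false), ECBRepeats(key))
}
```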

Lessons:

  • P2P seems not yet dead. Streaming emulation may change the balance with streaming cyberlockers.
  • Be very cautious about claimed anonymity. Developing a robust Tor-like solution requires an enormous effort and deep knowledge of cryptography and secure protocols. Tor is continuously under attack.
  • Universities may finance projects that will facilitate piracy. "Openness of the Internet" to fight censorship does not require watching content within the client. The illustrative screenshot of Tribler on the Delft university page clearly shows some copyrighted movies offered for sharing.

Some notes on Content Protection Summit 2014

The conference was held on 9 December in Los Angeles. The audience was rather large for such an event (more than 120 attendees), with representatives of content owners, service and technology providers and a few distributors.

The big trend and message is that cyber threats are more and more severe. Traditional content protection is no longer sufficient. It has to be extended to IT cyber threats. The SPE issue was cited very often.

The conference did not disclose surprisingly new information or technology. Nevertheless, the event is a good occasion to share knowledge and basic best practices. The following part highlights interesting points or figures I collected during the event.

Welcome Remarks (by ROSE M., Ease)

He highlighted that cyberwar is a reality. It is waged by government-funded teams or hacktivists. It has serious implications such as wild censorship…

The Global State of Information Security (by BANTHANAVASI S., PwC)

The cyber world is becoming more dangerous and the situation seems to be degrading. Some interesting figures from PwC's annual report:

  • In 2014, the U.S. government notified 3,000 U.S. companies that they had been attacked
  • There were 48% more reported incidents in 2014. Furthermore, the average cost of a breach increased.
  • Investment in security diminished
  • More and more incidents are attributed to third parties with trusted access

What to do (and who to call) (panel)

The usual stuff. The most interesting pieces of advice were:

  • Logging must be switched on. This is essential in a cloud environment, where low-cost plans may not include the logging feature. It is worth paying for it: logs are indispensable to learn from and analyze an incident when it occurs.
  • Have a response team available beforehand. You will not have time to look for and organize one when the incident occurs or is detected.

The focus of the discussion was always on script kiddies, and never on Advanced Persistent Threats (APT).

This script will self destruct in 2 hours (panel)

The script is of high value, especially when shooting has not yet started or the decision has not yet been taken. Nevertheless, its protection needs to be convenient. This is the typical challenge of a confidential, sensitive document that needs controlled distribution. Warner announced that they sometimes even use 3-factor authentication. Creative people may have hard feelings about privacy and traceability.

Protecting content: where creativity and security meet (panel)

Key message:  embed security within the existing ecosystem

According to Fox, a leak of a TV show is more forgivable than a leak of a feature movie (except perhaps for the opening and closing episodes). The biggest coming challenge is the request for international day+1 release of TV shows.

How to Secure Workflows in the age of digital services (panel)

Key message:  be aware of third parties (and their own third parties) and freelancers

The creative process behind great storytelling (panel)

A refreshing session with creative people. The end of the session was a plea for copyright. The arguments were similar to those in the book Free Ride.

It’s about the money: strategies to disrupt funding piracy (LAWRENCE E., ABS-CBN and SUNDERLAND J., Lionsgate)

In my opinion, the most interesting session. They presented real use cases.

Elisha explained how she drastically reduced online piracy against ABS-CBN (the Netflix of the Philippines). She went through several steps:

  1. Analyze the pirate landscape
  2. Using SEO, raise the ranking of the official sites so that they appear as the first links in Google and push pirate sites back to later pages.
  3. Use investigators to collect evidence enabling the shutdown of sites
  4. Lawsuits with high fines. The arrested webmasters are interviewed to learn all their techniques and tricks.

Jane explored how reputable brands end up advertising on pirate sites. 80% of the revenues of streaming cyberlockers come from advertising. Among them, 22% come from institutional brands. Tools exist to filter out placement on malicious sites, but brands have to opt in. Brands should be worried about placing their advertisements on such sites, as they sometimes also host malware.

The culture of piracy: A European perspective (VERSTEEG G., Rights Alliance)

He explained the historical reasons why so much piracy originated from Sweden (Kazaa, The Pirate Bay…). He asked for a transactional VOD release window concurrent with the theatrical and home windows. The price could be dynamic, starting high and decreasing with time.

Being European, I did not see what was specifically European about it. It was more his opinion.

What’s the forecast for securing the cloud? (panel)

In my opinion, the worst session. There was no serious discussion of the actual security of the cloud, no discussion of hybrid clouds, and no precise definition of cloud (not even a mention of the NIST definition). It even seemed to me that there was a consensus that implementations in the cloud would be more secure than today's implementations.

The topic is far more complex than the simplified vision drawn during the panel.

Internet Wide Scanning

At USENIX 2014, Alex Halderman, Zakir Durumeric and Michael Bailey, from the University of Michigan, presented an interesting study of the new landscape of wide-scale Internet scanning. Scanning the Internet to find vulnerable targets is an old practice used by academics, security research companies and black hats alike. Nevertheless, the practice has changed during the last decade.

First of all, new tools have appeared: ZMap and masscan. Provided they have access to a huge bandwidth, they can explore the full IPv4 address space in a few minutes from a single vantage point. There is no longer any need to use a botnet running tools such as nmap. This team knows ZMap well, as it is an open source project developed by the University of Michigan and at least two authors of this paper.

The ports that are scanned have also evolved during the past decade. The big winner is port 445 for SMB over IP. Interestingly, HTTP, HTTPS and SSH are mainly scanned by academic studies.

2004              2010              2014
HTTP (80)         SMB-IP (445)      SMB-IP (445)
NetBIOS (135)     NetBIOS (139)     ICMP Ping
NetBIOS (139)     eMule (4662)      SSH (20)
DameWare (6129)   HTTP (80)         HTTP (80)
MyDoom (3127)     NetBIOS (135)     RDP (3389)

Table: temporal differences in targeted protocols

They also studied three use cases. I was most interested in the use case related to the Linksys router backdoor. After the public disclosure, 22 hosts completed 43 scans of the IPv4 address space targeting port 32764 (the backdoor). The first one was Shodan, in less than 48 hours. Within one week, other scans had started: two from academia and 3 from security firms, but the remainder came from unidentified hosts!

For Heartbleed, same story:

In the week following the disclosure, we detected 53 scans from 27 hosts targeting HTTPS. In comparison,
in the week prior to the disclosure, there were 29 scans from 16 hosts.

The lesson is that this environment is extremely dynamic. New points of interest appear regularly and shift with time. New tools appear. Thus, be proactive to stay secure.
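
The kind of signal the Michigan darknet study relies on, as an added Go example that is not the authors' code: it groups constructed darknet records by (source, port) and flags sources sweeping many addresses on one port, such as 32764 or 445. The record format and the threshold are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Scan is a source that touched Targets distinct darknet addresses on one port.
type Scan struct {
	Src     string
	DPort   int
	Targets int
}

// DetectScans reads "src dst dport" darknet records, skipping malformed lines,
// and flags every (source, port) pair that reached at least minTargets distinct
// destinations. The record format and threshold are this example's assumptions.
func DetectScans(records string, minTargets int) []Scan {
	seen := map[Scan]map[string]bool{} // (src, port) -> set of destinations
	for _, line := range strings.Split(records, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		port, err := strconv.Atoi(f[2])
		if err != nil {
			continue
		}
		k := Scan{Src: f[0], DPort: port}
		if seen[k] == nil {
			seen[k] = map[string]bool{}
		}
		seen[k][f[1]] = true
	}
	var scans []Scan
	for k, dsts := range seen {
		if len(dsts) >= minTargets {
			k.Targets = len(dsts)
			scans = append(scans, k)
		}
	}
	sort.Slice(scans, func(i, j int) bool { return scans[i].Src < scans[j].Src })
	return scans
}

// SampleFlows is constructed darknet data, not the study's: one source sweeps
// the Linksys backdoor port 32764, another sweeps SMB (445), a third is noise.
const SampleFlows = `198.51.100.7 203.0.113.1 32764
198.51.100.7 203.0.113.2 32764
198.51.100.7 203.0.113.3 32764
192.0.2.9 203.0.113.1 445
192.0.2.9 203.0.113.4 445
192.0.2.9 203.0.113.5 445
192.0.2.200 203.0.113.7 80
192.0.2.200 203.0.113.7 443`

func main() { fmt.Printf("%+v\n", DetectScans(SampleFlows, 3)) }
```

On real darknet data the threshold and window need tuning; the noise source here hits a single address on two ports and is correctly left out.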

Who is monitoring your baby?

Data Watchdog announced that a Russian website featured a database listing about 73,000 streaming IP webcams or CCTV cameras whose owners are not aware that their camera is broadcasting video. The webcams are located all over the world. They are used for offices, baby monitoring, shop surveillance, pubs, etc. All major manufacturers were present amongst the breached webcams. The webcams were discovered by scanning the Internet and trying the default password. This is a good illustration of Law 8: If you watch the Internet, the Internet is watching you. The UK Information Commissioner's Office recommends changing the default password of the camera and disabling remote access when it is not needed.

The site claims to do this for educational purposes. This is what the site states when accessing it. It seems to be effective, as there are fewer and fewer listed feeds.

Sometimes an administrator (possibly you too) forgets to set the default password on a security surveillance system, online camera or DVR. This site now contains access only to cameras without a password and it is fully legal. Such online cameras are available for all internet users. To browse cameras just select the country or camera type.

This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private the only thing you need to do is to change your camera default password.

Several interesting lessons:

  • As usual, default passwords are to blame. Users, and even professionals, since CCTV systems seem to be listed too, do not change the default password. Manufacturers may not want to enforce changing the default password, as it creates issues when users forget their password, but they should at least propose it the first time the user boots the device.
  • People are not good with security.  With the Internet of Things (IoT), there will be more and more connected devices.  This means that there will be more and more vulnerable devices on the Net.  IoT may make the Internet more brittle.
  • Who will inform the owners of these spied webcams that they are spied?  The remedy is simple, but the victims should at least be aware that they should apply this remedy.

By the way, did you change the default password of all your devices? If not, I urge you to do so.

When DRM sends personal information in the clear…

Adobe offers an eBook reader called Digital Editions. The current version is 4. So far, so good.

Unfortunately, on 7 October, the website "The Digital Reader" reported that Digital Editions 4.0 collected information about reading habits. The data reportedly gathered were the eBooks stored in the reader, the eBooks that had been opened, the pages that were read, and the order in which they were read. This information was sent back to the server adelogs.adobe.com in the CLEAR. Thus, this version had two issues regarding privacy:

  • It collected information without informing the end user.
  • It sent personal information in the clear.  Any sniffer could extract this information.

Adobe answered:

Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy

Obviously this answer is not satisfactory. Last week, Adobe published a revised version 4.0.1 that sends back the information using SSL. Furthermore, in a note published on October 23, 2014, Adobe listed the collected information:

  • User ID
  • Device ID
  • App ID
  • Device IP
  • Identification of the book
  • Duration for which the book was read
  • Percentage of the book read

The information is collected only for DRM-protected eBooks. This data gathering is intended for a potential clearing house, since some publishers' business models may be based on actual consumption.

The lesson is that technologists never learn from past errors. It is no longer acceptable to send private information over the Internet in the clear. HTTPS is an easy way to transfer data securely, and servers scale properly nowadays.

New job

Since yesterday, I am VP media & content security at Sony Pictures. This new affiliation should not have any impact on this blog. Regular readers of this blog know my, hopefully balanced, position regarding copyright and content protection.