Cloud services as Command and Control

Cloud services increase the attack surface of corporate networks. For instance, we usually associate file sharing services with the risk of leaking confidential information. This is a real threat. These services may also present another, more lethal threat: becoming Command and Control (C&C) channels. C&C is used by botnets or Trojans to communicate with the infected machines.

At Black Hat 2013, Jake Williams presented DropSmack: a C&C tool dedicated to Dropbox. In his paper, he explains the genesis of this tool. It is a well documented story of an advanced penetration test (worth reading if you are not familiar with these tests). The interesting part of the story is that he succeeded in infecting an employee's home computer. The employee used this home computer to work on corporate documents through his Dropbox account. Thus, any modification or new file in the Dropbox folder was synchronized to the cloud-based folder and then synchronized to the company's computer. If the attacker manages to plant malware in the home computer's synchronized folder, it will appear on, and infect, the corporate computer.

Thus, using DropSmack, he was able to implement a C&C using Dropbox as the channel. What is interesting is that it flies below the radar of firewalls, IDS or DLP because the synchronized files are encrypted! Furthermore, the likelihood that Dropbox is whitelisted is high. And following the statistics presented in my last post, the likelihood that one of your employees is already using Dropbox, even without the blessing of the IT department, is extremely high.

Last month, Trend Micro detected a Remote Access Tool using Dropbox as C&C! It was used to target a Taiwanese government agency.


A few lessons:

  • When a researcher presents an attack, it does not take long for it to appear in the wild. Never downplay a disclosed attack.
  • Cloud brings new threats and we are just seeing the tip of the iceberg. The worst is yet to come.


PS: the same attack may be used on any file sharing service. Dropbox was used due to its popularity and not because it is vulnerable. The vulnerability resides in the concept of (uncontrolled) file sharing.
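Since the sync traffic itself is encrypted, the place to catch a file-sharing channel like the one above is the endpoint where the files land. As an added, defender-side example (not part of the original post or of DropSmack), here is a small Python check that inspects files arriving in a synchronized folder for executable content; the folder layout and sample files are constructed for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Magic bytes that identify executable content whatever the file is named.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
}
# Extensions that have no business arriving unannounced in a document-sharing folder.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".jar"}


def classify_file(path: Path) -> Optional[str]:
    """Return a reason to alert on this file, or None if it looks like a plain document."""
    with path.open("rb") as fh:
        head = fh.read(8)
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return label
    if path.suffix.lower() in RISKY_EXTENSIONS:
        return "risky extension " + path.suffix.lower()
    return None


def scan_sync_folder(root: Path) -> List[Tuple[str, str]]:
    """Walk a synchronized folder and list (relative path, reason) for every suspicious file."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reason = classify_file(p)
            if reason:
                findings.append((p.relative_to(root).as_posix(), reason))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a constructed sample sync folder and scan it (sample data, not real files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "budget_2013.txt").write_bytes(b"Q4 forecast: see attached sheet\n")
        # A PE binary hiding behind a double extension; the content, not the name, gives it away.
        (root / "report.pdf.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
        # Harmless-looking name, but the extension is one Windows will execute.
        (root / "photo.scr").write_bytes(b"not really a screensaver")
        # Shell script: caught by its interpreter line.
        (root / "sync.sh").write_bytes(b"#!/bin/sh\necho hello\n")
        return scan_sync_folder(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"ALERT {rel}: {reason}")
```

Such a check complements, rather than replaces, endpoint anti-malware: it only tells you that executable content arrived through a channel meant for documents, which in the scenario above is exactly the event worth an alert.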

Social engineering and catastrophes

Recently, I visited a security company. They presented their new, impressive Security Operations Center. The security analysts had a continuous update of the health of their networks, the most prominent threats and a wealth of other useful security indicators on three huge displays. In the bottom right corner, news channels as well as selected tweets were continuously updated. They explained that it was key to be aware of breaking news as it may impact the threat environment.

They are right. A good social engineer may exploit the current breaking news and the morbid curiosity of users. With the advent of social networks as a vector to disseminate the latest news, news items have become common attack tools. For a few years, every major catastrophe has seen mushrooming spam and fake sites pretending to collect charity for the victims of the catastrophe. In 2014, it even started to become a vector for Advanced Persistent Threats (APT).

On March 8, 2014, Malaysian authorities announced that they had no news of flight MH370 to Beijing. It took several weeks before confirmation that this flight had crashed in the sea. Meanwhile, this topic was used for spying on political bodies. Two days later, members of a government in the Asia Pacific region received a spear-phishing mail with an attachment titled “Malaysian Airlines MH370.doc”. Of course, this document was empty but contained Poison Ivy malware. It was sent by “Admin@338”: a Chinese hacking group. The same attacking group sent, on March 14, 2014, a different spear-phishing email to a US think tank with an attachment titled “Malaysian Airlines MH370 5m Video.exe”. Once more, the attachment was malware.

Many other malware campaigns used the same catastrophe without being part of an APT, but rather as generic, indiscriminate attacks. Some phishing sites, mimicking Facebook's look, were used to collect data from duped users. The sites supposedly presented a video of the supposed discovery of the missing plane. Before viewing the video, the site asked users to share the video with their friends. Afterwards, the site asked the users to answer some questions such as their age. In other words, the phishing sites scammed the curious, tricked users.

This trend has existed for a few years and exploits every widely covered catastrophe. Thus be aware: charity may be a threat vector.

Target and FireEye

At the beginning of December 2013, the US retailer Target suffered a huge data leak: 40 million valid credit card records were sent to Russian servers. This leak will have a serious financial impact for Target as there are already more than 90 lawsuits filed against Target.

Target is undergoing a deep investigation to understand why this data breach occurred. Recently, an interesting fact popped up. On November 30, a sophisticated commercial anti-malware system, FireEye, detected the spreading of an unknown malware within Target's IT system. It spotted the customized malware that was being installed on the points of sale to collect credit card numbers before sending them to three compromised Target servers. Target's security experts based in Bangalore (India) reported it to the US Security Operations Center in Minneapolis. The alert level was the highest from FireEye. The center did not react to this notification. On December 2, a new notification was sent without generating any reaction.

The exfiltration of the stolen data started after December 2. Thus, had the Security Operations Center reacted to this alert, it might not have stopped the collection, but at least it would have stopped the exfiltration to Russian servers.

As we do not have the details on the daily volume of alerts reported from Bangalore to the Security Operations Center, it is difficult to blame anybody. Nevertheless, this is a good lesson with the following conclusions:

  • Law 10: Security is not a product but a process. You may have the best tools (and FireEye is an extremely sophisticated one: it mirrors the system, runs the input data within the mirror and analyses the reactions in order to detect malicious activities). If you do not manage the feedback and alerts of these tools, and take the proper decisions, then these tools are useless. Unfortunately, the false-positive rate is too high to let current tools take such decisions on their own.
  • Law 6: You are the weakest link. The Security Operations Center decided not to react. As FireEye was not yet fully deployed, we may suppose that the operators did not fully trust it. The human decision was wrong this time.

CCC hacked Apple’s TouchID

One of the “innovative” features of the new Apple iPhone 5S is TouchID. TouchID is an integrated fingerprint recognition system. Once your fingerprint is registered, you can unlock the phone by pressing your finger on the home button. Is it secure?


On Saturday, the German Chaos Computer Club (CCC) announced that they had cracked TouchID. According to them, the technology had nothing new except a higher-resolution sensor. Thus the countermeasure was to use the traditional, proven methods at a higher resolution. Of course, it worked.

More interestingly, the official CCC announcement highlights two major limits of biometrics:

  • It is not secure; most of the systems can be fooled.
  • Biometrics cannot be revoked! Once cracked, your fingerprint will always be valid!


Nevertheless, some remarks to qualify these points:

  • Some systems are more sophisticated. For instance, some fingerprint systems check whether the applied “finger” is living tissue or a piece of latex. These systems are more expensive, of course.
  • Some biometric systems, such as vein pattern recognition, are far more difficult to fool. Their price is currently out of the reach of the consumer market.
  • As many people do not use a PIN to lock their phone, using a fingerprint may be a more acceptable solution for many people. This is better than using no access control on the phone, as long as the user does not blindly believe that the phone's security is absolute.

Has NSA broken the crypto?

With the continuous flow of revelations by Snowden, not one day passes without somebody asking me whether crypto is dead. Indeed, if you read some simplifying headlines, it looks like the Internet is completely insecure.


Last Friday, Bruce Schneier published an excellent paper in The Guardian: “NSA surveillance: a guide to staying secure.” For two weeks, he analyzed documents provided by Snowden. From this analysis, he draws some conclusions and provides some recommendations. In view of Bruce's security credentials, we may trust the outcome. I recommend that readers read the article.

My personal highlights from this article:

  • The documents did not present any outstanding mathematical breakthrough. Thus, algorithms such as AES are still secure.
  • To “crack” encrypted communications, the NSA uses the same tools as hackers but at a far higher level of sophistication. They have a lot of money. The tricks used:
    • Looking for weak algorithms in use
    • Looking for weak passwords with dictionary attacks
    • Powerful brute force attacks
  • The two most important means are:
    • Implementing back doors and weakening commercial implementations (poor random generators, weak constants in Elliptic Curve Cryptosystems (ECC), leaking keys…). The same is true for hardware.

As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about.

    • Compromising the computer that will encrypt or decrypt. If you have access to the data before it is secured, then you do not care about the strength of the encryption.

These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.

His recommendations are common sense. The most interesting one is to avoid using ECC, as the NSA seems to influence the choice of weak curves and of the constants within the curves.


His final statement

Trust the math.

is OK, but I would add “Do not trust the implementation.” Always remember law 4: Trust No One.

Toilet DOS

A humorous news item today, as we are in the holiday period.

Japanese toilets are known to be extremely sophisticated. The company LIXIL sells Bluetooth-enabled toilets under the brand name SATIS. There is even an application (My Satis) available on Google Play that drives your toilet from your Android phone. You can select the music played by the toilet, open or close the lid, and manage many other features.


Where is the relation with security? The security company Trustwave SpiderLabs issued a security advisory on August 1 about the LIXIL Satis toilet! The application uses a hardcoded PIN of ‘0000’. In other words, anybody with the application and within range of the toilet can take control of the toilet. I let you imagine interesting hacking scenarios… According to the security advisory,

Attackers could cause the unit to unexpectedly open/close the lid, activate
bidet or air-dry functions, causing discomfort or distress to user.

In other words, a new breed of Denial of Service…

What I would like to understand is how a security analyst decided to have a look at the security of a toilet. Nevertheless, it shows that security is not taken seriously today in most consumer devices, although they are more and more connected. As a proof, LIXIL did not react to this advisory for more than six weeks.

Thanks to MY for the pointer.

Favor helps

If you do a favor for one person, will this person be more likely to comply with your request? Dennis Regan studied this question in 1971. The purpose was to validate two hypotheses:

  • A subject is more likely to respond to your request favorably if he likes you
  • A subject is more likely to answer your request favorably if you just did him a favor

The experiment is complex. As usual, it uses a confederate. In a first phase, the confederate manipulates liking by being either pleasant or unpleasant (depending on the way he answers a phone call). Then, they have to participate in a common experiment. Then, the confederate manipulates the favor. For a positive favor, he offers a soda to the subject. For no favor, he does not offer a soda. For an irrelevant favor, another person offers a soda to both the confederate and the subject.

Then the experiment measures compliance with a request. Thus, the confederate asks the subject to purchase some cheap raffle tickets. The number of purchased tickets is the metric.

The experiment also measures liking by asking, among many other questions, how the subject felt toward the confederate.

Following are the average numbers of raffle tickets purchased, depending on the experimental conditions:

                          Favor   Irrelevant favor   No favor
  Pleasant confederate    1.91    1.50               0.80
  Unpleasant confederate  1.60    1.00               0.80

The experiment shows that a favor increases the likelihood of complying with a request. It seems that the Reciprocity principle applies here. The normative pressure to return the favor is stronger than the attitude toward the person.

Of course, good social engineers use this trick.

D.T. Regan, “Effects of a favor and liking on compliance,” Journal of Experimental Social Psychology, vol. 7, Nov. 1971, pp. 627–639.