Everyday cyber crime

Thursday, November 2nd, 2017 | Mark Bedford | Comments Off on Everyday cyber crime

I recently discovered a very good TED presentation by James Lyne, it is definitely a goodie. In his presentation, “Everyday cybercrime – and what you can do about it” https://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it he provides an excellent introduction into internet security. His entertaining style fits well with the content and the 17 minute presentation covers key material. This should be on everyone’s play list as he debunks common myths about cybercrime. A Sophos page with some helpful followup tips can be found over at https://sophos.com/wifi with the emphasis wifi services.

Increase in Office Documents Using DDE to Distribute Malware

Thursday, October 26th, 2017 | Mark Bedford | Comments Off on Increase in Office Documents Using DDE to Distribute Malware

I note from our monitoring that we have seen an uptick in tainted Office attachments or inline RTF documents that use DDE to launch malware or a downloader. The edge email gateway is now detecting the current batch of these as “Troj/DocDl-xxx” and Sophos end point is detecting these as “Torj/DocXX-xxx”.

Most people are “macro” savvy but DDE (which has been around for a long time) is a new method of propagating malware.

So if you receive an Office attachment via email and when you view it or open it you get a warning such as:

Clicking No will prevent the DDE attack from launching.

For those who click “Yes” at the first dialog then you will get another dialog warning that a command is about to be started similar to:

The “No” option is the way to prevent the attack.

If you do get documents that contain these, you should validate the senders email address and use an alternative method (not email) of contacting the sender to confirm their intent in sending the DDE documents.

Sophos Security Facebook video (no authentication required to view) https://www.facebook.com/SophosSecurity/videos/10155119823700017/

Naked Security article on the DDE attack https://nakedsecurity.sophos.com/2017/10/22/office-dde-attack-works-in-outlook-too-heres-what-to-do/

Also this Microsoft article on how to view all email messages as plain text https://support.microsoft.com/en-ca/help/831607/how-to-view-all-e-mail-messages-in-plain-text-format

 

KRACK WiFi Vulnerability

Tuesday, October 17th, 2017 | Mark Bedford | Comments Off on KRACK WiFi Vulnerability

You may have heard about a recent WiFi security problem nicknamed KRACK which was uncovered by a group of researchers early 2017. They discovered that there is a problem with the way WiFi devices negotiate their encrypted connections and this leads to some serious issues, so you should be worried but don’t panic. Your wireless password is safe as it is not disclosed (as long as it is not used elsewhere).

The issues are present in ALL devices that use the WiFi WPA protocol and include Android, Apple iOS, OSX, Windows, Linux, IoT devices. Because the vulnerability can only be exploited by an attacker in your WiFi coverage area you wont be attacked by a bad actor from the other side of the world at 3:00 am but you might by your local neighborhood hacker.

Patched or un-patched, if you use HTTPS or SSH (or anything with SSL/TLS encryption), whatever you send is secure and cannot be plainly seen or intercepted (as far as this vulnerability goes). An attacker will see that there is traffic but not the contents of the traffic. If you use a VPN (no NOT Hola or its ilk) then traffic traversing the VPN is also secure. So there maybe some privacy issues here but not confidentiality issues. In many ways this is no different than using an open WiFi network at the airport or hotel, assume that your traffic is being watched therefore sensitive information should be protected with encryption. Note for Otago VPN users, only the traffic to/from Otago is secure, other traffic may not be.

There is only one remediation at present, patch your device with the security update for this specific vulnerability when it becomes available. Vendors are currently working on patches, or have already released them. This includes lots of devices that are still working after many years of active service (the vulnerability is some 10 years old). Many older devices will never receive security updates so if you continue to use these devices you should assume that all of your traffic is being spied on and potentially altered. Time to dispose of them responsibly and upgrade them to a newer supported device.

For those wanting a more technical discussion, here is a Information Security blog article https://blogs.otago.ac.nz/infosec/2017/10/17/wpa2-krack-technical-notes/

 

Is my home Wifi network ok?

Tuesday, October 17th, 2017 | Mark Borrie | Comments Off on Is my home Wifi network ok?

What is it KRACK?

You may have heard about the latest security problem with wifi networks and be wondering what this is all about.

Yes this is a serious problem, and YES your home network is vulnerable. Every network is currently vulnerable to this new issue. More importantly, you computers, laptops, phones and other devices are also vulnerable.

What impact is there?

Potentially this impacts an extensive range of devices including Apple, Android, OpenBSD, Linux, Microsoft, smart computers, smart phones, access points, IoT devices etc. The attack cannot be executed remotely; the attacker must be within range of your wireless network ie physically near your Wi-Fi.

So what can happen? An attacker can insert themselves into your network conversations and listen to what is going back and forth. They could also potentially start changing things. If you are communicating over an encrypted link such as using https then an attacker cannot see your information. This means that your passwords will continue to stay secure.

At this time, there is no evidence that an attack tool exists in the wild but they will come sooner rather than later. Until then the attack will only be possible from a skilled attacker, however once easy-to-use tools are available the skill factor is no longer a barrier . Expect to see your neighbourhood hackers attacking your old iPhone or Android device.

What to do about it?

With this in mind you should patch all of your devices soon.

If you have an older device then the manufacturer may not release patches for this issue. This is a problem and you will need to consider upgrading your device to one that is supported.

If you need to ensure the privacy of your network usage then use a VPN to encrypt all your traffic. VPN is a protocol for encrypting all network traffic between two network points. The University has a VPN service that allows staff to connect to the internal University network from most places on the Internet. You will need to find a suitable VPN service for you.

The Bleeping Computer site is keeping an up to date list of patched devices at https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

Summary

KRACK is an issue for all wireless networks. You should apply the security patches as soon as they become available.

Older devices may not receive security updates and are now at risk of becoming a gateway into your network and privacy. As such, sensible disposal is the preferred approach.

For devices where no patch is available you should assume that all traffic from that device can be spied on and potentially altered. Using a VPN to help mitigate this for you.

WPA2 “KRACK” – Technical notes

Tuesday, October 17th, 2017 | Jim Cheetham | Comments Off on WPA2 “KRACK” – Technical notes

KRACK (Key Reinstallation Attacks) is an effective attack on the WPA2 802.11i protocol used for protecting WiFi networks, published on October 16 2017 .

Because it is an attack on the protocol itself, every piece of equipment that can communicate over WiFi is affected. The attack must be carried out by a device that is in range of the network; i.e. this is a local attack, not a remote one.

TL;DR

Be WORRIED, but there is no need to PANIC. If there is a PATCH for your device, apply it as soon as possible. Otherwise, worry until there is.

KRACK tricks your wireless devices into resetting their encryption sessions to a known state, after which the attacker can read everything that they do, and can inject their own data into the network (i.e. a Man-in-the-Middle attack). This effectively turns your “private, secure” WPA2 network into a “public, insecure” one.

If you are safe operating your device on a public insecure network (e.g. airport or coffee-shop WiFi), then you will be equally safe operating it on a compromised WPA2 network.

KRACK does NOT steal your WiFi passwords or credentials.

The only effective fix for KRACK is on your client devices. PCs and laptops are likely to be patched quickly, mobile phones much more slowly if at all, and IoT devices are at serious risk.

KRACK References

  • KRACK website, https://www.krackattacks.com/
  • Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, https://papers.mathyvanhoef.com/ccs2017.pdf
  • CERT CVEs, http://www.kb.cert.org/vuls/id/228519
    • CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
    • CVE-2017-13078: reinstallation of the group key in the Four-way handshake
    • CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake
    • CVE-2017-13080: reinstallation of the group key in the Group Key handshake
    • CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake
    • CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it
    • CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
    • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
    • CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
    • CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame

Timeline

In early 2017 the researchers were finishing off another security publication when they realised that part of the OpenBSD network code for WiFi that they were discussing had a potential problem. By July 2017 a wide range of systems had been confirmed with this problem, and the CERT/CC co-ordinated a wider notification to OS and device vendors in late August. The public announcement was made on 16 October 2017.

Many vendors have made announcements and released patches already, more will be coming soon. OpenBSD patched early due to their relationship to the original discovery, some other vendors seem to have issued patches already but many important ones are yet to patch.

Patches

At the moment I’m getting my information from the CERT/CC and the Bleeping Computer website, but I’ll verify from original sources as soon as I can. https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

No Patches

If you have a device using WiFi, and there are no patches for it, you should assume that all traffic from that device can be spied on and potentially altered. If you are encrypting your communications with TLS/SSL or something equivalent like OpenSSH, then all you are at risk from is a lack of privacy. However, you might need to consider implementing a VPN if you rely on plaintext or easily spoofed protocols.

Further Questions

If you have any further questions, please get in touch with the Information Security Office through the usual channels.

 

Information Security Tips

Thursday, September 7th, 2017 | Mark Bedford | Comments Off on Information Security Tips

I came across the SANS Security Awareness Tip of The Day recently. It includes a daily tip that explains how people can better protect themselves in a digital world with suggestions on what your social media privacy setting should be to guidance on technology rules for visiting children.

So why not add it to your bookmarks or your RSS reader

Email “Virus” Outage Incident Report

Tuesday, March 7th, 2017 | Jim Cheetham | Comments Off on Email “Virus” Outage Incident Report

Summary

On Thursday 2 March 2017, email to and from the Internet between approximately midnight and 7am was being incorrectly classified as containing a virus, and this caused some messages to be permanently lost. Inbound email was described as having been quarantined, but this was not correct; the original messages had not been preserved.

Between 7am and midday on the 2nd, the email service was effectively shut down for investigation and repair. By midday, all services had been restored. All email sent from 7am onwards would eventually be delivered normally.

Although not yet officially confirmed by the vendor, the cause of the problem was a corrupt or absent antivirus update to the edge email servers.

Timeline

Thursday 2 March 2017

  • Midnight to 1am : Inbound email is increasingly being marked as [PMX:VIRUS] and notification versions of the originals are being delivered to end-users.
  • 2:30am : outbound email is now being marked as infected, and is rejected (i.e. the senders are being notified that their messages are not being sent out).
  • 6:30am : The Information Security Office becomes aware of the issue, and halts all of the inbound and outbound email services in order to investigate.
  • 7:15am : Vendor documentation describes the error that is being seen, but the recommended fix does not work.
  • 8:10am : Our external support partner pro-actively contacts ISO to inform them that there is a current issue affecting multiple customers globally.
  • 8:30am : First ITS Service Notice published – updated with current information at 10:30, 11:30, 12:30 and 3:30
  • 10:00am : Announcement “Email delivery issues” emailed to all-depts@ and CITSP@
  • 10:20am : Outbound email services are restored, but only by disabling the normal antivirus checks. This is not a suitable choice for inbound email, however; this remains shut down.
  • 11:50am : Vendor supplies a working update to the antivirus; testing confirms that this fixes the problem properly.
  • 12:15pm : Inbound email services restored. All email sent to us since 6:30am will eventually be delivered normally.
  • 3:20pm : efforts to restore original copies of the incorrectly-marked inbound email are unsuccessful, and are halted. A further announcement “Re: Email delivery issues” is sent to all-depts@

Remediation

We will review the vendor’s incident report when this is published in order to identify any improvements we need in our configuration.

We will investigate the failed quarantine action that caused the mis-categorised email to have been lost.

We will discuss this incident within the context of Disaster Recovery and Business Continuity Plans, to see if any improvements need to be made to these.

Who looks at your data? Evernote, for a start.

Thursday, December 15th, 2016 | Jim Cheetham | Comments Off on Who looks at your data? Evernote, for a start.

Evernote is a great app that helps you create and keep track of notes and synchronise them across the various devices you own – so you can take a photo from your phone, label it, and use it in a document on your PC simply.

It’s also a great example of a “Cloud” service; in order to get that photo from your phone to your PC, it is first copied up to Evernote’s servers, and then your PC copies it down again. You can also access your data directly from a web browser from any computer, if you need it immediately.

However, Evernote does not do anything to encrypt the copy of the data that they store on their own servers. They have a privacy policy to promise to be good, of course … but that’s just changed.

The latest privacy policy goes into effect in January 2017, and as well as the perfectly necessary exceptions for things like court orders and malware incidents, they have now added a clause that says that employees of Evernote will access your data “to maintain and improve the Service”. That’s a very imprecise and broad statement. How will your data be used to improve their service? What is their service? Is it “anything the company does” or only “synchronising your files”?

Here’s a set of articles and longer discussion of some of the issues around this :-

* http://arstechnica.com/tech-policy/2016/12/evernotes-new-privacy-policy-raises-eyebrows/
* http://www.forbes.com/sites/thomasbrewster/2016/12/14/worst-privacy-policy-evernote/
* https://techcrunch.com/2016/12/14/evernotes-new-privacy-policy-allows-employees-to-read-your-notes/

If you are storing data which you believe to be sensitive in any way, you need to be aware of these policies, and when they change. While Cloud-based services offer many conveniences and a low cost to get started, the long-term costs are sometimes unacceptably high.

Remember, “The Cloud” means nothing more or less than “Someone else’s computers”, and there is often no enforceable contract of any kind.

Update:

The CEO of Evernote is now clarifying that the wording of their Policy was misleading; he states that “Human beings don’t read notes without people’s permission. Full stop.”

So, does that mean that you’re all OK to carry on using Evernote, that you can relax and the emergency is over?

You tell me – it’s your data. If you need to control access to your data, and you’re not able to do this completely because “it’s in the cloud” (where the provider changes their terms, conditions, ownership and even physical location without consulting or informing you), then perhaps you should be doing things differently.

https://www.fastcompany.com/3066680/the-future-of-work/evernote-ceo-explains-why-he-reversed-its-new-privacy-policy-we-screwed-u

Checking SHA256 OpenSSH fingerprints

Wednesday, December 7th, 2016 | Jim Cheetham | Comments Off on Checking SHA256 OpenSSH fingerprints

Many people using recent versions of ssh are now seeing SHA256 fingerprints by default when connecting to a new server, and finding it difficult to verify the fingerprint because the server itself doesn’t seem to have the right versions to tell you!

For example, here’s the client trying to connect …

$ ssh galathilion
The authenticity of host 'galathilion (10.30.64.220)' can't be established.
RSA key fingerprint is SHA256:8DpA4frlTxKnZ5GJXkORq8QQlLn4eCx4nZf51g55vYc.

The correct thing to do here is to check this fingerprint, by connecting to the target server over something that isn’t ssh. Then you run the ssh-keygen command to see the fingerprint …

# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key
2048 d3:c6:fa:83:03:f4:ed:44:a4:3e:80:e1:b1:7b:ca:42 /etc/ssh/ssh_host_rsa_key.pub (RSA)

But that’s the wrong format – the MD5 version of the fingerprint, not the SHA256 version. That’s probably because the server version of the openssh tools doesn’t support SHA256 at all. And you can’t work out what the SHA256 fingerprint will be if all you have is the MD5 fingerprint data.

No problem; you can just ask your client ssh to display the server’s fingerprint using the old MD5 presentation :-

$ ssh -o FingerprintHash=md5 galathilion
The authenticity of host 'galathilion (10.30.64.220)' can't be established.
RSA key fingerprint is MD5:d3:c6:fa:83:03:f4:ed:44:a4:3e:80:e1:b1:7b:ca:42.

So that works a treat, and you can validate the connection. Regardless of the scheme used to present the fingerprint to you, it’s the same server public key, so validating the MD5 presentation is the same as validating the SHA256 version.

As an alternative, you can use standard command-line tools to generate the SHA256 fingerprint on the server itself, even though openssh doesn’t do that for you.

# cat /etc/ssh/ssh_host_rsa_key.pub \
  | awk '{print $2}' | base64 -d | sha256sum -b \
  | awk '{print $1}' | xxd -r -p | base64
8DpA4frlTxKnZ5GJXkORq8QQlLn4eCx4nZf51g55vYc=

That mouthful produces the same output as the openssh tool.

Here’s a worked-through example of how this command chain works. I can reproduce the original machine’s data here, because this is a public key. Remember to carefully check what data you are publishing online!

# cat /etc/ssh/ssh_host_rsa_key.pub
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3R3I0dJxyg61jKuAqY3wJ/gwHzzEVg73sVqqJnzzEGWEkpjEYsIBk1NWh/Ur2q9CnR1KPk8Av22fNgeQay6dm9FcGK7TImiD3ZZfZjfHPzwkcoXyQPuJHW9pT8rlktkihdpTNJqlHHibVUz481AntmptypGqPKdg22EjvjrHk5Q4Op/ahZjgkSoFPphH1gWZcCC2xSPi/mk6nu9DF4Jyr1dJq+hJMPuvQ10ozOpzhemUKD9dGoXIh9g78/+M9Y8/naOW+UxZAy8BGrcpjM27sLHU0K+qxLRFw36Xlgur2+lEiSVt0F2iPpbAiJug3hUQTx2K3gkMG36auVsgrWvK9Q==

This file has a single line, with two (or three) values space-separated. The second field is the Base64 representation of the public key itself, which we’re extracting using awk '{print $2}' (although we could have done this with other commands, such as cut -d' ' -f2). Once we have that field, we convert it from Base64 back into raw binary with base64 -d. Then we pass the binary key through sha256sum, which will produce two fields, a hex-encoded fingerprint and the filename (which is just ‘-‘ for standard input), and through awk again to select just the first field. xxd is used to convert the hex-encoded data back to binary again, and finally base64 gives us the same encoding that the openssh tools present.

Why bother with all that? Well, remember that the requirement to verify a server’s ssh fingerprint should not be carried out over ssh itself. I get my servers to write their ssh fingerprints into the /etc/issue file, and this is displayed on the server console by default along with the login prompt. So I can always validate the ssh keys using something that isn’t ssh …

Can my light bulbs DoS me?

Friday, October 7th, 2016 | Mark Borrie | Comments Off on Can my light bulbs DoS me?

Denial of Service (DoS) attacks are situations where an IT system is deliberately overwhelmed to a point where normal activity is no longer possible. A DoS attack usually comes from a single source. Where the attack comes from many sources we call this a Distributed DoS, or DDoS.

DDoS traffic is usually sent from many computers from around the world. These computers will have been hijacked and grouped together into a botnet which are then controlled by the bad player. These computers usually have been compromised because security patches have not been applied.

For some time InfoSec people have been wondering what impact the Internet of Things (IoT) will have on things like DDoS. The IoT generally refers to all those everyday objects that can now connect to the Internet. Think CCTV, toys, nappies, cars, door bells etc.

At the KiwiCon conference last year in Wellington, and at other conferences,  some of the presentations talk about the security of various IoT devices. Some of the findings were

  • Certain brands of car immobilisers could be activated by other people by attacking the website where the device was registered. This was particularly concerning for those vehicles that could have the fuel system shut down. Imagine suddenly running out of fuel while in the middle lane of a motorway doing 110 km/hr!
  • Home security devices being sold in NZ could be controlled by other parties.
  • Baby monitors can be listened into, and worse.
  • Barbie Dolls are relatively hard to take over.

So are the IoT really a problem? In late September a DDoS attack was launched against a well known security writer. The attack forced his website off line for a time by the huge volume of traffic sent to it. What is interesting is that most of the devices involved in the attack were on line cameras (it is estimated that about 1.5 million cameras were involved).

The security issues with the IoT may well turn out to be a bigger problem than Y2K. When preparing for Y2K it was possible to identify likely systems that needed fixing, and then update them. In the end a Y2K disaster was avoided since we understood how to fix the problems.

The problem with IoT is that we cant identify and/or fix most of the devices. Few manufacturers of an IoT device include options for efficiently getting updates onto the device. Almost no one will commit to providing support for any set time. For most devices, if there is a significant security issues with them, it will be a case of throwing them away.

So this comes back to the original question. Can my light bulbs DoS me?

Well, the current versions probably cannot launch a co-ordinated network attack, which is good. However, a bad player may well be able to take control of your light bulbs. Think about the result of all your lights coming on at 3 am. Perhaps we should call this a DoSl (Denial of Sleep).

What to do? Some of the functionality of some IoT devices is truly exciting. We are going to see more and more options out there. When buying these devices we need to start thinking about the impact if things go wrong. Ask the retailer about security updates. If updates are available ask for how long support will be provided.

Finally, be prepared to throw the device away. This may end up your only option.

 
 
 

Any views or opinion represented in this site belong solely to the authors and do not necessarily represent those of the University of Otago. Any view or opinion represented in the comments are personal and are those of the respective commentator/contributor to this site.