SecWorX – InfoSec Year In Review – 2014

Hi folks, I’ve compiled some of the more popular InfoSec stories and links on each topic– just a quick year in review summary for you. This year has been extremely eventful and there are no signs of slowing down as we enter 2015. Read it and weep, or, if you work in InfoSec, read and smile that you are still employed with plenty of work on the horizon 🙂

Total PWNage

Sony Cyber Attack The biggest, baddest and juiciest story of them all broke in late November and will continue to be a treasure trove well into 2015. This cyber attack was reminiscent of an old-school cheesy hacker movie. Here is the image that many Sony employees saw show up on their screens. Gotta love the scary skull pic!

[image: the “GOP” skull splash screen]

The FBI is pointing the proverbial finger at DPRK. I’m holding back judgment until the InfoSec community has had a chance to review the technical analysis. Seth Rogen is one person who must be pretty stoked about the Sony attack, which was spun into an awesome promotional tool for “The Interview” going into the holiday season. I admit that I bought into the hype. My review…a few good laughs but far from a blockbuster!

The leak was BRUTAL!
– entire databases exfiltrated
– unpublished movie scripts
– contract negotiations
– data dump posted to torrent sites, pastebin and reddit (amongst others)
– full dump claimed to be 10s of Terabytes

Brian Krebs is covering this one pretty well!

Celebrity Nude Photo Leak This story broke over Labour Day and must have set records for female A-lister search queries looking for a download link to the files. The series of nude pics of allegedly 101 celebs (names below) is making the rounds on file-sharing sites, referred to as ‘The Frappening’. The attack was a garden-variety brute-force attack against iCloud accounts: a huge breach of privacy in which the attacker was able to steal nude photos from right under the nose of these celebrities, straight off the cloud. The photographs were then posted to online forums and soon spread like wildfire. Reports suggest the hack combined a Python script named “iBrute”, posted on GitHub, with a vulnerability in the ‘Find my iPhone’ service. Because that endpoint had no rate limiting or account lockout, the attacker had unlimited chances to brute-force passwords.

The alleged list:
AJ Michalka, Alyson ‘Aly’ Michalka, Allegra Carpenter, Abigail Spencer, Alana Blanchard, Alexa Jane, Angelina McCoy, Anna O’Neill, Ashley Blankenship, Aubrey Plaza, Abigail ‘Abby’ Elliott, AnnaLynne McCord, Avril Lavigne, Amber Heard, Rebecca ‘Becca’ Tobin, Brie Larson, Brittany Booker, Candace Smith, Candice Swanepoel, Cara Delevingne, Carley Pope, Carmella Carcia, Carrie Michalka, Cat Deeley, Carly Foulkes, Chloe Dykstra, Clare Bowen, Dove Cameron, Elena Satine, Elle Evans, Ellenore Scott, Emily Browning, Emily DiDonato, Emily Ratjkowski, Erin Cummings, Erin Heatherton, Farrah Abraham, Gabrielle Union, Gabi Grecko, Hayden Panettiere, Hope Solo, Heather Marks, Hilary Duff, Jacqueline Dunford, Janelle Ginestra, Jennifer Lawrence, Jessiqa Pace, Jessica Dunford, Jessica Riccardi, Jesse Golden, JoJo, Joanna Krupa, Jennifer ‘Jenny’ McCarthy, Josie Loren, Joy Corrigan, Kaley Cuoco, Kaime O’Teter, Kate Upton, Kate Bosworth, Kelly Brook, Lauren ‘Keke’ Palmer, Kim Kardashian West, Kirsten Dunst, Krysten Ritter, Lake Bell, Laura Ramsey, Lea Michele, Leelee Sobieski, Leven Rambin, Lisa Kelly, Lisalla Montenegro, Lindsay Clubine, Lizzy Caplan, Mary-Kate Olsen, Mary Elizabeth Winstead, McKayla Maroney, Melissa Benoist, Meagan Good, Megan Boone, Michelle Keegan, Mikayla Pierce, Misty Treanor, Nina Stavris, Rachel Nichols, Rihanna, Sarah Shahi, Sahara Ray, Sarah Schneider, ScarJo, Selena Gomez, Shannon McNally, Tameka Jacobs, Teresa Palmer, Uldouz, Vanessa Hudgens, Victoria Justice, Wailana Geisen, Winona Ryder, Yvonne Strahovski, Alison Brie, Dave Franco.

User lessons
1. Use strong passwords and enable two-step verification.
2. Review the contents that are copied to the cloud. Delete backups or whatever else that you do not want on there.
Business lessons
1. Always implement a rate limiting/account lockout feature on web apps.
2. Bug Bounty programs are a good thing.

I’m still waiting for a story to break that points to Kim Kardashian as being the real hacker for this one! Wouldn’t that make the gossip mags a fortune in 2015?

Here are links to three good posts on the story.
Sources: Forbes (two articles), Mail Online

Retail Card Breaches Cont’d This type of attack came onto the radar a year ago with the disastrous Target breach but was soon trumped by Home Depot, resulting in the largest breach of its kind on record. Cyber criminals, using custom-built malware that lingered on the network for approximately half a year (April to September), were able to steal card data and customer email addresses. The numbers speak for themselves:
– 56 Million customer credit/debit card accounts
– 53 Million customer email addresses

Krebs broke the story on Sep 2, 2014, and has done a fabulous job at posting detailed updates. Thanks again Brian!

Lesson learned: Fear the phrase “PCI Compliant”!!!!

Bugs

Heartbleed and ShellShock The two most popular bugs making the media rounds were tagged with the coolest monikers: Heartbleed & ShellShock.

Heartbleed is an OpenSSL bug disclosed in April 2014 that hit the mainstream media with full force, given the enormous number of websites that use OpenSSL. OpenSSL is an open-source implementation of SSL/TLS, used for communication security and privacy over the internet by applications such as web, email, IM and some VPNs. Shall I now scream, “THIS IS IMPORTANT!”? Vulnerable versions of OpenSSL leak data through a coding flaw that allows a buffer over-read: a client sends a malformed heartbeat request whose declared payload length is larger than the payload actually sent, and the server echoes back that many bytes, returning memory it should never have exposed. Major sites have since patched their servers; however, rest assured there are many that still remain vulnerable.
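To make the over-read concrete, here is an added Python model (not code from the post or from OpenSSL) of the heartbeat handling before and after the patch. The message layout (type, 2-byte length, payload, 16 bytes of padding) and the length check follow the published fix; the function names, the buffer layout and the “secret” bytes are constructed for the demo.

```python
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
PADDING = 16  # a heartbeat message carries at least 16 bytes of padding


def build_heartbeat(payload: bytes, declared_len: int) -> bytes:
    """Heartbeat message: type(1) | payload_length(2) | payload | padding(16).
    declared_len is what the sender *claims*; it need not match len(payload)."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", declared_len)
            + payload + b"\x00" * PADDING)


def respond_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-patch logic: copy payload_length bytes, trusting the peer's field.
    In C the memcpy runs past the record into whatever follows it in memory;
    here `memory` stands in for the process heap so the slice shows the same."""
    (payload_len,) = struct.unpack("!H", memory[1:3])
    echoed = memory[3:3 + payload_len]          # over-read past record_len
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * PADDING)


def respond_fixed(memory: bytes, record_len: int):
    """Patched logic: the declared length must fit inside the received record,
    otherwise the message is silently discarded (None)."""
    if record_len < 1 + 2 + PADDING:
        return None
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if 1 + 2 + payload_len + PADDING > record_len:
        return None
    echoed = memory[3:3 + payload_len]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * PADDING)


# Constructed stand-in for unrelated data sitting next to the record in memory.
SECRET = b"session-cookie=deadbeef"


def demo():
    """A 2-byte payload that claims to be 64 bytes long."""
    record = build_heartbeat(b"hi", declared_len=64)
    memory = record + SECRET
    return respond_vulnerable(memory, len(record)), respond_fixed(memory, len(record))


if __name__ == "__main__":
    leaked, dropped = demo()
    print("vulnerable server echoed:", leaked)
    print("patched server returned:", dropped)
```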

The Sophos Naked Security news site posted my favorite technical article for Heartbleed.

Real World Example – Western University student charged with extracting data from the Canada Revenue Agency resulting in a major tax-time disruption

ShellShock is a GNU Bash shell bug disclosed in September 2014. The flaw dates back to versions of Bash from the early days, circa 1989, through to v4.3. While still widely publicized, it did not seem to garner the same coverage in the mainstream media as Heartbleed did. ShellShock is a far more significant vulnerability, with a National Vulnerability Database severity rating of 10/10. The sheer length of time the bug has existed leaves many lingering questions, such as who knew of this vulnerability and for how long. Bash is an enormously popular *nix shell and is the default shell on popular operating systems such as Linux and Mac OS X. The sheer footprint of Bash on public web servers and on internet of things (IoT) devices running embedded Linux with Bash (e.g., home routers and NAS gear) is cause for great concern, given the seemingly limitless attack possibilities. The ShellShock bug allows remote arbitrary code execution via specially crafted environment variables: Bash imports function definitions from the environment and, in vulnerable versions, also executes any command appended after the function body. Many companies have since patched their critical servers, but relaying this message to the consumer will prove difficult. Getting the average consumer to take action and patch devices that sit on the shelf would be hard even if a one-click update option were available. Any fix or workaround requiring more technical savvy will go well beyond the comfort level of many customers, who purchase these solutions without even realizing the impact or ramifications of security vulnerabilities.
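Since the practical question for a defender is whether a given box is patched, here is an added Python helper (not from the post) that runs the self-check US-CERT published for the original bug: a function definition placed in an environment variable with a harmless echo appended. The function names and the marker string are constructed; a vulnerable Bash echoes the marker while importing the variable, a patched one does not.

```python
import subprocess

# The original ShellShock probe: an exported function definition followed by a
# command after the closing brace. Patched Bash stops at the brace.
PROBE_VALUE = "() { :; }; echo SHELLSHOCK_PROBE_RAN"


def bash_runs_trailing_command(bash="bash", timeout=5):
    """Return True if `bash` executes the command appended after the function
    definition (unpatched), False if it ignores or merely imports it (patched),
    and None if the interpreter cannot be started at all."""
    # A minimal environment: only PATH (for lookup) and the probe variable.
    env = {"PATH": "/usr/local/bin:/usr/bin:/bin", "PROBE": PROBE_VALUE}
    try:
        proc = subprocess.run(
            [bash, "-c", "echo probe-done"],
            env=env, capture_output=True, text=True, timeout=timeout,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired, PermissionError):
        return None
    return "SHELLSHOCK_PROBE_RAN" in proc.stdout


def report(bash="bash"):
    """One-line verdict for a single interpreter path."""
    verdict = bash_runs_trailing_command(bash)
    if verdict is None:
        return f"{bash}: not found"
    return f"{bash}: {'VULNERABLE (unpatched)' if verdict else 'patched'}"


if __name__ == "__main__":
    # /bin/sh is a Bash symlink on some systems, so check it as well.
    for path in ("bash", "/bin/bash", "/bin/sh"):
        print(report(path))
```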

Check out these four great articles to further your understanding about this very serious vulnerability. Sources: US-Cert, CloudFlare, FireEye, Troy Hunt

Real World Example – Several botnets have been leveraging the ShellShock bug. Botnet agents have been found with port scanning, backdoor and DDoS capabilities. One of the first reported botnet attacks was a DDoS against Akamai and US DoD networks.

Operations

Dark Markets Online marketplaces used for illegal activity are still active despite aggressive pursuit by law enforcement agencies worldwide. The infamous Silk Road is just one of many online underground markets that use the TOR network for anonymity and digital currencies such as Bitcoin to hide the money trail. Existing in what has been termed the ‘deep web’ or ‘darknet’, these sites have been used as a conduit for a wide range of illicit activities operating in a virtual black market. Investigations have uncovered illegal vices such as moving contraband, money laundering, stolen credit cards, false identification, weapons dealing and contract killing, all linking back to various dark market sites. A massive international investigation called ‘Operation Onymous’ was launched against these sites. The crackdown, involving the FBI, Homeland Security and Europol, led to 17 arrests and asset seizures and took down many black market sites. Plenty of others have managed to elude law enforcement and remain operational in the underground economy. The investigation has also caused a stir amongst TOR users, leaving them to question whether the network really provides true anonymity.

Snowden Revelations 2014 Call him former government contractor, traitor, whistle-blower or patriot, but those in InfoSec call him “the gift that keeps on giving”. Since Ed Snowden fled the USA, stopping in Hong Kong and eventually landing in Russia, he has released a treasure trove of documents on privacy and surveillance that has left audiences captivated. He even landed a feature interview from abroad that aired on CBS’s 60 Minutes. The revelations kept coming strong throughout 2014. Al Jazeera created an amazing interactive timeline; you can scroll back to the beginning of 2014 if you want a recap. The collection reveals the NSA’s true power and vast international spy grid. Other articles cover the various techniques used by agencies like the NSA and GCHQ for tracking and data collection. Articles on facial recognition technologies and quantum computing provide readers a window into the future.

All of these stories give credence to the fact that InfoSec has some big challenges ahead. I could continue writing until the clock strikes midnight in 2015, but I am on holidays after all, so I’ll sum it all up in just four words: Nothing can be trusted!!!


WiFi Security – Time to turn off WPS

I recently read some interesting slides posted online by Swiss security specialist Dominique Bongard regarding refined attacks against WiFi Protected Setup (WPS) that cut the time needed to recover a WiFi network’s WPA passphrase to seconds. It suddenly dawned on me that I probably forgot to disable this feature when I swapped out my old Linksys for a D-Link Gateway around two years ago.

What is WPS?

  • It is a protocol aimed at making it easy to connect to WiFi networks
  • It hands the WPA passphrase to any station that presents the right PIN
  • Two main modes: Push Button and 8-digit PIN code

Sure enough, I logged on to the D-Link Gateway interface and found that it was in fact enabled. Needless to say, I turned it off immediately, as WPS has been known to be a troubled protocol ever since researcher Stefan Viehböck reported an implementation flaw that makes brute-force attacks against WPS feasible.

Wikipedia has a good summary:

The vulnerability centers around the acknowledgement messages sent between the registrar and enrollee when attempting to validate a PIN. The PIN is an eight-digit number used to add new WPA enrollees to the network. Since the last digit is a checksum of the previous digits, there are seven unknown digits in each PIN, yielding 10^7 = 10,000,000 possible combinations.

When an enrollee attempts to gain access using a PIN, the registrar reports the validity of the first and second halves of the PIN separately. Since the first half of the PIN consists of four digits (10,000 possibilities) and the second half has only three active digits (1,000 possibilities), at most 11,000 guesses are needed before the PIN is recovered. This is a reduction by three orders of magnitude from the number of PINs that would have to be tested. As a result, an attack can be completed in under four hours (183 minutes to be precise). The ease or difficulty of exploiting this flaw is implementation-dependent, as Wi-Fi router manufacturers could defend against such attacks by slowing or disabling the WPS feature after several failed PIN validation attempts.
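To make the arithmetic in that summary concrete, here is an added Python model (not code from the post, from Wikipedia or from any WPS tool) of the PIN format and of the two registrar designs it contrasts. The checksum weights (3,1,3,1,3,1,3 over the first seven digits) follow the WPS specification; the Registrar class, its lockout threshold and the result strings are constructed for illustration.

```python
def wps_checksum(first_seven: str) -> int:
    """Eighth digit of a WPS PIN: weighted sum of the first seven digits
    with weights 3,1,3,1,3,1,3, completed to a multiple of ten."""
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first_seven))
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """Only PINs whose last digit matches the checksum are well-formed."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def worst_case_guesses(halves_reported_separately: bool) -> int:
    """Guesses needed to exhaust the PIN space under each registrar design."""
    if halves_reported_separately:
        return 10**4 + 10**3   # 4 free digits, then 3 free digits (+ checksum)
    return 10**7               # all 7 free digits must be right at once


class Registrar:
    """Toy registrar. Like the flawed design, it reports which half failed;
    with lockout_after set, it stops answering after that many failures,
    which is the mitigation the summary says manufacturers could apply."""

    def __init__(self, pin: str, lockout_after=None):
        if not is_valid_pin(pin):
            raise ValueError("registrar PIN has a bad checksum")
        self.pin, self.lockout_after, self.failures = pin, lockout_after, 0

    def check(self, guess: str) -> str:
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            return "locked"
        if guess[:4] != self.pin[:4]:
            self.failures += 1
            return "first-half-mismatch"
        if guess[4:] != self.pin[4:]:
            self.failures += 1
            return "second-half-mismatch"
        return "ok"


if __name__ == "__main__":
    print("checksum digit for 1234567:", wps_checksum("1234567"))
    print("split validation:", worst_case_guesses(True), "guesses worst case")
    print("whole-PIN validation:", worst_case_guesses(False), "guesses worst case")
```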

Given the seriousness of the WPS vulnerability, which leaves you open to brute-force attacks by anybody within the vicinity of your network, I was curious about the number of APs around me that have WPS enabled. I fired up Kali and performed a scan using the wash command:

[screenshot: wash scan output]

The results after a brief scan show four access points within range that are vulnerable to “reaver” attacks. Reaver is an open-source tool specifically designed to exploit the WPS security flaw and is available in Kali Linux. As stated on the Google Code site for reaver-wps:

On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

Yikes! I strongly suggest checking your WiFi gateway settings and turning off WPS. Here is a screenshot of where the setting is found on my D-Link.

[screenshot: WPS setting on the D-Link gateway]

While you’re at it, double-check your WiFi security level. The minimum security standard should be WPA with a strong passphrase, known as the Pre-Shared Key (PSK).