Month: December 2014
In today’s world of agile software development and fast release cycles, developers increasingly rely on third-party libraries and components to get the job done. Since many of those libraries come from long-running, open-source projects, developers often assume they’re getting well-written, bug-free code. They’re wrong.
The major patching efforts triggered by the Heartbleed, Shellshock and POODLE flaws this year serve as examples of the effect of critical vulnerabilities in third-party code. The flaws sat in software that runs on servers, desktop computers, mobile devices and hardware appliances, and they affected millions of consumers and businesses.
However, these highly publicized vulnerabilities were not isolated incidents. Similar flaws have been found in libraries such as OpenSSL, LibTIFF, libpng, OpenJPEG, FFmpeg, Libav and countless others, and these have made their way into thousands of products over the years.
Among the reasons why these bugs end up in finished products is a belief by developers that the third-party code they choose to integrate is secure because it has already been used by many others.
The shallow bugs myth
“There is a myth that open source is secure because everyone can review it; more eyes reviewing it making all bugs shallow,” said Jake Kouns, CISO of Risk Based Security, a firm that specializes in tracking vulnerabilities. “The reality is that while everyone could look at the code, they don’t and accountability for quality is deferred. Developers and companies that consume third party libraries are not allocating their own resources to security test ‘someone else’s code.’ Right or wrong, everyone seems to think that someone else will find the vulnerabilities and what is published is secure.”
The reality is that many open source projects, even ones producing code that is critical to the Internet’s infrastructure, are poorly funded, understaffed and have nowhere near enough resources to pay for professional code audits or the manpower for massive rewrites of old code.
OpenSSL is a prominent example of such a case, but far from the only one. After the critical Heartbleed bug was announced in April, it was revealed that the OpenSSL project had only one full-time developer and that the project was being primarily funded through contract-based work that other team members did in their spare time for companies in need of SSL/TLS expertise.
The developers of OpenBSD criticized OpenSSL for maintaining old code for platforms that few people care about and decided to fork the project to create a cleaner version of the library dubbed LibreSSL.
Flaws in open source libraries usually trace back to one or more of the same causes: old code or low code maturity, insufficient auditing or fuzzing (automatically feeding malformed and unexpected input to a program to find the inputs that make it crash or misbehave) and too few maintainers, said Carsten Eiram, the chief research officer of Risk Based Security. “We see that many vulnerabilities being found in these libraries are by researchers simply running some of the latest fuzzers against them, so it’s often something the maintainers or companies using said libraries could do themselves. Software vendors are quick to implement libraries into their products, but rarely audit or even fuzz these first or help maintaining them.”
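The point Eiram makes is that fuzzing is cheap enough for a library’s consumers to do themselves. The following added example (not code from the article or from any of the libraries it names) shows the shape of a mutational fuzzer: a seed file is randomly bit-flipped, overwritten, truncated and padded, and each variant is fed to a parser. The file format, the two parsers and the choice of mutations are all constructed for this example; `parse_naive` trusts every count, offset and length field the way much old C parsing code does, and Python’s `struct.error` and `IndexError` stand in for the out-of-bounds reads a C build would turn into crashes. `parse_hardened` parses the same format with every field validated, so the fuzzer finds nothing against it.

```python
import random
import struct

# Toy directory-based file format, constructed for this example (it is not TIFF,
# though the shape is similar): magic "TF", a u16 entry count, then entries of
# (u16 tag, u32 offset, u32 length) pointing at data elsewhere in the file.
MAGIC = b"TF"
ENTRY = struct.Struct("<HII")


def make_seed():
    """One valid file to start mutating from."""
    payload = b"hello"
    header = MAGIC + struct.pack("<H", 1)
    entry = ENTRY.pack(0x0100, len(header) + ENTRY.size, len(payload))
    return header + entry + payload


def parse_naive(buf):
    """Trusts every count, offset and length field, as much old C parsing code does.
    struct.error and IndexError here stand in for out-of-bounds reads."""
    if buf[:2] != MAGIC:
        raise ValueError("bad magic")  # ValueError is the graceful rejection path
    (count,) = struct.unpack_from("<H", buf, 2)
    pos = 4
    blobs = []
    for _ in range(count):
        tag, off, length = ENTRY.unpack_from(buf, pos)  # walks past the end of a short file
        pos += ENTRY.size
        data = bytes(buf[off + i] for i in range(length))  # reads `length` bytes unchecked
        blobs.append((tag, data))
    return blobs


def parse_hardened(buf):
    """Same format, every field validated before use; only ValueError escapes."""
    if len(buf) < 4 or buf[:2] != MAGIC:
        raise ValueError("bad header")
    (count,) = struct.unpack_from("<H", buf, 2)
    pos = 4
    if len(buf) - pos < count * ENTRY.size:
        raise ValueError("truncated directory")
    blobs = []
    for _ in range(count):
        tag, off, length = ENTRY.unpack_from(buf, pos)
        pos += ENTRY.size
        # written as a subtraction so the check cannot wrap the way off + length can in C
        if off > len(buf) or length > len(buf) - off:
            raise ValueError("entry out of bounds")
        blobs.append((tag, buf[off:off + length]))
    return blobs


def mutate(data, rng):
    """One random mutation: bit flip, interesting-byte overwrite, truncation or insertion."""
    data = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:
        i = rng.randrange(len(data))
        data[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif choice == 2 and len(data) > 1:
        del data[rng.randrange(1, len(data)):]
    else:
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def fuzz(parser, seed, iterations=2000, rng_seed=1):
    """Mutational fuzzing: feed mutated seeds to the parser, keep one input per crash type.
    A ValueError is a clean rejection; any other exception is a bug in the parser."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = seed
        for _ in range(rng.randrange(1, 4)):  # stack one to three mutations
            case = mutate(case, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:  # a fuzzer wants every crash, whatever the type
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    seed = make_seed()
    for name, fn in (("naive", parse_naive), ("hardened", parse_hardened)):
        found = fuzz(fn, seed)
        print(f"{name}: {len(found)} crash type(s): {sorted(found)}")
```

Against a real C library the harness is the same idea with the parser replaced by the library’s decode entry point built with AddressSanitizer, and a coverage-guided fuzzer replaces the blind `mutate` above; the crash inputs it saves are the bug reports that Eiram says vendors could be filing themselves.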
It’s all marketing
The Heartbleed, Shellshock and POODLE vulnerabilities raised a lot of interest among software developers and system administrators, partly because of the attention the flaws received in the media. Some vendors are still identifying products affected by these flaws and are releasing fixes for them, months after they were first announced.
Eiram believes that the primary reason why these vulnerabilities stood out was not their impact, but the way in which they were advertised by their finders — with fancy names and logos. The sad truth is that flaws of similar importance are regularly found in widespread libraries, but manage to fly under the radar and are rarely patched by the software vendors who use them.
“A lot of vulnerabilities — 18 — have been addressed in OpenSSL since Heartbleed, and we haven’t remotely seen the same attention to issuing fixes quickly — or at all — from the vendors,” Eiram said. “We see fixes of varying severity to libraries on almost a daily basis, but rarely see vendors bundling these libraries in their products issue fixes, even though we know these libraries are heavily used.”
One example of that is a vulnerability discovered in 2006 by Tavis Ormandy, a security researcher who now works at Google. The flaw was among several that affected LibTIFF and were fixed in a new release at the time. It was tracked as CVE-2006-3459 in the Common Vulnerabilities and Exposures database.
“In 2010, a vulnerability was fixed in Adobe Reader, which turned out to be one of the vulnerabilities covered by CVE-2006-3459,” Eiram said. “For four years, a vulnerable and outdated version of LibTIFF had been bundled with Adobe Reader, and it was even proven to be exploitable.”
Adobe Systems has since become one of the software vendors taking the threat of flaws in third-party components seriously, Eiram said. “They’ve made major improvements to their process of tracking and addressing vulnerabilities in the third-party libraries and components used in their products.”
Another one of those vendors is Google. Beyond keeping track of vulnerabilities in the third-party code it uses, the company’s researchers actively search for flaws in that code.
“We’ve seen two of Google’s prolific researchers, Gynvael Coldwind and Mateusz Jurczyk, finding more than 1,000 issues in FFmpeg and Libav, which is used in Chrome, and they’re currently looking at other libraries like FreeType too,” Eiram said. “OpenJPEG also seems to receive some scrutiny by Google at the moment, which is used in PDFium that in turn is used in Chrome. Obviously, Google also put a lot of effort into securing WebKit, when they started using that as the engine for Chrome.”
Making such contributions helps to improve the code maturity of those libraries for everyone, and is something that all software vendors should do.
If vendors would at least fuzz the libraries they use and help fix the issues they find in the process, it would make a significant difference, Eiram said. Much more so than the bug bounty programs for critical Internet software, like those run by HackerOne or Google, which so far have had little effect in drawing researchers toward finding vulnerabilities in libraries, he said.
An accurate bill of materials
Unfortunately we’re a long way from that happening, as many software developers fail to even keep track of which third-party components they use and where, not to mention vulnerabilities that are later found and patched in those components.
Veracode, a security firm that runs a cloud-based vulnerability scanning service, found that third-party and open source components introduce an average of 24 known vulnerabilities into each application and that in the case of some enterprises, 40 percent of the applications they use have one or more critical vulnerabilities introduced by components.
“Most companies learned lessons from trying to patch Heartbleed and Shellshock,” said Chris Eng, vice president of research at Veracode. “One of the challenges was that it involved not only patching servers, but patching vulnerable hardware and software products. Answering the question ‘Which of my products rely on a vulnerable version of OpenSSL?’ was difficult for many organizations due to lack of visibility into the composition of their software products.”
“Having an accurate ‘bill of materials,’ so to speak, for all software projects is critical to the patching effort,” Eng said. “This has always been true, but Heartbleed and Shellshock both amplified the issue thanks to the ubiquity of both OpenSSL and Bash.”
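Eng’s question, “Which of my products rely on a vulnerable version of OpenSSL?”, is only answerable from a component inventory joined against known-vulnerable version ranges. The following added example (not from the article or from Veracode) does that join over a constructed bill of materials. The product names and versions in `INVENTORY` are made up; the Heartbleed range is real (CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g), while `EXAMPLE-2014-0001` and the component `examplelib` are hypothetical placeholders. The version comparison understands OpenSSL’s letter suffixes, and a component whose version the inventory cannot name is reported rather than silently passed, because an inventory that cannot answer “which version?” cannot clear the product either.

```python
import re

# Constructed component inventory (a minimal bill of materials): product -> [(component, version)].
# Product names and versions are made up for this example.
INVENTORY = {
    "web-gateway-3.1": [("openssl", "1.0.1e"), ("libpng", "1.6.16")],
    "backup-agent-2.0": [("openssl", "1.0.1g"), ("zlib", "1.2.8")],
    "media-box-fw-7": [("openssl", "0.9.8y"), ("examplelib", "2.4")],
    "legacy-kiosk-1.0": [("openssl", "unknown")],
}

# Known-vulnerable version ranges, "fixed" exclusive. The Heartbleed entry is real
# (CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it). The second
# entry and the component "examplelib" are hypothetical placeholders.
ADVISORIES = [
    {"id": "CVE-2014-0160", "component": "openssl", "introduced": "1.0.1", "fixed": "1.0.1g"},
    {"id": "EXAMPLE-2014-0001", "component": "examplelib", "introduced": "2.0", "fixed": "2.5"},
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")


def version_key(version):
    """Sortable key for dotted versions with an optional OpenSSL-style letter suffix
    ("1.0.1f" < "1.0.1g" < "1.0.2"). Raises ValueError for anything else."""
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # pad so "1.0.1" and "1.0.1.0" compare equal
    letter = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return (*nums, letter)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def find_affected(inventory, advisories):
    """Return (product, component, version, advisory_id) for every vulnerable match.
    A component with an unparseable version is reported as UNKNOWN-VERSION."""
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv["component"].lower(), []).append(adv)
    hits = []
    for product, components in inventory.items():
        for name, version in components:
            for adv in by_component.get(name.lower(), []):
                try:
                    affected = is_affected(version, adv["introduced"], adv["fixed"])
                except ValueError:
                    hits.append((product, name, version, "UNKNOWN-VERSION"))
                    break
                if affected:
                    hits.append((product, name, version, adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for product, name, version, adv_id in find_affected(INVENTORY, ADVISORIES):
        print(f"{product}: {name} {version} -> {adv_id}")
```

The hard part in practice is not this join but the inventory feeding it: statically linked copies, vendored source trees and firmware images all need to be enumerated before a version can be compared at all.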
For system administrators the situation is even more complicated, because they depend on software vendors for fixes, and vendors’ responses to flaws in third-party components vary greatly, from fairly quick to nonexistent.
“We do sense that the software industry has recognized the threat and is trying to deal with it — at least many major companies — but properly mapping libraries used in the code and tracking and triaging vulnerabilities in these requires significant resources,” Eiram said.
Be prepared for more
If there’s one thing that Heartbleed and Shellshock changed it is that researchers now have a model for advertising the flaws they find so they reach a wider audience. Even though many in the security industry don’t agree with this approach, because it tends to hype the risks, it does seem to put pressure on vendors to act. It also seems to attract the attention of even more researchers, leading to increased scrutiny of some libraries, even if for short periods of time.
“Researchers looking to find the most impactful vulnerabilities will naturally be drawn to software that is widespread and baked into a wide range of products,” Eng said. “I think this will continue, because many researchers are motivated — at least in part — by the media attention that comes with discovering high-profile bugs.”
From a business perspective, being forced to unexpectedly reallocate resources that are planned for something else in order to deal with flaws like Heartbleed, which involves identifying affected products and issuing patches, is likely a burden for software vendors. If faced with highly publicized flaws on a regular basis, vendors might naturally be pushed to adopt more proactive strategies that involve tracking, patching and even finding vulnerabilities in third-party components themselves as a matter of course.
“It does seem like more and more software companies are discussing the challenge of dealing with third party libraries and components, and have recognized how these are an Achilles heel,” Eiram said. “The vast majority of them still need to implement a proper policy and approach for dealing with this challenge.”
Companies should map which of their products contain third-party libraries, define policies for who may add such components to products and how, check a library’s security track record in the vulnerability databases before adopting it, and either build an in-house vulnerability tracking solution or subscribe to a commercial one with strong library coverage.
“Longer term we may see a shift, but developers may still view Heartbleed and Shellshock as isolated events rather than a trend,” Eng said. “On the other hand, automated solutions are now making it easier for enterprises to identify components with known vulnerabilities in their application portfolios, so I think we’ll see the proactive approach becoming a best practice over time.”
On the enterprise side, “Organizations need to recognize that bugs of the magnitude we’ve seen in 2014 will continue into 2015 and put the processes in place to quickly identify where they are vulnerable, have a sound procedure to prioritize the issues and efficient processes to patch systems when bugs are discovered to reduce risk of exploitation,” said Gavin Millard, technical director for EMEA region at Tenable Network Security. “When the next ‘Bug du Jour’ hits, the rapid response to deal with it needs to be a well oiled, tested and efficient machine.”
Check Point Software Technologies recently revealed a flaw in millions of routers that allows the devices to be controlled by hackers.
The company’s Malware and Vulnerability Group detected 12 million Internet-connected devices that have the flaw.
The vulnerability, which Check Point dubbed “Misfortune Cookie,” is in the code of a commonly used embedded Web server, RomPager from AllegroSoft. An attacker can exploit it to take control of a router and use it to steal data from both wired and wireless devices connected to the network behind it.
Fixes for the flaw have been available since 2005, but 98 percent of the devices using RomPager haven’t been updated and still contain the vulnerable version of the software.
Even if device makers had been on the ball and kept the embedded subsystems on their hardware up to date, chances are there still would be lots of vulnerable devices connected to the Net, observed Shahar Tal, malware and vulnerability research manager at Check Point Software Technologies.
“Most people don’t install upgrades to their firmware,” he told TechNewsWorld. “That’s why we believe this vulnerability will stay around for months and years to come.”
Infected routers aren’t a new attack vector for Net marauders. A widely reported incident early this year included routers in a malicious email campaign that flooded the Internet with 750,000 junk messages. Thousands of other gadgets also were used to disseminate the spam — things like home media centers, televisions, and at least one smart refrigerator.
Proofpoint, which discovered that caper, explained that it didn’t take rocket science to compromise the devices. Attackers simply exploited misconfigurations or factory-set passwords to crack them.
Billed as the first large-scale attack using the Internet of Things, the Proofpoint discovery may be a sign of things to come down the road.
“I don’t think this will be widespread in 2015, and we don’t expect that IoT devices will be main targets, but it will start to evolve next year,” said Cathal McDaid, head of data intelligence and analytics for AdaptiveMobile.
A number of things make IoT devices ripe for hacking. They’re not monitored by people as a phone or computer would be. They don’t get upgraded often, and they may reside in out-of-the-way locations.
Attacks on IoT devices in 2015 likely will mirror the Proofpoint incident.
“Next year, we may see some of these mobile IoT devices compromised to send spam,” McDaid told TechNewsWorld. “Spam generated might be email — or if they are able to send text messages, then spam SMS.”
Asleep in the Corner Office
Since the limelight has shone on information security at Sony, a multitude of sins have been exposed, including a tidbit about the company’s CEO, Michael Lynton, being regularly reminded in insecure emails of secret passwords for his personal and family mail, banking, travel and shopping accounts.
Security naivete isn’t limited to Sony’s corner office. Many CEOs are disconnected from the cyberthreats hurled at their companies every day.
For example, 80 percent of CEOs in corporate America don’t have any idea their company’s systems are being attacked on a regular basis, suggests a survey released earlier this year by Lancope and the Ponemon Institute.
Recent events at Sony may be changing that level of awareness, though.
“They are changing their behavior now, but it’s a painful process,” Lancope CTO Tim “TK” Keanini told TechNewsWorld.
Lack of awareness isn’t limited to the corner office, either — not when companies have to be told by outside parties that systems have been breached.
“Defenders need to detect a threat in its early stages, not when the Secret Service calls you — not when your source code is posted to Pastebin,” Keanini said. “If that’s your form of detection, we’ve got worse things coming.”
13,000 login details including payment card numbers and expiry dates have leaked from online services including Amazon, Xbox Live, Playstation Network and more, according to TechCrunch.
The hackers posted a document with usernames and passwords, along with some credit card numbers and expiry dates, to Ghostbin – a text storage website.
Websites affected included not only gaming-related organisations such as Xbox, Playstation, Twitch, EA Games and Ubisoft, but also shopping chains such as Amazon and Walmart and the TV streaming website Hulu Plus. Pornography websites were also included in the breach. Amazon, Sony and Microsoft have “yet to confirm whether the leak is legitimate”, according to Metro.
The wide-ranging mix of websites attacked has led the Daily Dot to suggest that not all of the websites have necessarily been breached, and that login information may have been acquired – at least in some of the cases – by “malware installed onto users’ personal devices or other nefarious methods.”
It has been a bad Christmas for gaming services, with this following swiftly on from the extended outages for the Xbox Live and Playstation Network online gaming services from DDoS attacks, as reported by We Live Security here. At the time of writing, Microsoft has reported that the Xbox Live service is back up and running, though Sony’s Playstation Network is still experiencing outages.
The news got worse for Sony, as the hackers leaking the log-in information – the Anonymous collective have taken credit, according to the Daily Mail – also claimed to have uploaded a pirate copy of ‘The Interview’, which has been in the news as the possible cause of the hacking of Sony Pictures.
A security researcher has discovered a cross-site scripting (XSS) issue in Microsoft’s MSN online service that could be used to launch locally installed software by injecting links that invoke registered URI handlers.
Web applications can ask the browser to hand a request off to a local program. This is done through a URI (uniform resource identifier) scheme: the operating system registers a handler program for the scheme, and when the browser encounters a link using it, it passes the URI to that program.
Special method used to bypass filtering
In a conversation over email, Nicholas Lemonias, who found the issue, said that a special method was used to bypass the filtering mechanism that would prevent regular XSS attacks from being executed through the website.
Launching the targeted program was triggered by a mouse-over event on certain elements of the page, such as the list of videos in MSN; since no click is required, the user is unaware that anything has been started.
Through that injection he was able to abuse trusted URI schemes, such as “mailto,” “callto,” “irc” or “skype,” to launch the programs associated with them and pass them parameters.
For instance, he managed to start a window of Outlook email client with the recipient field, subject line and message body already filled in. In the case of Skype, the program was launched and initiated a call.
When a page opens a program through a URI scheme, web browsers generally prompt the user first but offer to remember the choice, so that future launches of that handler go through without any prompt. This matters because once that option is selected, the user is no longer told when a page launches an installed application without their consent.
Risk of redirection to a malicious site
Lemonias said that malicious actions could be carried out, such as sending out an email without the user noticing anything, but he did not provide evidence for this. As the “mailto” URI scheme specifies, only a new message window is opened with the recipient address filled in; nothing is sent without the user’s action.
However, he did provide proof that visitors of MSN could be redirected to a different website through the XSS attack. Given that MSN is a trusted website, it is safe to assume that an attacker would be more successful in achieving their goal by taking the visitor to a malicious location.
Another consequence stressed by the researcher was a denial-of-service condition in the application invoked through the URI scheme. Outlook and other email clients are not the only programs exposed; any registered handler can be targeted.
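The web application’s side of this problem is deciding which link targets it will emit at all. The following added example (not code from the article, from Microsoft or from the researcher) shows a scheme allow-list for attacker-influenced link targets and the attribute-context escaping that goes with it. It first applies the same leniencies a browser’s URL parser does (tabs and newlines removed, leading controls and spaces stripped), since a check that does not do this lets `java<TAB>script:` or a leading space slip through; it then allows only http and https with a host, or same-site relative paths, so `mailto`, `callto`, `skype`, `irc`, `javascript` and `data` are all dropped. The optional `allowed_hosts` parameter addresses the redirect concern by pinning absolute links to known hosts. Function names, the sample link targets and the `ALLOWED_SCHEMES` set are choices made for this example.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def normalize_like_browser(raw):
    """Apply the leniencies a browser's URL parser applies before it picks a scheme:
    tab, CR and LF are removed anywhere; leading and trailing C0 controls and spaces
    are stripped. Without this step "java\\tscript:" or " mailto:" pass a naive check."""
    cleaned = re.sub(r"[\t\r\n]", "", raw)
    return re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", cleaned)


def safe_href(raw, allowed_hosts=None):
    """Return a link target that is safe to emit in href, or None to drop the link.
    Allowed: absolute http(s) URLs with a host (optionally restricted to allowed_hosts)
    and same-site relative paths. Rejected: every other scheme, scheme-relative
    //host or \\\\host forms, and empty or host-less URLs."""
    if raw is None:
        return None
    url = normalize_like_browser(raw)
    if not url:
        return None
    m = _SCHEME_RE.match(url)
    if m:
        if m.group(1).lower() not in ALLOWED_SCHEMES:
            return None
        host = urlsplit(url).hostname
        if not host:
            return None
        if allowed_hosts is not None and host.lower() not in allowed_hosts:
            return None
        return url
    if re.match(r"^[/\\]{2}", url):
        return None  # protocol-relative: resolves to another host
    return url  # relative path on the current site


def render_link(text, raw_href, allowed_hosts=None):
    """Build an <a> element from attacker-controlled text and href: the href is
    scheme-checked, then both values are HTML-escaped for their contexts."""
    href = safe_href(raw_href, allowed_hosts)
    escaped_text = html.escape(text, quote=True)
    if href is None:
        return escaped_text  # keep the text, drop the link
    return f'<a href="{html.escape(href, quote=True)}">{escaped_text}</a>'


if __name__ == "__main__":
    # Constructed sample targets, including the handler schemes discussed above.
    for candidate in ["https://www.msn.com/videos", " javascript:alert(1)", "java\tscript:alert(1)",
                      "mailto:user@example.com?subject=hi", "skype:echo123?call", "//evil.example/",
                      "/videos/123", "HTTPS://example.com/a?b=1&c=2"]:
        print(repr(candidate), "->", safe_href(candidate))
```

Escaping alone would not have helped here: a correctly quoted `href="skype:..."` is still a working link, which is why the scheme decision has to be made separately from the output encoding. The browser-side “always open” preference described above is outside the site’s control; this check removes the site’s part of the chain.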
Researcher promised to be added to hall of fame list
The researcher notified Microsoft about his findings and the company removed the security risk through an update to the service.
No monetary compensation has been received by Lemonias for disclosing the bug, but Microsoft asked for his details to include him on the Online Researcher Acknowledgement page for 2014. He is not listed at the time of writing, but his name is expected to appear at the next update of the list.
More than 75 percent of organizations in the U.S. and U.K. have experienced at least one DNS attack, and 66 percent of organizations in the U.S. experienced a DNS attack within the last 12 months, according to new research undertaken by Vanson Bourne and commissioned by Cloudmark.
The DNS Security Survey is based on interviews with 300 IT decision-makers – 200 in the U.S. and 100 in the U.K. – who work for organizations with at least 1,000 employees in the financial services, IT, manufacturing and production, and retail, distribution and transport sectors.
Of those that experienced at least one DNS attack, 74 percent of respondents stated that their organization has been affected by a distributed denial-of-service (DDoS) attack aimed at causing an internet outage or service disruption, according to findings emailed to SCMagazine.com.
In a Tuesday email correspondence, Tom Landesman, a security researcher with Cloudmark, told SCMagazine.com that attackers are able to launch DDoS attacks through DNS amplification and resource exhaustion.
“They set up a malicious domain with very large resource records with the goal of executing a DNS amplification attack,” Landesman said. “Once the malicious domain is created, queries going to open DNS resolvers with a spoofed IP are directed to a spoofed IP address of target servers causing a DDoS attack.”
Landesman said DDoS attacks are likely the number one DNS attack because of the minimal effort and resources required on the attacker’s end. He added that DDoS attacks create a scenario where the organization is focused on mitigation, while malware infections and data theft may be happening elsewhere on the network.
Of other types of DNS attacks, 46 percent of respondents said their organization experienced DNS exfiltration, or leaking data out via DNS; 45 percent said DNS tunneling, or using DNS to bypass network access or security controls, to create reverse tunnels allowing infiltration, or to bypass Wi-Fi billing; and 33 percent said DNS hijacking, or attempts to reroute DNS traffic to malicious domains or phishing sites.
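Two of the attack types in this survey leave characteristic traces in a resolver’s own logs: amplification traffic shows up as repeated large (often ANY) answers sent toward one address, and exfiltration or tunneling shows up as many distinct, long, high-entropy names under a single domain. The following added example (not code from the article, from Cloudmark or from Vanson Bourne) runs both checks over a constructed log. The log line format, every address and name in `SAMPLE_LOG`, the thresholds and the two-label approximation of a registered domain in `registered_domain` are all assumptions made for the example; production code would read the resolver’s real log format and use the Public Suffix List. On an open resolver the “client” address in an amplification finding is the spoofed source, which is the victim being flooded, not the attacker.

```python
import math
from collections import defaultdict

# Constructed resolver log, one event per line: client_ip qname qtype response_bytes.
# The format and every address and name below are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A 98
10.0.0.5 mail.example.com MX 140
10.0.0.5 cdn.example.org A 102
10.0.0.7 3f9a1c7e4b2d6081.s1.t.exfil-example.net TXT 180
10.0.0.7 9b8c7d6e5f4a3210.s2.t.exfil-example.net TXT 176
10.0.0.7 c4d5e6f7a8b90123.s3.t.exfil-example.net TXT 182
10.0.0.7 0a1b2c3d4e5f6789.s4.t.exfil-example.net TXT 179
10.0.0.7 7e6d5c4b3a291807.s5.t.exfil-example.net TXT 181
10.0.0.7 deadbeef01234567.s6.t.exfil-example.net TXT 177
10.0.0.9 www.example.com A 98
198.51.100.9 bigrecords.example.org ANY 3200
198.51.100.9 bigrecords.example.org ANY 3200
198.51.100.9 bigrecords.example.org ANY 3200
198.51.100.9 bigrecords.example.org ANY 3200
"""


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype, size = line.split()
        events.append({"client": client, "qname": qname.rstrip(".").lower(),
                       "qtype": qtype.upper(), "bytes": int(size)})
    return events


def shannon_entropy(s):
    """Bits per character; encoded data sits far above words like 'www' or 'mail'."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption for this example: the registrable part is the last two labels.
    Real code should consult the Public Suffix List (co.uk and similar)."""
    return ".".join(qname.split(".")[-2:])


def detect_tunneling(events, min_unique=5, min_entropy=3.0, min_label_len=12):
    """Flag (client, domain) pairs whose queries look like encoded data: many distinct
    names under one domain whose leftmost label is long and high-entropy."""
    groups = defaultdict(set)
    for ev in events:
        groups[(ev["client"], registered_domain(ev["qname"]))].add(ev["qname"])
    findings = []
    for (client, domain), names in groups.items():
        first_labels = [n.split(".")[0] for n in names]
        avg_entropy = sum(shannon_entropy(l) for l in first_labels) / len(first_labels)
        avg_len = sum(len(l) for l in first_labels) / len(first_labels)
        if len(names) >= min_unique and avg_entropy >= min_entropy and avg_len >= min_label_len:
            findings.append({"kind": "tunneling", "client": client, "domain": domain,
                             "unique_names": len(names), "avg_entropy": round(avg_entropy, 2)})
    return findings


def detect_amplification(events, min_bytes=1000, min_count=3):
    """Flag clients receiving repeated large answers or ANY answers. On an open resolver
    the client address is the spoofed source, i.e. the victim being flooded."""
    per_client = defaultdict(lambda: {"count": 0, "bytes": 0})
    for ev in events:
        if ev["qtype"] == "ANY" or ev["bytes"] >= min_bytes:
            per_client[ev["client"]]["count"] += 1
            per_client[ev["client"]]["bytes"] += ev["bytes"]
    return [{"kind": "amplification", "client": c, **stats}
            for c, stats in per_client.items() if stats["count"] >= min_count]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in detect_tunneling(evs) + detect_amplification(evs):
        print(finding)
```

The thresholds are deliberately loose so the sample trips them; in a real deployment they are tuned per resolver, and the amplification finding is better acted on by closing the open resolver and enabling response rate limiting than by alerting alone.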
As a result of DNS attacks, 63 percent of organizations lost Internet connectivity, 42 percent saw more customer complaints, 34 percent lost business-critical data and confidential customer information, and 30 percent lost revenue.
Although respondents pointed to customer retention and brand reputation as the biggest concerns following a DNS attack, remediation and operational costs were also considered a burden. Landesman said that the strain DNS attacks put on an organization’s infrastructure and resources can lead to the lost revenue.
“Cybercriminals are able also to bypass Wi-Fi payments, as well as tunnel subscriber traffic through DNS to avoid roaming fees,” Landesman said. “Telecommunication providers may face revenue loss in the millions of dollars as a result.”
Nearly 70 percent of respondents said their organization has a DNS security solution implemented to protect against DNS attacks.
“It’s critical that organizations incorporate DNS protection into their overall security strategy,” Landesman said. “Just as all organizations have addressed traditional internet vulnerabilities with firewalls and anti-virus solutions, it is important that they protect their DNS infrastructure with a flexible, comprehensive solution that can stay ahead of the bad guys.”
The retail, distribution and transport sector experienced the most DNS attacks, with 74 percent of respondents stating that their organization had experienced a DNS attack within the last 12 months.
A sophisticated group of cybercriminals has stolen more than $25 million by hacking into the infrastructure of numerous financial institutions in Russia and former Soviet Union countries, as well as into point-of-sale systems belonging to U.S. and European retailers.
Researchers from Russian cybercrime investigations firm Group-IB and Dutch security firm Fox-IT have dubbed the cybercriminal group Anunak, after the primary malware program in its toolset.
Unlike most cybercrime operations where attackers target the customers of financial institutions, the Anunak group targeted the institutions themselves, compromising their internal networks, workstations and servers. This access allowed them to transfer funds to accounts under their control and in some cases even to compromise ATMs, which they then used to withdraw money fraudulently.
“Since 2013 they have successfully gained access to networks of more than 50 Russian banks and 5 payment systems, and 2 of these institutions were deprived of their banking license,” Group-IB said in a report released Monday. “To date the total amount of theft is over 1 billion rubles (about 25 million dollars), most of it has been stolen in the second half of 2014.”
The Anunak attackers start by infecting the computers of regular employees with malware and then move laterally inside the network by compromising servers and active domain accounts. The group uses network scanners, keyloggers, password crackers, SSH backdoors, remote control programs and often the Metasploit penetration testing framework.
However, their primary tool is a computer Trojan dubbed Anunak, based on Carberp, a malware program designed to steal online banking credentials and whose source code was leaked online in June 2013. The Group-IB researchers believe that some members of the Anunak group were previously members of the Carberp gang which split up in 2013 following internal conflicts.
The attackers use several methods to infect computers with the Anunak Trojan. These include drive-by downloads through exploit kits (the group is believed to have injected malicious code in the php.net site in 2013 to attack its visitors), spoofed emails with malicious attachments that claim to be sent by the Central Bank of the Russian Federation and installation through other malware programs as part of pay-per-install agreements.
“The criminal group keeps in touch with several owners of large botnets that massively distribute their malware,” the Group-IB researchers said. “The attackers buy from these botnet owners the information about IP addresses of computers where the botnet owners have installed malware and then check whether the IP addresses belong to financial and government institutions. If the malware is in the subnet of interest, the attackers pay the large botnet owner for installation of their target malware.”
Starting in the second quarter of 2014, the Anunak group also targeted retailers in the U.S., Australia and Europe with the goal of infecting point-of-sale (POS) terminals with malware that can steal payment card data during transactions.
At least 16 possible breaches have been identified at retail organizations — 12 of them in the U.S. — and theft of credit card data was confirmed in three of those cases, the researchers said in their report. The group also compromised computers at three U.S.-based PR and media organizations, possibly with the intention of obtaining trading advantages on the stock market, they said.
“We have no evidence of compromises against banks in Western Europe or United States, but it should be noted that the attackers methods could be utilized against banks outside of Russia as well,” the researchers warned.
The Sony hack revealed Mark Cuban’s personal email address, as well as several confidential emails between himself and executives detailing his displeasure with a salary offered to him for ABC’s hit show Shark Tank.
On Sunday, the billionaire told CNN’s Reliable Sources that prior to the hack, he had already stopped using email to conduct confidential business interactions and had instead moved to his app Cyber Dust, which he has described as “WhatsApp meets Snapchat.”
Cuban was unequivocal about whether the hack would change Hollywood, which it has shocked, and whether another one would follow.
Here’s what he had to say:
STELTER: Do you think that will profoundly change in Hollywood as a result of this hack?
CUBAN: Not until the next one. And there will be a next one.
STELTER: It takes one more to change…
CUBAN: Yes, because everybody will think, look, that’s not going to happen to me. It happens. Right. It can’t – that’s just the way people think.
And now that the hack has gotten so much notoriety and it’s had such an impact, you know, that’s a chip for any hacker. That’s a trophy hack, and people – hackers are going to want more trophy hacks just to put the trophy on their mantle.
“Whoever you send it to now controls that message.”
Cuban went on to make statements about the vulnerability involved in all major social media platforms:
STELTER: It seems like this hack might have been a good thing for you, because you’re using it as a chance to promote your app Cyber Dust.
STELTER: You say you’re in touch with Sony via this app now.
STELTER: So, you’re really negotiating with them via an app.
CUBAN: Sony – well, actually, Mark Burnett’s people do most of the negotiations, right? And so but we also have to incorporate Sony into it.
What went from C.C.ing Steve and Holly Jacobs and the whole Sony crew has turned into, OK, I’m only doing it on Cyber Dust. But I started this before the hack, before there was any awareness of the hack. It wasn’t something in response to the hack. It’s something that I had already pushed them to do in the first place, knowing that, look, when you hit send on a tweet, a Facebook post, a text, or an e-mail, the minute you hit send, you lose ownership of it.
Whoever you send it to now controls that message. They can do whatever they want. They can put it anywhere they want in any context and you have no idea.