Thursday, February 12, 2015

Justification for Your Paranoia

There have been some weird events with my family lately, so it's been quite a while since I've done one of these. The past few weeks have been pretty fun for security: Anthem got hacked, TurboTax shutdown due to tax fraud, and Obama announced the creation of a new cyber security agency. I'm not going to talk about any of those things though, because the mainstream news has them covered. Here, instead, are some things a little farther afield.


1) A Skeleton Key
Network monitoring software or abnormal user behavior are two ways to detect an attacker within your network, but new malware dubbed "Skeleton Key" can evade both. The malware lets an attacker log in as any user, without needing to know or change the user's password, and doesn't raise any IDS alarms.
The new malware, discovered by Dell SecureWorks, can bypass Active Directory systems that only use single-factor authentication. Skeleton Key is deployed as an in-memory patch on a victim's AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. So the attacker can pose as any user, without needing to steal the user's log-in credentials, and without changing the user's password, thereby soon alerting the helpdesk to a problem when the real user cannot log in.
The Skeleton key malware allows the adversary to trivially authenticate as any user using their injected password. This can happen remotely for Webmail or VPN. This activity looks like, and is, normal end user activity, so the chances of the threat actor raising any suspicion is extremely low and this is what makes this malware particularly stealthy. Another thing that makes Skeleton Key difficult to find is that it creates no network traffic, and is therefore not going to be detected by network-based monitoring systems.
Skeleton Key does have a few key weaknesses though. For one, before an attacker can deploy it, they must already have admin access to the network. Skeleton Key's other main drawback is that it does not use any persistence methods. So it must be redeployed any time the domain controller is restarted. However, deployment of Skeleton Key does trigger domain controller replication issues that researchers say eventually required a reboot to resolve. The lack of a persistence mechanism means that a reboot would effectively kick out the malware; but it could be redeployed later using remote access malware already installed within the organization.

2) Ghosts in the Shell
From skeletons to ghosts now (because undead are a great naming scheme). On January 28th, researchers at Qualys found a vulnerability in the gethostbyname() function of glibc (the GNU C Library) that allows a buffer overflow condition in which arbitrary code may be executed. This vulnerability is referred to by the name "GHOST".
To exploit this vulnerability, all an attacker needs to do is trigger a buffer overflow by using an invalid hostname argument to an application that performs a DNS resolution. This vulnerability then enables a remote attacker to execute arbitrary code with the permissions of the user running DNS. In short, once an attacker has exploited GHOST they may be capable of taking over the system. 
This hole exists in any Linux system that was built with glibc-2.2, but was actually patched in a minor bug fix released in 2013, but was never flagged as a security issues so many stable LTS releases never received the patch. Linux systems that are liable to attack include Debian 7, RHEL 5, 6, and 7, CentOS 6 and 7, and Ubuntu 10.04 and 12.04. Fixes have been released for Red HatUbuntu, CentOS, and Debian core.
After patching it, you should then reboot the system. Linux rarely needs to reboot, but since gethostbyname is called on by so many core processes, such as auditd, dbus-daem, dhclient, init, master, mysqld, rsyslogd, sshd, udevd, and xinetd, you want to make absolutely sure that all your system's running programs are using the patched code.
If that doesn't sound fun enough for you, according to Sucuri Researcher Marc-Alexandre Montpas, a version of the bug also probably affects PHP apps, including everything built on WordPress, since they also use gethostbyname().

3) Because everything needs to be smart, right?
In the last one of these I talked about cheap devices that can intercept and decrypt all of the keystrokes on your wireless keyboard. Well, now for a conceptual wireless keyboard that might actually help with your security, rather than hindering it.
In a publication for the American Chemical Society titled Personalized Keystroke Dynamics for Self-Powered Human–Machine Interfacing scientists describe a self-cleaning, self-powered smart keyboard that can identify computer users by the way they type, which they hope could help prevent unauthorized users from gaining direct access to computers.
Georgia Tech Professor Zhong Lin Wang and colleagues developed a "smart keyboard" that can sense typing patterns that can accurately distinguish one individual user from another. So even if someone knows your password, he or she cannot access your computer because that person types in a different way than you would. 
By analyzing such parameters as the force applied by key presses and the time interval between them the keyboard could provide a stronger layer of security for computer users. Every punch of the keys produces a complex electrical signal that can be recorded and analyzed. To evaluate the authentication potential of the keyboard, the research team asked 104 persons to type the word “touch” four times, and recorded the electrical patterns produced. Using signal analysis techniques, they were able to differentiate individual typing patterns with low error rates.
The self-powered device generates electricity when a user’s fingertips contact the multi-layer plastic materials that make up the device. In addition to providing a small electrical current for registering the key presses, the keyboard could also generate enough electricity to charge a small portable electronic device or power a transmitter to make the keyboard wireless. An effect known as contact electrification generates current when the user’s fingertips touch a plastic material on which a layer of electrode material has been coated. Using the triboelectric effect, a small charge can be produced whenever materials are brought into contact and then moved apart.
The new device is based on inexpensive materials that are widely used in the electronics industry. As part of the study, his research group evaluated the keyboard under challenging conditions, including application of moisture, dirt and oil. “You could pour coffee on the keyboard, and it would not be damaged,” said Wang. “Because it is based on a sheet of plastic, liquids will not hurt it.” AND the special surface coating repels dirt and grime!
But can it keep dog hair from getting stuck in the grooves between keys?.
4) A Possible Tor Replacement?
By this point, everyone paying any attention at all should know about Tor, onion routing, and the so-called deep web. If you didn't know about it a month ago, the recent trial of alleged Silk Road founder Ross Ulbricht, and the take-down of the Silk Road site should have pounded it home. Well for all you former Silk Road users looking for some libertarian economics on the net, there is a new Silk Road.
The fact that there is a new Silk Road (or even that there was an original Silk Road) does not interest me that much, what interests me is that it has been moved off of the Tor network and onto I2P. I2P (originally an acronym for "Invisible Internet Project") has been around since 2003, but was always overshadowed by Tor. 
Like Tor, I2P encapsulates and anonymizes communications over the Internet, passing Web requests and other communications through a series of proxies to conceal the location and identity of the user. Like Tor, I2P also allows for the configuration of websites called "eepsites," within the network that are concealed from the Internet at large (always with the .i2p extension) and are only reachable using the anonymizing network.
But there are some significant differences between Tor and I2P beneath the surface, from the technologies they are based on to how the networks are implemented. In many ways, I2P is a much less mature technology than Tor—but it has the potential to anonymize a greater range of applications and services as it gains adoption, and its architecture is theoretically less vulnerable to the sorts of deanonymizing attacks that have been used against Tor.
By contrast to Tor's "onion routing", I2P uses an approach jokingly called "garlic routing". The message is encrypted with a key for the end-point, and then each router along the path uses an encrypted "tunnel" to add a second layer of protection as it moves to the next—so there's always two layers of encryption on I2P traffic. And bundled in with the packaged "clove" of a message are additional encrypted handling messages: a "delivery status" message giving instructions on sending a message response to provide information on where the response of the message is to be sent and data with the sender's public key and other data needed to route back the response. Additionally, the router can bundle in other messages from other users into the same "garlic" for forwarding, making it more difficult to track an individual message in the stream.
I2P is essentially a peer-to-peer anonymizing service. All clients on the network also act as routers for I2P traffic, and there is no centralized directory server to help clients pre-build the routes for their connections. This is allows I2P to be a packet-switched network and load balance traffic across peers rather than having all the traffic from one client to an exit point follow a single path. It also allows I2P to use unidirectional tunnels—responses sent back to a request don't follow the same network path, making it more difficult to man-in-the-middle both parts of an I2P communication. The packet-based, one-way approach to connections also allows I2P to support UDP traffic—which means I2P can support a number of streaming applications. 
While this makes I2P useful for things like anonymized BitTorrent streams and the like, it does not have the scale or the level of additional protections that the Tor network provides. There are no tools to help get around state-imposed firewalls, for example, like Tor's pluggable transports and bridges. There's also not as much in the way of ready-made software and developer support for I2P as there is for Tor. But since I2P is based on Java, it is easily ported to new platforms. And as with Tor, there is a browser bundle available based on Firefox—called Abscond—for those who want a simpler way to hide themselves. (Unfortunately, it's only available for Windows.)
Of course, legally questionable marketplaces are not the only things hiding in anonymized networks. The newest version of the CryptoWall ransomware has started using I2P instead of Tor. Likewise, Popcorn Time (a BitTorrent media player) has started looking at supporting I2P anonymization.

5) Sometimes the conspiracy theories are right...
Back in July, The Official CIA Twitter account (yes the CIA uses twitter) tweeted:
"Remember reports of unusual activity in the skies in the '50s? That was us." 
The tweet, as well as a followup in December included links to a recently declassified (and as usual heavily redacted) 270 page document entitled The CIA and the U-2 Program, 1954-1974
The CIA has long been suspected of playing a part in one of the most elaborate hoaxes of the twentieth century; including Area 51 and the secrecy they shroud over it. At the least, the popular belief was a cover up from the public, when the government were well aware of the UFO sightings. But the policy was always one of strong denial at all cost.
“The technology that enabled U-2
pilots to operate extended periods
in reduced atmospheric pressure
would later play a major role
in the manned space program.”
In the foreword of the document released late last year, the CIA admitted the “struggle between the CIA and the US Air Force to control the U-2 and a-12 OXCART projects reveals how the manned reconnaissance program confronted problems...” in the broadest sense. But the blame is placed on the shoulders of the communist bloc at the time, cutting away at communications that were once easily accessible. The United States needed and warranted the high altitude capabilities of the U-2 aircraft; where the “Soviet radars would not be able to track aircraft flying above 65,000 feet.
Though unsuccessful, the predecessor of the U-2 was to be a “giant, almost flat-shaped airship with a blue-tinted, non-reflective coating, it would cruise at an altitude of 90,000 feet,” to demonstrate what capabilities the CIA were exploring for their aircraft at the time.
It is the section in Chapter two, entitled "U-2s, UFOs, and Operation Blue Book" that add credence to the CIA claims of responsibility. The interesting part is in the end section on page 85, where the document states that U-2 and later OXCART flights, “accounted for more than one-half of all UFO reports during the late 1950s and most of the 1960s.”
What does remain, which the document doesn’t seem to answer, is the other half of the UFO sightings that the CIA don’t take accountability for. Who is responsible for them?