Tuesday, June 2, 2015

Justification for Your Paranoia

It has been a good two months since I've posted one of these, and a fair amount of interesting stuff has come out of the information security world. If you are at all involved in IT, then you've most likely heard about the LogJam (TLS) and Venom (VM) flaws that came out in May, so we'll not bother with those (if not, check the links and be ready to update your stuff). Instead, as usual, let's talk about some of the weirder (or more snarkable) things.



But first a shout out to the fine men and women of the United States Senate (temporarily at least).


In case you didn't hear, Sunday night three major provisions of the Patriot Act, used to justify the NSA's bulk collection of phone records, were allowed to expire, thanks to the wonderful inaction of the U.S. Senate. This comes just a few weeks after the U.S. Second Circuit Court of Appeals ruled that same bulk data collection program to be illegal.

Of course, the fight is not over. Not by a long shot. The Senate just had a procedural vote to consider the USA Freedom Act, which already passed the House. This bill does nothing to actually end that bulk collection; it just passes it off to private telecoms to mass collect your data. As someone who works for a telecom and has tools for munging that data, let me say, YOU DO NOT WANT IT IN MY HANDS (or any other private entity's). That data needs to just die.

Thus, if you are not already, it is time to Blackout Congress. Some 15000 sites are already blocking and re-directing anyone from a congressional IP address to the protest page. Get on it. 



That said, now on to your regularly scheduled paranoia fuel...

1) Malware that cleans up after itself...
The malware arms race has been going on for decades as new malware comes out and security analysts try to reverse engineer it to learn what it is doing, how it does it, and how to stop it. Defensive cyber security folks have always been one step behind the attackers, but the latest models of malware are making this much, much worse.
The spyware known as Rombertik goes to great lengths to evade analysis. Rombertik employs a number of methods to prevent researchers from examining its workings, including a "self-destruct mechanism". Rombertik (a variant of an older trojan known as Carbon Grabber) spreads through spam and phishing emails and is designed to harvest all plain text entered in the browsers on Windows systems (note that even if the connection is secure, you are probably entering your credit card number and CCV into the form as plain-text).
It is common for malware to contain anti-debug, anti-virtualization, and anti-analysis features, but this one is different. If someone tries to tamper with it, Rombertik attempts to overwrite the device's MBR and encrypt files, effectively wiping the hard drive to remove all traces of itself. Yep, that's right, if you try to investigate this malware, it just destroys your machine (which may or may not be worse than getting hacked, if you don't have a handy backup).
The real tricky part here, though, is that some researchers believe that the self-destruct is not targeted at security researchers, but at the people using the malware. The feature may actually be a trap for those who might try to use and modify the malware without authorization. When cybercriminals purchase Rombertik from its creator, they get a copy that communicates only with their command and control server. The address of the C&C is embedded in the binary code. Some cheapskate cybercrooks might try to hack the binary and change the address of the C&C server so that they can use the malware without having to pay for it. To prevent unauthorized use, the developers ensured that the destructive protection mechanism is triggered when such attempts are discovered.
Let this be a warning to ye then. If ye be a frugal criminal, write your own damn virus. 

2) Smart Billboards...
So Russia has banned the import of foods from the European Union and the US. This is not really a problem for shop-owners, as getting a few salami past customs is a time-honored tradition around the world, but how do you advertise your contraband?
Simple, pay an ad company to rig billboards with facial recognition that's been tweaked to spot the official symbols and logos on the uniforms worn by Russian police. As police approached the ad (see video below) the billboard would switch from advertising a nice, fat wedge of imported cheese, rolling over instead to an ad for a nice, completely non-contraband Matryoshka doll shop.
An ad that hides itself from the law is a clever stunt, albeit not too effective, as the police in the video had time to spot the ad for imported food before it scurried behind Matryoshka dolls. But what's more interesting than the effectiveness of this particular ad is the idea that billboards can use facial recognition to this degree to tailor offerings.
Besides the creepy factor of being photographed without your permission or knowledge, there's also the risk that comes with facial recognition being hooked up to the wider web a la the Internet of Things. What happens once someone takes over the camera on the billboard and uses it for other kinds of facial-recognition-enabled snooping?
Then, of course, once such data is in the hands of a service provider, there's always the possibility that it can be subpoenaed away by a (very data-hungry) government.


3) In case you still think your Mac is safe...
It definitely is NOT. 
Yep, more easy, permanent backdooring of Macs.
Macs older than a year are vulnerable to exploits that overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction. The attack, dubbed "Dark Jedi", affects Macs shipped prior to the middle of 2014 that are allowed to go into sleep mode. The attacker can reflash a Mac's BIOS using functionality contained in "userland" (the part of the operating system where installed applications and drivers are executed). By exploiting vulnerabilities found in Safari and other Web browsers, attackers can install malicious firmware that survives hard drive reformatting and reinstallation of the operating system.
This is similar to, but actually far worse than, the Thunderstrike exploit that came out in December of last year. Both exploits give attackers the same persistent and low-level control of a Mac, but the new attack doesn't require even brief physical access. That means attackers half-way around the world may remotely exploit it.
Updating BIOS and firmware from user space is just plain dumb. It's like asking for a rootkit, and BIOS-based rootkits can survive a complete reinstall of the OS and even updates to the BIOS. 
Dark Jedi works by attacking the BIOS protections immediately after a Mac restarts from sleep mode. Normally apps in userland are only allowed read-only access to the BIOS region. Somehow, that protection is deactivated after a Mac wakes from sleep mode. That leaves the firmware open to apps that rewrite the BIOS. From there, attackers can modify the machine's extensible firmware interface (EFI), the firmware responsible for starting a Mac's system management mode and enabling other low-level functions before loading the OS. A drive-by exploit planted on a hacked or malicious website could be used to trigger the BIOS attack.
The attack has been confirmed to work against MacBook Pro Retina, MacBook Pro 8.2 and MacBook Air, all of which ran the latest available EFI firmware from Apple. Macs released since mid to late 2014, though, appear to be immune to the attacks.
At present, the only thing users of vulnerable machines can do to prevent exploits is to change default OS X settings that put machines to sleep when not in use.
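An added example (not code from the post or from the Dark Jedi research) of the check a defender would run around a sleep/wake cycle: decode the Intel PCH flash-protection registers from a snapshot taken before sleep and one taken after resume, and report which locks went missing. Register offsets and bit positions follow the public Intel PCH datasheets; the register values, BIOS region bounds and helper names are constructed for illustration, and reading the live registers requires a low-level tool such as chipsec, which is not shown here.

```python
from dataclasses import dataclass

# Constructed example: the BIOS region occupies the upper 8 MiB of a 16 MiB flash part.
BIOS_REGION = (0x00800000, 0x00FFFFFF)


@dataclass(frozen=True)
class FlashLocks:
    """Snapshot of the write-protection registers (values supplied by a low-level tool)."""
    bios_cntl: int   # BIOS_CNTL, LPC bridge config space offset 0xDC
    hsfs: int        # HSFS, SPI BAR offset 0x04
    prs: tuple       # PR0..PR4, SPI BAR offsets 0x74..0x84


def pr_covers_bios(pr: int) -> bool:
    """A Protected Range register shields the BIOS region when WPE (bit 31) is set and
    its base/limit window (bits 12:0 and 28:16, in 4 KiB units) spans the whole region."""
    if not pr & 0x80000000:
        return False
    base = (pr & 0x1FFF) << 12
    limit = (((pr >> 16) & 0x1FFF) << 12) | 0xFFF
    return base <= BIOS_REGION[0] and limit >= BIOS_REGION[1]


def lock_state(locks: FlashLocks) -> dict:
    """Name each individual protection and whether it is currently engaged."""
    return {
        "BIOSWE_clear": not locks.bios_cntl & 0x01,      # BIOS Write Enable must be off
        "BLE": bool(locks.bios_cntl & 0x02),             # BIOS Lock Enable
        "SMM_BWP": bool(locks.bios_cntl & 0x20),         # only SMM may write when set
        "FLOCKDN": bool(locks.hsfs & 0x8000),            # PR registers are locked down
        "PR_covers_BIOS": any(pr_covers_bios(pr) for pr in locks.prs),
    }


def bios_write_protected(locks: FlashLocks) -> bool:
    """Userland cannot reflash the BIOS if either the BIOS_CNTL lock chain is complete
    or a locked-down Protected Range covers the BIOS region."""
    s = lock_state(locks)
    cntl_ok = s["BLE"] and s["SMM_BWP"] and s["BIOSWE_clear"]
    pr_ok = s["FLOCKDN"] and s["PR_covers_BIOS"]
    return cntl_ok or pr_ok


def resume_regressions(before: FlashLocks, after: FlashLocks) -> list:
    """Protections that were engaged before sleep but are gone after resume."""
    b, a = lock_state(before), lock_state(after)
    return [name for name in b if b[name] and not a[name]]


# Constructed snapshots: fully locked before sleep, every lock dropped after resume.
BEFORE_SLEEP = FlashLocks(bios_cntl=0x22, hsfs=0x8000, prs=(0x8FFF0800, 0, 0, 0, 0))
AFTER_RESUME = FlashLocks(bios_cntl=0x00, hsfs=0x0000, prs=(0, 0, 0, 0, 0))
```

If `resume_regressions` returns anything for a machine that should be immune, the firmware is exposed in exactly the window the post describes; until a firmware fix ships, the only mitigation is the one above, keeping the machine from sleeping.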

4) SHOCK! Password security questions are not secure!
There are always things that light up the news and the internets that really just deserve an eye-roll. This peer-reviewed study published by Google is definitely one of those. Google's analysis of hundreds of millions of password security questions found that an attacker could guess the answers in 10 tries or less >5% of the time for most questions. The odds were, of course, even better if the user had a public social media account where it would be easy to mine information like your school ("What was your high school mascot?"), your mother's maiden name, or other common questions. Which makes security questions actually a good bit LESS secure than user-generated passwords...
Are you surprised?
Really? 
Apparently Consumeraffairs, Engadget, ABC, USA Today, and pretty much everyone else thought this newsworthy. 
...sigh...
Of course these kinds of questions are not secure. We've known this since websites first started using them for password recovery. A few minutes of basic research will come up with the answers for most of them. Even if the user lied about the answers, a few simple guesses will usually get it, since most users put things like "Don't have one" or other such lamely reused answers.
Seriously, use some form of two-factor authentication.