The year that was

Over the past year there has been a great focus on information and computer security and, as such, a great deal of new vulnerabilities have been found. In fact, finding security vulnerabilities has become so important, that companies like Google, Facebook, Microsoft and others have created programs that offer rewards to anyone who finds security vulnerabilities on their software (http://tinyurl.com/mq2meu6 , http://tinyurl.com/p95cpth ).

New vulnerabilities by year (1988 - 2014)

When a new vulnerability is found, it is reported under a common vulnerability exposure (CVE) tracking number to the NVD (http://nvd.nist.gov). Once reported, it will be analysed and receive a CVSS score (http://tinyurl.com/qzesna3). These scores, varie from 0.0 (low) to 10.0 (high) depending on factors like exploytability and impact.

During this past year, three critical vulnerabilities were found. Each one with a different attack vector but, all capable of compromising the security of systems exposed to the internet.

Heartbleed (CVE-2014-0160)

In April, a bug was found on the most widely used library to secure communications between peers on a network, the OpenSSL library (https://www.openssl.org/). Due to its origin, it has become known has the Heartbleed bug (http://heartbleed.com).

By exploiting this bug, an attacker is able to read arbitrary chunks of memory from the process on the server that is executing the OpenSSL library. By doing this, an attacker can obtain the private and secondary keys used to encrypt the traffic between the peers. With this information, it is then possible decrypt the traffic. Since this is a bug on a feature of OpenSSL, it leaves no trace of being exploited.

Its origin resides on a the implementation of the function used to keep the channel between the peers open, the heartbeat function. This function allows the peers to send at most 64KB (65536bytes) of information to the other peer. The information is then reflected back in order to access if the other peer is still there.

Heartbeat normal operation

The bug resides in the fact that this message contains a length field that is not compared with the actual message size to check if they match. Since the length is not checked, it is possible to send a very small message (ex: 1byte) but state in the length field that the message is of size 64KB. When the the message is reflected back, the attacker will receive the original message plus 65535bytes (64KB – 1byte) of random memory from the server. He can then execute this attack multiple times until he has gathered enough memory to get the desired content.

Heartbleed attack

OpenSSL is used by the most popular webservers on the Internet, Apache and nginx. These, combined, represent arround 66% (http://tinyurl.com/l4kvsjy) of the webservers. By this number, it is possible to grasp how serious this bug really was.

Currently, new releases of OpenSSL have been made available that correct this problem.

Shellshock (CVE-2014-6271)

In September, a 25 year old bug on the GNU Bourne-again shell (bash) was found. The bash is the most popular command line and, is present on all Linux and OS X operating systems. By exployting this bug, an attacker may execute arbitrary code on a server using specially crafted requests.

The bug resides on the way that the bash handles a special type of variables called environment variables (http://tinyurl.com/mtpe5m5). When the bash evaluates these vairables, if it is set with a function (small program) that starts with a special sequence of characters ( “() { :;};” ), it will not stop when the function ends but, in fact, will continue to evaluate the variable until all its content is parsed. This behaviour causes the execution of the code after the function ends which, in some cases, may be controlled by an attacker to, for example gain an iligit access to the server.

Following, we have an example on how to test if a bash is vulnerable to this bug.

Shellshock bug test example

In the above example, an environment variable x is crated with the value ‘() { :;}; echo vulnerable’, after, a new bash get’s called and executed (bash –c “echo this is a test”). Once it starts to execute, it parses the content of the environment variables defined in the system, which includes x, that contains the attack. So, if a vulnerable bash is being executed, the output would be the result of command echo “vulnerable” (the malicious code) followed by “this is a test”.

Although there are many ways to explore this vulnerability, the most common is by using an HTTP request (generated by the web browser and other similar tools). During a normal, non-malicious requests, a user sends an HTTP request to a webserver and expects a reply that contains some type of content.

Each HTTP request is composed of multiple fields that are read and interpreted by the webserver. To process these fields, the webserver will most likely call other small programs. To pass the fields to these programs, it will store them on environment variables.

HTTP request example

Since the HTTP requests are generated on the user side, he can craft special requests to execute arbitrary code on the webserver. On the following example, the User-Agent field has been replaced by content that can cause the server to try and contact another server (evilserver.com).

Malicious HTTP request

By broadcasting this message to a network, an attacker would be able to identify the webservers that are vulnerable to the Shellshcok bug.

Malicious HTTP effect

Due to simplicity and wide spread utilization of the bash on servers, security experts consider that this bug is even more dangerous than Heartbleed (http://tinyurl.com/o57dj8e).

Following the discovery of the shellshock bug, several other simillar bugs have been found (http://tinyurl.com/nngb368). In order to fix them, vendors have released patches that prevent their exploitation, so, if you haven’t updated your bash in since September, you should!

Poodle (CVE-2014-3566)

Less than a month after shellshock, researchers at Google release a paper called “This POODLE Bites: Exploiting The SSL 3.0 Fallback” (http://tinyurl.com/p9bxcdk). In it, they describe a flaw on SSLv3 protocol (in cipher-block-chain mode) and how to exploit it.

This flaw is know as POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption and, by exploring it, an attacker will be able to obtain a session cookie of another user, and thus, impersonate the user to a service.

Since the discovered flaw resides on the protocol itself and not on the implemetations or the ciphers that are used, it actually invalidates its use.

Altough most secure communications use TLS (sucessor of SSL), many web servers and web browsers will downgrade to SSLv3 (or older) if they detect problems in the negotiation of the TLS session. This beaviour allows an attacker (assuming that he is able to perform man-in-the-middle attack) to interfere with the connection between both and, force them to downgrade to SSLv3. Once this is accomplished, he will then be able to decrypt the traffic between both by executing the POODLE attack.

SSLv3 Message format  1

SSLv3 in CBC (cipher-block-chain) starts by adding a message autentication code (MAC for short) in order for the receiver to check for the integrity (i.e if the content was modified or otherwise tampered with). Next, it has to split the message into 8 or 16 byte blocks (depending if the cipher is AES or DES) to be encrypted. However, since not all messages have a size that is multiple of these values, padding is added to the end of the message. Because the protocol does not specify the content of the padding, a set of random bytes is added as a pad. In order to know the size of the padding, one last byte that indicates its size is also added.

After being padded, the message is splited into blocks. Each block of clear text is then encrypted seperatly using a secret key and the previous block (an initialization vector is used to encrypt the first block). The process ends when the last block is encrypted.

CBC Encryption

Decrypting a message follows the reverse process. It starts by decrypting the last block using the previous block and the secret key. Then each encrypted block is used to decrypt the next block. Once the final block is decrypted, the last byte of the pad is read (size of the padding), the padding is striped of the message and the integrity of the message is verified. If for some reason the verification of the integrity fails, the message is rejected and the connection is closed.

CBC Decryption

Note that the padding is not verified in this process, and that if a message is rejected, the channel used to communicate is closed. The POODLE attack is based on these two facts.

To execute the POODLE attack, an attacker has to have the ability to perform a MITM (man-in-the-middle) attack and alter the traffic on the “wire”. Once the attacker is able to this, he will replace the padding block with another block (for example, the cookie block) and observe the response from the server. Since the padding itself is not checked, if the server accepts the message, he will have decrypted the last byte of message (he knows the size of the padding). He will then alter the message and repeat the process for the next byte and so on until the block is decrypted (http://tinyurl.com/kju8l2m).

The probability that a server will accept a modified message and decrypting one byte of information from the block is 1/256. Meaning that for a block of n bytes, we have at most 256*n to decrypt the block. This number may seem big, but with the current internet connection speeds, it is quite small.

SSLv3 is a protocol with 15 years that is still used for legacy reasons. Due to dificulty of performing this attack, the POODLE has a score of 4.6 in the CVSS, which rates it has a Medium risk vulnerability. However, this attack actually invalidates the use of the SSLv3 protocol and since the flaw resides on the protocol, the only solution is to disable to possibility to downgrade to it.

During the first ten months of 2014, three vulnerabilities with a great impact have been found. With little more than one month left until the end of the year, do you think that a new major vulnerability will be found? And what about 2015 and beyond? Are your systems and teams prepared to deal with this new reality?

Read More

Cryptocurrency, the coins of the future?

In 2009 an author going by the pseudonym of Satoshi Nakamoto published a paper called Bitcoin: A Peer-to-Peer Electronic Cash System (http://tinyurl.com/kkxbyss) that describes a decentralized electronic cash system based in cryptography that does not depended on financial institutions to validate transactions or to generate the cash. Since the system depends on a distributed network, it is very difficult to establish a relationship between the digital cash and its owner.  This paper has started the era of Cryptocurrency.

Although the Bitcoin is the most famous (and valuable) of cryptocurrencies, there are well over five hundred different types of digital coins in circulation (http://tinyurl.com/o94fhlw), each having different values and market capitalizations. Some of these coins actually reach very high values, being the most famous the case of the Bitcoin that reached the value of $1124.76 by the end of November of 2013. Although this value has decreased, it still has a high market quotation (at the time of writing: $427.20).

According to DELL, an estimated $2.6million worth in digital coins are generated every day (http://tinyurl.com/o6y4hrr) by users. Since these coins are traded digitally, are difficult to trace and have such a high value, they make a very attractive target for cyber criminals since they can use them to pay for illegal stuff or ask ransoms without worrying about being identified.

A study published by Kaspersky (http://tinyurl.com/m25vuma), shows that 8% of financial malware is already targeting cryptocurrency wallets, and 14% targets the mining process.

Also, the appearance of new malware that targets cryptocurrency varies according to the market quotation of the coins as another study from DELL (http://tinyurl.com/nqcu5h9) shows.

Although the cryptocurrency system equates into a rich, complex and distributed environment (please refer to https://bitcoin.org/ to learn the details) two core processes are systematically targeted by most attackers: the mining process and the transaction process.

To earn “coins” entities contribute to the validation of a set of the transactions by performing some complex computations (also known as mining). According to the amount of effort employed to perform the computations, entities are rewarded “coins”.

The proof of ownership of a set of “coins” is stored in the entity digital wallet. The “coins” are, like real money not tied to anyone’s identity, so what really matters is maintaining the ownership of the coins by protecting the one’s wallet.

Typically attacks to cryptocurrency environments aim to steal coins and sometimes to disturb the environment (or the network) and usually target:

• Wallets (represent a user personal wallet)
• Exchange Services (works like a bank or a store)
• Cryptocurrency network (similar to the economic system that regulates the market)
• Mining resources (where the coins are created)

User Wallets

The most obvious targets are the wallets. Since these are used to store the coins (or the coin address and private key that assures the network that the user is the owner of a set of coins), if an attacker can compromise the devices were wallets are stored, it will be possible to transfer the coins. Once the transfer is accepted, it becomes impossible to revert the operation (remember that the system works through “proof of ownership” and not by tying coins to anyone’s identity). Performing these attacks are equivalent to pickpocket a user wallet.

Currently there are over one hundred different families of wallet stealing malware (http://tinyurl.com/ovnddwz). These vary from phishing malwares that send emails that try to make the user reveal the content of his wallet, to more sophisticated ones like CoinThief.A (http://tinyurl.com/q88kxaz), which hides on the users device and waits for them to access their wallets to steal their credentials. These malwares can be seen as the pickpockets of digital wallets.

Exchange Services

Since digital coins are worthless if there isn’t a broker service that trades them for other things (like “physical” money or some kind of valuable service), exchange services have appeared and thrive worldwide. These services provide for the buying and selling of coins, and as such, they also have become a target due to the amount of digital coins that they store. Successfully attacking these services can be seen as robbing a bank or store.

Although there have been many attacks on the exchange services (http://tinyurl.com/q2ecy6t), the most famous one is the heist of MtGox (http://tinyurl.com/npnab5b). MtGox was a Tokyo based exchange service that at the time traded ¾ of the world Bitcoins.

With this heist, they lost 850.000 bitcoins (almost half a billion US dollars at the time) which, of course has lead to the bankruptcy of the service. How this heist was performed remains a mystery until now however and, if true, according to Campbell Harvey (professor at Duke University's Fuqua School of Business), it is the biggest bank heist in history.

Cryptocurrency Network

When a buyer (or sender) wants to acquire some goods (like “physical” money, service or any other product) from a seller (or receiver), a transaction of digital coins from one to another is performed. This transaction is initiated by the buyer that generates a signed block composed of his wallet address, the amount of coins and the seller wallet address. The block is then sent to the network in order to confirm the coins ownership transfer (mined). Once the seller receives the confirmation of the transaction he will accept it and handle the goods to the buyer.

But, by looking at this process, what stops the buyer from performing a double spending (spend the same coin twice) attack by creating two different block’s (one for each buyer) and sending them to the network to be confirmed? The distributed nature of the network stops this attack, because only one of those transactions will be accepted (added to the chain). This is due to the fact that one of those transactions will be accepted first (i.e. added first to the chain), and nodes only consider the first transaction (only accept the longest chain). If a transaction using the same coin arrives to be confirmed, they will detect the double spend and will not confirm it. So, to perform this attack, the sender must be able to forge a chain that is larger than the one that is currently accepted by the network.

In order to forge a larger chain, the sender must control a total amount of computing power greater than 50% of the network (i.e >=51%, which is very unlikely due to the size of the network). With it, he will be able perform a double spending attack by letting the first transaction be confirmed by the network, and then, introducing is own chain. Once introduced, it will become the main chain of the network since it is larger that the honest chain and nodes will start to work on it by adding new blocks to it.

Although this attack seems tempting because it can potentially encourage an attacker to always use the same coins to pay for something, it is less profitable than mining (http://tinyurl.com/kkxbyss). This is due to the fact, that by controlling that much computing power, the attacker will be able to collect very big rewards by staying honest and mine for coins. This means that an attacker will gain more by activity contributing to the “economy” well being than trying to control it.

Mining Resources

Earlier this year, researchers at Secure Works have discovered an attack where someone was able to redirected users (miners) to his own servers in order to “steal” their mining resources (http://tinyurl.com/o6y4hrr). Since users are rewarded according to their participation, the objective of the attacker was to have the users performing the heavy computations, and then collect their reward. This attack can be interpreted has stealing the salary of workers at a coin forging facility since it is effectively stealing their rewards for mining.

With this attack, it is estimated that the attacker was able to steal about $83.000 from the users, which isn’t much, but the interesting thing here is the way in which this attack was performed.

To execute this attack, the attacker changed the BGP routes (protocol that connects networks on the internet, for more details please read: http://tinyurl.com/o6y4hrr). After the initial advertisement, BGP ensures that the new routes are propagated through the network. When the attack was finally uncovered, it had already reached 51 different networks (http://tinyurl.com/mgo9zb6) and 19 Internet Service Providers (ISP).

The researchers have traced the origin of the attack to an ISP located in Canada. Since the BGP connected networks can only be changed manually (ensures that malicious networks can’t hijack traffic from legit ones), this means that the attacker was either an ex-employee of the ISP or was still working there.

With Cryptocurrencies current hype and exposure, researchers believe that these are just the first attacks, and that new and more complex ones will arise in the future (http://tinyurl.com/o6y4hrr).

Currently, the first Bitcoin ATM machine has been installed in Lisbon, and two more are planed for Porto and Algarve (http://tinyurl.com/lh8dwvx).

So are you prepared to start using Cryptocurrency on your day-to-day basis?

Read More

Secure QR Codes: the next step?

In the last couple of years, we have been seeing a boom in the usage of Quick Response (QR for short) Codes (bit.ly/1psFKTY).

According to Visual.ly (bit.ly/1ko7quq), the number of created QR Codes outside Japan (where they are most popular) will reach 590 million by 2016.

This increase in usage was powered by:

1. The popularity of smartphones that have the capacity to read and interpret the QR Codes;
2. As a means of marketing.

According to the marketing guide Heidi Cohen (bit.ly/1ACNGYI), people tend to scan QR Codes to either get some type of discount, purchase products, access additional information, or perform bets.

QR Codes are commonly found in printed media like (magazines, newspapers), public transportation, publicity boards, social events, and many other places.

The most common type of content embedded in a QR Code is a URL. These, are opened in the device’s browser and transport the user to a web page that contains the intended information.

This type of behavior may lead to potential problems if the authenticity of the QR Code is not verified or not present because the user can’t read the encoded information.

Citation from mobilephonesecurity.org (bit.ly/UO2bYx)

A study conducted by AppSec Labs (bit.ly/1koJ0ks) tests fourteen different QR Readers, and concludes that 35% of them are vulnerable to the evilURL vector.

From the tested applications, only one would not execute the malicious code. This shows that it is possible to use evilQR’s as an attack vector to infect user devices.

By leveraging the ease of creating an evilQR (bit.ly/1odERyW) and social engineering techniques or false publicity (ex: mail publicity for promotions, phishing, big sport events, etc.), it would be quite easy to trick people into scanning the malicious QR Code.

In fact, attacks based on evilQR’s are already performed.

An attack called QR-Jacking has appeared in 2011 on Japan.

There are some good practices that try to minimize the possibility of this kind of attacks (bit.ly/UO2bYx). However, since these rely on the prudence of the users, they offer little or no protection.

But, does this mean that we are destined to use “unsecure” QR Codes?

Citation from mobilephonesecurity.org (bit.ly/1s9Zjl0)

Based on a paper published on the 4th International Conference on Computer Engineering and Technology (http://tinyurl.com/ory89en) and on the work performed by Ecert, we are able to answer to the above quotation with: “yes, we can add some security to the QR Codes”.

By providing Authenticity (it was created by the “legit” owner) and Integrity (it was not modified after creation) to QR Codes, we are able to mitigate the QR-Jacking attack.

Once a QR is created with these properties, an attacker will no longer be able to make an evilQR and impersonate a legit one because, the reader will be able to detect that the QR either was modified or replaced.

This is the case of Ecert that, recently started to emit certificates with QR Codes in order to verify their authenticity (bit.ly/1qPQEXW).

The Japanese government is currently issuing passport visas with QR Codes (bit.ly/1nbqW7Z). These codes are encrypted and are used by the country authorities to get information related to the entry.

While the Japanese government is concerned with the confidentiality of the data encoded on the QR Code, the Integrity and Authenticity of the information is key to address other security dependent scenarios.

By creating a digest of the content of the information that we wish to put on the QR Code and then signing it (with the creator’s private key), we are able to provide both Integrity and Authenticity to it.

After signing, the authenticated digest is added to the original information and (if necessary) both are compressed. Then, the output is feed to the QR Code generator thus generating an authenticated QR Code.

The below picture depicts this process.

Authenticated QR Code creation

When the QR Codes that are generated in this manner are scanned, they can be verified for authenticity and integrity by applying the inverse process.

When the QR Code reader scans the code, it will decompress the content, thus obtaining the information and the signed digest.

First, the reader should check the signature (using the creator’s public key), if the signature verification fails, the code has been tampered and the process should be aborted.

If everything is ok with the signature, the reader generates a digest of the information and compares both digests, if they match, then everything is ok, otherwise, the QR Code was altered.

The following picture illustrates the verification of the QR Code.

QR Code content verification

By applying the described processes, we are able to ensure the Authenticity and Integrity of QR Codes.

This processes will provide stronger security properties to them, thus providing enough reliability to encourage new ways of utilization.

So, are you going to take the next step and provide security to your QR Codes?

Read More