Friday, 26 September 2014

‘Shellshock’ Bug Spells Trouble for Web Security

As if consumers weren’t already suffering from breach fatigue: Experts warn that attackers are exploiting a critical, newly-disclosed security vulnerability present in countless networks and Web sites that rely on Unix and Linux operating systems. Experts say the flaw, dubbed “Shellshock,” is so intertwined with the modern Internet that it could prove challenging to fix, and in the short run is likely to put millions of networks and countless consumer records at risk of compromise.
The bug is being compared to the recent Heartbleed vulnerability because of its ubiquity and sheer potential for causing havoc on Internet-connected systems — particularly Web sites. Worse yet, experts say the official patch for the security hole is incomplete and could still let attackers seize control over vulnerable systems.
The problem resides with a weakness in the GNU Bourne Again Shell (Bash), the text-based, command-line utility on multiple Linux and Unix operating systems. Researchers discovered that if Bash is set up to be the default command line utility on these systems, it opens those systems up to specially crafted remote attacks via a range of network tools that rely on it to execute scripts, from telnet and secure shell (SSH) sessions to Web requests.
According to several security firms, attackers are already probing systems for the weakness, and that at least two computer worms are actively exploiting the flaw to install malware. Jamie Blasco, labs director at AlienVault, has been running a honeypot on the vulnerability since yesterday to emulate a vulnerable system.
“With the honeypot, we found several machines trying to exploit the Bash vulnerability,” Blasco said. “The majority of them are only probing to check if systems are vulnerable. On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system. This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks.”
The vulnerability does not impact Microsoft Windows users, but there are patches available for Linux and Unix systems. In addition, Mac users are likely vulnerable, although there is no official patch for this flaw from Apple yet. I’ll update this post if we see any patches from Apple.
The U.S.-CERT’s advisory includes a simple command line script that Mac users can run to test for the vulnerability. To check your system from a command line, type or cut and paste this text:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:
 this is a test
An unaffected (or patched) system will output:
 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test
US-CERT has a list of operating systems that are vulnerable. Red Hat and several other Linux distributions have released fixes for the bug, but according to US-CERT the patch has an issue that prevents it from fully addressing the problem.
The Shellshock bug is being compared to Heartbleed because it affects so many systems; determining which are vulnerable and developing and deploying fixes to them is likely to take time. However, unlike Heartbleed, which only allows attackers to read sensitive information from vulnerable Web servers, Shellshock potentially lets attackers take control over exposed systems.
“This is going to be one that’s with us for a long time, because it’s going to be in a lot of embedded systems that won’t get updated for a long time,” said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley. “The target computer has to be accessible, but there are a lot of ways that this turns accessibility into full local code execution. For example, one could easily write a scanner that would basically scan every Web site on the planet for vulnerable (Web) pages.”

Jimmy John’s Confirms Breach at 216 Stores

More than seven weeks after this publication broke the news of a possible credit card breach at nationwide sandwich chain Jimmy John’s, the company now confirms that a break-in at one of its payment vendors jeopardized customer credit and debit card information at 216 stores.
jjohns On July 31, KrebsOnSecurity reported that multiple banks were seeing a pattern of fraud on cards that were all recently used at Jimmy John’s locations around the country. That story noted that the company was working with authorities on an investigation, and that multiple Jimmy John’s stores contacted by this author said they ran point-of-sale systems made by Newtown, Pa.-based Signature Systems.
In a statement issued today, Champaign, Ill. based Jimmy John’s said customers’ credit and debit card data was compromised after an intruder stole login credentials from the company’s point-of-sale vendor and used these credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16, 2014 and Sept. 5, 2014.
“Approximately 216 stores appear to have been affected by this event,” Jimmy John’s said in the statement. “Cards impacted by this event appear to be those swiped at the stores, and did not include those cards entered manually or online. The credit and debit card information at issue may include the card number and in some cases the cardholder’s name, verification code, and/or the card’s expiration date. Information entered online, such as customer address, email, and password, remains secure.”
The company has posted a listing on its Web site — — of the restaurant locations affected by the intrusion. There are more than 1,900 franchised Jimmy John’s locations across the United States, meaning this breach impacted roughly 11 percent of all stores.
pdqThe statement from Jimmy John’s doesn’t name the point of sale vendor, but company officials confirm that the point-of-sale vendor that was compromised was indeed Signature Systems. Officials from Signature Systems could not be immediately reached for comment, and it remains unclear if other companies that use its point-of-sale solutions may have been similarly impacted.
Point-of-sale vendors remain an attractive target for cyber thieves, perhaps because so many of these vendors enable remote administration on their hardware and yet secure those systems with little more than a username and password — and often easy-to-guess credentials to boot.
Last week, KrebsOnSecurity reported that a different hacked point-of-sale provider was the driver behind a breach that impacted more than 330 Goodwill locations nationwide. That breach, which targeted payment vendor C&K Systems Inc., persisted for 18 months, and involved two other as-yet unnamed C&K customers.

Some government computer systems taken offline after Shellshock security bug discovery

Photo illustration: text from the Bash command-line program overtop a computer user\'s hands.
The federal government has rushed to update software across its computer systems and taken other vulnerable systems offline after a critical network security flaw known as “Shellshock” was disclosed Wednesday.
The Shellshock bug lets people issue commands using the Bash shell program, which is shipped with most Linux and UNIX distributions and Apple’s Mac OS X operating system. That leaves everything from personal computers to routers and many other devices that connect to the internet vulnerable to exploitation.
“When the government became aware of this vulnerability, all federal government organizations were directed by the Chief Information Officer for the Government of Canada to patch affected systems on a priority basis,” Kelly James of the Treasury Board of Canada Secretariat said Thursday afternoon in an email to Postmedia.
“For vulnerable systems where no patch is available, departments have been directed to take those systems offline.”
The Treasury Board of Canada Secretariat handles internal administration for much of the federal government.
The federal government was criticized in April for being slow to notify the public about the Heartbleed bug discovered in the OpenSSL encryption library, waiting several days even as some 900 Social Insurance Numbers were copied from the Canada Revenue Agency website. A 19-year-old computer science student at Western University in London, Ont., was charged with one count of unauthorized use of a computer and one count of mischief in relation to data over the incident.
Some security experts warn that Shellshock could prove more harmful than the Heartbleed bug. Whereas Heartbleed allowed third parties to “listen in” on users’ activity, Shellshock could let hackers execute malicious code on remote machines that use the vulnerable versions of Bash, putting much of the internet at risk.
Updates for the affected Bash software have not completely patched the vulnerability yet, according to network administrators, and attacks by hackers exploiting the Shellshock flaw have already been carried out. The U.S. Department of Homeland Security has listed the Shellshock bug in its national vulnerability database under the identifier “CVE-2014-6271″ — with a severity rating of 10 out of 10.
The vulnerability was discovered last week by Stephane Chazelas, a French programmer working in Scotland who told the Globe and Mail he checked Bash after finding a similar flaw in other software. The bug was reportedly part of the code for over two decades before it was discovered and it could take months before its full impact is known.

Drozer – The Leading Security Testing Framework For Android

Drozer (formerly Mercury) is the leading security testing framework for Android. drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.
drozer - Android Security Testing Framework
drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR’s advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).
drozer helps to reduce the time taken for Android security assessments by automating the tedious and time-consuming. In a way you could think of drozer as Metasploit for Android devices.
  • Discover and interact with the attack surface exposed by Android apps.
  • Execute dynamic Java-code on a device, to avoid the need to compile and install small test scripts.
  • Discover Installed Packages
  • Send Intents to IPC Endpoints
  • Broadcast Intents
  • Access Databases from other Apps
  • Interact with Services in other Apps
  • Arbitrary Java Execution
  • Run an Interactive Shell
  • Access a device with Remote Exploits
  • Root Privilege Escalation
  • Command-line Interface
  • Use drozer with Physical Devices
  • Use drozer with Android Emulators
You can download drozer here:
Debian/Ubuntu (.deb)drozer_2.3.3.deb
Redhat/CentOS (.rpm)drozer-2.3.3-1.noarch.rpm
Or read more here.

Why the Heyday of Credit Card Fraud Is Almost Over

Credit Cards_Merithew
Jim Merithew/WIRED
In 1960, an IBM engineer named Forrest Parry was developing a new type of ID card for the CIA when he had an epiphany: Why not make each card a tiny data storage device in and of itself? He cut a short length of half-inch wide magnetic tape from a reel and wrapped it around a blank plastic card, secured it with Scotch tape, and then, at his wife’s suggestion, pressed it on with a warm iron.
The magnetic stripe card was born.
Today magstripes are on the backs of millions of US-issued credit and debit cards, where they hold all the information needed to produce a flawless counterfeit card—account number, expiration date, and a secret code called a CVV. That has made Forrest Parry’s invention one of the computer underground’s most prized targets—more valuable than anything on your hard drive. We were reminded of that last week, when Home Depot confirmed that 56 million shoppers had their credit card data siphoned from the big box retailer’s point-of-sale systems over six months. That’s 3,000 miles of magstripe, stolen three inches at a time.
The announcement makes the Home Depot breach the single largest known theft of credit card data in history, edging out the 40 million cards stolen from Target late last year, and about the same number taken from TJX in 2006. It may also be one of the last major credit card heists.
But more on that in a moment.
The first magstripe card.
The first magstripe card. (CC) Jerome Svigals via Wikimedia Commons
First, a bit of history: What happens to stolen bank card data hasn’t changed in 15 years—the hackers package it and sell it in bulk to the underground’s third-party resellers. Ten years ago it was the Ukranian known as “Maksik”; today it’s the Ukrainian known as “Rescator.” If Parry’s innovation was to take a bulk storage medium and literally slice it into a wallet-sized one, the computer underground has perfected the opposite process, compiling all those squirts of information into a big data play that would make Mark Zuckerberg envious.
Once it’s in an underground shop, card counterfeiters buy the magstripes they need—sometimes ordering by bank or ZIP code—and copy it onto fake cards using their own magstripe encoding machines. Then they use the cards to buy goods they can resell or dispatch crews to do the shopping for them in exchange for a cut of the profits.
Since about 2001, stolen magstripe swipes, or “dumps,” have been the pork bellies of a massive hacker commodities market, centered in Eastern Europe and stretching around the globe. Beyond the hackers who breach stores like Home Depot, and the resellers like Rescator who market the cards, there are vendors specializing in the hardware and material—plastic embossers, fake holograms, blank cards, magstripe encoders—needed to use the data and others who crank out professional fake IDs to help pass the fake cards. By the most conservative estimates, it all adds up to $11 billion in losses annually.
But the golden age of credit card fraud is drawing to a close, and history will regard Home Depot, TJX, Target, and all other breaches as a single massive exploit against one catastrophic security hole: The banks’ use of roughly 23 characters of magnetically encoded data as the sole authentication mechanism for a consumer payment infrastructure that generated 26.2 billion transactions in 2012 alone. Engineering students will study that gaffe with the astonished bemusement with which they view old footage of the Tacoma Narrows Bridge twisting in the wind.
The fatal problem with the credit card magstripe is that it’s only a container for unchanging, static data. And if static data is compromised anywhere in the processing chain, it can be passed around, copied, bought and sold at will.
The solution has been available for years: Put logic in the card. Thanks to Moore’s Law, an inexpensive tamper-resistant microprocessor fits comfortably in a space smaller than your driver’s license photo. With a computer on both edges of the transaction, you can employ cryptography and authenticate the card interactively, so that eavesdropping on the transaction gains you nothing. Just as IBM’s Parry made our wallets smarter by adding computer storage, a modern card is smarter still by having an entire computer onboard.
Now, after resisting it for 10 years because of the formidable transition costs, the US is about to finally embrace the secure chip-based authentication system called EMV—the standard was pioneered by Europay, MasterCard, and Visa—that the rest of the world has already adopted. Pushed by mounting fraud costs, credit card companies have crafted incentives for merchants to switch to the sophisticated readers needed to accept the cards. “There was a lot of skepticism about whether it would ever happen in the US,” says Michael Misasi, an analyst with the Mercator Advisory Group. “All of the data breaches that have happened have woken people up, and progress has been accelerating this year.” The first serious milestone is October 2015. By 2020 the swipe-and-sign magstripe reader will be as hard to find as the credit card impression rollers they supplanted.
By then, it’s probably safe to say, the entire idea of a credit or debit “card” will be quaint. With the newly announced Apple Pay joining Google Wallet as a real-life payment system, even the chip-based credit cards will be little more than a backup technology. Apple took some ribbing for announcing Apple Pay while its iCloud celebrity breaches were still in the news. But unlike cloud storage, the state of the art of retail payment is so poor today that Apple can’t possibly fail to improve it.
You can see where this is headed by looking at one of EMV’s early adopters. Since the UK deployed EMV “chip-and-PIN” cards in 2004, overall card fraud in that country has fallen 32 percent, from 504.8 million euro in losses that year to 341 million in 2011, according to the most recent figures from the UK Card Association.
There are two loopholes that kept criminals from being hit even harder by the chip cards. First, the UK cards still have magstripes so UK travelers can use them when visiting the US. Adaptable criminals in the UK began working with confederates in restaurants and shops, covertly swiping magstripes from customers and selling them to American crooks to use at primitive American point-of-sale terminals. These scams contributed as much as 80 million euro in foreign fraud charges on UK cards in 2011.
But that loophole will close once the US switches over to EMV. The second, bigger, loophole is online fraud. Internet transactions aren’t made any safer by having a chip on your card, and in the UK and elsewhere criminals were able to make up much of what they lost by doubling down on fraudulent web purchases.
But the end is nigh for online credit card fraud, too. Systems like Apple Pay and Visa’s newly announced Visa Token Service accomplish the same security goals as EMV, but also work online. They replace the static credit card number with a temporary token that changes every time. “Initially, Apple Pay’s tokenization will only be for in-app purchases from mobile phones,” says David Robertson, publisher of the respected payments industry newsletter The Nilson Report. “But over time that will broaden.”
Robertson agrees that the simultaneous arrival of EMV and tokenization in the US will trigger a sea change in the underground. “There’s every reason to think that the industry will get ahead of the bad guys again,” he says.
None of this means cybercrime will become unprofitable. Skilled cyber-criminals will still make tons of money in more elaborate scams, like account takeovers and identify theft. But the death of the magstripe will trigger a financial crisis in the unskilled ranks of the computer underground akin to what the mortgage collapse did to Wall Street. And Perry’s historic invention, so brilliant at the time, can relax into its long overdue retirement.

The FBI says disgruntled employees are the new danger

The FBI has warned about the insider security threat
THE UNITED STATES Federal Bureau of Investigation (FBI) has warned businesses to watch out for disgruntled employees with an axe to grind and a basic command of internet services.
In a note on the US Homeland Security website the FBI said that the insider threat is a very real one, presumably because it has cottoned on to the whole Edward Snowden and NSA thing, and employees represent a "significant risk" to networks and proprietary information. In its advice the FBI suggests that firms be on the lookout for people who look glum, have personal email addresses and use things like Dropbox.
"The exploitation of business networks and servers by disgruntled and/or former employees has resulted in several significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorised goods and services using customer accounts, and gain a competitive edge at a new company," the FBI said, recommending that firms look out for poisoned exit strategies.
"The theft of proprietary information in many of these incidents was facilitated through the use of cloud storage web sites, like Dropbox, and personal email accounts. In many cases, terminated employees had continued access to the computer networks through the installation of unauthorised remote desktop protocol software. The installation of this software occurred prior to leaving the company."
Some rascals have left companies only to return and extort them for access to websites and other information, added the note, and the FBI admitted that it spends a fair amount of time looking into such capers and that companies can spend between $5,000 and $3m recovering from them.
The FBI had some recommendations for organisations. First it recommended that companies change network access passwords when someone leaves, and delete that person's credentials from the system. It also said that passwords should not be shared, either by people or systems, and that they should be changed from any defaults.
It didn't say this, but it is also a truism: You should not iron your trousers while you are wearing them.

Hackers thrash Bash Shellshock bug: World races to cover hole

Sysadmins and users have been urged to patch the severe Shellshock vulnerability in Bash on Linux and Unix systems – as hackers ruthlessly exploit the flaw to compromise or crash computers.
But as "millions" of servers, PCs and devices lay vulnerable or are being updated, it's emerged the fix is incomplete.
The flaw affects the GNU Bourne Again Shell – better known as Bash – which is a widely installed command interpreter used by many Linux and Unix operating systems – including Apple's OS X.
It allows miscreants to remotely execute arbitrary code on systems ranging from web servers, routers, servers and Macs to various embedded devices that use Bash, and anything else that uses the flawed open-source shell.
An attacker needs to inject his or her payload of code into the environment variables of a running process – and this is surprisingly easy to do, via Apache CGI scripts, DHCP options, OpenSSH and so on. When that process or its children invoke Bash, the code is picked up and executed.
The Bash flaw – designated CVE-2014-6271 – is being exploited in the wild against web servers, which are the most obvious targets but not by any means the only machines at risk.
Patches released on Wednesday by Linux vendors, the upstream maintainer of Bash, and others for OS X, blocked these early attacks, but it's understood they do not completely protect Bash from code injection via environment variables.
New packages of Bash were rolled out on the same day, but further investigation made it clear that the patched version is still exploitable, and at the very least can be crashed due to a null-pointer exception. The incomplete fix is being tracked as CVE-2014-7169.
Red Hat, at time of writing, is urging people to upgrade to the version of Bash that fixes the first reported security hole, and not wait for the patch that fixes the secondary lingering vulnerability – designated CVE-2014-7169.
"CVE-2014-7169 is a less severe issue and patches for it are being worked on," the Linux maker said.
Meanwhile, although Ubuntu and other Debian-based distros have moved to using the non-vulnerable Dash over Bash, the latter may well be present or in use by user accounts. Above all, check what shell interpreters are installed, who is using them, and patch CVE-2014-6271 immediately.

The above code can be used to drop files onto patched systems and execute them, as explained here. Completely unpatched servers and computers can be exploited to open reverse command shells – a backdoor, basically – or reboot them (or worse) if they connect to a malicious DHCP server.
The main CVE-2014-6271 flaw was discovered by Stephane Chazelas of Akamai before it was responsibly disclosed. A Metasploit module leveraging the bug is already available. A blog post by Metasploit developers Rapid7 explains the grim state of play.

FBI:Apple's iPhone, iPad encryption puts people 'above the law'

FBI Director James Comey has complained that Apple and Google's use of stronger encryption in smartphones and tablets makes it impossible for cops and g-men to collar criminals.
"There will come a day – well it comes every day in this business – when it will matter a great, great deal to the lives of people of all kinds that we be able to with judicial authorization gain access to a kidnapper's or a terrorist or a criminal's device," he apparently told a press conference.
"I just want to make sure we have a good conversation in this country before that day comes. I'd hate to have people look at me and say, 'Well how come you can't save this kid,' 'How come you can't do this thing.'"
Apple has made great play of its tweaked file encryption in iOS 8, which is designed so that Apple doesn't hold people's crypto-keys so it can't be forced to give them up. The device owner's passcode is used to create the encryption and decryption key in the iThing; decrypting the contents of a person's iOS 8 phone or slab is no longer Apple's problem.
Shortly after the change was made public, Google said it too would switch on a similar system by default.
"I am a huge believer in the rule of law, but I am also a believer that no one in this country is above the law," Comey moaned today.
"What concerns me about this is companies marketing something expressly to allow people to place themselves above the law."
Comey said the FBI was in discussions with Apple and Google about their crypto implementations, but didn’t give any details as to what Cupertino and Mountain View's response was. It's clear he's not happy that the Feds can no longer get direct access to the handsets via Apple or Google, although data in iCloud is still up for grabs.
And, on iOS 8, not all data is encrypted on the gadgets, and some information can still be extracted if the g-men really want it, security expert Jonathan Zdziarski says.
But Comey is not the first law enforcement type to complain about Apple's it's-not-our-problem-anymore encryption, and he won’t be the last. The untrammeled access law enforcement has had to such devices in the past has been a major tool for fighting crime Comey argued and said enough was enough.
"I get that the post-Snowden world has started an understandable pendulum swing," he said. "What I'm worried about is, this is an indication to us as a country and as a people that, boy, maybe that pendulum swung too far."
Comey doesn't seem to get that in a "post-Snowden world" a lot of phone buyers actually want to make sure their private conversations and pictures remain private. Firms like Silent Circle have sprung up to meet this demand, and now the major players are getting the message too.
Despite Comey's criticism, it's unlikely Apple or Google is going to bow down to the wishes of government and install backdoors in their own products. This would be disastrous to sales if found out, and there are increasing signs that the tech sector is gearing up for a fight over the issue.

Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'

Security geeks have worked out a formula for determining which of a series of formerly blacklisted domains would be reused in malware attacks.
The method combines the domain name with the generic Top Level Domain, IP address alterations and the cost of a domain transfer.
Under the right conditions, the researchers sway, the domains net villains plan to use could be blocked or otherwise used to in the service of good instead of evil.
Palo Alto researchers Wei Xu, Yanxin Zhang and Kyle Sanders presented the paper We know it before you do: predicting malicious domains [pdf] at this week's Virus Bulletin conference.
Much effort has been put into building reputation-based malicious domain blacklists, however in order to evade detection and blocking by such systems, "many malicious domains are now only used for a very short period of time" they write.
"In other words, a malicious domain has already served most of its purpose by the time its content is detected and the domain is blocked.
"... we propose a system for predicting the domains that are most likely to be used (or are about to be used) as malicious domains. Our approach leverages the knowledge of the life cycle of malicious domains, as well as the observation of resource re-use across different attacks."

Life cycle of a malicious domain

The trio observed attackers reused valuable resources in setting up malicious domains and built in to their formula knowledge of the malicious domain life cycle. They designed systems to leverage Domain Generation Algorithms (DGAs) which could automatically predict future malicious domain names, and found temporal patterns in DNS queries of the malicious domains before their use.
Shared hosting IP addresses, DNS resolution infrastructure and shared domain registration information allowed domains to be identified that have not yet but would very likely be used in future attacks.
Malware flingers were increasingly taking advantage of resources geared to reuse given the economic benefits, which fell right into the hands of researchers.
"The reuse of resources across different attacks also presents opportunities for us to find connections between malicious domains," they said. "Using our knowledge of these connections, we can identify domains that are setting up to be used for malicious purposes."
They said the technique could predict and prevent malicious domains which could become stronger with future work.
The work did not consider benign domains that were hacked to host attacks, and focused crosshairs on bulletproof hosts.