On April 12th, 2016 Microsoft and the Samba project announced patches and updates for the so-called Badlock vulnerability. One month prior to this release a German company called SerNet announced that a serious and significant bug had been discovered in Windows file sharing services (SMB/CIFS). Information about the discovery was vague, leaving most to speculate about the issue from the little information available. A website and logo were created to generate hype around the issue.
On the 12th, Microsoft rated the vulnerability as only “Important” while simultaneously releasing six other updates rated as “Critical”. Clearly, the Badlock issue was not as bad or world-ending as the hype, or as other “named” issues in the past, suggested. SerNet indicated in an interview that interest in their business has increased due to the media attention and controversy. The clues in the announcement and the length of time between announcement and release gave researchers and attackers plenty of opportunity to discover the underlying issue and possibly exploit it before updates were available. Do named vulnerabilities help or hurt the industry?
Preston and Keith discuss Badlock and its hype in this episode. They talk about the nature of the vulnerability industry and whether named vulnerabilities help or hurt. Should researchers continue to use the named vulnerability approach to announce issues they discover? They also spend a little time talking about Apple v. FBI. Is there a security issue with modern Apple iPhone hardware and software that the FBI (and others) can use to access our private data?
Windows 10 was a free upgrade available for users in July. But free in price does not mean free in terms of privacy. Much like free online services, the price you pay is in your privacy. Microsoft has developed features in Windows 10 that are intended to rival and surpass features provided by Google and Apple in their products. Microsoft appears to be monetizing the desktop in similar ways to their competitors. With features like Cortana, embedded web search, WiFi password sharing, advertising IDs, and others, users have a right to be concerned.
Preston and Keith talk about the controversial features in Windows 10 related to privacy. We focus on concerns over features that capture user information to provide unique services. We also talk about how these features can be configured and/or disabled. The links below provide additional details on the configuration steps and some of the risks.
We’ve talked about the Internet of Things before, that is, devices that you use every day being connected to the Internet. This can include things like the thermostat, fridge, and even your car. In this episode, we talk about the remote hacking of a Jeep Cherokee that was used to take control of the vehicle. This has both safety and privacy implications. Should our cars be connected to the Internet? Are automakers dropping the ball and having their buyers pay the price? What can you do to protect yourself? Listen and find out.
Commercial VPN service providers promise security, privacy, and even anonymity. However, these claims are often unproven. A recent paper in the Proceedings on Privacy Enhancing Technologies 2015 shows that commercial VPN services have some security and privacy issues. Of particular concern are support for flawed protocols such as PPTP, IPv6 leakage, and DNS hijacking. The paper reviewed fourteen services and described some of the issues uncovered in the research. The result of this work may lead to better awareness of the issues and a push to correct the problems. There is also a large number of providers in the market at the moment. The nature of the competition in this market may lead to quick changes and better marketing efforts around these services.
In this episode, Preston Wiley and Keith Watson review some of the highlights of this paper and discuss the challenges in commercial VPN services.
Two issues affect Diffie-Hellman key exchange, which is used in many cryptographic systems, including SSL, TLS, SSH, and IPsec. The Logjam attack can downgrade the key exchange to use export-grade keys. The second issue is related to the fact that many servers use the same prime number for Diffie-Hellman key exchange. Using the number field sieve algorithm, which is used to attack Diffie-Hellman, the work done against that shared prime can be reused to attack subsequent connections.
In this episode, Josh, Preston, and Keith discuss the Diffie-Hellman issues.
On March 16th, GreatFire.org was in the sights of a distributed denial of service (DDoS) attack from thousands of web browsers. Later, on March 26, GitHub.com was targeted by the same DDoS attack platform for hosting code from GreatFire.org. The source of these attacks appears to be the Chinese government.
While the Chinese government has not admitted its role in the Great Cannon and its first targets, there is fairly convincing evidence that China is the source and that censorship was the purpose. CitizenLab, a University of Toronto research group, provided analysis of the Great Cannon and outlined its relation to the Great Firewall. The attacks were not obfuscated and it was easy for the researchers to identify the source and its operations.
Preston Wiley and Keith Watson take a look at the Great Cannon.
The past comes back to haunt us! Decades ago the US Government required weak cryptography for export outside of the US. Software that used SSL included cryptographic cipher suites with shorter key lengths. This allowed the National Security Agency (NSA) to decrypt the communications of foreign nationals that used US-originated software when needed. Eventually, the requirement for weak cryptographic cipher suites went away and stronger cipher suites became the norm. While the need for weak cipher suites went away, the suites themselves did not. Most software and SSL libraries kept the weaker cipher suites for backwards compatibility, even if they were disabled by default.
The FREAK attack (Factoring RSA Export Keys) uses a man-in-the-middle attack to exploit a vulnerability in the cipher suite negotiation in SSL. This attack can trick a web browser into using a weak export-grade key. While the communications are still encrypted, the effort and cost to decrypt them is significantly reduced with modern, distributed hardware.
In this episode, Preston Wiley and Keith Watson discuss the issues associated with the FREAK attack.
Kaspersky Lab released a report on a group that they call the “Equation Group”. This group is responsible for a variety of sophisticated malware platforms that use 0-day exploits and advanced techniques for storing and exfiltrating data. Kaspersky identified multiple platforms and multiple versions of each platform, indicating a long history of development and deployment.
Kaspersky Lab described the specific details of multiple malware platforms. DOUBLEFANTASY, EQUATIONDRUG, GRAYFISH, and FANNY are the names assigned to these platforms. DOUBLEFANTASY provides the initial infection and determines if the system is “interesting”. If it is, another, more persistent malware platform, such as EQUATIONDRUG or GRAYFISH, is loaded to provide more espionage capabilities. FANNY is specifically designed to exfiltrate information from air-gapped networks.
The most interesting and sophisticated technique that the group uses is overwriting hard drive firmware. Clearly, the group either had access to the firmware code or has advanced capabilities to reverse engineer it in order to learn how to exploit it. By modifying the drive firmware, the malware cannot be easily removed even after the hard drive is formatted and the OS reinstalled. The drive firmware can determine that the OS is no longer infected and then re-infect it, establishing persistence for the malware.
Preston, Josh, and Keith explore the Equation Group in this episode.