Not So BadLock – Episode 33

Broken Lock, CC-BY 2.0 Licensed Image by Chad Cooper on Flickr
Broken Lock, CC-BY 2.0 Licensed Image by Chad Cooper on Flickr

On April 12th, 2016 Microsoft and the SAMBA project announced patches and updates for the so-called Badlock vulnerability. One month prior to this release a German company called SerNet announced that a serious and significant bug had been discovered with Windows file sharing services (SMB/CIFS). Information about the discovery was vague, leaving most to speculate as to the issue based on little information. A website and logo for the issue were created to generate hype around the issue.

On the 12th, Microsoft rated the vulnerability as only “Important” while simultaneously releasing six other updates rated as “Critical”. Clearly, the hype around the Badlock issue was not as bad or world-ending as other “named” issues in the past. The SerNet company indicated in an interview that interest in their business has increased due to the media and controversy. The clues from the announcement and the length of time between announcement and release gave researchers and attackers plenty of opportunity to discover the underlying issue and possibly exploit the issues before updates were available. Do named vulnerabilities help or hurt the industry?

Preston and Keith discuss Badlock and its hype in this episode. They talk about the nature of the vulnerability industry and whether named vulnerabilities help or hurt. Should researchers continue to use the named vulnerability approach to announce issues they discover? They also spend a little time talking about Apple v. FBI. Is there a security issue with modern Apple iPhone hardware and software that the FBI (and others) can use to access our private data?

Badlock Links

 

Windows 10 Privacy Concerns – Episode 32

Something Happened, CC-BY-SA 2.0 Licensed Image by Roger Green on Flickr

Windows 10 was a free upgrade available for users in July. But free in price does not mean free in terms of privacy. Much like free online services, the price you pay is in your privacy. Microsoft  has developed features in Windows 10 that are intended to rival and surpass features provided by Google and Apple in their products. Microsoft appears to be monetizing the desktop in similar ways to their competitors. With features like Cortana, embedded web search, WiFi password sharing, advertising IDs, and others, users have a right to be concerned.

Preston and Keith talk about the controversial features in Windows 10 related to privacy. We focus on concerns over features that capture user information to provide unique services. We also talk about how these features can be configured and/or disabled. The links below provide additional details on the configuration steps and some of the risks.

Windows 10 Privacy Links

Automotive Hacking – Episode 31

We’ve talked about the Internet of Things before, that is devices that you use everyday being connected to the Internet. This can include things like the thermostat, fridge, and even your car. In this episode,jeep we talk about the remote hacking of a Jeep Cherokee that was used to take control of the vehicle. This has both safety and privacy implications. Should our cars be connected to the Internet? Are automakers dropping the ball and having their buyers pay the price? What can you do to protect yourself? Listen and find out.

Links:

Commercial VPN Insecurity – Episode 30

The Pipe, CC-BY-NC 2.0 Licensed Image by Ville Miettinen (wili on Flickr)

Commercial VPN service providers promise security, privacy, and even anonymity. However, these claims are often unproven. A recent paper in the Proceedings on Privacy Enhancing Technologies 2015, shows that commercial VPN services have some security and privacy issues. Of concern is the support for flawed protocols such as PPTP, IPv6 Leakage, and DNS Hijacking. The paper reviewed fourteen services and described some of the issues uncovered in the research. The result of this work may lead to better awareness of the issues and a push to correct the problems. There are also a high number of providers in the market at the moment. The nature of the competition in this market may lead to quick changes and better marketing efforts around these services.

In this episode, Preston Wiley and Keith Watson review some of the highlights of this paper and discuss the challenges in commercial VPN services.

Commercial VPN Security Links

The Logjam Attack! – Episode 29

The Weakest Link, CC-BY-NC 2.0 photo by Darwin Bell (darwinbell on flickr)
The Weakest Link, CC-BY-NC 2.0 Licensed Image by Darwin Bell (darwinbell on flickr)

Two issues affect Diffie-Hellman key exchange. It is used in many cryptographic systems, including SSL, TLS, SSH, and IPsec. The Logjam attack can downgrade the key exchange to use export-grade keys. The second issue is related to the fact that many servers use the same prime number for Diffie-Hellman key exchange. Using the number field sieve algorithm, which is used to attack Diffie Hellman, this prime is used to attack subsequent connections.

In this episode, Josh, Preston, and Keith discuss the Diffie-Hellman issues.

Weak DH Links

Blasted by the Great Cannon – Episode 28

The Great Cannon and Firewall of China (image courtesy of citizenlab.org)

On March 16th, GreatFire.org was in the sights of a distributed denial of service (DDoS) attack from thousands of web browsers. Later on March 26, Github.com was targeted by the same DDoS attack platform for hosting code from GreatFire.org. The source of these attacks appears to be the Chinese government.

The attack platform used innocent web browsers loading data from a popular Chinese e-commerce site. As users’ web browsers loaded data from the Baidu advertising network, the Great Cannon would inject Javascript code in the response. The injected Javascript code was malicious and generated connections to the targeted domains under attack. As more browsers received injected Javascript, the attack traffic grew. The distributed nature of this type of attack was difficult to filter and the targets were unavailable to legitimate users.

While the Chinese government has not admitted its role in the Great Cannon and its first targets, there is fairly convincing evidence that China is the source and that censorship was the purpose. CitizenLab, a University of Toronto research group, provided analysis of the Great Cannon and outlined its relation to the Great Firewall. The attacks were not obfuscated and it was easy for the researchers to identify the source and its operations.

Preston Wiley and Keith Watson take a look at the Great Cannon.

Great Cannon Links

Look out! It’s a FREAK Attack! – Episode 27

FREAKing broken locks,  (CC BY-NC-ND 2.0 licensed image by Michael Rosenstein, Flickr user michaelcr)
FREAKing broken locks, (CC BY-NC-ND 2.0 licensed image by Michael Rosenstein, Flickr user michaelcr)

The past comes back to haunt us! Decades ago the US Government required weak cryptography for export outside of the US. Software that used SSL included cryptographic cipher suites with lower key lengths. This allowed the National Security Agency (NSA) to decrypt the communications of foreign nationals that used US-originated software when needed. Eventually, the requirement for weak cryptographic cipher suites went away and stronger cipher suites became the norm. While the need for weak cipher suites went away, the suites themselves did not. Most software and SSL libraries included the weaker cipher suites for backwards compatibility, even though they are disabled.

The FREAK attack (Factoring RSA Export Keys) uses a man-in-the middle attack to exploit a vulnerability in the cipher suite negotiation in SSL. This attack can trick a web browser into using a weak export-level key. While the communications are encrypted, the level of effort and costs to decrypt the communications is significantly reduced given modern, distributed hardware.

In this episode, Preston Wiley and Keith Watson discuss the issues associated with the FREAK attack.

FREAK Attack Links

The Equation Group – Episode 26

Death Star from the Equation Group report
Death Star from the Equation Group report

Kaspersky Lab released a report on a group that they call the “Equation Group”. This group is responsible for a variety of sophisticated malware platforms that use 0-day exploits and advanced techniques for storing and exfiltrating data. Kaspersky identified multiple platforms and multiple versions of each platform, indicating a long history of development and deployment.

Kaspersky Lab described the specific details on multiple malware platforms. DOUBLEFANTASY, EQUATIONDRUG, GRAYFISH, and FANNY are the names assigned to platforms. DOUBLEFANTASY provides the initial infection and determines if the system is “interesting”. If it is, another more persistent malware platform, such as EQUATIONDRUG or GRAYFISH, is loaded to provide more espionage capabilities. FANNY is specifically designed to exfiltrate information from air-gapped networks.

The most interesting and sophisticated technique that the group uses is overwriting hard drive firmware. Clearly, the group had access to the firmware code or has advanced capabilities to reverse engineer it in order to learn how to exploit it. By modifying the drive firmware, the malware cannot be easily removed even after the hard drive is formatted and the OS reinstalled. The drive firmware can determine that the OS is not infected and then re-infect it, establishing persistence for the malware.

Preston, Josh, and Keith explore the Equation Group in this episode.

 

Equation Group Links

Privacy of Anonymous Data and other Data “sharing” – Episode 25

Preston Wiley and Keith Watson are at it again, discussing privacy issues so that you can stay safe.

  1. A study out of MIT hints at how easily “anonymous” data can be linked back to the person it belongs to. Should we continue sending it to companies?
  2. The DEA is collecting millions of license plate scans and locations and sharing them with any law enforcement agency that desires access.
  3. Police are complaining about having their own locations shared in Google’s Waze App. Are there concerns justified?

SSL, Bitcoin, and Stingrays, Oh my! – Episode 24

Preston Wiley and Keith Watson go over three articles to your viewing pleasure.

  1. Gogo, an in-flight WiFi service, is caught serving fake SSL certificates for common websites. They claim it is the prevent abuse of the WiFi, but what about your privacy?
  2. Hackers steal $5 million worth of Bitcoins from Bitstamp and a Canadian exchange decides to shut its door. Are we seeing the fall of the bitcoin?
  3. The FBI claims that they don’t need search warrants to use the “stingray” a decoy cell tower that can collect location and identity data from cell phone.