Symantec tricked into revoking SSL certs with fake keys

Hanno Böck. Journo tests legitimacy processes.

A bogus private digital key was sufficient to fool security vendor Symantec into revoking a transport layer security (TLS) certificate for a domain, a researcher has discovered.

German freelance infosec journalist Hanno Böck set out to test if certificate authorities like Comodo and Symantec have rigorous processes in place to check the legitimacy of private keys for digital certificates.

Certificate authorities are expected to revoke TLS credentials if the private keys have been compromised; Böck said certificate issuers should cryptographically check that the private key in question belongs to the purported TLS credential.

Böck registered two test domains with his identity hidden, and obtained TLS certificates via Symantec’s RapidSSL brand as well as Comodo.

He then created fake private keys for both domains, uploaded them to the Pastebin website, and reported to Comodo and Symantec that the keys had been compromised.

Where Comodo spotted that the key for the domain certificate was fake, Symantec accepted the one in Böck’s report and revoked the certificate.

“No harm was done here, because the certificate was only issued for my own test domain. But I could’ve also faked private keys of other peoples’ certificates,” he wrote.

“Very likely Symantec would have revoked them as well, causing downtimes for those sites. I even could’ve easily created a fake key belonging to Symantec’s own certificates.”

He also noted that Symantec didn’t tell the domain owner the certificate was revoked because of a key compromise, potentially leaving administrators unable to figure out why the credential had been pulled.

Böck said there was no excuse for Symantec’s approach.

“It indicates that they

View the Original article

Microsoft rolls out cloud-based fuzzing tool

“Project Springfield” comes alive.

Microsoft has released a software bug finding tool that the company says will help developers identify flaws and vulnerabilities before software under development is released.

Code-named “Project Springfield”, the tool was announced as a preview in September last year.

It performs what is known as fuzzing, which involves entering large amounts of random data into a software system to see if this causes unexpected behaviour or crashes that can be exploited for attacks.

Microsoft said companies would usually hire security experts to conduct fuzz testing, if they did it all.

“As the sheer volume of software that companies create and use has increased, it’s gotten harder to keep up with the dizzying pace of testing so much software – but more important than ever to keep systems safe from attackers,” the company said.

Microsoft’s Security Risk Detection (MSRD) tool uses artificial intelligence to automate the reasoning process that security experts use to find bugs, and augments this with cloud-based scaling.

MSRD lets developers test their software in a virtual machine, along with a program that runs through different fuzzing scenarios, to find potential bugs. Results are accessible via a web-based portal.

The new tool has its origin in Microsoft’s Scalable, Automated, Guided Execution (SAGE pdf) whitebox fuzzer, which the company has used since the mid-2000s to test several products including Windows 7 prior to release.

A preview of MSRD for Linux is also available for coders who program across multiple platforms.

View the Original article

Sweden exposed sensitive data on citizens, military personnel

Sent unredacted drivers licence database to marketers.

Swedish authorities are battling to contain a major privacy breach that has seen sensitive information on its citizens and the country’s military leaked to companies and individuals outside the Nordic nation.

In 2015 the Swedish Transport Authority hired IBM to move the country’s drivers licence register to the cloud. IBM in turn used subcontractors in the Czech Republic and Romania.

These contractors were given access to the full dataset from the Transport Authority, which included information like photographs and home addresses on Swedish Air Force and special forces personnel.

The overseas contractors did not have security clearance to view such sensitive information, which also included road and bridge weight capacities and whether a vehicle is armoured, Sweden’s national TV broadcaster SvT reported.

People in witness protection programs were also included in the drivers licence data.

Rather than making available a redacted version of the database, the Swedish Transport Authority instead sent out clear text emails to the companies asking them to manually delete the sensitive information they held.

The email messages listed the full details of the individuals the government agency wanted removed.

While the data breach took place in March last year when the unredacted information was made available, the scandal has only now come into the public eye.

Sweden’s government knew about the data breach last year but kept quiet about it, according to SvT.

The general-director of the Swedish Transport Authority, Maria Ågren, resigned from her position in January this year.

Her resignation was originally attributed to differences with the government, but in July this year, Ågren was fined SEK 70,000 (A$10,740) for leaking classified information and harming national security.

Speaking to Swedish media, the newly appointed general-director of the country’s Transport Authority, Jonas Bjelfvenstam, said the government agency has embarked on a set of measures to improve its IT security, but cannot guarantee that foreigners without security clearance won’t have access to the sensitive data in the drivers licence database.

View the Original article

G Suite customers leak internal data via Groups

Tick a box configuration mistake.

A simple configuration mistake has seen hundreds of companies using Google’s G Suite productivity platform publish internal information to the internet, researchers have found.

G Suite provides the Google Groups sharing and messaging service, which was originally designed as a gateway to Usenet newsgroups.

In an advisory

View the Original article

Kaspersky offers free anti-virus software

Looks for security data to power its machine learning.

Kaspersky is rolling out a free version of its anti-virus software across the globe, a product launch that comes amid mounting suspicion in the United States that the firm is vulnerable to Russian government influence.

Kaspersky Free was immediately available in the United States, Canada, and several Asia Pacific countries and would launch in other regions in the coming months, Eugene Kaspersky, the company founder, wrote in a blog post.

Kaspersky said the free version was not intended to replace the paid versions of its anti-virus software, describing it as offering “the bare essentials,” such as email and web anti-virus protection and automatic updates.

But the free software would benefit all of Kaspersky Lab’s customers by improving machine learning across its products, he said.

The company has been working on Kaspersky Free for 18 months, a development phase that included pilot versions in several markets including Russia, Ukraine, China and Scandinavian countries.

Founded in 1997, Kaspersky Lab grew rapidly through the 2000s to become one of the world’s leading anti-virus software companies. 

But the company has faced suspicion for years about its ties to Russia’s Federal Security Service or FSB.

Concerns about the company have metastasised in the United States in recent years due to the deterioration in US-Russia relations following Russia’s invasion of Crimea in 2014 and later when US intelligence agencies concluded that Russia had hacked the 2016 US presidential election.

Moscow denies the hacking allegations, and Kaspersky has repeatedly denied it has any untoward relationship with any government, saying the accusations against it lack evidence.

Last month FBI agents visited the homes of Kaspersky employees as part of a counterintelligence probe, and the Trump administration took steps to remove the company from a list of approved vendors who sell technology products to federal government agencies.

There is also a bill in US congress that would explicitly prohibit the US Department of Defense from using Kaspersky products.

Privately held Kaspersky said its US revenue, most of which comes from selling anti-virus software to consumers and small businesses, slipped from US$164 million in 2014 to about US$156 million in 2016.

View the Original article

Qld ex-cop charged with 44 counts of database snooping

Latest in a long line.

The Queensland Crime and Corruption Commission has charged a former police officer with accessing information in the force’s core crimes database 44 times over six years without authorisation.

The ex-cop joins a long list of Queensland police officers to have been charged with snooping into the QPRIME system over the last year.

The CCC yesterday served a notice to appear in court on a 60-year-old former male sergeant for unauthorised use of the database.

The commission also alleges that the former sergeant handed over information from the database searches to another man. This 72-year-old has also been served a notice to appear in court.

Both have been charged with 44 counts of misconduct throughout 2010 to 2016, and will appear in court on July 18.

The CCC said it had notified the QPS ethical standards command about the charges against the former officer.

The commission has been on a crusade to stamp out unauthorised use of QPRIME within the state’s police force.

Just two weeks ago it charged a 31-year-old Brisbane police officer with using the database to conduct personal checks.

Three months ago another Brisbane police officer, a 43-year-old male detective, was hit with the same charges, and last May an officer was convicted of using QPRIME to look up people he met through a phone dating line.

Three other officers were charged with database misuse in the same year.

The fining of sergeant Steven Patrick Wright for accessing information on netballer Laura Geitz, as well as his family and friends, prompted the CCC to last month warn the public service not to use government databases to “peek” at citizens’ personal information.

View the Original article

Petya designed to destroy, not ransom users

Ransomware guise might have been a ruse.

The Petya/GoldenEye malware that wreaked havoc on Windows computers worldwide this week was most likely designed to destroy rather than ransom victims’ files, according to security researchers.

Comae Technologies founder Matt Suiche believes the Petya variant used in Ukraine is a disk wiper that overwrites the first 25 sector blocks of target systems’ hard disks. 

Disk wipers such as the Shamoon malware have been used in sabotage operations against Saudi oil companies, with Iran widely assumed to be the culprit.

Suiche compared the original Petya version with the current strain of malware, noting it doesn’t attempt to save the hard disk sector blocks so they can be decrypted after ransom has been paid, and an unscrambling key received.

“2016 Petya modifies the disk in a way where it can actually revert its changes. Whereas 2017 Petya does permanent and irreversible damages to the disk,” Suiche said.

Suiche’s analysis is backed up by security vendor Kaspersky, which also labelled the current version of Petya a data wiper pretending to be ransomware.

Kaspersky dug into the Petya decryption routine and found that the installation identifier required for key recovery is essentially random data.

This means it is not possible to extract decryption information from the installation identifier.

Victims of Petya will not be able to unscramble their data even if they pay ransom, Kaspersky said.

Security researcher The Grugq earlier noted that the function to receive ransom payments in Petya is “extremely poor”.

This was simply an email address that the service provider disabled within hours of the Petya attacks starting, further pointing to the malware being designed to destroy data rather than extort money, he said.

Suiche speculated that the ransomware function was designed to take attention away from the real, destructive purpose of Petya.

“We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon,” Suiche said.

View the Original article

Some WA agencies still floored by simple infosec

Poor passwords, patching, and plain text.

Several Western Australian agencies have been caught out by a review that uncovered easily-guessable passwords, unpatched systems, and unencrypted data stored on tape back-ups.

The state’s auditor-general Colin Murphy declared he was frustrated at reporting “the same common weaknesses year after year”, many of which he said could be “easily addressed” at little cost.

Murphy found common weaknesses in password security: specifically passwords that could be too-easily guessed, were a single character in length, were the default password set by the manufacturer, or were stored in plain text in documented IT policies.

He said that in one instance last year, he used the credential ‘password’ to log into a system containing “thousands of sensitive documents”. The password still worked this year, but the documents had been removed.

The Department of Racing, Gaming and Liquor had simple passwords protecting the databases underpinning its Navigate system, used to apply for and manage licenses and permits.

“We identified high privilege (sys and system) database accounts with very easy to guess passwords. Examples include passwords such as ‘abcd’ and passwords only one character in length,” the auditor reported.

The department accepted that it needed to change.

The Chemistry Centre – a government lab services operator – also suffered from password problems.

“The password policy, last reviewed in 2010, allows users to set simple passwords such as ‘password’ or ‘12345678’,” the auditor said.

“In addition, the policy does not require stronger passwords for highly privileged network, database and application accounts.

“As a result, we were easily able to guess passwords for the database system administrator account and for accounts within ForLIMS”, a system used to manage and report forensic science and medicine cases.

The auditor said in another case, default credentials for “network switches, routers and remote management systems” had not been reset. As a result, the auditor was able to “log on to a remote system with full administrative privileges. This system was used for server hardware maintenance”.

In addition to bad password management, many agencies ran systems that were well behind on their patch management.

In some cases, patching was left to contractors or managed by software that had been poorly configured or otherwise was not working as intended. That left many systems and agencies exposed to – in at least one case – hundreds of publicly-circulating exploits.

There also appeared to be common issues in the way data was shipped outside of the agency, either via the public internet or on tape drives being handled by third parties.

WA Police, for example, was found to share traffic infringement data electronically “in an insecure manner” with a third party that printed and mailed out fines. It is now investing in more secure file transfer technology.

The same data was backed up in an unencrypted state to tape that was picked up by a third party for transport to an offsite storage facility.

The Department of Racing, Gaming and Liquor stored unprotected credit card data on its tape back-ups in violation of PCI standards. Its back-up tapes, handled by a third party operator, also weren’t encrypted.

The Chemistry Centre’s tape back-ups were also unencrypted. The auditor said all three could face problems should tapes be mislaid or stolen.

The auditor said that over the past nine years, about 60 percent of the state’s agencies have not lived up to the auditor’s standards for information security.

View the Original article

Petya attack ‘likely cover’ for malware installation in Ukraine

Disguise for unknown motive.

The primary target of a crippling virus that spread from Ukraine across the world this week is highly likely to have been that country’s computer infrastructure, a top Ukrainian police official said.

Cyber security firms are trying to piece together who was behind the ransomware, dubbed NotPetya by some experts, which has paralysed thousands of machines worldwide, shutting down ports, factories and offices as it spread through internal organisational networks to an estimated 60 countries.

Ukrainian politicians were quick to blame Russia, but a Kremlin spokesman dismissed “unfounded blanket accusations”. Kiev has accused Moscow of two previous cyber strikes on the Ukrainian power grid and other attacks since Russia annexed Crimea in 2014.

A growing consensus among security researchers, armed with technical evidence, suggests the main purpose of the attack was to install new malware on computers at government and commercial organisations in Ukraine. Rather than extortion, the goal may be to plant the seeds of future sabotage, experts said.

International firms appear to have been hit through their operations in the country.

Slovakian security software firm ESET released statistics today showing 75 percent of the infections detected among its global customer base were in Ukraine, and that all of the top 10 countries hit were located in central, eastern or southern Europe.

Arne Schoenbohm, president of BSI, Germany’s federal cyber security agency, said most of the damage from the attack had hit Ukraine, and Russia to a lesser extent, with only a few dozen German firms affected.

“In all of the known cases, the companies were first infected through a Ukrainian subsidiary,” the German official said.

Smokescreen

Ukraine’s cyber police said it had received 1500 requests for help from individuals and companies in connection with the virus.

The malware ncrypted data on computers and demanded victims pay a US$300 ransom, similar to the extortion tactic used in a global WannaCry ransomware attack in May.

A top Ukrainian police official said the extortion demands were likely a smokescreen, echoing working hypotheses from top cyber security firms, who consider NotPetya a “wiper”, or tool for destroying data and wiping hard disks clean, that is disguised as ransomware.

“Since the virus was modified to encrypt all data and make decryption impossible, the likelihood of it being done to install new malware is high,” the official, who declined to be identified, said.

Information Systems Security Partners (ISSP), a Kiev-based cyber research firm that has investigated previous cyber attacks against Ukraine, is pursuing the same line of inquiry.

ISSP said that given that few people actually paid the US$300 demanded for removing the virus, money was unlikely to be the primary object of the attack.

“It’s highly likely that during this attack new attacks were set up,” said ISSP chairman Oleg Derevianko.

“At almost all organisations whose network domains were infected, not all computers went offline. Why didn’t they all go offline? We are trying to understand what they might have left on those machines that weren’t hit.”

Ukraine’s National Security and Defence Council secretary Oleksandr Turchynov said the virus was first and foremost spread through an update issued byaccounting services and business management software provider MeDoc.

“Also involved was the hosting service of an internet provider, which the SBU (Ukraine’s state security service) has already questioned about cooperation with Russian intelligence agencies,” he said..

Destructive intent

Technical experts familiar with the recent history of the cyber escalation between Russia and Ukraine, say these latest attacks are part of the wider political and military conflict, although no “smoking gun” has been found to identify the culprits.

John Hultquist, a cyber intelligence analyst with FireEye, said the failed ransomware attack disguises an as yet unseen destructive motive.

“If it were an attack masquerading as crime, that would not be unprecedented at all,” Hultquist said.

Some cyber security researchers have said the fact that the Kremlin’s two flagship energy companies are victims of the attack could suggest Moscow was not behind it.

Russian oil major Rosneft was one of the first companies to reveal it had been compromised by the virus and sources said computers at state gas giant Gazprom had also been infected.

For technical reasons, NotPetya appears to be more targeted than last month’s global ransomware attack, known as WannaCry. When first infected by WannaCry, computers scanned the internet globally for other vulnerable machines.

By contrast, NotPetya does not randomly scan the internet to find new computers to infect. It only spreads itself inside organisational networks, taking advantage of a variety of legitimate network administration tools.

This makes it far harder for anti-virus software or network security technicians to detect. It also gives it the capacity to infect other Windows computers, even those with the latest security patches, several security firms warned.

“Petya is proving to be more sophisticated than WannaCry in terms of scope, ability to be neutralised, and apparently, the motivation behind its launch,” corporate security consulting firm Kroll has advised its clients.

So far, NotPetya appears only to have been distributed inside Ukraine via a handful of so-called “watering-hole attacks” – by piggy-backing on the software updating feature of a popular national tax accounting program known as MeDoc.

Kaspersky also said it found a second distribution point on a local news site in the city of Bakhmut, Ukraine, which infected visitors who clicked on the site with the ransomware-like attack.

“Our analysis indicates the main purpose of the attack was not financial gain, but widespread destruction,” said Costin Raiu, Kaspersky’s global head of research.

“NotPetya ..combined elements of a targeted watering hole attack we’ve traditionally seen used by nation states with traditional software exploitation to devastate a specific user base,” Lesley Carhart, a Chicago-based security researcher, wrote in a blog.

View the Original article

Microsoft trials anti-ransomware feature in Windows 10

EMET Exploit Protection arrives in preview build.

Windows 10 users who have signed up to the bleeding edge ‘fast ring’ updates of the operating system will be able to try out new features to protect against ransomware.

With the Windows 10 Insider build 16232, Microsoft’s Windows Defender Antivirus lets users designate specific folders or directories on their computers and block applications’ access to them.

Called Controlled Folder Access, the feature is specifically designed to thwart ransomware attempting to encrypt or otherwise tamper with user files, Microsoft said.

The feature spans the Windows 10 system directories Documents, Pictures, Movies and Desktop by default when switched on.

While users cannot change the default folder inclusion list above, they can add other directories like network shares.

Users can decide which apps are allowed to make changes to files stored in the protected folders; if an app blacklisted by Controlled Folder Access attempts to alter files, users will be notified.

Microsoft has also tweaked the Windows Defender Application Guard (WDAG) in build 16232.

It is now possible to persist data such as cookies, bookmarks and saved passwords across multiple sessions when running the Microsoft Edge web browser in a WDAG virtual machine, isolated from the rest of the operating system, to prevent remotely delivered attacks.

The company’s Enhanced Exploit Mitigation Toolkit (EMET) security add-on is included in build 16232. t The tool was set to be sunset this year, but Microsoft brought it back after customer feedback.

EMET tries to prevent software bugs and unexpected use of system features from being exploited by new and unknown malware.

Microsoft has yet to fully document the EMET Exploit Protection feature in the latest Windows 10 Insider build.

The new security features are expected to appear in next major release for Windows 10, which Microsoft calls the Fall (northern Autumn) Creators Update.

View the Original article