Internet threat news

The massive DDOS attack on the Akamai CDN (content distribution network) that last year took down Netflix, Amazon, and others because of compromised IP cameras that were using a default password shined the spotlight on IoT security. In particular, there is the concern about attacks on heavy industrial machinery, valves, gas pipelines, turbines, electric grids, etc. and other equipment. Many if not most of these use the ModBus protocol to communicate between PLC and SCADA devices, which control this equipment. ModBus has no authentic at all and transmits its data in clear text.

Most industrial machines do not have a public IP address. Ethernet does not even work throughout all of the plant as part of the industrial network is serial and other protocols that a hacker could not attack using tools written for Linux or Windows.

But there are many devices exposed to the internet. Here is via a Shodan query a list of wind turbines on the internet, for example. And here are devices that have “ics” somewhere in their name.

The most famous of all industrial ICS hacking was the Stuxnet worm launched by the USA and Israel against Iran’s nuclear fuel enrichment program. By hacking PLC controllers the spies were able to cause expensive centrifuges used to separate fuel to rotate at such high speed that they broke.

As we have said before, it seems hardly a week goes by without an announcement of another security weakness found in Adobe Flash. This week we discuss two.

HTML5 was supposed to replace Adobe Flash. The goal was to have a standard that browser designers could use to process video without having to rely on 3rd-party software for that. But for different reasons, most sites still use Flash. Steve Jobs at Apple famously wrote in 2010 that he would not allow Flash onto the iPhone or iPad. He later backtracked, in part because of the threat of anti-competitive litigation. Plus website owners whose videos would no longer work complained in large numbers.

The Flash Player is built into most browsers. For example in Google Chrome you can type chrome://plugins/ and you will see something like:

Adobe Flash Player - Version: 24.0.0.194
Shockwave Flash 24.0 r0

The two new exploits are CVE-2016-4117 Flash Zero-Day Exploited in the Wild and CVE-2016-1019 A New Flash Exploit Included in Magnitude Exploit Kit, reports FireEye. Those vulnerabilities are in version 21.0.0.216 and and 21.0.0.197 and older. They have been fixed by Adobe.

Adobe thanked the security researcher @kafeine for finding the second one. It is related to some of the hacking techniques leaked to WikiPedia by The Italian Team, author of million dollar exploits sold to governments and others.

Metasploit is a tool that white hat hackers use to do penetration testing. No doubt criminals use it too.

What Metasploit does is take exploits gathered by thousands of contributors and package them into scripts and a command line and web interface so that security admins and analysts can test if any of the computers on their network are subject to any known vulnerabilities. If they are then they need to be patched against that vulnerability.

The product is open-sourced, Metasploit says, but you still have to pay for it. You can download the Community Edition and use that free for 1 year. The Professional version is free for 14 days.  Both are open-sourced in that anyone can write code that exploits a vulnerability and then contribute that to Metasploit.

To get you started with learning this tool, Metasploit provides a virtual machine called Metasploitable that you can run with VMWare or VirtualBox. This is an Ubuntu VM that has been deliberately loaded up with security flaws, such as out-dated versions of software and misconfigured software and using default passwords that Metasploit can guess.

You download and install Metasploit. Then it sets up a web interface. But that is mainly useful for scanning hosts. It’s easier to run exploits from the command line. On Ubuntu, that is /opt/metasploit/msfpro. The name is “pro” even for the Community Edition. You have to remember to run this with sudo privileges or it will throw an error.

Microsoft publishes security bulletins and advisories here. Those warn of vulnerabilities in Microsoft products.  You can sign up for updates via RSS or email here. They say:

“To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release.”

Microsoft says that Security Advisories flag security problems with Microsoft products. They are released as issues are found. Security Bulletins are issued monthly as a update for the issues found that month. The Advisory updates only the component mentioned in the Advisory.  Bulletins update the whole OS or a packaged bundle, like the .Net runtime. Advisories are targeted to programmers who can update the single subroutine mentioned in the advisory. So it is a way to issue the fix ahead of the bulletin. But it is not always going to help people who are using apps written by 3rd parties until the 3rd parties update those. Microsoft keeps older versions of its run-time components in Windows to support apps that have not been updated to use the newer components.

A group of hackers known as Carbank, who in 2015 stole an incredible $1 billion USD from banks, have been again using RTF documents with embedded OLE objects to plant malware on computers. They send these documents in emails using phishing attacks. Then they use Google services on the machine to plant further instructions.
   
OLE is an object (Object Linking and Embedding) in old Microsoft technology, still in use, that lets programmers create objects with relative ease, like push buttons, drop box lists, or to execute code that they wrote themselves in Visual Basic.

Visual Basic has been in Microsoft Windows and DOS since Bill Gates and some other people wrote that when Gates was in Harvard. Visual Basic is one of the easiest languages to code.  But it is dangerous, since it can access low level functions, like copying files.

VB in a spreadsheet is similar to a Macro, except VB is a full programming language. Macros just do simple steps. For example, with OLE, users of any Microsoft Office product can put buttons on screens in Microsoft Excel or Microsoft Access and then they can write their own VB code and attach it to those buttons or kick it off automatically when those docs are loaded.

The Tor browser is a tool used by Edward Snowden, journalists, US government workers traveling overseas, terrorists, criminals, pedophiles, and people downloading movies and doing chat to protect their IP address from discovery. But recently there was a zero day defect that unmasked the identity of whoever was using it. So Tor has hardened its browser against that.   Here we given an overview of that.

The hardened Alpha version of Tor is here. You have to build that one from source code. The production version is here. Just download that one to use it.

Using Tor to Hide Your IP Address
When you visit a web set, you transmit your IP address to that site. That is necessary so that the website knows where to send the page you requested.

Tor, is opensource software that lets you mask your IP address. Tor, ironically, was developed with American Department of Defense funding. This is ironic because now their enemies are using it.

The drama, some might say circus, keeps unfolding around the Russian spying on the US election. What is remarkable is that President-elect Trump is at odds with the security apparatus he will soon inherit. He is saying he does not agree that the Russian government did the hacking. The US intelligence agencies say they have proof they did. Trump is also at odds with members of his own Republican Party. And the former head of the CIA under Bill Clinton, who had become a security advisor to Trump, quit, saying that he was not even invited to meetings where this subject was discussed.

The NSA says they have definitive proof of where the spying came from. Last week we wrote about the technical analysis the NSA provided on our website here. But what is less clear is whether this spying was directed by top Russian officials or President Putin himself.

Obama has already seen and Trump will see this week classified information that the NSA will not show the public. That information, it is said, reveals two items. First, Russians sent communications back to their country celebrating Trump’s win.  Second, they say they have proof that Russian officials provided the stolen documents to Wikileaks, a charge Julian Assange denies. They even know their names.  It is not clear what proof those documents contain that could show that President Putin or the people around him directed the spying.

The Department of Homeland Security and FBI Have released technical details of the hacking of the Democrat Party and Clinton Campaign that they first described in this document in October. As President Obama promised, the government has released proof that this hacking came from Russian intelligence agencies. Now he has punished them by expelling 35 spies and putting banking and travel sanctions on certain Russians. Americans have a unique ability to effectively punish people around the world that way, since most international commerce uses American dollars and some part of the US banking infrastructure.

Obama also promised that any technical analysis would not reveal all the details of how they uncovered what the Russians did, saying that would give away secret techniques. Instead the document includes a list of malware, exploit kits, viruses, domains, techniques, and IP addresses used by the Russians. The document also gives advice how system administrators can help secure their network against these attacks.

It seems hackers also go after people who are supposed to be educated about the dangers of phishing: tech professionals.

Last week I updated the DNS records for my personal email domain. So I was easily tricked when a few hours later I got this email that looks very much like it came from Google support. Luckily this was a harmless ad rotator and not malware. Or it could be that this switched to an ad rotator when it queried my browser and OS and found no match for whatever attack they had planned.

In what one could characterize as the worst banking hacker attack this year - and the only one to have ever caused a bank to shut down its site - Tesco Bank shut off online banking for all of its accounts after 40,000 of them were attacked. Hackers stole £2.5 million from 9,000 accounts. The bank stopped all online activity, but the site is back up now. The bank has not said specifically what steps they have taken to harden their site.

An employee who spoke to the media says the problem most likely could be blamed on Tesco grocery. Tesco also operates an online and brick and mortar grocery business. The employee said the bank’s employees are carefully vetted and its security is good. But the bank’s system is connected to the grocery system which has unpatched servers and poor security in general, the employee said.

It could be that the banking regulator shut down the online bank. The regulator issued a statement scolding the bank for lax security. Now the bank faces fines that could run into the millions of pounds.

The The New York Times, under the scary headline “Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say,” reported that Kryptowire security researchers reported that a Chinese firm Shanghai Adups Technology Co. Ltd has planted software on hundreds of thousands of Android devices and is siphoning off phone data. It did this at the request of an unnamed Chinese manufacturer, they said.

The NYT wrote, “Security contractors recently discovered pre installed software in some Android phones that monitors where users go, whom they talk to and what they write in text messages.”

This is the worrying part: “... this case is exceptional. It was not a bug. Rather, Adups intentionally designed the software to help a Chinese phone manufacturer monitor user behavior …”

This news was broadcast on November 15. So far the US Department of Homeland Security has said it will post a bulletin, but it has not yet. Regarding Europe, it seems that this spyware might have been only intended for the Chinese market but ended up on BLU phones sold in the USA through Amazon and Best Buy by mistake. There is no news so far of this spyware being on phones in Europe or anywhere else besides China and the USA.

SHA-1 (Secure Hashing Algorithm 1) is an encryption algorithm used to encrypt traffic to and from SSL/HTTPS websites. It has some known security weaknesses. So it is being phased out and replaced with SHA-2 and SHA-3. Certificate authorities will quit issuing SHA-1 certificates in January 2017. Microsoft, Google, and Mozilla web browsers will quit supporting those then. That is all good, but the problem is 35% of websites still use these older certificates says research firm Venafi. Web browsers tell you exactly how strong the encryption in a website is when you go there by color coding the address bar. Green is good. Red is bad.

Lock means the site is safely encrypted and you can feel safe entering data there. Info means the site does not use encryption at all or in all places. And the red warning means the SSL certificate is expired, the site has been flagged by the Safe Browsing organization, or there is what Google calls “a weak security setup,” meaning SHA-1.

Should you panic? Is the internet going to stop working on January 2017? Doubtful.

First of all, the security weakness of SHA-1 is probably exaggerated where you consider practical details.

What are some of the new security features in Windows 2016?

Windows 2016 is the soon-to-be released version of Windows server software. The Server version of Windows is the software designed to power business, engineering, and other applications. It is not for desktop users. Prior to Windows 2016 there was Windows 2012 and Windows 2008. So it looks like Microsoft releases a new version about every 4 years.

Changes to Windows 2016 this time can be said to be incremental rather than wholesale. The basic architecture is the same.

One addition to Windows is containers. These have gained a wide following with Linux servers. A container lets a user download and start running application software in just a few minutes or seconds as opposed to hours, days, or weeks to install that by hand. It is like a virtual machine, but it is much smaller since it is not a full operating system.

Nano Server
The Nano Server is something in between the container and hypervisor.

Now you can install Windows as a Nano server. This is a small operating system that lacks, for example, a graphical interface. A Nano server would be used to run databases and other applications on the cloud. The idea is if it is small then there are less components to attack. For example there are less security updates to install. It is the minimum OS needed to run applications. The Nano server is stripped of many Windows features, thus making it suitable for doing just one task.

Some software companies invite security researchers to look for weaknesses in their software and then pay they for finding those. That is called a Bounty Bug program. Microsoft is one company that does that. Google has a bounty program for Android. Apple is late to the game, only launching its program this year. But they pay the highest bounty, up to $200,000 for zero day vulnerabilities. Many smaller companies offer bounty bug programs too.

Not only does Microsoft pay a reward for finding bugs in Windows—some of them are sizeable—they feature the researcher’s name in their bulletins and invite some of them to come to the Researcher Appreciation Party in Las Vegas.

Researchers have to be at least 14 years old and cannot come from countries against which the USA has sanctions. And they agree not to publish their exploit code.   

Microsoft discusses weaknesses and their fixes in their Microsoft Security Bulletins.

But Microsoft says researchers can write about the bug as well as show the exploit code, but only once the vulnerability is fixed. They say, “Please do not discuss the vulnerability in any form prior to Microsoft notifying you that it is fixed. And they say “This does not prevent you from discussing the vulnerability once it is fixed or showing the effects of the exploit in code.”