Security News for 2013 November 01

Verbose security technology news summary:

Contents:

1. Cyber criminals are planting chips in electric irons and kettles to launch spam attacks

2. GimBall and the AirBurr, are robots designed specifically to study the physical interaction between flying robots and their environment.

3. Silent Circle, Lavabit unite for ‘Dark Mail’ encrypted email project

Dark Mail will provide end-to-end encryption, including email metadata

4. Fake social media ID duped security-aware IT guys -Penetration testers used a faked woman’s identity on social networks to break into a government agency with strong cybersecurity defenses

5. “badBIOS” is a mysterious Mac and PC malware that jumps airgaps by high-frequency transmissions passed between computer speakers and microphones.

http://www.bbc.co.uk/news/blogs-news-from-elsewhere-24707337

Cyber criminals are planting chips in electric irons and kettles to launch spam attacks, reports in Russia suggest.

State-owned channel Rossiya 24 even showed footage of a technician opening up an iron included in a batch of Chinese imports to find a “spy chip” with what he called “a little microphone”. Its correspondent said the hidden devices were mostly being used to spread viruses, by connecting to any computer within a 200m (656ft) radius which were using unprotected Wi-Fi networks. Other products found to have rogue components reportedly included mobile phones and car dashboard cameras.

The report quoted one customs brokerage professional as saying the hidden chips had been used to infiltrate company networks, sending out spam without administrators’ knowledge. News agency Rosbalt reports that while the latest delivery of appliances was rejected by officials, more than 30 devices had already been sent to retailers in St Petersburg.

http://lis.epfl.ch/gimball

 gimball_nccr2b

GimBall is equipped with a passively rotating protective cage, which keeps it stable even during collisions. It can therefore fly in very cluttered environments without fearing contacts.

The AirBurr is equipped with a protective structure and active legs, so that it can fall to the ground without breaking and upright itself to take-off again.

airburrl_nccr2b

In the latest work presented at ICRA 2013 by Ludovic Daler in a paper titled “A Perching Mechanism for Flying Robots Using a Fibre-Based Adhesive”, the AirBurr V11 is shown attaching on walls using a deployable perching mechanism with gecko adhesives. Robots, similar to the AirBurr, capable of exploring cluttered indoor environments have many applications in search and rescue missions: they overcome ground obstacles easily and provide a high point of view. The new perching mechanism allows a flying robot to extend its mission time by turning off its motors while it scans the surroundings.

http://www.computerworld.com.au/article/530582/silent_circle_lavabit_unite_dark_mail_encrypted_email_project/

Silent Circle, Lavabit unite for ‘Dark Mail’ encrypted email project

Dark Mail will provide end-to-end encryption, including email metadata

Their idea, presented at the Inbox Love email conference in Mountain View on Wednesday, is for an open system that could be widely implemented and which offers much stronger security and privacy. As envisioned, Dark Mail would shield both the content of an email and its “metadata,” including “to” and “from” data, IP addresses and headers. The email providers hope a version will be ready by next year.

“The issue we are trying to deal with is that email was created 40 years ago,” Jon Callas, CTO and founder of Silent Circle, in a phone interview. “It wasn’t created to handle any of the security problems we have today.”… Rather than create a closed email service, they decided to design Dark Mail with open-source software components that could be used by any email provider.

“We need 1,000 Lavabits all around the world,” he said….

Dark Mail will be crafted around XMPP, a web messaging protocol known by its nickname Jabber, along with another encryption protocol created by Silent Circle called SCIMP (Silent Circle Instant Message Protocol), Callas said. …

The private key used to encrypt email will be held on users’ systems and not retained by a service provider. Even if the government forced a SSL key to be turned over, users would not be compromised “because all of the messages are encrypted to keys that are sitting in the hands of the recipient,” Callas said.

Dark Mail will encrypt the metadata, using the XMPP protocol to signal when a new message has arrived, Callas said.

The alliance is also considering longstanding problems around encryption keys, such as public and private key pairs that are in use for years. “The longer that a key stays around, the bigger of a vulnerability it is,” Callas said.

One idea is to create a protocol that would only keep a static public key for just a few hours or a day and then refresh it. Older messages would need to be re-encrypted with a new key to maintain access, but it would provide much better long-term protection for sensitive messages, Callas said.

Also under consideration is “forward secrecy,” an encryption feature that limits the amount of data that can be decrypted if a private key is compromised in the future.

Callas said Dark Mail will be flexible, allowing users to send unencrypted email if they don’t need an extra level of security.

http://www.itworld.com/security/380874/fake-social-media-id-duped-security-aware-it-guys

Security experts used fake Facebook and LinkedIn profiles pretending to represent a smart, attractive young woman to penetrate the defenses of a U.S. government agency with a high level of cybersecurity awareness, as part of an exercise that shows how effective social engineering attacks can be, even against technically sophisticated organizations.

The attack was part of a sanctioned penetration test performed in 2012 and its results were presented Wednesday at the RSA Europe security conference in Amsterdam by Aamir Lakhani, a counter-intelligence and cyberdefense specialist who works as a solutions architect at IT services provider World Wide Technology.

By building a credible online identity for a fake attractive female named Emily Williams and using that identity to pose as a new hire at the targeted organization, the attackers managed to launch sophisticated attacks against the agency’s employees, including an IT security manager who didn’t even have a social media presence.

The agency’s name was not revealed, but Lakhani said it was a very secure one that specializes in offensive cybersecurity and protecting secrets and for which they had to use zero-day attacks in previous tests in order to bypass its strong defenses.

The penetration testing team claimed Emily Williams was a 28-year-old MIT graduate with 10 years experience and set up her identity with as much real information as possible. For the fake social media profiles they even used the picture of a real woman — with her approval — who works as a waitress at a restaurant used by many of the targeted organization’s employees. However, no one recognized her.

The team also set up information about her on other websites so people would be able to match the information on her social media profiles with information obtained through Google searches, Lakhani said. For example, since they claimed she was an MIT graduate, they posted on some university forums using her name.

The test was inspired by a similar 2010 experiment by security specialist Thomas Ryan, who created a fake online identity for a female cyberthreat analyst named Robin Sage and was able to befriend about 300 security professionals, military personnel and staff at intelligence agencies and defense contractors on social media websites.

However, Lakhani and his colleagues wanted to see how far they could take such a social media deception and what they could achieve through it.

Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had 3 job offers from other companies.

As time went on she started receiving LinkedIn endorsements for skills and men working for the targeted agency offered to help her get started faster in her alleged new job within the organization by going around the usual channels to provide her with a work laptop and network access. The level of access she got in this way was higher than what she would have normally received through the proper channels if she had really been a new hire, Lakhani said.

The penetration testing team controlling the fake identity didn’t use the work laptop and network access they obtained and decided to launch more sophisticated social engineering attacks against employees in order to break into their computers.

Around the Christmas holiday they created a site with a Christmas card and posted the link to it on Emily’s social media profiles. People who visited the site were prompted to execute a signed Java applet that opened a reverse shell back to the attack team via an SSL connection.

The attack used built-in Java functionality to get the shell instead of exploiting a vulnerability and required user interaction, but despite these technical limitations, it was very successful, according to Lakhani.

Once they had a shell, the team used privilege escalation exploits to gain administrative rights and was able to sniff passwords, install other applications and steal documents with sensitive information. Some of the documents included information about state-sponsored attacks and country leaders.

Even though it wasn’t part of the plan, some employees who worked for contractors to the targeted government agency also fell for the Christmas card attack, including employees from antivirus companies, Lakhani said. In one case, one of the accidental victims was a developer with access to source code, he said.

A real attacker could have compromised one of these partner companies and then attacked the government organization through them, which would have made the attack much harder to detect, Lakhani said.

At one point the attack team saw that two of the organization’s employees were talking on Facebook about the birthday of the head of information security at the agency. That person had no accounts on social media websites, so the team sent him an email with a birthday card that appeared to come from one of the two people talking about the event on Facebook.

The attack worked and after he opened the malicious birthday card link, his computer was compromised.

“This guy had access to everything. He had the crown jewels in the system,” Lakhani said.

The whole social media deception project involving Emily Williams lasted three months, but the penetration testing team reached its goals within one week. “After that we just kept the project going for research purposes to see how far we can go,” Lakhani said.

“After we performed this successful attack we got requests from other companies that wanted to try the same thing,” Lakhani said. “So we also did the same type of penetration test for very large financial institutions like banks and credit card companies, healthcare organizations and other firms, and the results were almost exactly the same.”

“Every time we include social engineering in our penetration tests we have a hundred percent success rate,” he said. “Every time we do social engineering, we get into the systems.”

According to Lakhani, the fundamental problem is that people are trusting and willing to help others. Many also don’t think it could happen to them because they don’t have an important enough position within an organization, but they don’t realize how their actions could help an attacker gain credibility.

The Emily Williams attack started by targeting low-level employees like sales and accounting staff, but as the social network around her grew, the attack team was able to target more technical people, security people and even executives.

The experiment also shows that attractive women get special treatment in the male-dominated IT industry. The majority of individuals who went out of their way to help Emily Williams were men. The team actually tried a similar test in parallel with a fake male social media profile and got no useful connections.

According to Lakhani, social engineering awareness training can help, but it’s not going to work if it’s done on an annual basis. It needs to be constant training, so that employees develop instincts. In fact, the organization targeted in this attack was doing security awareness training for their employees.

“In the military it’s called situational awareness,” Lakhani said. “We need to develop situational awareness for this type of attack.”

Other recommendations that Lakhani made during the talk include: questioning suspicious behavior and reporting it to the human relations department, not sharing work-related details on social networks, not using work devices for personal activities, protecting access to different types of data with strong and separate passwords, and segmenting the network so that if attackers compromise an employee with access to one network segment they can’t access more sensitive ones.

—-

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn’t know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet’s next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

“We were like, ‘Okay, we’re totally owned,'” Ruiu told Ars. “‘We have to erase all our systems and start from scratch,’ which we did. It was a very painful exercise. I’ve been suspicious of stuff around here ever since.”

In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that’s able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine’s inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping “airgaps” designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

“We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD,” Ruiu said. “At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we’re using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys.”

Over the past two weeks, Ruiu has taken to Twitter, Facebook, and Google Plus to document his investigative odyssey and share a theory that has captured the attention of some of the world’s foremost security experts. The malware, Ruiu believes, is transmitted though USB drives to infect the lowest levels of computer hardware. With the ability to target a computer’s Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and possibly other firmware standards, the malware can attack a wide variety of platforms, escape common forms of detection, and survive most attempts to eradicate it.

But the story gets stranger still. … Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: “badBIOS,” as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.

Bigfoot in the age of the advanced persistent threat

At times as I’ve reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he’s beginning to draw….

Also unexplained is why Ruiu would be on the receiving end of such an advanced and exotic attack. As a security professional, the organizer of the internationally renowned CanSecWest and PacSec conferences, and the founder of the Pwn2Own hacking competition, he is no doubt an attractive target to state-sponsored spies and financially motivated hackers. But he’s no more attractive a target than hundreds or thousands of his peers, who have so far not reported the kind of odd phenomena that has afflicted Ruiu’s computers and networks.

In contrast to the skepticism that’s common in the security and hacking cultures, Ruiu’s peers have mostly responded with deep-seated concern and even fascination to his dispatches about badBIOS.

“Everybody in security needs to follow @dragosr and watch his analysis of #badBIOS,” Alex Stamos, one of the more trusted and sober security researchers, wrote in a tweet last week. Jeff Moss—the founder of the Defcon and Blackhat security conferences who in 2009 began advising Department of Homeland Security Secretary Janet Napolitano on matters of computer security—retweeted the statement and added: “No joke it’s really serious.” Plenty of others agree.

“Dragos is definitely one of the good reliable guys, and I have never ever even remotely thought him dishonest,” security researcher Arrigo Triulzi told Ars. “Nothing of what he describes is science fiction taken individually, but we have not seen it in the wild ever.”

Been there, done that

Triulzi said he’s seen plenty of firmware-targeting malware in the laboratory. A client of his once infected the UEFI-based BIOS of his Mac laptop as part of an experiment. Five years ago, Triulzi himself developed proof-of-concept malware that stealthily infected the network interface controllers that sit on a computer motherboard and provide the Ethernet jack that connects the machine to a network. His research built off of work by John Heasman that demonstrated how to plant hard-to-detect malware known as a rootkit in a computer’s peripheral component interconnect, the Intel-developed connection that attaches hardware devices to a CPU.

It’s also possible to use high-frequency sounds broadcast over speakers to send network packets. Early networking standards used the technique, said security expert Rob Graham. Ultrasonic-based networking is also the subject of a great deal of research, including this project by scientists at MIT.

Of course, it’s one thing for researchers in the lab to demonstrate viable firmware-infecting rootkits and ultra high-frequency networking techniques. But as Triulzi suggested, it’s another thing entirely to seamlessly fuse the two together and use the weapon in the real world against a seasoned security consultant. What’s more, use of a USB stick to infect an array of computer platforms at the BIOS level rivals the payload delivery system found in the state-sponsored Stuxnet worm unleashed to disrupt Iran’s nuclear program. And the reported ability of badBIOS to bridge airgaps also has parallels to Flame, another state-sponsored piece of malware that used Bluetooth radio signals to communicate with devices not connected to the Internet.

“Really, everything Dragos reports is something that’s easily within the capabilities of a lot of people,” said Graham, who is CEO of penetration testing firm Errata Security. “I could, if I spent a year, write a BIOS that does everything Dragos said badBIOS is doing. To communicate over ultrahigh frequency sound waves between computers is really, really easy.”

Coincidentally, Italian newspapers this week reported that Russian spies attempted to monitor attendees of last month’s G20 economic summit by giving them memory sticks and recharging cables programmed to intercept their communications.

Eureka

For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.

“The suspicion right now is there’s some kind of buffer overflow in the way the BIOS is reading the drive itself, and they’re reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table,” he explained.

He still doesn’t know if a USB stick was the initial infection trigger for his MacBook Air three years ago, or if the USB devices were infected only after they came into contact with his compromised machines, which he said now number between one and two dozen. He said he has been able to identify a variety of USB sticks that infect any computer they are plugged into. At next month’s PacSec conference, Ruiu said he plans to get access to expensive USB analysis hardware that he hopes will provide new clues behind the infection mechanism.

He said he suspects badBIOS is only the initial module of a multi-staged payload that has the ability to infect the Windows, Mac OS X, BSD, and Linux operating systems.


“It’s going out over the network to get something or it’s going out to the USB key that it was infected from,” he theorized. “That’s also the conjecture of why it’s not booting CDs. It’s trying to keep its claws, as it were, on the machine. It doesn’t want you to boot another OS it might not have code for.”

To put it another way, he said, badBIOS “is the tip of the warhead, as it were.”

Things kept getting fixed”

Ruiu said he arrived at the theory about badBIOS’s high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine’s power cord so it ran only on battery to rule out the possibility that it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

“The airgapped machine is acting like it’s connected to the Internet,” he said. “Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird.”

It’s too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer’s lowest levels and use it as a jumping off point to infect a variety of operating systems with malware that can’t be detected. It’s even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either.

“It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,” Ruiu concluded in an interview. “The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they’re faced with sophisticated attackers.”

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s