This Week in Information Security (Week of July 13th)
After 2 weeks off, we're back with another week in information security! We'll dive into several high-profile breaches at the Office of Personnel Management (again) and Hacking Team, a malware creator that counts several governments and law enforcement agencies as customers. The Hacking Team breach uncovered a nasty Adobe Flash 0day that they had discovered and not previously reported, which has been seen in live attacks both before and after public disclosure. On a lighter note, we also have some great guides and tools for you this week.
As always, you can find me on Twitter @ccneill if you have any thoughts on this post.
News / Opinions
Hacking of Government Computers Exposed 21.5 Million People - It's been pretty much impossible to avoid hearing about the hacking of the Office of Personnel Management, which was first disclosed about a month ago (I first wrote about it here). Well, it just got worse. The OPM announced yesterday that 21.5 million more people who had applied for background checks for federal employment, as well as their spouses and cohabitants, had their personal information compromised by a related attack. This information included things like social security numbers, fingerprints, health and financial history, and more. The director of the OPM, Katherine Archuleta, has resigned under political pressure from many in Congress. She had previously testified that this data was not encrypted because "it is not feasible to implement on networks that are too old." (Reference)
'Hacking Team' Gets Hacked! 400GB of Data Dumped Over the Internet - Italian malware/spyware creators Hacking Team, who provide services to governments and law enforcement agencies around the world, were apparently hacked last week. Hundreds of gigabytes of sensitive information has been leaked and is available via torrent. Their Twitter account was also hacked and used to distribute the stolen files. Several interesting things have come to light as a result, such as a previously-unreleased Flash 0day that was described as "the most beautiful Flash bug for the last four years" by a member of Hacking Team, and a BGP hijacking attack carried out by an Italian ISP.
Security gurus deliver coup de grace to US govt's encryption backdoor demands - Well-respected security researchers such as Whitfield Diffie, Bruce Schneier, Ronald Rivest, Matt Blaze, Ross Anderson, and others have released a paper (PDF) aimed at discouraging the weakening or breaking of encryption, which has been championed by FBI officials and others, including UK Prime Minister David Cameron. The paper looks back to the first iteration of the 'crypto wars' that took place in the mid-nineties, when claims of 'going dark' prompted similar calls for mandated backdoors in encrypted communications, and examines the overwhelming negative impacts and extreme technical difficulty of implementing such proposals today. This comes as James Comey, Director of the FBI, was testifying to Congress last week about the necessity of such controls to allow law enforcement to gain access to the communications of bad actors.
"We take security seriously", otherwise known as "We didn't take it seriously enough" - (H/T Herb Jackson) - Troy Hunt, a security researcher at Microsoft, posted a blog post last week lambasting software companies for their commitment to security (or lack thereof). He provided examples of several companies saying that they "take security seriously," right after they were hacked. This caused quite a stir in the security community, and several people criticized the article for being unrealistic and unfair. At the end of the day, while these companies likely really do want to be as secure as possible, there is always some level of insoluble uncertainty with security, and it doesn't necessarily make sense to pay infinite dollars to prevent ANY attack, at the expense of running your actual business profitably.
A month with BADONIONS - Tor is widely used to provide privacy for individuals, governments, and everyone in between, but recent research shows that at least some bad actors are operating exit nodes and sniffing Tor traffic. The researcher set up a honeypot and accessed it with a unique password for each Tor exit node she used, then monitored for re-use of those passwords. She discovered that roughly 16 of the Tor exits she tested attempted to log into the page with the password she had used, meaning they were actively sniffing and attacking Tor users. This underscores the need, as mentioned on the Tor website, to use encryption at all times while using the Tor network.
Adobe Flash exploit that was leaked by Hacking Team goes wild; patch now! - PATCHED - As mentioned above, the disclosures following a massive data dump from Italian firm Hacking Team included a previously-undisclosed Adobe Flash exploit. This exploit has quickly found its way into malware kits and the popular Metasploit framework, and it has been observed in the wild. In at least one real-world case it was even able to exploit Google Chrome, which is considered the hardest browser to attack in some respects due to its unique security controls. You can find patches for your system here.
Information about the recent OpenSSL bug (for techies without infosec chops) - (H/T Laurens Van Houtven) - PATCHED - This post explores the details of the OpenSSL advisory released on Thursday that patched a critical issue in the way certificate verification worked, and provides information about how it might affect you. Thankfully, this issue was introduced in a fairly recent version of OpenSSL, and few stable operating systems were affected. Affected OpenSSL versions are >= 1.0.1n and >= 1.0.2b. Known affected Linux distributions are Fedora stable, Debian testing and unstable, ArchLinux testing, and Ubuntu 15.10 (unstable). Homebrew, a popular package manager for OS X, also shipped a vulnerable version for a while (1.0.2c). If you are using an affected version, you should patch ASAP!
Django Security releases issued: 1.8.3, 1.7.9, 1.4.21 - PATCHED - A number of vulnerabilities have been patched in the popular Django framework, including 2 denial-of-service issues and a possible header injection issue. All previous versions of Django 1.8, 1.7, and 1.4 are affected. Patches are listed at the bottom of this advisory.
Reference / Tutorials
Using Encryption and Authentication Correctly - This tutorial describes how to properly use encryption together with message authentication to build secure systems that provide confidentiality, integrity, and authenticity. It looks at a number of examples of the right and wrong way to use encryption and keyed-hash message authentication code (HMAC). The code is mostly geared toward a PHP audience, but the information should be readily transferable to other languages. Great read!
Two-Factor-Authentication with SSH - In this post, the author explains how to set up two-factor authentication (2FA) for SSH logins on FreeBSD (though the process should be mostly applicable to other BSD, Linux, and Unix systems). 2FA has gotten a lot of attention recently after several breaches (including the OPM breach discussed above) have highlighted the insecurity of single-factor/password authentication, and privileged SSH access is definitely something worth protecting with 2FA.
zxcvbn (Password strength testing tool) - Dropbox has a library that can be used to evaluate the security of a given password, looking at things like common dictionary words, common character permutations, repetitions, and more. For example, while other password complexity systems might say a password like "hello!!!!!!!!!!" was secure, zxcvbn recognizes that this is just a dictionary word + a repeated character, which it estimates can be cracked almost instantly. This tool has been around for a while, but I was just made aware of it recently while reading a Stack Exchange answer about real entropy in passwords. You can see it in action here.
Awesome Shell - From the repository readme: "A curated list of awesome command-line frameworks, toolkits, guides and gizmos." I have to agree that this is an absolutely awesome list, and includes all kinds of useful tools and reference materials, like fzf, a CLI fuzzy finder, marker, a shell command bookmark tool, and much more.
Random Link of the Week
How to undo (almost) anything with Git - GitHub recently posted a great article on their blog describing how to undo a number of "oops" scenarios when using Git, like pushing a bad commit or tracking a file you don't want to track. Note: these steps are not sufficient for removing e.g. API keys if you've checked them in at some point. If you need to do that, GitHub has you covered there too.