This Week in Information Security (Week of June 15th)
Welcome back to This Week in Information Security! Sorry if you missed us last week, but posts should follow the schedule you're used to going forward. This week, we have news of two high-profile compromises, a few hair-raising hardware/firmware vulnerabilities, tools from DARPA for searching the "deep" and "dark" web, an opinion piece about vulnerability embargoes in open source software, and more. Finally, we wrap up the week with a fun, interactive article from Bloomberg about the meaning of code and the people and culture that produce it.
As always, you can find me on Twitter @ccneill if you have any thoughts on this post.
News / Opinions
FBI official: Companies should help us 'prevent encryption above all else' - Last week Michael B. Steinbach, the assistant director of the FBI's Counterterrorism Division, gave testimony that puzzled many, claiming that the FBI was working with technology companies "to build technological solutions to prevent encryption above all else." This is just another in a long line of statements by law enforcement about the need to introduce a government "front door" into encryption standards. As I've mentioned in previous posts, cryptography experts argue that "front doors" in encryption are very hard or impossible to get right, and, generally speaking, are not a good idea. We're still facing the consequences of weakened encryption, or "export-grade encryption," that was introduced in the last episode of the "crypto wars" in the '90s.
Why the "biggest government hack ever" got past the feds - In other government news, a huge breach of the Office of Personnel Management (OPM) potentially exposed the personal information of millions of past and current federal employees. Ars Technica digs into the details of how this might've happened, citing a 2007 report from the Inspector General's office that labeled OPM's security a "material weakness." The Inspector General also found that "OPM [did] not maintain a comprehensive inventory of servers, databases, and network devices. In addition, [they] were unable to independently attest that OPM has a mature vulnerability scanning program." Some fear that the stolen information could be used to unmask or threaten undercover agents or spy-agency employees, or to submit fraudulent tax returns to the IRS, as happened with roughly 100,000 taxpayers' information during the 2015 tax season.
Kaspersky Lab cybersecurity firm is hacked - A new breed of malware dubbed 'Duqu 2.0' has been found targeting Kaspersky Lab, an antivirus vendor from Russia, via previously-undisclosed vulnerabilities in Microsoft products (Microsoft Word is mentioned specifically). The firm believes that the attack was targeting new technologies, and some speculate it could also have been an attempt to spy on Kaspersky's customers, as was the case with the RSA hack that was confirmed several years ago, though Kaspersky denies that any interference with its systems took place. The original version of the Duqu malware seems to be related to the Stuxnet worm used to attack Iranian nuclear facilities.
The hidden costs of embargoes - Red Hat has released a blog post discussing the advantages and disadvantages of using "embargoes" to coordinate vulnerability releases with open source projects. They call out the fact that most open source projects don't really have processes or tools in place to deal with developing in the dark, so to speak. Their code repositories, their CI/CD infrastructure, their bug reporting systems, etc. are mostly public, so developing a fix in private means potentially not leveraging the expertise of the community or existing testing infrastructure, which can lead to incomplete patches that have to be updated later. It is also worth noting that if one security researcher has found an issue, there is nothing preventing others from doing so. The blog post suggests that embargoes be used sparingly, and that most security bugs be treated just like other bugs. This way, a larger number of eyes can be focused on the problem at once, thus giving the project the greatest chance of releasing a fully functional patch quickly.
Why Stegosploit isn't an exploit - Some of you may remember the research I mentioned last week about a tool called "Stegosploit" that claimed to be able to embed malicious exploit code into an image file, which could be triggered by a user simply viewing the image in their browser. A new article from researcher Christian Bundy says that this is at best an exaggeration, claiming that the exploit will only work if the attacker can embed the image within an HTML `<script>` tag. Anyone familiar with cross-site scripting will tell you that if you're able to inject a `<script>` tag into a legitimate site, you don't need an image to do nasty things - you've already won. If true, this means that Stegosploit isn't much more than a way to obfuscate attacks, rather than a truly novel way to smuggle them through a previously undiscovered channel.
How apps track your location without asking for permission - Researchers at Trustlook have released some interesting research showing how an Android app can acquire users' location data, even if the app doesn't explicitly ask for the well-known "Location" permission. It is possible to retrieve the BSSIDs of WiFi networks the user has scanned, as well as signal strength for those networks, even with WiFi disabled on the phone. The BSSID can be plugged into a service like WiGLE, which tracks the BSSIDs of WiFi networks around the world, to get a surprisingly accurate picture of the user's location.
The Memory Sinkhole - Unleashing an x86 design flaw allowing universal privilege escalation - Researcher Christopher Domas will present a talk at this year's Black Hat Conference detailing a flaw in the x86 architecture that could be used by attackers to gain privileged access to low-level bits of the processor that are normally off-limits. He claims that he will be releasing a proof-of-concept of the attack during the talk. It will be interesting to see if he is "allowed" to give a presentation that has such high potential for abuse, or if it will be cancelled at the last minute, like in the case of the Carnegie Mellon researchers who were [prevented from giving a talk about de-anonymizing Tor][tor] at last year's Black Hat conference.
The Empire Strikes Back Apple - how your Mac firmware security is completely broken (H/T Ed Ray) - UNFIXED - A researcher looking into recent attacks on Apple firmware (1) (2) has discovered that by simply putting a Mac to sleep and waking it back up, an attacker can overwrite the BIOS and introduce a rootkit into the UEFI, making the attack much simpler than those detailed in the past. More Apple firmware vulnerabilities might be announced at the DEFCON hacking conference in August.
Mongo BSON Injection: Ruby Regexps Strike Again (H/T Josh Gibbs) - FIXED - Egor Homakov (@homakov) details an issue in the Ruby BSON gem that can lead to a DoS or BSON injection, depending on the version of BSON in use. The vulnerability hinges on the fact that Ruby, unlike most other languages, treats regular expressions as multi-line expressions by default: the "^" and "$" anchors match at the start and end of any line, not just of the whole string. What does this mean?
If I have this regular expression:
Rather than only matching strings like this, as would be the case with many other languages:
Ruby will also match strings like this:
Egor has a great post from a few years ago about this issue. The Ruby on Rails security guide calls out this issue and suggests using "\A" and "\z", which will be treated as the beginning and end, respectively, of the whole string, rather than matching on one line in a multi-line string. The latest version of the gem (3.0.4) can be obtained here.
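To make the anchor difference concrete, here is an added example (not code from the original post or from the bson gem) comparing "^"/"$" against "\A"/"\z" in Ruby; the 24-hex-character id pattern and the inputs are constructed for illustration.

```ruby
# Added example, not code from the original post or from the bson gem.
# It shows why ^ and $ fail as whole-string anchors in Ruby and why the
# Rails security guide's \A and \z are the right replacement.

# In Ruby, ^ and $ always match at line boundaries (no /m flag needed),
# so anything after a newline is never seen by this check.
def looks_like_hex_id_naive?(value)
  !!(value =~ /^[0-9a-f]{24}$/)
end

# \A and \z anchor to the absolute start and end of the whole string.
def looks_like_hex_id_strict?(value)
  !!(value =~ /\A[0-9a-f]{24}\z/)
end

# Caveat: uppercase \Z still tolerates a single trailing newline, which is
# why the guide says lowercase \z.
def looks_like_hex_id_capital_z?(value)
  !!(value =~ /\A[0-9a-f]{24}\Z/)
end

# Constructed inputs (hypothetical values, not taken from the advisory).
GOOD_ID          = "0123456789abcdef01234567"
SMUGGLED         = "#{GOOD_ID}\nsecond line the validator should reject"
TRAILING_NEWLINE = "#{GOOD_ID}\n"

# Returns each validator's verdict for each input so the anchors can be
# compared side by side.
def compare_anchors
  inputs = { good: GOOD_ID, smuggled: SMUGGLED, trailing_newline: TRAILING_NEWLINE }
  inputs.transform_values do |v|
    { naive:     looks_like_hex_id_naive?(v),
      strict:    looks_like_hex_id_strict?(v),
      capital_z: looks_like_hex_id_capital_z?(v) }
  end
end

if __FILE__ == $0
  compare_anchors.each { |name, verdicts| puts "#{name}: #{verdicts}" }
end
```

Only the strict form rejects both the smuggled second line and the trailing newline; the naive form accepts everything, which is exactly how an injection check gets bypassed.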
- MEMEX - A few months ago, DARPA open sourced code from a project called MEMEX which is intended to provide developers with tools to create more advanced search engines than are common today. MEMEX has already been used to combat human trafficking, helping to secure a conviction of a human trafficker in New York City. The tools are wide-ranging in their abilities, but some examples include Formasaurus, a tool to detect types of HTML forms (e.g. login, search, contact, etc.), and Splash, a lightweight, HTTP-based browser emulator written in Python.
Random Link of the Week
- What is code? - This is a long read from Bloomberg that seeks to answer the question "What is code?" with great pictures, examples, explanations, and a liberal sprinkling of humor throughout. Whether you're a seasoned developer, a project manager trying to manage a team of developers, or a recent graduate of a learn-to-code bootcamp program, this article will likely amuse you, and might even teach you something interesting along the way.