SecureWorks - On the Radar Newsletter - 0809
Black Hat® USA 2009 Round Up
This year’s Black Hat USA security conference focused on risks to businesses and the technologies they use, including Web encryption, mobile devices and cloud computing. Members of the Counter Threat Unit were there presenting research and working with other security experts. Here is their take on a few key topics of the conference.
Highlights:
- SSL/EV SSL Vulnerabilities
- Metasploit Enhancements
- Managed Code Rootkits
- Mobile Device Hacking
SSL/EV SSL Vulnerabilities
Two presentations given at the conference demonstrated fundamental flaws in the way SSL certificates are issued and processed. Major Certificate Authorities (CAs) only review the root domain name and not the sub-domains when validating domain ownership. This allows an attacker to purchase a certificate containing a specially crafted Common Name, as long as they are the legitimate owner of the root domain. Web browsers commonly perform C string comparison to validate a certificate’s authenticity. By using a certificate with a specially crafted Common Name that contains a null byte, an attacker can trick vulnerable web browsers into ignoring the portion of the Common Name that includes the attacker’s root domain.
This threat would be a boon for phishing scams, as well as any other scams where impersonating a legitimate SSL-secured site would be of value. Shortly after this vulnerability was disclosed, Mozilla Firefox issued an update to fix the flaw. A security update is also expected for Microsoft Internet Explorer in the near future.
EV SSL certificates were also discussed, particularly in the context of Web sites using a mix of EV SSL certificates, regular SSL certificates and unsecured HTTP throughout the site’s content. The problem in this scenario is that it is counterintuitive to the design of EV SSL: Web browsers will still represent a page within the Web site as being protected with EV SSL, which may not be the case. This violates the trust that EV presents to the user in the form of the “green bar”, and provides a false sense of security. Other scenarios for attacking and working around EV SSL were also presented, and will surely be a topic of further research.
Read this CTU blog post for additional information.
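The following is an added illustration, not code from the newsletter or from either presentation, of why a NUL byte in the Common Name defeated C-string comparison and how a length-aware check rejects it. The Common Name, the hostnames and the `.example` domains are constructed for the demonstration.

```python
import re

# Constructed example CN (not a real certificate): the part before the NUL is the
# site being impersonated, the part after it is the domain the attacker really owns.
CRAFTED_CN = b"login.bank.example\x00.attacker.example"

def c_string(buf: bytes) -> bytes:
    """What a C string API (strcmp, strlen, ...) sees in a buffer: nothing past the first NUL."""
    nul = buf.find(b"\x00")
    return buf if nul < 0 else buf[:nul]

def registrable_domain(cn: bytes) -> bytes:
    """The last two labels of the full CN: the only part a CA that validates just the
    root domain (as the page describes) checks ownership of."""
    return b".".join(cn.rsplit(b".", 2)[-2:])

def naive_cn_match(cn: bytes, hostname: bytes) -> bool:
    """Vulnerable check: a C-style comparison silently drops '\\x00.attacker.example'."""
    return c_string(cn).lower() == hostname.lower()

def safe_cn_match(cn: bytes, hostname: bytes) -> bool:
    """Hardened check: treat the CN as a length-delimited byte string (the whole
    bytes object here, i.e. the DER-declared length), reject embedded NULs and any
    byte that cannot occur in a DNS name, then compare the full value."""
    if b"\x00" in cn or not re.fullmatch(rb"[a-z0-9.-]+", cn.lower()):
        return False
    return cn.lower() == hostname.lower()

if __name__ == "__main__":
    print("CA sees owner of :", registrable_domain(CRAFTED_CN).decode())
    print("strcmp-style match:", naive_cn_match(CRAFTED_CN, b"login.bank.example"))
    print("length-aware match:", safe_cn_match(CRAFTED_CN, b"login.bank.example"))
```

The CA view and the browser view of the same string disagree only because the comparison stops at the NUL; comparing the declared length removes the discrepancy.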
Metasploit Enhancements
Black Hat featured an entire track about Metasploit on day one, which saw the release of several tools and enhancements to its arsenal. Specifically covered was Meterpreter, a powerful shell payload that gives an attacker complete control over an exploited system. This had been a Windows-only payload, but a new Meterpreter payload for Mac OS X was released to give Metasploit users the ability to remotely control an exploited Mac. A demonstration used the iSight webcam to take a picture and relay it back to the attacking host, showing some of the potential this payload has. A different presentation demonstrated the loading of Meterpreter onto a stock (unmodified) iPhone, which can open up a new class of problems such as interfacing with SMS or re-routing traffic through the 3G network. Due to the “always on” nature of most iPhones, loading Meterpreter on an iPhone gives an attacker a new, mobile platform to attack from.
Additionally, there were many other Metasploit enhancements released including automation of Oracle attacks, telephony extensions for automating attacks on modems, Wireless “man-in-the-middle” attacks, browser fingerprinting, and much more. All of these enhancements should now be available in the Metasploit toolkit.
Managed Code Rootkits
A few presentations this year focused on managed code rootkits. Instead of modifying the operating system like a traditional rootkit does, a managed code rootkit is an application-level rootkit that hides in virtual machines and other runtime environments and runs code from the attacker. The focus at Black Hat was on managed code rootkits targeting Java, but the same principles apply to .NET, Adobe Flash and any other managed code environment. Several approaches were demonstrated, such as adding code to methods in the Java rt.jar file (the core of the Java language), loading modules in memory to override methods, and placing class files into directories in the classpath which give the classes within them higher privileges. The reason for doing so is that forensic tools and analysis do not normally check the memory within a virtual machine, which makes placing a rootkit within these environments stealthy and highly desirable.
A tool was released to assist in modifying .NET DLL files, named .NET-Sploit, which would allow an attacker to select the type of code to insert (e.g. code to connect back to a malicious server) and automatically find the appropriate DLL and patch in the code that is needed. .NET-Sploit is in the early stages of development, but it could mature into a tool that would allow attackers to create managed code rootkits on the fly.
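Because forensic tooling rarely looks inside the runtime, the practical defence against the rt.jar tampering described above is a baseline comparison of the runtime archive itself. The script below is an added example, not code from the newsletter or from any of the presenters; it assumes you have recorded per-entry digests of a known-good rt.jar, and the two JARs it compares are constructed in memory with placeholder bytes standing in for real class files.

```python
import hashlib
import io
import zipfile

def jar_digests(jar_bytes: bytes) -> dict:
    """Map every entry in a JAR (a zip archive) to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest() for name in zf.namelist()}

def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Report entries whose bytecode changed (hooked methods), entries that appeared
    (classes dropped into a core package) and entries that vanished."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }

def check_runtime(baseline_jar: bytes, current_jar: bytes) -> dict:
    """Compare the installed runtime archive against the recorded known-good copy."""
    return diff_against_baseline(jar_digests(baseline_jar), jar_digests(current_jar))

def build_jar(entries: dict) -> bytes:
    """Helper that constructs a small in-memory JAR for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed stand-ins for bytecode; a real rt.jar holds thousands of class files.
CLEAN_RT = build_jar({
    "java/lang/String.class": b"<original String bytecode>",
    "java/net/Socket.class": b"<original Socket bytecode>",
})
TAMPERED_RT = build_jar({
    "java/lang/String.class": b"<original String bytecode>",
    "java/net/Socket.class": b"<Socket bytecode with an injected callback>",  # hooked method
    "java/lang/Backdoor.class": b"<new class placed in a core package>",
})

if __name__ == "__main__":
    for kind, names in check_runtime(CLEAN_RT, TAMPERED_RT).items():
        print(f"{kind:8}: {names}")
```

In practice the baseline digests are taken from the vendor's installation media and stored off-host, since a rootkit that can rewrite rt.jar can rewrite a baseline kept beside it.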
Mobile Device Hacking
Mobile device security has been a hot topic, specifically iPhone security. The majority of this research has been around using automated “fuzzing” tools to find bugs in the WiFi, Bluetooth, and other network protocols supported by mobile devices. A pair of researchers demonstrated the results of fuzzing SMS messages on various phone platforms, including the iPhone. They showed that, through simple replay of some SMS packets, they could crash phones and, in the case of a Google Android phone, lock the SIM card to prevent the phone from being used at all. These attacks are interesting because SMS messaging is an “always on” technology, and an attack using vulnerabilities like the ones demonstrated at Black Hat may happen at any time with a high degree of success.
Threat Analysis: Clampi
The Clampi Trojan has spread across hundreds of thousands of corporate and home PC networks in a worm-like fashion. Using the Trojan, cybercriminals are stealing a significant amount of financial data and using it to steal millions of dollars from business accounts. Here is what you need to know about the Clampi threat.
How Clampi Works
Clampi’s recent success in infecting victims is accomplished by using domain administrator credentials (either stolen by the Trojan, re-used, or available because a domain administrator has logged into an already infected system). Once domain administrator privileges are obtained, the Trojan uses the Sysinternals tool "psexec" to copy itself to all computers on the domain. Clampi uses a modular approach to stealing data, incorporating additional DLLs as needed to gain access to system and user information.
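A domain-wide psexec copy like the one described above leaves a distinctive trace: one account installs the PsExec service on many hosts in a short window. The detector below is an added example, not SecureWorks tooling; it assumes Windows System-log records have been normalised to tuples, relies on PsExec registering its default service name PSEXESVC, and runs over constructed sample records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, host, event_id, account, service_name).
# Event 7045 is the Service Control Manager's "a service was installed" record;
# PSEXESVC is the service name PsExec registers on the target by default.
SAMPLE_EVENTS = [
    ("2009-08-10T09:00:05", "WS-014", 7045, "CORP\\dadmin", "PSEXESVC"),
    ("2009-08-10T09:00:09", "WS-022", 7045, "CORP\\dadmin", "PSEXESVC"),
    ("2009-08-10T09:00:14", "WS-031", 7045, "CORP\\dadmin", "PSEXESVC"),
    ("2009-08-10T09:00:20", "WS-047", 7045, "CORP\\dadmin", "PSEXESVC"),
    ("2009-08-10T09:00:30", "WS-050", 7045, "CORP\\dadmin", "Spooler"),    # unrelated install
    ("2009-08-10T11:30:00", "SRV-01", 7045, "CORP\\helpdesk", "PSEXESVC"),  # one-off admin use
]

def psexec_service_installs(events):
    """Keep only 'service installed' events for the PsExec service."""
    return [e for e in events if e[2] == 7045 and e[4].upper() == "PSEXESVC"]

def fanout_alerts(events, window=timedelta(minutes=5), threshold=3):
    """Return {account: hosts} for accounts that had PSEXESVC installed on at least
    `threshold` distinct hosts inside any `window`. A domain-wide copy produces this
    fan-out; a single routine PsExec session stays below the threshold."""
    by_account = defaultdict(list)
    for ts, host, _, account, _ in psexec_service_installs(events):
        by_account[account].append((datetime.fromisoformat(ts), host))
    alerts = {}
    for account, hits in by_account.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts[account] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for account, hosts in fanout_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT: {account} installed PSEXESVC on {len(hosts)} hosts: {', '.join(hosts)}")
```

The window and threshold are tuning knobs; legitimate software deployment via PsExec will trip the rule too, so pair it with an allow-list of deployment accounts rather than lowering the threshold.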
The Group and the Risk behind Clampi
Clampi is operated by a sophisticated organized crime group located in Eastern Europe and has been implicated in numerous high-dollar thefts from banking institutions. Any user whose system has been infected by Clampi should immediately change all passwords used on that system for any websites.
How to Protect Your Business Against Clampi
SecureWorks first researched this threat in 2007 and we have had protections in place for our clients since then. Most major anti-virus engines should be able to detect Clampi variants; however, there is always a delay between a new Trojan release and the detection time. Given the prevalence and seriousness of the Clampi Trojan, it is recommended that businesses that conduct online banking/financial transactions adopt a strategy to isolate workstations where these activities are carried out from possible Clampi or other data-stealing Trojan infections.
This may include using a dedicated workstation for accessing financial accounts which is isolated from the rest of the local network and the Internet, except for the specific financial sites that must be accessed. Since Trojans can also be spread using removable drives, systems should be hardened against AutoRun-type threats. Businesses may even consider using an alternative operating system for workstations accessing sensitive or financial accounts.
For additional information on the Clampi Trojan, read the CTU’s full threat report.
Log Management: How to Develop the Right Strategy for Business and Compliance
This whitepaper will provide the reader with guidance on developing a strategic approach to managing and monitoring logs that enables more efficient compliance with regulatory mandates and more effective defense against security threats.
SecurePoll
Question: What is your #1 reason to hire an MSSP?