2018-05-18

Vulnerability in Pretty Good Privacy (PGP) and Secure MIME email encryption services

PGP is a public-key encryption program that is often used to secure email. S/MIME is a standard defining email encryption that ensures confidentiality, integrity and origin authenticity. Researchers have now found a vulnerability that may allow outsiders to read even previously encrypted emails.

Münster University of Applied Sciences announced on 14 May that both PGP and S/MIME have vulnerabilities enabling a third party to reveal the plaintext of ongoing encrypted email traffic and even of previously sent encrypted emails.
"The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plain-text to the attacker."

The following general advice may apply:

  • Remove or disable the installed automatic PGP and S/MIME decryption in your email client until the vulnerability has been patched
  • Use other end-to-end encrypted messaging services such as Signal
  • Wait for detailed analysis and guidance to remedy the services.
  • Consider what has been sent earlier using the above encryption and assess the risks if it is revealed.
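The attack above works because the client renders decrypted text and attacker-supplied HTML as one document and then fetches external content. As an added example (not code from the advisory or the researchers), the following Python check flags messages at a mail gateway that combine an encrypted part with HTML referencing external resources; the heuristic, MIME-type list and sample messages are assumptions of this example.

```python
"""Mail-gateway check for the EFAIL exfiltration pattern described above.

Added example, not code from the advisory. Assumed heuristic: a message that
contains a PGP/MIME or S/MIME encrypted part AND a text/html part referencing
external resources is flagged, because a client that renders the decrypted
text and the HTML as one document may fetch those URLs and leak the decrypted
text in the request. The sample messages below are constructed.
"""
import re
from email import message_from_string

# MIME types that mark an encrypted container or body (PGP/MIME, S/MIME).
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pgp-encrypted",
                   "application/pkcs7-mime", "application/x-pkcs7-mime"}

# src=/href= attributes and CSS url() pointing at http(s) or protocol-relative URLs.
EXTERNAL_REF = re.compile(
    r"""(?:\b(?:src|href)\s*=\s*["']?|url\(\s*["']?)\s*((?:https?:)?//[^\s"'()>]+)""",
    re.IGNORECASE)


def has_encrypted_part(msg):
    """True if any MIME part of the parsed message is an encrypted part."""
    return any(p.get_content_type() in ENCRYPTED_TYPES for p in msg.walk())


def external_refs(msg):
    """Collect external URLs referenced from every text/html part."""
    refs = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        raw = part.get_payload(decode=True) or b""
        html = raw.decode(part.get_content_charset() or "utf-8", "replace")
        refs.extend(EXTERNAL_REF.findall(html))
    return refs


def assess(raw_message):
    """Verdict for one RFC 822 message given as a string."""
    msg = message_from_string(raw_message)
    encrypted = has_encrypted_part(msg)
    refs = external_refs(msg)
    # A risky message should have its remote content stripped or be quarantined
    # before the client decrypts and renders it.
    return {"encrypted": encrypted, "external_refs": refs,
            "risky": encrypted and bool(refs)}


# Constructed PGP/MIME encrypted part (placeholder ciphertext, not real PGP data).
ENC_PART = """\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder ciphertext)
-----END PGP MESSAGE-----
--enc--
"""

HEADERS = "From: alice@example.invalid\nTo: bob@example.invalid\nMIME-Version: 1.0\n"

# Sample 1: the encrypted part delivered on its own.
CLEAN_PGP = HEADERS + ENC_PART

# Sample 2: the same encrypted part wrapped in multipart/mixed next to an HTML
# part that references an external image.
WRAPPED_PGP = (HEADERS + 'Content-Type: multipart/mixed; boundary="mix"\n\n'
               '--mix\nContent-Type: text/html; charset="utf-8"\n\n'
               '<html><body><img src="https://collector.example.invalid/pixel.png">'
               '</body></html>\n--mix\n' + ENC_PART + "--mix--\n")
```

`assess(CLEAN_PGP)` reports the message as encrypted but not risky, while `assess(WRAPPED_PGP)` reports it as risky with the external image URL listed.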


References

  1. https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now 
  2. https://www.forbes.com/sites/thomasbrewster/2018/05/14/pgp-encrypted-email-vulnerability-exposes-private-messages/#61cbede13e2a
  3. https://ssd.eff.org/en/module/how-use-signal-ios
  4. https://efail.de/efail-attack-paper.pdf


2018-05-09

Wi-Fi air interface will have a new encryption protocol, WPA3

Situation

The current Wi-Fi encryption protocol WPA2 has a weakness when a new node joins the network. A man-in-the-middle within wireless range can manipulate the handshake procedure (the KRACK attack) and reset the WPA2 encryption to all-zero keys. The assumed encryption is then replaced by a trivial encoding. The weakness is in the standard itself and affects all modern Wi-Fi networks.

The Wi-Fi Alliance has announced that the new standard, WPA3, will include “robust protection” even when passwords are weak, and will also simplify security configuration for devices that have a limited display interface or none at all. It will also include individualised data encryption when using public access networks.

Solution

The Wi-Fi Protected Access 3 (WPA3) standard will be published later this year, but currently it seems to include:
  • 192-bit keys aligned with the Commercial National Security Algorithm (CNSA) Suite
  • Opportunistic Wireless Encryption, which establishes encryption without authentication
  • Protection against weak passwords and brute-force dictionary-based attacks
  • Individualised data encryption when accessing open networks.
Once the standard is published, it will take months for device manufacturers to support it in their devices. The first compliant devices may ship at the end of this year.

What to do

The following general advice may apply:
  • The WPA2 vulnerability can be exploited only within the range of the Wi-Fi transceiver, so all sensitive Wi-Fi access points should be positioned, and their effective radiated power configured, so that outsiders find it hard to reach them.
  • A second layer of encryption should be established end-to-end (e.g., HTTPS, IPsec, SSH) to protect the actual communication (COMSEC) and keep user identities and passwords safe together with the content.
  • All sensitive Wi-Fi devices should be planned for renewal within the next two years.

References

  1. https://www.helpnetsecurity.com/2017/10/16/wpa2-weakness/
  2. https://www.theverge.com/2018/1/9/16867940/wi-fi-alliance-new-wpa3-security-protections-wpa2-announced
  3. https://latesthackingnews.com/2018/01/12/wpa3-new-wi-fi-standard-improve-security/
  4. https://thehackernews.com/2018/01/wpa3-wifi-security.html

2018-04-24

Lazy hackers are automating their attacks

Introduction

Hackers widely use bots (automated web robots that run scripts over the Internet) to seek out and subvert vulnerable servers on the Internet or on intranets to which they have gained access. Once a potential target is located, a human usually carries out the actual breach.

The company Cybereason set up a “honeypot” installation and, for the first time, observed an automated breach of a system executed by a bot.

Automation, and in future artificial-intelligence-enhanced bots, will further increase the probability of a breach. Currently, Cisco's security organisation blocks more than 20 million attacks every day, including booby-trapped emails, malicious web pages and new malware.

Threat case

About two hours after the “honeypot” server for the fake finance firm was put online, it was found by a bot, which then aggressively set about taking it over. Passwords protecting some of the server's functions were intentionally left weak to tempt the bot, which duly cracked them and then went on to plunder information on the machine.
Within 15 seconds of getting access, the bot:
  • sought out and exploited several known vulnerabilities
  • scanned the network to which the server was connected
  • stole and dumped credentials for other vulnerable machines
  • created new user accounts for its creators to use.
Once the bot had done its work, the attackers went quiet for two days but returned to steal data to which the compromised server allowed access. In total, the attackers took about four gigabytes of data, all of which was fake.

Recommendation

Since attackers are improving and automating their processes and tools, so should defenders. Artificial-intelligence-enhanced Security Information and Event Management systems will increase the probability of catching the crooks in time, whereas a human operator cannot maintain focus all the time and cannot reach far back into historical data.

References:

  1. http://www.bbc.com/news/technology-43788337

2018-04-20

Russian state-sponsored actor preparing network infrastructure devices for further cyber attacks

What is claimed to have happened?


The USA and UK issued a joint technical alert accusing Russian state-sponsored actors of maliciously manipulating and compromising Internet communication devices. The actors target government institutions, private-sector companies and Internet providers. The operation has so far been monitored for months by the FBI, the US Department of Homeland Security and the UK NCSC. The mission of this GRIZZLY STEPPE operation seems to be to prepare the network devices (e.g., routers, switches, firewalls, Network-based Intrusion Detection System (NIDS) devices) serving the target organisations for man-in-the-middle attacks. Once the front-yard network device is compromised, it can capture all IP traffic passing through it and act as a packet capturer.

How does the action seem to take place?


  1. Reconnaissance: cyber actors scan for possibly vulnerable protocols such as Telnet, HTTP, SNMP and SMI.
  2. Weaponization: actors trigger the device to send them its configuration file. The configuration file contains information such as password hash values and SNMP community strings. These credentials are brute-forced to reveal valid Telnet or SSH login credentials.
  3. Exploitation: armed with real credentials, the actors access the network devices and activate, for example, the Cisco SMI service, thus gaining full control of the device. Once logged in, the actors can:
  • extract additional configuration information,
  • export the OS image file to an externally located cyber actor-controlled FTP server,
  • modify device configurations,
  • create Generic Routing Encapsulation (GRE) tunnels, or
  • mirror or redirect network traffic through other network infrastructure they control.


What to do?


The following general advice may apply:
  • All network devices should be treated like any other server or PC in the network: harden them by removing unnecessary processes, update them regularly, prefer out-of-band management over in-band management, and install IDS sensors to monitor management traffic.
  • For more detailed countermeasures, see reference 2.
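As an added example (not from the alert or the referenced sources), the Python check below replays constructed flow records and flags the exposures the kill chain above relies on: cleartext management protocols, management access from outside the out-of-band network, Smart Install reachable at all, and a device pushing files out by FTP. The device addresses, the OOB subnet and the flow records are invented; the port numbers are the standard well-known assignments.

```python
"""Management-plane exposure check for network devices (added example, not
from the alert). It replays constructed flow records and flags the conditions
the kill chain above depends on.

Assumptions: the device address list and the OOB management subnet are
invented; ports are the well-known assignments (SSH 22/tcp, Telnet 23/tcp,
HTTP 80/tcp, SNMP 161/udp, Cisco Smart Install 4786/tcp, FTP 21/tcp).
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Invented inventory: managed network devices and the out-of-band network that
# alone should reach their management ports.
NETWORK_DEVICES = {ipaddress.ip_address(a) for a in ("10.0.0.1", "10.0.0.2")}
OOB_MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

MGMT_SERVICES = {("tcp", 22): "ssh", ("tcp", 23): "telnet", ("tcp", 80): "http",
                 ("udp", 161): "snmp", ("tcp", 4786): "smart-install"}
CLEARTEXT = {"telnet", "http", "snmp"}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return the list of findings for one flow (empty if it is acceptable)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    findings = []
    if dst in NETWORK_DEVICES:
        service = MGMT_SERVICES.get((flow.proto, flow.dport))
        if service is None:
            return findings
        if src not in OOB_MGMT_NET:
            findings.append(f"in-band {service} access to {dst} from {src}")
        if service in CLEARTEXT:
            findings.append(f"cleartext {service} management on {dst}")
        if service == "smart-install":
            findings.append(f"smart-install reachable on {dst}")
    elif (src in NETWORK_DEVICES and (flow.proto, flow.dport) == ("tcp", 21)
          and not is_internal(dst)):
        # Configuration or OS image export to an outside FTP server.
        findings.append(f"device {src} sent files by FTP to external host {dst}")
    return findings


def scan(flows):
    """Pair every flow that raised findings with its findings."""
    results = []
    for flow in flows:
        findings = classify(flow)
        if findings:
            results.append((flow, findings))
    return results


# Constructed flow records.
FLOWS = [
    Flow("10.99.0.5", "10.0.0.1", "tcp", 22),       # SSH from the OOB jump host: fine
    Flow("192.0.2.77", "10.0.0.1", "tcp", 23),      # Telnet from the Internet
    Flow("198.51.100.9", "10.0.0.2", "tcp", 4786),  # Smart Install probe
    Flow("10.5.1.20", "10.0.0.1", "udp", 161),      # SNMP from a user LAN
    Flow("10.0.0.2", "203.0.113.10", "tcp", 21),    # device exporting files
    Flow("10.5.1.20", "10.0.0.50", "tcp", 443),     # ordinary traffic: fine
]

if __name__ == "__main__":
    for flow, findings in scan(FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
        for finding in findings:
            print("   ", finding)
```

On the constructed records only the OOB SSH session and the ordinary HTTPS flow pass; the other four each raise at least one finding.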

References:


  1. https://www.theguardian.com/technology/2018/apr/16/us-and-uk-blame-russia-for-malicious-cyber-offensive
  2. https://www.us-cert.gov/ncas/alerts/TA18-106A

2018-03-31

Military Interoperability part I

This is the first part of an article on Military Interoperability. This part introduces the interoperability measure and explores why militaries have been seeking it. The second part will focus on building interoperability and benefiting from it in operations.

1. Introduction

Interoperability is, simply put, “a measure of the degree to which various organisations or individuals can operate together to achieve a common goal.” Let’s explore this from a general systems viewpoint:

  • There are two or more entities A and B functioning purposefully
  • There is an environment E where both entities are executing their functions
  • There is a common goal G that both entities aspire to achieve
  • If the common aspiration to achieve G is strong enough there are two ways to cooperate:

1. The entities A and B may coordinate their separate efforts to create an effect in attaining G, i.e., a hierarchical hub that ensures the synchronisation of independent efforts, as depicted in Figure 1.


Figure 1: a simple need for interoperability
2. The entities A and B may choose to channel their combined effort through a shared delivery chain in achieving the common G, i.e., a shared value chain, as in Figure 2.

Figure 2: a value chain need for interoperability

Applying the above from a military systems-thinking viewpoint, the definition of interoperability looks like the one in Figure 3:

  • There are two or more value chains GENERATE, SUPPLY and UTILISE consuming resources from SOCIETY to create an effect on ADVERSARY that is considered valuable to GOVERNANCE (combining the Clausewitz triangle model with the value chain).
  • The value chains take place in an ENVIRONMENT that affects the open systems, which adjust their functions to adapt to environmental changes or co-evolve with the environment E.
  • The military system of systems value chain prefers the following definition of interoperability: “The ability of systems, units, or forces to provide services to and accept services from other systems, units, or forces, and to use the services so exchanged to enable them to operate effectively together.”


Figure 3: a military system of systems need for interoperability

For this work, interoperability is defined as the ability of systems to provide services to and accept services from other systems and to use the exchanged value to attain higher goals effectively. In this context, a system is considered a socio-technical structure with defined functions and processes for purposeful action. A system can be a military unit that has been given a mission to accomplish.

There is a need to retrofit the components of the military system of systems to improve their ability to interoperate when they are not integrated. Alternatively, parts of the system of systems can be designed from the beginning and generated together, creating a fully integrated entity.
Whether through interoperability or integration, the intention is to exchange services across system boundaries. In a socio-technical system, this requires interoperability at least at three levels of the boundary structure, as illustrated in Figure 4:

  • People are competent (i.e., possess understanding, skills and the right attitude), share a language, are culturally understanding and socially open to cooperate
  • The processes of the cooperating units can exchange transactions at both the logical and the physical level (i.e., they can exchange information and goods among themselves)
  • The technical means of exchanging services and information are compatible enough to support the transactions over the organisational boundaries. Focusing only on information and communications technology boundaries, interoperability may be defined as “the ability of distinct systems to share semantically compatible information and to process and manage that information in semantically compatible ways, to enable their users to perform desired tasks.”

Figure 4: levels of interoperability in the boundary of two units

There is also a categorisation according to the levels of military hierarchy, which can be used in defining interoperability:

  • Strategic level seeks to harmonise worldviews, strategies, doctrines, force structures and efforts within coalitions and alliances. “Interoperability is an element of coalition willingness to work together over the long term to achieve and maintain shared interests against common threats.”
  • Operational level seeks to minimise inefficiencies between multinational command and control, force elements, and ways to prepare, project and sustain the forces in theatre.
  • Tactical level seeks alignment in engagement and protection. “The benefits of interoperability at the tactical level derive from the fungibility or interchangeability of force elements and units.”
  • Technical level seeks integration at service and data exchange and compatibility by means of transport and communications. “Technical level interoperability reflects the interfaces between organisations and systems. Benefits of interoperability come primarily from their impacts at the operational and tactical levels regarding enhancing fungibility and flexibility.”


2. Why do militaries seek interoperability?


The military enterprise seeks interoperability for three main reasons:

  1. To achieve better efficiency within the force: command coordination between separate units does not provide sufficient performance, so the units need to synchronise their efforts directly.
  2. To achieve better efficiency in a multinational coalition or cooperation: the political level requires a shared contribution, which directs the military to create multinational units at the operational level.
  3. To achieve better efficiency within national defence: homeland defence requires closer cooperation and integration between different governmental agencies.

The above three interoperability drivers are studied in the following sections.

2.1. Efficiency within the force

In seeking to understand the inner interoperability requirements of the military enterprise, one may use Beer’s Viable System Model in Figure 5. A simple enterprise is composed of one or many operational units (L and A) that deliver their effect in their specific areas of operation (AOO L and AOO A). These functional units are commanded by the Command element (JC), which balances the use of resources between current and future operations. Militaries have, for example, kept the Land Force separate from the Air Force, as they operate differently in their specific areas of operation. Both Services have been commanded by a Joint Command that delegates mission command to Service level but may guide the development of future capabilities more closely (or the other way around, as in the U.S. Armed Forces).

Figure 5: Traditional Armed Forces described with Viable System Model

As the units specialise and coordination becomes too detailed and slow, there is a tendency to create value chains through units that support each other in the quest to achieve the same goal set by the Joint Command, as in Figure 6. For example, Joint Logistics (JL) supports both the Land and Air Services in the same Area of Operation (JA). The value chain arrangement requires direct interoperability between the supporter and the supported, as the exchange of services becomes too detailed and fast-paced for the Command to coordinate.

Figure 6: Armed Forces organised as value chain

The model for enterprise business architecture developed by Ross et al., as pictured in Figure 7, explains the movement from diversification towards coordination and further to unification. Armed Forces tend to build their new capabilities in diversified units, but once they meet a joint adversary, they prefer a unified order of battle, since Joint Command coordination is too slow and lacks the necessary detail. In a unified joint force, interoperability becomes a force enabler. All specialised force components share the same situational awareness of current and planned operations, can synchronise their manoeuvre, engagement and protection among themselves, and exchange their dedicated services to achieve the common goal.

Figure 7: Business Architecture model for military affairs

2.2. Efficiency in coalition or cooperative

The political level has recently required a multinational contribution in military operations (except for Russian operations in Georgia, Ukraine and Syria). In multinational, combined operations either the force units are coordinated in detail under one command, or they are part of a force group in which one host nation provides joint Command and Control, as in Figure 8.

Figure 8: A case for multinational interoperability 

The 1991 coalition against Iraq was a typical U.S.-led operation where all units were under U.S. control, but only the most compatible coalition units could participate in the main operations.

Ackoff’s (1972) model for purposeful systems provides a framework for understanding the types of multinational relationships, as pictured in Figure 8. A coalition is formed when nations’ ends are compatible but their means may not be interoperable. Cooperation is possible when both ends and means are compatible, as presented in Figure 9.

Figure 9: Types of multinational relationships by Ackoff

The more cost-effective and capable the allied military force is to be, the more compatible their means of waging war need to be. There may even be an aim to unify all troops, as the Warsaw Pact manoeuvred with multinational units that mainly used aligned tactics and standard technology. NATO is currently seeking a similar status among its 26 members and several partners. Its mission statement is that “Interoperability allows forces, units or systems to operate together. It requires them to share common doctrine and procedures, each others’ infrastructure and bases, and to be able to communicate with each other. It reduces duplication in an Alliance of 26 members, allows pooling of resources, and even produces synergies among members.”

2.3. Efficiency within national defence

There are two dimensions in interoperability concerning national defence: cooperation between governmental agencies in homeland defence and Armed Forces integration with the society itself.

The USA woke up on 9/11, realising that its homeland is not the sanctuary it had assumed. At the same time, it appeared that US government organisations were not cooperating at home. Thus, the Department of Homeland Security was established in 2002 to coordinate the functions of about 22 different federal departments and agencies. By establishing this cabinet agency, the USA stepped from diversification to coordination on the business architecture map in Figure 10.

Figure 10: Ross et al. quadrant for business architecture models

Other nations, like Finland, had exercised homeland defence since World War II and were closer to unification, as they were sharing weapons, vehicles, C2 systems, etc.
The other dimension of national defence is the military's need to be integrated into the society that provides for it. The two primary functions of force generation and supply cannot be done separately from society, as illustrated in Figure 11.

Figure 11: Interoperability between the military and the society that provides for it

The force generation requires draftees or conscripts. The armament needs to be acquired. The logistics need a feed of supplies, services, and consumables to sustain the forces both in generation and utilisation.

2018-03-19

Slingshot: Sophisticated Cyber Espionage Platform

Definition

Slingshot is an advanced cyber-espionage threat actor that has been persistently infiltrating and collecting data since 2012 while avoiding detection until February 2018. Research organisations have lately detected some hundred infected cases, mainly in Africa and the Middle East.

The attack routes for Slingshot remain mainly unidentified, but there is evidence that it may infect its targets through 0-day vulnerabilities in routers. Once on board, Slingshot collects information from the target and sends it to the C2 server without the user noticing. The code seems unique, pointing to a nation-level developer whose native language is English.

Attack vector

The one known attack vector for Slingshot is through a particular type of router. The attackers use a faulty feature of the router to take it over and download their application. They then distribute ipv4.dll files to the targets, have them loaded into memory and executed. The DLL connects back to the router, downloads other malicious components and runs them. Slingshot avoids detection by two mechanisms: an encrypted virtual file system located in an unused part of the hard disk, and encryption of all text strings to evade antivirus detection based on string matching.

As Slingshot is a collection of separate modules, each module is also downloaded in a different way. While downloading and gaining kernel privileges, Slingshot tampers with the system logs, leaving no traces.


Slingshot operates in the kernel, so it has access to all data stored on drives or in memory. It has reportedly been logging screenshots, keyboard input, network traffic, passwords and USB connections. It has no hard-coded C2 address; instead it obtains the address from incoming IP packets reaching the kernel.


Protection

The following general advice may apply to protection against this kind of espionage:

  • The military should build depth into its cyber environment, making it harder to reach the valuable targets.
  • Keep the versions of the ICT infrastructure as updated as possible.
  • Have several layers of detection, not only fingerprints but traffic patterns in and out of the system.
  • Have access to the newest threat intelligence data through the cyber defence coalition network.
  • Exercise your cyber defence crews by having red teams attack them, also in persistent ways.



References


  • https://thehackernews.com/2018/03/slingshot-router-hacking.html
  • https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf
  • https://arstechnica.com/information-technology/2018/03/potent-malware-that-hid-for-six-years-spread-through-routers/
  • https://www.businesswire.com/news/home/20180309005046/en/Kaspersky-Lab-Uncovers-Slingshot-Spy-Router



2018-03-05

False Flag Attack Against Winter Olympics in South Korea

Incident

The opening ceremony of the Winter Olympics in South Korea on February 9 was hacked, according to the Games organisers. The hack disrupted the Internet and broadcasting services related to the Olympic Games. Many attendees were unable to print their tickets for the ceremony, resulting in empty seats.

According to US sources, the attack was carried out by Russian organisations in retaliation against the International Olympic Committee for banning the Russian team from the Winter Games due to doping violations.

The Russian hackers tried to plant a false flag, i.e., to make it appear that the attack originated from North Korea. The mask-swapping included injecting fingerprints of other known attackers into the malware that was used to take down several hundred computers just in time for the opening ceremony.

Details

The hackers attacked the Olympic organisation with different tools:
  • The Olympic Destroyer malware tore down the computer networks just ahead of the opening ceremony, paralysing display monitors, shutting down Wi-Fi networks and denying access to the Olympics’ website. The malware used the password-stealing tool Mimikatz and spread via Windows PsExec and WMI before encrypting or destroying data. It destroyed precisely the same amount of data as the North Korean Lazarus hacking team's malware. The attackers proxied their avenue of approach through North Korean IP addresses. The Olympic Destroyer code was almost 20% similar to that of the known Chinese team APT 3, and it created encryption keys in the manner of another Chinese team, APT 10.
  • The known Russian hacking team Fancy Bear had been attacking Olympics-related organisations for months before the opening, stealing documents and leaking them.
  • The Russian military intelligence organisation GRU had gained access to as many as 300 Olympics-related computers in early February.
  • In January, GRU hackers infiltrated South Korean routers to capture more intelligence data. During the opening ceremony, they rerouted the traffic, thereby preventing access to web pages.
It is claimed that the GRU was working through the Main Center for Special Technology, GTsST, which allegedly was behind the NotPetya attack against Ukraine last year. This is not the first time that Russia has tried to masquerade its attack vectors, since it has previously used fronts like the Russian CyberBerkut, the ISIS Cyber Caliphate and the Romanian Guccifer 2.0.
Mask-swapping is easy in the cyber environment: use similar open-source code, use the same filenames, copy some functions from elsewhere, use attack vectors typical of others, and reroute the command-and-control connections elsewhere.

References

1. https://www.wired.com/story/russia-false-flag-hacks/
2. https://www.digitaltrends.com/computing/olympics-2018-hack/
3. https://www.msn.com/en-us/sports/winter-olympics/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say/ar-BBJxnxv