English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

Incidents|TURKTRUST CA Problems

Kurt Baumgartner
Kaspersky Lab Expert
Posted January 03, 21:04  GMT
Tags: Google, Microsoft, Mozilla Foundation
0.3
 

Microsoft just publicly announced a release to actively "untrust" three certificates issued by Certificate Authority TURKTRUST and its Intermediate CAs, a subsidiary of the Turkish Armed Forces ELELE Foundation Company. According to Microsoft, the company made a couple major mistakes resulting in fraudulent certificate issuance that could be used to MiTM encrypted communications or spoof gmail and a long list of other google properties. A Chrome installation detected a "an unauthorized digital certificate for the "*.google.com" domain" late the night of Dec. 24th 2012, and the Google security team's investigation began there.

0.2
 

A very important “internet trust” discussion is underway that has been hidden behind closed doors for years and in part, still is. While the Comodo , Diginotar, and Verisign Certificate Authority breaches forced discussion and action into the open, this time, this “dissolution of trust” discussion trigger seems to have been volunteered by Trustwave's policy clarification, and followup discussions on Mozilla's bugzilla tracking and mozilla.dev.security.policy .

The issue at hand is the willful issuance of subordinate CAs from trusted roots for 'managing encrypted traffic', used for MitM eavesdropping, or wiretapping, of SSL/TLS encrypted communications. In other words, individuals attempting to communicate over twitter, gmail, facebook, their banking website, and other sensitive sites with their browser may have their secure communications unknowingly sniffed - even their browser or applications are fooled. An active marketplace of hardware devices has been developed and built up around tapping these communications. In certain lawful situations, this may be argued as legitimate, as with certain known DLP solutions within corporations. But even then, there are other ways for corporate organizations to implement DLP. Why even have CA's if their trust is so easily co-opted? And the arbitrary issuance of these certificates without proper oversight or auditing in light of browser (and other software implemented in many servers and on desktops, like NSS ) vendor policies is at the heart of the matter. Should browser, OS and server software vendors continue to extend trust to these Certificate Authorities when the CA’s activities conflict with the software vendors’ CA policies?

0.1
 

The Adobe AIR and Adobe Flash Player Incubator program updated their Flash Platform runtime beta program to version 5, delivered as Flash Player version 11.2.300.130. It includes a "sandboxed" version of the 32-bit Flash Player they are calling "Protected Mode for Mozilla Firefox on Windows 7 and Windows Vista systems". It has been over a year since Adobe discussed the Internet Explorer ActiveX Protected Mode version release on their ASSET blog, and the version running on Google Chrome was sandboxed too.

Adobe is building on the successes that they have seen in their Adobe Reader X software. Its sandbox technology has substantially raised the bar for driving up the costs of "offensive research", resulting in a dearth of Itw exploits on Reader X. As in "none" in 2011. This trend reflects 2011 targeted attack activity that we’ve observed. 2011 APT related attacks nailed outdated versions of Adobe Flash software delivered as "authplay.dll" in Adobe Reader v8.x and v9.x and the general Flash component "NPSWF32.dll" used by older versions of Microsoft Office and other applications. Adobe X just wasn't hit. IE Protected Mode wasn't hit. Chrome sandboxed Flash wasn't hit. If there are incident handlers out there that saw a different story, please let me know.

0.2
 

Web based threats such as malicious links on social medias, infected websites and malicious ads are terms that we read about quite often. We security experts have for quite some time tried to emphasize the importance of protecting both your website and computer from being infected, since these malicious websites often exploit client vulnerabilities. These vulnerabilities have been one of the major attack vectors for malware writers in recent years, but is it still a problem?

We are constantly seeing new software vulnerabilities , and the bad guys are very quick to developg exploits which are then hosted in their exploit kits. The vulnerabilities themselves are not dangerous unless the attacker is able to exploit them on the victim’s computer. The attackers have therefor developed ways to get victims to visit a website, for example, which then triggers the exploit. Some common ways are through social engineering or infecting a legitimate website with redirection code that points to the exploit kit.

Last month almost all major vendors released critical security updates for their software, such as Adobe, Oracle, Apple, Microsoft and Mozilla. I then started to research the current threat landscape, and focused on Sweden since I am the security researcher for the Nordic region; and after just a few minutes I saw that both Swedish websites and Swedish users were under attack.

In September we saw a 3700% increase in JavaScript-based redirection scripts, specifically Trojan.JS.Redirector.ro. This malicious redirector went from 908th place to 15th place in the list of the most detected malware in Sweden in one month. This code only redirects users to another URL, and I thought it was strange that we did not really see an increase of detected malware in September?

0.3
 

Overshadowed by the Duqu madness yesterday, Oracle released a slew of critical updates (please see "Related Links" in the right column of this page). Most interesting, but perhaps with little impact, is the Java SE BEAST update. Oracle claims to have pushed 57 different fixes across their product lines, including patches for Java and their virtualization Sun Ray product. But the hottest thing to talk about, of course, is the patch closing up CVE-2011-3389, or holes in the JSSE.

The BEAST researchers' demo at Ekoparty Argentina that we posted on last month developed a fresh exploit to crack SSL/TLS sessions with a technique described almost a decade ago. The trick is always in the implementation, not the discussion, so it was impressive work that left the major software vendors with some heavy work. That list of vendors included Oracle, because the exploit developed for the demo abused vulnerabilities in Java code (the researchers claimed that vulnerabilities exist in Microsoft's Silverlight and Javascript code too, they just didn't deliver the exploit in those forms. Unfortunately, Silverlight BEAST exploit code is publicly available). The exploit almost turned into more of a disaster when Mozilla considered blocking all Java add-on use from their browsers: "We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so." So, it is somewhat surprising that Oracle rated this fix low within their risk matrix with a "Base Score" of 4.3 (on a scale of 1-10, with 10 being the most risk).

Meanwhile, Oracle gives six different Java patches a base score on their risk matrix of "10", with four of those highest risk level patches impacting the recently released Java 7. They impact logic within the JRE itself, AWT, Deserialization, and Scripting components within the JRE.

I've seen Oracle's virtualization product "Sun Ray" adopted in a variety of corporate cloud situations, and cloud admin should be aware that the platform is impacted with a fix for CVE-2011-3538 and related authentication issues.

Comment      Link
0.5
 

BARCELONA -- The annual Virus Bulletin conference kicks off here tomorrow with anti-malware researchers discussing a wide range of important issues facing the industry.

Researchers from Kaspersky Lab will have a major presence at the conference this year -- nine speaker slots! -- with talks on the cyber-crime underground, mobile (Android) malware, web application security and social network threats.

I'd like to call attention to a few of the important Kaspersky Lab presentations:

0.4
 

With headlines like "New cyber threat compromises financial information - Experts say new threat could affect millions of sites", you would think that the trust model of the internet is finally crumbled.

Following an hour long Friday evening wait for the demo, the Ekoparty demo for the SSL hack was staged. And it was interesting that the attack succeeded in cracking the SSL confidentiality model as implemented by the Mozilla Firefox browser when communicating with paypal.com web servers over https. At the same time, it seemed to be an impractical exploit targeting a weakness that was fixed three months ago in Chromium source code.

Also of note, is the fact that the attack has been well known for almost 10 years, it's just that there hasn't been a practical exploit implementing the attack. And that they refined their blockwise attack model far better than previous chosen-plaintext attack models, making it more effective than prior attacks.

So there seems to be another good security reason to use Google's Chrome browser, for those of you highly sensitive to security issues. Also interesting were some of the tricks they used to make it work. While they couldn't get it to work in pure javascript or flash, they implemented the exploit in a Java applet and attacked the stream between Firefox and https://paypal.com. The "tricks" they used to bypass "Same Origin Policy" with Java were surprising, and they came up with the entire stolen session cookie with which to log in to paypal.com as the victim over http in under three minutes. While I am sure that the other browser vendors will update their CBC encryption routines to better randomize their IV and overcome this attack as suggested almost ten years ago, one could use Chrome and maintain secure communications in regards to this exploit. To me, this exploit is a low risk one because of its impracticality. Whether they properly disclosed their work to all browser vendors, giving developers plenty of time prior to disclosure remains a question to me, but they did contact at least the Chrome team. Interesting research and impressive effort implementing a difficult to work concept certainly. These guys know crypto and communications technologies. But the sky has not fallen. Yet.

For related technical information, and thoughts from relevant developers and researchers, please check out my "Related Links" list to the right side of the post text. I try to be thorough in my selection.

UPDATE(9/26): Microsoft advises that they are investigating the matter for their Internet Explorer browser customers, stating that the issue is low risk anyways, "Considering the attack scenario, this vulnerability is not considered high risk to customers". Perhaps they were one of the browser vendors that were not contacted about the vulnerability.

Comment      Link
0.2
 

This month's Microsoft patch release is pushed out with lower urgency recommendations overall. While the Sharepoint and server side vulnerabilities are interesting, IT and individuals should attend to the Excel vulnerabilities with urgency. Microsoft is also putting to bed any issues related to Diginotar certificate trust by adding cross signed Diginotar root certificates to the Microsoft Untrusted Certificate Store.

Only five security bulletins are being distributed along with the Diginotar Certificate additions and updates. None are labeled with "Deployment Priority 1". However, in light of the ongoing spearphishing and targeted attacks, the most relevant and important of these arguably is the Excel related bulletin, MS11-072. While it is being listed as "Important", not every enterprise has rolled out the latest version of Excel to all of their systems. A set of "use-after-free" and other heap corruption vulnerabilities that are very difficult to discover with automated auditing frameworks plague the application. These vulnerabilities can be exploited to execute spyware, backdoors, and downloaders of the attackers' choosing on victim systems. Excel related email attachments and links have commonly been used in targeted attacks on organizations and this one should be addressed.

Excel can be a major problem. The RSA breach "2011 Recruitment Plan.xls" file made it very clear how social engineering schemes are used to effectively trick employees - it is important to note that the message was pulled out of the RSA employee's spam folder and opened. This Excel attachment maintained embedded malicious Flash content and exploited the vulnerability right in front of the employee after being opened, effectively delivering its cyber-espionage payload. Now, attackers don't need embedded Flash content to take advantage of employee dependency on Excel.

comments      Link