Sunday, September 28, 2014

Security Threat 2014 - Heartbleed


Heartbleed 

It is a security bug disclosed in April 2014 in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension; the bug's name derives from "heartbeat".
According to Mark J. Cox of OpenSSL, Neel Mehta of Google's security team reported Heartbleed on April 1, 2014.
The vulnerability is classified as a buffer over-read, a situation where software allows more data to be read than should be allowed.
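The missing bounds check and the resulting over-read can be modelled in a few lines. The Python below is an example added here, not OpenSSL's code: it lays out a heartbeat message as RFC 6520 defines it (type, 2-byte payload length, payload, at least 16 bytes of padding) and compares a handler that trusts the length field with one that checks it against the size of the received record. The function names and the "neighbour" bytes standing in for adjacent process memory are constructed for the illustration.

```python
import struct

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16   # RFC 6520: every heartbeat message carries at least 16 padding bytes
HEADER = 3         # type (1 byte) + payload_length (2 bytes)

def build_request(payload: bytes, claimed_len=None) -> bytes:
    """type | payload_length | payload | padding; claimed_len lets the sender lie."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING

def respond_unchecked(memory: bytes, offset: int) -> bytes:
    """Flawed logic: echoes payload_length bytes without comparing to the record size."""
    _msg_type, claimed = struct.unpack_from("!BH", memory, offset)
    start = offset + HEADER
    return memory[start:start + claimed]   # runs past the record if claimed is too big

def respond_checked(memory: bytes, offset: int, record_len: int):
    """Bounds-checked logic: silently discard a message whose length field does not fit."""
    if record_len < HEADER + MIN_PADDING:
        return None
    msg_type, claimed = struct.unpack_from("!BH", memory, offset)
    if msg_type != HEARTBEAT_REQUEST or HEADER + claimed + MIN_PADDING > record_len:
        return None
    start = offset + HEADER
    return memory[start:start + claimed]

def simulate(payload: bytes, claimed_len=None):
    """Place one received record next to unrelated data and run both handlers."""
    record = build_request(payload, claimed_len)
    neighbour = b"CONSTRUCTED-SECRET session=abc123"   # constructed stand-in for adjacent memory
    memory = record + neighbour
    return respond_unchecked(memory, 0), respond_checked(memory, 0, len(record))

if __name__ == "__main__":
    print(simulate(b"ping"))        # honest request: both handlers echo b"ping"
    print(simulate(b"ping", 64))    # inflated length: only the unchecked handler answers
```

With an honest length both handlers return the same echo; with an inflated length the unchecked handler returns the padding and the neighbouring bytes, while the checked handler drops the message.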
Heartbleed is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160. The federal Canadian Cyber Incident Response Centre issued a security bulletin advising system administrators about the bug. The first fixed version of OpenSSL, 1.0.1g, was released on April 7, 2014, the same day Heartbleed was publicly disclosed.
At the time of disclosure, some 17% (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug "catastrophic". Forbes cybersecurity columnist Joseph Steinberg wrote, "Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."
A British Cabinet spokesman recommended that "People should take advice on changing passwords from the websites they use... Most websites have corrected the bug and are best placed to advise what action, if any, people need to take." On the day of disclosure, the Tor Project advised anyone seeking "strong anonymity or privacy on the Internet" to "stay away from the Internet entirely for the next few days while things settle."
As of May 20, 2014, 1.5% of the 800,000 most popular TLS-enabled websites were still vulnerable to Heartbleed.
TLS implementations other than OpenSSL, such as GnuTLS and Mozilla's Network Security Services, are not affected, as the defect lies in OpenSSL's implementation rather than in the Internet protocol itself. Consequently, none of Microsoft's products or services is affected by Heartbleed.
Source:
http://en.wikipedia.org/wiki/Heartbleed
http://heartbleed.com/
http://blogs.mcafee.com/consumer/what-is-heartbleed

Also go through the security threat report 2014 made by sophos.com:
http://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-security-threat-report-2014.pdf 

Security Threat 2014 - Shellshock


Shellshock 
Also known as Bashdoor, it is a security bug in the widely used Unix Bash shell which was disclosed on 24 September 2014, though the vulnerability had been present since Bash was born. Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
The bug causes Bash to unintentionally execute commands when they are stored in environment variables in a non-standard form. Within days, a series of further related vulnerabilities in Bash were found, leading to the need for further patches.
Stéphane Chazelas discovered the bug on 12 September 2014 and suggested the name "bashdoor". The bug was assigned the CVE identifier CVE-2014-6271 and kept under embargo until 24 September 2014 14:00 UTC, in order to ensure that security updates were available for most systems as soon as the details were made public.
Analysis of the source code history of Bash shows that the vulnerabilities had existed undiscovered since approximately version 1.13 in 1992. The maintainers of the Bash source code have difficulty pinpointing the time of introduction due to the lack of comprehensive changelogs.
By 25 September, botnets based on computers compromised with this exploit were being used by attackers for distributed denial-of-service attacks and vulnerability scanning.
Apple Inc. commented that most Mac users were likely not affected, unless they are advanced users.

Background

The Shellshock vulnerability affects Bash, a program that various Unix-based systems use to execute command lines and command scripts. It is often installed as the system's default command line interface.
In Unix-based operating systems, and other operating systems that Bash supports, each running program has its own list of name/value pairs called environment variables. When one program starts another program, it provides an initial list of environment variables for the new program. Separately from these, Bash also maintains an internal list of functions, which are named scripts that can be executed from within Bash. Since Bash is both a command interpreter and a command, it is possible to execute Bash from within Bash. When this happens, the original instance of Bash can export environment variable and function definitions into the new instance. Function definitions are exported by encoding them within the environment variable list as variables whose values begin with parentheses ("()") followed by a function definition. The new instance of Bash, upon starting, scans its environment variable list for values in this format and converts them back into internal functions. Bash performs this conversion by creating a fragment of code from the value and executing it, thereby creating the function 'on-the-fly', but affected versions of Bash do not verify that the fragment is merely a function definition. Therefore, given the opportunity to execute Bash with a chosen value in its environment variable list, an attacker can execute arbitrary commands or exploit other bugs that may exist in Bash's command interpreter.
The name "shellshock" is attributed to Andreas Lindh from a Tweet on September 24, 2014 at 11:16am.

Exploitation Vectors

CGI-based web server attack

When a web server uses the Common Gateway Interface (CGI) to handle a document request, it passes various details of the request to a handler program in the environment variable list. For example, the variable HTTP_USER_AGENT has a value that, in normal usage, identifies the program sending the request. If the request handler is a Bash script, or if it executes one, Bash will receive the environment variables passed by the server and will process them as described above. This provides a means for an attacker to trigger the Shellshock vulnerability with a crafted server request, such as one that identifies the requesting program as () {echo "Hello World";}; echo "You've been hacked". It should be noted that CGI was already considered a security risk, and other methods of handling web server requests are widely used.
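On the detection side, the function-export encoding described in the Background section gives a simple signature to look for in CGI variables. The Python below is an example added here, not code from Bash or from any web server: it maps request headers to CGI variable names and flags values that begin with "()". The sample requests are constructed, reusing the test strings that appear on this page, and the function names are hypothetical.

```python
import re

# Bash exports a function as an environment value that begins with "()".
FUNCTION_VALUE = re.compile(r"^\s*\(\)\s*\{")

def cgi_environment(headers: dict) -> dict:
    """Name request headers the way CGI does: User-Agent -> HTTP_USER_AGENT."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}

def function_like_variables(env: dict) -> list:
    """Variables whose value a vulnerable Bash would treat as a function definition."""
    return sorted(name for name, value in env.items() if FUNCTION_VALUE.match(value))

def scrub(env: dict) -> dict:
    """Drop the flagged variables before the environment reaches a Bash handler."""
    flagged = set(function_like_variables(env))
    return {name: value for name, value in env.items() if name not in flagged}

# Constructed sample requests; the second and third reuse test strings from this page.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Accept": "*/*"},
    {"User-Agent": "() { :;}; echo vulnerable", "Accept": "*/*"},
    {"User-Agent": "curl/7.35.0", "Referer": " () { }; echo hello"},
]

def audit(requests: list) -> list:
    """Return, per request, the CGI variables that should raise an alert."""
    return [function_like_variables(cgi_environment(h)) for h in requests]

if __name__ == "__main__":
    for number, flagged in enumerate(audit(SAMPLE_REQUESTS), start=1):
        print(f"request {number}: {flagged or 'clean'}")
```

Filtering of this kind only narrows exposure while systems are being patched; the fix remains the Bash update described under Solution.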

SSH server example

OpenSSH has a "ForceCommand" feature, where a fixed command is executed when the user logs in, instead of just running an unrestricted command shell. The fixed command is executed even if the user specified that another command should be run; in that case the original command is put into the environment variable "SSH_ORIGINAL_COMMAND". When the forced command is run in a Bash shell (if the user's shell is set to Bash), the Bash shell will parse the SSH_ORIGINAL_COMMAND environment variable on start-up, and run the commands embedded in it. In this way the user has turned restricted shell access into unrestricted shell access, using the Shellshock bug.

DHCP example

A DHCP client typically requests and gets an IP address from a DHCP server, but it can also be provided a series of additional options. A malicious DHCP server could provide, in one of these options, a string crafted to execute code on a vulnerable workstation or laptop.

Check your vulnerability

Run the exploits below in your Bash shell:

Exploit 1
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output shows 'vulnerable', you are vulnerable.

Exploit 2
env -i X=' () { }; echo hello' bash -c 'date'

If the output is 'hello', you are vulnerable.

Exploit 3
cd /tmp; env X='() { (a)=>\' bash -c "echo date"; cat echo

If the output gives the date and errors, you are still vulnerable. If the output shows the word 'date' and errors, you are not.

Exploit 4
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"


Exploit 5
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

Solution

Check your bash version
#bash --version

Update bash
#yum update bash

Source:
http://en.wikipedia.org/wiki/Shellshock_(software_bug)
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
http://www.bbc.com/news/technology-29375636

Security Threats 2014 - Cryptolocker


CryptoLocker 

It was a ransomware trojan which targeted computers running Microsoft Windows and was first observed by Dell SecureWorks in September 2013. CryptoLocker propagated via infected email attachments, and via an existing botnet; when activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) was made by a stated deadline, and threatened to delete the private key if the deadline passed. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin.
Although CryptoLocker itself was readily removed, files remained encrypted in a way which researchers considered infeasible to break. Many said that the ransom should not be paid, but did not offer any way to recover files; others said that paying the ransom was the only way to recover files that had not been backed up. Some victims claimed that paying the ransom did not always lead to the files being decrypted.

Operation

CryptoLocker typically propagated as an attachment to a seemingly innocuous e-mail message, which appeared to have been sent by a legitimate company.[4] A ZIP file attached to an email message contained an executable file with the filename and the icon disguised as a PDF file, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the real .EXE extension. CryptoLocker was also propagated using the Gameover ZeuS trojan and botnet.
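The delivery trick described above, an executable inside a ZIP attachment whose name looks like a document, can be checked for before the attachment reaches a user. The Python below is an example added here, not taken from any mail product: it lists ZIP members and flags document-style names that end in an executable extension, as well as members whose content starts with the "MZ" executable magic. The extension lists, function names and sample archives are assumptions constructed for the illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}          # assumed policy list
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg"}   # assumed decoy list

def inspect_attachment(zip_bytes: bytes) -> list:
    """Return (member name, reason) for each member that should be blocked."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename).name
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            with archive.open(info) as member:
                is_pe = member.read(2) == b"MZ"   # DOS/PE executable magic
            last = suffixes[-1] if suffixes else ""
            if last in EXECUTABLE_EXTS and len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
                findings.append((name, "document name hiding an executable extension"))
            elif last in EXECUTABLE_EXTS:
                findings.append((name, "executable in attachment"))
            elif is_pe:
                findings.append((name, "executable content behind a non-executable name"))
    return findings

def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed samples."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buffer.getvalue()

# Constructed samples: a harmless stub with a disguised name, and a plain document.
SUSPICIOUS = build_sample_zip({"Invoice_2014.pdf.exe": b"MZ" + b"\x00" * 62})
BENIGN = build_sample_zip({"report.pdf": b"%PDF-1.4 constructed sample"})

if __name__ == "__main__":
    print(inspect_attachment(SUSPICIOUS))
    print(inspect_attachment(BENIGN))
```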
When first run, the payload installs itself in the user profile folder, and adds a key to the registry that causes it to run on startup. It then attempts to contact one of several designated command and control servers; once connected, the server generates a 2048-bit RSA key pair, and sends the public key back to the infected computer.[1][6] The server may be a local proxy and go through others, frequently relocated in different countries to make tracing them more difficult.[8][9]
The payload then encrypts files across local hard drives and mapped network drives with the public key, and logs each file encrypted to a registry key. The process only encrypts data files with certain extensions, including Microsoft Office, OpenDocument, and other documents, pictures, and AutoCAD files.[7] The payload displays a message informing the user that files have been encrypted, and demands a payment of 400 USD or Euro through an anonymous pre-paid cash voucher (i.e. MoneyPak or Ukash), or an equivalent amount in Bitcoin (BTC) within 72 or 100 hours (while starting at 2 BTC, the ransom price has been adjusted down to 0.3 BTC by the operators to reflect the fluctuating value of Bitcoin),[10] or else the private key on the server would be destroyed, and "nobody and never [sic] will be able to restore files."[1][6] Payment of the ransom allows the user to download the decryption program, which is pre-loaded with the user's private key.[6] Some infected victims claim that they paid the attackers but their files were not decrypted.[4]
In November 2013, the operators of CryptoLocker launched an online service which claims to allow users to decrypt their files without the CryptoLocker program, and to purchase the decryption key after the deadline expires; the process involves uploading an encrypted file to the site as a sample, and waiting for the service to find a match, which the site claims would occur within 24 hours. Once a match is found, the user can pay for the key online; if the 72 hour deadline has passed, the cost increases to 10 Bitcoin.[11][12]
The success of CryptoLocker spawned a number of unrelated and similarly named worms working in essentially the same way,[13][14][15] such as CryptoLocker 2.0—which was originally thought to be a variant of CryptoLocker, but was ultimately considered by security researchers to be a copycat due to notable differences in its internal architecture (such as being written in a completely different programming language, and using a different type of encryption).[16][15]

Takedown and recovery of files

On June 2, 2014, the United States Department of Justice officially announced that over the previous weekend, Operation Tovar, a consortium of law enforcement agencies (including the FBI and Interpol), security software vendors, and several universities, had disrupted the Gameover ZeuS botnet which had been used to distribute CryptoLocker and other malware. The Department of Justice also publicly issued an indictment against the Russian hacker Evgeniy Bogachev for his alleged involvement in the botnet.[5][17][18]
As part of the operation, the Dutch security firm Fox-IT was able to procure the database of private keys used by CryptoLocker; in August 2014, Fox-IT and fellow firm FireEye introduced an online service which allows infected users to retrieve their private key by uploading a sample file, and then receive a decryption tool.[19][20]

Mitigation

While security software is designed to detect such threats, it might not detect CryptoLocker at all, or only after encryption is underway or complete, particularly if a new version unknown to the protective software is distributed.[21] If an attack is suspected or detected in its early stages, it takes some time for encryption to take place; immediate removal of the malware (a relatively simple process) before it has completed would limit its damage to data.[22][23] Experts suggested precautionary measures, such as using software or other security policies to block the CryptoLocker payload from launching.[1][6][7][9][23] Symantec estimated that 3% of users infected by CryptoLocker chose to pay.[9]
Due to the nature of CryptoLocker's operation, some experts reluctantly suggested that paying the ransom was the only way to recover files from CryptoLocker in the absence of backups (in particular, offline backups made before the infection that are inaccessible from the network, and thus cannot be infected by CryptoLocker).[4] Due to the length of the key employed by CryptoLocker, experts considered it practically impossible to use a brute-force attack to obtain the key needed to decrypt files without paying; the similar 2008 worm Gpcode.AK used a 1024-bit key that was believed to be large enough to be computationally infeasible to break without a concerted distributed effort, or the discovery of a flaw that could be used to break the encryption.[6][12][24][25] Sophos security analyst Paul Ducklin even speculated that CryptoLocker's online decryption service involved the brute forcing of its own encryption.[12]

Solution to Cryptolocker:
All 500,000 victims of Cryptolocker can now recover files encrypted by the malware without paying a ransom.
The malicious program encrypted files on Windows computers and demanded a substantial fee before handing over the key to the scrambled files.
Thanks to security experts, an online portal (www.decryptcryptolocker.com) has been created where victims can get the key for free.
Source:
http://en.wikipedia.org/wiki/CryptoLocker 
http://en.wikipedia.org/wiki/Ransomware
http://en.wikipedia.org/wiki/Bitcoin

This is also worth seeing - Security Report from Symantec:
http://www.symantec.com/security_response/publications/threatreport.jsp

For Beginners, link below from Kaspersky is also worth seeing:
http://www.kaspersky.com/au/internet-security-center/threats
http://technet.microsoft.com/en-us/library/cc723507.aspx#XSLTsection124121120120