The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news over the past month, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.
August 31, 2018
When Credentials Are the Cost of Curiosity
A new phishing technique against Microsoft Office 365 users was discovered earlier this month. Attackers are taking advantage of a combination of vulnerabilities to sneak phishing emails through Microsoft's security mechanisms and trick users into clicking links to fraudulent websites. Starting with the ZeroFont attack, adversaries can hide characters in an email and bypass algorithms that match certain keywords. For example, the attacker composes a paragraph and then hides all characters, except those that reconstruct a popular trademark that is likely to be familiar to the recipient (e.g., ©Microsoft Corporation). The attackers then build on top of that using legitimate OneDrive documents (Microsoft's product) to present a login page to the user. Security systems are unable to identify the threat since the fraudulent websites are hosted on Microsoft's servers; users trust those websites since they see Microsoft's domain name in the URL.
- BLEEPINGCOMPUTER: https://www.bleepingcomputer.com/news/security/zerofont-technique-lets-phishing-emails-bypass-office-365-security-filters/
- Technotification: https://www.technotification.com/2018/08/examples-phishing-attacks-2017.html
- Computer Business Review: https://www.cbronline.com/news/microsoft-office-365-phishing
- The Hacker News: https://thehackernews.com/2018/08/microsoft-office365-phishing.html
IISP Analyst Panagiotis Kintis: "Attacks like this are not new. We have seen them taking place with Google and Gmail, and they have been very successful. The techniques used for these attacks manage to do two things: bypass security mechanisms and trick even experienced and security savvy users. The security systems are prone to such attacks because the adversaries take advantage of the infrastructure they are targeting and, therefore, it is hard to detect the attack. Users at the same time, have been trained to make sure they are typing their credentials into websites they trust and, obviously, they trust the products they use.
The good news is that security systems can evolve and become better at detecting such attacks. Unfortunately, this is very hard to do when it comes to generalizing and detecting variances of attacks. As mentioned earlier, these attacks are not new, but our security countermeasures are still vulnerable to them, primarily because we base our detection on static signatures. It is time to start thinking of ways to take advantage of mature technologies, like Machine Learning, to do the prediction and detection. At the very least, they can be very good consultants during the uphill battles against attackers. By identifying an attack and creating a unique pattern, we can match against what cannot scale. A small change in the attacker's strategy (e.g., combine several techniques) makes our detectors obsolete. However, we have enough knowledge, data, and resources today to do much more than just identify attack signatures.
From the user's perspective, it is really hard to identify such attacks with a naked eye. The golden rule against phishing is "if you did not expect a message, do not interact with it." Curiosity, however, is in our nature. When someone offers to give us millions of dollars for helping them with something trivial, we immediately think "what if it's true." When someone shares a secret document with us and invites us to read it, we immediately think "what could that be." Our credentials, at the time, are a small price to pay for curiosity, and the adversaries know that.
As I have mentioned in the past, technology is only there to help people. People have to be educated and trained to forfeit curiosity and be more careful when it comes to using the Internet. More importantly, phishing can be the stepping stone or the doorway for an attack that might persist over time and affect businesses, governments, and organizations significantly, as we have seen in the past."
Fortnite Android App Raises Security Concerns
Fortnite, the hugely popular multiplayer game from Epic Games, will not be published on the Google Play Store on Android. This move likely comes to avoid the 30% cut taken by Google for hosting the app, but it has raised concerns in the security community about the game bypassing the controls of the Google Play Store.
- The Guardian: https://www.theguardian.com/games/2018/aug/06/fortnite-is-coming-to-android-phones-but-not-through-google-play
- The Verge: https://www.theverge.com/2018/8/13/17683646/fortnite-android-how-to-install-epic-games-google-play-store-beta-invite
- ZDNet: https://www.zdnet.com/article/android-oreo-google-has-just-made-app-installs-from-unknown-sources-a-lot-safer/
- CNET: https://www.cnet.com/news/just-as-critics-feared-fortnite-for-android-came-with-an-epic-security-risk/
- Google Issue Tracker: https://issuetracker.google.com/issues/112630336
IISP Analyst Kennon Bittick: "Because of Fornite’s popularity, the Android version will certainly be installed by millions of people, most of whom have no expertise in security. The installation of the app away from the Google Play Store has a few security implications that are worth examining. Unlike Apple’s iOS, Android allows installation of applications away from the official app store. However, even on Android, this is disabled by default before version 8.0 (released August 2017). For example, to enable it on my phone, I had to go to the security settings and toggle 'Unknown sources – allow the installation of apps from unknown sources.' This presented me with the message: 'Your phone and personal data are more vulnerable to attack by apps from unknown sources. You agree that you are solely responsible for any damage to your phone or loss of data that may result from using these apps.' Once this option is toggled, the application can be downloaded and installed. As stated in the warning, however, this option allows malicious applications to be downloaded by a careless user.
On Android 8.0 and later, instead of having a global option to allow untrusted applications, each application can request the 'Install unknown apps' permission. On newer phones, this means that the Fortnite application can be installed without toggling the potentially unsafe global option. However, even this is prone to errors. Google researchers almost immediately discovered a flaw that would allow other applications on the phone to leverage the Fortnite installer application, which was granted the “Install unknown apps” permission, to silently install other apps with arbitrary permissions. Although Epic Games quickly updated Fortnite installer to fix the issue, Google pointed out in the bug report that this issue would not have happened if Epic Games had used the Google Play Store in the first place.
The security versus openness tradeoff is very clear here. Traditionally, desktop operating systems did not manage user applications in any way. However, taking inspiration from the package managers of popular Linux distributions, most modern systems provide an official installation channel: the Microsoft Store of Windows 10, the App Store of Mac OS and iOS, the Google Play Store of Android, and the package managers of Linux. The maintainers of these review the submissions and, at least in theory, block malicious applications. Users downloading applications from the managed stores can have some assurance that the software they are downloading is safe. However, this also limits the applications that users are allowed to download to those curated by the maintainer of the storefront or package manager. Alternative stores like F-Droid on Android and Cydia on iOS speak to the desire of some users to install software from non-curated channels, and certainly those following the hacker ethos prefer an open environment without management by a third party. As mobile computing continues to evolve and replace traditional computing for many users, the trade-off between the security of walled garden platforms and the freedom of open platforms will be a frequent issue."
Police Bodycams: Marketed for Integrity, Vulnerable by Design
A demonstration at DEFCON 2018 this month as well as Georgia Tech analysis of five, police body-camera models from different vendors revealed that a broad sector of these devices fail to maintain the integrity of evidence they were designed to produce. From devices themselves to the software ecosystems that support them, all of the surveyed camera models contained vulnerabilities that would allow attackers to track their locations or manipulate the software.
- Engadget: https://www.engadget.com/2018/08/13/security-flaw-body-cameras-hacks/
- Wired: https://www.wired.com/story/police-body-camera-vulnerabilities/
IISP Analyst Caleb Purcell: "When I first received an article about this from colleague and fellow Source Port contributor, Chris M. Roberts, my immediate reaction was a simple thought, 'Finally!' For me, this article brings finality and confirmation to some of my earliest security research. In 2015, our group performed a similar vulnerability survey on Internet of Things (IoT) wearable devices, with my focus being police body cameras. Even a few of the same cameras we analyzed were included in this article’s list. The results of the survey were alarming. I’m no proponent of cyber fear-mongering, but the relative ease of compromise genuinely shocked me.
At a high level, we came to many of the same conclusions: default WiFi passwords with no change requirements, lack of software signing, and lack of media digital signatures – all of which represent a fundamental breakdown in security – seem consistent across the spectrum of police body cameras. Together, these vulnerabilities provide an avenue for attackers to deliver malware and tamper with evidence. The details that led to these discoveries, however, are really astonishing.
One camera we analyzed had no password requirement to connect via USB, which would allow any attacker with physical access to update the device’s firmware and WiFi password. Connection via WiFi required a password, but each camera had a default password (‘1234567890’) that wasn’t required to be changed before use. Using this default password, we were able to hack into the camera’s live video feed from a laptop. In addition, the camera’s processor hosted an anonymous FTP server rooted in the main drive, granting any user with a wireless connection total control over device files and data. Connecting to the camera’s internal debug port revealed that, on reboot, the processor always checked that FTP accessible drive for specific filenames to trigger firmware and WiFi password updates. With a default WiFi password, an anonymous FTP server, and automatically triggered firmware updates – remote malware delivery shifts from possible to probable. We successfully pushed firmware modifications to the body camera without any interruption to normal operations. A well-designed malware could reach back and infect any PC that connects to that camera.
Another camera from our survey came with bolder security claims (i.e., FIPS 140-2 compliant digital signatures for media, etc.) and required a combination of vendor-specific software/cables to interface with it. These claims provided the framework for our testing. Using the vendor-specific cable, we devised two methods to bypass the vendor software requirement and obtain full access to all of the camera’s files and data. We then uploaded, downloaded, altered, and deleted video evidence without restriction and without detection. As for the digital signatures, we came to the conclusion that the signatures were applied only after importing videos from the camera into the vendor database. Any modifications or deletions prior to importing the evidence were effectively undetectable.
I’ll end with an anecdote that is less technical, more humorous. The last camera we analyzed seemed to have the most effective security implementation, including a password that, if forgotten, could only be reset by the vendor. Given that our time to complete the survey was quickly running out, I decided to go on a hunch that the vendor had built-in a master password. I reached out to the vendor’s engineering team explaining that I had forgotten my password and didn’t have time to return it. No dice. I then reached out to the sales team with the same story. They responded with a master password – one that could not be changed and worked on every single camera. Amazing. In the end, I suppose humans will always be the weakest link in security.
The world of IoT is held in constant tension between the drive for rapid, low-cost development and the need for better security. There is always a place for the ‘you get what you pay for’ mentality, but the vulnerabilities displayed here are unacceptable. Malware, poor digital signing, and master passwords – all on devices intended to provide integrity. If you can’t trust the cameras or the evidence they produce, then why even have the cameras in the first place? Before investing in IoT, organizations should take the time to properly vet products with security in mind. Especially when those products are intended to support an environment of integrity."
Fax-Printer Combo Machines Leave Networks Vulnerable
Check Point Research demonstrated that combination fax-scanner-printer machines allow an attacker to use the listening telephone line connected to a fax feature to attack networks to which these machines are connected. The vulnerability, named "Faxploit," allows an attacker to embed malicious software in a specially-crafted fax. The malware executes on the victim's fax machine, allowing the attacker to use the fax to pivot to the network to which it is connected. Check Point demonstrated the power of the vulnerability by using a fax machine to take full control of computers on the same network as the all-in-one machine by having the fax utilize the Eternal Blue exploit.
IISP Analyst Joel Odom: "I don't know why it took so long for someone to come up with the idea of doing a vulnerability check of this attack vector. After all, modern fax machines are just computers that listen for incoming data over a phone line. When the machines take a call and receive data, they must parse a complex protocol with plenty of attack surface. As Check Point puts it, 'from an attacker’s point of view this is a jackpot, as finding a vulnerability in a complex file format parser looks very promising.'
In the cybersecurity world we often hear the mantra, 'complexity is the enemy of security.' I like to restate this as 'clever ideas are the enemy of security.' The fax protocol, with its ability to embed different image file formats, is a clever protocol. The idea of creating an all-in-one machine that can print, fax and scan is a clever idea. When these clever ideas appeared on the scene in the 1990's and 2000's, cybersecurity was much less on the mind of engineers than it is now, so I imagine that little thought was given to the attack surface these machines presented. For years they have sat in office mail or print/copy rooms, occasionally used but largely forgotten. How many other clever ideas from years past lie dormant, waiting for attackers to use them in surprising attacks? How many new clever ideas are engineers implementing today that open unexpected vectors for attack?"
Prevalence of DNS Interception by Autonomous Systems
As Google's public DNS resolver hits an eponymous milestone, a recent paper explores the prevalence of DNS interception in various Autonomous Systems. The Domain Name System service translates readable domain names into addressable network locations, which is typically the first step in most network conversations. This study shows that a small but significant number of these conversations are not simply couriered to and from their destination, but may be tampered with along the way. In addition to the privacy and data integrity concerns that this raises, the study also discovers that the interception is performed on insecure platforms that may be further vulnerable to attack.
IISP Analyst Adonis Bovell: "Often browsers mark HTTP as insecure, warning users to switch to HTTPS when entering sensitive data, but typically they stay silent about insecure domain name resolutions. This untrusted first step is an accepted fact of life on the Internet. So, it's not entirely surprising to discover that various Internet providers exploit this vulnerability to monitor and modify DNS queries within their Autonomous System. Ostensibly, this is done for security and speed concerns, but it may also be part of a monetization or censorship strategy. This study begins to put an estimate on the scale of this problem.
Unfortunately, the DNS protocol makes it difficult for an end-user to detect and prevent DNS manipulation. The adoption of newer standards, such as DNSSEC and DNS-over-HTTPS (DoH) will change this. DNSSEC allows users to validate the authenticity DNS responses, whereas DoH also provides privacy by encrypting DNS communications. Google's DNS offering has supported DoH since 2016, whereas CloudFlare's resolver has supported DoH from its inception earlier this year. With the rise of publicly accessible alternative systems that support these advanced protocols, selecting your own DNS resolver is now a real choice that can be enforced by the consumer.
The availability of these resolvers are good for the health of the Internet as a whole. However there is a caveat: using a public resolver gives the resolver an increased view of your Internet communication, and requires a level of trust in their service. Each of these resolvers have their own privacy and data-retention policies which should be reviewed to ensure that it is a viable option."