Category Archives: Internet

Facebook gives Tor a huge boost

Tor (The Onion Router) is free software that makes your Internet use more private: your traffic is bounced through a chain of volunteer-run relays, each of which knows only the previous and the next hop, so no single observer sees both who you are and what you are connecting to. It has been getting a lot more attention since the Snowden leaks, as many people are uncomfortable with the knowledge that the NSA is collecting everyone's traffic.

Of course, the NSA and its supporters characterize Tor as a tool for criminals and terrorists, but in fact it’s used by plenty of regular folks who just want some privacy on the ‘net. Certainly there are some people who use Tor to hide criminal activity, but those people also use telephones.

Note that Tor only protects you if it is used properly. It hides your address from the sites you visit and your destinations from your ISP, but it does nothing about what you reveal once you get there: logging into an account, a browser plugin that bypasses the Tor proxy, or a plain HTTP connection that leaves the last (exit) relay unencrypted can all give you away. It also adds overhead to network communications, making browsing noticeably slower. Worse, many Internet-based services and sites now detect the use of Tor and limit or block Tor connections, which has made Tor less attractive for everyday browsing.

Now Facebook, in a move that seems to have surprised everyone, has decided to back Tor in a big way: the site is available as a Tor hidden service at https://facebookcorewwwi.onion/, with a TLS certificate issued for the .onion name. Reaching Facebook this way keeps the connection inside the Tor network end to end, so there is no exit relay to block or snoop on the traffic, and Facebook no longer has to treat the constantly changing addresses of Tor users as a sign of a hijacked account. This move has the potential to propel Tor into wider use, and sets a standard for the general acceptance of Tor by large service providers. Whether Facebook actually turns out to be the 'killer app' for Tor remains to be seen.

UPnP now being used for DDoS attacks

The troubled Universal Plug and Play protocol has a new problem: malicious hackers are increasingly using it as the basis for Distributed Denial of Service attacks.

UPnP is a set of protocols, intended for home networks, that lets devices find each other and open ports on the router without any configuration. Discovery works over SSDP: a device sends an M-SEARCH request to UDP port 1900 and every UPnP device that hears it replies. Unfortunately, many routers and other devices answer those requests on their Internet-facing interface as well, so anyone on the Internet can find them, and in some cases reconfigure them.

Now, according to Internet content caching service provider Akamai, those exposed UPnP devices are being used for DDoS attacks. The attacker sends each device an M-SEARCH request with the source address forged to be the victim's; SSDP runs over UDP, so nothing checks that address. The device's reply (or replies, since it answers once per service it advertises) is many times larger than the request and goes to the victim, which is flooded with traffic from thousands of devices it never contacted.

If you think you may have UPnP devices that are exposed to the Internet, or just want to make sure you don't, head over to Steve Gibson's ShieldsUp site. Click the Proceed button, then on the next page, click the big button labeled GRC's Instant UPnP Exposure Test. After a moment or two, your results will be shown. The test only tells you whether the router at your own public address answers SSDP from the outside; if it does, disable UPnP on the router's Internet-facing interface, or switch UPnP off entirely if the router offers no such distinction.
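The mechanics described above, as an added example that is not part of the original post or of Akamai's advisory: the M-SEARCH request an attacker reflects, a parser for the reply a device sends, the resulting amplification ratio, a probe you can run yourself, and a detection rule for the victim's side. The SSDP reply and the flow records are constructed samples in the formats real devices and flow exporters produce, and all addresses are documentation ranges.

```python
"""SSDP (UPnP discovery) reflection: why it amplifies, how to probe for it, and how to spot it.

Added example, not code from the original post or from Akamai's advisory. The
SSDP reply below is a constructed sample in the format real devices send; the
flow records are constructed too, and all addresses are documentation ranges.
"""
import socket
from collections import defaultdict
from typing import Dict, List, Tuple

SSDP_PORT = 1900


def msearch_request(st: str = "ssdp:all", mx: int = 1) -> bytes:
    """The SSDP M-SEARCH discovery request. It is under 100 bytes and travels in a
    single UDP datagram, so the attacker simply writes the victim's address as the source."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: 239.255.255.250:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()


def parse_ssdp_response(datagram: bytes) -> Dict[str, str]:
    """Parse the HTTP-style reply into a header dict (names upper-cased)."""
    text = datagram.decode("ascii", errors="replace")
    status, _, rest = text.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"not an SSDP OK reply: {status!r}")
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def amplification(request: bytes, replies: List[bytes]) -> float:
    """Bytes the victim receives per byte the attacker sends. With ST: ssdp:all a
    device answers once per service it advertises, so one request yields several replies."""
    return sum(len(r) for r in replies) / len(request)


def probe(host: str, timeout: float = 2.0) -> List[bytes]:
    """Send one M-SEARCH to host and collect replies until the timeout. Run this from
    OUTSIDE your network against your public address to reproduce what the ShieldsUP
    test does; from inside the LAN a reply is normal and proves nothing."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(msearch_request(), (host, SSDP_PORT))
    replies = []
    try:
        while True:
            data, _ = sock.recvfrom(4096)
            replies.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


Flow = Tuple[str, int, str, int, int]  # (src_ip, src_port, dst_ip, dst_port, bytes)


def detect_ssdp_reflection(flows: List[Flow], min_sources: int = 3) -> Dict[str, Tuple[int, int]]:
    """On the victim's side, reflected SSDP looks like many unrelated hosts all sending
    from UDP/1900 to one destination that never asked. Returns
    {victim: (distinct_sources, total_bytes)} for destinations over the threshold."""
    sources, volume = defaultdict(set), defaultdict(int)
    for src, sport, dst, dport, size in flows:
        if sport == SSDP_PORT:
            sources[dst].add(src)
            volume[dst] += size
    return {dst: (len(s), volume[dst]) for dst, s in sources.items() if len(s) >= min_sources}


# Constructed sample reply, as a typical home router's UPnP daemon would send it.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"DATE: Sat, 18 Oct 2014 12:00:00 GMT\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.4\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:3f2c8a7e-9d41-4b6f-8c0a-1e5d7b9a2f44::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

# Constructed flow records: four exposed devices answering toward one victim, plus unrelated traffic.
SAMPLE_FLOWS: List[Flow] = [
    ("203.0.113.10", 1900, "198.51.100.7", 54321, 338),
    ("203.0.113.11", 1900, "198.51.100.7", 54321, 342),
    ("203.0.113.12", 1900, "198.51.100.7", 54321, 338),
    ("203.0.113.13", 1900, "198.51.100.7", 54321, 340),
    ("203.0.113.50", 443, "198.51.100.9", 50010, 1400),
]
```

Three replies to one 94-byte request already give a ratio above ten; the detection rule keys on the source port because the victim never sent an M-SEARCH, so inbound traffic from port 1900 has no legitimate reason to exist there.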

SSL3 protocol compromised

SSL3 (SSL 3.0) is the 1996 version of the protocol web sites use to encrypt data. It was superseded by TLS 1.0 in 1999 and by TLS 1.1 and 1.2 since, but almost every browser and server still supports it as a fallback for old peers.

Now researchers at Google have shown that an attacker positioned between a browser and a web site can force the connection down to SSL3 and then decrypt supposedly secure information, such as session cookies, one byte at a time. They call the attack POODLE, for Padding Oracle On Downgraded Legacy Encryption: SSL3 never checks the contents of the padding in CBC-mode records, so whether the server accepts or rejects a tampered record leaks one plaintext byte per 256 attempts on average. The technique has been verified, and now the race is on to mitigate the vulnerability in browsers and web servers worldwide. If you run a web server and it supports SSL3, you should disable SSL3 as soon as possible; there is no fix for the protocol itself. Browsers and servers that both support TLS_FALLBACK_SCSV also block the downgrade step.
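The attack mechanics, as an added example that is not part of the original post or of Google's write-up: an SSLv3-style CBC record built as MAC-then-pad-then-encrypt, the server's accept/reject decision acting as the padding oracle, and the attacker recovering a secret one byte at a time by moving ciphertext blocks around. The block cipher is a toy Feistel network over HMAC so the script needs only Python's standard library; that is an assumption standing in for AES or 3DES, and nothing in the attack depends on it. The strict flag on ssl3_open shows the TLS 1.0 padding rule that closes the oracle.

```python
"""POODLE against SSLv3-style CBC records, simulated end to end.

Added example, not code from the original post or from Google's paper. The 16-byte
block cipher is a toy Feistel network over HMAC so this runs with the standard
library alone (an assumption standing in for AES/3DES); the attack relies only on
CBC mode and on SSLv3 never checking the padding bytes.
"""
import hashlib
import hmac
import random

BLOCK = 16
MAC_LEN = 20  # HMAC-SHA1 stands in for SSLv3's SHA-1 based MAC

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def rand_bytes(rng, n):
    return bytes(rng.randrange(256) for _ in range(n))

def ssl3_seal(key, mac_key, iv, data, rng=None):
    """Sender: MAC, pad to whole blocks, CBC-encrypt. SSLv3 defines only the last
    padding byte (the length); the other padding bytes are arbitrary."""
    rng = rng if rng is not None else random.Random()
    mac = hmac.new(mac_key, data, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - (len(data) + MAC_LEN) % BLOCK
    return cbc_encrypt(key, iv, data + mac + rand_bytes(rng, pad_len) + bytes([pad_len]))

def ssl3_open(key, mac_key, iv, record, strict=False):
    """Receiver, i.e. the oracle: True iff the record is accepted. strict=False is
    SSLv3 (padding bytes ignored); strict=True is the TLS 1.0+ rule that every
    padding byte must equal the length byte, which is what removes the oracle."""
    pt = cbc_decrypt(key, iv, record)
    pad_len = pt[-1]
    if pad_len >= BLOCK or len(pt) < pad_len + 1 + MAC_LEN:
        return False
    if strict and any(b != pad_len for b in pt[-(pad_len + 1):-1]):
        return False
    body = pt[:-(pad_len + 1)]
    expected = hmac.new(mac_key, body[:-MAC_LEN], hashlib.sha1).digest()
    return hmac.compare_digest(expected, body[-MAC_LEN:])

def poodle_recover(secret, seed=None, max_tries=50000):
    """Attacker: the victim keeps sending prefix||secret||suffix (in the real attack a
    browser made to issue requests by injected JavaScript, the secret being a cookie);
    the attacker swaps ciphertext blocks on the wire and watches whether the server accepts."""
    rng = random.Random(seed)
    key, mac_key = rand_bytes(rng, 16), rand_bytes(rng, 16)

    def client(prefix_len, suffix_len):
        iv = rand_bytes(rng, BLOCK)  # a fresh IV per record stands in for a fresh connection
        return iv, ssl3_seal(key, mac_key, iv, b"A" * prefix_len + secret + b"B" * suffix_len, rng)

    recovered = bytearray()
    for k in range(len(secret)):
        prefix_len = (BLOCK - 1 - k) % BLOCK + BLOCK                # secret[k] lands at the end of block j
        suffix_len = -(prefix_len + len(secret) + MAC_LEN) % BLOCK  # padding becomes a full block
        j = (prefix_len + k) // BLOCK
        for _ in range(max_tries):
            iv, record = client(prefix_len, suffix_len)
            blocks = [iv] + [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
            n = len(blocks) - 1                               # blocks[1..n] are the ciphertext blocks
            tampered = b"".join(blocks[1:n]) + blocks[j + 1]  # padding block replaced by C_j
            if ssl3_open(key, mac_key, iv, tampered):
                # accepted only when D(C_j) xor C_{n-2} ends in 15, i.e.
                # P_j[15] xor C_{j-1}[15] xor C_{n-2}[15] == 15
                recovered.append((BLOCK - 1) ^ blocks[j][-1] ^ blocks[n - 1][-1])
                break
        else:
            raise RuntimeError("oracle never accepted; block alignment is wrong")
    return bytes(recovered)
```

Each accepted tampered record costs about 256 requests on average, which is why the real attack needs the browser to fire requests in a loop; the same loop under strict=True never gets an acceptance, because a wrong padding block is rejected before the MAC is even checked.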

A post on Microsoft’s MSRC security blog provides a brief overview of the problem from their perspective and points to security advisory 3009008. The advisory provides instructions for disabling SSL3 in Internet Explorer.

Anyone still using Internet Explorer 6 (why?) is going to have difficulty accessing secure web sites from this point forward: IE6 ships with TLS 1.0 switched off, so it uses SSL3 for secure web browsing unless TLS is turned on by hand in Internet Options, and web servers are now busily having SSL3 disabled.

Update 2014Dec11: A new variant of the POODLE attack works against some TLS implementations that, like SSL3, fail to check the padding bytes (TLS itself requires the check; the affected products skip it), and apparently affects up to 10% of the world's servers. Brian Krebs has more.

Update 2015Jan12: One of the SANS handlers posted a followup that looks in detail at assessing the actual risk of a POODLE attack. It turns out that the risk is actually fairly low.

Shellshock: a very bad vulnerability in a very common *nix tool

Linux and other flavours of the Unix operating system (aka *nix) run about half of the world's web servers. Increasingly, *nix also runs on Internet-enabled hardware, including routers and modems. A huge proportion of these systems use bash as the default command interpreter (aka shell), and on many that don't, bash is still installed and called by scripts.

A serious vulnerability in bash was recently discovered. Bash lets a parent process pass shell functions to a child through environment variables whose value starts with "() {"; vulnerable versions keep parsing past the end of the function and execute any commands that follow it. So anywhere untrusted input ends up in an environment variable before bash runs, an attacker gets to run commands. The full extent of the danger has yet to be determined, because that pattern turns up in a lot of places. The clearest example is a web server running CGI scripts: it copies request headers such as User-Agent into the environment, so a specially-crafted request to a vulnerable server can, for instance, make that server ping another computer.

Patches that address the vulnerability (at least partially) became available almost immediately for most Linux flavours. Apple’s OS X has yet to see a patch, but presumably that will change soon, although Apple has been oddly slow to respond to issues like this in the past.

Most average users don't need to worry about this bug, but if you run a web server, or any server that's accessible from the Internet, you should make sure your version of bash is updated. The same goes for a laptop that joins untrusted networks, since some DHCP clients hand values supplied by the DHCP server to bash hook scripts.
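Two checks that follow from the above, as an added example that is not part of the original post: the standard test for whether a local bash is affected by CVE-2014-6271 (the original Shellshock bug, not the follow-on issues), and a scan of web server access logs for the "() {" probes that attackers send against CGI scripts. The log lines are constructed samples in Apache's combined format, with addresses from documentation ranges.

```python
"""Shellshock (CVE-2014-6271): test a local bash, and find probes in web server logs.

Added example, not code from the original post. The log lines are constructed in
Apache "combined" format; the IP addresses are documentation ranges.
"""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Bash imported shell functions from any environment variable whose value began
# with "() {", and vulnerable versions kept parsing past the closing brace and
# executed whatever followed. Anything that copies untrusted input into the
# environment and then starts bash becomes a vector: CGI (headers become
# HTTP_USER_AGENT etc.), DHCP client hook scripts, sshd ForceCommand.
PROBE = re.compile(r"\(\)\s*\{")


def is_bash_vulnerable(bash: Optional[str] = None) -> Optional[bool]:
    """The standard CVE-2014-6271 check: a function definition with trailing code in
    an environment variable. True if the trailing code ran, False if bash ignored it,
    None if no bash binary was found."""
    bash = bash or shutil.which("bash")
    if not bash:
        return None
    env = {"PATH": "/usr/bin:/bin", "SHELLSHOCK_PROBE": "() { :;}; echo VULNERABLE"}
    proc = subprocess.run([bash, "-c", "echo probe"], env=env,
                          capture_output=True, text=True)
    return "VULNERABLE" in proc.stdout


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def find_shellshock_probes(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, field, decoded_value) for every combined-format log line whose
    request line, Referer or User-Agent carries a "() {" prefix. Values are URL-decoded
    first so a probe hidden as %28%29%20%7B in the query string is caught too."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("req", "ref", "ua"):
            value = unquote(m.group(field))
            if PROBE.search(value):
                hits.append((m.group("ip"), field, value))
    return hits


# Constructed sample: a probe in the User-Agent (the "ping another computer" style
# payload), a benign request, and a URL-encoded probe in the query string.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:14:03 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"',
    '198.51.100.23 - - [25/Sep/2014:10:15:41 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.77 - - [25/Sep/2014:10:16:09 +0000] "GET /cgi-bin/test.cgi?x='
    '%28%29%20%7B%20%3A%3B%7D%3B%20%2Fbin%2Fcat%20%2Fetc%2Fpasswd HTTP/1.1" '
    '500 - "-" "curl/7.37.0"',
]

if __name__ == "__main__":
    print("local bash vulnerable:", is_bash_vulnerable())
    for ip, field, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip}: probe in {field}: {value}")
```

The bash check deliberately replaces the whole environment rather than adding to it, so nothing else in your shell's environment influences the result; the log scan matches on the function-definition prefix rather than on any particular payload, because the payload is whatever the attacker chose to run.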

As new information emerges, I’ll post updates here.

Update 2014Sep27: The first patch for bash didn't fix the problem completely (the incomplete fix is tracked as CVE-2014-7169), but another patch that does is now available for *nix systems. Still nothing from Apple for OS X. Scans show that there are thousands of vulnerable web servers on the Internet. Existing malware is being modified to take advantage of this new vulnerability, and attacks using it are already being observed. Posts from Ars Technica, Krebs on Security and SANS have additional details.

Update #2: It looks like there are more holes to be patched in BASH.

Update 2014Oct01: Apple releases a bash fix for OS X, more vulnerabilities are discovered, and attacks based on the bash bugs are either increasing or subsiding, depending on who you ask.

Update 2014Oct08: Windows isn’t affected, unless you’re using Cygwin with bash. Oddly, Apple’s OS X bash patch is not available via the App Store; you have to obtain it from the main Apple downloads site. A security researcher claims to have found evidence of a new botnet that uses the Shellshock exploit.

Update 2014Oct23: Ars Technica: Fallout of Shellshock far from over

This month’s Ouch! newsletter: using the Cloud

In the wake of the recent exposure of supposedly private celebrity images comes this timely look at Cloud (web-based) storage (warning: PDF). The article covers all the basics, including what you should look for in a Cloud provider, and how to keep your Cloud-based data secure (hint: use a strong password). Recommended reading for anyone currently using or considering using the Cloud for data storage.

What we know about the recent theft of 1.2 billion passwords

On August 5, the New York Times ran a story calculated to cause panic among Internet users. According to the story, a Russian gang had obtained up to 1.2 billion (yes, billion) login credentials.

The source of the story was Alex Holden, of Hold Security. Unfortunately, Holden didn't provide much in the way of details, which has given rise to a lot of speculation about the facts and about Holden's motives.

Hold Security followed up the story by announcing that they planned to offer a fee-based service that would allow anyone to check whether an email address or user id was in the database of stolen credentials. Many took this as a sign that Hold Security was involved in some kind of scam, but well-known security blogger Brian Krebs came to Holden’s defense in a recent post.

Bruce Schneier, another famous security analyst, isn’t sure. He says – and we agree – that there’s something squirrely about this story.

In any case, it’s simply too soon to know for sure what’s going on. Until someone starts using the purloined information for something other than spam, all we can do is wait. Hopefully Hold Security will either create a free tool for checking credentials, or they’ll hand the database over to someone else who will.

In the meantime, our advice remains the same: use complex, unique passwords (a password manager makes that practical), especially for critical accounts like online banking, and turn on two-factor authentication wherever it's offered.