
For the sixth year in a row, Internet freedom is declining.

According to the latest Freedom on the Net report, 67 percent of all Internet users now live in countries where online criticism of the government, the ruling family or the military is subject to censorship, and where such criticism can get individuals arrested.

Blocking social media apps

More governments have also come to realize the power of social media and messaging apps, and are actively trying to censor them or prevent their use, particularly during anti-government protests, but also because these apps thwart government surveillance efforts.

“The increased controls show the importance of social media and online communication for advancing political freedom and social justice. It is no coincidence that the tools at the center of the current crackdown have been widely used to hold governments accountable and facilitate uncensored conversations,” says Freedom House, the NGO that compiled the report that focuses on developments that occurred between June 2015 and May 2016.

“Authorities in several countries have even resorted to shutting down all internet access at politically contentious times.”

The “problem” with some communication apps is that they encrypt the exchanges. It is interesting to note, though, that some online voice and video calling apps are blocked or restricted in a number of countries mainly because they eat into the profit margins of national telecommunications firms.

The range of censored online content is also expanding, and includes news outlets that favor political opposition, sites that launch calls for protest, sites expounding LGBTI issues, and images.

China, Syria, Iran, Ethiopia and Uzbekistan lead the pack of countries with the smallest amount of Internet freedom. On the other end of the spectrum are Estonia, Iceland, Canada, the US, and Germany.

State of Internet freedom around the world

“Of the 65 countries assessed, 34 have been on a negative trajectory since June 2015. The steepest declines were in Uganda, Bangladesh, Cambodia, Ecuador, and Libya,” Freedom House noted.

“In Uganda, the government made a concerted effort to restrict internet freedom in the run-up to the presidential election and inauguration in the first half of 2016, blocking social media platforms and communication services such as Facebook, Twitter, and WhatsApp for several days. In Bangladesh, Islamist extremists claimed responsibility for the murders of a blogger and the founder of an LGBTI magazine with a community of online supporters. And Cambodia passed an overly broad telecommunications law that put the industry under government control, to the detriment of service providers and user privacy. Separately, Cambodian police arrested several people for their Facebook posts, including one about a border dispute with Vietnam.”

While there have been improvements in 14 other countries, they are small, and not always the result of positive government actions.

The tug of war between protestors, digital activists, and companies offering social media services and communication apps on one side, and a wide variety of governments on the other continues.


Help Net Security

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
thirteenth entry in that series. Unfortunately I won't be able to
publish everything within one month at the current rate, so I may
continue to publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161117001.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

Microsoft Internet Explorer 11 iertutil LCIEGetTypedComponentFromThread
use-after-free
=======================================================================
(The fix and CVE number for this issue are unknown)

Synopsis
--------
A specially crafted web-page can cause the iertutil.dll module of
Microsoft Internet Explorer 11 to free some memory while it still holds
a reference to this memory. The module can be made to use this reference
after the memory has been freed. Unlike many use-after-free bugs in
MSIE, this issue, and apparently all code in this module, is not
mitigated by MemGC. This issue appears to have been addressed in July
2016, as it failed to reproduce after the July security updates were
installed.

Known affected software, attack vectors and mitigation
------------------------------------------------------
+ Microsoft Internet Explorer 11

An attacker would need to get a target user to open a specially
crafted web-page and allow the web-page to open a popup. The target
user may need to run MSIE in the non-default single process mode.
Disabling JavaScript should prevent an attacker from triggering the
vulnerable code path.

Description
-----------
This looks like a pretty straightforward use-after-free, but I did not
investigate at what point in the repro the memory gets freed and when it
gets re-used, so I do not know if an attacker has any chance to force
reallocation of the freed memory before reuse.

The issue can be triggered with MemGC enabled; the object that is freed
does not appear to be protected by MemGC.

The repro requires that MSIE is run in single-process mode in order to
trigger the use-after-free. It is not known if it is possible to tweak
the repro to have MSIE take a similar code-path that leads to a
use-after-free when MSIE is not in single-process mode.

MSIE can be started in single process mode by setting the following
registry key before starting MSIE:

`HKCU\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = DWORD:0`

To revert this change, remove the registry key or set the value to 1 and
restart MSIE.
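As an added audit helper (not part of SkyLined's advisory), the following PowerShell reads the TabProcGrowth value named above for every loaded user hive under HKEY_USERS, flags the non-default single-process setting the repro depends on, and can revert it by deleting the value as described. The function names are my own; it assumes PowerShell 3 or later on Windows and only sees hives of users who are currently logged on.

```powershell
# Added helper, not part of SkyLined's advisory: audits the TabProcGrowth
# value the advisory names and optionally reverts it to the default.
# Assumes PowerShell 3+ on Windows; the HKU walk covers loaded user hives only.

$RelPath = 'Software\Microsoft\Internet Explorer\Main'
$Name    = 'TabProcGrowth'

function Get-TabProcGrowthState {
    param([string]$HiveRoot = 'HKCU:')   # e.g. 'HKCU:' or 'HKU:\S-1-5-21-...'
    $key  = Join-Path $HiveRoot $RelPath
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: MSIE uses its default tab/frame process separation.
        return [pscustomobject]@{ Hive = $HiveRoot; Value = $null; SingleProcess = $false }
    }
    # DWORD 0 is the single-process mode the repro depends on; anything else
    # (1, or the string sizes MSIE also accepts) keeps tabs in separate processes.
    $v = $item.$Name
    [pscustomobject]@{ Hive = $HiveRoot; Value = $v; SingleProcess = ($v -eq 0) }
}

function Repair-TabProcGrowth {
    # Reverts as the advisory describes: delete the value (restart MSIE afterwards).
    param([string]$HiveRoot = 'HKCU:')
    $key = Join-Path $HiveRoot $RelPath
    Remove-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
}

function Invoke-TabProcGrowthAudit {
    param([switch]$Fix)
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    # Every loaded user hive: local/domain account SIDs only, skipping *_Classes
    # subkeys and well-known service SIDs.
    $hives = Get-ChildItem 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($h in $hives) {
        $state = Get-TabProcGrowthState -HiveRoot "HKU:\$($h.PSChildName)"
        if ($state.SingleProcess) {
            Write-Warning "$($state.Hive): TabProcGrowth=$($state.Value) (single-process mode, non-default)"
            if ($Fix) { Repair-TabProcGrowth -HiveRoot $state.Hive }
        } else {
            Write-Output "$($state.Hive): OK (TabProcGrowth=$($state.Value))"
        }
    }
}

Invoke-TabProcGrowthAudit   # add -Fix to delete the value wherever it is 0
```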

Exploit
-------
A number of factors appear to be getting in the way of creating a usable
exploit for this issue:
* I did not investigate if it is possible to reproduce the issue without
opening a pop-up to make it exploitable in the presence of a pop-up
blocker.
* I did not investigate if it is possible to reproduce the issue without
running MSIE in single-process mode to exploit it on a system
with default settings.
* I did not investigate if it is possible to reallocate the freed memory
between the free and the use-after-free in order to modify control
flow.
Because there are so many things that would need to be investigated in
order to write an exploit, I felt it was not cost-effective for me to do so.

Time-line
---------
* July 2016: This vulnerability was found through fuzzing.
* July 2016: This vulnerability was submitted to ZDI and iDefense.
* July 2016: ZDI reports they are unable to reproduce the issue.
* November 2016: Details of this issue are released.

Cheers,
SkyLined

Repro.html

<!DOCTYPE html>
<html>
  <head>
    <!-- Force IE5 (quirks) document mode -->
    <meta http-equiv="X-UA-Compatible" content="IE=5">
    <script>
      // Sequence from the advisory: open and close a popup, create a
      // popup, then write to the document.
      onload = function () {
        open("about:blank").close();
        createAPopup(); // called as given in the published repro
        document.write("x");
      };
    </script>
  </head>
</html>


Exploit Files ≈ Packet Storm

A daily summary of network and system security news from the SANS Internet Storm Center
Author: Johannes B. Ullrich, Ph.D.
Created: Wednesday, September 28th 2016
Length: 5:07 minutes


To subscribe, use one of the following URLs:
RSS feed: https://isc.sans.edu/dailypodcast.xml (any podcast player should support this in some way)

Keywords: Security Network Technology Windows Linux Apple iOS Android Firewall

Show Notes

Rig Exploit Kit Used to Spread Locky Ransomware
https://isc.sans.edu/forums/diary/Rig+Exploit+Kit+from+the+Afraidgate+Campaign/21531/

Facebook Releases osquery for Windows
https://blog.trailofbits.com/2016/09/27/windows-network-security-now-easier-with-osquery/

Update Cowrie and "New" Default Password used in Internet Wide Scans
https://isc.sans.edu/ssh.html?pw=xc3511

BIND Name Server Update
https://kb.isc.org/article/AA-01393/74/CVE-2016-2775%3A-A-query-name-which-is-too-long-can-cause-a-segmentation-fault-in-lwresd.html

Various Cisco DoS Vulnerabilities
https://tools.cisco.com/security/center/publicationListing.x?product=NonCisco#~Vulnerabilities


Information Security Podcasts

Internet of Things devices are starting to pose a real threat to security for the sensible part of the web, Akamai's chief security officer Andy Ellis has told The Register.

Speaking in the aftermath of the large DDoS against security journalist Brian Krebs, Ellis elaborated a little on the makeup of the botnet which took down Krebs' website, saying it was mostly made up of hacked Internet of Things devices.

“We've noticed a strong overlap between the attack … and one of the botnets that we have been working at in modelling,” Ellis told El Reg, as he named the Kaiten malware as one of the vectors involved in the Krebs attack.

Kaiten has long been known as a source of IRC-controlled DDoS attacks. While the original chiefly targeted routers, this latest version also “targets DVRs and some cameras” according to Ellis.

During the attack against Krebs, Akamai jettisoned him from their DDoS mitigation service with two hours' notice. Krebs was a pro bono customer and the sheer volume of traffic – 620Gbps – threatened to affect services for Akamai's paying clients. Krebs later said he didn't blame Akamai for taking the action they did, even though Google stepped in with its Project Shield service.

“This is a very concerning thing, looking at the prevalence of IoT and the ability for [the Krebs attackers] to throw around this volume of traffic,” Ellis said. “More research is being done on the adversary side to find out how to better take control of IoT devices, whether by means of a brute force attack using a known and common credential such as the [default] admin password, which gets them into a handful of routers out there, and then [the attackers start] leveraging the bandwidth of these end users.”

The chief problem for DDoS mitigation outfits trying to defend against IoT botnets is that with so many devices potentially falling under the control of miscreants, it is straightforward for the attacker's traffic to masquerade as legitimate web traffic.

“Compromised IoT devices … have the ability to source traffic from the same IP address as a legitimate user,” said Ellis, “which obviously gives the advantage that it stops [attackers] from being trivially filtered. I don't think I'm giving anything away when I say that when you're protecting a web server, any traffic coming in that's not related to web traffic is very deep and easy for you to drop. And the more that an adversary can look like a legitimate user, the more difficult it becomes, the more resources you have to expend to identify that that's an attacker and mitigating it.”

Culture change needed in IoT architecture

Part of the problem is the sheer difficulty of patching and updating IoT devices to take advantage of the latest vuln plugs.

Ellis said: “If you have an iPhone it auto updates in the background and you press OK and it takes care of it for you. We've become so used to that on the internet of general purpose computing devices that when we look at the Internet of Things – or as one of my colleagues likes to call it, Things on the Internet – there aren't devices built into that same robust infrastructure.”

Then he spelled out the painful upgrade process for most current IoT devices:

If I want to patch them, I need to go to the vendor website, hunt for my model of device, download an executable to my desktop and run it, when the executable will open a network hole and patch, upgrade the firmware on my device. You walk through that and to you and I that probably seems like, 'that's painful but at least I understood what it was I was doing'.

For most users that's a really challenging thing. They're not professional systems administrators. Why do we expect them to treat these devices the same way that a systems administrator treats enterprise-class routers?

He also said that IoT devices ought to be “deployed in a fashion that makes them automatically update and keep themselves secure all the time.”

As for the Krebs hack, does the widespread use of an IoT botnet mean that the whole concept of IoT security is fatally flawed? Do we need to trash it all and start over?

“We don't know for certain that every machine involved in this was IoT; it's quite possible that the attacker spliced together a botnet including traditionally compromised servers as well as these IoT devices,” Ellis concluded. “Hopefully we'll learn more as we dig through the data.” ®



The Register - Security

Author: Johannes B. Ullrich, Ph.D.
Created: Monday, September 26th 2016
Length: 5:42 minutes


Show Notes

Analyzing Malicious .PUB files
https://isc.sans.edu/forums/diary/PUB+Analysis/21517/

iOS 10 Backup Passwords Easier to Crack
http://blog.elcomsoft.com/2016/09/ios-10-security-weakness-discovered-backup-passwords-much-easier-to-break/

Windows 10 Certificate Pinning of Microsoft Domains
http://hexatomium.github.io/2016/09/24/hidden-w10-pins/

IBM Geoblocking Fail For Australian Census
http://www.aph.gov.au/DocumentStore.ashx?id=124f22ba-caaa-46ff-899d-7d96851fee3e&subId=414127

97% Of Fortune 1000 Companies Have Leaked Credentials
http://info.digitalshadows.com/rs/457-XEY-671/images/CompromisedCredentials-LearnFromtheExposureoftheWorlds1000BiggestCompanies-Download.pdf


Author: Johannes B. Ullrich, Ph.D.
Created: Thursday, September 22nd 2016
Length: 5:25 minutes


Show Notes

OpenSSL Security Update
https://isc.sans.edu/forums/diary/OpenSSL+Update+Released/21509/

ATM Skimmer Prototypes To Collect Fingerprints
https://securelist.com/files/2016/09/16_09_en.pdf

Yahoo! Breach Leaks 500M Users' Data
https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security


Author: Johannes B. Ullrich, Ph.D.
Created: Tuesday, September 20th 2016
Length: 5:39 minutes


Show Notes

Taking Over Facebook Pages
http://arunsureshkumar.me/index.php/2016/09/16/facebook-page-takeover-zero-day-vulnerability/

Exchange Auto-Discovery Vulnerability
http://www.theregister.co.uk/2016/09/19/ms_exchange_alleged_bug/

Spyware Apps Targeting Travelers Removed From Google App Store
https://blog.lookout.com/blog/2016/09/16/embassy-spyware-google-play/

Firefox Will Patch HSTS Vulnerability
https://threatpost.com/mozilla-patching-firefox-certificate-pinning-vulnerability/120694/

OpenSSL Patch Pre-Announcement
https://mta.openssl.org/pipermail/openssl-announce/2016-September/000076.html


Twitter, Dropbox, Uber and several other major tech companies have joined forces and launched the Vendor Security Alliance (VSA), a coalition whose goal is to improve Internet security.

The VSA aims to help organizations streamline their evaluation processes for vendors through a standard questionnaire designed to assess security and compliance practices.

Companies will be provided a yearly questionnaire that will help them determine if a vendor has all the appropriate security controls in place.

The first questionnaire, created by security experts and compliance officers, will be made available for free on October 1. It will measure vendors’ cybersecurity risk level, including procedures, policies, privacy, data security and vulnerability management.

“Once complete, that questionnaire is evaluated, audited, and scored by an independent third party auditor working alongside the VSA,” explained Ken Baylor, head of compliance at Uber. “Points will be granted for sound practices and taken away for practices that could increase security risks. Vendors can then use that score when seeking to offer their services to any business in the VSA, without the need for further audits.”

“The VSA will also enable companies to save time and money through the use of a standardized cybersecurity evaluation with real-time answers. The current way of evaluating cybersecurity risks and approving vendors can take several months – the new VSA process cuts the process down to minutes,” Baylor added.

The founding companies of the VSA are Uber, Docker, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy and AirBnb. Executives from each of these organizations form the VSA’s board of directors.

A vendor security assessment questionnaire (VSAQ) is also available from Google. The search giant announced earlier this year that it had decided to open source its VSAQ framework, which the company has been using to evaluate the security and privacy posture of its third-party vendors.


SecurityWeek RSS Feed

Author: Johannes B. Ullrich, Ph.D.
Created: Tuesday, August 16th 2016
Length: 6:04 minutes


Show Notes

Cryptanalysis of a Fully Homomorphic Encryption Scheme
http://eprint.iacr.org/2016/775.pdf

Recreating Android App Displays from Memory
https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_saltaformaggio.pdf

Various Router Exploits Released
https://medium.com/@msuiche/shadow-brokers-nsa-exploits-of-the-week-3f7e17bdc216#.mnoyydmeu


Author: Johannes B. Ullrich, Ph.D.
Created: Monday, August 15th 2016
Length: 6:20 minutes


Show Notes

Starting October 2016, Microsoft Will Use Monthly Rollup Updates for Win 7/8.1
https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

Updated Group Policies To Block Macros in Office 2013
https://isc.sans.edu/forums/diary/MS+Office+2013+New+Macro+Controls+Sorta/21371/

Bypassing Application Whitelisting using WinDbg
http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html

Bypassing UAC without writing to disk
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
