(Feb 10) An updated wget package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Low [More…]
Netcraft has found dozens of fake SSL certificates impersonating banks, ecommerce sites, ISPs and social networks. Some of these certificates may be used to carry out man-in-the-middle attacks against the affected companies and their customers. Successful attacks would allow criminals to decrypt legitimate online banking traffic before re-encrypting it and forwarding it to the bank. This would leave both parties unaware that the attacker may have captured the customer’s authentication credentials, or manipulated the amount or recipient of a money transfer.
The fake certificates bear common names (CNs) which match the hostnames of their targets (e.g. www.facebook.com). As the certificates are not signed by trusted certificate authorities, none will be regarded as valid by mainstream web browser software; however, an increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates.
Fake certificates alone are not enough to allow an attacker to carry out a man-in-the-middle attack. He would also need to be in a position to eavesdrop on the network traffic flowing between the victim’s mobile device and the servers it communicates with. In practice, this means that an attacker would need to share a network and internet connection with the victim, or would need to have access to some system on the internet between the victim and the server. Setting up a rogue wireless access point is one of the easiest ways for an individual to carry out such attacks, as the attacker can easily monitor all network traffic as well as influence the results of DNS lookups (for example, making www.examplebank.com resolve to an IP address under his control).
Researchers from Stanford University and The University of Texas at Austin found broken SSL certificate validation in Amazon’s EC2 Java library, Amazon’s and PayPal’s merchant SDKs, integrated shopping carts such as osCommerce and ZenCart, and AdMob code used by mobile websites. A lack of certificate checks within the popular Steam gaming platform also allowed consumer PayPal payments to be undetectably intercepted for at least 3 months before eventually being fixed.
Online banking apps for mobile devices are tempting targets for man-in-the-middle attacks, as SSL certificate validation is far from trivial, and mobile applications often fall short of the standard of validation performed by web browsers. 40% of iOS-based banking apps tested by IO Active are vulnerable to such attacks because they fail to validate the authenticity of SSL certificates presented by the server. 41% of selected Android apps were found to be vulnerable in manual tests by Leibniz University of Hannover and Philipps University of Marburg in Germany. Both apps and browsers may also be vulnerable if a user can be tricked into installing rogue root certificates through social engineering or malware attacks, although this kind of attack is far from trivial on an iPhone.
The following fake certificate for facebook.com is served from a web server in Ukraine. There are clearly fraudulent intentions behind this certificate, as browsing to the site presents a Facebook phishing site; however, the official Facebook app is safe from such attacks, as it properly validates SSL certificates and also uses certificate pinning to ensure that it is protected against fraudulently issued certificates.
Similarly, this wildcard certificate for *.google.com could suggest an attempted attack against a multitude of Google services. The fake certificate is served from a machine in Romania, which also hosts dozens of websites with .ro and .com top level domains. It claims to have been issued by America Online Root Certification Authority 42, closely mimicking the legitimate AOL trusted root certificates which are installed in all browsers, but the fake certificate lacks a verifiable certificate chain. Some browsers’ default settings will not allow a user to bypass the resultant error message.
Not all fake certificates have fraudulent intentions, though. The KyoCast mod uses a similar wildcard certificate for *.google.com, allowing rooted Chromecast devices to intentionally send certain traffic to KyoCast servers instead of Google’s. The fake certificate is issued by “Kyocast Root CA”. Using the Subject Alternative Name extension, the certificate specifies a list of other hostnames for which the certificate should be considered valid:
Russia’s second largest bank was seemingly targeted by the following certificate – note that the issuer details have also been forged, possibly in an attempt to exploit superficial validation of the certificate chain.
A similar technique is used in this certificate which impersonates a large Russian payment services provider. SecureTrust is part of Trustwave, a small but bona fide certificate authority.
GoDaddy’s POP mail server is impersonated in the following certificate. In this case, the opportunities could be criminal (capturing mail credentials, issuing password resets, stealing sensitive data) or even state spying, although it is unexpected to see such a certificate being offered via a website. Although the actual intentions are unknown, it is worth noting that many mail clients allow certificate errors to be ignored either temporarily or permanently, and some users may be accustomed to dismissing such warnings.
Apple iTunes is currently the most popular phishing target after PayPal. In this example, the fake certificate has an issuer common name of “VeriSign Class 3 Secure Server CA – G2”, which mimics legitimate common names in valid certificates; however, there is no certificate chain linking it back to VeriSign’s root (so it is a forgery rather than a mis-issued certificate).
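The forged issuer names above only work against software that trusts what a certificate claims about its signer. As an added example (not Netcraft’s code; the certificates are constructed in memory, not the ones found in the wild), this Go program mints a fake root with a look-alike issuer CN and a leaf for www.facebook.com with a *.google.com SAN, then contrasts three checks: a superficial issuer-name comparison, a browser-style chain, validity and hostname check via the standard library, and an SPKI pin of the kind the Facebook app relies on. The function names mintCert, superficialIssuerCheck, browserStyleCheck and spkiPin are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // constructed demo inputs are not expected to fail
	}
	return v
}

// mintCert builds a constructed demo certificate: self-signed (a fake root) when parent is nil, else signed by parent/parentKey.
func mintCert(cn string, sans []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames:  sans, IsCA: isCA, BasicConstraintsValid: true, // sans = Subject Alternative Names
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// superficialIssuerCheck is the weak check a forged issuer name defeats: it believes the claimed signer.
func superficialIssuerCheck(c *x509.Certificate, trustedIssuerCN string) bool {
	return c.Issuer.CommonName == trustedIssuerCN
}

// browserStyleCheck requires a signature chain to a trusted root, a current validity period and a SAN matching host.
func browserStyleCheck(c *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// spkiPin hashes the SubjectPublicKeyInfo; a pinned value rejects a cert even if a rogue installed root vouches for it.
func spkiPin(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}
```

Against an empty trust store the leaf fails browserStyleCheck while passing the issuer-name comparison; once the fake root is added to the pool (the effect of a rogue root installed on a device) the chain verifies, and only the pin still rejects it.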
It is not always criminals who use fake certificates to intercept communications.
As a final example, the following fake certificate for youtube.com was served from a machine in Pakistan, where there is a history of blocking access to YouTube. This certificate is probably part of an attempt to prevent citizens from watching videos on YouTube, as the website serves “This content is banned in Pakistan” when visited.
Netcraft’s Mobile App Security Testing service provides a detailed security analysis of phone or tablet based apps. A key feature of this service is manual testing by experienced security professionals, which typically uncovers many more issues than automated tests alone. The service is designed to rigorously push the defences of not only the app itself, but also the servers it interacts with. It is suitable for commissioning, third party assurance, post-attack analysis, audit and regulatory purposes where independence and quality of service are important requirements.
GCHQ’s website at www.gchq.gov.uk is exhibiting some noticeable performance issues today, suggesting that it could be suffering from a denial of service attack.
Last week, documents from whistle-blower Edward Snowden revealed that GCHQ carried out denial of service (DoS) attacks against communications systems used by the hacktivist group Anonymous during their own Operation Payback, which itself involved carrying out denial of service attacks against high profile websites such as MasterCard, Visa, Amazon, Moneybookers, and PostFinance.
This caused some furore amongst supporters of Operation Payback, some of whom were tried and convicted for carrying out denial of service attacks. Denial of service attacks are illegal in the UK under the Police and Justice Act 2006, yet the leaked slides suggest that GCHQ may have used such techniques against Anonymous, resulting in 80% of IRC users leaving within a month.
Part of a statement published by Anonymous on AnonNews.
Following these revelations, a statement on GCHQ’s war against Anonymous was posted on the AnonNews website. The statement ends with a suggestion that some kind of retaliation could be expected: “Now that we truly know who it was who attacked us, Expect all of us.”
Twitter accounts associated with Anonymous also fuelled suggestions that they could be responsible for GCHQ’s website woes, with some referring to the #TheDayWeFightBack hashtag.
http://t.co/FCYJFlYAHr is still #TANGODOWN
We are anonymous.
It is far too late to expect us. pic.twitter.com/PVbTunXjqt
— AnonOpsCenter (@AnonOpsCenter) February 12, 2014
Curiously, a much larger amount of downtime has been observed from Netcraft’s Romanian performance monitor since the leaked slides were made public. That could indicate much more extreme DDoS mitigation techniques are being applied to these requests, and this in turn suggests that if an attack is occurring, perhaps Romania is one of the countries from which the attacks are being launched.
The www.gchq.gov.uk website is served from a content delivery network run by Limelight Networks, who claim to be one of the world’s largest, best performing, and most highly available content delivery networks. Although it remains hosted at the same location, the website changed its Server header from “WebServer” to “EdgePrism/4.1.2.0” earlier this week. Limelight Networks first unveiled EdgePrism in 2001, so any similarities to the name of the NSA’s PRISM mass electronic surveillance program are presumably coincidental.
(Feb 10) Multiple security issues have been found in Iceweasel, Debian’s version of the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, too-verbose error messages and missing permission checks may lead to the execution of arbitrary code, the bypass of security [More…]
(Feb 8) It was discovered by the Spring development team that the fix for the XML External Entity (XXE) Injection (CVE-2013-4152) in the Spring Framework was incomplete. [More…]