Connect with us

Cyber Security

Fixing the Problems #1 – CAA




Reading Time: 6 minutes

Following the incident on March 15, Comodo introduced additional methods and controls immediately against this new threat vector.  On March 26 these systems detected that a further reseller was under a similar attack from what we believe to be the same perpetrator.  The new security measures protected against this attack.  Neither of these recent attacks involved the compromise of any Comodo infrastructure. Comodo has updated the incident report. We at Comodo look forward to continuing our work with all stakeholders and the security industry to continue to respond to this incident through remediation measures and set new standards to these new and emerging threats.

As the uses of the Internet change, the threat model changes. The weaknesses in the Internet infrastructure highlighted by the attack from Iran have been present for over a decade, what has changed is their significance.

Money is a fungible good and it is not worth expending $X in time, effort and resources to protect assets worth less than $X. Freedom is not a fungible good and so the threat model has changed.

If we are going to be successful we need to address the security of the system and look beyond the immediate event and the specific target. The attack highlights a weakness in the Certification Authority Infrastructure that we were already proposing to address with the Certification Authority Authorization (CAA) proposal made to the IETF, co-authored by Ben Laurie of Google.

We will look at CAA in a moment, but first lets look at the other parts of the system that are vulnerable; password authentication and code authentication.

The ultimate objective of the attack in question was to intercept communication to the authentication servers at major email providers and social networking sites, specifically to gain control of those accounts by obtaining usernames and passwords. The core weakness in the current Web authentication scheme is that the Web browser authenticates to a Web server by passing it the password. Use of SSL protects the password from interception during communication but the Web server receives the actual password typed by the user. Thus the consequence of any compromise of a Web server or an SSL certificate is compromise of the user credentials. This is an unnecessary weakness in the Internet security infrastructure and one that can be solved through some minor changes to the SSL/HTML authentication mechanism if only we could find the will to act.

The other part of the system that is vulnerable is the code authentication. One of the many services that the government of Iran offers to its citizens is a Web server offering free software. Unlike the free software provided by SourceForge and the like, this free software is mostly stolen commercial software with any copy-protection mechanisms stripped out. Experts who have reviewed the software tell me that it contains backdoors and keystroke loggers that would enable government surveillance of the use of the machine.

If we are going to be successful in defending against this new level of attack we will have to be proactive and address all three issues. A reactive approach that only addresses vulnerabilities as they are exploited will fail.

Certificate Authority Authorization (CAA) is a proposal to address the first area of vulnerability authored by myself and Rob Stradling of Comodo and Ben Laurie of Google. The first draft of the proposal was made in October 2010, before either the attack or the political events that are believed to have motivated occurred.

CAA is a mechanism that allows a domain name owner to specify which Certification Authorities and/or signature keys are authorized to issue certificates for a domain. The basic mechanism allows Certification Authorities to avoid mis-issue of certificates and for application software to avoid reliance on mis-issued certificates.

For example, imagine that Alice Corp is a 10,000 employee company with offices in 30 countries. If Carol CA requests a certificate that purports to be from Alice Corp they will validate and issue the certificate under the policy of Carol CA which might be very different from the policy that Alice Corp would want to be applied.

Large corporations that are frequent targets of this type of attack have recognized this particular vulnerability and have established sole or restricted vendor agreements with a single CA or a small number of CAs. The process of issuing certificates and management of the certificate lifecycle can then be integrated into the business processes of the customer.

Preventing mis-issue of an Alice Corp certificate by an approved CA is quite straightforward as all legitimate requests will be made through the specific processes agreed between Alice Corp and the approved CA. The problem arises when Carol CA is not an approved CA. Today Carol CA has no means of knowing that a restricted supplier policy even exists. CAA allows a domain name owner to advertise the existence of a restricted supplier policy and thus prevent mis-issue. If Carol CA is on the list of authorized Certification Authorities it will check to see that it complies with whatever additional authentication requirements have been agreed out of band. If a set of authorized Certification Authorities is published and Carol CA is not listed, the request is almost certainly fraudulent and must be refused.

In addition to making it easier for a CA to avoid mis-issue, the CAA mechanism provides an objective standard for mis-issue. If a CA issues despite a published Certification Authority Authorization set, the issue of the certificate can only be a mis-issue. Certification Authorities that persistently mis-issue are liable to find that client software providers are no longer willing to include their root Certificates or mark them as trustworthy.

CAA is thus an accountability control against certificate mis-issue. Unlike most proposed changes to the Internet infrastructure, the benefits of preventing mis-issue events can be realized very rapidly. A domain name holder does not have to wait until everyone has updated their Web browser, they will receive the benefit when Certification Authorities deploy and the latter have a very strong motivation to do so very rapidly.

If the threat model was limited to financially motivated attacks from organized crime, the accountability control alone might be sufficient. Accountability controls are not sufficient when the threat model extends to government agencies that can coerce a certificate issuer or their agent.

We can hold a person accountable for mis-issue that results from negligence or malice but the system must be robust against threats of coercion. Bank employees are told on the first day of work that if an armed robbery is attempted they are to hand over the contents of the safe and the die-pack. Attempting to resist an armed robbery is a firing offense. We need to take the same approach to Certification Authority operations: take all reasonable precautions but do not expect unreasonable ones. Banks limit thefts from armed robberies by ensuring that the amount of inventory (i.e. money) on hand never exceeds a relatively small amount.

In addition to the accountability control that provides an almost immediate benefit as soon as the necessary DNS Resource Record code is assigned, CAA allows certificate issuer restrictions to be enforced by client software such as Web browsers. To gain the benefit of this control, a user will of course need to update their Web browser. The benefits will thus be initially limited to a relatively small number of users at first, but this is an acceptable limitation since the browser users most likely to be targeted by this form of attack already know that they need to keep their software defenses current.

This last point, the fact that those targeted for government directed attacks can be expected to be early adopters for countermeasures is important because it allows us to consider other, more comprehensive measures. The vulnerability of using usernames and passwords as the basis for Internet authentication have been known for more than two decades, as has the fact that the approach adopted in the Web world, of delivering the password itself to a server for verification is amongst the worst. What has been lacking until now has been the incentive to make the necessary changes.

In the mid-1990s we faced a similar problem with Internet mailing lists. At the time all that was necessary to subscribe to a mailing list was to send a request. A few mailing list managers could send an email message to request confirmation, but this option was rarely used. Then one day some wag decided to subscribe a couple of thousand public mailing lists to each other so that a mail sent to one list would cascade through to all of the others and sign up the US White House mailing addresses to the result.

I recall that the attack began on a Friday. By the following Monday almost every mailing list on the Internet was running with subscription requests verified or with request verification enabled. Internet standards usually move pretty slowly but on occasion they can move very fast indeed. We could deploy CAA with similar speed.

In this case we need to move fast: First deploy CAA and then lets fix the Web user authentication disaster.


Cyber Security

USCYBERCOM Released New Malware Samples





New malware samples associated with the operations of Russian threat actors Turla and Zebrocy have been released this week by the United States Cyber Command (USCYBERCOM).

Turla was most recently observed attacking a European government agency with numerous backdoors, connected to malicious activities dating back two decades and often referred to as Rat, Waterbug, Venomous Bear, Belugasturgeon, and KRYPTON.

USCYBERCOM posted new samples of the ComRAT Trojan on VirusTotal on Thursday, which is suspected to be one of the oldest malware families employed by Russia-linked threat actors.

The FBI is extremely optimistic that ComRAT malware is being used by Russian-sponsored APT actor Turla, an intelligence organisation operating for at least a decade, to hack victim networks. A malware intelligence study from the Cybersecurity and Information Protection Agency (CISA) reports that the group is well known for its customised software and tailored operations.

The report shares knowledge about a PowerShell script that is used to mount another script that loads the ComRAT version 4 DLL in turn. CISA clarifies that the malware contains DLLs used as contact modules that are inserted into the default browser and that use a called pipe to communicate with the ComRATv4 code. In order to accept commands and exfiltrate files, a Gmail web interface is used.

A total of five ComRAT files and two samples identified with the Russian threat actor Zebrocy were posted by USCYBERCOM on VirusTotal.

The Russian hacker community, initially detailed in 2018, is considered part of the notorious Sofacy APT (also referred to as APT28, Fancy Bear, Pawn Storm, Sednit, and Strontium) by some security firms, while others see it as a distinct organisation.

New Zebrocy attacks were discovered in September 2020, demonstrating persistent targeting of countries connected to the North Atlantic Treaty Organization ( NATO).

Windows executables are the two examples that USCYBERCOM shared on VirusTotal that are suspected to be a new version of the Zebrocy backdoor. The malware gives remote access to a compromised device to attackers and facilitates multiple operations, CISA says.

CISA advises that security best practises be implemented by users and administrators to ensure that their devices stay safe from recently shared samples of ransomware or other risks.


Continue Reading

Cyber Security

The WordPress Core Team has Released an Emergency Release of WordPress 5.5.3





An emergency update of WordPress 5.5.3 has been released by the WordPress core team, just one day after version 5.5.2 was released. This emergency update was made to fix a problem implemented in WordPress 5.5.2, making it difficult to run WordPress without a database link installed on a brand new website. A second problem caused a number of pages to be erroneously upgraded to version 5.5.3-alpha while planning for this emergency upgrade.

According to the release notes, the WordPress auto-update framework upgraded some pages from version 5.5.2 to 5.5.3-alpha between about 15:30 and 16:00 UTC on October 30th. This happened because, in an effort to discourage new users from using this update, the WordPress Core team blocked the 5.5.2 release download. By deleting the 5.5.2 download, the API returned the 5.5.3-alpha-49449 alpha version as the version that WordPress can migrate to.

An overview of the release 5.5.3-alpha-49449 showed no distinction between the release 5.5.2 of WordPress and 5.5.3-alpha-49449 of WordPress, since much of the key features is the same. Owing to the mistake, no recorded site functionality was disabled. However, along with the Akismet plugin, a number of additional Twenty- themes were built with that autoupdate.

To fix both concerns, download 5.5.2 was originally re-enabled by the Core team to discourage sites from upgrading to the alpha version, followed by the WordPress 5.5.3 emergency release to resolve the issue that stopped new install.

What Should I Have Done?

If your WordPress 5.5.3-alpha site has been upgraded, you can have additional themes built on your site. You may have Akismet mounted as well. When installed as part of the pre-release kit, these themes and plugins were not allowed. Check the themes and installation of plugins. There will be no other plugins installed or deleted.

Upgrade the pages to WordPress 5.5.3 normally, just as you will on every other update to WordPress. If you want your site to auto-update, you will already have version 5.5.3 enabled.

If you haven’t upgraded to 5.5.2 for WordPress yet, upgrading to 5.5.3 is exactly the same version with a slight patch. It is secure to upgrade your site.


Continue Reading

Cyber Security

Hackers Continue to Target Zerologon Vulnerability





This week, Microsoft announced that it continues to obtain complaints of attacks targeting the Zerologon vulnerability from customers.

Patched on August 11, the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) found the security vulnerability. Tracked as CVE-2020-1472, to compromise Active Directory domain controllers and obtain domain administrator rights, the problem can be exploited.

After the DHS directed federal departments to quickly submit available fixes, the flaw came into the spotlight, with both Microsoft and CISA releasing reports on the attackers actively exploiting the bug.

Microsoft released a guide at the end of September to provide companies with all the required information to fix the problem inside their Active Directory implementations, but it seems that certain customers are already vulnerable.

“The vulnerability could cause an attacker to fake a domain controller account that could be used to capture domain credentials and take over the domain, if the original advice is not implemented,” Microsoft now says.

The technology giant also reiterates that downloading the available patches on each domain controller is the first step in fixing the vulnerability.

Responsive Directory domain controller and trust accounts will be secured alongside Windows domain-joined system accounts until they have been fully deployed. The business states that we highly urge everyone who has not adopted the upgrade to take this measure now.

Customers can use the upgrade to follow the previously released advice from Microsoft to ensure that they are completely covered. In that guide, for more clarification, the organisation has already revised the FAQs.

Following the upgrade, to ensure that CVE-2020-1472 is actually handled in their system, consumers are recommended to locate any devices that might still be vulnerable, fix them, and then allow compliance mode.

CISA issued a warning on Thursday to warn of continuing misuse of Zerologon and to encourage administrators to instal the patches available as soon as possible.


Continue Reading
Esports5 hours ago

blocker steps down from FATE

Energy6 hours ago

Energy Inspectors Corporation Receives U.S. Environmental Protection Agency National WaterSense Provider of the Year Award For 2020

Blockchain News7 hours ago

Chinese President Xi Jinping: Participate in Making Digital Currency and Digital Tax’s International Rule Actively

Esports7 hours ago

BIG qualify for BLAST Premier Fall Finals over Complexity

Energy8 hours ago

1 p.m. Update: Georgia Power working to restore remaining 68,000 customers after Hurricane Zeta

Blockchain News8 hours ago

South Korean Hospitals to Usher in New Healthcare Era Using Blockchain Technology, AI and Big Data

Code8 hours ago

[AWS Certified Developer] – Associate Practice Test Exam

Esports9 hours ago

Edward: “After three consecutive tournament victories in 2018, we could have become the best team in the world, but we chose to hang out”

AR/VR9 hours ago

VR Animation Baba Yaga Exclusive to Oculus Quest in 2021

Blockchain10 hours ago

Bitcoin-Themed NFT Card Set Launches On Anniversary Of Satoshi’s White Paper

Blockchain News11 hours ago

Verizon’s New Blockchain Verification Tool ‘Full Transparency’ Combats Fake News

Energy11 hours ago

9 a.m. Update: Georgia Power working to restore remaining 78,000 customers after Hurricane Zeta

Energy12 hours ago

E-Bikes Catch on Outside China, Boosting Global Market Growth Through 2024

Blockchain News12 hours ago

Chinese City Eyes Blockchain Applications for Urban Governance and Smart Education

Cyber Security12 hours ago

USCYBERCOM Released New Malware Samples

Blockchain News12 hours ago

The Bank of Russia Says CBDC Will Eliminate Challenges Caused by Cryptocurrencies

Esports14 hours ago

ESEA Season 35 Global Challenge canceled

Cyber Security17 hours ago

The WordPress Core Team has Released an Emergency Release of WordPress 5.5.3

Energy22 hours ago

Exchange between ChantsWood (Beijing) Information Technology Co., Ltd. and ZHOU Qian, Renowned Chinese Expert on Electric Power Communication

Energy1 day ago

Energy Fuels Announces Q3-2020 Results; Debt-Free with Strong Working Capital; Advancement of Uranium & Rare Earths; Webcast on November 3, 2020

Energy1 day ago

7 p.m. Update: Power restored to nearly 741,000 Georgia Power customers after Hurricane Zeta’s path through Georgia

Energy1 day ago

ACC: Plastic Waste Study In “Science Advances” Provides Incomplete Picture

Esports1 day ago

Complexity eliminate FaZe from BLAST Premier Fall Series

Blockchain1 day ago

TRAMS DEX Propels Global Adoption of DeFi with Automated Market Maker (AMM) protocol

AI1 day ago

AI Contact Tracer Awarded at UNLV

Press Releases1 day ago

Bixin Ventures Announces $100M Proprietary Capital Fund to Support Global Blockchain Ecosystem

Press Releases1 day ago

SHANGHAI, Oct 26, 2020 – (ACN Newswire)

Start Ups1 day ago

CB Insights: Trends, Insights & Startups from The Fintech 250

Press Releases1 day ago

Valarhash Launches New Service Series for its Mining Hosting Operations

zephyrnet1 day ago

Trends, Insights & Startups from The Fintech 250

AR/VR1 day ago

The VR Game Launch Roundup: Time to Grapple With Zombies & Interior Design

Cyber Security1 day ago

Hackers Continue to Target Zerologon Vulnerability

AR/VR1 day ago

Oculus Quest 2 Sales Surpass Facebook Expectations, Pre-orders 5x More Than Original Quest

Crowdfunding1 day ago

Warning: This Is Cyber Criminals’ New Method of Attack

Cannabis1 day ago

Current Research on Effect Specific Uses of Cannabis

Crowdfunding1 day ago

Friday Charts: I Double Dare You To Ignore This Trend

AR/VR1 day ago

Five Nights at Freddy’s AR: Special Delivery Update Expands Phone Compatibility, Adds New Modes

AR/VR2 days ago

Hybrid Tower Defence/FPS Cyberspace VR Launches Kickstarter

Covid192 days ago

How Telemedicine Can Help Keep Your Health on Track

Start Ups2 days ago

Website Packages – Good or Evil?