
Tuesday, April 26, 2016

Signaling System No 7 (SS7) Vulnerability in Mobile Phone Networks (Week 7)

Signaling System No 7 (SS7) is the system that connects one mobile phone network to another. SS7 is a suite of protocols standardized in the ITU-T Q.700 series; new protocols were later added to support services such as roaming, Short Message Service (SMS), and data. As with many legacy technologies, SS7 was designed with little security: concepts such as authentication and authorization were hardly present or discussed, and SS7 security was based solely on trust. The protocol was regarded as a closed network, and researchers had no access to SS7 networks. However, the SS7 network is no longer closed. Network providers are opening up their SS7 networks to third parties as part of their commercial offerings.

This legacy technology has vulnerabilities. Malicious actors can exploit these vulnerabilities, which were brought to attention in 2010 and still exist today. The actors can transparently forward calls, record or listen to calls, read SMS messages sent between phones, and track the location of a phone. The attack surface is vast. There are over 800 cell phone networks around the world, each with roughly 100 to 200 interlocking roaming agreements with other networks. That means virtually every cell phone network is interconnected, allowing hackers to potentially tap any phone regardless of location.

Since the exposure of these security holes, some organizations have set up services that monitor abuses of the networks and have employed security contractors to analyze the SS7 systems in use in order to prevent unauthorized access. The main risk to users is to their privacy: eavesdropping on voice calls, reading text messages, and tracking people and their habits, by actors ranging from criminal hackers to government surveillance. There are other dangers too, such as the interception of two-step verification codes, which are often used as a security measure to verify a user's identity when logging into email accounts, banks, or other secure institutions.

For an attack to occur, the bad actor must know enough to build a node that emulates that of a mobile operator. To access an SS7 network, attackers can acquire an existing provider's connection on the black market, or obtain authorization to operate as a mobile carrier in a country with lax communications laws. In addition, any hacker who happens to work as a technical specialist at a telecommunications operator would be able to connect rogue equipment to the company's SS7 network. Certain attacks require only the legitimate functions of existing communication network equipment.

There are multiple attacks, and multiple ways each can be accomplished. This post will only provide an example of intercepting SMS. However, the Signaling System 7 Security Report from Positive Technologies and The Fall of SS7 - How Can the Critical Security Controls Help? in the SANS Institute InfoSec Reading Room are great resources for an in-depth look at the attacks.

Intercept SMS Attack:

The updateLocation message is used to update the subscriber's location in the network. It informs the network of which Visitor Location Register (VLR)/Mobile-services Switching Center (MSC) the subscriber is currently connected to. Using a fake updateLocation message, the attacker claims that the victim's mobile station (MS) is connected to their MSC. In that case the subscriber's SMSs will be forwarded to the attacker's SMS center for delivery to the MS. In addition to intercepting the target's personal SMSs, this attack can be used against authentication systems that rely on SMS verification (SMS tokens, Facebook verification, etc.) and could lead to the compromise of the target's identity.
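The monitoring services mentioned earlier work by screening exactly this message on the home network side. The following added example (mine, not from the post or the cited reports) shows the kind of check such a service applies to incoming updateLocation events: updates from networks with no roaming agreement are rejected, and a subscriber who appears in a second country implausibly soon after the last accepted update is flagged. The log lines, global titles, country table, partner list and the two-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of MAP updateLocation events as a home network's HLR might
# log them (not real signaling data): time, subscriber IMSI, and the global title
# of the VLR/MSC claiming the subscriber has attached to it.
SAMPLE_LOG = """\
2016-04-26T08:00:00 imsi=310150123456789 vlr_gt=13125550100
2016-04-26T08:20:00 imsi=310150123456789 vlr_gt=4479005550100
2016-04-26T09:00:00 imsi=310150123456789 vlr_gt=13125550100
2016-04-26T09:05:00 imsi=310150987654321 vlr_gt=37255550100
"""

# Global titles are E.164 numbers, so the leading 1-3 digits give the country.
COUNTRY_CODES = {"1": "US", "44": "GB", "372": "EE"}   # subset, assumption
ROAMING_PARTNERS = {"US", "GB"}                        # hypothetical agreements
# Assumption: two attachments in different countries closer together than this
# are treated as suspect. Real velocity checks use distance tables, not a constant.
MIN_COUNTRY_CHANGE = timedelta(hours=2)

def country_of(global_title):
    """Longest-prefix match of the global title against the country code table."""
    for n in (3, 2, 1):
        if global_title[:n] in COUNTRY_CODES:
            return COUNTRY_CODES[global_title[:n]]
    return "unknown"

def parse_event(line):
    ts, imsi, gt = line.split()
    return {"time": datetime.fromisoformat(ts),
            "imsi": imsi.split("=", 1)[1],
            "country": country_of(gt.split("=", 1)[1])}

def check_update_locations(log_text):
    """Return (imsi, country, reason) for each updateLocation that should not be
    accepted; accepted updates advance the subscriber's last known location."""
    alerts = []
    last_seen = {}   # imsi -> (time, country) of the last accepted update
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["country"] not in ROAMING_PARTNERS:
            alerts.append((ev["imsi"], ev["country"], "no roaming agreement"))
            continue
        prev = last_seen.get(ev["imsi"])
        if prev and prev[1] != ev["country"] and ev["time"] - prev[0] < MIN_COUNTRY_CHANGE:
            alerts.append((ev["imsi"], ev["country"], "implausible country change"))
            continue
        last_seen[ev["imsi"]] = (ev["time"], ev["country"])
    return alerts
```

In the sample the first subscriber is accepted in the US, then claimed by a UK VLR twenty minutes later, which is the pattern a fake updateLocation produces; the second subscriber's update comes from a network with no agreement at all.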


Glossary:

Mobile-services Switching Center (MSC): the interface between the radio system and the fixed network. It performs all the functions needed to handle circuit-switched services to and from the mobile stations. The MSC usually consists of two systems: the MSC server, responsible for the signaling, and the media gateway (MGW), which handles the user traffic.

Visitor Location Register (VLR): a database of the subscribers who have roamed into the jurisdiction of the MSC it serves. When a Mobile Station (MS) enters a new location area it starts a registration procedure. The MSC in charge of that area notices this registration and transfers the identity of the location area where the mobile station is situated to a VLR. If this MS is not yet registered in the VLR, the VLR and the Home Location Register (HLR) exchange information so that circuit-switched (CS) calls involving the MS can be handled properly. In practice, for performance reasons, most vendors integrate the VLR directly into the visited MSC (V-MSC).

References:

Gibbs, S. (2016). SS7 hack explained: What can you do about it? Retrieved April 26, 2016, from https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls

Bennett, C. (2016). Serious weaknesses seen in cell phone networks. Retrieved April 26, 2016, from http://thehill.com/policy/cybersecurity/277329-serious-weaknesses-seen-in-cell-phone-networks?utm_medium=email

Mourad, H. (2015). The Fall of SS7 – How Can the Critical Security Controls Help? Retrieved April 26, 2016, from https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225

Positive Technologies. (n.d.). Signaling System 7 (SS7) Security Report. Retrieved April 26, 2016, from http://www.ptsecurity.com/upload/iblock/083/08391102d2bd30c5fe234145877ebcc0.pdf

Monday, April 18, 2016

URL Shortening - Week 6

Uniform Resource Locators (URLs) are the standard method for addressing Web content. URLs often grow to hundreds of characters in length. The Hypertext Transfer Protocol (HTTP) doesn't specify a limit on the length of a URL, but implementations impose various restrictions, commonly 2048 characters in practice. Long URLs are difficult to distribute and remember (Georgiev & Shmatikov, 2016). Hence URL shortening, a technique on the World Wide Web in which a URL is made substantially shorter while still directing to the required page. This is achieved with a redirect on a short domain name that links to the web page with the long URL. For example, the URL "http://en.wikipedia.org/wiki/URL_shortening" can be shortened to "http://tinyurl.com/urlwiki" (URL shortening, n.d.).


URL shorteners provide a useful, simple way of sharing links; however, security researchers Vitaly Shmatikov and Martin Georgiev discovered that URL shorteners operate in a predictable way, and that the resulting links can disclose sensitive information. The researchers analyzed the most popular URL shorteners: the services implemented by Google, Bit.ly and Microsoft. They found that shortened URLs can be enumerated by brute force. Their scan discovered a large number of Microsoft OneDrive accounts with private documents. Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users' devices.

Google and Microsoft have introduced fixes to secure newly shortened URL links; however, old links remain vulnerable. The researchers explained that shortened URLs are predictable: they combine a known domain name with a token of only five to seven characters. A short token and knowledge of the generation mechanism are all a brute-force attack needs.

The underlying URLs are effectively public and can be discovered. A scan of 100 million URLs resulted in the discovery of more than 1.1 million publicly accessible OneDrive files, including documents and executables. In their sample scan of 100,000,000 bit.ly URLs with randomly chosen 6-character tokens, 42 percent resolved to actual URLs. Of those, 19,524 URLs led to OneDrive/SkyDrive files and folders, most of them live.


The random scan of Google-shortened URLs identified 23,965,718 links, 10 percent of them containing driving directions to sensitive locations, including disease and abortion clinics and strip clubs (Paganini, 2016). The researchers suggested five approaches to mitigate the vulnerability: make short URLs longer, inform users about the risks of URL shorteners, do not rely on universal URL shorteners, employ CAPTCHAs or other methods to separate human users from automated scanners, and design better APIs for the cloud services that use short URLs.
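The enumeration the researchers performed and the "make short URLs longer" mitigation both come down to how densely live links fill the token space. The following added example (mine, not the researchers' code or any shortener's implementation) puts numbers on that, taking the post's 42 percent figure for 6-character tokens as the assumed density, and contrasts a counter-based token scheme with a random one of the length the computation suggests.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, typical for shorteners

# Density implied by the post's figure: 42% of random 6-character bit.ly tokens
# resolved, so roughly that fraction of the 62^6 space is live (assumption).
LIVE_LINKS_ESTIMATE = int(0.42 * len(ALPHABET) ** 6)

def enumeration_cost(token_len, live_links, alphabet_size=len(ALPHABET)):
    """Probability that one random token resolves, and expected requests per live link found."""
    space = alphabet_size ** token_len
    hit_rate = min(1.0, live_links / space)
    return hit_rate, (1 / hit_rate if hit_rate else math.inf)

def min_token_length(live_links, max_hit_rate, alphabet_size=len(ALPHABET)):
    """Smallest token length keeping a random guess's hit probability at or below max_hit_rate."""
    n = 1
    while live_links / alphabet_size ** n > max_hit_rate:
        n += 1
    return n

def sequential_token(counter, length=6):
    """Weak scheme: base-62 encoding of a counter. Neighbouring links differ by one
    symbol, so the whole live set sits in a contiguous, trivially walkable range."""
    digits = []
    while counter:
        counter, rem = divmod(counter, len(ALPHABET))
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits)).rjust(length, ALPHABET[0])

def random_token(length=10):
    """Hardened scheme: length chosen with min_token_length, symbols drawn from a
    CSPRNG, so live links are sparse and unordered within the token space."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

With the assumed density, keeping a random guess below a one-in-a-million hit rate needs 10-character tokens, which is why longer tokens are the first mitigation listed.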

References: 

Georgiev, M., & Shmatikov, V. (2016, April 10). Gone in Six Characters: Short URLs Considered Harmful for Cloud Services. Retrieved April 17, 2016, from http://arxiv.org/pdf/1604.02734v1.pdf

URL shortening. (n.d.). Retrieved April 17, 2016, from https://en.wikipedia.org/wiki/URL_shortening

Paganini, P. (2016). Watch out! URL shorteners could leak sensitive content. Retrieved April 17, 2016, from http://securityaffairs.co/wordpress/46377/hacking/url-shorteners-flaws.html?utm_medium=email

Monday, April 11, 2016

Hardware Vulnerability - Week 5

Over the last four weeks, this blog has covered vulnerabilities ranging from the prospect of a permanent vulnerability in every Apple iOS device, to Android patch management flaws, to meatware (humans) as the weakest link in information system security, to the latest malware craze exploiting meatware. This week is a review of a firmware flaw in the Arris SURFboard SB6141 cable modem (hardware), affecting over 135 million users of modems deployed by Comcast, Time Warner Cable, and Charter, which was discovered by David Longenecker.

Attackers can exploit the flaw remotely to cause a denial of service by rebooting SURFboard modems without authentication, because the administration interface is vulnerable to cross-site request forgery (CSRF). The modems have a static Internet Protocol address that the consumer cannot change, and the web user interface at 192.168.100.1 requires no authentication, neither username nor password, from anyone on the local network.

Restarting the cable modem disables the victim's modem for 2 to 3 minutes, and every device on that network loses access to the Internet, which is an annoyance. However, there is a much larger issue. An attacker can also factory-reset the modem, because the application does not verify whether the reboot or reset command came from its own user interface or from an external source; social engineering techniques trick users into clicking on a specially crafted web page or email.

For example, a web page including an <img src="http://malicious_url/"> tag could call either of the following URLs:
  • http://192.168.100.1/reset.htm (for restart)
  • http://192.168.100.1/cmConfigData.htm?BUTTON_INPUT1=Reset+All+Defaults (for factory reset)
If an attacker chooses the second option, the modem will go offline for about 30 minutes, as the re-configuration process can take as long as an hour to complete.

The Arris modem vulnerability has existed since 2008: it was present in Motorola modems, Motorola's modem business was later bought by Arris, and it was documented in CERT Vulnerability Note VU#643049. The simplest solution would be a firmware update that requires a username and password and validates that a request originated from the application and not from an external source. However, there is no practical fix for consumers. Since cable modems are not consumer-upgradable, users must wait for their Internet Service Providers to apply the fix and push the update.
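The fix described above, requiring a login and verifying that a request originated from the application, amounts to standard CSRF defences. The following added example, which is not Arris firmware or anything from the referenced disclosure, models the reported unauthenticated handler beside a hardened one; the Request type, session and token handling are hypothetical, and the requests in demo() are constructed to mirror what a browser sends for the <img> tag above.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def vulnerable_reset(req):
    """Models the reported behaviour: any request for /reset.htm reboots the modem."""
    return "REBOOT" if req.path == "/reset.htm" else "ignored"

class HardenedAdmin:
    """Hypothetical hardened handler: a reboot needs a logged-in session, a POST,
    a same-origin Origin header and a per-session CSRF token, so an <img> or an
    auto-submitting form on a third-party page cannot trigger it."""
    ORIGIN = "http://192.168.100.1"

    def __init__(self):
        self.session_id = secrets.token_hex(16)  # issued after username/password login
        self.csrf_token = secrets.token_hex(16)  # embedded in the admin page's own form

    def reset(self, req):
        if not hmac.compare_digest(req.cookies.get("session", ""), self.session_id):
            return "reject: not logged in"
        if req.method != "POST":
            return "reject: state change requires POST"
        if req.headers.get("Origin") != self.ORIGIN:
            return "reject: cross-origin request"
        if not hmac.compare_digest(req.form.get("csrf", ""), self.csrf_token):
            return "reject: missing or bad CSRF token"
        return "REBOOT"

def demo():
    """Constructed requests: the <img> GET from an attacker page (browser attaches the
    victim's session cookie if one exists), a cross-site auto-submitted POST, a real submit."""
    admin = HardenedAdmin()
    img_get = Request("GET", "/reset.htm", headers={"Referer": "http://attacker.example/"},
                      cookies={"session": admin.session_id})
    xsite_post = Request("POST", "/reset.htm", headers={"Origin": "http://attacker.example"},
                         cookies={"session": admin.session_id})
    legit = Request("POST", "/reset.htm", headers={"Origin": HardenedAdmin.ORIGIN},
                    cookies={"session": admin.session_id}, form={"csrf": admin.csrf_token})
    return (vulnerable_reset(img_get), admin.reset(img_get), admin.reset(xsite_post),
            admin.reset(legit))
```

Note that the login check alone would not stop the attack once the user has a session cookie; the method, Origin and token checks are what break the cross-site request.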

References:

Paganini, P. (2016). More than 135 million ARRIS cable modems vulnerable to remote attacks. Retrieved April 10, 2016, from http://securityaffairs.co/wordpress/46117/hacking/arris-cable-modems-attack.html?utm_medium=email

Whittaker, Z. (2016, April 8). Over 135 million modems vulnerable to denial-of-service flaw. ZDNet. Retrieved April 10, 2016, from http://www.zdnet.com/article/millions-of-routers-vulnerable-to-unpatched-reboot-flaw/

Vulnerability Note VU#643049. (2008, April 29). Retrieved April 10, 2016, from http://www.kb.cert.org/vuls/id/643049

Khandelwal, S. (2016, April 9). No Password Required! 135 Million Modems Open to Remote Factory Reset. Retrieved April 10, 2016, from http://thehackernews.com/2016/04/hack-modem-internet.html

Longenecker, D. (2016, April 3). Full Disclosure: Unauthenticated CSRF reboot flaw in ARRIS (Motorola) SURFboard modems. Retrieved April 10, 2016, from http://seclists.org/fulldisclosure/2016/Apr/8

Monday, April 4, 2016

Malware - Ransomware (Week 4)

Malware is a nonspecific term referring to diverse forms of malicious software, classified by their function: viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and others. For some time, the latest craze has been ransomware. Ransomware is a type of malware that prevents or limits users from accessing their system. It forces its victims to pay a ransom through certain online payment methods in order to regain access to their systems or to get their data back.

Three US hospitals have been infected with ransomware within the last three weeks: Chino Valley Medical Center and Desert Valley Hospital in California, and Kentucky Methodist Hospital. The last thing anybody wants to see is something like this:



The latest ransomware attack was identified by Trend Micro and has been named Petya. It is delivered to victims who believe they are following a link to a resume stored on a cloud storage site like Dropbox. The ransomware overwrites the affected system's hard drive master boot record (MBR) in order to lock out users. Overwriting the MBR and placing the ransom note in the machine's startup process is what makes this variant of ransomware unique. The scam starts with the attackers sending phishing emails disguised to look and read like an applicant seeking a job. The email provides a link to a Dropbox storage location. The link is supposed to lead to the applicant's resume, but instead it leads to a self-extracting executable file that unleashes a trojan. The cybercriminals asked for 0.99 Bitcoins to unlock the computer.

Trend Micro Senior Global Marketing Manager Jon Clay stated that "users can avoid infection by improving their email security and implementing messaging solutions that employ advanced detection features specific to phishing and socially engineered emails." Mr. Clay is suggesting that users obtain behavior-based applications that scan incoming email and its attachments. However, most products on the market for individuals are signature based: they recognize only threats that have already been identified, rather than how the malware behaves, what access it attempts, and so on. Behavior-based solutions are aimed at corporate use, through appliances such as Sourcefire and Sophos.

Since these solutions are not widely available to individuals, there are other methods that can protect their systems. One is to implement a web reputation control like OpenDNS. OpenDNS automatically categorizes websites: social, parked domains, uncategorized, sports, entertainment, etc. Most infected websites are parked domains or uncategorized, so this tool can help prevent your devices from reaching a bad site. It would not have protected against this particular attack, but it is very helpful when surfing the web in general.

Another solution is to install virtual machine software, which allows a user to run a guest operating system. It can be set up in two ways: live boot and persistent. A persistent image stores data just like your normal operating system, so if it is infected it stays infected; however, you can take a snapshot prior to surfing the web and roll back to a pristine image. With a live image, the data is wiped when it is turned off or rebooted.

Malware is also delivered heavily through ads on websites. In addition to the other controls, ad blockers such as Adblock work well. As stated in the 3/27/16 posting (Meatware), humans are the weakest link because it is their actions that compromise the system. It is difficult for users nowadays to determine whether a well-crafted email is legitimate. These technical controls help users, but a user still needs to have a questioning attitude.

References: 
  
Abel, R. (2016). UPDATE: Petya ransomware leverages Dropbox and overwrites hard drives. Retrieved April 03, 2016, from http://www.scmagazine.com/petya-ransomware-overwrites-mbrs-and-leverages-cloud-services/article/485833/?utm_medium=email