Author Archive

Publicly Disclosed GSM Attack Surface Expanding

Tuesday, December 29th, 2009

During the course of 2009, the amount of publicly available information on the security of GSM cellular networks and devices has steadily increased. GSM stands for the “Global System for Mobile communications” and is the world’s most popular standard for mobile handsets. The GSM Association estimates that more than 3 billion people are now using GSM technology. With such a massive install base, addressing potential security vulnerabilities in GSM handsets or in GSM networks themselves is clearly an enormous challenge.

The DeepSec In-Depth Security Conference 2009 in Vienna, Austria saw the presentation of research on attacking GSM networks, as well as attacking GSM handsets using SMS / MMS. David Burgess and Harald Welte held a highly regarded workshop entitled “Security on the GSM Air Interface”, covering contemporary technologies and techniques for radio direction finding, including the capabilities and deployment of devices known as “IMSI Catchers.” An IMSI Catcher device functions as a rogue cellular access point and can be leveraged to aid in radio direction finding or may offer full voice and data man-in-the-middle capabilities with a variety of uses. Commercially available hardware and software from the OpenBTS and OpenBSC projects was used to demonstrate attacks and countermeasures under laboratory conditions using a private GSM network.

Continuing the thread of GSM security material at DeepSec, noted security researchers Zane Lackey and Luis Miras presented research on techniques for attacking GSM handsets using SMS/MMS, both the implementations themselves as well as architectural vulnerabilities in the carrier networks.

At the 26th Chaos Communication Congress (26C3) in Berlin, Germany, noted cryptographer and hardware hacker Karsten Nohl and colleague Chris Paget announced that their “A5/1 Cracking Project” had successfully calculated the cryptographic base needed to demonstrate cracking GSM communications secured using the A5/1 encryption algorithm. This data, commonly referred to as a “rainbow table”, is now publicly available on the Internet. Nohl and Paget also announced they have open sourced the software they used to calculate the rainbow tables. The ability to passively decrypt A5/1 secured GSM communications is critical to performing passive, difficult to detect interception. This contrasts with active and easily detectable interception techniques using an IMSI Catcher device.

GSM is being adopted in a growing number of sensitive applications including financial transactions, mobile payments, and of course sensitive voice communications. Capabilities once only available to very well-resourced organizations such as the military, intelligence agencies, civilian law enforcement and organized crime are now increasingly within reach of much less well-resourced organizations, such as smaller criminal groups or even malicious individuals.

Organizations using GSM for sensitive applications or to discuss or transmit sensitive information should adopt a proven information security risk management approach to their use of mobile communications technologies such as GSM, just as they do for more traditional IT systems. For organizations that must utilize GSM communications for sensitive applications within hostile environments, several third-party security solutions are commercially available.

Protecting Yourself From Attempts to Exploit CVE-2009-0238

Tuesday, February 24th, 2009

On February 24, 2009, Microsoft published Microsoft Security Advisory 968272 confirming the existence of a recently disclosed 0-day vulnerability in Microsoft Office Excel. For now, there are reports of only limited and targeted attacks attempting to exploit this vulnerability. Unfortunately, with public disclosure and exploits in limited circulation in the wild, the risk is high that more widespread attack will follow.

The flaw lies in code handling the Microsoft Office 2003 and earlier binary file formats. Microsoft confirmed that all versions of Office 2000 and later are at risk. The list of affected platforms also includes Mac OS X, with Microsoft Office 2004 for Mac and Microsoft Office 2008 for Mac being vulnerable.

Even in the absence of a security update from Microsoft, there are some good recommendations included in Microsoft’s advisory.

The Microsoft Office Isolated Conversion Environment (MOICE) offers users of Microsoft Office 2003 and Microsoft Office 2007 a way to more securely open Microsoft Word, Excel and PowerPoint binary format files. KB968272 contains details on how to set MOICE as the registered handler for .XLS, .XLT, and .XLA file formats. Documents that are converted to the Office 2007 XML format with MOICE will lose their macro functionality (which depending on your perspective might not be such a bad thing). Password protected or DRM encumbered documents can’t be converted with MOICE. Mac users are unfortunately left out in the cold here, since MOICE isn’t currently supported on the Mac OS X platform.

You can also block your users from opening Office 2003 and earlier documents using Microsoft Office File Block policy. KB968272 contains details for Microsoft Office 2003 and Microsoft Office 2007 on applying registry changes to prohibit users from opening Office 2003 format documents. Office 2007 offers the ability to manage “trusted locations” that can be excluded from the File Block policy. Office 2003 users must instead use an OICEExemptions registry key if they want to exempt a directory from the File Block policy.

It remains to be seen if OpenOffice or other alternative office suites are affected by the same kind of programming flaw that caused the vulnerability in Office. Although Microsoft’s new Office Open XML (OOXML) formats, and the SDLC-developed code that Microsoft wrote to implement them, do seem less at risk to these kinds of vulnerabilities than the legacy formats, a move to exchanging strictly OOXML documents would have its own drawbacks. Some older releases of Microsoft Office and many alternative office suites do not support the newer OOXML formats. Even users of Office 2003 must go out of their way to install additional software from Microsoft in order to open OOXML documents. When exchanging documents with partners in a business setting, the recipient’s ability to easily read the attachment is certainly an important consideration.

The Microsoft Security Response Center is a good source for updated information as Microsoft’s investigation continues. I’m sure there will be new developments on this issue shortly.

References:

CVE-2009-0238

ShmooCon V

Tuesday, February 24th, 2009

We attended ShmooCon V the first weekend in February. We arrived early on Friday morning and had a wonderful time at the con and in DC. Thanks to all the guys (and gals) from The Shmoo Group and the conference staff for all their hard work in putting this event together!

There were a number of talks this year worth noting. Rick “Zero_Chaos” Farina’s humorously titled talk on 802.11 provided some interesting information on using consumer WiFi chipsets to receive (and potentially transmit) on non-WiFi frequencies. Rick found that the radios of many consumer chipsets have the ability to operate outside the normal WiFi channels 1 – 11 that those of us in the United States are legally permitted to use. Other frequencies in the range supported by some of these chipsets include those used for public safety, military communications, terrestrial broadcasts of satellite radio (i.e., SIRIUS Satellite Radio, XM Radio), and DECT-based cordless phones. We hadn’t realized that there was a DECT plug-in available for kismet-newcore. Rick also discussed some changes being made in the Linux kernel and userspace around software control over which frequencies a wireless chipset can operate on.

We also attended “Jsunpack: An Automatic JavaScript Unpacker” from Blake Hartstein. Jsunpack looks to be a promising new tool for analyzing packed or obfuscated JavaScript and appears to address many of the shortcomings that plagued previous approaches.

Another talk we enjoyed was “All Your Packets are Belong To Us: Attacking Backbone Technologies” by Enno Rey and Daniel Mende. The talk raised some interesting questions about the trust model (or lack thereof) of MPLS and Carrier Ethernet services used by many enterprises today. Enno and Daniel also threw in a few live demos of re-labeling MPLS traffic traversing a carrier network, and of launching Layer 2 attacks across the cloud via Carrier Ethernet.

Overall it was a great time. We enjoyed having an opportunity to visit with our InfoSec friends, as well as getting the chance to make some new ones!

- Ben Feinstein & Bow Sineath

Speaking at ToorCon This Weekend

Tuesday, September 23rd, 2008

I have the honor of presenting at ToorCon X this coming weekend at the San Diego Convention Center. I will be delivering a new talk entitled “Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln” at 2pm PDT on Saturday, September 27. If you’re in the vicinity of southern California this weekend, I encourage you to make the trip down to ToorCon. Based on my experience as an attendee last year, it is a great smaller con with a strong reputation for very deep technical talks.

I’ll also be in the Crash Course in Penetration Testing Workshop and the Deep Knowledge Seminars, so maybe I’ll catch some of y’all there too, before the actual conference kicks off Friday evening.

Droppin’ Some Hashes

Monday, September 22nd, 2008

At SecureWorks, we follow a Responsible Disclosure Policy. As such, when we find vulnerabilities in other vendors’ products or services, there is often a delay between the discovery and when we can publicly disclose the issue.

The following cryptographic hashes are related to a couple of disclosure processes I kicked off on Thursday, September 18, 2008.

File #1
MD5 b0625c8d39e3fcfaf51a577e310eb053
SHA1 0a8bdb073855eee0d31ff3afb081cf1d8d17c2bd

File #2
MD5 c74309900e7b11de5d7f211eb536cdb6
SHA1 99870aa6a0b4b33a88a2fbfd3eb83ce38bfbb7ce

Black Hat Briefings 2008 / DEFCON 16: It’s a Wrap!

Tuesday, August 19th, 2008

Now that I’m back from Las Vegas and have had a week to dig out from under email and work tasks, I’d like to share a short post-con wrap-up.

The Black Hat Briefings 2008 were a good time. Just as important as the briefings, I had a lot of fun meeting new people, seeing old friends, and networking with others in the security community. Our industry is really based on trust and trusted relationships, so I always try and get out and mingle at the con.

Both of my DEFCON presentations seemed to be really well received. I was surprised with the large turnout Friday 10am for my web application firewall (WAF) talk, given that my slot was competing directly with the Dark Tangent’s annual DEFCON keynote and Joe “Kingpin” Grand’s talk on the making of this year’s badge. There were a few good questions, so at least someone was awake and paying attention.

My Friday afternoon talk on Snort plug-in development was very well attended. A group of Sourcefire employees were filling out the front row. They didn’t throw any rotten vegetables at me, so I figure I did alright.

Updated presentation materials should be getting posted to the DEFCON site soon. Here are links to the slides for my WAF talk, and slides for my Snort plug-in development talk. I’m busy adding to my Snort preprocessor for weak SSH2 Diffie-Hellman Group Key Exchange, and should be releasing some new code in the next few weeks.

Speaking at DEFCON 16

Monday, August 4th, 2008

I’ll be delivering two talks at DEFCON 16 in Las Vegas this Friday, August 8th. My first talk, The Wide World of WAFs, covers web application firewalls and some PCI DSS background. In my talk that afternoon, Snort Plug-in Development: Teaching an Old Pig New Tricks, I’ll be releasing GPL licensed Snort plug-ins for ActiveX control detection and for detecting OpenSSH clients and servers using a broken Debian OpenSSL PRNG.

I hope to see some of y’all out in Vegas!

Police & Thieves

Friday, July 11th, 2008

The Unnamed Police Department (we’ll just call them the UPD for short) is charged with keeping the peace in a major American metropolitan area. For a public safety website, theirs is quite advanced. Visitors can view dynamically generated maps showing the distribution of different classes of crimes, make anonymous tips to the narcotics squad, and even try to sign up to join the force. As those of us that work in information security well know, all that rich web functionality brings increased risk.

This past Thursday afternoon I received a report from a colleague that the UPD public website appeared to be serving up malicious JavaScript injections. The URLs of the injected scripts were consistent with the recent waves of mass SQL injection attacks that have targeted Microsoft IIS sites backed by Microsoft SQL Server databases. The injected JavaScript payloads were consistent with malicious scripts generated using the Neosploit obfuscation tool. The first stage script redirected victims to another script, this one hosted at a domain name registered just the day before with a German domain registrar.

[Figure: Script injections thumbnail]

The impact of all this? Visitors to the UPD website were having their web browsers loaded with a witches’ brew of exploits, potentially leading to complete system compromise. While not all visitors were successfully exploited, enough folks are getting owned with these attacks to make them increasingly popular with the bad guys. Users of a tool such as the NoScript extension for Firefox (or possibly Microsoft’s new XSSFilter being included with Internet Explorer 8) would have been protected.

I immediately contacted the UPD and reported the issue. The conversation was initially pretty humorous, as you might imagine. Fortunately, the department includes a cybercrimes unit and my report was immediately routed to them. The contact at the UPD called me back about 5 minutes later and informed me one of the investigators in the cybercrimes unit had indeed confirmed the problem, and that they were working to resolve the issue. To verify the report, the cybercrimes investigator supposedly browsed to the UPD’s own public website and saw his anti-virus software light up with warnings.

I checked back less than four hours later, and the site appeared clean. I’m impressed with the speed of the response, given previously reported compromises of state and local government websites (credit to Sunbelt Blog: here, here, here, and here). I really thought I had enough time to get home before writing a cron job to keep checking the site for when it got cleaned up!

Unless the underlying SQL injection vulnerability was fixed however, this site is very likely to fall victim again, and soon.
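The monitoring check described above (re-checking the site for injected script tags) as an added Python example; this is not code from the original post, and the sample page, hostnames and allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed allowlist);
# "" stands for relative, same-origin script paths.
ALLOWED_SCRIPT_HOSTS = {"", "www.example-pd.gov", "maps.example-cdn.net"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page.

    HTMLParser is tolerant of malformed markup, which matters here: mass
    SQL injection payloads land inside database fields and surface in the
    middle of page content, often with unquoted attributes."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())


def find_unexpected_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return the script URLs whose host is not on the allowlist.

    Any external host not already known to serve this site's scripts is
    an indicator that the page may be carrying an injected tag."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        host = urlparse(src).hostname or ""
        if host.lower() not in allowed_hosts:
            flagged.append(src)
    return flagged


# Constructed sample page: two legitimate scripts and one injected tag
# (unquoted src, as the mass-injection payloads typically emit it).
SAMPLE_PAGE = """<html><head><title>UPD Crime Map</title>
<script src="/js/map.js"></script></head><body>
<p>Latest incidents</p><script src="http://maps.example-cdn.net/tiles.js"></script>
<p>Tip line</p><script src=http://injected-example.test/b.js></script>
</body></html>"""

if __name__ == "__main__":
    for src in find_unexpected_scripts(SAMPLE_PAGE):
        print("unexpected script:", src)
```

Run from cron against a fetched copy of the page, a non-empty result is the signal to page someone; the allowlist must be maintained as the site's legitimate script hosts change.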

Dan Kaminsky Strikes Again With DNS Vulnerability

Thursday, July 10th, 2008

This past Tuesday July 8th was a big day in information security. Accomplished security researcher Dan Kaminsky of IOActive announced a major new vulnerability in the DNS infrastructure underpinning the Internet. What is the vulnerability, you ask? We may all have to wait for Dan to tell us at the Black Hat Briefings security conference, kicking off on Wednesday August 6th.

You see, what transpired Tuesday was a massive coordinated exercise in controlled vulnerability disclosure, pulled off by many of the biggest vendors in IT. It has been attempted (e.g., SNMP), but something like this has never really been pulled off before.

Dan Kaminsky, with the help of Internet pioneer Paul Vixie and US-CERT, pulled all the major players together and got them to actually agree they had a problem. At a closely guarded March 31st meeting on Microsoft’s Redmond campus, the likes of Microsoft, Cisco and the ISC BIND team reached consensus on an aggressive fix to be coordinated among the participants. What’s more, this diverse group managed to effectively keep a lid on their efforts until Tuesday. As Dan said in a podcast interview, they “were very careful.”

Security research is all built upon trust, and the folks involved in this disclosure process proved themselves worthy of ours.

Dan references our very own Joe Stewart’s 2002 work on DNS cache poisoning attacks as helping to form a basis for this new work.

For the less technically inclined, Rich Mogull’s “Executive Overview” does a good job at explaining what all the fuss is about. Otherwise, I’d suggest you go right to the source, Dan’s post at DoxPara Research. And for good measure and referential completeness, US-CERT Vulnerability Note #VU800113 is right here.

Summercon in Atlanta this weekend

Wednesday, May 28th, 2008

I will be delivering a talk on PCI 6.6 and web application firewalls (WAFs) at Summercon this coming Saturday May 31st. If you are going to be in the Atlanta area this weekend, you really ought to come out and join the fun!
