Operation Black Tulip: Fox-IT’s report on the DigiNotar breach

Fox-IT, the security auditors hired to investigate the compromise of DigiNotar, the digital certificate authority that signed fraudulent certificates for Google, the CIA and others, released their preliminary findings this afternoon.

It’s at least as bad as many of us thought. DigiNotar appears to have been totally owned for over a month without taking action, and they waited another month to take necessary steps to notify the public.

Fox-IT’s report shows that the initial compromise appears to have occurred on June 17th, 2011. On the 19th DigiNotar noticed the incident, but doesn’t appear to have done anything about it.

The first rogue certificate (as far as we know), *.google.com, was issued on July 10th, 2011. All of the other 530 rogue certificates were issued between July 10th and 20th.

There are several very disturbing conclusions about security at DigiNotar and the investigation isn’t even complete yet:

  1. All of the certificate servers belonged to one Windows domain, allowing the compromise of one administrator account to control everything.
  2. The administrator password was simple and could be easily brute forced.
  3. Much of the malware and tools used in the attack would have been easily detected by anti-virus, had it been present.
  4. The software on public-facing servers was out of date and unpatched.
  5. They had neither centralized nor secure logging.
  6. There was no effective separation of critical components.

The attacker left behind a message in one of the scripts used to generate the rogue certificates, arguably tying this attack to the earlier attack against Comodo back in March of this year.

The message reads in part:


Fox-IT analyzed the lookups against DigiNotar’s OCSP servers (which browsers check to see if a certificate has been revoked) and determined that during the active attack period more than 99% of queries originated in Iran.

Video showing origin of OCSP queries against DigiNotar’s servers courtesy of Fox-IT.

This is the most solid evidence yet that these certificates may have been used by the Iranian government or ISPs to spy on private communications of Iranian internet users.

Many of the other requests not originating from Iran appear to have originated via Tor exit nodes or other proxies used by Iranians to avoid censorship.

This indicates that the method used to perform the man-in-the-middle attacks with these certificates likely depended on DNS poisoning at the ISPs.
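The kind of analysis Fox-IT describes, tallying OCSP responder lookups for the rogue serials by where the client came from and separating Tor exits from ordinary addresses, can be reproduced on a responder's access log. The script below is an added illustration, not code from Fox-IT's report: the log lines, the IP-to-country blocks, the Tor exit address and the serial numbers are all constructed, and the request format is simplified to a `serial=` query parameter rather than a real DER-encoded OCSP request.

```python
"""Added example: tally OCSP lookups for rogue serials by client origin.
Everything below (log lines, IP ranges, country labels, serials) is constructed."""
import ipaddress
import re
from collections import Counter

# Constructed country mapping. A real analysis would use a GeoIP database.
COUNTRY_BLOCKS = {
    ipaddress.ip_network("203.0.113.0/24"): "IR",
    ipaddress.ip_network("198.51.100.0/24"): "NL",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}
# Constructed stand-in for the published Tor exit-node list.
TOR_EXITS = {ipaddress.ip_address("192.0.2.77")}

# Constructed serial numbers standing in for the rogue certificates.
ROGUE_SERIALS = {"0x0a1b2c", "0x0a1b2d"}

# Constructed access-log lines (combined-log style). The OCSP request is
# reduced to a GET with the certificate serial as a query parameter.
LOG = """\
203.0.113.5 - - [11/Jul/2011:10:00:01 +0200] "GET /ocsp?serial=0x0a1b2c HTTP/1.1" 200 512
203.0.113.9 - - [11/Jul/2011:10:00:02 +0200] "GET /ocsp?serial=0x0a1b2c HTTP/1.1" 200 512
203.0.113.12 - - [11/Jul/2011:10:00:03 +0200] "GET /ocsp?serial=0x0a1b2d HTTP/1.1" 200 512
192.0.2.77 - - [11/Jul/2011:10:00:04 +0200] "GET /ocsp?serial=0x0a1b2c HTTP/1.1" 200 512
198.51.100.3 - - [11/Jul/2011:10:00:05 +0200] "GET /ocsp?serial=0x0000ff HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /ocsp\?serial=(?P<serial>0x[0-9a-f]+) '
)


def country_of(ip):
    """Label a client address: TOR for a known exit, else its country block."""
    addr = ipaddress.ip_address(ip)
    if addr in TOR_EXITS:
        return "TOR"
    for net, cc in COUNTRY_BLOCKS.items():
        if addr in net:
            return cc
    return "??"


def parse_ocsp_log(text):
    """Yield (client_ip, serial) for every OCSP GET line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("serial")


def origin_report(text, serials=ROGUE_SERIALS):
    """Count lookups for the given serials per origin label.

    Returns (counts, share): counts is a Counter of label -> requests,
    share maps label -> fraction of all matching lookups."""
    counts = Counter(
        country_of(ip) for ip, serial in parse_ocsp_log(text) if serial in serials
    )
    total = sum(counts.values())
    share = {cc: n / total for cc, n in counts.items()} if total else {}
    return counts, share


if __name__ == "__main__":
    counts, share = origin_report(LOG)
    for label, n in counts.most_common():
        print(f"{label}: {n} lookups ({share[label]:.0%})")
```

Lookups for serials that are not in the rogue set (the last constructed line) are ignored, so the percentages describe only the traffic that matters for the question Fox-IT was asking. Only a responder that logs client addresses can support this kind of after-the-fact analysis, which is one more reason the report's finding about DigiNotar's logging matters.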

While some folks are complaining that too much fuss is being made over this attack, it is far more important than many other stories that the security press have been obsessed with over the last two years.

This incident demonstrates in a real way the fragility of the SSL/TLS certificate trust model in use on the net today.

I hope adoption of replacement technologies like Moxie Marlinspike’s Convergence take off in a meaningful way to provide us with more confidence in the security of our communications.

We now know not to trust certificates issued by DigiNotar, but how many of the 600+ other certificate authorities have similar security holes and may already be compromised?

Creative Commons photograph of a black tulip courtesy of Photography_Gal’s Flickr photostream.

Fake Offers with Fake Trust Seals

Thanks to the co-author of this blog, Wahengbam RobinSingh.

Phishers are constantly looking for new ideas in their efforts of tricking end users. In August, Symantec observed a phishing site that utilized a number of new tricks. The phishing site masqueraded as a well known software company and claimed to offer associated software products at discounted rates. The phishing page highlighted these fake offers as “summer offerings” and stated that customers could save 80% on their purchases. Users were prompted to enter their billing information, personal information, and credit card details to complete their purchases. The personal information that was requested consisted of the user’s email address and phone number. The credit card details that were asked for were the card number, CVV code, and card expiration date. If any users had fallen victim to the phishing site, the phishers would have successfully stolen their confidential information for financial gain.

Although these fake offers were used as the bait, it wasn’t the only trick being offered up by the phishing site. There were further tactics employed in the hope of luring a greater number of end users. The phishing site was hosted on a newly registered domain name, and this new domain name was indexed in several popular search engines and had a very high page ranking. Phishers achieved the boosted page ranking by using common search keywords for the products within the domain name. For example, the domain would look like “common-search-keywords.com”. Thus, if a user searched with these keywords in a search engine, they could end up with the phishing site as a high-ranked result.

The phishers’ ploys didn’t end there. The phishing page also contained fake trust seals at the bottom of the page. A legitimate trust seal is a seal provided to Web pages by a third party, typically a software security company, to certify that the website in question is genuine. Clicking on a trust seal will pop up a window provided by the third party, which contains details of the site name and the encryption data used to secure the site.

How did phishers overcome this security measure? They used fake trust seals that spoofed two major companies, which when clicked, popped up a window that referenced a fake site. The URL of the fake site utilized sub-domain randomization. Below is the format of the URL:

http://www.<software security company>.com.<fake domain>.com

With a quick glance at the URL, it would seem that the trust seal is linked to an appropriate third party, but it’s not. If we read the complete URL for the pop-up window, we can see that it’s a fake site. The best practice for identifying a legitimate trust seal is to click on the seal and read the complete URL of the pop-up window. The pop-up window should have a padlock icon, ‘https’, or a green address bar.
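The reason the sub-domain trick works is that the eye stops at the familiar `www.<company>.com` on the left, while the part that actually decides who owns the host is the registrable domain on the right. The function below is an added illustration, not code from the Symantec post: it extracts that registrable domain from a pop-up URL and applies the post's two checks (right domain, HTTPS). The domain names are constructed, and the tiny suffix table stands in for the Public Suffix List a real implementation would use.

```python
"""Added example: expose the real owner of a trust-seal pop-up URL.
Domain names below are constructed; the suffix table is a stand-in for
the Public Suffix List."""
from urllib.parse import urlsplit

# Constructed: suffixes treated as registry-controlled. A real check
# would load the Public Suffix List instead of this short set.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(url):
    """Return the registrable domain of the URL's host, i.e. the part the
    site operator actually controls, ignoring any lookalike labels that
    were placed to its left (www.seal-provider.com.<fake>.com -> <fake>.com)."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Walk from the left so the longest public suffix wins (co.uk before uk).
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def seal_looks_legit(popup_url, provider_domain):
    """Apply the two checks from the post: the pop-up must be served over
    HTTPS and its registrable domain must be the seal provider's own."""
    parts = urlsplit(popup_url)
    return parts.scheme == "https" and registrable_domain(popup_url) == provider_domain


if __name__ == "__main__":
    # Constructed URLs in the shape described above.
    fake = "http://www.example-seal.com.evil-example.com/verify?site=shop"
    real = "https://www.example-seal.com/verify?site=shop"
    for url in (fake, real):
        print(url, "->", registrable_domain(url), "legit:",
              seal_looks_legit(url, "example-seal.com"))
```

The HTTPS check on its own only says that some certificate authority vouched for the domain shown, which is exactly why the domain check comes first: a padlock on `<fake>.com` tells you nothing about the seal provider.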

Internet users are advised to follow best practices to avoid phishing attacks:

•    Do not click on suspicious links in email messages.
•    Avoid providing any personal information when answering an email.
•    Never enter personal information in a pop-up page or screen.
•    When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
•    Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.

Is Al Gore asking permission to spam from your social networking account?

Is this spam or not? I’m finding it hard to decide.

But there’s certainly something about it which makes me feel uncomfortable with my security hat on.

Al Gore’s Climate Reality Project is encouraging social networking users to “donate” their online accounts for what they call “24 hours of Reality”.

During that time, the organisation will be able to access your Twitter and Facebook account and post information about climate change and a global awareness event they are holding on September 14th with the aim of focusing attention on the “full truth, scope, scale and impact of the climate crisis about climate change”.


All the Climate Reality Project needs you to do is authorise its application so it can post Facebook status messages and Tweets in your name.

You’ll still be able to use the social networks as normal – it’s just that a few times an hour you will find messages from the Climate Reality Project issued using your name, interspersed amongst your regular online activity.


Is it spam? I freely admit that I’m undecided.

I mean, there’s nothing to stop the Climate Reality Project’s supporters retweeting and sharing everything the campaign says anyway, and subjecting their Twitter followers and Facebook fans to all that messaging.

Instead, what it sounds like is just another example of an organisation trying to muscle their way into social media success – ironically, the diametric opposite of what actually works. Something that might actually be considered rude in whatever the Web 2.0 version of netiquette is.

Perhaps the Climate Reality Project would do better to just be interesting. That way, people would reshare their content or build upon it in an authentic way which would most likely be more appreciated by the supporters’ online followers.

After all, isn’t an argument put more convincingly if people can see that some effort and passion has been put into forming the case, rather than someone lazing about on their sofa and getting an app to tweet it out for them?

But more than that. Isn’t this bad security practice? Should people be encouraged to hand control of their Facebook or Twitter account to a third party for a day?

Isn’t it a bit like lending somebody your credit card for 48 hours? Haven’t we seen enough abusive third-party apps on Facebook and Twitter without users being encouraged to install more?

Or.. in your opinion, does none of this matter? Is it okay for the normal rules of netiquette and account safety to be waived for 24 hours, because the cause of climate change awareness is so important?

I’m not sure what to make of it all. Why not tell us your opinion in the quick poll below and leave a comment.


Facebook page hijacking locks out original admins [VIDEO]

As you can see in the following video, it’s easier to hijack a Facebook page than you would expect, because of sloppy security from the social network.


The question is – will Facebook do anything about it?

Facebook pages are an important part of many businesses’ marketing activities. Brands such as Coca-Cola, Victoria’s Secret and Starbucks have millions of Facebook fans signed-up to their pages.


Even more impressively, Lady Gaga has a jaw-dropping 43 million fans on the social network.. and rising.

So it’s clear that Facebook pages are an enormously effective way for firms and celebrities to promote themselves and raise brand awareness. There’s very little cost for a potentially huge amount of publicity.

Facebook pages are run by administrators. Anyone can create a Facebook page, and if your page proves popular you might choose to recruit some additional co-administrators to help you run it.

That’s where you need to be very careful – because one of your fellow administrators could hijack the page you have been working on, and remove your admin rights.

That shouldn’t be possible, of course. When a journalist rang me yesterday to talk about the problem I pointed them towards Facebook’s own help pages that say that although administrators can remove other administrators, they *cannot* remove the person who originally created the page.


Unfortunately, Facebook’s own help pages have got it wrong.

Any page administrator *can* remove the original administrator of a Facebook page, as the video above showed.

There are two scenarios here. One is that you have a trusted friend or colleague who you ask to help you administer a Facebook page. Even if they have the best intentions, their Facebook account may get compromised (perhaps their passwords are phished or cracked) giving a stranger the chance to hijack the Facebook page you created.

The other possibility is that you gave a stranger admin access to your Facebook page.

Why would you do that? Well, there are many people and businesses wanting more fans for their Facebook page, and if you go to a site like Fiverr (an online marketplace where you can buy and sell any service for just five dollars) you’ll find plenty of folks willing to help you maximise the success of your page.

If you give a cut-price “social media expert” admin rights to your Facebook page, you only have yourself to blame if you’re ousted.

And don’t go crying to Facebook. They seem to be unwilling to rectify a page hijack, meaning that if you want to recreate the online community you may have spent much time and money on building you’ll have to start again from scratch.

Come on Facebook – sort it out. Page administrators should not be able to remove the original administrator without the creator’s specific permission.

If you’re a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page – where more than 100,000 people regularly discuss the latest attacks.

Hat-tip: The Register. Please note: You might have difficulty reaching The Register because of their ongoing DNS issues.