Windows RT jailbroken

NEWS ...Continued from front page

'ENISA Threat Landscape: Responding to the evolving threat environment' provides a meta-analysis of 120 reports published during 2011 and 2012 by the security industry, standardisation bodies and other independent parties. It gives an overview of observed threats and threat agents, together with the current top threats and emerging trends. The report also analyses what it calls the "cyber enemy", identifying the top 10 threats in emerging technology areas, including mobile computing, social media, critical infrastructure, trust infrastructures, cloud and big data. The 10 most important threats it identifies are:

1. Drive-by exploits (malicious code injected into web pages to exploit browser vulnerabilities).
2. Worms/trojans.
3. Code injection attacks.
4. Exploit kits (ready-to-use software packages that automate cybercrime).
5. Botnets (hijacked computers that are remotely controlled).
6. (Distributed) Denial of Service attacks (DDoS/DoS).
7. Phishing (fraudulent emails and websites).
8. Compromising confidential information (data breaches).
9. Rogueware/scareware.
10. Spam.

Finally, the Agency draws a number of conclusions for industry and stakeholders on how to better fight the cyberthreats facing business, citizens and the digital economy at large. They include:

- the use of a common terminology within threat reports;
- accommodating the end-user perspective;
- developing use cases for threat landscapes;
- collecting security intelligence from incidents, including the starting point and target of an attack;
- shifting security controls to accommodate emerging threat trends;
- collecting and developing better evidence about attack vectors and methods, so as to understand attack workflows;
- collecting and developing better evidence about the impact of attacks;
- collecting and maintaining more qualitative information about threat agents.

The report is available here: http://bit.ly/201301enisa.

Computer Fraud & Security, January 2013

Microsoft struggles with IE flaws

A zero-day flaw in Microsoft's Internet Explorer (IE) browser has been exploited by attackers – possibly as part of the allegedly state-sponsored Elderwood Project. And while the company moved quickly to issue an out-of-band fix, researchers have shown that problems persist.

The flaw, classified as CVE-2012-4792, affects IE versions 6 to 8 and can be used to achieve remote code execution with the user's privileges. As many Windows users routinely operate their computers using accounts with administrator privileges, this could be a serious problem. The flaw doesn't exist in IE versions 9 and 10; however, the earlier versions of the software are still in widespread use. Microsoft issued a temporary Fix it work-around and has also recommended using its Enhanced Mitigation Experience Toolkit (EMET), pending a proper patch. The company's advisory is available here: http://bit.ly/201301ms.

The exploit works on Windows XP and Windows 7 and can bypass protections such as Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR). It relies on a 'use after free' bug: the browser keeps a reference to an object after its memory has been freed, so an attacker who reclaims that memory with controlled data can redirect execution, in this case to load a malicious DLL. Researchers at security firm Exodus said the Fix it solution from Microsoft failed to prevent the exploit triggering in all cases. They also uncovered another way to exploit the vulnerability, albeit one that does not appear to be in use in the wild.

An exploit using the flaw was discovered in late December 2012 by FireEye. It had been injected into the website of the Council on Foreign Relations (CFR). Research by Sophos suggests that the exploit had been in place for about three weeks, and the firm found several other sites infected with the exploit. These are very varied, including a site aimed at the Uyghur people of East Turkestan (who are campaigning for independence from China), a Taiwanese travel agency, a Russian science site and an Iranian oil company. However, the majority appear to have a human rights or political connection to some degree. Security firm Avast also claims that two of the infected sites hosted identical binaries that also match an attack, back in September, that was attributed to the Chinese Nitro gang. Inevitably, fingers have been pointed at China, with a suggestion that the malware is aimed at dissidents.

According to some reports, the exploit is set to trigger only if the user's browser language setting is English, Chinese, Chinese (Taiwan), Japanese, Korean or Russian. It places a cookie on the victim's machine to ensure the attack is made only once. The attack code also contains elements in Mandarin Chinese. Sophos believes the payload shows similarities to those used in earlier attacks, including the use of a function called 'HeapSpary' – a notable misspelling of the term 'heap spray', a technique commonly used by browser exploits to fill memory with attacker-controlled data so that a corrupted pointer is likely to land on it.

According to research by Symantec, these attacks may have had state backing. In what it dubbed the Elderwood Project, Symantec identified a number of attack campaigns that appear to have access to large numbers of zero-day vulnerabilities (for more information, go to: http://bit.ly/201301elderwood). Finding and exploiting zero-day flaws requires major resources – something that run-of-the-mill cyber-criminals have not demonstrated. There is no obvious connection between the compromised websites, although there is plenty of speculation that they may constitute 'watering hole' sites – websites commonly used by people from the organisation that is actually the target of the attackers' activities. Placing drive-by malware on such a site is often easier than directly attacking the targeted organisation.
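The gating behaviour reported for the CFR landing page (a browser-language check, a set-once cookie, the misspelled 'HeapSpary' routine and a heap-spray sled) is exactly what a defender can look for when sweeping a suspected watering-hole site. The scanner below is an added example written for this article, not code from the exploit or from any of the vendors named; the language codes it matches and both sample pages are constructed assumptions, not the real exploit's strings.

```python
"""Heuristic scanner for the watering-hole gating logic described above.

Added example. Indicators: a navigator language read combined with several
gated language-code literals, a document.cookie write, the misspelled
'HeapSpary' function name, and a long unescape()'d %u sled.
"""
import re

# Browser languages the article says the exploit was gated on; the
# navigator.*Language codes used to express them here are an assumption.
GATED_LANGUAGE_CODES = {"en", "en-us", "zh-cn", "zh-tw", "ja", "ko", "ru"}

LANG_PROPERTY_RE = re.compile(
    r"navigator\.(?:browserLanguage|userLanguage|systemLanguage|language)", re.I)
STRING_LITERAL_RE = re.compile(r"['\"]([A-Za-z]{2}(?:-[A-Za-z]{2})?)['\"]")
COOKIE_WRITE_RE = re.compile(r"document\.cookie\s*=", re.I)
HEAPSPRAY_NAME_RE = re.compile(r"\b(?:HeapSpary|heap_?spray)\b", re.I)
# Eight or more %uXXXX units handed straight to unescape(): a sled, not text.
UNICODE_SLED_RE = re.compile(r"unescape\(\s*['\"](?:%u[0-9A-Fa-f]{4}){8,}", re.I)


def scan_page(html: str) -> list[str]:
    """Return the sorted list of indicator names found in one page's source."""
    findings = []
    if LANG_PROPERTY_RE.search(html):
        literals = {s.lower() for s in STRING_LITERAL_RE.findall(html)}
        # A real locale switch compares against one or two codes; the exploit
        # compared against a whole target list.
        if len(literals & GATED_LANGUAGE_CODES) >= 3:
            findings.append("language_gate")
    if COOKIE_WRITE_RE.search(html):
        findings.append("cookie_write")
    if HEAPSPRAY_NAME_RE.search(html):
        findings.append("heap_spray_name")
    if UNICODE_SLED_RE.search(html):
        findings.append("unicode_sled")
    return sorted(findings)


def is_suspicious(html: str) -> bool:
    """Spray evidence alone is damning; the gating tricks only count in
    combination, because a legitimate site may read the language and set a
    cookie too."""
    found = scan_page(html)
    return "heap_spray_name" in found or "unicode_sled" in found or len(found) >= 3


# Constructed sample pages (assumptions, not captured exploit code).
MALICIOUS_SAMPLE = r"""
<script>
var lang = navigator.browserLanguage.toLowerCase();
if (lang=="en" || lang=="zh-cn" || lang=="zh-tw" || lang=="ja" || lang=="ko" || lang=="ru") {
  if (document.cookie.indexOf("visited") < 0) {
    document.cookie = "visited=1; expires=Sat, 31 Dec 2033 00:00:00 GMT";
    function HeapSpary() {
      var sled = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");
    }
    HeapSpary();
  }
}
</script>
"""

BENIGN_SAMPLE = r"""
<script>
var lang = (navigator.language || "en").slice(0, 2);
if (lang == "fr") { document.title = "Bienvenue"; }
document.cookie = "theme=dark; path=/";
</script>
"""

if __name__ == "__main__":
    for name, page in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_page(page), "suspicious" if is_suspicious(page) else "clean")
```

The thresholds are deliberately conservative: a site that reads `navigator.language` for localisation and sets a preferences cookie produces a single finding and is left alone, while the combination of a multi-language target list, a run-once cookie and any spray evidence is flagged.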

Windows RT jailbroken

Microsoft is also facing attack on another front.

A researcher, CL Rokr (aka 'clrokr'), claims to have found a way of bypassing the code integrity checking in Windows RT – the version of Windows 8 ported to ARM platforms. This allows users to run unsigned code on Surface tablets and other devices, effectively jailbreaking the platform. The exploit is possible because much of the Windows RT code has been ported directly from Windows 8. This includes a byte in the kernel that sets the minimum signing level for code execution. On Windows 8, this is set to 0 so that any code can be run. But on Windows RT, it is set to 8, meaning that code must be signed by Microsoft in order to run. That's because Microsoft is attempting to create a 'walled garden' for devices such as the Slate, similar to Apple's. However, Rokr claims to have been able to use a debugger to inject modified code, allowing any software to be run – at least until the device is restarted, since the change is made only in memory and does not survive a reboot. Full details are available here: http://bit.ly/201301clrokr.

Iran under cyber-attack – or not

In a series of events that amply illustrates the fog of cyberwar, Iran announced that it was under attack from data-wiping malware that was quickly – and probably wrongly – attributed to the US and Israeli governments. This was followed by the claim that some of its facilities had come under attack from Stuxnet-like malware – only for this to be later denied.

In December 2012, the Iranian Computer Emergency Response Team, Maher, reported that it had detected a data-wiping attack – dubbed GrooveMonitor or BatchWiper depending on which anti-malware vendor you're talking to. The malware is dropped as a self-extracting WinRAR file called GrooveMonitor.exe. This in turn unarchives and runs executable programs that erase all files on drives D: to I: and on the desktop. The fact that the malware only carries out these actions between certain dates – pairs of dates extending as far ahead as February 2015 – has led to speculation by some, including Maher, that this was a targeted attack. Maher also said the malware has not been widely distributed, although it hasn't given details of the victims.

The Industrial Safety and Security Source website ran an article suggesting that, like Stuxnet, this attack was the work of US and Israeli intelligence forces, and said a CIA source had confirmed this. However, this seems unlikely – and not just because the CIA isn't in the habit of confirming covert actions. Unlike Stuxnet – which was arguably the most complex and sophisticated malware ever used – GrooveMonitor consisted simply of crude batch files that had been turned into standalone executables using the BAT2EXE tool. In addition, one of the executables was 16-bit only and would not run on 64-bit machines; instead, it would raise an error.

Following this attack, the Iranian Students News Agency (ISNA) announced that a power station – the Bandar Abbas Tavanir electrical utility – in the south of Iran had been hit by a Stuxnet-like virus. Ali Akbar Akhavan, head of Iran's Passive Defence Organisation, was quoted by ISNA as saying that manufacturing industries in the Hormuzgan province had also been attacked. But Akhavan later issued a statement claiming that ISNA had misquoted him.
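Two details in the GrooveMonitor story matter for anyone triaging a similar sample: a date-gated payload does nothing in a sandbox run outside its window, and a 16-bit executable simply fails on 64-bit Windows. The helpers below are an added example written for this article, not code from Maher or any vendor. The activation windows are invented placeholders (the article gives only "pairs of dates extending as far ahead as February 2015"), and the executables it classifies are minimal headers constructed in memory.

```python
"""Triage helpers for date-gated, batch-derived wipers such as GrooveMonitor.

Added example. WIPE_WINDOWS is a hypothetical stand-in for the sample's
real trigger dates; the PE/DOS samples are built in memory.
"""
import struct
from datetime import date

# Hypothetical activation windows: (first day, last day), inclusive.
WIPE_WINDOWS = [
    (date(2012, 12, 10), date(2012, 12, 12)),
    (date(2013, 1, 21), date(2013, 1, 24)),
    (date(2015, 2, 2), date(2015, 2, 4)),
]


def armed_on(day: date, windows=WIPE_WINDOWS) -> bool:
    """True if the wipe routine would fire on `day`; a sandbox run on any
    other day observes a harmless dropper."""
    return any(start <= day <= end for start, end in windows)


def next_window(day: date, windows=WIPE_WINDOWS):
    """Next (start, end) pair after `day`, or None once all have passed:
    tells the analyst which clock to set when re-detonating the sample."""
    future = [w for w in windows if w[0] > day]
    return min(future) if future else None


IMAGE_FILE_MACHINE = {0x014C: "x86", 0x8664: "x64"}


def executable_arch(blob: bytes) -> str:
    """Classify an MZ image: 'x86'/'x64' for PE files, '16-bit' for a DOS/NE
    image with no PE signature, which 64-bit Windows refuses to run."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return "not-an-exe"
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)   # offset of new header
    if e_lfanew + 6 > len(blob):
        return "truncated"
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "16-bit"
    (machine,) = struct.unpack_from("<H", blob, e_lfanew + 4)  # IMAGE_FILE_HEADER.Machine
    return IMAGE_FILE_MACHINE.get(machine, "pe-other")


def runs_on_win64(blob: bytes) -> bool:
    return executable_arch(blob) in ("x86", "x64")


def _make_pe(machine: int) -> bytes:
    """Constructed minimal MZ+PE header, just enough for the checks above."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> PE signature
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)   # Machine field
    return bytes(hdr)


SAMPLE_X86 = _make_pe(0x014C)
SAMPLE_X64 = _make_pe(0x8664)
SAMPLE_DOS16 = b"MZ" + bytes(0x3E)               # bare DOS header, e_lfanew 0, no PE

if __name__ == "__main__":
    today = date(2013, 1, 25)
    print("armed today:", armed_on(today), "next window:", next_window(today))
    for name, blob in (("x86", SAMPLE_X86), ("x64", SAMPLE_X64), ("dos16", SAMPLE_DOS16)):
        print(name, executable_arch(blob), "runs on Win64:", runs_on_win64(blob))
```

The architecture check is the quick way to confirm the article's observation that one dropped component could never have executed on a 64-bit host: a BAT2EXE-style 16-bit stub has an MZ header but no PE signature at `e_lfanew`.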

Study shows 94% of US healthcare organisations leaked data

In the past two years, 94% of US healthcare organisations contacted for a Ponemon Institute report admitted that they had suffered at least one data breach, mostly as a result of staff negligence. Some reported that they had more than five data breaches in that time.

This shows a rise – albeit a small one, given the enormity of the problem – compared with a similar survey undertaken two years ago. In the 2010 report, 86% of organisations admitted to breaches in the preceding two years, although only 29% had five or more data leaks.

EVENTS

19–22 February 2013 OWASP AppSec AsiaPac 2013 Jeju, South Korea http://bit.ly/SVp1cx

24–25 February 2013 Security BSides San Francisco San Francisco, US www.securitybsides.com/w/page/35868077/BSidesSanFrancisco

25 February – 1 March 2013 RSA Conference 2013 San Francisco, US www.rsaconference.com

11–15 March 2013 Troopers Heidelberg, Germany www.troopers.de

12–15 March 2013 Black Hat Europe Amsterdam, Netherlands www.blackhat.com/eu-13/

25–26 March 2013 8th International Conference on Information Warfare and Security (ICIW) Denver, US http://academic-conferences.org

5–7 April 2013 Security BSides Puerto Rico San Juan, Puerto Rico http://bit.ly/Q6wWFn

8–11 April 2013 Hack in the Box Amsterdam, Netherlands http://conference.hitb.org

23–25 April 2013 Infosecurity Europe 2013 Earls Court, London, UK www.infosec.co.uk

24 April 2013 Security BSides London London, UK http://bit.ly/XvAtPE
