In April 2013, Symantec was alerted to a series of sophisticated social-engineering attacks targeting a limited set of organizations in Europe. The most distinguishing feature of these attacks is that the victim will receive a phone call from the attac…
In the last few months, we have witnessed a rise in the number of cases of modified Web servers that inject malicious redirections into every website that it hosts. One example was the malicious Apache module (Linux.Chapro and Trojan.Apmod) that we blo…
Following on from recent concerted campaigns by Anonymous against Israel on April 7 and Facebook on April 5, the latest target for the online hacktivist collective is the USA and American online interests. Today, hackers and script kiddies of various a…
Microsoft has issued Security Advisory 2847140 in response to reports regarding public exploitation of a vulnerability affecting Internet Explorer 8. Other versions such as Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet Exp…
If you haven’t heard, Google Glass, the latest gadget from the Silicon Valley giant, has set the media and tech world abuzz, with both admiration and controversy surrounding the device. Google Glass was released to the public last week and combines smartphone technology with wearable glasses that is reminiscent of something seen on Star Trek. Public, in this case, actually means beta testers (called Glass Explorers) who had to apply for the chance to purchase the spectacles in advance by writing a 50 word essay using the hashtag, #ifihadglass. Those chosen had the opportunity to purchase the device for $1,500 USD.
Along with the admiration of a device that appears to do everything, comes controversy. The 8,000 individuals who were able to purchase the device were bound to a restrictive end user license agreement, in which the product would be deactivated and rendered useless if sold, loaned, or transferred to a third party. This was discovered after one winner decided to put his glasses on EBay and was contacted by Google. However, it appears there were no restrictions against modifying or rooting the device other than the loss of warranty and technical support.
Recently, James Freeman, a security researcher from the United States blogged about his acquisition of Google Glass from Google’s headquarters in Mountain View, California. His blog post set the press and Google scrambling after he posted a picture showing that he had rooted the device. Freeman wasn’t part of the Glass Explorer beta test, he simply had the privilege of purchasing the device as an attendee of Google I/O in 2012. His main motivation in purchasing Google Glass was device customization. In order to make customize the device, he had to “jailbreak” or “root” it.
The foundation of Google Glass is Android 4.04. As with any operating system, there are publicly known vulnerabilities and exploits. In this case, the author analyzed an unnamed exploit which relies on a symlink traversal and a race condition to see if he could apply it to Glass. To gain full root access, Freeman realized he needed to open the Debug menu on Glass. The Debug menu is typically locked on smartphones and requires a PIN to access it, but this was not the case with Google Glass. Freeman discovered that the Debug menu on Glass was not locked down and allowed for easy access to the device:
“Even if you wear Glass constantly, you are unlikely to either sleep or shower while wearing it; most people, of course, probably will not wear it constantly: it is likely to be left alone for long periods of time. If you leave it somewhere where someone else can get it, it is easy to put the device into Debug Mode using the Settings panel and then use adb access to launch into a security exploit to get root.
The person doing this does not even need to be left alone with the device: it would not be difficult to use another Android device in your pocket to launch the attack (rather than a full computer). A USB “On-The-Go” cable could connect from your pocket under your shirt to your right sleeve. With only some momentary sleight-of-hand, one could “try on” your Glass, and install malicious software in the process.”
Although the vulnerability in Google Glass allows for anyone with malicious intent to install malware to their heart’s desires, it does require physical access to the device. As those in the security community know, while this vulnerability is a definite flaw security wise, if you can have physical access to a device, it is not completely secure. This is why Linux distributions have a single user mode for forgotten or lost root passwords. If you have physical access to the device or computer, it can be considered insecure.
Wearable devices will give malware authors another avenue to exploit, as evidenced by their transition from desktops to mobile devices. Enterprising and creative malware authors will always try to find a way to exploit a vulnerability in anything, and it will only be a matter of time before it happens.
In theory, Glass or any device that can be worn and used to record at the same time can have security implications. We might not be far away from clever ways for these devices to be used against us. For example, privacy risks such as being recorded inconspicuously wherever you are and theft possibilities, such as having your ATM PIN recorded. These problems just scratch the surface—the list of security concerns might be endless.
今では、データ侵害の事例をほぼ毎週のように見かけるようになりました。そのたびに膨大なユーザーアカウントと、おそらくはそれ以外にも重要なデータが危険にさらされていますが、ほとんどの人はそうした報道に驚きさえしなくなっています。データ侵害はそれほど日常茶飯事になりつつあるからです。
データ侵害に使われる攻撃のなかでも特に多いのが、SQL インジェクションです。SQL インジェクションは、Web アプリケーションの欠陥ランキング OWASP Top 10 でも、長年にわたってトップの座を占め続けています。SQL インジェクションを防ぐ手段はいくつも知られているはずですが、残念ながらアクセス数の多いサイトでも SQL インジェクションの発生は後を絶ちません。さらに、Web サーバーの設定不備やリモート管理ツールの脆弱性を狙えば、攻撃者はシステムにアクセスし、潜在的に重要なファイルを読み取ることができます。
最も確実なパスワードの保存方法については長い間さかんに議論されてきましたが、今でもその結論は出ていません。データベースに平文でパスワードを保存するのは好ましくない、というのは大多数の一致するところですが、実際には今でも至るところで行われています。言い訳として返ってくるのは、「データベースには誰も読み取りアクセス権を持っていないのだから、何も問題ないでしょう?」といった言葉です。歴史が繰り返し証明しているように、この言葉がいつまでも当てはまることはありえません。
一般のユーザーは、自分のパスワードがサービス上でどのように保存されているのか知らないのが普通です。パスワードリセットの機能を利用するという鮮やかな手口も考えられます。なかには、ユーザーのパスワードを平文で記載したメールを送信してくるサービスもありますが、それだけでもパスワードが平文で保存されていることは明らかです。疑問に思ったら、サービス会社に問い合わせてみることもできますが、たいてい「パスワードは最新の暗号化技術で保護されています」と請け合うだけで、それ以上のことは知らされないでしょう。
それでも、キーワードは間違っていません。ほとんどのシステムでは、一方向の暗号化関数が導入されているからです。パスワードの保存には、MD5 や SHA1 など、いわゆるハッシュ関数が使われています。注意したいのは、これがパスワード保護の関数ではなく、通常はメッセージダイジェストを作成するための関数だということです。これをパスワードに利用し、ハッシュ値だけを保存することで、平文パスワードの問題は消え去るように見えます。ところが攻撃者には、パスワードとそれに対応するハッシュ値のペアをあらかじめ計算した「レインボーテーブル」を作成するという手があります。最近のクラウドサービスを使えば、レインボーテーブルの生成にそれほど時間はかからず、組み合わせの値も簡単に保存できます。こうした仕組みを利用すれば、簡単なルックアップだけで一般的なパスワードはすべて瞬時のうちに破ることができるのです。
レインボーテーブルでもパスワードを簡単に破ることができないように、ソルト(salt)を使う方法があります。ソルトとは、ランダムな長い文字列で、これをハッシュ化する前にパスワードと組み合わせます。ユーザー単位でこれを使うと、文字列は一気に複雑になります。仮に 2 人のユーザーが同じパスワード(たとえば、123456)を使ったとしても、結果的にテーブルでは異なるハッシュとして生成されます。しかも、攻撃者は想定されるソルトごとにレインボーテーブルが必要になるので、多数のユーザーのパスワードを同時に解析することは大幅に難しくなります。それでも、特定の 1 ユーザー(たとえば管理者)のパスワードを総当たりで突き止めることは、依然として可能です。
ここで登場するのが、イテレーション(反復)またはキーストレッチです。ハッシュ関数を何度も何度も繰り返すと、全体のプロセスは遅くなります。通常の使い方でログオンする場合には、多少の遅延もそれほど問題になりませんが、総当たり攻撃となれば、パスワードの解析に要する時間は数千年に達するかもしれません。簡単に組み込める例が、bcrypt と PBKDF2 です。もちろん、2 要素認証を使うだけでも障壁を高くすることはできます。シマンテックの VIP サービスもその一例です。
パスワードの保存にどのような機能が使われるとしても、サービスごとに異なるパスワードを使うようにするのが理想的であることは変わりません。すべてのサービスで同じパスワードを使っている場合、そのひとつでも破られてしまうと(おそらくはパスワード保存のしかたが悪いために)、他のパスワードもすべて攻撃者に知られてしまうことになるからです。データ侵害に成功するたびに、攻撃者は他のサービスに対しても電子メールパスワードの組み合わせを試そうとするものです。あわよくば、という期待程度にすぎませんが。
そもそも強力なパスワードを使うことが必須であることは、言うまでもありません。「123456」は、もちろん強力なパスワードとはほど遠く、けっして使うべきではありません。パスワードを変えたらすべて覚えていられない、というのであれば、パスワードマネージャを使うという手があります。そうすれば、パスワードをスマートフォンに保存して、いつでも確認できます。もちろん、そのスマートフォンを紛失した場合には誰もパスワードマネージャにアクセスできないようにしておく必要がありますが、それはまた別に考えるべき問題です。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
In today’s connected world, many of us are members of at least one, if not more, social networking services. The influence and reach of social media enterprises, such as Facebook (more than 600M active users per month) and Twitter (more than 140M active users), is staggering and as communications tools they offer a global reach delivering almost instantaneous communications to huge multinational audiences. Social media is attractive for hacktivists because it is a forum for people on the Internet and where big discussions take place. Hijack a forum like this and you have an effective soapbox to get your message across. Hardly a day passes without news of another high profile breach by hacktivists and social media influencers are in the crosshairs. Are social media and hacktivism two ideas that are made for each other? Let’s explore some thoughts and ideas and you can make up your own mind.
The ability of social media to spread news quickly is powerful, and obviously, has great potential for positive use but, like many things in life, it also has potential to be abused. In the case of the recent tragic events in Boston, the tweets started almost immediately and helped keep people informed and also warned people away from the area. Many of the tweets came from “citizen journalists” who were actually on the ground as the events unfolded and were able to describe first-hand what they witnessed. Even in the aftermath of that event, social media played a major part in helping to track down the suspects behind the tragic event. Law enforcement issued a general plea for information and the public gladly did what they could by publishing information, pictures, and videos of the event on the public forums provided by social media sites. Law enforcement was able to utilize this information available to put the pieces together.
The downside of this highly visible means of public participation when looking for suspects in a highly charged situation, such as this, is that individuals may be wrongly accused. This is exactly what happened on certain social media sites where, notably, the Reddit service drew the most criticism. On their site users took the role not only of citizen journalist, but as citizen investigator too. Users began to look at the details and photos posted on the site and pieced together their own—and, as it turned out, incorrect—conclusions on the matter. False information and allegations began to circulate and took on a life of their own.
The business of news is all about influencing people and social media provides a large audience to be influenced. Influence is such a fundamental concept in social media that there are even services which attempt to measure how much influence a user has in the social media space. Services, such as Klout, are designed to address how much influence a user has by using algorithms to measure a person’s “clout,” reflected by a number between 1 and 100, with a higher score indicates a higher level of influence.
The news industry has long recognized the power of social media, not only for influencing people but also for gathering information. Today, just about all news outlets have a social media presence to receive and broadcast news to interested audiences. Twitter is the default choice to quickly get information out there. The 140 character limit on tweets forces users to be succinct and focus on main points when communicating. Since many Twitter users use the service on their mobile device and people generally have their mobile device near them all day, information can quickly reach people and be shared again (retweeted) propagating throughout the service’s user population (“going viral”).
Indeed, services like Twitter reach mass audiences and in turn hold a strong level of influence. Then when trusted media brands enter the social media space, their power of influence and reach is further magnified. We have seen how big news stories often drive follow-up events. Major disasters or terrorist acts have an immediate impact on stock markets. For example, the stock market crashed immediately following the September 11 attacks in 2001—and that happened before the advent of modern day social media services. Recently it was reckoned that the next market crash will be tweeted and given the role social media now plays in society there is no reason to doubt that. What is to stop criminals from perpetrating “pump and dump” stock market fraud by spreading market-moving rumors in social media which cause wild movements in stock prices? This is particularly true as professional trading systems are now even designed to “read” news headlines and react to news autonomously.
Hacktivism is a modern-day evolution of traditional activism brought about by a confluence of technology, politics, and people power. While traditional activism still has its place, activist activity is increasingly being conducted online. There are likely a myriad of reasons why this is the case but one thing is for sure, activists have caught on to the powers of social media and the Internet as tools to further their cause. Many of them actively use Twitter to communicate and coordinate worldwide activities.
Ultimately, hacktivists aim to draw attention to their causes which, naturally, makes big influencers their biggest targets. With so much power and influence under the control of trusted brand’s social media accounts it is not too difficult to see that hacktivists would try compromise these accounts and leverage some of the influence for themselves. We have all heard of various celebrity, politician, and corporate social media accounts being hacked, bogus messages being sent, and much of it relatively harmless. But what if a highly influential account is hacked and a plausible but fake message about some disaster or terrorist attack is broadcast to a nation? The possibility for causing panic and disruption is clear. Unfortunately, this type of activity is set to be become an increasingly common phenomenon.
While much of the hacktivists’ attention is focused on the perceived injustices of governments and big business, along with global issues, they also zone in on local issues too.
In recent months, there has been an increase of hacktivism activity. This activity is largely focused on hacking into legitimate social media service accounts and defacing them or posting false messages. In general, these social media accounts are protected only by password based authentication. The only thing that stands between an attacker and your loyal base of social media followers is a short series of characters. While in some cases, passwords may be guessed due to a bad choice of passwords, there are other ways in which an attacker could get at the password and gain access. It has been proven that people are often the weakest link in many security systems, so it makes sense to exploit this weakness through social engineering. In recent attacks of this type, attackers gained access by sending phishing emails that, at their core, just asked the user for the login details, but disguised the request to make it look legitimate. For example, phishing emails may present users with a link and ask them to log in using the link to verify their account, but in reality their password is being stolen. Attacks of this type have been tried and tested, and found to be effective.
Another way in is to exploit weaknesses in the lost password feature. The feature is not only convenient for users, but also for mischief makers too. There are a plethora of implementations for handling lost user passwords. Some will just ask the user to specify an email address and it will send a new password. Other types will ask a security question, but often times the security questions themselves are insecure, and ask where the user was born or where they went to school. This type of information can be obtained relatively easily on the Internet. Couple this with password reuse and users who do not change their passwords frequently and it is easy to see that there is an opportunity for attack here.
The Internet and the social media services enabled by it are truly revolutionary, but many of them are built in such a way that enables anonymous and irresponsible messaging. For example, when a person signs up for a social media account, they are asked for personal details during the sign process, but how many people actually provide real names and contact details when signing up for these accounts? There may be legitimate reasons for providing false information, particularly in the light of all the data breaches into large and well known websites in recent times, but the ability to access these services without being traceable makes them ripe for abuse. It’s interesting to consider whether people would be as inclined to carry out malicious activities on the Web if they knew they could be easily traced and held accountable for their actions.
Given the potential influence behind the brands who own social media accounts, the question for legitimate account owners and social media service providers is: shouldn’t the protection of these accounts be of the highest priority? We are all waking up to the risks posed but unfortunately, there is no single silver bullet that can stop all misuse. Responsibility for account protection is a shared one. The social media industry could do more to help protect against misuse and unauthorized access, but at the same time, account owners could do more too.
Social media sites could ensure that if account login attempts fail repeatedly, further attempts are either delayed by temporary suspensions to slow down brute force attempts or have the account locked and notification sent to the owner. Some services even track the list of IP addresses used to access the service and will notify the owner if a new IP is used to access the service, which could indicate a possible breach of the account.
Social media service providers can help by implementing improved security around authentication and authorization, and more secure storage and handling of personal information. Many websites are increasingly turning to two factor authentication (2FA) to increase account login security. This is a welcome and necessary measure, but they could potentially do more. How about requiring two factor authorization before messages can be sent? This could help prevent unauthorized messages from being sent, even if the main account password was compromised.
Service providers could also introduce tiered accounts with different access levels; this would be particularly useful for business users on social media. Not everybody in a business needs to be able to send messages, so the ability to manage user access controls would be beneficial. HootSuite is an example of a service that offers granular user access controls for managing social media accounts and may be a helpful add-on service for business users. Subscriber and follower management is another feature area that could be explored. Google had an interesting idea with the concept of circles, which allows for selective sharing of information, and goes some way towards addressing this. When you boil it down, the problem is this: accounts in most social networking sites are designed around a person, who is unlikely to need or want different access control levels for their own account, and not a brand or a company. This situation makes the current mapping of requirements between a commercial or brand entity and a personal social media user account a somewhat uncomfortable fit.
Users can help matters by being better educated against social engineering attacks, equipping themselves with good quality protection software, and practicing better security hygiene such as better choice and handling of passwords. For example, according to a recent report by Ofcom (UK communications industry regulator), over half of the adults in the UK use the same password across multiple websites. This statistic is very likely mirrored in other parts of the world and is not encouraging at all from a security standpoint. Users of social media would be well advised to beef up on their security awareness training because technology only represents a small part of the solution to this problem.
As some commentators say, it’s a bit of a wild west in the social media space right now, freedom of speech and civil liberties is hugely important, but so is the responsibility that comes with it. Back to my original question: Are social media and hacktivism made for each other? Of course that is not true, both can exist quite happily without the other. Social media was not created to be a platform for hacktivism and it would be beneficial if hacktivism was not carried out through it. However, social media does amplify the power of hacktivism and because of that, it represents a highly effective and attractive avenue for hacktivists to carry out their activities.
きたる 4 月 30 日火曜日、午前 9:00(太平洋標準時)(日本時間の 5 月 1 日水曜日午前 1:00)より、シマンテックセキュリティレスポンスの専門家 Kevin Haley と Paul Wood による Twitter 討論会が開催されます(ハッシュタグは #ISTR)。テーマは、最新の『インターネットセキュリティ脅威レポート』第 18 号(英語)で焦点を当てられている主な傾向についてです。ぜひご参加ください。
今回の『インターネットセキュリティ脅威レポート』では、2012 年にシマンテックが確認した主な脅威の傾向を取り上げ、個人情報や重要な知的財産にアクセスしようとするサイバースパイ活動が著しく増加していること、そしてこうした情報窃盗犯罪の手口がどのように変遷しつつあるかを明らかにしています。2012 年に標的型攻撃が最も増えたカテゴリは、従業員数 250 人未満の企業であり、標的型攻撃の総数のうち 31 パーセントを占めています。2011 年と比べると 3 倍にも達したことになります。
ハッシュタグ #ISTR の Twitter 討論会を今すぐカレンダーに追加し、サイバー犯罪者が企業の知的財産を狙う最新の手口と攻撃経路についての議論にぜひご参加ください。
テーマ: 『インターネットセキュリティ脅威レポート』第 18 号 – データが教えてくれるもの
日付: 2013 年 4 月 30 日火曜日(日本時間 5 月 1 日)
時刻: 午前 9:00(太平洋標準時)(日本時間午前 1:00)より
時間: 1 時間
サイト: Twitter.com。ハッシュタグ #ISTR をフォローしてください。
討論に参加する専門家:
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
最近、Microsoft Windows XP 上では動作しないバックドア型のトロイの木馬プログラム(Backdoor.Trojan として検出されます)が確認されました。今回はこの脅威について、なかでもマルウェア作成者がこのトロイの木馬の機能に組み込んだ特殊なテクニックについて詳しく報告しようと思います。このマルウェアを標的型攻撃で使うために設計されたと思われるテクニックです。
この脅威で作成者は fseek 関数を使っています。通常はデータ処理に使われる関数なので、これは異例なことです。たとえば、ファイルの先頭から 100 バイトのデータを読み込むプログラムでは、fseek 関数のプロセスを使って 100 バイトを移動します。
図 1. マルウェアで使われている fseek コードのテクニック
ところが、今回見つかったマルウェアには、ループで連続する 3 つの関数が存在します。
通常、コードは fseek 関数の後でデータを読み書きしますが、このマルウェアの場合にはそのプロセスが発生していません。このような関数がループで記述されているのも奇妙です。
このコードをさらに詳しく見てみると、fseek 関数はファイルハンドルに NULL ポインタを指定して動作していることがわかります。つまり、制御するファイルがないということです。fseek 関数が存在しないファイルを制御するため、このマルウェアは Windows XP 上で実行されるとクラッシュします。
図 2. Windows XP 上で実行されるとマルウェアがクラッシュする
同じファイルを Windows Vista 以降で実行すると、正常に動作します。では、Windows XP と Vista 以降の Windows では何が違うのでしょうか。
Microsoft Visual Studio 2005 以降の MSDN ライブラリによれば、fseek 関数は次のように説明されています。
「stream が null ポインタの場合、または origin が次に説明するいずれの値でもない場合、「パラメータの検証」に説明されているように、fseek および _fseeki64 は無効なパラメータ ハンドラを呼び出します。実行の継続が許可された場合、これらの関数は errno を EINVAL に設定し、-1 を返します。」
しかし、Microsoft Visual Studio .NET 2003 の MSDN ライブラリには、この説明がありません。
以上のことから、NULL ポインタを指定したファイルハンドルをパラメータとして渡されたときの fseek コードの動作が変更されたのだと考えられます。マルウェア作成者は、この変更を意図的に利用して、Windows XP 上では動作しないプログラムを作成したのです。
Windows XP は、2013 年 3 月の時点でもオペレーティングシステム市場において 40% を若干下回る程度のシェアを保っています。Windows XP で動作しないプログラムを作成したら、大量のコンピュータに感染させる絶好のチャンスを逃していることになります。とすれば、わざわざそのようなマルウェアを作成した理由はどこにあるのでしょうか。
1 つ考えられるのは、マルウェアの真の動作がサンドボックスで明らかにされるのを回避しようと試みている可能性です。インターネット上で見つかった 8 つの自動脅威解析システムにサンプルファイルを送信してみたところ、どのシステムでもサンプルファイルの動作はログに記録されませんでした。これは、fseek 関数によるテクニックの後で悪質なコードが見つかったためと考えられます。サンプルのテストに使われるサンドボックスが Windows Vista など、Windows XP よりも新しいオペレーティングシステムで実行されている場合、マルウェアの動作が記録されない可能性があります(セキュリティ企業が自動の脅威解析システムを利用してマルウェアを解析する方法について詳しくは、以前のブログを参照してください)。
有害あるいは破壊的な活動を実行することなく密かに動作するマルウェアは、長期にわたってコンピュータへの侵入を続けることができるので、マルウェア作成者にとってそのメリットは無視できません。
バックドア型のトロイの木馬プログラムは通常、オペレーティングシステムや CPU のクロック数、インストールされているウイルス対策ソフトウェアを調べますが、今回のマルウェアは、以下の情報も収集する点で独特です。
通常、マルウェア作成者はコンピュータ上のバッテリのことまで考えたりしません。ところが、今回のマルウェアの作成者は明らかに、標的企業に強い関心を示しているようです。
このブログの執筆時点で、シマンテックの大口のお客様からこのマルウェアのサンプルが集まったのはわずかに 2 例だけで、大規模な感染は記録されていません。
これまでの解析結果から言えるのは、このマルウェアは標的型攻撃に使われ、作成者は、標的企業のコンピュータで Windows Vista 以降が使われていることを知りつつ、Windows XP では動作しないマルウェアでネットワークへの感染を試みたということです。
標的企業の管理者が、疑わしいファイルの不審な動作に気付き、自動の脅威解析システムでそのファイルをテストしたとしても、テスト段階で悪質な活動は見られず、管理者もこのファイルの本当の動作については何もわからなかった可能性があります。
シマンテックは、今回ご報告した悪質なコードとそのテクニックを引き続き監視していく予定です。疑わしいプログラムは実行しないようにして、オペレーティングシステムやウイルス対策ソフトウェアを最新の状態に保つことをお勧めします。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
Nearly every week now we can read about a data breach case somewhere, where millions of user accounts and potential other sensitive data has been compromised. Most people are not even shocked by such news anymore, as it is starting to become humdrum.
O…
