Category Archives: News

S3 Ep37: Quantum crypto, refunding Bitcoins, and Alpaca problems [Podcast]

[03’22”] Will quantum cryptography mean the end of encryption?   [10’30”] How was the FBI able to get bitcoins back in the Colonial Pipeline ransomware case?   [25’00”] What is the ALPACA attack, and does it make your browsing less secure?   [25’00”] Oh! No! of the week.

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Clop ransomware suspects busted in Ukraine, money and motors seized

The 5-minute video is well worth watching.

You don’t need to be fluent in Ukrainian to understand the shouted command: “Open up, Police!”

There’s a moment of indecision, with the camera lingering on the sort of front door that looks a bit more rugged than yours or mine, during which you’re left wondering, “What happens if the suspects simply lie low and refuse to open the door?”

That question is answered when a burly copper steps up with a gasoline-powered cutting tool (what a gamer might called a BFG, short for Big Fearsome Grinder) and pulls enthusiastically on the starting cord to fire it up…

…at which point the door opens outwards, slowly and tentatively, and the raid is ON!

(At another property raid shown in the video, the suspects didn’t open up, and you get to see the BFG used to good effect against a reinforced door.)

According to the Ukrainian police, law enforcement officers conducted 21 searches in the capital and Kyiv region.

The video shows piles of cash being counted, bagged, logged and seized by police officers, along with laptops and desktops (many shown running the latest version of macOS, if you’ve ever wondered what computing devices a discerning alleged ransomware criminal might choose), dozens of mobile phones and several flash motors.

We saw a high-end Tesla, an AMG 63 and other vehicles getting hoisted onto tow-trucks for removal.

We didn’t know whether to expect to see a lot of cash, given that ransomware crooks take payment in cryptocurrency; nevertheless, the total seized was said by the police to be UAH5,000,000, which comes out at about $200,000.

Law enforcement officers from the South Korean police can be seen in the raid, acting in what looked like the capacity of observers, presumably because four Korean companies were listed by the Ukranian police as victims in this case.

US law enforcement was also involved, with the Ukrainian report confirming that “[in] 2021, the defendants attacked and encrypted the personal data of employees and financial reports of Stanford University Medical School, the University of Maryland and the University of California.”

In other words, international co-operation can lead to suspects in cross-border cybercrimes being arrested and charged locally for attacks conducted against organisations overseas.

Here’s how the raids went down, because we know you want to watch what happened:

[embedded content]


“Face of Anonymous” suspect deported from Mexico to face US hacking charges

Media in the San Francisco area are reporting the arrest of a notorious former resident who allegedly skipped bail on hacking charges…

…almost a decade ago.

Christopher Doyon, now 56, featured in a 2020 Canadian TV documentary titled The Face of Anonymous, described by IMDb as:

[A] timely portrait of 21st century activism [that] follows Commander X, an iconic and divisive figure in the “hacktivist” network who spends his days dodging authorities across North America while surfing the web and surviving the streets.

Doyon also published his own book, Behind the Mask, written while allegedly lying low from US authorities after getting himself across the border to Toronto in Canada.

The hacking group that wasn’t

Anonymous is perhaps best described as “a hacking group that wasn’t” – a moniker that could be, and was, claimed by almost anyone with an internet axe to grind.

The group’s followers adopted the use of Guido Fawkes masks (Guido Fawkes, also known as Guy Fawkes, was a consiprator in the so-called Gunpowder Plot to blow up the British Houses of Parliament in 1605), taken from the 1980s post-apocalyptic graphic novel V for Vendetta by Alan Moore and David Lloyd.

Left. Cover art of collected edition of V for Vendetta (1982 to 1989).
Right. So-called “Anons” sporting the V for Vendetta look (2008).

High-profile hacking activities attributed to Anonymous over the years, or claimed under its ambit, have included anti-Scientology protests and takedowns in the late 2000s; a takedown of PayPal in 2010 after the payment company suspended donations to Julian Assange and Wikileaks; and government website takedowns during the so-called “Arab Spring” of 2011.

Indeed, Anonymous, which is loosely speaking a group that anyone can join if they simply claim to be part of it, never entirely vanished after its heyday in the early 2010s.

Recent internet attacks claimed by Anons apparently include: a takedown of the Atlanta Police Department website after the US police shooting of Raynard Brooks in early 2020; the defacement of the UN website in 2020 to add a webpage for Taiwan, which does not have a seat in the UN; and a May 2020 “warning” to the Minneapolis Police Department after the killing of George Floyd.

Vendetta for the homeless

Christopher Doyon, who certainly didn’t keep his face anonymous for The Face of Anonymous documentary, apparently appeared in court in California in early 2012, charged with orchestating a denial-of-service attack in 2011 against the municipality of Santa Cruz, a coastal city in Northern California not far from the San Francisco Bay Area.

Doyon, who dubs himself Commander X, is said to have acted on behalf of a mysterious person known as Commander Adama who “wanted revenge for a homeless friend of his living in Santa Cruz, who was found dead under a bridge.” (Santa Cruz apparently has strict anti-homeless laws that criminalise rough sleeping and prevent the homeless from forming communities.)

After living in Toronto for some years, Doyon apparently decamped to Mexico, which is where his Twitter account still says he’s located [2021-06-15T12:00Z].

Screenshot of Twitter page taken 2021-06-15T12:00Z.

However, Doyon is now back in the US, arrested in Mexico City at the end of last week and extradited to the US on 12 June 2021.

Looks like those denial-of-service charges have caught up with him at last.


ALPACA – the wacky TLS security vulnerability with a funky name

TLS, short for Transport Layer Security, is an important part of online cybersecurity these days.

TLS is the data protection protocol that puts the padlock in your browser’s address bar, keeps your email encrypted while it’s being sent (probably), and prevents cybercrooks from casually substituting the software you download with malware and other nasties.

The TLS protocol works by:

  • Agreeing a one-time encryption key with the other end of the connection, to protect your data from snooping and surveillance.
  • Verifying the person or company operating the server at the other end, making it harder for crooks to set up fake sites to trick you.
  • Checking the integrity of data as it arrives, to stop other people on the network from tampering with the content along the way.

So, whenever a vulnerability is announced in TLS, given how much we rely on it, the announcement typically makes big headlines.

Amusingly, perhaps, that’s had a sort of circular effect, with researchers going out of their way to come up with names and logos for TLS vulnerabilities that encourage big headlines in the first place.

We jocularly call them BWAINs – an impressive name that’s short for bug with an impressive name – and examples include vulnerabilities dubbed BEAST, Heartbleed, Logjam, Lucky Thirteen, and now…

…the delightfully named ALPACA.

A real attack, but not too much of a danger

The good news is that ALPACA isn’t a terribly usable attack, and there are some fairly simple ways to ensure it doesn’t happen on your servers (and therefore, indirectly, to your visitors), so there isn’t a clear and present danger to online commerce because of it.

The bad news, of course, is that ALPACA is a vulnerability nevertheless, or more precisely a family of vulnerabilities, and it exists because we, as an internet community, haven’t been quite as careful or as precise as perhaps we should have been when setting up our servers to use TLS in the first place.

TLS certificate overlap

ALPACA is short for Application Layer Protocols Allowing Cross-Protocol Attacks (many BWAINs involve a bit of a linguistic stretch), and it gets that name because TLS connections aren’t tied to any specific application, but instead simply protect the data in a transaction, without any formal way to restrict that transaction to a specific application or purpose.

The researchers discovered that millions of network domains out there not only use TLS on multiple servers for multiple different purposes, such as securing both HTTP (web browsing) and SMTP (email transfer), but also often fail to keep the verification part of the TLS process separate for the different services they offer.

In other words, the same TLS certificate that they use to verify, say, their email server to other email servers would also work to verify their web server to visitors using a browser.

What that means – and bear with us, because this ends up sounding both complicated and unlikely at first glance – is that if a crook could redirect your browser from a company’s website to, say, one of its email (or secure FTP, or IMAP, or POP3) servers instead, then your browser might end up trusting that nearly-but-not-quite-right other server instead.

Sometimes, crooks can pull off traffic redirection inside your network even if they can’t hack into the servers themselves.

ALPACA attacks provide a method whereby that sort of traffic redirection could be used to subvert security, both inside and outside your network, rather than simply causing a disruption or denial of service, as you might assume at first.

The problem is that TLS secures the raw data that gets transported across the connection it’s protecting, and verifies the name of the server it’s been asked to connect to, but it doesn’t formally verify the actual application that’s running at each end of the link, or determine the validity of the data that’s being exchanged.

In other words, in an ALPACA attack, the padlock would show up in your browser, you’d be unaware that you weren’t actually connected to the server you expected, and your browser would innocently, and trustingly, start talking to another server in on the network instead.

So what?

At this point, you are probably thinking, “So what? Browsers talk HTTP, but email servers talk SMTP. The two are incompatible, so the browser will just get blasted with error messages and that will be the end of it.

But one problem that the ALPACA researchers identified is that different types of server are programmed to recognise and defend against different types of error in different ways.

For example, web servers are (or ought to be!) super-cautious about how data that was included in your web request gets represented in the reply that’s sent back.

If you click a search link for a website, for instance, that includes a search parameter such as <script>alert('Ooops!')</script>, then it’s vitally important that the web server doesn’t send back a web page that includes exactly that text.

If the server sends back an error message that literally contains the message Sorry, the text <script>alert('Ooops!')</script> was not found, then it has just served up a web page, with the origin and authority of the server itself, that contains JavaScript decided by an untrusted outsider!

That’s known as XSS, or cross-site scripting (more precisely, it’s a reflective XSS, because the server simply reflects the chosen JavaScript right back into your browser where your browser magically trusts it and runs it).

In case you’re wondering, the parts of this web page above that appear to contain JavaScript tags don’t literally include the text you see on your screen. The web page contains HTML code that tells the browser to display JavaScript tags at the relevant places, without actually containing the raw tags themselves.

A huge security hole

XSS is a huge web security hole, because the reflected script can access data such as login cookies specific to the site you’re currently visiting, and thereby steal your login, raid your shopping cart, or otherwise poke its nose into your online business.

Email servers, on the other hand, don’t generally deal with JavaScript, and their replies are supposed to make sense to email sending applications, so there’s a chance that aiming a browser at a mail server and sending a carefully crafted but fake web request…

…might cause the email server to produce, inamongst its output, an error message that hasn’t gone through the same scrupulous anti-XSS checking that would happen in a web server.

You’re probably once again thinking, “So what? If the email server sends back some rogue, reflected JavaScript, what harm would that do? There aren’t any session coookies, shopping carts or other private web data associated with the email server, so an attacker would get nowhere.

Except for one thing: the browser thinks it’s connected to the real web server, and it made that decision because it was presented with a TLS certificate that would have been valid for the web server, if indeed that’s where it had ended up.

Therefore the rogue script reflected by the well-meaning email server would be able to read out the browser cookies and web data associated with the web server, even though the broswer didn’t connect to the web server at all.

Server mixup

All of this raises the question: “But how could a browser mix up a web server’s TLS certificate with an email server’s certificate in the first place?

Well, until certificate issuing companies like Let’s Encrypt came along and made the process of acquiring TLS certificates both free and straightforward, there was usually a fair bit of hassle (and cost) involved in buying and updating certificates for all the servers on your network.

As a result, companies understandably often rely on certificates that are valid for several, many, or even all the possible servers in their network domain.

Instead of getting a separate certificate for, say, www.example.com and mail.example.com, for example, you might choose to use what’s known as a wildcard certificate that’s valid for *.example.com, where the asterisk (star) character denotes “any name at all”, in the same way that most file-finding programs interpret *.DOCX as “all files that end with a DOCX extension”.

And that, very heavily simplified, is the essence of the ALPACA problem.

TLS certificates that are valid for more than one different type of server on your network could be used to perform the CA part of ALPACA, namely the Cross-protocol Attacks.

Your browser ends up trusting the wrong server, and talking to it in the wrong sort of language, but is nevertheless able to pull off some sort of harmful security bypass without directly hacking any of the servers themselves.

What to do?

The researchers have identified several ways to reduce the risk of this sort TLS abuse, if you’re worried about visitors to your network being tricked by an admittedly-unlikely ALPACA attack.

  • 1. Use application-level hardening.

Network programmers often invoke what’s known as the Robustness Principle, proposed by the late Jon Postel in the early, uncommercialised internet era: “TCP implementations should follow a general principle of robustness: be conservative in what you do, be liberal in what you accept from others.

But that “rule” is dangerously out of date in the 2020s, because it encourages programmers to get security details right themselves, but to allow others to break the rules, quite possibly on purpose and with nefarious intent.

A better contemporary rule is: “Get it right yourself, and don’t let others get it wrong, accidentally or otherwise.

The Postfix SMTP server, for example, actively (if not compliantly) watches out for SMTP input lines that look like the start of an HTTP request, rather than merely being mis-spelled commands, and closes the connection immediately if it thinks there’s a web browser at the other end:

 $ mailcat mail.example 25 [connected, type commands after -->] <-- 220 mail.example ESMTP Postfix --> RSET -- legal SMTP command <-- 250 2.0.0 Ok -- expected reply --> RESET -- harmlessly mis-spelled command <-- 502 5.5.2 Error: command not recognized --> GET / HTTP/1.1 -- potentially dangerous HTTP command <-- 221 2.7.0 Error: I can break rules, too. Goodbye. [connection closed] -- Postfix treats this as GAME OVER $ mailcat mail.example 25 [connected, type commands after -->] <-- 220 mail.example ESMTP Postfix --> QUITE -- mis-typing of QUIT, error is tolerated <-- 502 5.5.2 Error: command not recognized --> Connection: close -- illegal in SMTP, looks like an HTTP header <-- 221 2.7.0 Error: I can break rules, too. Goodbye. [connection closed] -- Postfix treats this as GAME OVER $
  • 2. Avoid TLS certificate overlap.

Wildcard certificates are very commonly used, and are handy for administrators who look after dozens or hundreds of different subdomains on a business network.

Nevertheless, try to avoid wildcards if you can, and do your best to limit each certificate so that it only vouches for a list of server names that relate to a specific service or set of services.

For example, instead of acquiring a certificate for *.example.com that your web servers and SMTP servers can all use, consider getting one certificate for each type of server, and identifying the relevant servers specifially in each one:

 # This cross-validates all your servers and is easier to manage... $ namedump -subject -san wildcert.pem X509 Serial Number : b876c80b5ae39ee6aa5d9fc4 X509 Certificate Subject : CN = *.example.com X509v3 Subject Alternative Name : DNS = *.example.com, DNS = example.com # These two are more hassle to manage, but identify your resources more precisely... $ namedump -subject -san webcert.pem X509 Serial Number : a4a5525983c90e6c667d6ae0 X509 Certificate Subject : CN = www.example.com X509v3 Subject Alternative Name : DNS = www.example.com, DNS = support.example.com, DNS = downloads.example.com $ namedump -subject -san mailcert.pem X509 Serial Number : e511a5732f4e0cd81ae10cb0 X509 Certificate Subject : CN = mail.example.com X509v3 Subject Alternative Name : DNS = mx1.example.com, DNS = mx2.example.com
  • 3. Use Application Layer Protocol Negotiation (ALPN) if you can.

Modern TLS versions support a feature called ALPN, where the client, such as your web browser, and the server you’re connecting to can specify which application protocols they would like to use over the connection, e.g. HTTP/1.1, HTTP/2 or FTP.

(Unfortunately, and perhaps surprisingly, the application type SMTP is not yet officially recognised [2021-06-11T14:00Z], but custom protocol strings can be used, and smtp can be used for email connections.)

Strictly enforcing ALPN is not currently practicable, because many legitimate programs that connect to your servers – older browsers, for example, or most email sending programs – either won’t be configured to use it, or won’t support it at all.

However, setting up your own servers to respect the requests of clients that do specify what sort of data they plan to exchange will help to immunise well-informed visitors against ALAPCA-style cross-protocol attacks.

  • 4. Use Server Name Indication (SNI) if you can.

Often, especially in the cloud, a single web server will be used to handle requests for many different domains, but will not be able (or will want to avoid) sharing a TLS certificate amongst all of them.

TLS therefore now allows the client to specify up front which service it plans to use on the server it’s connecting to, using a feature known as SNI.

The server typically uses the SNI information to decide which TLS certificate to send out to verify the connection that’s being made.

But you can also use SNI to ensure that you don’t accept connections that have arrived at your server by mistake, or through some sort of criminally-minded redirection.

Strictly enforcing SNI, so that visitors must make their intention clear in advance via SNI or else get kicked out, is unlikely to work well right now, because few companies that send you email are likely to be adding SNI data to their connection requests, and some browsers still don’t bother with SNI, either.

However, when visitors do declaring their intentions up front via SNI but nevertheless end at the wrong server anyway, blocking their request will to protect both you and them from ALPACA-like tricks.

Baaa!


S3 Ep36: Trickbot coder busted, passwords cracked, and breaches judged [Podcast]

[04’24”] Alleged malware coder from the Trickbot gang arrested.   [15’36”] 5500 passwords cracked and salaries stolen by “credential stuffing” crook.   [29’28”] We answer a listener’s question about just how tough to be when judging a company that’s had a breach.   [34’37”] Oh! No! of the week.

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

go top