
Botnet blasts WordPress sites with configuration download attacks

Security researchers at WordFence, a company that’s focused on securing WordPress, have reported a burst of old-school attacks that are after your WordPress configuration data.

In a default installation of WordPress, whether you’ve installed it yourself or are using a hosted service, the configuration file wp-config.php should be off limits to outsiders.

That’s just as well, given how WordPress itself describes the file:

One of the most important files in your WordPress installation is the wp-config.php file. This file is located in the root of your WordPress file directory and contains your website’s base configuration details, such as database connection information.

Given that any PHP code you put into wp-config.php will run every time your website handles a request, it’s an obvious target for attackers to modify, but it’s also a sought-after gift to cybercrooks if they can access it at all.

Normal WordPress requests received from outside are constrained to the part of your WordPress installation where your site data lives, so in theory it’s impossible to construct a URL that reaches “across and upwards” from the directory that holds your public data into the directory that holds your site’s configuration files and internal data.

WordPress itself goes out of its way to recognise maliciously constructed URLs that try to trick the system into visiting unexpected parts of the filing system, and so-called directory traversal exploits are rare these days.

But if you have a forgotten plugin or a neglected WordPress theme installed, the code in it might contain a bug that allows an attacker to read prohibited files anyway, for example by tricking a plugin into including confidential content in a reply that it constructs.

Researchers at WordFence say that over the past month they’ve seen close to a million different WordPress sites receive malicious requests designed to shake loose their wp-config.php files.

We’re assuming that these attacks were orchestrated using a botnet, also known as zombie malware, because more than 20,000 different IP numbers appeared in the list of computers involved in the attack.

Bots, or zombies, are computers infected with malware that regularly – and usually very quietly – calls home to one or more command-and-control (C&C) servers run by the crooks.

By calling home on outgoing connections to fetch their malevolent instructions, and by using innocent looking traffic such as web requests, bots work fine even on home networks and at hosting companies where the provider blocks all or most incoming connections for legal or security reasons.

Of course, with 20,000 different IP numbers in the list, many of which are probably home computers with IP numbers that change every few days or after a reboot, it’s hard to use a blocklist to head off troublemakers because the list is such a moving target.

Indeed, crooks love bots not only because they’re hard to block quickly, but also because it means that someone else is paying for the traffic and that attempts to trace the attack back to its source fail or end up in the wrong place – 20,000 different places, in this case.
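One way a site owner can spot the kind of probing described above is to scan the web server’s access log for requests that name wp-config.php or carry a directory traversal sequence, including percent-encoded variants. This is an added example, not WordFence’s or WordPress’s own code; the plugin and theme paths and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the common "combined" access-log format (not real traffic).
# The plugin/theme names and IP addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jun/2020:10:01:05 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 200 3011 "-" "python-requests/2.23"
203.0.113.12 - - [01/Jun/2020:10:01:09 +0000] "GET /wp-content/themes/example-theme/include.php?path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 210 "-" "curl/7.68"
203.0.113.13 - - [01/Jun/2020:10:02:00 +0000] "GET /wp-content/uploads/2020/06/photo.jpg HTTP/1.1" 200 88120 "-" "Mozilla/5.0"
203.0.113.14 - - [01/Jun/2020:10:02:30 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalise_target(target: str) -> str:
    """Percent-decode repeatedly (bounded) so ..%2F and double-encoded forms collapse,
    then lower-case and fold backslashes to slashes for matching."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower().replace("\\", "/")


def suspicious_reasons(target: str) -> list:
    """Return the reasons a request target looks like a config-download probe (empty if none)."""
    t = normalise_target(target)
    reasons = []
    if "wp-config.php" in t:
        reasons.append("references wp-config.php")
    if "../" in t:
        reasons.append("directory traversal sequence")
    return reasons


def analyse(log_text: str) -> list:
    """Parse each log line and report requests that target the configuration file.
    A 200 response to such a request is the one that warrants an investigation,
    because it suggests a plugin or theme actually served the file's contents."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        reasons = suspicious_reasons(target)
        if not reasons:
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "target": target,
            "status": status,
            "reasons": reasons,
            # Direct requests for /wp-config.php are normally refused by the server;
            # requests routed through plugin or theme code are the ones that can leak it.
            "via_plugin_or_theme": normalise_target(target).startswith(
                ("/wp-content/plugins/", "/wp-content/themes/")),
            "likely_succeeded": status == 200,
        })
    return findings


def attacker_ips(findings: list) -> set:
    """Distinct source addresses behind the flagged requests (a moving target, as the article notes)."""
    return {f["ip"] for f in findings}


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["ip"], f["status"], "; ".join(f["reasons"]), "<-- INVESTIGATE" if f["likely_succeeded"] else "")
```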

What’s the risk?

As we’ve mentioned, crooks who can overwrite your wp-config.php file can pretty much do anything they want to your server because the code in there runs on the server for every request.

That means a crook who can modify the configuration file doesn’t have to wait for you to restart WordPress or reboot your server – they can just visit the home page of your site.

But even with read access to your configuration file, a crook may be able to use the security information in it to get unauthorised access to your WordPress databases.

That means an attacker could come back later to steal confidential data, add new users, and alter or delete content.

What to do?

WordPress can update itself, but even if you’re relying on automatic updating, don’t forget to check that it’s working correctly.

(Ironically, perhaps, the easiest way to configure autoupdating is via the wp-config.php file.)

WordPress can also update many plugins and themes for you, too…

…but not all of them.

Many plugins and themes either still need manual attention for updates, or are old and tired enough that they haven’t had updates even though they contain bugs that the crooks already know about.

Remember that less is more: if you’re still using plugins or themes that are no longer under active development, see if you can manage without them, or find replacements that are still being maintained and getting security fixes.


Latest Naked Security podcast

You DID change your password after that data breach, didn’t you?

Until a few years ago, received wisdom for passwords included advice to change them all on a regular and frequent basis, just because you could.

The laudable idea was that this reduced the length of time you’d be exposed if your password were breached, and you’d therefore “obviously” be safer as a result.

Ironically, this became known in the jargon as password rotation, which is exactly what it turned into, where users simply cycled through a list of passwords they’d used before.

Most apps checked that your new password wasn’t the same as the old one, but few went back very far, and users quickly learned how few different passwords they could get away with for each app or service.

Users also learned how tiny those differences could be and still count as changes rather than merely minor adjustments.

There was another serious problem with password rotation on a company network, namely that IT departments often imposed forced changes in a very predictable way, such as on the first Monday of each month.

And anything that introduces predictability into a process that’s supposed to be awash in randomness is asking for trouble.

Firstly, you’re as good as encouraging users to make changes in an algorithmic way to suit a doctrine rather than to address a genuine need – such as adding the digits of the current month to a core password that always stays the same.

Secondly, you’re crowding the vast majority of each month’s worth of “Oops, I forgot my password” helpdesk calls into a short and predictable period.

That means you’re giving social engineers – cybercrooks who are masters, basically speaking, at talking other people into doing insecure things – a believable pretext for calling up to provoke bogus password resets.


Recorded back in 2012, this podcast is still relevant in 2020.

Are password resets needed at all?

If you’ve listened to the podcast above, you’ll already know that we’re not suggesting that password changes are an irrelevancy.

By all means, change your passwords whenever you like if you want to – and if you use a password manager, it’s easy to do just that.

But the only time you should feel compelled to change a password is when there is a clear and obvious reason to do so, and that’s if you think – or, worse still, know – that it might have been compromised.

Fortunately, in many or most recent data breaches (though, sadly, not all) where authentication data gets stolen, the crooks don’t end up with your actual password along with your login name.

Passwords usually are – or certainly should be! – stored in a hashed form, where the hash can be used to verify that a supplied password is correct, but can’t be wrangled backwards to reveal what the password was.

As a result, most password exposures that arise from data breaches require that the crooks first crack your password by trying a long list of guesses until they find one that matches your password hash.

Simply put, the longer and more complex your password, the longer it will take for the crooks to crack it.

They try the most obvious passwords first, so 123456 will probably be the very first one they try for each user; Pa55word! might be the 100,000th on their list; but they are unlikely to get round to trying VFRHFMNOLR5LAIVGDOW5UZRT for days, or months, or even years.

In other words, if a service provider notifies you that your password hash was acquired by crooks, you’ll nevertheless remain safe if you change your password before the crooks get round to cracking it.

Even if the breach happened weeks or months ago, you’re probably still in a good position to beat the crooks to it, assuming you chose wisely in the first place – and if you use a password manager, it’s easy to do just that.

How quick are we?

So, if we’re not changing our passwords every month “just in case” any more, how quick are we at changing them when there’s a clear and present reason?

Sadly, a paper that came out recently from Carnegie Mellon University in the US suggests that a worrying number of us aren’t quick at all.

The paper, entitled (How) Do People Change Their Passwords After a Breach?, says that the researchers:

…found that very few of their participants in an online study reported intentions to change passwords after being notified that their passwords were compromised or reused, including because they believed in the “invincibility” of their passwords.

Admittedly, the significance of the findings in the paper is limited somewhat by the age of the data (it was collected in 2017 and 2018), by the small sample size of 63 breach victims from 249 participants, and by the fact that only users putting in passwords via Chrome or Firefox were monitored.

Nevertheless, the study found that 42 of the 63 participants (two-thirds) who were notified about a data breach didn’t change any of their passwords at all.

How good are we?

Disappointingly, even for the one-third who did change the relevant password, most took more than three months to get around to it, and many of those replaced their old passwords with weaker ones.

Even more intriguingly – though perhaps, with hindsight, not surprisingly – the researchers claim that those who did change passwords tended, on average, to pick a replacement that was more similar than before (measured by substring similarities) to all their other passwords.

In other words, if you aren’t using a password manager to generate truly random passwords for you, the research invites you to infer that your password choices will tend to influence each other, and thus that your passwords will become less varied over time.

That might not benefit the crooks very much, but it doesn’t exactly do you any entropy favours, either. (Entropy is the jargon word for how “disordered” your password is – where, in general, higher disorder means harder to guess.)

In short, humans really aren’t good at randomness – but then, they aren’t very good at reacting to data breach advice either, it seems.

What to do?

  • Don’t delay, do it today. If there’s a valid reason to change one of your passwords, do it right away and keep ahead of the crooks.
  • Don’t take shortcuts. Crooks will spot any tricks or patterns you use in order to make your passwords different yet similar enough to remember easily. If you have u64b2vqtn5-fb for Facebook and u64b2vqtn5-tw for Twitter, the crooks will figure out the rest of your passwords with ease.
  • Don’t think you’re invincible. The crooks probably won’t crack your password if it’s 6GHENBIZMX3TTUHJTPQZTEKM, but why take the risk that they might?
  • Don’t use 2FA as an excuse. Don’t use 2FA as an excuse to choose a trivial password or to use the same one everywhere – it’s meant to be a second factor, not just a different sort of single factor.
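The “different yet similar” problem above, and the substring similarity the researchers measured, can be turned into a defensive check: when a user changes a password, compare the candidate with the previous one and refuse it if a long run of characters is shared. This is an added example, not code from the paper or from any password manager; the threshold and the sample passwords are constructed.

```python
def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters that appears in both strings.
    Plain dynamic programming; O(len(a) * len(b)), which is fine for passwords."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best = cur[j]
        prev = cur
    return best


def similarity(a: str, b: str) -> float:
    """Fraction of the longer password covered by the longest shared substring (0.0 .. 1.0)."""
    if not a or not b:
        return 0.0
    return longest_common_substring(a, b) / max(len(a), len(b))


def too_similar(candidate: str, previous: list, threshold: float = 0.5) -> list:
    """Return the (old_password, score) pairs whose similarity to the candidate meets
    the threshold; an empty list means the candidate passes.

    Caveat for real systems: old passwords are (rightly) stored only as hashes, so a
    substring comparison is only possible against plaintexts available at change time,
    normally just the current password the user has to type in to authorise the change.
    That is one reason the article notes that few apps 'went back very far'."""
    hits = []
    for old in previous:
        score = similarity(candidate, old)
        if score >= threshold:
            hits.append((old, round(score, 3)))
    return hits


if __name__ == "__main__":
    # Constructed examples: a per-site suffix, a month-digit suffix, and two random strings.
    print(too_similar("u64b2vqtn5-tw", ["u64b2vqtn5-fb"]))
    print(too_similar("Summer2020!07", ["Summer2020!06"]))
    print(too_similar("6GHENBIZMX3TTUHJTPQZTEKM", ["VFRHFMNOLR5LAIVGDOW5UZRT"]))
```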


Nuclear missile contractor hacked in Maze ransomware attack

The US is protected by what’s known as a nuclear triad: a three-pronged attack force that consists of land-launched nuclear missiles, nuclear missiles on submarines, and aircraft equipped with nuclear bombs and missiles.

One of the triad’s legs – the land-based LGM-30 Minuteman intercontinental ballistic missile (ICBM) – has been kicked by hackers who’ve inflicted Maze ransomware on the computer network of a Northrop Grumman contractor.

Sky News reported on Wednesday that the contractor, Westech International, has confirmed that it’s been hacked and that its computers have been encrypted. It’s not yet clear if the extortionists managed to steal classified military information. Investigations to identify exactly what they got away with are still ongoing.

However, the attackers have already leaked files that suggest they had access to sensitive data – including payroll and emails – that they copied before they encrypted it, Sky News reports. They’re threatening to publish all of the files.

Unauthorized access to data about intercontinental ballistic nuclear missiles would be bad enough, but depending on what the attackers accessed, the attack could have yet more serious repercussions, given Westech’s client list.

That list includes US military branches, government infrastructure agencies, and major military contractors, including the Army, the Air Force, the Navy, Joint Service Agencies, the Commerce Department, the Energy Department, the General Services Administration, Booz Allen Hamilton, General Dynamics Information Technology, Lockheed Martin Information Technology, and more.

Minuteman III missiles

Minuteman III missiles are stored in hundreds of protected underground launch facilities operated by the Air Force Global Strike Command. Westech reportedly provides Northrop Grumman with engineering and maintenance support for the missiles.

Each ICBM contains multiple thermonuclear warheads that can be delivered further than 6,000 miles: roughly, about one-fourth of the planet’s circumference or, as Sky News notes, the distance between London and Buenos Aires. They can hit speeds of up to Mach 23: that’s 17,508 miles/28,176 kilometers per hour.

The time frame of the attack, extortion demands and publishing of Westech’s sensitive data haven’t been disclosed. The firm told Sky News that it immediately initiated an investigation and contained its systems after learning about the hack. It’s also working with an independent computer forensic firm to “analyze its systems for any compromise and to determine if any personal information is at risk.”

Northrop Grumman and the Department of Defense (DoD) reportedly declined to comment.

About Maze

Maze ransomware is a new-ish ransomware strain that’s also been used recently against Cognizant, a large US IT services company that disclosed that it had fallen victim in April.

Westech International is just the latest in a string of Maze attacks. As SophosLabs described last month in a report titled Maze ransomware: extorting victims for 1 year and counting, Maze has been in the news quite frequently recently, notably because the gang who created it have been in the vanguard of a new wave of “double-whammy” ransomware attacks.

Here’s how it works, according to Naked Security’s Paul Ducklin: The crooks confront you with not one but two reasons to pay the extortion money:

  • Pay up to get the decryption key to recover your precious files, which we scrambled with the malware.
  • Pay up to stop us releasing your precious files, which we took copies of before we scrambled them.

Westech’s saga is in keeping with how Maze operators work: they follow through on threats of public exposure of stolen data by posting it in public data dumps – what are also known as name-and-shame sites. If no payment is forthcoming, they’ll offer it up on cybercrime forums. From the SophosLabs report:

The Maze gang has made public exposure central to their ‘brand’ identity, and actively seeks attention from press and researchers to promote their brand—and make it easy for victims who might hesitate to pay them to find out their reputation.

“Brand identity?” Oh, yes, in all its animated glory. The ransomware has been around for more than a year, though it was originally known simply as ChaCha, after the encryption algorithm it used. In May 2019, its criminal operators adopted its current name, Maze, and have come up with their own visual branding:

How the Maze virus greets victims on its website.

I checked in with Westech International on Wednesday to see how it’s doing with its recovery, whether there’s any update on its investigation, and what the contractor’s thinking might be vis-a-vis paying the ransom – a sum that hasn’t been disclosed. I’ll update this article if I hear back.

Pay or pray?

The answer, in a nutshell, is Please Don’t Pay. There are very good reasons not to.

According to the State of Ransomware 2020 global study conducted earlier this year on Sophos’s behalf, paying ransoms costs more than reinstating data using backups.

You might well ask how that could be, given that downtime is often cited as the most expensive part of a ransomware attack. The rationale is simply that the cost of recovery is always high, coming in at an average of $732,000. Paying the ransom on top of that simply doubles the bill.

As noted by Naked Security’s John E. Dunn, this explains why extortionists almost always send back encryption keys when paid: if they didn’t, then victims’ doubt would “quickly destroy the whole extortion racket as companies knuckled down to do the hard work themselves.”

That could explain why ransomware attackers are increasingly threatening to leak sensitive data stolen during the attack, as was done in the Westech incident: the threat is an added incentive to pay up.

What to do?

Organizations shouldn’t despair. There are ways to limit the effect of ransomware attacks. The first step: assume that an attack is inevitable, and prepare for it.

Our advice:

  • Make and test a backup plan, including storing data offsite where attackers can’t locate it.
  • If you’re buying cyber-insurance, make sure it covers ransomware.
  • Don’t forget to protect data in the cloud as well as central data.
  • Use dedicated anti-ransomware protection. Twenty-four percent of survey respondents that were hit by ransomware were able to stop the attack before the data could be encrypted.
  • Lock down Remote Desktop Protocol (RDP). Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Pick strong passwords and use multi-factor authentication (MFA) as often as possible. And don’t re-use passwords, ever.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.

It’s also worth reading Naked Security’s advice on common mistakes that make ransomware easier to pull off from the attacker’s point of view. For more detailed advice, please check out our end of ransomware page.



Google deletes Indian app that deleted Chinese apps

Google has deleted an app from the Play Store that offered to delete Android software associated with China.

The app, created by Jaipur, India-based developer OneTouch AppLabs, purported to scan Android phones for any apps with links to China. It used market research to identify apps from a named list and would then offer users the chance to wipe them from the user’s phone. Demos found online showed it deleting TikTok, the popular messaging app owned by Chinese developer ByteDance, and UC Browser, developed by Alibaba-owned UCWeb. It also reportedly deleted the app for the Zoom videoconferencing service, which the Munk School’s Citizen Lab revealed was sending encryption keys to Chinese servers.

After deleting the apps, it displayed the message “You are awesome”.

Why would someone develop an app that wipes another country’s software from a user’s smartphone? Ideology seems to be a key factor. The developer’s website described the app as a way to support Atm Nirbhar Bharat (self-reliant India). Indian Prime Minister Narendra Modi used the slogan in a televised address about COVID-19 in mid-May, during which he said that Indians had to “protect ourselves”.

The app’s launch followed growing tensions between India and China. Their military forces had clashed with each other earlier in May along their border, which is one of the longest in the world. This isn’t the first such standoff. They fought each other for a month in 1962 over contested borderlands in the Himalayas, with further tensions in 2017 and 2019.

Google is said to have taken down the app under its deceptive behaviour guidelines. They prohibit apps that mislead users into removing or disabling third-party apps or modifying device settings or features, or which encourage users to remove or disable third-party apps.

The app was developed “for educational purposes only”, according to OneTouch AppLabs, which said on its site that it didn’t promote or force people to uninstall any software.

The company had previously updated its website with a message thanking people for using the app, which it said had accrued one million downloads within ten days of launching:

Dear Friends, Google has removed “Remove China Apps” from google play store. Thank you all for your support in past 2 weeks. “You Are Awesome”


Firefox fixes cryptographic data leakage in latest security update

We don’t know whether lockdown has anything to do with it, but how time flies!

We couldn’t believe it either – it’s four weeks since Firefox’s last regular security update.

If you want to check your version numbers, Firefox 76.0 is now replaced by 77.0; Firefox 68.8.0ESR is now 68.9.0ESR, and the Tor Browser, based on Firefox ESR, is now at version 9.5 and based on 68.9.0ESR.

As we’ve explained before but we’ll mention again because it’s useful to know, the first two numbers in the ESR version should add up to the leftmost number in the regular release.

So the current ESR is based on the feature set of Firefox 68, but with 9 updates’ worth of regular security fixes in there, so it is at 68+9=77 in security terms.

For organisational users of Firefox who are conservative about new software features but aggressive about installing security patches, the ESR version is an excellent compromise.

Indeed, the extent to which new features bring new bugs of their own can be inferred from the fact that the Security Advisory for this update (MFSA2020-20) has two separate items for “memory management bugs fixed in 77 and in 68.9ESR” and for “memory management bugs fixed in 77 only”.

Those fixes are denoted CVE-2020-12410 and CVE-2020-12411 respectively, and cover various memory management problems that were found by Mozilla itself as part of its internal bug hunting process.

The bug lists are still not public, presumably to give people time to get their updates before hints on how to exploit them are published for the world to see.

Understandably, given that these bugs are now fixed, the Mozilla team doesn’t take time to find out how to convert them from vulnerabilities into exploits – a process rather grimly known, when cybercriminals do it, as weaponising a bug.

The security advisory notes merely that “[s]ome of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.”

As you often find in monthly bug-fix lists, one vulnerability provides a fascinating mix of both excitement and danger: CVE-2020-12399, described with the words Timing attack on DSA signatures in NSS library.

NSS, short for Network Security Services (the name dates right back to the age of the Netscape browser, which is presumably what the letter N originally stood for), is Mozilla’s own core cryptographic library.

Firefox uses NSS instead of OpenSSL or any of its other widely-known open source variants such as OpenBSD’s LibreSSL or Google’s BoringSSL.

DSA is short for Digital Signature Algorithm, a cryptographic process used as part of the security in many TLS connections.

Don’t be too quick

The hard part in implementing a cryptographic algorithm securely is that the arithmetic calculations needed, notably when multiplication is involved, are both extensive and time-consuming, so it’s important to write code that is fast enough to be useful.

At the same time, you have to be careful that you don’t try to make the algorithm as fast as you possibly can, because that means the time taken will almost certainly be affected by the numbers it’s crunching.

If that happens, an attacker can use the running time of the algorithm itself, measured with enough precision, to guess at or even to determine the values of some of the numbers being used internally, including data that’s part of the encryption key itself.

In the Firefox case, it sounds as though, by repeatedly pushing cunningly crafted data into the digital signature algorithm at the start of very many encrypted connections, you can make inferences about the private key used at the other end, based on how long the calculations take.

This is called a “timing attack”, and they’re tricky to defend against.

To get a glimpse of how this sort of problem might arise, imagine that someone asks you to multiply two 5-digit numbers together, using pen and paper, behind a screen where they can’t see what you are doing, but can tell when you’ve finished.

You can easily see that time alone might give them some intuition about the numbers you were given – for example by allowing them to guess how many zeros were present.

That’s because 98765×45678 is harder to work out by hand than 98765×10000. The latter you can do instantly in your head, but the other requires the hassle of long multiplication, where you need to fetch from memory the values 5×8, 6×8, 7×8, 9×8, 5×7, 6×7 and so on for 25 different multiplications.

Likewise, 98765×10011 is a bit easier than 98765×45678 (though not as quick as 98765×10000), given that the 1-times table is the easiest to remember.

Time often is, as the adage says, of the essence.
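The pen-and-paper analogy above has a direct counterpart in the modular exponentiation that signature algorithms such as DSA perform with a secret exponent: a textbook square-and-multiply loop does extra work for every 1-bit in the exponent, so its running time tracks the secret, whereas a ladder does the same amount of work for every bit. This is an added illustration, not NSS code and not the fixed bug; it counts multiplications rather than measuring wall-clock time, and the small modulus and exponents are constructed.

```python
def modexp_naive(base: int, exp: int, mod: int):
    """Left-to-right square-and-multiply.
    Returns (result, multiplications). The count depends on how many 1-bits exp has,
    which is exactly the kind of data-dependent timing the article describes."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod          # always square
        mults += 1
        if bit == "1":
            result = (result * base) % mod        # multiply only on a 1-bit: leaks the bit
            mults += 1
    return result, mults


def modexp_ladder(base: int, exp: int, mod: int):
    """Montgomery ladder: two multiplications for every bit, whatever its value.
    Invariant: r1 == r0 * base (mod mod) throughout, so r0 ends as base**exp.
    Note: this equalises the operation count only; production constant-time code must
    also avoid secret-dependent branches and memory accesses, which Python cannot guarantee."""
    r0, r1, mults = 1, base % mod, 0
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        else:
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        mults += 2
    return r0, mults


def timing_profile(base: int, mod: int, exponents: list) -> dict:
    """For each exponent, return (naive_mults, ladder_mults) so the two can be compared."""
    profile = {}
    for e in exponents:
        _, n = modexp_naive(base, e, mod)
        _, l = modexp_ladder(base, e, mod)
        profile[e] = (n, l)
    return profile


if __name__ == "__main__":
    # Constructed: two 8-bit exponents with the same length but very different 1-bit counts.
    # 0b10000000 has one 1-bit; 0b11111111 has eight. The naive loop betrays the difference.
    for e, (n, l) in timing_profile(7, 1009, [0b10000000, 0b11111111]).items():
        print(f"exp={e:08b}  naive={n} mults  ladder={l} mults")
```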

What to do?

Check you have the update by going to Help > About Firefox or Help > About Tor Browser. (Use the menu item Firefox or Tor Browser instead of Help if you are on a Mac.)

If you already have the update, the About box will tell you; if not, it will offer to fetch the update and install it for you.

(Some Linux and BSD distros will be configured to deliver Firefox with their own package manager – if yours is one of them, use the operating system’s own update checker instead.)


