AutoCAD malware

Recently I have paid some attention to AutoCAD and similar software. Not that I use them or that know much about them, but it definitively striked me both the complexity and the amazing features that some of these applications have. But with complexity, large number of features and dimension of code, come also vulnerabilities, even security vulnerabilities.

A few days ago I noticed this article (here a less technical summary) about AutoCAD malware, which has been around for more than 10 years. The purpose of this malware can be twofold: just another malware infecting channel, or more likely, a very targeted attack channel. Indeed CAD software is used for designing buildings, bridges, tunnels, roads etc., and some blueprints can be worth millions. Companies have taken notice of this, and security features have been introduced in the applications.

But the issue which does not seem to be appreciated enough (I have no statistics though, so I can be wrong on this) is the patching process (and this is not limited to CAD software but applies to other specialised software as for example digital audio or gaming). It seems to me that some of these applications are seldom updated (one needs to download/buy a new version) or that security patches are bundled together with new functionalities which can come at a cost, at least after the initial few years of support.

In my opinion, in an ideal world security patches should be provided for free to anyone until the program is supported. Obviously this can have economical impacts on the company producing the software and could require changes in the way software is built, sold and distributed (costs again).

Hardware Vulnerabilities (Again), Cloud and Mobile Security

Have a very Happy New Year!

… and to start 2017 on a great note, I write again about Hardware Vulnerabilities with comments on Cloud and Mobile Security.

The opportunity for this blog entry has been provided to me by the talk “What could possibly go wrong with <insert x86 instruction here>? Side effects include side-channel attacks and bypassing kernel ASLR” by Clémentine Maurice and Moritz Lipp at Chaos Computer Club 2016 which I suggest to watch (it lasts 50 minutes and it is not really technical despite its title).

A super-short summary of the talk is that it is possible to mount very effective side- (in particular time-) channel attacks on practically any modern Operating System which allow to extrafiliate data, open communication channel and spy on activities like keyboards inputs. All of this using only lecit commands and OS facilities, but in some innovative ways.

The reason for which these attacks are possibile is that the hardware does not prevent them, actually some hardware features, added to improve performances, make these attacks easier or even possible (see also my previous post on Hardware Vulnerabilities about this). So from the Security point of view these Hardware features should be considered as Vulnerabilities.

What is it possible to do with these techniques? Considering Cloud, it is possible to monitor the activities of another Virtual Machine running on the same hardware, extract secrect cryptography keys (but this depends on how the algorithm and protocols are implemented), establish hidden communication channels etc.

Similarly for Mobile, it is possible to have a totally lecit App to monitor the keyboard activity, or 2 Apps to establish a hidden communication so that one reads some data and the other sends it to a remote destination, all without violating any security rule (actually each one having very limited privilegies and restricted setups).

Morevoer it seeems easy to embed this kind of attacks in lecit applications and current anti-virus seem to lack the capabilities needed to intercept them. Indeed the activites performed to implement these attacks look almost identical to the ones performed by any program and it seems that only a particular performance monitoring could discover them.

 

On Denial of Service attacks and Hardware vulnerabilities

Denial of Service attacks are growning and getting the attention of the news: some of the latest incidents are krebonsecurity , OVH and Dyn. The economics behind these attacks are helping the attackers: today it costs little to mount a devastating DDoS attack able to block even a sizable part of Internet, thanks to all the botnets of unsafe machines, from PCs to routers and IoTs. Defence can be much more expensive than attack, and in some cases even than the ransom.

How did we get in this mess? This trend is not good at all, these attacks could threaten Internet itself, even if this would not be in the interest of the attackers (not considering State sponsored ones).

Fixing the current situation will be extremely expensive, many devices cannot be “fixed” but need just to be replaced. But before doing that, we need to build “secure” devices and design networks and protocols that support them and are somehow interoperable with the current ones. How? And When?

At the same time, a new trend is emerging: security vulnerabilities in Hardware.

The Rowhammer bug and its recent implementations in Virtual machines and Adroid phones (DRAMMER) or the ASLR vulnerability can open new scenarios. Hardware must provide the foundation of the security of all IT processing: data should be protected, accesses should be controlled etc. But we are discovering that the Hardware that we have been relying upon for the development of IT in the last 20 years, could have reached its limits. New security features are needed (see for example this) and vulnerabilities are discovered that must be managed, and not always it will be possible to fix them in software.

On the Security of Modern Cryptography

The security of modern cryptography is based on number-theoretic computations so hard that the problems are practically impossible for attackers to solve. In practice this means that approaches and algorithms to crack the cryptographic algorithms are known but with the current best technologies it would take too many years to complete an attack.

But what if a shortcut is found at least in some particular cases?

This is exactly what some researches [article, arstechnica] have just found for the Diffie-Hellman (DH) algorithm with 1024bit keys, algorithm which is one of the pillars of the security of Web transactions among many other uses. The researchers have shown that for DH with 1024bit keys there exist some parameters (prime modulus) that allow with current technologies to compute the secret encryption keys in short time. In other words, some parameters adopted in DH-1024 can contain invisible trapdoors. The only ways to securely use DH today seem to be:

  • to know how the parameters have been generated and to be sure that they do not allow for any “trapdoor”
  • or to use DH with 2048bit or larger keys.

What does this teach us about the security that cryptography provides to everyday IT?

How should we implement and manage cryptography within IT security?

Is cryptography joining the “zero days => vulnerabilities => patch management” life-cycle which has become one of the landmarks of current IT security?

How Secure are the Products of the IT Security Industry?

In the last months quite a long list of critical vulnerabilities in security products have been made public, for example in products by  FireEye, Kaspersky Lab, McAfee, Sophos, Symantec, Trend Micro etc. Wired just published this article with further information and some comments. These incidents make me think if writing secure code is just too difficult for anyone, or if there is something fundamentally wrong in how the IT industry in general and the IT Security industry in particular, is setup.

Implementing Cryptography right is hard

The security researcher Gal Beniamini has just published here the results of his investigation on the security of Android’s Full Disk Encrytion and found a way to get around it on smartphones and tablets based on the Qualcomm Snapdragon chipset.

The cryptography is ok but some a priori minor implementation details give the possibility to resourceful attackers (like state / nation agencies or well funded organized crime groups) of extracting the secret keys which should be protected in hardware. The knowledge of these keys would allow to decrypt the data in the file systems, the very issue which has been at the basis of the famous Apple vs. FBI case a few months ago.

Software patches have been released by Google and Qualcomm but, as usual with smartphones and tablets, it is not clear how many afflicted devices have received the update or will ever receive it.

In a few words, the problem lies in the interface between the Qualcomm’s hardware module, called the KeyMaster module, which generates, manages and protects the secret keys and the Android Operating System that needs to indirectly access the keys in this case to encrypt and decrypt the file-system. Some KeyMaster’s functions used by Android can be abused to make them reveal the secret keys.

This is another case which proves how it is difficult to implement cryptography right.

On Hardware Backdoors

Since at least the ’70s, the time of Multics (see eg. this old document on the vulnerability analysis of Multics security), the Orange Books, Military IT security etc., the role of hardware in IT security has been discussed, evaluated and implemented.

In the last years the discussion has risen again in particular about the possibility of hardware backdoors and malicious hardware. For example, since the publication of the Snowden documents there have been rumors about possible hardware backdoors in Intel, AMD and Cisco products.

A few days ago at the 2016 IEEE Symposium on Security and Privacy has been presented this paper (see eg. also here for a summary) describing how to implement a Hardware Backdoor called Analog Malicious Hardware which, as of today, seems practically impossible to detect.  The researchers were able to add a tiny circuit composed by a capacitor and a few transistors wrapped up in a single gate, out of the millions or billions in a modern chip, which acts as the hardware Trojan horse.

How difficult could it be to add a single, almost undetectable gate to the blue prints of a chip at the chip factory? How can be verified that similar gates are not present on a chip?

PS. 10 years ago I gave a couple of seminars in Italian about some aspects of history of IT security and I looked into some issues of how hardware must support the security features of Operating Systems; if interested some slides and a paper (in Italian) can be found here and here.

IT Security in the brave new world of Agile and DevOps

I just published a short article that can be downloaded here , about IT Security in the advent of Agile and DevOps development processes.

I tried to give a high level overview of the new opportunities and of the new and returning risks that Agile and DevOps bring to IT security management and governance. This requires that the IT security practitioners find new continuous and adaptive ways to provide to business the security of IT systems.

 

On a Kernel Backdoor and IT Security

It just became public that a custom built Linux kernel for embedded devices has been shipped and installed in production with a root debug backdoor open to anyone, see here for the announcement and for example here for some more details.

Besides the gravity of this particular incident and the difficulty of remediating it (I expect that many devices shipped with this kernel will never be updated) a couple of considerations come to my mind:

  • first of all the need for IT Security Awareness and Education starting from everybody working in IT : anybody can make a mistake or even a blunder, but there should be safety nets proportional to the risks and IT professional should always be aware of the “security” consequences of what they do;
  • the process of “bringing into production” IT products (aka Change Management) should be improved: as of today most of the time the really important test of an IT product is the final User Acceptance Test, which means that it is only important that the features requested by the final users work as expected. But this is not enough, and it is not like this in many other industries, think for example of televisions, refrigerators, cars etc. they all need to pass safety tests and be labelled accordingly otherwise they cannot be sold on the market. Why is it not like this also for IT products? As of today it is difficult to think of security standards, tests and labels common to all IT products, but it should be possible to agree on and adopt some common IT security baseline.