Hackers can mess with HTTPS connections by sending data to your email server

When you visit an HTTPS-protected website, your browser doesn’t exchange data with the webserver until it has ensured that the site’s digital certificate is valid. That prevents hackers with the ability to monitor or modify data passing between you and the site from obtaining authentication cookies or executing malicious code on the visiting device.

But what would happen if a man-in-the-middle attacker could confuse the browser into connecting to an email server or FTP server whose certificate is also valid for the website's domain name?

The perils of speaking HTTPS to an email server

Because the domain name of the website matches the domain name in the email or FTP server certificate, the browser will, in many cases, establish a Transport Layer Security connection with one of these servers rather than the website the user intended to visit.

Because the browser is communicating in HTTPS and the email or FTP server is using SMTP, SFTP, or another protocol, the possibility exists that things might go horribly wrong—a decrypted authentication cookie could be sent to the attacker, for instance, or an attacker could execute malicious code on the visiting machine.

The scenario isn’t as farfetched as some people might think. New research, in fact, found that roughly 14.4 million webservers use a domain name that’s compatible with the cryptographic credential of either an email or FTP server belonging to the same organization. Of those sites, about 114,000 are considered exploitable because the email or FTP server uses software that’s known to be vulnerable to such attacks.

Such attacks are possible because TLS does not protect the integrity of the underlying TCP connection (its destination IP address and port); it only authenticates the server at the other end, regardless of whether that server speaks HTTP, SMTP, or another Internet protocol. Man-in-the-middle attackers can exploit this weakness to redirect TLS traffic from the intended server and protocol to a substitute endpoint speaking a different protocol.

“The basic principle is that an attacker can redirect traffic intended for one service to another, because TLS does not protect the IP address or port number,” Marcus Brinkmann, a researcher at Ruhr University Bochum in Germany, told me. “In the past, people have considered attacks where the MitM attacker redirects a browser to a different web server, but we are considering the case where the attacker redirects the browser from the webserver to a different application server such as FTP or email.”

Cracks in the cornerstone

Typically abbreviated as TLS, Transport Layer Security uses strong encryption to prove that an end user is connected to an authentic server belonging to a specific service (such as Google or Bank of America) and not an impostor masquerading as that service. TLS also encrypts data as it travels between an end user and a server to ensure that people who can monitor the connection can’t read or tamper with the contents. With millions of servers relying on it, TLS is a cornerstone of online security.

In a research paper published on Wednesday, Brinkmann and seven other researchers investigated the feasibility of using what they call cross-protocol attacks to bypass TLS protections. The technique involves an MitM attacker redirecting cross-origin HTTP requests to servers that communicate over SMTP, IMAP, POP3, FTP, or another application protocol.

The main components of the attack are (1) the client application used by the targeted end user, denoted C; (2) the server the target intended to visit, denoted Sint; and (3) the substitute server, denoted Ssub, a machine that speaks SMTP, FTP, or another protocol different from the one Sint uses, but whose TLS certificate lists the same domain.

The researchers identified three attack methods that MitM adversaries could use to compromise the safe browsing of a target in this scenario. They are:

Upload Attack. For this attack, we assume the attacker has some ability to upload data to Ssub and retrieve it later. In an upload attack, the attacker tries to store parts of the HTTP request of the browser (specifically the Cookie header) on Ssub. This might, for example, occur if the server interprets the request as a file upload or if the server is logging incoming requests verbosely. On a successful attack, the attacker can then retrieve the content on the server independently of the connection from C to Ssub and retrieve the HTTPS session cookie.

Download Attack—Stored XSS. For this attack, we assume the attacker has some ability to prepare stored data on Ssub and download it. In a download attack, the attacker exploits benign protocol features to “download” previously stored (and specifically crafted) data from Ssub to C. This is similar to a stored XSS vulnerability. However, because a protocol different from HTTP is used, even sophisticated defense mechanisms against XSS, like the Content-Security-Policy (CSP), can be circumvented. Very likely, Ssub will not send any CSP by itself, and large parts of the response are under the control of the attacker.

Reflection Attack—Reflected XSS. In a reflection attack, the attacker tries to trick the server Ssub into reflecting parts of C’s request in its response to C. If successful, the attacker sends malicious JavaScript within the request that gets reflected by Ssub. The client will then parse the answer from the server, which in turn can lead to the execution of JavaScript in the context of the targeted web server.

The MitM adversary can’t decrypt the TLS traffic, but there are still other things the adversary can do. Forcing the target’s browser to connect to an email or FTP server instead of the intended webserver, for instance, might cause the browser to write an authentication cookie to the FTP server. Or it could enable cross-site scripting attacks that cause the browser to download and execute malicious JavaScript hosted on the FTP or email server.

Enforcing ALPN and SNI protections

To prevent cross-protocol attacks, the researchers proposed stricter enforcement of two existing protections. The first is known as application layer protocol negotiation, a TLS extension that allows an application layer such as a browser to negotiate what protocol should be used in a secure connection. ALPN, as it’s usually abbreviated, is used to establish connections using the better-performing HTTP/2 protocol without additional round trips.

If servers strictly enforce ALPN as the formal standard defines it, refusing the handshake when none of the protocols the client offers matches the protocol the server speaks, then connections from browsers and other application layers that send the extension are no longer exposed to cross-protocol attacks.

Similarly, use of a separate TLS extension called server name indication can protect against cross-hostname attacks if it’s configured to terminate the connection when no matching host is found. “This can protect against cross-protocol attacks where the intended and substitute server have different hostnames, but also against some same-protocol attacks such as HTTPS virtual host confusion or context confusion attacks,” the researchers wrote.
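As an added illustration of these two mitigations (not code from the article or from the ALPACA researchers), the Go program below runs an in-memory TLS handshake between a browser-like client and a mail server that shares the web server's certificate, once as a legacy server and once with strict ALPN and SNI enforcement. It assumes Go 1.20 or later and the hypothetical hostnames www.example.test and mail.example.test; the ALPN rejection relies on crypto/tls's built-in RFC 7301 enforcement, and the SNI check is implemented with a GetConfigForClient hook (a `must` helper panics on fixture-building errors).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical hostnames: the web and mail servers share one certificate.
const webHost, mailHost = "www.example.test", "mail.example.test"

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// selfSignedCert builds an in-memory certificate for both hostnames and a client trust store holding it.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{webHost, mailHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// mailServerConfig models Ssub: strict=false is a legacy server ignoring ALPN and SNI; strict=true adds both mitigations.
func mailServerConfig(cert tls.Certificate, strict bool) *tls.Config {
	// Tickets are off only so that the in-memory pipe sees no post-handshake writes.
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true}
	if !strict {
		return cfg
	}
	// ALPN: announce only "smtp"; crypto/tls (Go 1.17+) then aborts the handshake
	// with a no_application_protocol alert if the client's ALPN list has no overlap.
	cfg.NextProtos = []string{"smtp"}
	// SNI: abort when the client asked for a hostname other than this server's own.
	cfg.GetConfigForClient = func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
		if hi.ServerName != mailHost {
			return nil, fmt.Errorf("SNI %q is not this server's name", hi.ServerName)
		}
		return nil, nil
	}
	return cfg
}

// connect runs one handshake over an in-memory pipe and returns the negotiated ALPN protocol or the error.
func connect(server *tls.Config, roots *x509.CertPool, sni string, alpn []string) (string, error) {
	cp, sp := net.Pipe()
	defer func() { cp.Close(); sp.Close() }()
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(sp, server).Handshake() }()
	client := tls.Client(cp, &tls.Config{RootCAs: roots, ServerName: sni, NextProtos: alpn})
	clientErr := client.Handshake() // must finish before the server result is collected
	return client.ConnectionState().NegotiatedProtocol, errors.Join(<-errc, clientErr)
}

func main() {
	cert, roots := selfSignedCert()
	fmt.Println(connect(mailServerConfig(cert, true), roots, webHost, []string{"h2", "http/1.1"}))
}
```

Swapping `mailServerConfig(cert, true)` for `mailServerConfig(cert, false)` in main shows the legacy server completing the handshake with a browser-style ALPN list and no negotiated protocol, which is the situation the cross-protocol attack relies on.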

The researchers are calling their cross-protocol attacks ALPACA, short for “application layer protocols allowing cross-protocol attacks.” At the moment, ALPACA doesn’t pose a major threat to most people. But the risk posed could increase as new attacks and vulnerabilities are discovered or TLS is used to protect additional communications channels.

“Overall, the attack is very situational and targets individual users,” Brinkmann said. “So, the individual risk for users is probably not very high. But over time, more and more services and protocols are protected with TLS, and more opportunities for new attacks that follow the same pattern arise. We think it’s timely and important to mitigate these issues at the standardization level before it becomes a larger problem.”


Biden warns cyber attacks could lead to a “real shooting war”


US President Joe Biden, NATO Secretary General Jens Stoltenberg and Belgian Prime Minister Alexander De Croo attend a plenary session of a NATO summit at the North Atlantic Treaty Organization (NATO) headquarters in Brussels, on June 14, 2021.

President Joe Biden has warned that cyberattacks could escalate into a full-blown war as tensions with Russia and China mounted over a series of hacking incidents targeting US government agencies, companies, and infrastructure.

Biden said on Tuesday that cyber threats including ransomware attacks “increasingly are able to cause damage and disruption in the real world.”

“If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach,” the president said in a speech at the Office for the Director of National Intelligence, which oversees 18 US intelligence agencies.

A number of recent hacks revealed the extent of US cyber vulnerability, ranging from extensive espionage breaches that have struck at the heart of government to ransomware attacks that have brought operations at an important oil pipeline and meat packing plants to a halt.

The Biden administration has accused the governments of Russia and China, or hackers based inside the two countries, of some of the attacks. US officials have warned that the administration would respond with a “mix of tools seen and unseen,” but cyber breaches have continued.

Although he did not say who such a war might be fought against, Biden immediately name-checked Russia’s president Vladimir Putin, alleging that Russia was spreading misinformation ahead of the 2022 US midterm elections.

“It’s a pure violation of our sovereignty,” he said.

“Mr. Putin… has a real problem. He is sitting on top of an economy that has nuclear weapons and oil wells and nothing else. Nothing else,” Biden said. “He knows he’s in real trouble, which makes him even more dangerous.”

At a June summit in Geneva, Biden personally warned Putin that the US would “respond with cyber” if the Russian state or Russian-based hackers targeted critical US infrastructure.

The sectors Biden declared off-limits spanned energy, health care, IT, and commercial facilities, all of which have already allegedly been targeted by Russian hackers since the 2020 US elections. Others included transport, financial services, and chemicals.

Biden also said Chinese President Xi Jinping was “deadly earnest” about China becoming the most powerful military force in the world by the 2040s, as well as the largest and most prominent economy.

“It’s real… This boy’s got a plan,” Biden said, adding: “We better figure out how we’re going to keep pace without exacerbating [the situation].”

Biden stressed that cyberattacks were just one aspect of the growing threats facing the US, saying that there would be more developments in the next 10 years than in the past 50, placing a tremendous burden on the intelligence community.

“It’s really going to get tougher,” he said.

© 2021 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.


Haron and BlackMatter are the latest groups to crash the ransomware party



July has so far ushered in at least two new ransomware groups. Or maybe they’re old ones undergoing a rebranding. Researchers are in the process of running down several different theories.

Both groups say they are aiming for big-game targets, meaning corporations or other large businesses with the pockets to pay ransoms in the millions of dollars. The additions come as recent ransomware intrusions of oil pipeline operator Colonial Pipeline, meat packer JBS SA, and managed network provider Kaseya have caused major disruptions and created pressure in Washington to curb the threats.

Haron: like Avaddon. Or maybe not

The first group is calling itself Haron. A sample of the Haron malware was first submitted to VirusTotal on July 19. Three days later, South Korean security firm S2W Lab discussed the group in a post.

Most of the group’s site on the dark web is password protected by extremely weak credentials. Once past the login page, there’s a list of alleged targets, a chat transcript that’s not fit to be shown in full, and the group’s explanation of its mission.

As S2W Lab pointed out, the layout, organization, and appearance of the site are almost identical to those for Avaddon, the ransomware group that went dark in June after sending a master decryption key to BleepingComputer that victims could use to recover their data.

The similarity on its own isn’t especially meaningful. It could mean that the creator of the Haron site had a hand in administering the Avaddon site. Or it could be the Haron site creator doing a head fake.

A connection between Haron and Avaddon would be more convincing if there were overlaps or similarities in the code used by the two groups. So far there are no such links reported.

The engine driving Haron ransomware, according to S2W Lab, is Thanos, a separate piece of ransomware that has been around since at least 2019. Haron was developed using a recently published Thanos builder for the C# programming language. Avaddon, by contrast, was written in C++.

Jim Walter, a senior threat researcher at security firm SentinelOne, said in a text message that he spotted what appear to be similarities with Avaddon in a couple of samples he recently started analyzing. He said he’d know more soon.

In the shadows of REvil and DarkSide

The second ransomware newcomer is calling itself BlackMatter. It was reported on Tuesday by security firm Recorded Future and its news arm The Record.

Recorded Future, The Record, and security firm Flashpoint, which also covered the emergence of BlackMatter, have questioned if the group has connections to either DarkSide or REvil. Those two ransomware groups suddenly went dark after attacks—against global meat producer JBS and managed network services provider Kaseya in REvil’s case and Colonial Pipeline in the case of DarkSide—generated more attention than the groups wanted. The Justice Department later claimed to have recovered $2.3 million from Colonial’s ransomware payment of $4.4 million.

But once again, the similarities at this point are all cosmetic and include the wording of a pledge, first made by DarkSide, not to target hospitals or critical infrastructure. Given the heat US President Joe Biden is trying to put on his Russian counterpart to crack down on ransomware groups operating in Eastern Europe, it wouldn’t be surprising to see all groups follow DarkSide’s lead.

None of this is to say that the speculation is wrong, only that at the moment there’s little more than hunches for support.


UK worries Starlink and OneWeb may interfere with each other, plans new rules


Artist’s impression of low-Earth-orbit satellites like those launched by SpaceX and OneWeb.

A UK government agency is worried that OneWeb, SpaceX’s Starlink, and similar low Earth orbit (LEO) satellite-broadband systems could block each other’s signals.

Ofcom, the UK’s communications regulator, proposed new rules today in a report that details its interference concerns. Ofcom also said it intends to amend satellite licenses already issued to SpaceX and OneWeb to require coordination of frequency use. Without new requirements, the risk of interference could prevent competition by shutting new players out of the market, Ofcom said.

Non-geostationary satellite orbit (NGSO) systems are more complex than the traditional geostationary type because they use hundreds or thousands of satellites, Ofcom noted. “Satellite dishes need to track these satellites as they move across the sky, unlike existing satellite networks, where the dishes are fixed pointing at a single satellite which is stationary in the sky,” the Ofcom report said. Because so many low-Earth-orbit satellites are being launched, “there is a risk of satellites from two different operators appearing to be in the same part of the sky,” causing interference known as “in-line events” in which multiple operators’ satellites are lined up in the sky, Ofcom wrote.

This interference can affect uplink and downlink transmissions between satellites and user terminals that serve individual homes, the report said. The interference can also affect links between satellites and the Gateway Earth stations that connect to the Internet backbone.

“Since NGSO satellites are moving relative to each other and relative to the ground, in-line events may individually only be brief, maybe a few seconds,” Ofcom wrote. “However, if an in-line event occurs and causes interference, it may take longer for the terminal to reconnect to the network. The interference could continue to repeat over time, reoccurring in a regular pattern which will depend on the orbits of the respective systems.”

Outages from interference

Users could lose service when there’s interference to either the user terminal or gateway earth stations, but interference to a gateway station would affect many more users. “[T]he impact of interference on gateway links would be much greater than on individual user links as each gateway provides connectivity for many users (perhaps hundreds or thousands of users depending on the design of the system), so a loss of connection due to interference at the gateway will be experienced more widely across the network,” Ofcom wrote.

Gateway Earth stations operated by different companies “are likely to require large minimum separation distances” of tens of kilometers to avoid interference, Ofcom wrote. In contrast, “multiple GSO [geostationary satellite orbit] gateways can be located on a single site” without causing harmful interference to each other.

The Ofcom report listed five NGSO constellations that are planned or already semi-operational. The biggest example is SpaceX, which is offering beta service from 1,500 already-launched satellites and has over 4,400 satellites planned for its initial phase. Amazon’s Kuiper division hasn’t launched a satellite yet, but it has 3,236 satellites planned in its initial phase, the report noted.

OneWeb—which is co-owned by the UK government and Bharti Global—has launched over 200 satellites and has plans for 648 satellites in its initial phase. Telesat and Kepler round out the list, with plans for 298 and 140 satellites, respectively.

Here’s the Ofcom chart listing low-Earth-orbit satellite networks:

Coordination difficult

The US Federal Communications Commission in 2017 adopted rules, including power limits, to minimize the danger of interference in NGSO systems. The FCC adopted different rules for different slices of spectrum. In the 17.8 to 18.3 GHz band, for example, the FCC said, “while terrestrial use of this band is significant, there are areas, particularly rural areas, where terrestrial deployment is less dense and by using mitigating techniques like siting considerations, off-axis rejection, and shielding, we expect FSS [fixed-satellite service] earth stations will be able to operate successfully without receiving harmful interference… If interference does occur, earth stations can switch to other bands not shared with terrestrial users or use alternative mitigation techniques.”

The FCC also imposed specific conditions to prevent interference and space debris on licenses awarded to SpaceX, OneWeb, Amazon, and others.

Ofcom is worried that the global system for coordinating satellites, overseen by the International Telecommunication Union (ITU), isn’t good enough to prevent NGSO problems. “The potential for harmful interference between different satellite systems is usually managed by operators cooperating with each other under the ITU satellite coordination procedures,” Ofcom wrote.

The agency added:

However, coordination between NGSO systems is proving to be more challenging due to the dynamic nature of these systems, combined with operators having differing rates of deployment (some operators holding older filings will not deploy their systems for a few years) and changing their architecture over time. We are therefore concerned that NGSO satellite services could be deployed before an appropriate level of coordination has been possible with other operators.

Ofcom is also worried about the coexistence of user terminals when two or more companies provide LEO satellite service in the same area:

A lack of agreement over how user terminals of different systems can coexist in the same area and band could restrict competition as a result of earlier deployed systems hindering later ones. Once one operator starts deploying user terminals, other operators wishing to launch services using the same band may expect to experience harmful interference from the existing user terminals. In the worst case, this could mean that the quality of their broadband services would not be sufficiently reliable in order to enter the market. Nonetheless, the established player could have an incentive to cooperate given that the interference is likely to be mutual, i.e. their services could be degraded as well.

New rules, license changes

Ofcom said its goal in issuing new rules is to minimize interference while encouraging competition. The agency proposed, among other things, “an additional explicit license condition requiring NGSO licensees to cooperate so they can co-exist and operate within the UK without causing harmful radio interference to each other.” Ofcom said it also intends to “[i]ntroduce checks when we issue new NGSO licenses so that these are only granted if all systems (existing and new) are able to coexist and provide services to end users” and implement new conditions letting Ofcom “take action to resolve degradation to services if this were to occur at a particular location or location(s) in the UK.”

To preserve competition, Ofcom said it will “introduce a competition check” into its licensing process to account for the “technical constraints that the gateway or user terminals could create on future licensees.” Ofcom said:

In particular, in a market that was concentrated, if there was limited prospect of the licensee system and future systems (applicants) being able to technically coexist, then this could form a barrier to future entry to the market. As a result, we are proposing that a key piece of information that applicants should provide when applying for a network license is credible evidence about the technical ability for their system and future systems to coexist. This would include evidence about the flexibility of their system and/or what reasonable steps new licensees could easily undertake to protect them. This information would also be used when assessing whether it is reasonable for new applications and existing services to coexist, to understand the reasonableness of mitigations being undertaken by existing licensees.

Ofcom said it plans to review all NGSO licenses to determine which companies are using the same frequencies. The agency said it will also amend the existing licenses held by SpaceX Starlink, OneWeb, and Kepler. The changes would require “NGSO licensees to cooperate with the other NGSO licensees operating in the same frequencies so they can coexist,” and allow Ofcom “to require operators to take action in cases of interference between NGSO systems which impacts the provision of services to users in particular location(s) in the UK.”

Ofcom said it will take comments on its proposals until September 20, 2021.

We contacted SpaceX about Ofcom’s report and will update this article if the company provides a response.
