<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" 
  xmlns:content="http://purl.org/rss/1.0/modules/content/" 
  xmlns:dc="http://purl.org/dc/elements/1.1/" 
  xmlns:atom="http://www.w3.org/2005/Atom" 
  xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" 
  xmlns:media="http://search.yahoo.com/mrss/">
  <channel>
    <title>Government on Untrusted Network</title>
    <link>https://untrustednetwork.net/en/tag/government/</link>
    <description>Recent content in Government on Untrusted Network</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en</language>
    <copyright>&amp;copy; Jan Kopriva 2015 - {year}</copyright>
    <lastBuildDate>Tue, 08 Sep 2015 17:06:42 +0100</lastBuildDate>
    <sy:updatePeriod>weekly</sy:updatePeriod>
    <sy:updateFrequency>weekly</sy:updateFrequency>
    
        <atom:link href="https://untrustednetwork.net/en/tag/government/index.xml" rel="self" type="application/rss+xml" />
    
    
    

      
      <item>
        <title>Looking back at August 2015</title>
        <link>https://untrustednetwork.net/en/2015/09/08/looking-back-at-august-2015/</link>
        <pubDate>Tue, 08 Sep 2015 17:06:42 +0100</pubDate>
        
        <atom:modified>Tue, 08 Sep 2015 17:06:42 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/09/08/looking-back-at-august-2015/</guid>
        <description>One of the most important pieces of cyber security news concerns the August release of a patch for the Stagefright vulnerability, which affects almost all versions of the Android OS from 2.2 to 5.1. The existence of Stagefright was made public at the end of July, and it is estimated that vulnerable devices number in the hundreds of millions. The vulnerability enables an attacker to achieve arbitrary code execution by sending a specially crafted MMS.</description>
        <content:encoded>&lt;p&gt;One of the most important pieces of cyber security news concerns the August release of a patch for the Stagefright vulnerability, which affects almost all versions of the Android OS from 2.2 to 5.1. The existence of Stagefright was made public at the end of July, and it is estimated that vulnerable devices number in the hundreds of millions. The vulnerability enables an attacker to achieve arbitrary code execution by sending a specially crafted MMS. Unfortunately, the released patch has been shown to be incomplete, so even updated devices are &lt;a href=&#34;http://www.theregister.co.uk/2015/08/17/botched_google_stagefright_fix_wont_be_resolved_until_september/&#34;&gt;still vulnerable&lt;/a&gt;.&lt;br /&gt;
Another interesting vulnerability, which also affects a mobile platform (in this case iOS), is called &lt;a href=&#34;http://www.v3.co.uk/v3-uk/news/2423493/apple-ios-ins0mnia-flaw-that-hides-malicious-apps-revealed-by-fireeye&#34;&gt;Ins0mnia&lt;/a&gt;. The vulnerability enables malicious applications to circumvent OS security controls and run in the background without the user&#39;s knowledge (and, for example, collect sensitive information). Ins0mnia affects even non-jailbroken devices and has been patched in the iOS 8.4.1 update.&lt;br /&gt;
One further August news story is connected to Apple products: the creation of the &lt;a href=&#34;http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/&#34;&gt;Thunderstrike 2.0&lt;/a&gt; proof-of-concept worm, which is able to &lt;a href=&#34;https://www.untrustednetwork.cz/en/2015/07/18/looking-back-at-june-2015/&#34;&gt;infect firmware of Macs&lt;/a&gt;. Given the location of the infected memory, it is highly problematic to detect the infection from the OS, and removal of the worm requires the firmware to be re-flashed.&lt;br /&gt;
Another newly discovered (though 18-year-old) attack vector also exploits a vulnerability connected to computer hardware. A vulnerability in &lt;a href=&#34;http://www.computerworld.com/article/2962325/computer-processors/design-flaw-in-intel-chips-opens-door-to-rootkits.html&#34;&gt;Intel&lt;/a&gt; x86 processors enables an attacker to install a rootkit into the memory location used by SMM (System Management Mode – a privileged mode used outside of normal OS execution).&lt;br /&gt;
One final interesting piece of news comes from the Czech Republic and concerns the signing of a &lt;a href=&#34;https://drive.google.com/file/d/0B1nMeoUI7ko4Q3dTbkVyN2RsbWs/view&#34;&gt;sectoral agreement&lt;/a&gt; on cyber security education between commercial and governmental entities.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>Android</category>
            
          
            
              <category>Apple</category>
            
          
            
              <category>Intel</category>
            
          
            
              <category>Vulnerability</category>
            
          
            
              <category>Government</category>
            
          
            
              <category>Malware</category>
            
          
        
        
          
            
              <category>2015</category>
            
          
        
        
          
            
              <category>Looking back</category>
            
          
        
      </item>
      
      <item>
        <title>Looking back at June 2015</title>
        <link>https://untrustednetwork.net/en/2015/07/18/looking-back-at-june-2015/</link>
        <pubDate>Sat, 18 Jul 2015 17:29:33 +0100</pubDate>
        
        <atom:modified>Sat, 18 Jul 2015 17:29:33 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/07/18/looking-back-at-june-2015/</guid>
        <description>Probably the most interesting security-related news in June was an announcement by OPM (the United States Office of Personnel Management), the organization responsible for HR services and administration of US federal employees, about an attack which exposed records of approximately four million current and past employees. The breach had apparently been active for some time before it was discovered using a special IDS called Einstein. Anonymous US officials attributed the attack to China.</description>
        <content:encoded>&lt;p&gt;Probably the most interesting security-related news in June was an &lt;a href=&#34;http://arstechnica.com/security/2015/06/federal-agency-hit-by-chinese-hackers-around-4-million-employees-affected/&#34;&gt;announcement&lt;/a&gt; by OPM (the United States Office of Personnel Management), the organization responsible for HR services and administration of US federal employees, about an attack which exposed records of approximately four million current and past employees. The breach had apparently been active for some time before it was &lt;a href=&#34;http://arstechnica.com/security/2015/06/why-the-biggest-government-hack-ever-got-past-opm-dhs-and-nsa/&#34;&gt;discovered&lt;/a&gt; using a special IDS called Einstein. Anonymous US officials attributed the attack to &lt;a href=&#34;http://www.forbes.com/sites/katevinton/2015/06/11/federal-union-says-opm-data-breach-hit-every-single-federal-employee/&#34;&gt;China&lt;/a&gt;.&lt;br /&gt;
Information about a &lt;a href=&#34;http://www.tripwire.com/state-of-security/latest-security-news/hackers-steal-over-a-million-japanese-citizens-personal-data-in-targeted-attack/&#34;&gt;similar&lt;/a&gt; attack in Japan was also made available in June. Personal information of approximately 1.25 million citizens was stolen during the attack. The primary attack vector appears to have been a malicious e-mail attachment.&lt;br /&gt;
Owners and users of Apple products may be interested in news about the discovery of a &lt;a href=&#34;http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vulnerable-to-permanent-backdooring/&#34;&gt;vulnerability&lt;/a&gt; which enables an attacker to rewrite the firmware of older Macs (devices shipped before the second half of 2014). The vulnerability enables the attacker to make changes in the BIOS when the device is waking up from sleep (when the FLOCKDN protection, which should ensure that some parts of the system are accessible only in read-only mode, is disabled), which may be used to gain root privileges.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>Apple</category>
            
          
            
              <category>Vulnerability</category>
            
          
            
              <category>Government</category>
            
          
            
              <category>PII</category>
            
          
        
        
          
            
              <category>2015</category>
            
          
        
        
          
            
              <category>Looking back</category>
            
          
        
      </item>
      
      <item>
        <title>Looking back at May 2015</title>
        <link>https://untrustednetwork.net/en/2015/06/05/looking-back-at-may-2015/</link>
        <pubDate>Fri, 05 Jun 2015 00:00:57 +0100</pubDate>
        
        <atom:modified>Fri, 05 Jun 2015 00:00:57 +0100</atom:modified>
        <guid>https://untrustednetwork.net/en/2015/06/05/looking-back-at-may-2015/</guid>
        <description>May has been at least as rich in cybersecurity incidents and events as any of the previous months of the year. Some of the more important ones are described in the following text.
The VENOM (Virtual Environment Neglected Operations Manipulation) vulnerability may be considered a very significant one. VENOM is a vulnerability in the code of a virtual floppy drive which is used by some virtualization platforms (QEMU, KVM, Xen).</description>
        <content:encoded>&lt;p&gt;May has been at least as rich in cybersecurity incidents and events as any of the previous months of the year. Some of the more important ones are described in the following text.&lt;br /&gt;
The &lt;a href=&#34;http://venom.crowdstrike.com/&#34;&gt;VENOM&lt;/a&gt; (Virtual Environment Neglected Operations Manipulation) vulnerability may be considered a very significant one. VENOM is a vulnerability in the code of a virtual floppy drive which is used by some virtualization platforms (QEMU, KVM, Xen). It enables an attacker to access the underlying hypervisor from a virtualized OS using a buffer overflow attack. Since the vulnerability is not OS-specific, its impact is fairly high.&lt;br /&gt;
Mention should also be made of another TLS/SSL protocol implementation vulnerability, the so-called &lt;a href=&#34;https://weakdh.org/&#34;&gt;Logjam&lt;/a&gt;. Using Logjam, a downgrade of encryption is possible in man-in-the-middle attacks on connections which use the Diffie-Hellman key exchange algorithm and support its export version.&lt;br /&gt;
Finally, it is noteworthy that the government has ratified an Action plan for the National Cyber Security Strategy 2015 – 2020. Further information (in Czech) may be found &lt;a href=&#34;http://www.govcert.cz/cs/informacni-servis/akce-a-udalosti/vlada-schvalila-akcni-plan-k-narodni-strategii-kyberneticke-bezpecnosti-ceske-republiky-pro-pristich-pet-let-a-zpravu-o-stavu-kyberneticke-bezpecnosti-ceske-republiky-2014/&#34;&gt;here&lt;/a&gt;.&lt;/p&gt;
</content:encoded>
        <dc:creator>Jan Kopriva</dc:creator>
        
        
        
        
          
            
              <category>TLS/SSL</category>
            
          
            
              <category>Virtualization</category>
            
          
            
              <category>Government</category>
            
          
            
              <category>Vulnerability</category>
            
          
        
        
          
            
              <category>2015</category>
            
          
        
        
          
            
              <category>Looking back</category>
            
          
        
      </item>
      

    
  </channel>
</rss>