Draft NIST Special Publication (SP) 800-208, Recommendation for Stateful Hash-Based Signature Schemes

NIST invites
comments on
Draft NIST
Special Publication (SP) 800-208,
Recommendation for Stateful Hash-Based
Signature Schemes.
All of the digital signature schemes
specified in Federal Information Processing Standards Publication (FIPS) 186-4
will be broken if large-scale quantum computers are ever built. NIST is in the
process of developing
standards
for post-quantum secure digital signature schemes that can be used as
replacements for the schemes that are specified in FIPS 186-4. However, this
standardization process will not be complete for several
years.

In this draft recommendation,
NIST is proposing to supplement
FIPS
186
by approving the use of two stateful hash-based signature schemes: the
eXtended Merkle Signature Scheme (XMSS) and the Leighton-Micali Signature
system (LMS) as specified in Requests for Comments (RFC) 8391 and 8554,
respectively. Stateful hash-based signature schemes are not suitable for
general use since they require careful state management in order to ensure
their security. However, their use may be appropriate for applications in which
use of the private key may be carefully controlled and where there is a need to
transition to a post-quantum secure digital signature scheme before the
post-quantum cryptography standardization process has completed.

Draft SP 800-208 profiles LMS,
XMSS, and their multi-tree variants. This profile approves the use of some but
not all of the parameter sets defined in RFCs 8391 and 8554. The approved
parameter sets use either SHA-256 or SHAKE256 with 192- or 256-bit outputs.
This profile also requires that key and signature generation be performed in
hardware cryptographic modules that do not allow secret keying material to be
exported.

The public comment period for this document is open through February 28,
2020.
See
the publication details
for a copy of the draft and instructions for
submitting comments.

NOTE: A call for patent claims is included on page iv of this draft. For
additional information, see the Information
Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL
Publications
.

Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

Trend Micro report this

Behavior analysis

CallerSpy claims it’s a chat app, but we found that it had no chat
features at all and it was riddled with espionage behaviors. When
launched, CallerSpy initiates a connection with the C&C server via Socket.IO to monitor upcoming commands. It then utilizes Evernote Android-Job to start scheduling jobs to steal information.
Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)
Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)
CallerSpy sets several
scheduling jobs to collect call logs, SMSs, contacts, and files on the
device. It also receives commands from the C&C server to take
screenshots, which it later sends to the server.
Figure 3. Scheduled jobs
Figure 3. Scheduled jobs
Source Command
alive_latest_files_watcher Starts latest_files_watcher job and keeps it alive
enviorment_schedulers Configures environment record module
keep_enviorment_scehdular_alive Starts the enviorment_scehdular job and keeps it alive
keep_listener_alive Starts listener job and keeps it alive
latest_files_watcher Collects latest call logs, SMSs, contacts, and files
listeners Updates configuration and takes a screenshot
record_enviorment Records environment
remote_sync Uploads privacy to the remote C&C server
sync_data_locally Collects all call log, SMS, contacts, and files information on the device
Table 1. Some of CallerSpy’s scheduling job tags
All of the stolen information are collected and stored in a local
database before they’re uploaded to the C&C server periodically.
This spyware targets the following file types: jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, wav, and amr.
Figure 4. Privacy database
Figure 4. Privacy database
The screenshot gets captured
when a command is received from the C&C server. The screenshot image
then gets encoded using Base64 and sent back to the server via a
preconfigured Socket.IO connection.
Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)
Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)
 
For full info click here

Caller Poses as CISA Rep in Extortion Scam

National Cyber Awareness System:

 

Original
release date: November 29, 2019

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a
phone scam where a caller pretends to be a CISA representative. The scammer
claims to have knowledge of the potential victim’s questionable behavior and
attempts to extort money.

If you receive a threatening call from someone claiming to be a CISA
representative, CISA recommends the following actions:

  • Do not respond or try to contact the caller.
  • Do not pay the caller.
  • Contact your local
    FBI field office
    to file a report.

(In)Security Management Engine

   The out of band management system bundled on almost all Intel processors has become a hot target for attackers in recent years. This is because it runs alongside the main processor and has virtually unrestricted access to all the hardware in the machine. As long as the machine has power the management engine is sitting there silently waiting for commands from a system administrator with access to it. While this feature can be a huge help for administrators managing a large number of machines it also presents an extremely attractive attack point.

    Intel provides a number of different subsystems under the Converged Security and Management Engine (CSME). The management engine is the specific firmware for mainstream chips, they also provide Server Platform Services (SPS) for server hardware and the Trusted Execution Engine (TXE) for tablets and other low power devices. Security researchers have been skeptical of the CSME for years due to it being closed source, having full access to the hardware, and its inability to be disabled. Several vulnerabilities have been found in the system by various researchers in the past. It’s time to make sure your systems are up to date as Intel just released a bug advisory with 77 found vulnerabilities, including one listed as critical.
    The most critical vulnerability found (CVE-2019-0169) is a heap overflow bug that could allow an unauthenticated attacker to take over a target system or cause a denial of service. Other high security bugs were found as well including cross site scripting, insufficient access control, and privilege escalation. For most of the attacks the only requirement is that the target machine is on the same network as the attacker. While many of the vulnerabilities allow an already privileged user to escalate their privileges, some of them require no prior authorization. By chaining these types of vulnerabilities together it would be possible for someone to go from having no access to having full privileges on the machine.
    Most of the vulnerabilities were found by Intel itself as part of an internal audit designed to harden the CSME system. 10 of the vulnerabilities came from independent researchers who reported the bugs to Intel. As always, it is important to make sure your systems are up to date, especially if public facing or used on untrusted networks. The required patches are typically bundled in your operating systems update mechanism such as processor micro code updates. Depending on your specific hardware and software setup you may have to acquire and run the updates manually.

Sources

 • https://threatpost.ccom/intel-critical-info-disclosure-bug-securityengine/150124/

https://blogs.intel.com/technology/2019/11/ipas-november-2019-intelplatform-update-ipu/11

Vulnerability in Amazon’s Ring Video Doorbell

    Researchers at Bitdefender have found a vulnerability in Amazon’s Ring Video Doorbell which allows an attacker with proximity to the device to intercept the Wi-Fi credentials of the network it operates on, which could lead to further attacks to devices on the network. The Ring Doorbell is an IoT device that allows a person to remotely view and communicate to people on their property. The exploit revolves around the setup procedure and the lack of security in place during that setup. The researchers say that while setting up the device, the doorbell will broadcast an unprotected wireless signal which is meant to facilitate the communication between the app and the device. Besides this, the communication between the app and the doorbell is done insecurely through HTTP. This means that when the app prompts the user to enter their home Wi-Fi credentials, an eavesdropper can see the password in plaintext. This could then lead to exploitation of the network and attacks against the devices on it.

    While the doorbell is only vulnerable when performing the initial setup, the researchers say that there is a way to trick the user into going through the setup again. They discovered that sending de-authentication messages to the device will make the user think that the device is not properly working, leading them to reconfigure it. A de-authentication attack is a type of denial of service attack where an attacker continuously sends de-authentication frames to one or more devices, preventing them from connecting to the network. While sending the de-authentication messages, the doorbell will disconnect itself from the Wi-Fi network and make it unable to reconnect. The last resort to resolve the connection issue is to reconfigure the device by going through the setup process again, leading to an eavesdropper gathering the credentials.

    Ring has since patched this vulnerability with the release of its newest software update and urges its users to perform an update on their device. However, users that have not yet updated should be aware of this method to force a reconfiguration. If you suddenly find that the device is unable to connect to Wi-Fi you may be the victim of this attack. The exploitation of this vulnerability, while relatively easy, does require the attacker to be within some proximity to the network. This is not the first time that Ring has exposed users’ Wi-Fi passwords to attackers. In 2016, researchers found that by pushing a button on the device to activate access point mode, an attacker could use a mobile device to navigate to a URL that exposed the network settings. While IoT devices can provide great benefits to consumers, they must contain proper security controls.

Sources: 

https://thehackernews.com/2019/11/ring-doorbell-wifi-password.html 

https://www.bitdefender.com/files/News/CaseStudies/study/294/Bitdefender-WhitePaper-RDoor-CREA3949-en-EN-GenericUse.pdf 
11

Amazon Alexa and Google Home are listening

    Amazon Alexa and Google Home are listening. It’s likely you are aware of the security and privacy concerns as well as their mitigations. It’s the price we pay for the technology we want. Unfortunately, there is another attack vector recently exposed by researchers at Germany’s Security Research Labs (SRL). The most interesting part of this research is that it is an absolute “confirmed proofof-concept”. The researchers developed four Alexa “skills” and 4 more Google Home “actions”, submitted the malicious apps where they all passed Amazon and Google security vetting processes, and made it into the respective markets. SRL developed two types of malicious applications: a set for eavesdropping, and a set for phishing. The eavesdropping apps responded to the wake phrase and provided the requested information while the phishing apps responded with an error message. Both methods created the illusion of stopped functions while proceeding silently with their attack. The eavesdropping attacks used methods involving pauses, delays, and exploiting flaws in text-to-speech engines speaking unspeakable phrases that produced no auditable output. This gave the impression that the application finished when it was still listening, recording, and sending it back to the application developer. In the case of the phishing apps, the error message created the impression that the application had finished unsuccessfully. Similar tricks to keep the application running were used followed by the application mimicking the device voice claiming there is an update available and requesting that the user say their account password. Neither Amazon Alexa nor Google Home do this, but naive users might respond. These seem like they may not be too effective- a user may not say anything of utility or anything at all to the eavesdropper and they should know to ignore the requests of a phishing attempt.

    But these attacks highlight key issues:

• What vetting process is Amazon or Google using?

• What other exploitable flaws exist in their vetting methods?

• Why would Amazon or Google allow a functionality change after review?

    Google Play has an unfortunate history of hosting a variety of malicious apps and eavesdropping concerns have been previously reported by Checkmarx and MWR Labs for Alexa skills. SRL did report the results of its research to Amazon and Google through their responsible disclosure process. Both companies removed the apps and said they are changing their approval processes to prevent skills and actions from having similar capabilities in the future. But SRL’s success raises serious concerns and it’s worth noting these key issues are not only applicable to listening smart home devices but can be considered for all applications available on any platform. I’m not ready to give them up just yet, but Dan Goodin of ARS Technica sums it up this way: “SRL’s research only adds to my belief that these devices shouldn’t be trusted by most people.”

Sources: 

https://arstechnica.com/information-technology/2019/10/alexa-andgoogle-home-abused-to-eavesdrop-and-phish-passwords/

https://srlabs.de/bites/smart-spies/

Adobe Data Leak

    Multinational software company Adobe has suffered a data leak that exposed the account information of an estimated 7.5 million customers, according to security researcher Bob Diachenko. Those affected were subscribers to Adobe’s Creative Cloud service which provides users with access to its line of software applications which includes Photoshop, Illustrator, and After Effects, among others. This leak is the result of an unsecured and poorly implemented Elasticsearch database.

    The researchers discovered the database on October 19th and notified Adobe the same day. Exposed information includes email addresses, owned products, account creation date, subscription status, account ID, country, last login date, and if the user is an Adobe employee. The database did not include any financial information or passwords. It is also unknown whether this database had been stumbled upon before researchers found and disclosed it to Adobe. Adobe released a blog post stating that” last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.” Adobe also confirmed that the data did not include any passwords or financial information.

    This is not the first time Adobe has been careless about how user information is stored. In 2013, Adobe suffered a major data breach that affected at least 38 million users but could have affected up to 150 million. This 2013 breach also resulted in the loss of password data as well as stolen source code for several Adobe products. Analysis of this breach found that Adobe was improperly storing passwords, allowing for many of the most common passwords to be guessed. At the time, the 2013 breach was considered one of the worst data breaches to have occurred. 

    While the leaked data may seem unalarming, it may still be a cause for concern. Using the leaked data, a malicious actor could create a very targeted phishing campaign. Typically, phishing emails are sent to a wide range of individuals, and because of this tend to not include information relevant to the recipient. However, using this data an individual could use details such as first and last name, account number, subscription status, and last login date to create a very convincing phishing email. While, as previously stated, it is unknown as to whether this information was found by anyone else, users should still be aware of possible phishing emails containing Adobe account information. 

Sources

https://thehackernews.com/2019/10/adobe-database-leaked.html 

https://securityaffairs.co/wordpress/92986/breaking-news/adobe-creative-cloud-data-leak.html11

Computer Baselines

    Security, for many, seems hard to do right.   I know that we all think about firewalls, patch
management, antivirus and physical security.  
But I like to cover an area that does not get focused on by most
companies.

     Baseline and inventory of computers on a network are often overlooked.  I ask all the time, “Do you know what the
computers are in your network?  What are
the services that are running?  What
ports are open?  Who uses the
services?  Who are the users?”

    For the most part, I hear “Uh, no. We don’t know.”   If you do not know what’s running on your
systems, how will you know what changed if someone breaks into your network?  How will you know?  I believe that you need to create a master
file (portfolio) that lists what the computers/servers are doing; what tasks/services
are being run; what ports are open; who is the owner of that application; who
are the users; what are the data backup requirements, 1 a day, once and hour ?;
and finally, who maintains master file (portfolio)?
    If you have this as minimum documentation you can then do a
risk assessment and identify all the systems and prioritize what needs to be
monitored and controlled.

Apps Apple App Store that are infected with clicker trojan malware.

    Wandera’s threat research team has discovered 17* apps on the Apple App Store that are infected with clicker trojan malware. The apps communicate with a known command and control (C&C) server to simulate user interactions in order to fraudulently collect ad revenue.
The clicker trojan module discovered in this group of applications is designed to carry out ad fraud-related tasks in the background, such as continuously opening web pages or clicking links without any user interaction.

    The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.
Because these apps are infected with the clicker trojan module, they fall within the trojan category of Wandera’s malware classification.

About the infected apps

    The group of 17 infected apps covers a random set of application categories, including productivity, platform utilities, and travel. The full list of infected apps appears below:
All 17 infected apps are published on the App Stores in various countries by the same developer, India-based AppAspect Technologies Pvt. Ltd.

Adware Campaign Affects Millions

    Smartphones have become the icon of our modern technological society. They are so prevalent that app development has grown exponentially in recent years in the struggle to become the next Facebook or Pinterest. The phrase “There’s an app for that” truly describes the breadth of apps available. However, this can also lead to many malicious apps available that could be harmful to users, such as the Ashas family of adware apps available on the Google Play store.

    ESET researchers discovered a family of 42 apps, dubbed the Ashas family, that were originally designed as legitimate apps but later updated to provide fullscreen advertisements to users and exfiltration of some basic device data. The original functionality, such as photo viewers, video downloaders, music apps, and games still exists but with the malicious activity included as well. The adware campaign had been active since July 2018 with over 8 million downloads and half of the apps still available on the Play store at the time of discovery. Since the researchers reported their findings, the remaining apps have been removed.

    The apps use a command and control (C&C) server to send device information such as type, version of the operating system, language, installed apps, free storage space, and other fingerprinting data. The app is then configured from the C&C server and also includes ways of avoiding detection. First, the app can detect if it is being run on a Google server and therefore will not run the adware payload. Next, a custom delay can be set so that ads are displayed well after starting the app (a half-hour later, for instance) so that the user doesn’t associate the ad behavior with that particular app. Ashas apps can also display a different icon when users try to determine which app is showing the ad, usually hiding as Google or Facebook. Finally, the app installs a shortcut in the app menu instead of the icon itself so that when a user tries to delete it, they are removing only the shortcut and the app continues to run in the background. 

    ESET researchers managed to track down the author of the Ashas apps, a university student in Vietnam. They backtracked from the IP address of the C&C server to the owner information, then to university information and eventually the author’s YouTube channel and personal Facebook page. All of the information was publicly-available open-source data, showing that the author didn’t try to cover his tracks. This leads the researchers to believe that the developer started honestly when creating the apps and then later decided to turn to malicious behavior.

Sources:

 • https://thehackernews.com/2019/10/42-adware-apps-with-8-milliondownloads.html 

 • https://www.welivesecurity.com/2019/10/24/tracking-down-developerandroid-adware/ 

https://www.zdnet.com/article/vietnamese-student-behind-androidadware-strain-that-infected-millions/10