Encryption & privacy took quite a beating this week in the wake of the Paris attacks. We come to its defense. Your ISP heard you like backdoors, so they put a backdoor in your backdoor, the story of the social RAT & more!
— Show Notes: —
The Paris Attacks Were An Intelligence Community Failure, Not An ‘Encryption’ Problem
- Less than two months ago, Techdirt noted that, having lost the immediate battle for US legislation to backdoor encryption, those in the intelligence community knew they just needed to bide their time until the next big terrorist attack.
- Here is the quote from Robert Litt, the top lawyer for the Office of the Director of National Intelligence, from September:
“the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”
- In the wake of the tragic events in Paris last week, encryption has continued to be a useful bogeyman for those with a voracious appetite for surveillance expansion. Like clockwork, numerous reports were quickly circulated suggesting that the terrorists used incredibly sophisticated encryption techniques, despite no evidence from investigators that this was the case. These reports varied, with the New York Times even having to pull one such report offline.
- Other claims held that the attackers had used encrypted PlayStation 4 or WhatsApp communications.
- Over the past few days, Techdirt has been highlighting the fever pitch of pundits and officials trampling over themselves to blame Ed Snowden, blame encryption and demand (and probably get) new legislation to try to mandate backdoors to encryption.
- It now appears that the attackers communicated via unencrypted SMS and did little to hide their tracks.
- Ryan Gallagher at the Intercept notes that some of the attackers were already known to law enforcement and the intelligence community as possible problems, but they were still able to plan and carry out the attacks. Even more to the point, Gallagher points out that, after looking at the 10 most recent high-profile terrorist attacks, the same can be said for each of them.
- The Intercept has reviewed 10 high-profile jihadi attacks carried out in Western countries between 2013 and 2015…, and in each case some or all of the perpetrators were already known to the authorities before they executed their plot.
- Are ISIS Geeks Using Phone Apps, Encryption to Spread Terror? – NBC News
- Paris Terrorists Used Double ROT-13 Encryption – Schneier on Security
- Signs Point to Unencrypted Communications Between Terror Suspects
- After Endless Demonization Of Encryption, Police Find Paris Attackers Coordinated Via Unencrypted SMS | Techdirt
- The Limits of The Panopticon — why the surveillance state failed
Backdoor in cable modem, contains backdoor
- Security researcher Bernardo Rodrigues was invited to give a talk at a security conference, and he decided to research the topic of cable modem security.
- Unlike talks from years ago, this wasn’t about how to get free cable internet, but instead about “the security of the cable modems, the technology used to manage them, how the data is protected and how the ISPs upgrade the firmwares. Spoiler Alert: everything’s really really bad.”
- “While researching on the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including TG862A, TG862G, DG860A. As of this writing, Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts and the vendor did not state whether it’s going to fix it yet.”
- “ARRIS SOHO-grade cable modems contain an undocumented library (libarris_password.so) that acts as a backdoor, allowing privileged logins using a custom password”
- “ARRIS password of the day is a remote backdoor known since 2009. It uses a DES encoded seed (set by the ISP using the arrisCmDoc30AccessClientSeed MIB) to generate a daily backdoor password. The default seed is MPSJKMDHAI and guess what – many ISPs won’t bother changing it at all.”
- “The backdoor account can be used to enable Telnet and SSH remotely via the hidden HTTP Administrative interface “https://192.168.100.1/cgi-bin/tech_support_cgi” or via custom SNMP MIBs”
- “The default password for the SSH user ‘root’ is ‘arris’. When you access the telnet session or authenticate over SSH, the system spawns the ‘mini_cli’ shell asking for the backdoor password”
- “Yes, they put a backdoor in the backdoor (Joel from Dlink is sure to be envious). The undocumented backdoor password is based on the last five digits from the modem’s serial number. You get a full busybox shell when you log on the Telnet/SSH session using these passwords.”
- The researcher’s marketing solution for the vulnerability? An old-fashioned keygen, complete with chiptunes and ASCII art.
- The vulnerability was disclosed to CERT on 2015-09-13, and CERT has a 45-day disclosure policy. The vendor has yet to correct the issue.
- Ohh, and it seems there are more backdoors.
The Story of the Social RAT-in-the-Browser
- A Remote Access Trojan (RAT) is malware that runs on your computer, giving unlimited access to a cybercriminal who can then steal information or install other malicious software.
- They are able to operate under the radar of traditional security measures because a RAT’s installation mechanism is usually attached to a legitimate program. Once installed, the intruder can do just about anything on the targeted computer, including accessing confidential information such as credit card and Social Security numbers, activating a system’s video camera or webcam, distributing malware, or altering files.
- RATs have been used by nation states and hacktivists for many years; recently, however, this remote access attack vector has migrated to online banking fraud.
- These specific RATs, termed RAT-in-the-Browser (RitB), give cybercriminals access to banking credentials and account information.
- One of the reasons these Trojans have spread so rapidly is that banks often rely on traditional security measures such as device fingerprinting to validate a device’s reputation, assigning ‘risk’ to new or untrustworthy devices and ‘trust’ to known user devices.
- RitB sessions are therefore often successful, since the fraud originates from the victim’s own trusted device and these detection tools find nothing unusual.
- A Social RitB adds another layer of complexity: fraudsters are beginning to use social engineering to carry out remote access attacks. All a fraudster needs to do is convince a user to install a standard remote support tool on their computer — for example, Ammyy, UltraVNC, AeroAdmin, or RemotePC — and use it to perpetrate online banking fraud.
- This type of banking fraud is simple for cybercriminals to carry out, since it requires neither the technical know-how needed to develop malware nor an exploit to infect the user’s machine.
- Here’s how it works: a fraudster calls a user and convinces him or her that the caller is an employee of a reputable organization (e.g. an Internet service provider or bank), explains to the user that there is a security issue on his or her computer, and then fools the user into downloading and installing a remote support tool (or into giving the fraudster access to a tool already installed). The fraudster then convinces the user to log in to his or her bank account for a quick ‘security check.’ And voilà, the attacker is in and can submit a fraudulent transaction. This is a relatively easy process for the criminal that requires far less technical know-how and monetary expenditure than a regular RitB attack.
Feedback:
Round-Up:
- Telegram cracked down on 78 ISIS-related channels in 12 languages this week
- DDoS and the Internet’s liability problem
- French airport still uses Windows 3.1, has to go to eBay to get spare parts. Stopped all flights when it crashed
- A behind-the-scenes look at Facebook’s release engineering, and how they use BitTorrent
- Police body cams found pre-installed with notorious Conficker worm
- Bypassing SMEP with vDSO on Linux
- Ads found emitting inaudible sounds from your Phone, Tablet, TV and PC, and listening on other devices to link your devices together
- Introducing “Chuckle” a tool to exploit lack of SMB signing
- Hardware signing of Docker instances with Yubikey
- LinkedIn fixes XSS that could have been used to spread a worm
- CoreOS Launches Clair, An Open-Source Tool For Monitoring Container Security
- It is way too easy to hack the hospital
- Tunnel all of your traffic over ICMP Echo requests and replies
- TubeMogul replaced 31 EC2 x2-large instances with 2 SuperMicro servers
- 15 sites to practice your pentesting skills
- Media Jacking — Tricking people into giving you access to their webcam