Microsoft’s HTTP.sys vulnerability – MS15-034

Just last week Microsoft patched a critical vulnerability that affects the Windows HTTP stack. If exploited by an attacker sending a specially crafted HTTP request, it could give the adversary the ability to execute arbitrary code in the context of the System account.

Background
For those who aren’t aware already, the HTTP listener in Microsoft IIS is implemented as a kernel-mode device driver called the HTTP protocol stack (HTTP.sys). IIS uses HTTP.sys for the following tasks:
  • Routing HTTP requests to the correct request queue.
  • Caching of responses in kernel mode.
  • Performing all text-based logging for the WWW service.
  • Implementing Quality of Service (QoS) functionality, which includes connection limits, connection timeouts, queue-length limits, and bandwidth throttling.
Vulnerability
The problem here stems from HTTP.sys not safely handling the Range header in an HTTP request. The Range header is used to fetch part of a file from a server, which is handy for resuming downloads. If the range is set far too large, it causes the Windows kernel to crash.
I found these two articles quite useful, while researching this vulnerability.
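As an added example (not part of the original post), here is defensive triage logic that parses the Range header and flags the anomalies described above: ranges far larger than anything the site serves, inverted ranges, and malformed values. The sample requests and the `max_sane` threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample requests (path, Range header value); not from any real capture.
SAMPLE_REQUESTS = [
    ("/welcome.png", "bytes=0-1023"),
    ("/welcome.png", "bytes=1024-"),
    ("/setup.exe", "bytes=-500"),
    ("/welcome.png", "bytes=500-100"),                  # inverted range
    ("/welcome.png", "bytes=0-99999999999999999999"),   # far beyond any served object
    ("/welcome.png", "bytes=abc"),                      # malformed
]

RANGE_RE = re.compile(r"^bytes=(.+)$")
SPEC_RE = re.compile(r"^(\d*)-(\d*)$")   # first-last, first-, or -suffix_length

def parse_byte_ranges(value):
    """Parse an RFC 7233 byte-range set into (first, last) pairs; None if malformed.
    A missing first or last is returned as None (open-ended or suffix range)."""
    m = RANGE_RE.match(value.strip())
    if not m:
        return None
    specs = []
    for part in m.group(1).split(","):
        sm = SPEC_RE.match(part.strip())
        if not sm:
            return None
        first, last = sm.groups()
        if not first and not last:          # "-" alone is not a valid spec
            return None
        specs.append((int(first) if first else None, int(last) if last else None))
    return specs

def assess_range(value, max_sane=2**40, max_specs=8):
    """Classify a Range header value. max_sane (assumed here: 1 TiB) should be set
    to the largest object the site actually serves. Python ints have no width
    limit, so an absurdly wide bound is parsed and flagged, never silently wrapped."""
    specs = parse_byte_ranges(value)
    if specs is None:
        return "malformed"
    if len(specs) > max_specs:
        return "too_many_ranges"
    for first, last in specs:
        if first is not None and last is not None and first > last:
            return "inverted"
        if any(bound is not None and bound > max_sane for bound in (first, last)):
            return "oversized"
    return "ok"

def flag_requests(requests):
    """Return (path, header, verdict) for every request whose Range is not ok."""
    flagged = []
    for path, header in requests:
        verdict = assess_range(header)
        if verdict != "ok":
            flagged.append((path, header, verdict))
    return flagged

if __name__ == "__main__":
    for item in flag_requests(SAMPLE_REQUESTS):
        print(*item)
```

The same check can run on a reverse proxy or WAF in front of IIS, where a flagged request is dropped before it reaches HTTP.sys.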
Exploits found
Two exploits have been discovered to be in the wild as of this post: one to test whether a server is vulnerable, and one that crashes it. Mattias Geniar of hosting solutions provider Nucleus claims to have tracked down one of these exploits, and he covers it in good detail here.

Patch released
Microsoft has released a patch as part of its latest Patch Tuesday advisory.
The vulnerability has been assigned a reference and is further described here.

Detecting zero day attacks
Software and hardware are bound to have bugs in them, because they are written by human beings! The best way to detect exploitation of these bugs/vulnerabilities is a holistic approach to setting up an intrusion detection solution. One effective framework for thinking about cyber defense is the Cyber Kill Chain, originally created by Lockheed Martin. It is a very interesting framework, and I shall talk about it in more detail in a later post. Briefly, the framework holds that every attack is a sequence of stages, or steps, that an adversary performs to accomplish his/her mission.
Cyber Kill Chain - Attack Stages
As per the framework, vulnerabilities are only one part of the whole attack sequence, the stage it calls Exploitation. By having detection mechanisms tuned to anomalies at the different stages of an attack, we gain the ability to break the sequence both before and after the exploitation stage, which increases our chances of detecting zero-day attacks.

To quote from the Lockheed Martin paper:
Using a kill chain model to describe phases of intrusions, mapping adversary kill chain indicators to defender courses of action, identifying patterns that link individual intrusions into broader campaigns, and understanding the iterative nature of intelligence gathering form the basis of intelligence-driven computer network defense (CND). Institutionalization of this approach reduces the likelihood of adversary success, informs network defense investment and resource prioritization, and yields relevant metrics of performance and effectiveness. The evolution of advanced persistent threats necessitates an intelligence-based model because in this model the defenders mitigate not just vulnerability, but the threat component of risk, too.

Hence, I believe that in order to succeed in the race with cybersecurity adversaries, who use zero-day exploits and vulnerabilities to accomplish their missions, enterprises must evolve from signature/discrete-event based detection to a holistic intrusion detection framework based on the Cyber Kill Chain.

This is a very interesting topic, and I will be talking more about it in my forthcoming posts on this blog.

Title Image Courtesy: slashgear.com

On Mark Zuckerberg’s thoughts on Net Neutrality

It is very reassuring to see the power of social media and the Internet taking over this whole debate on Net Neutrality in India. The last few weeks have been amazing, and seeing so many people raise their voices on various platforms on the web makes you feel that these are probably the best times in the history of social communities, where every individual has an equal right to share their views for or against a particular cause. The power of the Internet hasn’t been more evident than in the last decade. The uprising in Egypt in 2011 is one such important event, which has changed the lives of the people there forever.

I believe that this whole uprising in India for Net Neutrality has already won half the battle, because many of the “partners” who signed up for these “Zero Rating” services (Airtel Zero and Internet.org) have backed out. This list includes big names like Flipkart, ClearTrip, NDTV and the Times of India group.

Recently, this whole debate got a new voice when Mark Zuckerberg took to a famous Indian daily, the Hindustan Times, where he tried to defend Facebook’s Internet.org initiative as some sort of world-changing CSR (Corporate Social Responsibility) activity.

What Mark is basically saying is that the purpose of setting up internet.org is to provide “free internet” to the poor, so that they can leverage the benefits that the “Internet” (through internet.org) has to offer. It sounds pretty good and noble, but the fact is that internet.org is not the whole Internet. It is primarily Facebook and a few hand-picked sites, which are identified by Facebook and its partners.

I see this whole definition of purpose as – “Internet.org provides free access to Facebook to the poor and under privileged so that they can leverage the benefits that Facebook has to offer.” Now does that sound noble to you?

Indian journalist Nikhil Pahwa responded to Mark’s post in the Hindustan Times, and he elaborates on this whole misconception that these telcos and companies like Facebook are trying to portray. It’s a definite read.

Image Courtesy: http://www.thehindubusinessline.com

Apple Watch and self-surveillance

Apple’s foray into the wearables industry had been rumoured for 2-3 years, and ever since the rumour mill started, many companies (Google, Samsung, etc.) started coming out with their mostly unfinished and unimpressive wearable products. And as it usually turns out, Apple came along with their Watch and has stirred up the wearables industry, including the multi-billion dollar non-tech luxury watch industry.
But there has also been a lot of debate on the privacy aspects of wearable devices, and Google Glass got a lot of negative attention for this reason. Apple Watch has also been talked about for the same issue. But the balance between privacy and convenience has always been tough to maintain, and looking at the recent trend of social media and technology use by consumers, it is obvious that users prefer the latter over privacy.
I think Apple Watch is also going to experience the same preference: the convenience and utility value that the Watch provides will be found more valuable to consumers than the loss of privacy.
Paul Krugman has an interesting take on this perspective, and has put down his thoughts in the NY Times.
His reference to the Varian Rule, which basically says one can forecast the future by looking at what the rich have today, is specifically interesting.
…rich people don’t wait in line. They have minions who ensure that there’s a car waiting at the curb, that the maitre-d escorts them straight to their table, that there’s a staff member to hand them their keys and their bags are already in the room.
 
If you have seen the recent Apple Event where Kevin Lynch demoed some of the use cases of the Apple Watch, wouldn’t you agree that the Varian Rule can actually be true?
Image courtesy: http://www.myasd.com

Pappu and Feku – the Best We Can Do?

This is an offbeat topic for my usual blogging category, but I found this article by writer and IIT Delhi professor Rukmini Bhaya Nair quite interesting, and I want to take a perspective on it.

The Indian political environment has changed dramatically in the last 5 decades. Thanks to the free and open (yeah, I know the “openness” can be debated) access to information that we have today, a result of the global growth of the Internet in the last 2 decades, politicians and politics in India have been exposed to tight scrutiny by the media, by citizens and by fellow politicians, and have come under a lot of focus and constant attention. And as professor Rukmini says, maybe it is that politics today is all screen-spectacle.

This wasn’t the case 5 decades ago, and the politicians and national leaders during our Independence movement weren’t exposed to so much attention, constant criticism and audit. But I think there were a lot of other sources which contributed similar attention, focus and criticism. For example, during the period 1920-47, there were a lot of independent journals, newspapers, books, articles, poems, essays, speeches, street acts and stand-up shows, providing enough sources of such attention to the national leaders of those days.

But as professor Rukmini states in her post, the leaders of that time had a great deal of mutual respect and trust between them, and so there was always a sense of dignity and respect when they conversed with and referred to each other. This sense of dignity and mutual respect is something we don’t see much in today’s political space, and that’s unfortunate.

This must change, and I am hopeful that it will. I completely agree with her following lines:

My view is that India is a dynamic country with a very young population which deserves truthful as well as entertaining accounts of the challenges facing us. We may have come a long way from the times of the freedom movement, but India still needs freedom from dire poverty, illiteracy, gender abuse, caste factionalism, regional prejudice. In these times of social ‘churn’, I therefore think our politicians still have a crucial lesson to learn from our past: they must respect each other – and us, the aam janta – just a wee bit more.
 
At the moment, our politicians are outdoing themselves trying to disgrace their peers. What’s needed from them is the exact opposite – grace and generosity. If a more coherent vision of the future of India fifty years down the line emerges from this exercise, that would be great. But if not, our political leaders should at least do us the honour of telling us the truth.

Do check out professor Rukmini’s post in NDTV’s Opinion section, here: http://www.ndtv.com/opinion/pappu-and-feku-the-best-we-can-do-756650?pfrom=home-lateststories

Image Courtesy: http://i.dailymail.co.uk

Dos and Don’ts with Document Embedded Objects

Phishing is a form of online identity theft in which fraudsters trick Internet users into submitting personal information to illegitimate web sites.
The word ‘Phishing’ is a neologism created as a homophone of fishing, because of the similarity of using fake bait in an attempt to catch a victim (and hence the picture I have used in this post).
Phishing scams are usually presented in the form of spam or pop-ups and are often difficult to detect. Once the fraudsters obtain your personal information, they can use it for all types of identity theft, putting your good credit and good name at risk. One of the most widely used phishing techniques is email spoofing, where the attacker sends a legitimate-looking email to a victim, which can contain links to websites that are malicious or controlled by the attacker. Email is also the most widely used delivery mechanism that an attacker uses to deliver the attack payload or the exploit itself. (I shall talk about delivery mechanisms and the larger Cyber Kill Chain concept in a later post.)
These emails can also contain attachments like Word documents, spreadsheets, PDF files, etc. Embedding objects within these attachments is one of the easiest ways of delivering the payload, because embedding objects is something that we IT professionals also use frequently for legitimate reasons. So this is leveraged by the attacker to his advantage.
As Amanda Stewart of FireEye says in her recent post on their blog:
Phishing emails are one of the most common delivery mechanisms for malware authors. The attachments in those phishing emails have a variety of payloads. Well-known delivery methods include: exploiting vulnerabilities in the document program (e.g., doc, xls, rtf), using macros, or embedding user-clickable objects that drop payloads. Out of all these methods, embedding objects in the document is considered a “gray area” because both IT professionals and malware authors use this technique.
 
In the post, she also talks in detail about the Dos and Don’ts when embedding objects within documents.
Dos
 
  • If you must send someone an installation executable or even a form helper program, compress the executable in a password protected ZIP file, where the password is not easily guessable. Using a standardized strong password limits access to users or employees that need to access the program.
  • Educate your employees to not click on objects in documents without first confirming the source email address.
  • Enforce content filtering on web and email to prevent employees receiving executable files from the internet.
  • Remove admin/local admin privileges to prevent employees installing new and unknown software onto devices.
  • Consider Advanced Threat Prevention technologies that can examine emails for sophisticated multi-stage droppers that evade detection of all email security gateways today. 
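As an added example (not code from the original post or from FireEye), here is a mail-gateway triage check for the “gray area” above: it opens an OOXML attachment (.docx/.xlsx/.pptx are zip packages) and reports any embedded objects, found either as parts under an `embeddings/` directory or via `oleObject`/`package` relationships. The sample document is constructed in memory, and the quarantine policy is an assumption for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Parts where Word, Excel and PowerPoint store embedded objects inside the OOXML zip
EMBED_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
# Relationship types that point at OLE objects or embedded packages
EMBED_REL_MARKERS = ("/relationships/oleObject", "/relationships/package")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header of an OLE .bin part

def find_embedded_objects(doc_bytes):
    """Return sorted (part_name, how_found) pairs for embedded objects in an OOXML file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith(EMBED_DIRS):
                found[name] = "embeddings part"
        for name in names:
            if not name.endswith(".rels"):
                continue
            # word/_rels/document.xml.rels describes targets relative to word/
            base = name[:name.index("/_rels/")] if "/_rels/" in name else ""
            for rel in ET.fromstring(zf.read(name)):
                rtype = rel.get("Type", "")
                if any(marker in rtype for marker in EMBED_REL_MARKERS):
                    target = rel.get("Target", "")
                    part = target if target.startswith("/") else f"{base}/{target}"
                    found.setdefault(part.lstrip("/"), "relationship")
    return sorted(found.items())

def build_sample_docx(with_embedding):
    """Construct a minimal .docx in memory (a constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
        if with_embedding:
            rels.append('<Relationship Id="rId5" Target="embeddings/oleObject1.bin" '
                        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"/>')
            zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 24)
        rels.append("</Relationships>")
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()

def should_quarantine(doc_bytes):
    """Assumed gateway policy: hold any document that carries embedded objects for review."""
    return len(find_embedded_objects(doc_bytes)) > 0

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, find_embedded_objects(build_sample_docx(flag)))
```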
 
Here is the link to her post; a must read for IT Admins, and also for Security Analysts and Incident Responders: https://www.fireeye.com/blog/threat-research/2015/04/dos_and_don_ts_with.html
Picture courtesy: http://www.cyberoam.com

Flipkart and flipside

I congratulated Sachin Bansal on Twitter when it was announced that they have backed out of the deal. But here are some observations/questions I have, which others have also raised in the social media, about this whole turn of events surrounding this issue:

  • Were the founders really unaware of the implications of initiatives like Airtel Zero?
  • Was their primary motive behind this move, only to increase their reach to people who don’t/can’t afford an internet connection on their mobile phones (their prospective customers)?
  • Has their size, perceived dominance in the e-commerce market in India, and pursuit of growth made them ignorant of the concept of #NetNeutrality?

Here is K. T. Jagannathan reflecting on similar thoughts for The Hindu Daily.

http://www.thehindu.com/business/flipkarts-stand-on-net-neutrality/article7106072.ece

Picture Courtesy: firstpost.com

Digital Intelligence – Whitepaper by GCHQ’s Former Director

David Omand was the Director of GCHQ from 1996-1997, and the UK’s security and intelligence coordinator from 2000-2005. If you don’t know already, the Government Communications Headquarters (GCHQ) is a British intelligence and security organisation responsible for providing signals intelligence (SIGINT) and information assurance to the British government and armed forces.
He has just published a new paper, “Understanding Digital Intelligence and the Norms That Might Govern It.” The paper does carry the government’s perspective on the whole Internet governance topic, a topic which has gained a whole lot of significance and attention after Edward Snowden’s revelations. But it is definitely an interesting read.
Executive Summary:
This paper describes the nature of digital intelligence and provides context for the material published as a result of the actions of National Security Agency (NSA) contractor Edward Snowden. Digital intelligence is presented as enabled by the opportunities of global communications and private sector innovation and as growing in response to changing demands from government and law enforcement, in part mediated through legal, parliamentary and executive regulation. A common set of organizational and ethical norms based on human rights considerations are suggested to govern such modern intelligence activity (both domestic and external) using a three-layer model of security activity on the Internet: securing the use of the Internet for everyday economic and social life; the activity of law enforcement — both nationally and through international agreements — attempting to manage criminal threats exploiting the Internet; and the work of secret intelligence and security agencies using the Internet to gain information on their targets, including in support of law enforcement.
 
He suggests that the norms applicable to digital intelligence must broadly cover the following. This is definitely reassuring:
  • There must be sufficient sustainable cause
  • All concerned must behave with integrity
  • The methods to be used must be proportionate
  • There must be right authority
  • There must be reasonable prospect of success
  • Necessity
The full paper is available here:
Picture courtesy: www.cigionline.org

Big Valuations Come With Dangerous Small Print

It is high time that we, the tech community, push for creating value over valuation in the startup world.
Ben Narasin (@BNarasin) and Jeremy Abelson (@jeremyabelson) have captured some really interesting examples that demonstrate this in their recent post on TechCrunch. These lines summarize it quite well:
…for founders and funders alike, it’s not just about the valuation, it’s about the whole deal. Focusing excessively on valuation risks losing focus, and negotiating leverage, in the rest of the deal terms. Valuation is a part of the picture, but dilution, all-in dilution, is another very important part. We often say the only “valuation” that matters is the last one, in that valuation and ownership at liquidity is the ultimate measure for any shareholder. It’s a long journey to get there, so pay attention along the way.
 
Read more here: http://techcrunch.com/2015/04/13/big-valuations-come-with-dangerous-small-print/
Picture courtesy: techcrunch.com

DigiCert Offers Continuous Monitoring of Digital Certificates to Defeat Fraud

This is a move in the right direction, considering the rampant use of compromised certificates by hackers to obscure their real identity/motives.
Jason Sabin, CSO of DigiCert, said in an interview that the system is designed to give customers more control of, and supervision over, the certificates they have in use.
 
“In some large organizations, you can get people who need to get something done for a certain project so they go and grab a domain and don’t have time to go through whatever process they have in place for getting a certificate,” Sabin said. “So they do it themselves, but then the organization doesn’t know it’s happened, or perhaps it wasn’t done correctly.”
 
The CertCentral platform that DigiCert is rolling out allows for continuous monitoring of an organization’s certificates, and it also can protect companies against phishing and other attacks that play off of variants of their legitimate domains.
 
“We can look for people using certificates that are close variants of your domains, like using zeroes for the letter O or things like that,” Sabin said.
Certificate Transparency (CT) is possibly the best approach one can think of today to detect and prevent unauthorised certificate usage. But it also has to be noted that the key player behind this initiative is Google, a company infamous for their thoughts/acts on user privacy.
Dennis Fisher (@dennisf) has elaborated this in much detail at ThreatPost: https://threatpost.com/digicert-offers-continuous-monitoring-of-digital-certificates-to-defeat-fraud/112227
CT’s official site is also a great read to understand the concept further:
Certificate Logs:
Certificate logs are simple network services that maintain cryptographically assured, publicly auditable, append-only records of certificates.
 
Monitors:
Monitors are publicly run servers that periodically contact all of the log servers and watch for suspicious certificates.
 
Auditors:
Auditors are lightweight software components that typically perform two functions. First, they can verify that logs are behaving correctly and are cryptographically consistent. If a log is not behaving properly, then the log will need to explain itself or risk being shut down. Second, they can verify that a particular certificate appears in a log.
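To make the “cryptographically assured, append-only” log and the auditor’s second function concrete, here is an added example (not code from the CT project) of the RFC 6962 Merkle tree: building the tree head over log entries, producing an entry’s audit path, and an auditor verifying that the entry is included. The entries are constructed stand-ins for DER-encoded certificates; a real auditor would also check the log’s signature over the tree head, which is out of scope here.

```python
import hashlib

def _sha256(data):
    return hashlib.sha256(data).digest()

def leaf_hash(entry):
    # RFC 6962 domain-separates leaves (0x00 prefix) from interior nodes (0x01 prefix)
    return _sha256(b"\x00" + entry)

def node_hash(left, right):
    return _sha256(b"\x01" + left + right)

def _split(n):
    """Largest power of two strictly less than n (the RFC 6962 split point)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_head(entries):
    """Merkle Tree Hash of an ordered list of log entries."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def inclusion_path(m, entries):
    """Audit path for entry m: sibling hashes from the leaf up to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(m, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [tree_head(entries[:k])]

def verify_inclusion(entry, m, n, path, root):
    """Auditor-side check: recompute the root from the entry, its index and audit path."""
    def climb(m, n, path):
        if n == 1:
            if path:
                raise ValueError("audit path too long")
            return leaf_hash(entry)
        if not path:
            raise ValueError("audit path too short")
        k = _split(n)
        if m < k:
            return node_hash(climb(m, k, path[:-1]), path[-1])
        return node_hash(path[-1], climb(m - k, n - k, path[:-1]))
    try:
        return climb(m, n, list(path)) == root
    except ValueError:
        return False

# Constructed log entries; five of them so the tree is unbalanced, as real logs are
ENTRIES = [f"cert-{i}:example.test".encode() for i in range(5)]

if __name__ == "__main__":
    root = tree_head(ENTRIES)
    path = inclusion_path(3, ENTRIES)
    print(verify_inclusion(ENTRIES[3], 3, len(ENTRIES), path, root))
    print(verify_inclusion(b"cert-X:example.test", 3, len(ENTRIES), path, root))
```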
Image courtesy: www.hotforsecurity.com