Connect with us

Bugs

Researcher: Even LastPass Will Be Hacked

Published

on

It seems we live in an era where all the things will, indeed, be compromised. Creativity in hacking is at an all-time high, and for perhaps the first time, a generation exists which does not immediately associate hacking with ill-conceived films from the end of the 20th century. As further proof of this observation, Hacked offers the findings of Martin Vigo and friends, who’ve apparently found several ways to get to a target’s LastPass.

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

Metasploiting And Decrypting Hashed Passwords

Vigo has previously written on the topic of LastPass, recounting in another entry how he’d managed to gain the seed to decrypt hashed passwords transmitted via LastPass. He notes that the password reset feature of LastPass was particularly useful in research; incredibly, that the password itself is allowed to appear in the password reminder.

2 factor authentication should be the way to go but LastPass has this option. While indeed, the reminder cannot be the password itself, we found out that it can “contain” the password. If your password is say, ‘qwertyui’, your reminder cannot be ‘qwertyui’ BUT it can be ‘my password is qwertyui’. This might be because they hash the password so there is no way for them to tell that the sentence contains the password unless they hash the words separately to compare first.

In addition to reconstructing how LastPass’ API calls are made, Vigo and Co. were able to learn a great deal about the browser plugin of LastPass. Using a clever technique, they first learned what each function was actually doing. The plugin library is written in Javascript, “so no fancy assembly here.”

Alberto wrote a small script to help us […] This script would add as the first line of every function some logic to print information about the method itself and the value of the parameters passed. With that, we had a chronological stack of function calls and their parameter values. […] What caught our eye was what was happening when the user would click the option “store password”. This functionality provides the commodity of never having to enter the master password again as it will be populated to the plugin and you will be automatically logged in.

The researchers realized that with a few strokes of the keyboard, using a “metasploit module,” they were able to gather the master passwords of those who’d stored them in the browser. For this reason they recommend against doing that.

// -- Become a yearly Platinum Member and save 69 USD and get access to our secret group on Workplace. Click here to change your current membership -- //

Further research has taught Vigo and friends that there are many ways to exploit LastPass, including via cookies.

Our first shot was simply to look at using cookies to obtain the vault key. While this sounds straightforward, because of how LastPass is designed, the cookies will only get you what LastPass stores in their servers, and as you may guess, it does not include the vault key. […] We found that the vault key is actually stored locally encrypted. Where is the decryption key to decrypt the vault key? LastPass has the seed from where we can derive it.

The researchers noted that even if LastPass master passwords are obtained using the methods they have developed, they will be useless in the case of users who’ve implemented 2-factor
Encryption_unlockauthentication. 2FA is a relatively new method of doing web passwords, and there are many ways it is done.

One common way is to send an SMS to the phone number of the account holder with a one-time code. Therefore, if the attacker doesn’t have access to said phone, then that’s as far as they go. The more paranoid will be quick to point out that phones can be obtained, numbers can be hijacked, and so forth. This would be true, but the point is that it creates an additional layer of difficulty on top of LastPass itself.

There were other exploits outlined in Vigo’s most recent post, all of which were disclosed at Black Hat Amsterdam. Particularly interesting is the fact that people are inadvertently sharing LastPass credentials online, as evidenced by searching for “extensions.lastpass.loginpws.”

Hacked recommends the reader take a look at the whole debrief for more information. Specifically, the recommendations made near the end are important:

  • Use the binary version of the plugin
  • Do not store the master password
  • Activate the new Account Recovery over SMS
  • Audit your vault for malicious JS payloads
  • Don’t use “password reminder”
  • Activate 2FA
  • Add country restrictions
  • Disallow TOR logins

False Sense of Security?

LastPass and solutions like it are often presented as if they were impenetrable fortresses, when in fact they are like anything else: software that will eventually have bugs and vulnerabilities, no matter how many audits they undergo. At the same time, using some form of password manager is pretty necessary in an era when the average user will be credentialed on dozens of web platforms, from social media to forums to online banking to health insurance.

The human brain is not as gifted as a computer in retaining data, and so relying on it to keep a variety of secure passwords would be untenable. Despite finding several ways to get around LastPass’ security measures, Vigo closes by saying that password managers are still vital.

Password managers are a great tool that everyone should use. […] I can’t recommend any but make sure you use one!

Vigo also wanted to point that his team has not “hacked” LastPass, but rather done it some favors. This is not just splitting hairs. Hacking would mean they’d found a way to pwn the entire system on the regular, and potentially not told anyone but those willing to pay for access.

Instead, they’ve noticed some significant security flaws and responsibly reported them to the world. It’s the very nature of their career to do as much, and labeling them “hackers” against their will is unfair. As Vigo says:

We have seen media and tweets mentioning that we “hacked LastPass”. We did not hack LastPass. We also don’t feel comfortable with those claims. What we did is find a number of bugs, bad practices and design issues which we used to obtain the vault key and decrypt all passwords in different scenarios. There is no bug-free software and any future research on other password managers would likely have similar results.

Images from Shutterstock.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

1 Comment

1 Comment

  1. Hitoshi Anatomi

    November 22, 2015 at 3:38 am

    ID federations (single-sign-on services and password managers)
    create a single point of failure, not unlike putting all the eggs in a
    basket. It remembers all my passwords
    when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized
    formation or should be considered mainly for low-security accounts, not for
    high-security business which should desirably be protected by all different
    strong passwords unique to each account.

You must be logged in to post a comment Login

Leave a Reply

Bugs

Automaker Fiat Chrysler Announces Bug Bounty Program

Published

on

The latest bug bounty program from an automobile manufacturer comes from Fiat Chrysler, more than a year after two white hat hackers proved that they could remotely compromise and take control of its popular selling vehicle, the Jeep Cherokee.

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

White hat hackers can now start picking away at cybersecurity flaws in the vehicle software embedded in Fiat Chrysler connected cars. The bounty program is specifically focused on the automaker’s fleet of connected vehicles, including the systems used within them as well as the applications and external services that are connected to them.

The bounty reward is relatively small compared to the bug bounties offered by the likes of Google and Facebook. Fiat Chrysler’s program pays out beween $150 to $1,500 for a bug. In comparison, Tesla Motors’ bug bounty program on the same platform used by Fiat Chrysler (more details below) rewards between $25 and $10,000 for valid bug reports.

The program will be managed and operated by crowd-sourced cybersecurity company Bug Crowd. The platform claims to have nearly 28,000 white hat hackers and security researchers available on its platform.

// -- Become a yearly Platinum Member and save 69 USD and get access to our secret group on Workplace. Click here to change your current membership -- //

In a statement, Fiat Chrysler Automobiles’ senior manager for security architecture Titus Melnyk said:

We want to encourage independent security researchers to reach out to us and share what they’ve found so that we can fix potential vulnerabilities before they’re an issue for our consumers.

The hacking demonstration of a Jeep Cherokee occurred a year ago in July 2015, when two security researchers hacked and took total control of a car driven by a Wired journalist who penned the report at the time. Hacked reported on the incident which showed a relatively straightforward process in which hackers took control of the vehicle. Altogether, nearly half a million vehicles were revealed to be vulnerable, with multiple variants of the Jeep Cherokee, the Dodge Ram, along with other Fiat Chrysler vehicles.

For its part, Chrysler set about damage control by issuing an official recall of some 1.4 million vehicles by providing vehicle owners with a USB stick that contains a firmware upgrade and a patch to remedy the situation.

Still, that did not stop vehicle owners to launch a class action lawsuit against Fiat Chrysler, due to the hack.

 Featured image from Shutterstock.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

Continue Reading

Bugs

Zero Day Offer To Attack Windows For Profit Part Of A Rising Trend

Published

on

Microsoft Windows 10

SpiderLabs, a team of ethical hackers that fights cybercrime, recently posted a blog about a recent zero day offer to attack Windows that demonstrates how such offerings are marketed and becoming more common.

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

Zero day is a disclosed software vulnerability that hackers can exploit to attack computer programs, data, additional computers or a network, according to Wikipedia. SpiderLabs is a part of Trustwave, a company that helps businesses fight cybercrime, protect data and reduce security risk.

SpiderLabs notified Microsoft about the zero day offering and continues to monitor the situation. The blog is titled, “Zero Day Auction for the Masses.”

// -- Become a yearly Platinum Member and save 69 USD and get access to our secret group on Workplace. Click here to change your current membership -- //

Cyber Crime Evolves

By way of background, the blog noted cyber criminals have evolved from individuals and small groups to big networks. Small malware campaigns have become malware-as-a-service that can deliver instant revenue in the form of ransomware.

Criminal enterprises have splintered. Groups used to develop malware, seek victims, launch a campaign, and monetize the stolen data. Nowadays, they prosper by focusing on one thing and selling it as a service.

The underground malware market is profitable and the development of zero days has become a bigger part of it.

Zero Day Pays Big

Hacking blogger Vlad Tsyrklevich noted in a post on the zero day market that a Eugene Ching received $80,000 USD for a working zero day offering. The payment was split into a contract fee and a delivery bonus.

Zerodium, a cyber security company that pays premium rewards to security researchers to acquire their original and previously unreported zero-day exploits affecting major operating systems, will pay $5,000 to $500,000 USD.

Last year, Angler Exploit Kit introduced four zero-day exploits as a part of its offering, and because of the continuously refreshed list of new exploits, it became the most popular exploit kit last year, representing 40% of all exploit kit-related incidents observed.

A Current Offer

A zero day being offered for sale stood out to SpiderLabs among the other offerings in an underground market for Russian-speaking cyber criminals. The forum serves as a collaboration platform for hiring malware coders, leasing exploit kits, buying web shells for compromised websites, or renting botnets. Finding a zero day listed in between these fairly common offerings is an anomaly, the blog noted. It indicates zero days are becoming a commodity for the masses.

The zero day claims to be a Local Privilege Escalation (LPE) vulnerability in Windows. Below is a screen shot of the original offer, posted on May 11, 2016:

SpiderLabs image 1

The offer refers to a vulnerability in the incorrect handling of Windows objects. The exploit is implemented for all OS architectures from Windows XP up to current variants of Windows 10. The exploit successfully escapes all existing protection mechanisms.

What Is Offered

The buyer will receive:
1. Source code with all the source code of the exploit and a demo for the exploit.
2. Free updates to address any Windows version the exploit might not work.
3. A detailed write up of the vulnerability details.
4. Complementary consultation on integrating the exploit.
5. On request – convert the source code project to a different MSVC version.

The seller was willing to accept offers starting from $95,000 [USD]

The seller insisted on doing the deal using the forum’s admin as the escrow. In an update on May 23, the seller said the exploit will be sold exclusively to a single buyer.

The seller provided two proof videos for potential buyers who might be concerned with the offer’s validity. The first one showed an updated Windows 10 machine being successfully exploited successfully.

The second one showed the exploit bypassing all of Microsoft’s protections for the latest version of the product.

Despite indications of the offer’s authenticity, there’s no way to be certain without purchasing the exploit or waiting for it to appear.

What’s Ahead?

Local Privilege Escalation (LPE) vulnerabilities are likely next in line in popularity, even though the most coveted zero day would be a Remote Code Execution (RCE) exploit.

An LPE exploit paired with a client-side RCE exploit can enable an attacker to escape an application that deploys sandbox protection, such as Adobe Reader, Google Chrome, etc. An LPE exploit provides a way to persist on an infected machine, a crucial aspect when considering advanced persistent threats. Such an exploit can be leveraged in nearly every kind of attack.

What This Zero Day Can Do

The possible capabilities presented to an attacker purchasing this exploit are as follows:
1. Escape from sandbox if the initial compromise vector is an RCE for a sandboxed app, e.g., Adobe Reader, Google Chrome, etc. – converting a limited RCE exploit into a functional takeover tool.
2. Because this zero day exploit offers a way to execute code in ring0, the purchaser will be able to use it to install a root kit on the victim’s machine, shielding itself more efficiently. This enables the attacker to escape detection and prolong control of the infected system.
3. The seller noted the exploit was tested on Windows Server OS versions. This allows a new possibility should an attacker already have a type of limited control over a web server (SQLi, web shell with restricted privileges – as all modern web servers run under a designated user account with limited privileges).
4. Modify system properties allowing persistence on the system. An example posted by FireEye demonstrates how criminals used a zero day LPE for Windows to persist on POS systems and rob credit card data.
5. Install more malicious software – a privilege that is reserved for administrative accounts on OSs, including Windows.

There are not many public records of what the price of such exploit should be. But one can consider the prices offered by Zerodium and discussed by Vlad Tsyrklevich. While the price of the zero day was lowered 12 days following the initial post, it was only lowered 5.3% from $95,000 to $90,000. On June 6, it was lowered again, to $85,000.

Based on what prices are known, this price seems high but within a realistic range, particularly considering the return on investment buyers are likely to make using this exploit.

A base assumption for anyone who has worked with code is that all software has bugs. Trustwave SpiderLabs, having worked with Microsoft years, recognizes the lengths Microsoft takes to prevent zero days. This includes independent research, bug bounty programs and establishing the MAPP program with transparency of its patching process. Criminals sometimes find those bugs before the “good guys” do.

Also read: More Kaspersky zero days revealed by Google hacker

What Can Be Done About It?

Given all the unknowns connected with zero days, it’s difficult to give protection advice. There are use lessons learned from previous cases to provide general guidance:
1. Keep software up-to-date. LPE is one of several components that constitute a successful compromise. Break one link in the chain and you will likely thwart the attack. Consider the scenario where this LPE exploit occurs in tandem with an RCE exploit to break out of a sandbox. A machine may not be patched against the zero day LPE, but it may be patched against the RCE component.
2. A chain link can be broken in different parts of security infrastructure. Deploy a full stack of security products to improve the odds of breaking a link.
3. Use common sense. Many attacks rely on user interaction, like clicking a link or opening an attachment. Avoid suspicious links or attachments sent from unsolicited sources.

The company will update the blog with new developments.

Featured image from Shutterstock.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

Continue Reading

Breaches

FBI: Newfound iPhone Unlocking Technique Won’t Work On Newer Devices

Published

on

The technique the FBI used to unlock an Apple iPhone used in the San Bernardino, Calif. terror attack cannot be used on new devices, FBI Director James Comey told students at Kenyon College in Ohio recently, according to AppleInsider.com.

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

Comey did not reveal the process the FBI used to unlock the phone, but he said it would not work on the 6S or the 5S. He said the tool only works on a “narrow slice of phones.”

Will The Technique Be Revealed?

Comey was noncommittal regarding Apple’s request to reveal the method the bureau used to unlock the phone. He said he is concerned about the FBI losing the access it currently possesses.

Since announcing its success unlocking the iPhone last month, speculation about the method has focused on an “IP Box” tool that emerged last spring. The tool latches onto an iPhone’s power circuitry and enters PIN numbers over USB. The tool retails for under $300.

// -- Become a yearly Platinum Member and save 69 USD and get access to our secret group on Workplace. Click here to change your current membership -- //

When the tool detects an incorrect guess, it cuts the power to the phone’s logic board before the guess is recorded, which defeats the 10-try limit.

Some believe Apple has patched the vulnerability in older iPhones with iOS 8.1.1. Because the iPhone 5c is believed to run iOS 9, the FBI has chosen either a different method or has found an unreported software vulnerability.

The iPhone 5S manages PIN guesses in the hardware Secure Enclave, which neutralizes an attack.

Comey said he is confident both the FBI and the third party that provided the unlocking technique could keep it secret if government officials decide they want it to remain so, The Wall Street Journal reported.

Also read: FBI tests its new phone unlocking technique on other devices

FBI/Apple Conflict Subsides

The FBI’s announcement last week that it found a way to open the phone ended for the moment a legal fight with Apple about whether the government could force the company to write software that would help investigators open the phone and examine its data.

The FBI is using its newfound ability to crack the San Bernardino terrorist iPhone to see if it can open other versions of the phone, CCN reported. The American Civil Liberties Union said the FBI is taking a chance that no other entity will discover the capability. Government officials said it could take months for the FBI to decide whether and how to disclose the security gap.

Featured image from Pexels.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

Continue Reading

Trending