Wednesday, January 22, 2014
Security firm Proofpoint believes they've detected a spam-sending botnet that includes internet-connected televisions and a refrigerator.
"Proofpoint Uncovers Internet of Things (IoT) Cyberattack"
That was the headline on this January 16th press release issued by Proofpoint, Inc. The press release went on to explain how Proofpoint researchers were analyzing a botnet-based spam campaign. Nothing unusual there; botnets composed of exploited computers and servers spew forth billions of spam emails on a regular basis.
Except these were not computers, they were "things".
In an interesting juxtaposition, a day before the Proofpoint press release, SANS Institute ran a webcast titled: SANS Survey on Securing the Internet of Things. Along with the webcast, the SANS Institute included a comprehensive report sharing the concerns of the survey participants. (My thanks to SANS Institute and John Pescatore, author of the report, for allowing my use of material from the report.)
What is the "Internet of Things"?
Before getting to the survey results, the paper attempted to eliminate confusion. It seems "Internet of Things" is not a universally accepted term. The National Security Telecommunications Advisory Council likes "Industrial Internet," whereas the National Institute of Standards and Technology prefers "Cyber-Physical Systems."
The SANS paper also mentions many vendors are going with the "Internet of Everything." SANS Institute, in deference to simplicity, sided with the "Internet of Things" (IoT), and offered the following list as possible "Things":
- PCs, servers, routers, switches and other such devices bought as Information Technology (IT) devices by enterprise IT people, primarily using wired connectivity
- Medical machinery, SCADA, process control, kiosks and similar technologies bought as appliances by enterprise Operational Technology (OT) people primarily using wired connectivity
- Smartphones and tablets bought as IT devices by consumers (employees) exclusively using wireless connectivity, and often multiple forms of wireless connectivity
- Single-purpose devices bought by both consumers, IT and OT people exclusively using wireless connectivity, generally of a single form
It is almost as if the SANS Institute is agreeing with vendors. Their list appears to include "everything." It's the last bullet that we're concerned about today—single-purpose devices.
Your refrigerator might be sending spam
Between December 23, 2013 and January 6, 2014, Proofpoint researchers detected a botnet that was aggressively mailing malicious spam three times each day. Proofpoint believes the spam botnet, made up of 450,000 IP addresses, included over 100,000 IoT devices:
"A more detailed examination suggested that while the majority of mail was initiated by "expected" IoT devices such as compromised home-networking devices (routers, NAS), there was a significant percentage of attack mail coming from other non-traditional sources, such as connected multi-media centers, televisions and at least one refrigerator."
The press release and this blog post did not provide much in the way of proof (more on this later), only mentioning that attackers compromised the IoT devices by leveraging misconfigured firmware and default passwords.
The SANS Institute survey did not directly refer to IoT botnets, but survey participants were asked: Where do you consider the greatest risk to be in "Things" connecting to your network and the Internet?
The top two concerns were Internet connection and command and control; two requirements for creating a botnet.
Computers are still easier targets
Why waste that much effort to use IoT devices for spam botnets, when there are millions of vulnerable computers just sitting there for the taking? Perhaps this event was just a "proof of concept" exploration or maybe a dare amongst the bad guys.
Dan Goodin took exception with Proofpoint's claim. Writing for ArsTechnica, he expressed his reservations:
"The Proofpoint report quickly went viral, with many mainstream news outlets breathlessly reporting the findings. The interest is understandable. The finding of a sophisticated spam network running on 100,000 compromised smart devices is extraordinary, if not unprecedented."
Goodin continues by saying the engineering effort to set up a botnet of "Things" would be immense, but possible. Goodin then proceeds to dissect many of the claims made by Proofpoint, asking for clarification, and not getting much. Goodin ends the blog post with:
"Again, I'm open to the possibility the botnet reported by Proofpoint exists. But until these smoking guns are produced, I'm maintaining a healthy amount of skepticism."
Maybe not this time, but IoT botnets will happen
When talking to security pundits about protecting IoT devices, a common thread surfaced. The SANS Institute survey also referred to it. Due to the nature of IoT devices, it will be difficult if not impossible to patch vulnerabilities in the field. That means external security, such as firewalls upstream of the IoT devices, will be their only source of protection.
On our new Internet-connected things, we seem to be repeating the same mistakes that left our computers inherently vulnerable.
About Michael Kassner : Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.
Posted by CAMACOL at 6:13 AM
Tuesday, January 21, 2014
The internet exploded Friday with the news that Google Chrome extensions are being sold and injected with adware. But the little-known and much more important fact is that your extensions are spying on you and selling your browsing history to shady corporations. HTG investigates.
- Browser add-ons for Chrome, Firefox, and probably other browsers are tracking every single page you visit and sending that data back to a third-party company that pays them for your information.
- Some of these add-ons are also injecting ads into the pages that you visit, and Google specifically allows this for some reason as long as it is “clearly disclosed”.
- Millions of people are being tracked this way and they don’t have a clue.
Are we officially calling it spyware? Well… it’s not quite that simple. Wikipedia defines spyware as ”software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer’s consent”. That doesn’t mean that all software that gathers data is necessarily spyware, and it doesn’t mean that all software that sends data back to their servers is necessarily spyware.
But when the developer of an extension goes out of their way to hide the fact that every single page you visit is being stored and sent to a corporation that pays them for that data while burying it in the settings as “anonymous usage statistics”, there is a problem, at least. Any reasonable user would assume that if a developer wants to track usage statistics, they are only going to be tracking the usage of the extension itself — but the opposite is true. Most of these extensions are tracking everything else you do except using the extension. They are just tracking you.
This becomes even more problematic because they call it “anonymous usage statistics”; the word “anonymous” implies that it would be impossible to figure out who that data belongs to, as if they are scrubbing the data clean of all your information. But they aren’t. Yeah, sure, they are using an anonymous token to represent you rather than your full name or email, but every single page you visit is tied to that token. For as long as you have that extension installed.
Track anybody’s browsing history long enough, and you can figure out exactly who they are.
How many times have you opened your own Facebook profile page, or your Pinterest, Google+, or other page? Have you ever noticed how the URL contains your name or something that identifies you? Even if you never visited any of those sites, figuring out who you are is possible.
I don’t know about you, but my browsing history is mine, and nobody should have access to that but me. There’s a reason why computers have passwords and everybody older than 5 knows about deleting their browser history. What you visit on the internet is very personal, and nobody should have the list of pages I visit but me, even if my name is not specifically associated with the list.
I’m not a lawyer, but the Google Developer Program Policies for Chrome extensions specifically say that an extension developer should not be allowed to publish any of my personal information:
We don’t allow unauthorized publishing of people’s private and confidential information, such as credit card numbers, government identification numbers, driver’s and other license numbers, or any other information that is not publicly accessible.
Exactly how is my browsing history not personal information? It’s definitely not publicly accessible!
Yep, Many of These Extensions Insert Ads Too
The problem is compounded by a large number of extensions that are injecting ads into many of the pages you visit. These extensions are just putting their ads wherever they randomly choose to put them into the page, and they are only required to include a tiny piece of text identifying where the ad came from, which most people will ignore, because most people don’t even look at ads.
Whenever you are dealing with ads, there are also going to be cookies involved. (It’s worth noting that this site is ad-supported, and the advertisers put cookies on your hard drive, just like every site on the internet.) We don’t think cookies are a huge deal, but if you do, they are pretty easy to deal with.
The adware extensions are actually less of a problem, if you can believe it, because what they are doing is very obvious to the users of the extension, who can then start an uproar about it and try and get the developer to stop. We definitely wish that Google and Mozilla would change their ridiculous policies to forbid that behavior, but we can’t help them get common sense.
Tracking, on the other hand, is done in secret, or is essentially secret because they try to hide what they are doing in legalese in the description of the extensions, and nobody scrolls to the bottom of the readme to figure out if that extension is going to track people.
This Spying is Hidden Behind EULAs and Privacy Policies
These extensions are “allowed” to engage in this tracking behavior because they “disclose” it on their description page, or at some point in their options panel. For instance, the HoverZoom extension, which has a million users, says the following in their description page, at the very bottom:
Hover Zoom uses anonymous usage statistics. This can be disabled in the options page without losing any features as well. By leaving this feature enabled, the user authorizes the collection, transfer and use of anonymous usage data, including but not limited to transferring to third parties.
Where exactly in this description does it explain that they are going to track every single page you visit and send the URL back to a third party, which pays them for your data? In fact, they claim everywhere that they are sponsored through affiliate links, completely ignoring the fact that they are spying on you. Yeah, that’s right, they are also injecting ads all over the place. But which do you care more about, an ad showing up on a page, or them taking your entire browsing history and sending it back to somebody else?
They are able to get away with this because they have a tiny little checkbox buried in their options panel that says “Enable anonymous usage statistics”, and you can disable that “feature” — though it’s worth noting that it is defaulted to be checked.
To sum up, a million people are being spied on by this one extension alone. And that’s just one of these extensions — there are a lot more doing the same thing.
Extensions Can Change Hands or Update Without Your Knowledge
There is absolutely no way to know when an extension has been updated to include spyware. Many types of extensions need a ton of permissions just to operate properly in the first place, long before they turn into ad-injecting pieces of spycraft, so a new version that adds tracking asks for nothing new and you won’t be prompted when it comes out.
To make matters worse, many of these extensions have changed hands over the last year — and anybody who has ever written an extension is being flooded with requests to sell their extension to shady individuals, who will then infect you with ads or spy on you. Since the extensions don’t require any new permissions, you’ll never have the opportunity to go figure out which ones added secret tracking without your knowledge.
In the future, of course, you should either avoid installing extensions or add-ons entirely, or be very careful about which ones you do install. If they ask for permissions to everything on your computer, you should click that Cancel button and run.
Hidden Tracking Code with a Remote Enable Switch
There are other extensions, in fact, a ton of them, that have complete tracking code built right in — but that code is currently disabled. Those extensions ping back to the server every 7 days to update their configuration. These ones are configured to send even more data back — they calculate exactly how long you have each tab open, and how long you spend on each site.
We tested one of these extensions, called Autocopy Original, by tricking it into thinking that the tracking behavior was supposed to be enabled, and we were able to immediately see a ton of data sent back to their servers. There were 73 of these extensions in the Chrome Store, and some in the Firefox add-ons store. They are easily identifiable because they are all from “wips.com” or “wips.com partners”.
Wondering why we are worried about tracking code that isn’t even enabled yet? Because their description page doesn’t say a word about the tracking code — it’s buried as a checkbox on each of their extensions. So people are installing the extensions assuming they are from a quality company.
And it’s only a matter of time before that tracking code is enabled.
Investigating this Spying Extension Awfulness
The average person isn’t going to ever even know that this spying is going on — they won’t see a request to a server, they won’t even have a way to tell that it is happening. The vast majority of those million users won’t be affected in any way… except that their personal data was stolen out from under them. So how do you figure this out for yourself? It’s called Fiddler.
Fiddler is a web debugging tool that acts as a proxy and records every request so you can see what is going on. This is the tool that we used — if you want to duplicate this at home, just install one of these spying extensions like Hover Zoom, and you’ll start seeing two requests to sites similar to t.searchelper.com and api28.webovernet.com for every single page that you view. If you check the Inspectors tab you’ll see a bunch of base64-encoded text… in fact, it’s been base64-encoded twice for some reason. (If you want the full example text before decoding, we stashed it in a text file here).
Once you’ve successfully decoded that text, you’ll see exactly what is going on. They are sending back the current page that you are visiting, along with the previous page, and a unique ID to identify you, and some other information. The very scary thing about this example is that I was on my banking site at the time, which is SSL encrypted using HTTPS. That’s right, these extensions are still tracking you on sites that should be encrypted.
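To make the decoding step concrete, here is an added example (not code from the article, and not the tracker's real format) that peels the double base64 encoding off a captured beacon and lists which values are URLs. The beacon below is constructed for the demo; the field names `url`, `prev` and `uid` are assumptions standing in for "current page, previous page, unique ID", since the actual Similar Web API layout is not shown on the page.

```javascript
// Added example: decode a twice-base64-encoded tracking beacon and report what it leaks.
// The payload at the bottom is CONSTRUCTED; field names url/prev/uid are assumed.

const STRICT_B64 = /^[A-Za-z0-9+/]+={0,2}$/;
const PRINTABLE = /^[\x09\x0a\x0d\x20-\x7e]*$/;

// True only for a well-formed, padded base64 string (what Buffer.toString("base64") emits).
function looksBase64(s) {
  return s.length > 0 && s.length % 4 === 0 && STRICT_B64.test(s);
}

// Decode base64 repeatedly until the result stops looking like base64 or stops being
// printable text. Returns how many layers were removed and the innermost text.
function peelBase64(text, maxLayers = 4) {
  let current = text.trim();
  let layers = 0;
  while (layers < maxLayers && looksBase64(current)) {
    const decoded = Buffer.from(current, "base64").toString("utf8");
    if (!PRINTABLE.test(decoded)) break; // binary inside: not another text layer
    current = decoded;
    layers += 1;
  }
  return { layers, text: current };
}

// The innermost text is usually JSON or a query string; handle both.
function parseFields(text) {
  try {
    return JSON.parse(text);
  } catch (_) {
    return Object.fromEntries(new URLSearchParams(text));
  }
}

// Full pipeline: decode, parse, and report which values are URLs, and whether any of them
// are HTTPS pages (the "it still tracks you on encrypted sites" point from the article).
function decodeBeacon(encoded) {
  const { layers, text } = peelBase64(encoded);
  const fields = parseFields(text);
  const leakedUrls = Object.values(fields).filter(
    (v) => typeof v === "string" && /^https?:\/\//i.test(v)
  );
  return {
    layers,
    fields,
    leakedUrls,
    leaksHttps: leakedUrls.some((u) => /^https:\/\//i.test(u)),
  };
}

// CONSTRUCTED sample beacon, encoded twice the way the article observed.
const SAMPLE_FIELDS = {
  url: "https://bank.example/accounts", // page being viewed (assumed field name)
  prev: "https://bank.example/login",   // previous page (assumed field name)
  uid: "a1b2c3d4-constructed-token",    // per-install "anonymous" token (assumed)
};
const CAPTURED_BEACON = Buffer.from(
  Buffer.from(JSON.stringify(SAMPLE_FIELDS), "utf8").toString("base64"),
  "utf8"
).toString("base64");

console.log(JSON.stringify(decodeBeacon(CAPTURED_BEACON), null, 2));
```

Paste the text from the Fiddler Inspectors tab in place of `CAPTURED_BEACON` to run it against a real capture; `layers` tells you how many times it was encoded, and `leaksHttps` is true whenever one of the decoded values is a page on an HTTPS site.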
You can drop api28.webovernet.com and the other site into your browser to see where they lead, but we’ll save you the suspense: they are actually redirects for the API for a company called Similar Web, which is one of many companies doing this kind of tracking, and selling the data so other companies can spy on what their competitors are doing.
If you’re the adventurous type, you can easily find this same tracking code by opening up your chrome://extensions page, enabling Developer mode, and then clicking “Inspect views: html/background.html” or the similar text that tells you to inspect the extension. This is going to let you see what that extension is running all the time in the background.
Once you click to inspect, you’ll immediately see a list of source files and all sorts of other stuff that will probably be Greek to you. The important things in this case are the two files named tr_advanced.js and tr_simple.js. These contain the tracking code, and it’s safe to say that if you see those files inside of any extension, you are being spied on, or will be spied on at some point. Some extensions contain different tracking code, of course, so the absence of those two files doesn’t prove anything. Scammers tend to be tricky.
You’ll probably notice that the URL on the right-hand side isn’t quite the same as the one earlier. The actual tracking source code is pretty complicated, and it appears that each extension has a different tracking URL.
Preventing an Extension from Updating Automatically (Advanced)
If you have an extension that you know and trust, and you’ve already verified that it doesn’t contain anything bad, you can make sure that the extension never secretly updates on you with spyware — but it is really manual and probably not what you’ll want to do.
If you still want to do so, open the Extensions panel, find the ID of the extension, then head to %localappdata%\google\chrome\User Data\default\Extensions and find the folder that contains your extension. Change the update_url line in the manifest.json to replace clients2.google.com with localhost. Note: we haven’t been able to test this with an actual extension yet, but it should work.
For Firefox, the process is a lot easier. Go to the Add-ons screen, click the menu icon, and un-check “Update Add-ons automatically”.
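The three manual checks described above for Chrome (look for broad permissions before installing, look for tr_advanced.js and tr_simple.js in the extension's files, and repoint update_url away from clients2.google.com) can be done by a small script. The one below is an added example, not the article's or any vendor's code. It audits a parsed manifest plus a file list and returns a copy of the manifest with the update host swapped for localhost, exactly the edit the article describes; the sample manifest and file list are constructed, and the list of "broad" permissions is this example's own choice. The folder walker assumes you point it at the `<id>\<version>` folder under the Extensions directory named above.

```javascript
// Added example: audit an unpacked Chrome extension for the warning signs named in the article.
// SAMPLE_MANIFEST and SAMPLE_FILES are CONSTRUCTED; BROAD_PERMISSIONS is this example's own list.

// Script names the article found carrying the tracking code.
const KNOWN_TRACKER_FILES = new Set(["tr_advanced.js", "tr_simple.js"]);

// Permissions that let an extension see or alter every page. Manifest v2 lists host patterns
// under "permissions"; v3 moved them to "host_permissions", so both keys are read.
const BROAD_PERMISSIONS = new Set([
  "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
  "tabs", "history", "webRequest", "webNavigation",
]);

const GOOGLE_UPDATE_HOST = "clients2.google.com";

// Pure audit: parsed manifest + relative file paths in, human-readable findings out.
// An empty array means nothing was flagged.
function auditExtension(manifest, files) {
  const findings = [];
  const perms = [
    ...(Array.isArray(manifest.permissions) ? manifest.permissions : []),
    ...(Array.isArray(manifest.host_permissions) ? manifest.host_permissions : []),
  ];
  for (const p of perms) {
    if (typeof p === "string" && BROAD_PERMISSIONS.has(p)) findings.push(`broad permission: ${p}`);
  }
  for (const f of files) {
    const base = f.split(/[\\/]/).pop();
    if (KNOWN_TRACKER_FILES.has(base)) findings.push(`known tracking script: ${f}`);
  }
  if (typeof manifest.update_url === "string" && manifest.update_url.includes(GOOGLE_UPDATE_HOST)) {
    findings.push(`auto-updates from ${GOOGLE_UPDATE_HOST} (a new version can arrive silently)`);
  }
  return findings;
}

// The article's manual fix applied to an object: a copy of the manifest whose update_url
// points at localhost instead of clients2.google.com. The original object is not modified.
function pinUpdateUrl(manifest) {
  const copy = { ...manifest };
  if (typeof copy.update_url === "string") {
    copy.update_url = copy.update_url.replace(GOOGLE_UPDATE_HOST, "localhost");
  }
  return copy;
}

// Walk a real unpacked extension folder (the <id>\<version> folder; path supplied by the caller)
// and audit it. Node's fs/path are loaded here so the pure functions above need no I/O.
function auditDirectory(dir) {
  const fs = require("fs");
  const path = require("path");
  const files = [];
  (function walk(d) {
    for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
      const full = path.join(d, entry.name);
      if (entry.isDirectory()) walk(full);
      else files.push(path.relative(dir, full));
    }
  })(dir);
  const manifest = JSON.parse(fs.readFileSync(path.join(dir, "manifest.json"), "utf8"));
  return auditExtension(manifest, files);
}

// CONSTRUCTED sample resembling a Web Store extension that bundles one of the tracker scripts.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Example Hover Tool (constructed)",
  version: "1.0.0",
  permissions: ["<all_urls>", "tabs", "storage"],
  background: { page: "html/background.html" },
  update_url: "https://clients2.google.com/service/update2/crx",
};
const SAMPLE_FILES = ["manifest.json", "html/background.html", "js/main.js", "js/tr_simple.js"];

console.log(auditExtension(SAMPLE_MANIFEST, SAMPLE_FILES).join("\n"));
console.log("pinned update_url:", pinUpdateUrl(SAMPLE_MANIFEST).update_url);
```

Call `auditDirectory("<path to the extension's version folder>")` to run it against an installed extension. Writing the pinned manifest back is left to you on purpose: the article itself notes that the update_url edit had not been tested against a live extension, so check the result the way the article suggests rather than trusting the rewrite blindly.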
So Where Does This Leave Us?
We’ve already established that loads of extensions are being updated to include tracking / spying code, injecting ads, and who knows what else. They are being sold to untrustworthy companies, or the developers are being bought with a promise of easy money.
Once you have an add-on installed, there’s no way to know that they aren’t going to be including spyware down the road. All we do know is that there are a lot of add-ons and extensions that are doing these things.
People have been asking us for a list, and as we’ve been investigating, we’ve found so many extensions doing these things, we’re not sure that we can make a complete list of all of them. We’ll add a list of them to the forum topic associated with this article, so we can have the community help us generate a bigger list.
Posted by CAMACOL at 9:21 AM