13 Different Phishing Tactics and 1 Way to Prevent It

 

Phishing Attacks are no longer that TOO GOOD TO BELIEVE – you have won a Million $$ jackpot kind of emails from strangers that easily stands out from your otherwise mundane life.

Today, phishing emails have got sophisticated. It is called spear phishing where the attacker tries to “custom-write” the emails to make it believable to you. They try to copy our (normal) life, and that’s where it gets interesting and scary at the same time.

23% of recipients now open phishing emails and 11% click on attachments. and nearly 50% of this happens within 60-minutes of the attack !

– 2015 Data Breach Investigations Report (DBIR group)

Let me share a personal experience.

We got selected as the Top 50 Product Companies as part of #Intech50 2016, and I was on the road – on my way to the event. I got an email on my phone saying “a gift from Intech50 is waiting for me”.

I was surprised and opened the email. and this is how it looked…

Spear_Phishing_Example

Being in the security space – It will not be an overstatement if i say – I have got “hardened” to suspicious emails. But for any other normal person, this email would be too tempting to not to fall for it.

Right Person. Right timing. Right content. Wrong Intent !!

In this article I will cover the various different tactics that the bad guys use to succeed in a phishing attack, and in the end also cover one of the most effective tactics to prevent it.

Sit tight and enjoy the ride …

Tactics Used for Phishing  (Many Old. Some New.)

1. Deception Phishing

One of the most traditional approaches to phishing is to send out a mass email and try to convince users to click the link in the message such as the one shown below.

Deception_Phishing_Example

(Source: Srijan)

2. Tab-Nabbing

Tab-nabbing techniques seek to impersonate popular websites that have been left unattended for some time, and convince users to re-enter their credentials.

Tabnabbing-Example

3. Malware Based Phishing

Malware based phishing, a strategy typically aimed at small and medium -sized businesses (SMBs) inserts malware onto a user’s computer (by email attachment, download, etc.) in order to gain information and exploit vulnerabilities. SMBs frequently have weak patch management policies, thus forgetting applications and operating systems updates – which frequently have patches to harden the system against these types of attacks.

Ransomware is a special type of malware that is getting increasingly popular. It involves encrypting the victim’s data, and asking for a ransom to decrypt it. Very effective because of the bad data backup routine we all follow.

68% of 200 security professionals surveyed by TripWire during the 2016 RSA conference expressed concern that their company would not be able to fully recover from a Ransomware attack.

Malware-Ransomware-Example

(Source: The Hacker News)

4. Key Loggers and Screen Loggers

Key loggers and screen loggers are a type of malware that can record a user’s keystrokes and activities – sometimes even your entire display. Computers can become infected with key loggers and screen loggers when users visit certain web pages or complete downloads such as applications and device drivers. Using this method, phishers can intercept any information input to the system once it is sent to the designated collection server.

Spyeye, one of the more popular keyloggers, plagued the financial services industry for years by quietly stealing customer account information by recording keystrokes.

Keylogger-example.png

(Source: TrendMicro)

5. Web Trojans

One of the most devious and deceitful methods of phishing involves web Trojans, which are malicious programs that are used to collect a user’s login credentials while disguising itself as a specific website – e.g. a company login portal, a social media platform, or an email account. The user believes they are entering their ID and password into this certain website, when in reality they’ve just submitted their credentials to a phisher.

The Dyre Banking Trojan was delivered by emails disguised as JP Morgan & Chase advertisements. These trojans were able to pass through anti-virus software allowing them to remain undetected for large periods of time.

Web-Trojans-example

(Source: Softpedia)

6. Data Theft

Once malicious code is successfully implanted on a user’s computer, phishers are able to steal confidential information. Not only is this tactic widely used to collect social security and bank account numbers, but this has been known to be aimed at corporate espionage in many cases.

Data-Theft-Example

7. Content Injection

When hackers are able to gain access into the back-end of websites, they are often able to tweak content to be misleading, resulting in users submitting sensitive information.

content-injection-example

(Source: Netcraft)

8. System Reconfiguration Attacks

Hackers can modify system settings on user desktops to create holes in endpoint security that can be further exploited – such as updating URL favorites to redirect to malicious websites and even disabling endpoint anti-malware endpoints with administrative privileges.

Sys-reconfigure-example

(Source: Google)

9. Search Engine Phishing

Search engine phishing occurs when phishers create websites with “offers” – often, too good to be true, and have them indexed systematically within popular search engines.

Users stumble upon these sites in their usual searches, and oftentimes are fooled into providing information to receive the offer (which can be a false bank offering low interest rates, insurance solutions, etc.)

The search companies would eventually take them down if there are complaints, but that might be later.

search-engine-phishing-example

 

10. Man in the Middle (MitM)

Quite possibly the hardest type of attack to detect, MitM phishing attacks occur when hackers position themselves between users and legitimate websites – resulting in the interception and recording of any data sent to the website.

MitM-example

(Source:  Understanding the  Increasing Problem of  Electronic Identity Theft – by Markus JAcobsson/Steven Mayers)

11. Session Hijacking

Session hijacking occurs when malicious software “hijacks” a user-initiated session once a user has entered their credentials. This type of attack can simply be used to monitor activity, and is usually carried out by local malware on the user’s endpoint or as part of a man-in-the-middle attack.

session-hijacking-example

(Source: PC & Tech Authority)

12. DNS Based Phishing (Pharming)

DNS Based Phishing generally includes any technique that interferes with the integrity of a domain name search.

As per Infoblox and DarkReading.com -The DNS threat index jumped almost 60% in 2015 as attackers became far more sophisticated in their campaigns. Also a new generation of inexpensive and quick startup domain names has made it easier for bad guys to set up shop in the DNS infrastructure.

One example includes a phisher polluting the user’s DNS cache with information that can be used to redirect the user to a false, corrupted location.

DNS-Pharming-example

(Source: Massive)

13. Host File Poisoning

Hackers use this form of local pharming, or DNS poisoning to corrupt the user’s host file. When a user enters in a web address, it must first be converted to IP address using the host name lookup, before undertaking the DNS lookup. By “poisoning” the user’s host file, users are sent to websites impersonating others in order to steal information.

host-file-corruption-example

(Source: Phishlabs)

So these were some of the tactics used in phishing.

Having said that – this list is by no means complete. The bad guys are devising new ways to attack, as we are reading this !

So How to Prevent ?

There are a whole lot of things you can do as a counter measure in order to harden your organization against falling prey to phishing. Some of these measures can be –

  • Anti-malware: Popular anti-virus/anti-malware solutions
  • Web Filters: Determining what websites users can access using a risk-based approach
  • Data Loss Prevention(DLP) : Protecting data in transit, at rest, and in use
  • Anti-phishing software: Containerization solutions for downloads from malicious emails and websites
  • Using HTTPS for transactions: Checking the padlock icon to ensure secure transactions
  • Spam Filters: Many email clients can detect potential spam (many being phishing attacks) and separate out those emails
  • Patch Management: Ensuring systems are patched and up-to-date can mitigate many vulnerabilities targeted by phishing campaigns

But the most important defense mechanism is still the “people”.

Companies without security training & awareness programs spent an average of $683,000 due to new hire security incidents while those who did have security training & awareness spent only $162,000. i.e less than 1/4th of the cost !

– PwC’s US State of Cybercrime Report

Phishing is called a Social engineering for a reason – because it is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Therefore one of the most effective prevention tactics involves training people.

“One of the most effective ways you can minimize the phishing threat is through
awareness and training.”

—Lance Spitzner, Training Director,
SANS Securing The Human

Phishing Fall and Fail Rates: Why they matter ?

In a typical phishing attack, the target is enticed to read an email, visit a website and reveal information. A common misconception is that the attack is successful only if the target reveals information. But, this is not true. An attacker essentially looks for information to plan the next move, which he/she can get based on user actions, even when there are no major revelations of private data. For instance, just by the action of visiting the malicious website, the target reveals information that could be used for fingerprinting and understanding the kind of information that attracts targets.

The Fall Rate is defined as the percentage of users (targets) who “fall” for the attack and visited that fake website.

The Fail Rate is defined as the percentage of users (targets) who “fail” in the attack, visit the fake website and reveal sensitive information.

It is obvious that all employees who “fall” need not necessarily “fail”, which means that either they realized it was an attack (most likely the case) or just didn’t proceed further due to other priorities. This means there is a good opportunity to train people using the “teaching moments”.

If people are educated with examples of good and bad behavior based on their own actions, the retention of that knowledge would be far greater than the retention of knowledge gathered from generic training.

Phishnix is a phishing diagnostic solution by Aujas that simulates a phishing attack and captures users potential reaction to a real attack. It further leverages the teaching moment created based on the user’s response, and generates an easy-to-implement action plan to drastically improve the defense against future phishing attacks.

Do you want to see a demo or want to know more about Phishnix ?

Please tell us a little more about you.

Phishnix is currently being used by several organizations globally to strengthen their people defense against phishing attacks. It focuses on the “Fall rate” and “Fail rate” based on actual employee behavior and is very effective in helping organizations in developing specific control measures to address potential problem areas.

How can Internet of Things (IoT) Not become a pain-in-the-a$$ from a cyber security perspective?

Internet of Things is as enticing to hackers, as it is to consumers like you and me!

Let’s look under the hood of IoT from a security perspective, in order to see how we can reduce the risk of cyber threat.

IoT is the network of physical devices which are embedded with electronics, software, sensors, and network connectivity, and it enables these devices to collect and exchange data. IoT allows objects to be sensed and controlled remotely across existing network infrastructure, creating opportunities for closer integration between the physical world and computer-based systems, resulting in improved efficiency, accuracy and economic benefits; when IoT is augmented with sensors and actuators, the technology becomes an instance of the more general class of cyber-physical systems, which also encompasses technologies such as smart grids, smart homes, intelligent transportation and smart cities. Each thing is uniquely identifiable through its embedded computing system but is able to inter-operate within the existing Internet infrastructure.

As the Popularity of IoT devices increase, so does their vulnerabilities to attacks.

 

IoT Cyber Attacks

(Source: Spectrum.ieee.org)

The above picture sums up the situation pretty well.

As per a study conducted by HP – 90% of devices collected at least one piece of personal information via the device/cloud/mobile application and 60% of devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS, un-encrypted connections & weak credentials.

Let’s look at an example

If we consider a Home automation system which is controlled by a Mobile App built on Android or IOS platform using angular.js (which is mostly the case for most of the devices), each of them has more than 10-15 different vulnerabilities.

If you do a Threat Modeling Diagram of a Simple Home Automation system – a total of 22 vulnerabilities popped up !!

Threat-modelling-simple-home-automation-aujas

To make our lives easy – Open Web Application Security Project (OWASP) has classified these vulnerabilities into the following Top 10 categories.

  1. Insecure Web Interface
  2. Insufficient Authentication/Authorization
  3. Insecure Network Services
  4. Lack of Transport Encryption
  5. Privacy Concerns
  6. Insecure Cloud Interface
  7. Insecure Mobile Interface
  8. Insufficient Security Configurability
  9. Insecure Software/Firmware
  10. Poor Physical Security

(Source: OWASP 2016 Top10 for IoT)

If you look closely into this – You will notice that most of the vulnerabilities are very basic yet can give the bad guys an opportunity to own an entire database of PSI (Personal Sensitive information) and BSI (Business Sensitive information).

Going back to our example of home automation system – Most of them use Amazon or Azure Cloud web services for communication from Mobile to their servers. If you are intercepting the traffic between Mobile device app and device via web-services, it is very easy to get access to a lot of valuable data.  You can try to get information from AWS token, JWT token, or any other tokens, most of them will give information in the form of Base 64 encoding which can be easily decoded using online resources like JWT.IO (https://jwt.io/) which will give you the decoded information in micro-seconds!

Also note that when it comes to IoT, Business logic vulnerabilities are more prevalent than technical ones because most of the IoT devices communicate using an identification number like device-id or username due to which it becomes very easy to gather a lot of information by just running a script containing numbers (sequential/random) to gather PSI or BSI related to the device. Most of the devices will also have CSRF or Session related vulnerabilities unless you address that in the configuration.

Coming to the Network part of IoT devices, needless to say IoT devices run with very low power and the communication between the IoT devices can happen over a wide variety of communication protocols like   Zigbee, Bluetooth, Z wave,  Wi-Fi, NFC, Neul Or BLE.

As with the rise of new protocols coming to light, the attack surface has also increased. As these communication mediums also possess risk to IoT devices. There is more to IoT devices than you can think. You can pass various sorts of commands to these devices for them to crash or cause a DOS (Denial of Service attack)

IoT devices have made our lives a lot richer in terms of consumer experience .However in terms of Privacy evasion it is going to be the next big thing given the number of vulnerabilities that keeps popping up. It is estimated that by 2019 a total of 15 million devices would be in use by users, consumers, industry and needless to say by hackers as well.

But don’t panic. If you take care of the basics as covered above – you should be good. For most part of it !

Bonus: My personally recommended list of tools 🙂

  1. Hardware Security module (HSM) – a security based hardware device which generates, stores and protects cryptographic keys.
  1. Bus pirate – an open source sniffer which supports various hardware protocols like I2C, SPI, JTAG, 1-Wire, etc
  1. Good FET – Open source tool for interfacing, hacking chips and target devices.
  1. There are various commercial sniffers available (eg. Beagle) which supports dissecting lower level protocols.
  1. Logic Analyzer – concurrent capturing, visualizing and decoding large quantities of digital data.
  1. Protocol Analyzer – Real time non intrusive device for monitoring, capturing and decoding of wired communication.
  1. Spectrum Analyzer – Visualizing RF or radio spectrum.
  1. Burp- For intercepting traffic between Mobile and device.
  1. Codenomicon /Achilles- For fuzzing protocols.
  1. IDA Pro/Fortify/Klocwork-Reverse Engineering and Firmware analysis

 

About The Author:-

Avinash Sinha is a Security Consultant with Aujas. His areas of interests include Vulnerability assessments, Secure Code review, Security research, Web/Mob Penetration testing, SCADA/ICS, and network infrastructure protection.

30-Sec Guide: How to save from DROWNing? (DROWN Attack – SSLv2 – CVE 2016-0800)

 

What is DROWN ?

DROWN is the latest in a long line of recent vulnerabilities discovered in SSL/TLS. It is a cross-protocol attack which uses a combination of brute-force decryption of weak ciphers and a Bleichenbacher padding oracle attack on SSLv2.

The RSA algorithm used in TLS and SSL uses a particular form of padding called the RSA-PKCS#v1.5, the implementation of which was known to be vulnerable to an information leakage attack called the Bleichenbacher padding oracle attack. Most SSL/TLS implementations resorted to fixing this vulnerability using a hack that works around one of the preconditions for this attack to succeed. This fix has mostly been found satisfactory from SSLv3 onwards, but has just been found to be inadequate for SSLv2 which has fundamental differences in the way it works.

What does a generic attack look like?

The general variant of this attack involves first observing and storing a number of TLS connections. Then a specially crafted handshake message, with a modified RSA cipher text from the original TLS connection is sent over an SSLv2 connection. Because of the Bleichenbacher padding oracle, the attacker would be able to deduce whether the cipher text was successfully decrypted to the plain text or not. The attacker would then be able to repeat this over several attempts to fully decrypt the original TLS connection.

Ideally around 40000 connections and around 250 offline brute force computations would be required on average to decrypt a single TLS connection. Even though the amount of computing power required for this seems high, the researchers who identified the vulnerability were able to make use of GPU computations and perform the attack in around 8 hours.

If you are lucky – You might see this “Improvised” Attack

A variant of this attack exists which makes use of identified vulnerabilities in OpenSSL to significantly speed up the attack process. In the special case, the researchers were able to decrypt the TLS connection in just a minute on a standard computer by exploiting vulnerabilities in OpenSSL. The OpenSSL vulnerability (CVE 2016-0703) is in the SSLv2 code and accepts any non-zero value for a cipher. This allows an attacker to perform the DROWN attack using only 17000 connections and significantly lesser rounds of brute-force computations compared to the generic version of the attack.

Who should worry?

Weaknesses in SSLv2 have been known for over two decades now and its use has been deprecated ever since. But even though modern clients do not have support for SSLv2, many servers still support SSLv2 either to ensure backwards compatibility or because of default configurations. Measurements by the research team has shown that 17% of all HTTPS servers allow SSLv2 connections.

Compounding this issue is the fact that most organisations use the same private key pair across multiple servers. That is, even if a web server did not explicitly support SSLv2, it was enough if another server such as the VPN server or a mail server also supported SSLv2. All an attacker requires is to have at least one server with a shared private key that supports SSLv2.

Some implementations of OpenSSL (CVE 2015-3197) allow SSLv2 connections to a server with SSLv2 support built-in even though it has been explicitly disabled in the configuration.

How bad is this really?

An attacker using this vulnerability needs to have privileged access within a network and make a large number of requests to decrypt a single TLS connection. The private key is not accessible, but only the master key used for a particular connection can be obtained. This makes it less severe than the Heartbleed vulnerability. Most security research firms categorise it with medium severity and have assigned the CVE a CVSS score of 5.9.

How to fix the Vulnerability

Fixing the vulnerability is merely a matter of disabling SSLv2 support on all servers (Web, Mail, VPN, etc.) and ensuring the SSL/TLS library used is updated to the latest version possible. Since the attack does not impact the confidentiality of the private key, it is not required to change the certificate.

If it is not possible to immediately disable SSLv2 because of backward compatibility reasons, it is recommended that a firewall be implemented to block multiple consecutive failed SSLv2 connections to a server.

About the Author:

Naresh T.A is a security consultant with Aujas. He is interested in researching on new vulnerabilities and threats, in order to help enterprises strengthen their defense systems against cyber threats.

Encounter with Mobile Malware

Author: Milan Singh Thakur

The trend of Smartphones has evolved drastically over the decade. The number of Smartphones in the market almost double up each year.  The usage of mobile devices has increased the productivity and has changed the way organizations do business. This has led to the   development of millions of Mobile Applications, but how many of these applications are safe? How many applications steal your personal data like your email, mobile number, location info, your Money?

clip_image002_0005

Mobile applications are the most effective way used by attackers to spread malwares/rat onto devices. Many applications available on Google Play Store/Apple App Store are analyzed using automated analysis tools, which however, cannot detect sophisticated malwares like Zeus Bot or Dyre Wolf Banking Malware. Additionally, users install applications from unverified sources. It is highly recommended that all mobile applications undergo Security testing before being released on App Store or even to users.

Understanding How Mobile Malware works:

There are many free applications available on the internet, which has  a backdoor that allows the attacker to gain access to our mobile devices. Moreover, users are prone towards downloading free software rather than buying it. This also includes patches, mod apks, and various cracked gaming applications. Given below  is the actual depiction of how malware gets into our device:

Below given is the actual depiction of how malware gets into our device:

clip_image004_0001

Most affecting and Active Malwares on Mobile Devices:

DangerousObject.Multi.Generic
Trojan-SMS.AndroidOS.OpFake.bo
AdWare.AndroidOS.Ganlet.a
Trojan-SMS.AndroidOS.FakeInst.a
RiskTool.AndroidOS.SMSreg.cw
Trojan-SMS.AndroidOS.Agent.u
Trojan-SMS.AndroidOS.OpFake.a
Trojan.AndroidOS.Plangton.a
Trojan.AndroidOS.MTK.a
AdWare.AndroidOS.Hamob.a
Android.Geinimi
SMS.AndroidOS.FakePlayer.c
Android.DroidDream AKA
Android.Rootcager AKA
AndroidOS_Lootoor.A
Android.BgServ AKA
Troj/Bgserv-A AKA
AndroidOS_BGSERV.A
Android.KungFu Variants

More are here:

AegisLab, Andr/Plankton-A, Andr/SMSRep-B/C, Android, Android Market, Android OS, Android.Adrd, Android.Adrd.A, Android.Adsms, Android.Basebridge, Android.Bgserv, Android.DroidDream, Android.Fokonge, Android.Geinimi, Android.GGTracker, Android.Gunfu, Android.Hippo, Android.HippoSMS, Android.HongTouTou, Android.Jsmshider, Android.LightDD, Android.Lovetrap, Android.NickiBot, Android.Nickispy, Android.Pjapps, Android.Rootcager, Android.Smssniffer, Android.Smstibook, Android.Snadapps, Android.Spacem, Android.Tonclank, Android.Trojan.SmsSpy.B/C, Android.Uxipp, Android.Walkinwat, Android.Zeahache, Android.Zsone, Android/DroidKungFu.A, Android/Sndapps.A, Android/YZHCSMS.A, AndroidOS_Adsms.A, AndroidOS_BGSERV.A, AndroidOS_Droisnake.A, AndroidOS_Lootoor.A, Botnet, F-Secure, Google, Lookout, Malware, Security, SMS, SMS.AndroidOS.FakePlayer.a, SMS.AndroidOS.FakePlayer.b, SMS.AndroidOS.FakePlayer.c, Spyware, Symantec, Trend Micro, Troj/Bgserv-A, Trojan-Spy.AndroidOS.Smser.a, Xuxian Jiang

Mobile Phishing: Thief right in your pockets

Author: Sohail Najar

No other technology has impacted us like the mobile phone. The fastest growing manmade phenomenon ever, it grew from zero to 7.2 billion in three decades. Today there are more mobile phones than humans and they are growing almost five times faster than the rate at which the population of the world is growing. These facts are enough to  prove how popular mobile phones have become. This rapid growth has also led to lot its exploitation and with each year, new types of vulnerabilities are added. More than 90% of the attacks start from phishing . In this article we will talk about how one can help themselves and others from this epidemic.

Phishing through mobile is relatively easy with better success rate of stealing the information than through computers, laptops or other electronic media due to the following reasons:

  1. Usability: – We use  our mobile phones day in and day out. Statistics reveal  that the amount of time spent on Smartphone has increased to more than 30 hours per month. So, more one us their mobiles, more are the chances of  revealing private information to a hacker.
  2. Screen Size: – Smaller screen size would make it difficult for the user from distinguishing between a phishing site and a genuine website.  The applications (or apps) developed are made relatively simple to entertain different screen size which also make it  easy for the hackers to replicate it.
  3. Security Indicators: – There are very few application indicators which can evaluate how secure and authentic  an  application is.
  4. Behavioral: – We are accustomed to entering our password in familiar and repeated setting which make it more vulnerable to attack with higher success rate.
  5. Inadequate Identity Indicators: – As far as apps are concerned , there are very few identity indicators available and fewer people who use it. So a user is not able to distinguish between apps from legitimate and non-legitimate source.

Nobody wants to reveal information to strangers who can misuse it for their own benefit especially the sensitive information like credit/debit card details, your personal information, your personal data etc. But before we tell you what you can do to not accidentally supply the information to a stranger, you need to understand the way in which they can attack you.  No attack is possible without a data transfer medium, and mobile phones these days, use plethora of mediums from short distance mediums (like infrared, NFC, S Beam etc.) to long distance mediums (like Bluetooth, Wi-Fi, 3G, 4G etc.). Let us look at how an attacker can exploit these mediums for his benefits

  1. Wi-Fi Phishing Attack: – Wi-Fi has become one of the imperative  needs in our life. Whether it is your office or your favorite café or your home, the need to remain connected is all time high. So Wi-Fi has indeed become an integral part of our life and hence a hotspot for the attacker too. While using Wi-Fi, it is easy to set up a fake Access Point (AP) as a user cannot validate the authenticity of APs they are connecting to.  Hence, an attacker can setup an AP with SSID that looks like as a legitimate one. For example, he can create an AP near Starbucks with a cousin SSID: Starbucks Wi-Fi or similar names.  Once the victim is connected to a fake AP, the attacker can misdirect the user to fraudulent sites or proxy servers which appear to the user as legitimate websites.
  2. Bluetooth Phishing attack: – Bluetooth is a wireless technology standard for exchanging data over a short range. Bluetooth enabled phones have a serious security flaw that allow users to connect to the device without the user’s permission. Once the attacker gets access to your phone through Bluetooth, he can get access to your files, call logs, phonebook, connect to your internet etc. It doesn’t end there, he can change the contact number, send you a phishing message, make you download malware by making you believe it’s a genuine one . So once you get into his trap, you are most likely to reveal your secure information to him assuming he is genuine.
  3. SMS Phishing or SMShing: – It uses cell phone text messages to deliver the bait to induce people to divulge their personal information. In many cases, such texts are sent via emails which are difficult to trace. If the sender’s number is a small number or some texts like ‘516000’ or ‘DM-YATR’ instead of an actual phone number, it is an indication that it is coming from email.
  4. Voice Phishing or Vishing: – In this, attackers use telephone systems to impersonate a legitimate company and steal the personal information from the bait. Some attackers use Voice over IP (VOIP) features like caller id spoofing by which they could choose any number to call the bait. To the bait, it appears to be coming from the legitimate source. It is even difficult for the legal authorities to monitor or trace such calls which make such type of phishing attack more dangerous.
  5. Mobile Web Application Phishing Attack: – On an average Smartphone user uses more than 24 apps per month which gives attacker 24 spots per user to attack. Due to the small screen size, most of the apps have simple designs which make it easy for an attacker to replicate. There are typically four ways by which you could be directed to these phishing websites which are:-
    1. App ->App: – In this user is directed to other phishing application from the legitimate application and thus the user doesn’t get suspicious about such phishing apps and reveals his data.
    2. App -> Web: – In this user is directed to the website by the legitimate application. As the screen size of the mobile is usually small the user doesn’t verify the credentials of the websites. So next time, if you are directed to any website from your Facebook or twitter account you should think before providing any information
    3. Web ->App: – In this user is directed to phishing app from the web browser which appears to be a legitimate app. As there is no security application indicator which can distinguish between the legitimate and the phishing app, user ends up revealing his information. So next time, your browser directs you to your Facebook app, you should check properly if it opens the legitimate Facebook or the fake one.
    4. Web -> Web: – In this user is directed to another phishing website from the legitimate website. This is the most common attack as it is useful to attack computer users as well.
  6. Others Probable Phishing: – There are new data transfer mediums like S Beam, NFC which could be exploited in the near future by the attackers to target you. Although there are still no signs of such attacks but one should be alert of any such attacks which can use mechanisms similar to the ones  mentioned  above

This is just the broad classification of how the phishing attacks are possible on your mobile device. So a thief is right in your pocket and is just waiting for you to make one mistake. So now the question is what can you do to prevent yourself from such traps? Suspicion is the key to prevention. So let’s find out where you should keep your eye of suspicion on.

  1. Check before connecting: – One should always ensure that they are connecting to the right or legitimate AP or hotspot (in case of Wi-Fi and Bluetooth respectively) connection.
  2. Secure Connection: – Pay attention to the site’s security connection — if the URL appears correct but it isn’t preceded by https, it’s almost certainly not legitimate.
  3. Check URL: – Compare the address of the sender to the address that usually appears when you get an email from this person or organization — it’s probably a fake.
  4. Check Sender: – Watch for spelling mistakes or other telltale signs of a phishing scam – if you’re reading an email supposedly from Facebook but the address that appears when you hover over the link to visit Facebook to retrieve that message doesn’t show a URL with http://www.Facebook.com anywhere in it, it’s not legitimate.
  5. Check Redirection: – If you are redirected to a new page when you open the message, check the URL of this page. If it isn’t in line with where you expected to be, leave immediately.
  6. Make Whitelist: – Make the list of trusted vendors (called whitelist) and try to install applications, download content or retrieve information from these trusted vendors only. Even if you face any phishing attack, it’s easy for you to detect and report.
  7. Use Application Identity Indicators: – User cannot reliably tell what web site is currently loaded in the browser or what application is currently running. So the user should dedicate a small portion of the screen to application identity because websites and applications can replicate each other with the high degree of accuracy.
  8. Use Updated Antivirus: – Antivirus keeps track of the websites, application and even messages coming from a non-legitimate user and could help you track it. One should keep the antivirus updated to keep your phone aware of such websites and vendors.
  9. Be Suspicious: – Whenever you are providing any information on any medium, you should check all the credentials and authenticity. A little suspicion can help you  avoid falling into traps.

Current defense mechanisms against phishing attacks in a mobile environment are still inadequate. Therefore, there is a need of an anti-phishing solution which can work on the recipient as well as the transmission mode. The landscape of the digital world is changing day by day with users spending more time on their phones and tabs rather than their laptops or computers. Phishing attacks are going to grow and the need of an Anti-phishing solution is a must for this changing landscape.

Venom Vulnerablity

Introduction

Venom, an acronym for “Virtual Environment Neglected Operations Manipulation”, is one of the “Virtual Machine (VM) Escape” category vulnerabilities in which an attacker may be able to break out of confined virtual machine and interact with the host operation system. However, VENOM is different from the rest of the VM escape vulnerabilities in a sense that it can be exploited even in the default configuration of the VM platforms and can spread to all other VMs running on the host.

This vulnerability resides in the floppy disk controller (FDC) driver code used in QEMU, a free and open source virtualization package used by many virtualization platforms like Xen, KVM, and VirtualBox. VMware, Microsoft Hyper-V, Linode, Amazon AWS and Bochs hypervisors are not impacted by this vulnerability.

The Vulnerability

As per the blog published by Jason Geffner, a security researcher from CrowdStrike who discovered this bug, the attack can be triggered by sending specially crafted data from guest virtual machine to Floppy Disk Controller (FDC) to cause the buffer overflow and ultimately execute arbitrary commands. This may result into (should be in) gaining control of the host machine and all other virtual machines running on the same host. Now, an attacker can access the sensitive data outside the exploited VM. In a cloud environment, it means gaining the access to other company’s (cross-tenant) data. 

CrowdStrike has published the diagram that elucidates the attack flow –

aujas-dig

Though this vulnerability seems to have a devastating impact, there are multiple factors we need to take into account while measuring the likelihood of this vulnerability getting wide spread –

  1. An attacker needs to be authenticated to one of the virtual machines in order to be able to exploit the vulnerability. Hence, it is not remotely exploitable vulnerability.
  2. CrowdStrike states that “Neither CrowdStrike nor our industry partners have seen this vulnerability exploited in the wild.” It means that exploit is not yet found or at least publicly not known.
  3. Even if the exploit is discovered, most likely this vulnerability will be used for targeted attacks and would not be used on large scale like Heartbleed.

Fixing the vulnerability

Even though there is no known exploit for this vulnerability, attackers may come up with the exploit as soon as the code is publicly available for them to reverse-engineer. Hence, it is advised to patch the vulnerability before attackers discover the exploit.

If you are running your guest system on any one of the affected virtualization platform, please contact your cloud service provider at the earliest. Patch information for different affected platforms is listed below –

QEMU

Patch information is published at http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c

Xen

Patch information is published at http://xenbits.xen.org/xsa/advisory-133.html

All versions of Red Hat Enterprise Linux (RHEL) running QEMU:

Update system using the commands, "yum update" or "yum update qemu-kvm."

Oracle VirtualBox

Patch information is published at http://www.oracle.com/technetwork/topics/security/venom-cve-2015-3456-2542653.html

References

http://venom.crowdstrike.com/

http://blog.crowdstrike.com/venom-vulnerability-community-patching-and-mitigation-update/

https://threatpost.com/oracle-patches-venom-vulnerability/112868

https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/05/13/venom-hypervisor-vulnerability

Logjam (CVE-2015-4000) – Are you FREAKed again?

Author : Naresh T A

The TLS protocol is vulnerable once again. This time it’s  identified as the logjam attack and it is the most recent one in a long list of weaknesses that have been identified in the SSL/TLS protocol ever since it was introduced. This recent vulnerability has been identified in the Diffie-Hellman key exchange algorithm by research teams from INRIA, Microsoft Research, Johns Hopkins, the University of Michigan, and the University of Pennsylvania.

Logjam is very similar to the FREAK attack, in the sense that it also exploits the availability and the use of export ciphers but   while FREAK exploits the RSA key exchange algorithm, Logjam exploits the DH key exchange algorithm. Export ciphers are a relic of the cold war era in which the U.S. Government restricted the export of software with strong cryptographic algorithms to countries it perceived as enemies; thus allowing it to easily eavesdrop on them.

Even though these restrictions no longer exist, a large number of cryptographic libraries continue to support and offer these ciphers. Let’s first understand how the Handshake and Key Exchange works

The Handshake

In the initial phase (called the handshake), when a connection is being established between two systems, the following steps happen:

  1. The client sends a message (called Client Hello) telling the server what cipher suites (algorithms) it supports.
  2. The server picks a cipher suite from the list sent by the client, then picks a set of parameters for key exchange and performs a set of computations.
  3. The chosen cipher suite, parameters and the computation performed is signed by the server using its certificate and sent to the client (called Server Hello)
  4. The client verifies the signature, extracts the parameters and performs its own computations on it which is sent to the server.

Once this is done, both systems use the parameters and computations to separately arrive at the same common key. This is the shared secret key and is used by both the systems to encrypt future communications in the session.

Key Exchange

The algorithm that allows two systems to generate a common key by only sharing a few computations is called the key exchange algorithm. The most commonly used ones are RSA, DH and recently ECDH.

The DH (Diffie-Hellman) algorithm is the oldest of the three, makes use of the fact that it is extremely difficult for computers to calculate the discrete logarithms of two large prime numbers in a finite group.

These large primes are the parameters that are chosen by both the client and the server during the handshake process. When export cipher suites are used, the sizes of the parameters chosen are limited to 512-bits in length.

A 512-bit key by itself was good enough even though most libraries choose these keys from a single group of primes, this was considered secure as long as a new key was chosen for each connection.

The Attack

The research team modified the general number field sieve, the most efficient algorithm that can calculate the discrete log for a set of primes to pre-compute the first step. Since most implementations only use primes from a known common group, the researchers could pre-compute a part of the results with the algorithm and calculate the discrete logs for 512-bits long primes in a few minutes.

Furthermore, the same technique was tested on 768-bit and 1024-bit primes and was found to be computable by capable adversaries.

The logjam attack is not only applicable to TLS but also to any protocol that implements the DH algorithm including IPSec and SSH.

The Impact

An attacker who is able to intercept and store the communication that is using weak DH ciphers would be able to decrypt the encryption key offline and as a result decrypt the entire communication.

Even if the connection is not using EXPORT DH ciphers by default, an attacker can launch a man-in-the-middle attack to downgrade the connection and later decrypt it offline.

Testing for Logjam

The research team behind identifying logjam have created a website for quickly testing if you’re vulnerable to logjam. For checking clients you can go to https://weakdh.org and for testing servers you can use the testing tool at https://weakdh.org/sysadmin.html.

Mitigations

  1. Disable all EXPORT cipher suites: Although export-grade cryptography is no longer supported by modern browsers, an adversary can trick them into supporting it.
  2. Use ECDH over DH: Elliptic-Curve Diffie-Hellman prevents all known cryptanalytic attacks of the original DH and should be given preference over DH.
  3. Use a strong, unique DH group: Servers should generate a unique 2048-bit or stronger DH group for each server.

The instructions for configuring many different kinds of servers to mitigate logjam can be found here.

References:

https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html

https://isc.sans.edu/forums/diary/Logjam+vulnerabilities+in+DiffieHellman+key+exchange+affect+browsers+and+servers+using+TLS/19717/

Fundamentals of Secure Code Review – Part 1

Author: Amit Ranjan

Insecure coding practices can put problem codes in two categories, the superset is the code that is Vulnerable and the subset is the code which is Exploitable. The Exploitable code helps getting fancy POCs during a Penetration Testing exercise and remaining are waiting for a development mistake that will transform a vulnerable code into an exploitable code for more POCs.

Secure code review is the practice of identifying vulnerable code either by manual review of the entire code or by eliminating false positives from the results generated by a code review tool. Most of the code review tools can be categorized as either a Static analyzer or Dynamic analyzer. Static analyzer does the Vulnerability Analysis by pattern matching in the code before compiling the code. Dynamic analyzer on the other hand compiles the code first and then performs the analysis.

This article is about the programming language fundamentals required for a successful secure code reviews. We can concentrate on specific programming language constructs in order to find vulnerabilities. I am starting with the most used high-level language ‘Java’ to discuss the language basics. Since most of the constructs in other languages are similar to below examples, it will cover code review practices for other high level languages as well.

There are series of articles about secure code reviews where I will try to cover most of the frequently used frameworks, delta constructs in other prevalent programming languages that are significant for code review, and commonly vulnerabilities found during code review and their mitigations using scalable, reusable and robust code with the idea of defense in depth wherever it can be applied. All the examples in this article have to be very concise as these are not to teach programming.

Secure code review is an art and art is subjective so it is necessary for the reader to delve deep into programming language concepts to develop more concrete understanding as most of the reviewers are not regular programmer but they need to deal with them in each review exercise.

*Comments starting with ‘//’ are provided to explain the code better

Language Basics:-
A class denotes a category of objects and acts as a blueprint for creating such objects.

package com.aujas.examples;
public class rectangle {
//Example #1
int height;
int breadth;

//Below is an explicit constructor
//rectangle(int ht, int bd){this.height = ht; this.breadth = bd;

        double calculateArea(){
return this.height*this.breadth;
}
}

A class can be instantiated as:

public static void main(String[] args){// Main method is the entry point of a java program
                //Example #2
rectangle rect = new rectangle();//rectangle() is the default constructor
//default constructor is the one provided by jvm if we have not specified one
//An explicit constructor is the one commented above //rectangle…
}

We use interface and abstract class to define most generic template in an inheritance hierarchy

package com.aujas.examples;
public interface Shape {
//Example #3
public static final double pi = 1.414;
double calculateArea();
}

public class rectangle implements Shape{
double calculateArea(){//rectangle’s implementation to calculate area}
}

public class Triangle implements Shape{
double calculateArea(){//Triangle’s implementation to calculate area}
}

  1. Member variables are by default public static final in an interface
  2. Methods are by default public and always without any implementation.
  3. An interface cannot be instantiated
  4. If a class implements an interface it has to provide definition for all methods in the interface else it cannot be instantiated with the new operator.
  5. An interface is an implicit abstract class.
  6. A class imlements an interface is called design by contract.
  7. A class extends  another class is general Inheritence
  8. An interface can extend multiple interfaces, a class can
  9. final class cannot be extended, final method cannot be overridden, final int var = 10 (variable) cannot change its value
  10. static methods(), static int var = 10 belong to a class shared by all objects instantiated from that class, non-static methods and variables belongs to objects instantiated from a class using new

Polymorphism (One Name, Multiple forms/actions):

Two Types

  1. Compile Time or static polymorphism(Method Overloading, mostly in the same class)

    public class Math {
            //Example #4
    public double max(double i, double j){
    return i>j?i:j; //ternary operator, if i greater than j return j else j
    }
    public int max(int i, int j){
        //Same name but different number of, type of or order of parameters
    //Identified at compilation of program which method gets called
    return i>j?i:j;
    }
    }

  2. Run Time or Dynamic polymorphism(Method Overriding, in an inheritance hierarchy)

    Look at Example#3 first for Example#5

      public class AreaCalculateTest {
    //Example #5
    public static void main(String[] arg){ 
    Shape iShape = null;//Generic interface
    iShape = new rectangle();//Specific implementation assignment
    iShape.calculateArea();//Calculates area of rectangle
    iShape = new Triangle();//Another specific implementation assignment
    iShape.calculateArea();//same call as above but calculates area of triangle
    }
    }
  1. double calculateArea(){.. are overridden in multiple subclasses.
  2. Signature(name, parameter types/ordering/numbers, return type(double) and exceptions in throws clause) have to be exactly same in two overridden methods
  3. rectangle and triangle class is a type of Shape interface that’s why assignment of rectangle, triangle objects possible to Shape variable

Exception Handling

public double division(int a, int b) throws Exception{// throws to tell caller to handle exception
double div = 0.0;
try{ //put the code that may throw exception in try block
if(b==0) throw new ArithmeticException("Division by Zero"); // throw to explicitly throw an exception
div = a/b;
}catch(ArithmeticException ae){//catching a specific exception to handle it
ae.printStackTrace();
}
catch(Exception e){//catching a generic exception to handle it
e.printStackTrace();
}
finally{}//put code here that should be executed even if exception occurs
return div;
}

Reflection & Introspection

  1. Reflection is the ability to examine and modify the structure and behavior of an object at runtime.
  2. Introspection is the ability of a program to examine the type or properties of an object at runtime.

public static void main(String[] args) {
try{
Class<?> c = Class.forName("com.aujas.examples.rectangle");//Load a class
Object rect = c.newInstance();//Instantiate
Method m = c.getDeclaredMethod("calculateArea", new Class<?>[0]);//introspect,get a method
m.invoke(rect); //Call a method on a class object while running
}
catch(Exception e){e.printStackTrace();}
}

public static void main(String[] args){
Object obj = new com.aujas.examples.rectangle();
if(obj instanceof rectangle) //introspect if object is of specific type
((rectangle) obj).calculateArea();//call method if of that type
}

Servlet

A Servlet is a web component managed by the web container (Web server i.e tomcat) that handles http methods (get, post, put, delete, options etc)

public class HelloServlet extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException //request object have access to all html parameters as well as running session
{
//Handle Get request on http
}
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException //response can be used to write to interface or select a jsp to create interface
{
//Handle Post request on http
}
}

Web.xml

Web.xml is a deployment descriptor of a j2ee application used to configure all components, it resides in /WEB-INF folder. We can configure error page, servlets, url mapping to servlet, init parameters or any other configuration. Any framework (struts, spring) is configured in web.xml

<?xml version="1.0" encoding="ISO-8859-1" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<display-name>HelloWorld Application</display-name>
<description>
This is a simple web application with a source code organization
based on the recommendations of the Application Developer's Guide.
</description>
<servlet>
<servlet-name>HelloServlet</servlet-name>
<servlet-class>examples.Hello</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>HelloServlet</servlet-name>
<url-pattern>/hello</url-pattern>
</servlet-mapping>
</web-app>

JSP

JSP is used to create dynamic web pages. It is java code between inside html codes.

  <% ... %> (Scriplet) where  fragment of java code is written
<%= ... %>(Expression) anything goes here directly prints on web interface
EL(Expression language) ${javabean.variable}

Log4j
log4j.properties contains configurations related to logging such as log file name, location, type of appender etc.

final static Logger logger = Logger.getLogger(classname.class); //Logging Example
logger.error("This is error : " + parameter);
logger.info("This is info : " + parameter);
logger.debug("This is debug : " + parameter);

Maven Build

Maven is build tool to compile and build the jar, war file. Pom.xml contains the dependencies to compile, these dependencies can be internal on any internal project jar or on any external jar such as itext, log4j etc.

Key learning from Security Breaches of 2014

Author: Amit Khanna

In the battle of keeping your crucial information secure, it’s not just the hackers you should worry about but also lax security and stupidity that these hackers rely on. Data breaches are on the rise reaching new record each year. Year 2014 is no different either with maximum security breaches in a year so far. It won’t be wrong calling it the year of data breach considering the fact that three out of eight biggest data breaches in last decade happened in 2014. And to be put it in numbers, there is almost 30% increase in security breaches every year which is much more than number of companies adopting stringent methods to prevent such security breaches.

These breaches are not constrained to any particular sector or particular geography but restrained to the need of hackers or criminals thus making it epidemic. Even the big players like Home Depot, JP Morgan Chase, Sony Entertainment, eBay are not able to help themselves from this epidemic. To understand the gravity of the situation let’s look at the major data breaches of 2014 and how much it affected companies and its stakeholders (employees, customers, suppliers etc.). You must be thinking what these stakeholders have to do with data breaches it should be organization’s problem. Not exactly! Most of these breach not only steal organization’s data but also the personal information and even debit & credit card numbers of stakeholders.

Being the year of maximum data breaches, there are few that needed to be highlighted to present the severity of such attacks. These attacks are different not in the severity but also the way the data is breached and how it was done so as to make you understand the different way of attacks.

  • Sony Online Entertainment Service’s breach is one of the worst corporate breach where lots of internal data including employee’s personal information, passwords, upcoming movie scripts, upcoming movies, salary information were exposed out in public. An attacker use sophisticated malware to get the information but Sony used to store employee information and security credentials were not up to par.
  • JPMorgan Chase is another such case where it affected about 76 million households and 7 million small businesses. Hacker compromised the personal information by getting the access to the computer of an employee with special privileges.
  • Home Depot, the world largest home improvement chain, also faces serious intrusion where 56 million credit and debit card information were compromised. The criminal used a third-party vendor’s username and password to enter the network and later acquired elevated rights for the system. The organization had to face more than $43million lawsuit for this breach.
  • Internet Corporation for Assigned Names and Numbers (ICANN) which overlook after the internet address system was also attacked by mere spear phishing attack. Crafted email message was sent to employees from domain similar to organization’s domain. This email compromised credentials of several staff members.

The data primarily include the personal information, credit & debit card information and most importantly date related to point of sales. So now the question is what could the organization do to prevent such breaches?  There are two ways going about it. First is filling all the loopholes in the security and second the most important is to learn from other’s mistake. So here are the few takeaways that can help you prevent such breaches in your organizations.

  • Educate your Employees: – Most of the security breaches won’t even happen without the employee interaction with either malware, spam emails or through other communication channels like phone, SMS, etc. E.g. In case of ICANN, if any one employee could even report the phishing email that has been sent then there won’t be any leakage. Also in cases like Home Depot, phishing is confirmed as the cause. Therefore, it becomes mandatory for the organization to put important efforts in educating their employees about such attacks and channels to report the same as they are the weakest link in their chain of security. Also 84% of the large companies suffer phishing attacks so educating employees become crucial for any organization.
  • Employing internal and external firewalls: – Proper firewalls need to be there in place both internally and externally which could prevent such breaches. 94 million credit cards information was stolen from TJX network as they don’t have any firewall. Firewalls are the front security gates and by not putting them in place you are inviting Hackers a homely welcome.
  • Focus on detection and response: – Cyber security is a continuous process so there needs to be proper detection system and reporting system in place to prevent such breaches. Many experts believe that focusing effort in detecting security breaches as quickly as possible and then responding appropriately will help to minimize the harm. Also anti viruses and firewalls need to be regularly and proactively updated to detect new intrusion methods and malware. Proper guidelines need to be in place to what need to be done in the case of security breach.
  • Encrypt critical data: – In case of JPMorgan Chase, criminals were not able to access the credit and debit card due to encryption system in place. Proper encryption system does not only eliminate the breach but also adds an extra layer of protection. Organization can rely on SSL, SHA or other encryption algorithm to encrypt the data present on various servers to achieve high level of confidentiality.
  • Update Security Channels:- With the advent of technology, it becomes crucial to adopt technologies and strategies which are more secure. E.g. Banks should provide EMV cards to their customer which requires password for payment and difficult to duplicate. The security update resolves a privately reported vulnerability and help in system fighting malwares. So reinforcing and updating organization’s defense over time become necessity as hackers are constantly looking for loopholes in this era of information.
  • Choose Right password: –Passwords or decryption key should be chosen properly to make it difficult for hacker to steal it. This can be done by using numbers, special characters, capital letters, etc. in your password. Also one should ensure not to use the same password for multiple servers. This will ensure that if a hacker has one key then he won’t be able to access other servers using the same key. On an average it takes 2-3 months for hacker to crack into the network and exploit it. So user should change their password within 2-3 months to make it impossible for hacker to get access.
  • Divide and Conquer: –Some companies practices “air gap or air wall” where a secure computer network is physically isolated from unsecured network which prevents the hacker to access it. However, it won’t be possible to isolate network but companies could segment networks based on the type of crucial information it holds and imposing proper security measure for more secure network. This measure not only ensures extra security for more crucial data but in case of breach it would help to detect the breach and respond appropriately.

We are living in information world where Information is everything. Any data leakages or security breaches not only result in a financial loss but also cost the organization its image. The above steps would ensure the security of any organization, but one thing that needs to be understood is that cyber security is a continuous job. It requires continuous efforts from CISO (in some cases CIO) to detect loopholes and block them permanently as well as from employees not to fall into any traps set by the criminals.

How to design a Cryptographic Solution – Part 2

Authors: Amit Ranjan & Rahul Veer

Once a cryptographic requirement is in place we need to start working on the design and the challenges we might face during its implementation. Designing a cryptographic solution has its own characteristic weaknesses which aren’t apparent at its initial phase. During implementation, we have to deal with practical nuances and choices that we make to avoid such vulnerabilities while maintaining adaptability for future modifications in standards.

Most parts of cryptographic implementations deal with maintaining the confidentiality of plain text or Image communicated over a channel. Broken cryptography is where an adversary can infer the data from ciphertext thereby compromising communication between two parties. In this article, we will understand typical cryptographic vulnerabilities along with certain elementary concepts of cryptography. In subsequent articles, we will discuss more techniques and best practices to avoid these vulnerabilities.

Let’s start with typical cryptographic vulnerabilities.

  • Known Ciphertext attack is one such vulnerability where an adversary has access to a set of ciphertexts and can deduce plain text through some knowledge such as the language in which the plain text was written.

Impacted Algorithm:  WEP (Wired Equivalent Privacy) and stream ciphers such as A5/1, A5/2 used in GSM telephony and initial versions of Microsoft implementation of VPN using PPTP Point-to-Point Tunneling Protocol,

  • Known Plain text attack is an attack where the attacker has access to both the plain text and ciphertext of one or more messages. This can be used to attack information systems to reveal cryptographic keys.

Impacted Algorithm: The PKZIP stream cipher used for file compression is prone to this attack.

  • Chosen ciphertext attack is an attack model where an adversary can decrypt some of the ciphertexts without knowing the key. Having access to some ciphertext, an adversary can fool the system to provide plain text which may be useful in analyzing the system. A non-adaptive (Lunchtime) chosen ciphertext attack refers to an attack where a system is available to obtain plain text of randomly chosen ciphertext while the owner of the system is out for lunch or not monitoring the system. An Adaptive chosen ciphertext attack is an attack where the ciphertext is chosen before and after the challenge ciphertext is given to the adversary. The adaptive ciphertext is planned after analysis of the cryptosystem using the non-adaptive chosen ciphertext attack.

Impacted Algorithm: ElGamal an asymmetric encryption algorithm based on Diffie–Hellman key exchange is not secure under chosen ciphertext attack. Early versions of RSA padding used in SSL protocol were vulnerable to adaptive chosen ciphertext attack that potentially revealed SSL session keys.

  • Chosen plain text attack assumes that the attacker can obtain ciphertexts for any clear texts. It is more considerable in public key encryption where the public key is used for encryption. Consequently, an attacker can encrypt any plain text of their choice. Chosen Plain text attack can be Batch Chosen where all the plain text is selected without analyzing any of the ciphertexts. An attacker, however, can request ciphertexts of certain plain texts after carefully analyzing ciphertexts for some other set of plain texts. Such form of chosen Plain text attack is known as Adaptive Chosen plain text attack.

Impacted Algorithm: Vigenere Cipher that uses a series of different Caesar ciphers is found to be vulnerable to this attack.

In cryptography, plain text is encrypted predominantly using two distinct types of ciphers, stream and block. Block cipher uses a cryptographic key to encrypt a block of data (e.g. 64 contiguous bits) at a time. On the other hand, stream cipher encrypts one bit at a time.

Block ciphers fundamentally are deterministic algorithms, which while operating on a fixed block of data; always produce the same output given a particular input. Block ciphers today serve as important components in building any cryptographic protocols/systems that encrypt bulk data. Many block ciphers are designed based on the concept of iterated product cipher (sometimes also called as iterated block cipher) that carries out encryption in multiple rounds, each of which uses a different sub key derived from the original key. One common implementation of such cipher is DES. Most other designs of block ciphers like AES are based on a different type of iterated block cipher known as Substitution permutation networks. Substitution permutation network takes a block of plain text and key as input and applies several alternating rounds of substitution and permutation to produce ciphertext block.

Semantic security implies that the knowledge of ciphertext of some unknown plain text doesn’t reveal any information which could potentially be used to feasibly extract plain text. A block cipher primarily performs encryption only of a fixed block of data at a time and invariably produces same output for a given input. A block cipher by itself is only suitable for cryptographic transformation (encryption/decryption) of a block of data. To achieve semantic security, several so-called modes of operation have been designed. A mode of operation describes how to repeatedly apply a cipher’s single-block operation to securely transform large volumes of data. Most modes require a unique sequence called initialization vector (IV) for each encryption operation. The IV ensures that distinct ciphertexts are produced even when same plain text is encrypted multiple times with the same encryption key.

Block ciphers could be operated under varying block sizes of data, but during transformation (encryption/decryption) the block size remains fixed. Block cipher modes operate on entire blocks and necessitate that the last part of data be padded to a full block if it is smaller than current block size, also it’s essential to build continuity in the blocks to add additional security.

The Electronic Code Book (ECB) mode of operation, splits a message (plain text) into blocks of data (possibly extending the last block with padding bits), and then each block is encrypted/decrypted independently. However, such a simple method is highly insecure as equal plain text blocks always generate equal ciphertext blocks (for same key), so patterns in plain text message are apparent in ciphertext output.

The Cipher Block Chaining (CBC) mode of operation, uses an IV along with plain text message. This IV is added in an exclusive-or (XOR) manner to the first plain text block before it is being encrypted. The resultant ciphertext block is then used as new IV for the next plain text block. So on, all the blocks of data are XORed with previous ciphertext before being encrypted. This way, each ciphertext block depends on all plain text blocks processed up to that point. CBC has been the most commonly used mode of operation. During decryption with incorrect IV, the first block of plain text would be corrupt but all subsequent plain text blocks would be correct. This is because a plain text block can be recovered from two adjacent blocks of ciphertext. Note that a single bit change to ciphertext causes complete corruption of corresponding block of plain text and inverts the corresponding bit in the following block of plain text, however, rest of the blocks remain unbroken. This unique behavior is exploited in padding oracle attacks, such as POODLE.

The CipherFeedback (CFB) mode turns a block cipher into a self-synchronizing stream cipher. The initialization vector is first encrypted and then added to the plain text block. CFB decryption is almost identical to CBC encryption performed in reverse.

The OutputFeedback (OFB) mode turns a block cipher into a synchronous stream cipher. It generates key stream blocks, which are then XORed with plain text blocks to get the ciphertext. Just as with other stream ciphers, changing a bit in ciphertext impacts a similar bit in plain text at the same location.

The Counter (CTR) mode creates a key stream but has advantage of requiring unique (and not necessarily random) values as initialization vectors; the essential randomness is computed internally by using initialization vector as a block counter and encrypting this counter for each block.

In the example below, it is evident that ECB mode ciphertext reveals too many patterns compared to the other modes.

clip_image002_0005       clip_image004_0001            clip_image006

Original image Encrypted using ECB mode Encrypted using non ECB mode

Some modes such as the ECB and CBC operate only on complete plain text blocks. So, consider a case where the plain text couldn’t be split down to an exact multiple of blocks. How do you encrypt the last set of plain text bytes that falls short of some more bytes to form a valid block? Here comes padding to our rescue. You, in essence, pad those vital extra bytes in order to form a valid block. While decrypting though, the receiving party must know how to remove the padding bytes in an unambiguous manner.

This article details out various mechanisms of padding used in ECB and CBC mode of operation with block ciphers. I am going to use ECB mode to demonstrate the use of padding, as it is the simplest to explain (and understand too), thereby implying the significance of it. However, reader is advised to note the security issues outlined here:

  • There are major security issues in using ECB mode (as identical plain text blocks produce indistinguishable ciphertext blocks) and its use is generally discouraged.
  • CBC mode can leak information if handled incorrectly.
  • Caution must be exercised while generating unique initialization vector (IV) with algorithms that require one.
  • There are limits on the amount of plain text that can be safely encrypted with a given (key, IV) pair.

The plain text is ASCII representation of actual data to be encrypted. Let us assume we need to encrypt a sentence ‘Now is the time for’. Now the plain text (ASCII encoded) form of his sentence would be the 19-byte sequence ‘4E 6F 77 20 69 73 20 74 68 65 20 74 69 6D 65 20 66 6F 72’. We will encrypt this plain text using DES algorithm run in ECB mode. Though, we shouldn’t be using DES with ECB in the real world, we are using it in order to demonstrate and help you understand the underlying concepts of padding effortlessly. Let us consider ‘0123456789ABCDEF’ will be our cryptographic key.

The data block size for DES algorithm is 64 bits (8 bytes). To encrypt, we break the plain text into blocks of 8 bytes each.

The original plain text:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
N o w   i S   t H e   t i m e   f o r
4E 6F 77 20 69 73 20 74 68 65 20 74 69 6D 65 20 66 6F 72

The original plain text breaks up into two blocks of 8 bytes each and a third block of three bytes.

1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3
N o w   i S   t H e   t i m e   f o r
4E 6F 77 20 69 73 20 74 68 65 20 74 69 6D 65 20 66 6F 72

However, in this encryption scheme we need data blocks to be of 8 bytes in size. In ECB mode, each 8-byte block is encrypted independently.

First Block:

  1 2 3 4 5 6 7 8
DES INPUT BLOCK N o w   i s   t
HEX 4E 6F 77 20 69 73 20 74
DES OUTPUT BLOCK 3F A4 0E 8A 98 4D 43 15

Second Block:

  1 2 3 4 5 6 7 8
DES INPUT BLOCK H e   t i m e  
HEX 68 65 20 74 69 6D 65 20
DES OUTPUT BLOCK 6A 27 17 87 AB 88 83 F9

Third Block:

  1 2 3 4 5 6 7 8
DES INPUT BLOCK F o r X X X X X
HEX 66 6F 72 X X X X X

So what do we do with the third data block of 3 bytes, which is falling short of 5 bytes to reach a block size of 8 bytes? We pad the last block with 5 bytes to make it up to the expected length.

1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
N o w   i s   t h e   t i m e   f o r X X X X X
4E 6F 77 20 69 73 20 74 68 65 20 74 69 6D 65 20 66 6F 72 X X X X X

There are many standards followed to pad a data block to reach the expected length.

  1. PKCS5/PKCS7: Padding is done in whole bytes, all of the same value as the number of padding bytes required.

By far the PKCS5/PKCS7 is the most popular and is usually referred to as "PKCS5 padding".  It recommends to Pad the plain text with a padding string of anywhere between 1 and 8 bytes to make the total length an exact multiple of 8 bytes. The value of each byte of the padding string is set to the number of bytes added – i.e. 8 bytes of value 0x08, 7 bytes of value 0x07, …, 2 bytes of 0x02, or one byte of value 0x01.

Our third block of plain text data block is padded with 5 bytes of value 05:

  1 2 3 4 5 6 7 8
DES INPUT BLOCK F o r X X X X X
HEX 66 6F 72 05 05 05 05 05
DES OUTPUT BLOCK FD 29 85 C9 E8 DF 41 40

    

At the receiving end after decrypting, read the last character decrypted and strip off those many bytes from the trailing end. This method can be used with any plain text, ASCII or binary. Don’t forget to check first, that the number of characters to be stripped is between one and eight. This also gives you an extra check that the decryption has been carried out correctly.

  1. ISO/IEC 7816-4: Pad is done by appending 80 to the message followed by as many zero bytes as required. Add a single padding byte of value 80 and then pad the balance with enough bytes of value zero to make the total length an exact multiple of 8 bytes. If the single 80 byte makes the total length an exact multiple then do not add any zero bytes. This is known as "OneAndZeroes padding".

Our third block of plain text data is padded with 80 followed by 4 bytes of value 00:

  1 2 3 4 5 6 7 8
DES INPUT BLOCK F o r X X X X X
HEX 66 6F 72 80 00 00 00 00
DES OUTPUT BLOCK BE 62 5D 9F F3 C6 C8 40

At the receiving end after decrypting, strip off all trailing zero bytes and the 80 byte. This method can be used with any plain text, ASCII or binary. Cryptographers who work with smart cards seem to prefer this method.

  1. ANSI X.923: Padding is done with zeroes except the last byte is made equal to the number of padding bytes added.

Our third block of plain text data is padded with 00 followed by a byte of value 05:

  1 2 3 4 5 6 7 8
DES INPUT BLOCK F o r X X X X X
HEX 66 6F 72 00 00 00 00 05
DES OUTPUT BLOCK 91 19 2C 64 B5 5C 5D B8

At the receiving end after decrypting, read the last character decrypted and strip off those many bytes from the trailing end. Don’t forget to check first, that the number of characters to be stripped is between one and eight. This also gives you an extra check that the decryption has been carried out correctly. This method can be used with any plain text, ASCII or binary. The convention with this method is usually always to add a padding string, even if the original plain text was already an exact multiple of 8 bytes. The final byte could, therefore, have a value between 01 and 08.

  1. Zero Padding: Padding is done with zero (null) characters.

Our third block of plain text data is padded with 00 followed by a byte of value 05:

  1 2 3 4 5 6 7 8
DES INPUT BLOCK F o r X X X X X
HEX 66 6F 72 00 00 00 00 00
DES OUTPUT BLOCK 9E 14 FB 96 C5 FE EB 75

At the receiving end after decrypting, trim all null characters found at the end until you find a non-null character. You cannot use this method when the plain text could contain a null value. This is not a problem if you are dealing with ASCII text, but would be if encrypting binary data like an EXE file.

The resulting ciphertext from these padding methods would look like:

  1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
  N O w   i s   T h e   t i m e   f o r X X X X X
1 4E 6F 77 20 69 73 20 74 68 65 20 74 69 6D 65 20 FD 29 85 C9 E8 DF 41 40
2 4E 6F 77 20 69 73 20 74 68 65 20 74 69 6D 65 20 BE 62 5D 9F F3 C6 C8 40
3 4E 6F 77 20 69 73 20 74 68 65 20 74 69 6D 65 20 91 19 2C 64 B5 5C 5D B8
4 4E 6F 77 20 69 73 20 74 68 65 20 74 69 6D 65 20 9E 14 FB 96 C5 FE EB 75

Note that how different the last block of ciphertext is for each of the padding mechanisms.

Now you know about encryption, algorithms, modes and padding, in our next article we continue our journey in designing cryptographic solutions.