Stack Buffer Overflows – Old Exploits Never Die

Buffer overflows remain one of the most highly exploitable vulnerabilities on the Internet. Just last month (Feb 2016), researchers from Red Hat and Google discovered a bug in the GNU C Library, a.k.a. glibc, that made machines running the glibc package vulnerable to stack-based buffer overflow exploits.

The glibc package is found in several Linux distributions, including those running on servers as well as some routers and other network devices, so the potential scope of impact is quite extensive. Fortunately, a bug fix has already been released and hopefully the majority of the affected machines should have been patched by now. Nevertheless, it doesn’t change the fact that buffer overflows continue to be a threat to information security.


Shadow Puppets – Domain Shadowing 101

Earlier this year (2016), WordPress sites were attacked by a massive malvertising campaign that employed an evasion technique known as domain shadowing. Domain shadowing is becoming increasingly popular among cybercriminals who employ exploit kits because of its superior ability to avoid detection. In this post, we explain what domain shadowing is, how it’s employed, why it’s so effective, and some of the ways to counter it.

What is domain shadowing?
Domain shadowing basically refers to the cybercriminal exercise of infiltrating multiple domain registrant accounts in order to spew forth several subdomains for malicious purposes.

Cybercriminals are able to acquire login credentials to these registrant accounts through methods like phishing and keylogging. Once they’ve gained access, these malicious individuals then create a large number of subdomains. These subdomains then allow the crooks to carry out attacks behind perfectly legitimate domains, which makes the attacks hard both to detect and to counter.

In the exploit kit campaign discovered by Cisco’s Talos Group during their initial encounters with domain shadowing, the hijacked subdomains were set up in two layers. The first layer of subdomains, mostly third-level subdomains (e.g. letters.somedomain.com), received traffic from the malicious ads served on legitimate web pages and then redirected the traffic to the second layer.

This second group of subdomains, now mostly fourth-level subdomains (e.g. abcfsaa.letters.somedomain.com), in turn hosted exploit kit landing pages. The exploit kit then scanned the victim’s system for vulnerabilities and infected it with malware that would in turn set the system up for more nefarious acts. The number of subdomains in this group is much larger than in the first, and they are rotated rapidly.

Why domain shadowing is so effective

One of the reasons why this technique is so effective is that registrant accounts are rarely checked. Perhaps the only times they’re ever opened are when they’re created, i.e. when the owner registers his/her first domain, and when the owner adds new domains.

Thus, these accounts are only accessed by their real owners about once or twice a year. This gives the attackers ample time to create illegitimate subdomains without getting noticed.

Another reason is that when the subdomains are finally called into play in an attack, they’re rotated rapidly. In fact, each subdomain may not stay active for more than an hour, depriving security groups of the time to gather enough information and come up with any meaningful analysis of the attack.

Thirdly, domain shadowing is immune to many of the countermeasures being used today. For instance, domain reputation systems, which assign scores to known domains and block or allow traffic from certain domains based on their scores, can have limitations when used against domain shadowing. If the malicious subdomains are built off of reputable domains like say cisco.com, they can easily slip through.

Some people are suggesting that since the fourth-level subdomains used in domain shadowing are usually made up of random alphanumeric characters, this kind of subdomain might be used as a basis for raising red flags. Unfortunately, several cloud-based services also use such random naming conventions for the subdomains they generate, so using this characteristic as a filter can cause problems with false positives.

Clearly, any effective way of countering domain shadowing would require a combination of several approaches. First of all, domain registrants’ accounts must be secured. Strong authentication, preferably 2FA, must be required in order to access these accounts to prevent them from being compromised. Reputation-based systems can also help in detecting malicious subdomains but, as stated earlier, must not be the only method.
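As an added illustration (not part of the original post), the following Python scores parent domains on the combination of signals described above rather than on label randomness alone: a burst of distinct fourth-level hostnames under one registered domain, each alive for under an hour. The passive-DNS-style records are constructed; `somedomain.com` is the post’s own placeholder, and `cloudhost.example` stands in for a cloud provider whose random-looking labels are long-lived and should not be flagged.

```python
"""Flag parent domains whose subdomains fit the domain-shadowing pattern:
many distinct deep (4th-level+) hostnames, each seen only briefly.
Label entropy is reported but deliberately not used for the decision,
because random-looking labels alone produce false positives."""
import math
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def registered_domain(fqdn):
    # Assumption: the registered domain is the last two labels.  Production
    # tooling should consult the Public Suffix List (e.g. for example.co.uk).
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def shannon_entropy(label):
    """Bits per character of a DNS label; 0.0 for a repeated single character."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def profile_domains(records):
    """records: iterable of (first_seen, last_seen, fqdn) observations.
    Returns {registered_domain: stats} over hostnames with 4+ labels."""
    by_domain = defaultdict(list)
    for first_seen, last_seen, fqdn in records:
        labels = fqdn.lower().rstrip(".").split(".")
        if len(labels) < 4:  # landing pages in the campaign sat at the 4th level
            continue
        lifetime_min = (last_seen - first_seen).total_seconds() / 60
        by_domain[registered_domain(fqdn)].append(
            (fqdn, lifetime_min, shannon_entropy(labels[0])))
    return {
        domain: {
            "deep_hosts": len({h for h, _, _ in hosts}),
            "median_lifetime_min": median(l for _, l, _ in hosts),
            "mean_label_entropy": sum(e for _, _, e in hosts) / len(hosts),
        }
        for domain, hosts in by_domain.items()
    }


def shadowing_suspects(records, min_hosts=10, max_lifetime_min=60):
    """Registered domains with a burst of short-lived deep hostnames."""
    return sorted(d for d, p in profile_domains(records).items()
                  if p["deep_hosts"] >= min_hosts
                  and p["median_lifetime_min"] <= max_lifetime_min)


# Constructed sample labels (random-looking, as in the Talos write-up).
SAMPLE_LABELS = ["abcfsaa", "q7x2kd9", "m3pz81v", "zt6w0hn", "k9ry4cb", "p2lsu7e",
                 "v5nqa3j", "h8dxo1t", "c4bme6y", "w1gkz9r", "f7tjp0s", "n6ucl2a"]


def build_sample_records():
    """Constructed passive-DNS-style data: one shadowed domain, one cloud host
    with equally random but long-lived labels, and an ordinary small site."""
    base = datetime(2016, 3, 1, 9, 0)
    records = []
    for i, label in enumerate(SAMPLE_LABELS):
        first = base + timedelta(minutes=50 * i)
        # Shadowed: each landing host lives ~35 minutes before rotation.
        records.append((first, first + timedelta(minutes=35),
                        f"{label}.letters.somedomain.com"))
        # Cloud provider: same label style, but instances live for weeks.
        records.append((first, first + timedelta(days=30),
                        f"{label}.eu-west.cloudhost.example"))
    records.append((base, base + timedelta(days=365), "www.example.net"))
    records.append((base, base + timedelta(days=365), "mail.example.net"))
    return records


if __name__ == "__main__":
    for domain, stats in profile_domains(build_sample_records()).items():
        print(domain, stats)
    print("suspects:", shadowing_suspects(build_sample_records()))
```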

Defence Intelligence solutions can help you prevent, detect or counter domain shadowing. To learn how, contact us today.

Google’s Latest Safe Browsing Update: The End of Fake Download Buttons?

You’ve probably browsed pages – some on well-known high traffic sites – that are full of ads with fake download buttons that took you further away from what you were actually searching for, to dark corners of the internet you’d never willingly visit and software you regret downloading. The real intent of these deceptive ads? Malware. Although they’ve been around for quite a while, they are becoming more prevalent. Some don’t even require a click to pass on an infection.

Here are some examples you probably recognize:


Good news for those of you who may not recognize these deceptive ads: Google’s Safe Browsing update aims to minimize your exposure to them. Recently, Google announced a new Chrome feature – as part of its Safe Browsing update – that warns users when they are about to visit sites with these call-to-malware ads. This means that any pages that mimic trusted entities (like your device, browser or the actual site) and trick you into disclosing sensitive information like passwords (that you’d typically only disclose to a trusted entity) will now be flagged by Google. Opening such a site would give you the following warning:


The update is turned on by default in Chrome. You can switch it on and off by checking or unchecking the “Protect you and your device from dangerous sites” box located under Preferences in Chrome (Preferences → Settings → Advanced → Privacy).

The ultimate question is: will Google’s latest update keep you completely safe from call-to-malware ads? The answer is most definitely “no.” Even when combined with ad blocking software or applications, Google’s Safe Browsing may not be able to completely keep these ads at bay.

For example, earlier this year, Forbes forced visitors to disable ad blocking software before they could read its content. Since Forbes serves a ‘quote of the day’ and an ad before directing visitors to main content, Google does not accurately cache the page’s content/data. The result was that users were immediately served malware after they disabled ad blockers. Other high profile sites like the New York Times have been victim to similar attacks.

It also looks like it will take a while for Google to compile a comprehensive list of flagged sites. If your site has been flagged, you can follow these instructions to fix the issue.

While Google’s latest Safe Browsing update is an important step towards making the internet a safer space for us, we certainly won’t see the end of malware ads just yet.

Why ‘EmailGate’ Isn’t Just a Problem for Clinton

The U.S. elections of 2016 have resulted in some of the most heated debates across a number of contentious issues. The personalities involved in the run-up to the November presidential election are an explosive mix, and the resulting accusations and mudslinging make for great TV. The accusations range in tone from almost playground jibes, such as the one made by Trump towards Cruz, saying his Canadian birth could make the senator “vulnerable”, to serious accusations that could materially impact the candidate’s status. Jibes like this may muddy the electoral waters, but the more serious accusations that we’ve seen recently against Hillary Clinton can have far wider repercussions.

Hillary Clinton and ‘Those Emails…’

Around this time last year, there was a bit of a storm around Hillary Clinton, then secretary of state, who had been revealed as using a private, home-based server to manage her emails. At the time, she was accused of using this system to prevent freedom of information requests and searches. Clinton defended herself by saying the emails were not deemed ‘classified’, something that has since been hotly disputed. The press lambasted her for creating her own ‘homebrew’ email system, the security of which was uncertain and which gave her powers of control over her emails that rankled those wanting transparency from their politicians. This level of irritation over the use of a personal server was not unfounded. If an issue of state security did occur, it would be vital to have full disclosure of emails. We would then have to rely on Clinton’s word that she had disclosed them, or that she could prove no malicious disclosure had occurred – not an ideal situation for any government to have to deal with. Just to give you an idea of the scale of this issue, so far 1200 emails from that homebrew server have been checked and retroactively marked as ‘classified’.

The truth of the matter may never fully come to light, but the story of Hillary Clinton’s ‘EmailGate’ rumbles on. We are now finding out that some of those emails Clinton originally stated were not classified were in fact top secret.

Trump, a master of marketing, has of course used this to his own advantage. He is using ‘EmailGate’ to damage Clinton’s reputation because of her poor handling of security. Clinton may also find more than her reputation damaged if any subsequent issues come to light, especially around security.


Ignore Security at Your Peril

Poor security choices may well cost Clinton the presidency. But she isn’t the only one damaged by not taking security and privacy seriously. We are currently watching the world of cyber-crime explode; in fact, Senator John Kerry has described the situation as being “…pretty much the wild west…” and stated that he fully expects the Russians and Chinese to be reading his emails. In the last few years we have seen a general increase in the likelihood of a successful cyber-breach. Privacy Rights Clearinghouse, a U.S.-based non-profit organization, sets out to spot trends and quantify breaches. You can go to their ‘data breaches timeline’ and see the level of breaches per year since 2005. In 2010 there were just under 13 million records breached. In 2014 this figure had risen to almost 68 million breached records, and in 2015 there were a staggering 159,436,735 records compromised. This means an awful lot of organizations, and the people who head them, are seeing financial penalties and their reputations damaged.

Cyber-litigation On the Increase: Now it’s Personal

These cyber-breach figures are not only resulting in an awful lot of stolen data, they are translating into litigation. The Federal Trade Commission (FTC) can and does prosecute firms for poor security measures. In 2015 the FTC made a ruling that will impact all companies who are custodians of data, especially of customer data. The ruling came out of the case of the FTC vs. Wyndham Hotel and Resorts where Wyndham failed to give reasonable protection to personal customer details. The FTC can now more readily bring cybersecurity cases to court and prosecute businesses that do not put in place good measures to protect customer data.

The massive breach suffered by retailer Target has resulted not just in reputational damage, but major financial losses. Resulting lawsuits by banks and credit unions associated with the firm have amounted to $39 million; a class action by Target customers is also in progress against the retailer.

And now it’s also getting personal. There is a human impact too, above and beyond the affected customers and the class actions: Target’s CIO, Beth Jacob, ended up resigning over the cyber-breach debacle. Donna Seymour, CIO of the Office of Personnel Management (OPM), which experienced a breach of around 22 million employee records last year, is now being sued because she failed to protect those individuals’ identity data. If this lawsuit is successful, and chances are it will be, then we should expect to see more personal lawsuits taken out against executives of breached companies.

Reputation and Security Go Hand-in-Hand

One thing that we can be sure of in the Hillary Clinton ‘EmailGate’ case is that her reputation has been irreversibly tarnished. Reputation on both a commercial and individual level is a very delicate matter and once lost is difficult to put right. Financial losses are one thing and very damaging they can certainly be, but to lose a reputation can mean a previously shining career is ruined. We can no longer hide behind our company lawyers. As executives we need to take control of our cybersecurity strategy and ensure that from the board level downwards, everyone takes security and privacy seriously.

Rotten to the Core – Thousands of Apps in Apple’s Store Infected

A multitude of apps in Apple’s Chinese App Store contained a form of malware that recently bypassed Apple’s code screening process. Researchers at FireEye have found approximately 4,000 apps to be infected with the XcodeGhost malware, affecting hundreds of millions of iOS users worldwide. Once downloaded, these malicious applications have the potential to obtain and utilize device and user information, though Apple has said they’ve found nothing to suggest any malicious activity as of yet.

Xcode is an integrated development environment (IDE) that contains a suite of software development tools produced by Apple for the development of software for OS X and iOS. XcodeGhost is the malware found in unofficial versions of Xcode downloaded by Chinese developers. It has the capability to modify Xcode and infect the iOS applications built with it. WeChat and Angry Birds 2 are just a couple of examples of popular infected applications that are now being updated in the App Store with malware-free versions, while many other iOS applications identified as being infected with XcodeGhost are temporarily unavailable. In conjunction with this, Apple has sent email notifications to affected developers instructing them to recompile their products with official Xcode and to re-submit accordingly in order to prevent future breaches. Is it too late, however? Has the damage been done?

Some are labelling this incident as a “first of its kind security breach” exposing a vulnerability and security gap in Apple’s mobile platform, which was once conceptualized as being the most secure of its kind. It is important to note that there was a failure to identify this malware prior to it infiltrating Apple and its users. How did this happen and how may this have been prevented? With modern day tools and technologies in place to protect against such occurrences, how will organizations such as Apple move forward in addressing this security gap?

What one can deduce from this incident is that, contrary to popular belief, Apple is not in fact safer and more secure than PC/Android. Does this incident mean reduced credibility and competitive advantage for Apple within the market? I suppose that is something yet to be determined. What we do know for certain, however, is that there is a security gap which is very much in existence today. Users, unfortunately, are not as aware as they should be when downloading files and applications, especially when the applications in question are being hosted by a “trustworthy” source such as the App Store.

Hackable Houses and Compromised Cars

The following is a guest post written by Lucy C., a co-op student from Lisgar Collegiate Institute in Ottawa.

The idea of having a smart home or a smart car is extremely tempting. Being able to live in a world that is fine-tuned to exactly your needs seems like a sci-fi paradise. Cars that drive and park themselves, pre-programmed with GPS systems and traffic control, so you know exactly how long your drive to work each morning will be. A home that adjusts its temperature controls depending on your body heat and doesn’t require a key for entry as it recognizes your presence. A kitchen that can cook you breakfast each morning before you awake and a pillow that wakes you up at the exact right moment in your REM cycle.

All of these features and products sound great in theory, but in practice they do have a major downfall: your privacy and security will never be more at risk. All these useful devices will be collecting a slew of personal data about every aspect of your life, and if any devices were hacked and controlled by an outside source, the ramifications would be unimaginable.

With your every action tracked and recorded, companies will have all the personal data they could ever want on every consumer. Even if the system is not compromised by a hack and the data is never stolen by an outside source, there is still the lurking possibility that the company will sell your data to other enterprises or to the government, who would then know the every movement of every citizen.

This lack of privacy is accompanied by a frightening lack of security. If someone were to gain control of your smart home or smart car, they could wreak havoc on your life. You could be unable to access your home, or they could gain entry to your home by simply pressing a button. It would bring a new age to terrorism: imagine the power a group would hold if they had the capability to crash every car in a city in an instant, or lock whole cities out of all their buildings.

And the scariest part of these new smart homes and cars? So far, they are surprisingly easy to hack. There are already stories of strangers gaining access to baby monitors and being able to speak through them. The Insteon home control system, a remote control system for turning electronics on and off and controlling temperature in your home, used to be based online with only occasional password protection, so, if you discovered one of the sites, you could turn any electronics in the home on and off and have access to all the personal data that the system had gathered.


These potentially disastrous consequences of smart homes and cars bring about a burning question: are consumers ready to part with their security and privacy just to have all these cool new personalized gadgets?


Your Reputation after a Data Breach

Whether you asked for it, had an active hand in making it, or even acknowledge it, you have a reputation. It can be built up, blown up, and is blended from both fact and fiction. It is a wild beast that is only tamed in the way an adult grizzly plucked from the forest can be tamed. Despite all its volatility and fragility you must manage it as best you can, because when your reputation takes a hit the foundations of success begin to shudder.

A company’s reputation is the same. After Target’s data breach one year ago, their customer satisfaction and service reputation stayed in decline for many months. S&P cut Target’s credit rating due to the breach’s bigger-than-expected impact on traffic and sales. Their profits dropped 46% in Q4 of 2013 and their CEO was ousted five months after the breach went public.

There are plenty of tangible costs when a data breach occurs: lost productivity, forensic investigation, technical support, system availability, compliance and regulatory failure. Many of these costs, while significant, are manageable to an extent when the breach is kept under wraps. When word of a breach crosses over to the consumer side, the final tally of damage and cost is unpredictable.

42% of breached companies lost customers and business partners. 46% of a breached company’s clients would no longer recommend the organization.

Companies like Sony, Home Depot, P.F. Chang’s, Staples, Michaels and K-Mart have all been targets of data theft. Their damaged reputations will recover over time, but the repair costs are significant. A Ponemon survey stated the average damage done to a brand ranges from $184 million to more than $330 million and, at best, brands lost 12% of their value after a breach.

Every company needs to do more to keep its reputation secure. While some data breaches will be physical blunders, many of them will be malware entering the network, whether by force or by invitation.

Defence Intelligence helps their clients keep their data and their reputation secure with their advanced malware protection services. Take a look at what we can do to help.
Don’t be the next victim.

The most interesting DDoS ever?

Those of you outside of Canada may not have been following this story, but you might want to, as this one seems to have it all:

  • Accusations of police ineptitude and overreach
  • Listening devices
  • Claims and counter-claims concerning Anonymous
  • Twitter sparring
  • Social engineering
  • Multiple DDoS attacks
  • Bureaucratic boilerplate statements aplenty

The abbreviated story goes something like this…

  • An Ottawa teenager is charged with 60 offences related to ‘swatting’ various targets across North America.
  • Hacker claims to have proof that said teen is innocent – identifies another as the culprit.
  • Hacker contacts family of the accused and the media. Listening devices apparently discovered at suspect’s home.
  • Hacker takes down city, police and court websites to bring attention to the case.
  • Officials assure the public that no data has been breached, but that the hacker managed to get a password from the service provider via phone.
  • Hacker continues to post via social media, promising proof.
  • Father of the accused now says he is a ‘person of interest’ in the case.

We’ve seen hundreds of DDoS attacks in the news over the years, and thousands of them in the security community. They usually aren’t all that noteworthy and barely get a second glance. The attacks in Ottawa and Canada over the past couple of weeks are rather unusual, however. You can catch up on the saga via:

SecuriTea Leaves (Part Three): Future 2

The new Internet is one of openness and perpetual unfiltered documentation, not privacy and selective sharing. What impact will that have on the future of security, when the need for privacy lessens? If our dying generation is the last one concerned over privacy, what motivation is there for security enhancements?

In this series of posts I describe the possible futures of the privacy plate shift we’re riding right now and how it relates to the landscape of security. See SecuriTea Leaves Part One for more detail.

Future 2. No privacy. Strong persistent security. Teleportation a maybe.

This future shares much with future 1 and is possibly just a stepping stone on the same trail. Like future 1, this world has voluntarily given away its privacy, leaving little of one’s life out of public view. What differs here is that individuality is still very important.

People won’t mind if their emails are made public. They just won’t want someone speaking for them using their identity without permission. A person won’t mind being one voice amongst millions, but they will still desire the likes, the lols, the smiles, follows, ratings, and promotion. In this future every picture you take is immediately uploaded to the cloud (now a shared international database), using facial recognition to automatically tag you and all your friends. Every step you take is logged, every purchase you make is known, each entertainment choice is tracked and it has your name all over it, but the phrase “invasion of privacy” never crosses your mind.

This future requires significant security to maintain. To protect the integrity of the data for the individual, identity verification and general information security become very important.

For security of identification there will have to be multiple checks, a verbal password with constant retinal presence. A perpetual presence indicator (PPI) is what maintains validity of the person to the action. If you’re not looking at what you’re creating, or if the eye isn’t yours, then the access is cut off. Security of the information itself will be difficult, keeping it both open but safe from alteration. Security priority here is not to keep it from public view but to keep the relationship of author to text or action valid.

This trust of the person-to-action relationship is most impactful and relevant with banking transactions, and that’s where both the consumer and industry will want to position a mutual fulcrum and where this future has its genesis.

At some point, in the not too distant future, banks will no longer foot the bill for every purchase on a stolen credit card or money transfer made with stolen login credentials. They will turn the responsibility back to the consumer.

“Protect yourself, because we won’t.”

People might then be a little more cautious when using their credit cards online, or they might embrace encryption or additional personal security options, but it is more likely people won’t voluntarily change their habits at all. Security changes will have to be forced on them.

Banks will effectively pass the buck, requiring a user of their online services to pass several security requirements in addition to the PPI (AV, non-public wifi use) before being allowed access to their own accounts. If you don’t qualify, you don’t get in. Retailers won’t rush to join this security revolution, but it will be forced on them as well. The banks will require new security regulations of payment processing groups to guarantee the validity of the end user, which will then trickle changes into the entire online shopping experience.

With so much awareness of you and your actions, this future world is incredibly personalized. What lives now as targeted ads and improved directions to your home will be mood-based music selection, automatic grocery list creation, calendar planning (including television viewing, exercise schedule, and party attendance responses). Decisions will be made for you and they’ll be the same ones that you would have made. Doctors send prescribed medicine to you without you visiting them or even knowing you have a problem. Spending habits are so guided that budgets don’t factor into the purchases. Each day is laid out before you. Life becomes a big to-do list.

Do you think this is a possible future? Thinking about this future as a complete world, what doesn’t fit or what did I miss? Could this idea of a PPI provide enough assurance that an action or data transfer/creation was made by a certain user? Can data sharing ever be really secure, especially when databases are linked? Does taking away choice make life easier or happier, or do we need the chaos and uncertainty to be people of substance?

Other posts in this series: SecuriTea Leaves

Part One: The introduction
Part Two: Possible Future 1


SecuriTea Leaves (Part Two): Privacy, Security, and Their Possible Futures

The new Internet is one of openness and perpetual unfiltered documentation, not privacy and selective sharing. What impact will that have on the future of security, when the need for privacy lessens? If our dying generation is the last one concerned over privacy, what motivation is there for security enhancements?

In this series of posts I will describe the possible futures of the privacy plate shift we’re riding right now and how it relates to the landscape of security. (I will post each future separately so there may be comments on each.)

See SecuriTea Leaves Part One for more detail.

Future 1. No privacy. No security. Flying cars optional. (This future feels far away, but just how far I don’t know.)

We have spent years sharing everything and voluntarily broadcasting our lives to the point where nothing is private. Who we know, how we feel, what we eat, our daily routine, are all available to the public. And if privacy is only a concern for the singular person, then a collective needs no privacy. Individuality is practically gone, lost amongst the vastness of so many people with so much data.

Twitter (whatever repackaged variant it comes as) wouldn’t have a login. You would just tweet as a generic entry, possibly with demographic info tied to it, all performed automatically as you live. Whatever listening device you carry or is nearby, which is always on, will post your statement and question streams to join the river of worldwide conversation. Email won’t exist because there are only public forums for communication. Facebook and LinkedIn (whatever face they wear) will auto-update with every action and career move, complete with pictures you didn’t even initiate.

All data about you, including financial, medical, and family details, are accessible by anyone, and you’re fine with that because community and government services to support needs or problems in any of these categories proactively extend their reach to your doorstep. You won’t care that every mistake you made or slur you’ve spoken is accessible as both an audio file and a transcript, or that everyone knows where you are at all times, because that is the way it is.

The upside of so much exposure is that it may provide more security. It will be more difficult to pull off financial fraud when every purchase by every person is documented publicly in multiple ways: matching shopping habits, visually recording the transaction, tracking an item through its full life cycle, not just shipment. Even clothes may require some ultimate biometric union with their intended owner, where no other person could successfully wear them. Financial spending could be restricted anyway, every dollar of yours so heavily tracked and tied to you personally that the initial fraudulent purchase could never happen.

In this future your health is constantly monitored, and with no delay in medical history or current condition, medical response and effectiveness could be vastly improved. Small changes in your health can inform your doctor while immediate changes can alert the hospitals. The likelihood of one person harming another may be much lower when the whereabouts of every person, especially in proximity to everyone else, is well known.

Sure, like any sci-fi movie tells us about dystopian totalitarian worlds, there will be a resistance. However, with everything public there is no need for login credentials. Everything and everyone knows who you are at all times, so access is wide open. With little privacy and little security needed for that privacy, it may be incredibly easy for that resistance to disrupt the status quo, but ultimately pointless.

Apart from a destructive “reset” of civilization, even a disruption of the system won’t change it. It only sounds like a dystopia from our current point of view. The people are happy to live in the world they’ve helped create. It wasn’t forced on them by the government or even put to a vote, other than the tiny “allow” vote made every time you accept the terms and conditions of the services and software you use. A building wave of “allows” created this new shoreline and the seaside residents moved closer together, preventing any possible outliers. They even take comfort in the lack of privacy. Like confessing your sins, there is a cleansing effect to revealing your secrets, and in this future you’ll never have any.

Do you think this is a possible future? Thinking about this future as a complete world, what doesn’t fit or what did I miss? Could a complete lack of privacy provide total security?

Posts in this series will continue with other possible futures. See SecuriTea Leaves Part One: The Introduction.

-Matt Sully