Home Tags Dictionary Attack

Tag: Dictionary Attack

Critical Vulnerability Patched in Roundcube Webmail

Open source webmail provider Roundcube has released an update that addresses a critical vulnerability in all default configurations that could allow an attacker to run arbitrary code on the host operating system. The flaw is serious because it’s relatively simple to exploit and can allow an attacker to access email accounts or move deeper onto the network. Researchers at RIPS Technologies, a German company specializing in PHP application security analysis, privately disclosed the bug Nov. 21. Roundcube had the vulnerability fixed on Github a day later, and made an updated version publicly available Nov. 28.
Versions 1.0 to 1.2.2 are vulnerable, and users are advised to update to 1.2.3. In a report published Tuesday, RIPS researcher Robin Peraglie explained how default Roundcube conditions create four conditions that enable successful exploits: Roundcube is configured to use PHP mail() and mail() is configured to use sendmail and have safe_mode turned off by default; an attacker must also know the absolute path of the webroot, Peraglie said. “All requirements are met by default,” RIPS chief security officer Hendrik Buchwald told Threatpost. “If you just install Roundcube you are vulnerable. You have to actively change the configuration to be not vulnerable.
So it is very common, there are probably tens to hundreds of thousands installations that meet these requirements.” The vulnerability happens because Roundcube fails to properly sanitize user input in the fifth parameter of PHP mail(). “This allows an attacker to modify the command line options of the program that is used to send emails,” Buchwald said. Peraglie explained in the report that an attacker may abuse the flaw to drop a malicious PHP file in the webroot directory of the web server. “To exploit this vulnerability the attacker needs an email account on the target system, because he has to write an email to trigger it.

Either he already has an account (e.g. organization, company, university, free email provider…) or he steals the login (e.g. dictionary attack, trojans…),” Buchwald said. “All that he has to do is to write an email and set a certain ‘from’ address.

This allows him to create arbitrary files on the target system.
If the attacker can create PHP files, he can execute system commands.

From there on he can reach other systems in the network, read emails ofeveryone else and the like.” Peraglie said that despite the vigilant community working to secure Roundcube (year-to-date there have been more than 221,000 downloads of Roundcube from Sourceforge), a fifth parameter vulnerability is fairly rare. “It is a rare vulnerability, because the fifth parameter of mail() is not used very often and as such there are not many known cases in widespread software where it is used wrongly,” Buchwald said.

Stolen passwords integrated into the ultimate dictionary attack

Humans still the weakest link Targeted password guessing turns out to be significantly easier than it should be, thanks to the online availability of personal information, leaked passwords associated with other accounts, and our tendency to incorporate personal data into our security codes. In a paper [PDF] presented at the ACM Conference of Communication and Systems Security (CCS) in late October, security researchers from China and the UK describe a system for targeted password guessing that finds that a sizable fraction of people's online passwords are vulnerable to attack. The researchers – Ding Wang, Zijian Zhang and Ping Wang from Peking University, Jeff Yan of Lancaster University, and Xinyi Huang from Fujian Normal University – claim that this threat is significantly underestimated. Using a targeted password-guessing framework named TarGuess, the researchers achieved success rates as high as 73 per cent with just 100 guesses against typical users, and as high as 32 per cent against security-savvy users. The researchers used ten large real-world password datasets that have been exposed online, five from English sites, including Yahoo, and five from Chinese sites, including Dodonew. "Our results suggest that the currently used security mechanisms would be largely ineffective against the targeted online guessing threat, and this threat has already become much more damaging than expected," the researchers state in their paper. "We believe that the new algorithms and knowledge of effectiveness of targeted guessing models can shed light on both existing password practice and future password research." More or less everyone in the computer security industry and many internet users are aware that passwords offer inadequate security when poorly constructed.

As the report notes, between 0.79 per cent and 10.44 per cent of user-chosen passwords, depending on the sample breach data set, can be guessed using the ten most popular passwords, a list that includes perennial favorites "12345" and "password." Low-hanging fruit aside, the researchers note that a small percentage of people use their personal information in their passwords.

Between 0.75 per cent and 1.87 per cent of individuals use their full names as their passwords, for instance.

Among users in China, where numbers are commonly used in passwords, between 1 per cent and 5.16 per cent use their birthdays as passwords.

Email addresses and usernames also get used. What's more, people often reuse passwords, in whole or in part.

And thanks to security breaches that have resulted in the exposure of personal information for hundreds of millions of online accounts, this research shows that it's sometimes possible to use publicly accessible data about an individual, from hacked accounts or otherwise, to gain access to other accounts used by that person. The researcher's TarGuess algorithms – they made four of them – proved most successful when "sister" passwords – passwords for another account owned by the target – were known.

But even when sister passwords were not available, they still achieved success rates ranging from 20% with 100 guesses to 50% with 106 guesses. The researchers achieved higher success rates when more user information was available to them: They were able to guess the passwords of users of Chinese train ticketing site 12306 about 20 per cent of the time when they knew users' email addresses, account names, birthdays, phone numbers, and national identity numbers.

The success rate dropped to about 6 per cent when only users' names were known. "This suggests that the majority of normal users' passwords are prone to a small number of targeted online guesses," the researchers said, noting that this invalidates 2016 NIST guidance that service providers should limit the number of consecutive failed login attempts to 100 each month. The findings underscore the need for education about how to create strong passwords, and about tools like password managers that allow people to maintain dozens of sufficiently long, complicated codes that have no common patterns. ® Sponsored: Customer Identity and Access Management

Samsung: Hackers can’t pwn our NFC payment kit. No way, nuh-uh,...

The South Koreans doth protest too much, methinks A war of words has broken out after a security researcher claimed last week that Samsung's contactless mobile payment system is vulnerable to skimming and spoofing attacks. In talks at both the Black Hat and DEF CON security conferences, held last week in Las Vegas, Salvador Mendoza claimed that he was able to intercept a Samsung Pay token transmitted over the air using a gizmo hidden under his shirt cuff. Wait, what's a Samsung Pay token? Well, the token comes in three parts. One is generated by the payment networks, it is associated with a credit or debit card, and it is stored on the Samsung smartphone.

The second part is a counter that increments on every transaction in an attempt to thwart replay attacks.

The final part is a message authentication code generated from the payment network-provided token, the counter and a secret key embedded in the phone's ARM-compatible processor; this authentication code is used to prove the token was sent from a Samsung device and wasn't tampered with over the air. When someone wants to make a payment, their handset sends the complete token over the air to a nearby payment terminal. Mendoza found that the authentication code algorithm outputs just three 0-9 digits. He claims a thief "could implement a guessing method, a brute force attack or a dictionary attack." In other words, you could sniff someone's token on the airwaves, fiddle with its bits to come up with a correct authentication code, and replay it later elsewhere to make purchases using the victim's account. Also, it may be possible to receive the token and then jam or block the transmission so that the terminal can't receive it.

At that point, you've got a live token that you can reuse later on. After the talks, Mendoza released a slide deck [PDF], a white paper [PDF] and a video showing how the hack would work. He also said that other contactless payment systems might be at risk. The presentations sparked a string of responses from Samsung.
Initially the tech giant said Mendoza had been mistaken in his research and that the hack wasn't possible. "Recent reports implying that Samsung Pay is flawed are simply not true," it said in a statement. "Samsung Pay uses a multi-layer security system that works in tandem with the security systems of our partners to detect any emerging threats." However, Mendoza defended his claims and reiterated that his hacking system was valid.
Samsung then amended the statement in its security blog. "Keeping payment information safe is a top priority for Samsung Pay which is why Samsung Pay is built with highly advanced security features," it said. "It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials or generate cryptograms." In an FAQ [PDF] attached to the statement, Sammy admitted that the skimming attack was possible, but only under a very peculiar set of "extremely unlikely" circumstances.

The attacker would need to be very close to the victim to skim the token and would have to block the transmission of the original message from the phone. "In summary, Samsung Pay's multiple layers of security make it extremely difficult to make a purchase by skimming a token," it said. As anyone with a hacking mindset would tell you, these "difficult" circumstances wouldn't be too hard to set up.

The easiest method would be using a false point-of-sale terminal that would be able to skim the token but would refuse to process it – allowing the attacker 24 hours to make another purchase before it expired. As for Samsung's claim that it is impossible to create new tokens that would work, Mendoza has now shot back with another video appearing to demonstrate just that.

By manipulating the token's contents he was able to buy a bottle of Pepsi from a hotel vending machine. Youtube Video We're still waiting for further comment from Samsung on this latest video.

The biz should maybe consider the disciple Peter's record on denials and make sure it's in the right this time. ® Sponsored: 2016 Cyberthreat defense report