Zero Day: Super cookies, Gogo Inflight fakes certs, Microsoft security notice paywall
Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending January 9, 2015. Covers enterprise, controversies, reports and more.
This week Microsoft put its advance security info behind a paywall, a Google engineer caught Gogo Inflight faking Google certs, HSTS "super cookies" showed that private browsing modes don't stop this kind of tracking, Sony hack attribution infighting got weird, and more.
- Big news: Microsoft's advance security notification service is no longer publicly available. Mary Jo Foley reports, "Microsoft is 'evolving' its Advance Notification Service in a way that will make its advance security update information available only to customers with paid Premier support contracts and organizations 'involved in its security programs.' The change means the Advance Notification Service (ANS) is no longer going to be publicly available."
- Gogo Inflight Wifi Service got caught intentionally issuing fake Google SSL certificates. Adrienne Porter Felt, an engineer on the Google Chrome security team, noticed while on a flight that requests for Google sites were being answered with certificates issued by Gogo rather than by Google's real certificate authority. Because Gogo's issuer is not trusted by browsers, Chrome flagged the certificate instead of silently accepting it, which is how the interception was spotted; the practical risk is to users who click through that warning, since a man-in-the-middle that substitutes certificates can read and alter everything in the session. Gogo said the substitution was a technique for throttling streaming video.
- "Super cookies" can be used to plant permanent trackers on people's PCs, tablets and smartphones. Researcher Sam Greenhalgh revealed, "Super cookies can be created by abusing the 'HTTP Strict Transport Security' (HSTS) security feature, which websites can use to tell browsers to enforce encryption, by using the HTTPS version of the site rather than the unprotected HTTP site." The trick works because a browser remembers, per host, that future requests must be upgraded to HTTPS: a tracker can set that flag on a handful of subdomains to encode an identifier, then read it back later by observing which plain-HTTP requests the browser upgrades. The super cookies aren't stopped by Chrome's incognito mode or by the private modes of Apple Safari, Mozilla Firefox and Opera (Microsoft's Internet Explorer is only protected because it doesn't support HSTS at all).
- The Moonpig vulnerability sounds cute, but it isn't. Online greeting card company Moonpig has been accused of ignoring, for over a year, a security issue that exposed the names, dates of birth, email and home addresses of the company's 3.6 million customers. So far the company has only disabled its mobile app "as a precaution".
- Android sees a 300 times increase in malware: according to Quick Heal's Annual Threat Report for 2014, 536 new malware families and a further 616 new variants targeting the Android platform were detected.
- A flaw discovered in Microsoft's Dynamics CRM could allow a remote attacker to trick a logged-in user into submitting malicious code through input fields on vulnerable sites, the classic cross-site scripting (XSS) pattern. Information security company High-Tech Bridge recently published a security advisory documenting the flaw.
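To make the super cookie item above concrete, here is an added example that is not code from the article or from Greenhalgh's demo. It models, in JavaScript, a browser's HSTS list together with a tracker's write and read-back steps. The tracker domain tracker.example, the per-bit subdomains b0 through b7 and the /set and /probe paths are assumptions for the illustration; the browser and the tracker's server are simulated in-process so the whole thing runs offline under Node.

```javascript
// Added example: a simulation of the HSTS "super cookie" technique.
// Not code from the article or from Greenhalgh's demo. The tracker domain
// tracker.example, the b<i>.tracker.example bit-hosts and the /set and /probe
// paths are assumptions; the browser and server are modelled in-process.

const ID_BITS = 8; // one subdomain per bit of the identifier

// Hypothetical tracker server. Over HTTPS, /set answers with an HSTS header,
// which pins that subdomain in the browser. /probe just reports the scheme the
// request arrived on (a real tracker would serve different image bytes or
// redirect targets for http vs https, which page script can then observe).
function trackerServer(scheme, host, path) {
  const headers = {};
  if (scheme === 'https' && path === '/set') {
    headers['strict-transport-security'] = 'max-age=31536000';
  }
  return { scheme, host, headers };
}

// The browser's HSTS list: hosts that must always be fetched over HTTPS.
class HstsStore {
  constructor() { this.hosts = new Set(); }
  remember(host, scheme, headers) {
    // The header is only honoured on an HTTPS response (RFC 6797, section 8.1).
    if (scheme === 'https' && headers['strict-transport-security']) this.hosts.add(host);
  }
  shouldUpgrade(host) { return this.hosts.has(host); }
  clear() { this.hosts.clear(); }
}

// A browser with one persistent HSTS list. Private-mode requests still consult
// the normal profile's list (the behaviour the article describes); for
// simplicity this model does not let them write to it.
class Browser {
  constructor() { this.store = new HstsStore(); }
  request(url, privateMode = false) {
    const u = new URL(url);
    let scheme = u.protocol.replace(':', '');
    if (this.store.shouldUpgrade(u.hostname)) scheme = 'https'; // upgrade before sending
    const resp = trackerServer(scheme, u.hostname, u.pathname);
    if (!privateMode) this.store.remember(u.hostname, scheme, resp.headers);
    return resp;
  }
}

const bitHost = (i) => `b${i}.tracker.example`;

// Write: for every 1 bit, load https://b<i>.tracker.example/set so the browser
// pins that subdomain. 0 bits are left unpinned.
function writeId(browser, id) {
  for (let i = 0; i < ID_BITS; i++) {
    if ((id >> i) & 1) browser.request(`https://${bitHost(i)}/set`);
  }
}

// Read: request every subdomain over plain http. Pinned ones are upgraded to
// https by the browser before the request leaves, so the scheme the server sees
// leaks the bit. Reading does not change the store, because an http response
// carries no HSTS header.
function readId(browser, privateMode = false) {
  let id = 0;
  for (let i = 0; i < ID_BITS; i++) {
    const resp = browser.request(`http://${bitHost(i)}/probe`, privateMode);
    if (resp.scheme === 'https') id |= 1 << i;
  }
  return id;
}

// Plant an ID in a normal window, read it back in normal and private windows,
// then show that only wiping the HSTS list removes it.
function demo(id = 0xa5) {
  const browser = new Browser();
  writeId(browser, id);
  const normal = readId(browser);
  const inPrivate = readId(browser, true);
  browser.store.clear();
  const afterClear = readId(browser);
  return { normal, inPrivate, afterClear };
}

console.log(demo()); // { normal: 165, inPrivate: 165, afterClear: 0 }
```

Two details the model glosses over matter in practice: the parent domain must not send includeSubDomains, or every bit-host would be pinned at once, and the page doing the read-back has to be loaded over plain HTTP so that the probe requests can start out unencrypted. On the defensive side, the only thing that actually removes the identifier in this model is clearing the HSTS list, which is why browsers bundle it with the rest of site data in their "clear browsing data" controls.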
The Sony hack gets emotional
This week's Sony hack drama began when Sony CEO Kazuo Hirai, speaking Monday night at the Consumer Electronics Show in Las Vegas, asked the audience, "How many of you went to see a great Sony movie this holiday?" "'Annie' is a fantastic movie, isn't it?" he quickly joked.
Hirai was referring to "The Interview", neatly sidestepping the fact that despite Sony and FBI claims that Sony was hacked specifically to prevent the showing of the film, Sony made it available across a number of online platforms and in roughly 580 independent movie theaters -- and absolutely nothing happened as a result.
Attribution this week became a sore spot for everyone -- everyone except Sony, anyway.
The FBI once again dug in with attribution to North Korea, with backup from the NSA and Mandiant, yet critics continued to ask pointed questions. The conversation became decidedly less adult with a little bit of passive aggressive name-calling from one of Mandiant's [apparently] more sensitive spokespeople.
FBI chief James Comey, speaking at an event Wednesday, said that the hackers who targeted Sony's networks used proxy servers in an attempt to disguise their identity, but "several times they got sloppy."
Marc Rogers, voicing the questions of many security researchers, pointed out that the FBI director's additional information may have been intended to put questions to bed but did exactly the opposite. Calling the complete statement "weak circumstantial evidence," Rogers, the Director of SecOps at DEF CON, said, "Is the FBI really saying that they don't know what the vector was, or are they just being coy? If they genuinely don't know what the vector was, then I have even more concerns."
"In sophisticated attacks, finding the responsible party can be next to impossible," writes Accuvant's Jeff Horne in Diversionary Tactics 101. "In reality, any 'mistakes' or 'oversights' that clearly point toward a specific party are rarely done by accident; they are intentionally added to point response teams in the wrong direction."
After the FBI's head honcho told us how he feels, on Thursday National Security Agency Director Admiral Michael Rogers expressed support for pointing the finger at North Korea. The NSA was asked to examine malware used in the Sony hack and played a supporting role in determining its origins, Rogers said.
Not surprisingly, Rogers also urged Congress to pass legislation that would encourage information sharing between private companies and the government on cyber threats -- which many fear may actually be where all this is headed.
FBI has finally admitted that NSA told them, and it's based on NSA SIGINT. So, that's basically that, then.
-- the grugq (@thegrugq) January 9, 2015
The Obama administration's extraordinary decision to point fingers at North Korea over the hacking of Sony Pictures Entertainment Inc. could lead to a courtroom spectacle in the event charges are ultimately filed against someone without ties to the isolated country, such as a disgruntled employee or an unrelated hacker.
Meanwhile, the pranks and hoaxes continued, fooling a few. Media unaccustomed to writing about infosec still struggled to understand even the very words they used, or, in some cases, came across as hacker groupies. Some came out with articles which did little to advance the conversation -- pitting the opinions of Mandiant and FBI believers against fans of infosec's NK-attribution critics.
Furthering the polarization have been the remarks and tweets of Mandiant/FireEye's strategist, Richard Bejtlich, who has taken to repeatedly referring to critics of North Korea attribution as anti-government "truthers", a smear that characterizes those asking questions as akin to 9/11's lunatic fringe.
Great scoop @janawinter. Furthermore, convincing SPE truthers, who wouldn't believe anyway, isn't worth exposing US intel sources & methods.
-- Richard Bejtlich (@taosecurity) January 7, 2015
No insult intended @Lerg. "Truther" is shorter than "those, based on beliefs & attitudes, highly unlikely to accept gov/IC/LE attribution."
-- Richard Bejtlich (@taosecurity) January 7, 2015
Tks @shaneharris for quoting me re: truthers. Your "2nd hack" hook reminds readers that orgs face constant intrusion. http://t.co/GUGCRWsSps
-- Richard Bejtlich (@taosecurity) January 7, 2015
"@verge: FBI Dir Comey: "We know who hacked Sony. It was the NKoreans." http://t.co/3wvxPd5Lcx pic.twitter.com/vVI5Dgfach" < truthers don't care
-- Richard Bejtlich (@taosecurity) January 7, 2015
Mr. Bejtlich didn't originate the term, but has latched onto it in a way that has caused distaste in wider (and respected) professional infosec circles -- and isn't winning the hearts or minds of critics in any way.
In complete Internet style, Bejtlich's insult has turned his perspective into a joke, ripe for ridicule.