Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

DNS Cache Poisoning Allows Website Account Takeovers

DNS cache poisoning has long been identified as a potential attack vector. The problem is this: DNS requests for name->address lookups contain a randomly-set ID field, and the client resolver or caching DNS that sends such a request will only accept a reply that contains the matching ID. But with only a 16-bit ID field, this is vulnerable to a birthday paradox attack - by triggering lots of such requests, and jamming in spoofed replies with his chosen IP address, the attacker can eventually (and surprisingly quickly) insert the address he wants to send victims to as part of a pharming or other attack.

The fix for this is to add more randomness by randomizing the UDP (or TCP, for large queries) port that sends the request and expects the reply; this will give roughly a 60,000-fold increase in the difficulty of this attack. Other mitigations include using DNSSEC, or running DNS over TLS.

However, by using a clever trick of getting web servers to send email confirmations for account sign-ups, researchers at SEC Consult have been able to profile several thousand domains, and discovered that a significant proportion of web servers have not implemented these controls and remain vulnerable to cache poisoning. They have gone on to develop a proof-of-concept attack that will inject a fake MX (mail exchanger) record into a caching DNS or resolver, allowing a password reset email to be sent to the attacker, leading to account takeover. Although they have used this to achieve the full takeover of fully patched WordPress instances, the same technique could be applied to most web servers and sites.

Longin, Timo and Clemens Stockenreitner, Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style, blog post, 6 October 2022. Available online at https://sec-consult.com/blog/detail/melting-the-dns-iceberg-taking-over-your-infrastructure-kaminsky-style/.

BazarCall Evolves, Ramps Up Attacks

The BazarCall spin-off of the Conti ransomare gang, which we first mentioned in Security News: 2022-08-12, is ramping up its attacks around the world and evolving new social engineering tactics. The basic tactic starts with a fake email containing an invoice with a unique number, together with a phone number which the recipient can call to cancel a renewal or otherwise dispute the transaction.

Now, researchers at Trellix have captured samples of BazarCall emails and called the phone numbers to learn their tactics and their scripts - of which there are now many. The initial emails now impersonate many brands such as Geek Squad, Norton, McAfee and others. A common tactic to all the phone scripts that follow is that the scammers ask for the unique invoice number and use it to look up the victim's email address, along with their name, address, the amount of the supposed invoice, etc. This all makes the scammer sound like an authentic customer service agent.

From there, the scripts diverge; but in general, the scammer will alarm the victim into thinking their account has been compromised, possibly through some kind of malware that has infected their computer. From there, the script begins to resemble a classic tech support scam call; the scammer will convince the victim to download a trojan dropper which will, in turn, download either remote access software or some other malware which gives persistent access and allows credential stealing, or perhaps ransomware.

Kapur, Daksh, Evolution of BazarCall Social Engineering Tactics, blog post, 6 October 2022. Available online at https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html.

Microsoft (Optionally) Locks Out Admin Accounts

One of the classic attacks on Windows machines is brute forcing local admin accounts, using protocols like RDP (Remote Desktop Protocol). I suspect some readers weren't even born in the heyday of tsgrind and similar tools, which worked because Windows did not support account lockouts on admin accounts.

All this changes today. As of the 11 October 2022 or later cumulative updates, Microsoft has implemented account lockouts. The policy can be found in the registry under

Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies

The policy is not enabled by default on existing installs, and Microsoft recommends also setting the related policies to 10/10/10 - that is, 10 failed login attempts within 10 minutes will cause a 10-minute lockout. However, the policy will be enabled by default on new system installs.

Colour me sceptical; the original reason for leaving admin accounts out of lockout policies was that an attacker could implement a very effective DoS attack by simply trying a few logons and locking the legitimate admin - possibly the main user account with admin privileges - out of his own machine, and it will be interesting to see how many threat actors pick up on this technique.

Microsoft claims brute force attacks are "becoming trivial with modern CPUs/GPUs", although in practice the limiting factor is network latency, and compute power is really only relevant to offline attacks such as dictionary and Rainbow Tables attacks

In other dubious moves, Microsoft is now enforcing password complexity on new machines if a local administrator account is used, requiring at least three of the four basic character types (lower case, upper case, numbers and symbols). I thought we had abandoned password superstitions like these - in fact, NIST SP 800-63B advises against them. Still, it's good to see Not Invented Here syndrome is still rampant in Redmond.

Uncredited, KB5020282 - Account lockout available for local administrators, web page, 11 October 2022. Available online at https://support.microsoft.com/en-us/topic/kb5020282-account-lockout-available-for-local-administrators-bce45c4d-f28d-43ad-b6fe-70156cb2dc00.

Google Ups Gmail, Android, Chrome Security

At its annual Next conference, Google has announced that it will extend client-side encryption to more Enterprise and Education plans. This will provide end-to-end encryption for email users, but details are sparse, and it is not clear what protocols will be supported (OpenPGP?S/MIME?) and whether other email clients will be supported. However, enterprise customers will be able to control the keys.

In another security-related announcement, the company has added support for FIDO/W3C passkeys to both Android and Chrome, making the feature available to developers immediately via the Google Play Services beta and Chrome Canary. On Android, passkeys will allow users to sign into a website by simply confirming which account they want to use and then presenting their fingerprint, face image or screen unlock pattern/PIN when prompted. The phone passkey can also be used to sign into a website on a nearby computer. This will include cross-platform support, since passkeys are also supported by Apple and Microsoft.

Finally, Intel and Google have launched a new chip called an E2000 Infrastructure Processing Unit (also codenamed 'Mount Evans'), which offloads some network protocol processing and I/O and also improves the separation of virtual machines in cloud servers. The chip will be sold to other companies, but Google are already using it in a new class of VM's they call 'C3'.

Khalili, Joel, Gmail is getting the security upgrade it's always needed, TechRadar Pro, 12 October 2022. Available online at https://www.techradar.com/news/gmail-is-getting-the-security-upgrade-its-always-needed.

Lee, Jane Lanhee, Intel and Google Cloud launch new chip to improve data center performance, Reuters, 11 October 2022. Available online at https://www.reuters.com/technology/intel-google-cloud-launch-new-chip-improve-data-center-performance-2022-10-11/.

Mehta, Nirav, The next wave of Google Cloud infrastructure innovation: New C3 VM and Hyperdisk, Google Cloud blog, 11 October 2022. Available online at https://cloud.google.com/blog/products/compute/introducing-c3-machines-with-googles-custom-intel-ipu.

Zavala, Diego, et. al., Bringing passkeys to Android & Chrome, Android Developers Blog, 12 October 2022. Available online at https://android-developers.googleblog.com/2022/10/bringing-passkeys-to-android-and-chrome.html.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.