Developers Club geek daily blog

2 years, 9 months ago
Security Week 01: Ransomware in JavaScript, $100k for an Adobe Flash bug, the encrypted bright future

The Chaos Communication Congress conference was an important event at the end of December. Materials from it can be found under the keyword 32c3, where 32 is the sequence number of the event, counting since 1984. There was a lot of interesting research presented in Hamburg. For example, the experts Felix Domke and Daniel Lange described the technical side of "dieselgate" in detail, including how the control systems of modern cars work. And here you can look at a monumental 110-page presentation about vulnerabilities in railway systems and conclude that IT in trains is applied widely, extensively, differently everywhere, and frequently using off-the-shelf software (Windows XP) or standard wireless protocols (GSM) whose shortcomings from a security point of view are widely known and actively exploited (fortunately, so far in other places).

And here is news (the presentation and a link to the research paper are inside) that unique features of a programming style carry over even into compiled code. Although this subject is rather narrowly specialized, I see something bigger in it: perhaps in the near future the picture on the right will finally lose its relevance. Not because everyone will be watching everyone, but thanks to behavioural analysis: a user can be identified by how they interact with a website, an application or something else, just as a programmer can be identified by how they write code. By the way, just yesterday Apple bought a startup specializing in the analysis of human emotions. In general, 2016 is starting out interestingly. And we continue our observation. The previous episodes are available here.

Ransomware in JavaScript with an affiliate program, potentially cross-platform architecture, preferans and poetesses
News. Research.

This news clearly does not belong to the "we are all going to die" category: well, a new piece of ransomware appeared, well, with somewhat non-standard packaging. The affiliate program is not news either. The only interesting point is the use of JavaScript and the NW.js runtime, which allows code to run not in a browser sandbox but with system privileges. A side effect of this approach is the large size of the Trojan, 22 megabytes, since it bundles the Chromium browser and other entirely legitimate utilities. Researchers at Emsisoft analysed the code in detail but never mentioned the attack vectors. However, given the division of labor now accepted among the toilers of cybercrime, "infection" may well be handled by entirely different people.


Such a non-standard approach can be compared to downloading and installing Microsoft Office in order to exploit a vulnerability in it: in general, not the most efficient method. But the features of the affiliate program organized by the Trojan's authors are interesting. For 25% of the revenue, those who have decided to take the slippery path of cyber-extortion (a Bitcoin wallet is the only thing required at registration) are given a configured Trojan in which they can even set the ransom amount themselves. Results are tracked in a console (naturally, via Tor). Well, an interesting example of c2c business: criminal-to-criminal. More details about it (using Brazil as an example) are here.


And here is what the user sees as a result. Everything after that is as usual: the ransom demand, an increase of the rate after a certain time, the opportunity to decrypt one file as a test, and this whole process is automated. As usually happens, decrypting the files by exploiting weaknesses in the algorithm will not work: each document is encrypted with its own key. Only seizure of the command server by law enforcement agencies, with subsequent analysis of its contents, as happened in the CoinVault case, would help.

Zerodium pays up to $100,000 for an Adobe Flash exploit

We have already written about Zerodium: last year it announced a record $3 million bounty for an effective iOS exploit. The keyword here is effective, meaning one that allows the device to be compromised remotely, without involving the owner through any kind of social engineering. In November the company announced that a winner (one of the expected three) had been found, but what exactly was found we will not learn, because of the specifics of this broker. The company resells the discovered holes, which is dubious from every angle, to government institutions for conducting the corresponding kind of operational activity.

Zerodium's willingness to pay out a decent sum is caused by changes in the Adobe Flash code. On December 21 Adobe announced the implementation of heap isolation technology, which in turn made some use-after-free attacks impossible. In other words, Flash (if you updated it, of course) became much safer. The background of this innovation is interesting: in its blog Adobe speaks of implementing the new measure thanks to cooperation and exchange of experience with Microsoft and Google Project Zero (the latter group had earlier submitted recommendations on improving Flash security). An interesting and positive example of cooperation between experts from different companies.


And, apparently, effective enough that the "dark side" decided to fork out. By the way, last summer Adobe announced its own bug bounty program, which, however, does not offer cash payouts. And the typical payouts that vendors promise researchers almost never reach the six-figure sums announced by Zerodium and similar companies. Another difference between them is that the process of finding and publishing bugs on the side of good is usually open and transparent, while what Zerodium pays, how, and to whom is not known. The actual sums may well be lower. So, introducing financial interest into the bug-hunting process changes nothing: the researcher still has to settle the questions on the, so to speak, ethical-criminal plane for themselves.

The father (and mother) of modern cryptography announced the completely anonymous PrivaTegrity system. With a built-in backdoor.

David Chaum is a theorist, famous in narrow circles, in the fields of data encryption, network anonymity and electronic currencies. A well-known and respected member of the community, he worked on the subject of information protection in networks when the network did not yet exist: one of his main works on preserving anonymity in mail correspondence was published (PDF) in 1981. On January 6 an article appeared in Wired about Chaum's new development, the PrivaTegrity system. The system allows communicating over a network completely anonymously, more efficiently and more securely than in the existing Tor and I2P networks. Technical details were not disclosed (they are not on Chaum's website either), but for a heated debate in the community they were not needed anyway.

A distinctive feature of the system is an algorithm that allows one of the participants to be de-anonymized. According to Chaum, giving a single organization or state control over communications is really unsafe, and distributing the responsibility among nine "administrators" can solve the problem. This council of nine can expose a potential malefactor only by unanimous decision (presumably it is assumed that the council members will be able to agree only in the case of some obvious crime). Anyway, it means that the super-protected (let us assume) system has a backdoor by default. Observers were quick to stomp on this disputable part of the project. For example, like this:


Or like this:


Chaum's initiative is thus an attempt to reach a compromise between the desire of ordinary users to remain anonymous and the desire of law enforcement agencies (and society in general) not to give criminals, terrorists and other declassed elements an impregnable communication channel. The opponents' opinion: any vulnerability deliberately built into an algorithm will sooner or later be exploited. It is impossible to give access to one party and hope that nobody else will obtain it. Chaum was even accused of political connivance with state structures (see Christopher Soghoian's quote above): while most cryptographers try to prove to the state that backdoors are bad, one of the pillar theorists hands the state a strong argument in favor.
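To make the "only by unanimous decision" idea concrete, here is an added illustration (not code from the original post, and not PrivaTegrity's undisclosed mechanism) using a plain n-of-n XOR split: any eight of nine shares are indistinguishable from noise, but once all nine are gathered the reconstructed identity exists, which is exactly the opponents' point. The sender identity and administrator count are constructed sample values.

```python
import secrets

# Added illustration of an "all n administrators must agree" release rule using an
# n-of-n XOR secret split. This is NOT PrivaTegrity's mechanism (Chaum published no
# details); it only shows what unanimous control does and does not guarantee.

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_unanimous(secret: bytes, n: int) -> list[bytes]:
    """Split `secret` into n shares. All n are needed; any n-1 are uniformly random."""
    if n < 2:
        raise ValueError("need at least two administrators")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last = xor_bytes(last, s)      # last share = secret XOR all random shares
    shares.append(last)
    return shares

def reconstruct(shares: list[bytes]) -> bytes:
    """XOR all supplied shares together; correct only when every share is present."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out

def deanonymize(shares: list[bytes], n_admins: int):
    """Council rule: refuse unless every administrator contributed a share.
    Note: this length check is policy enforced by whoever reconstructs; the
    cryptographic guarantee is only that fewer than n shares reveal nothing."""
    if len(shares) != n_admins:
        return None
    return reconstruct(shares)

# Constructed sample: the identity the council could choose to reveal.
SENDER_ID = b"constructed-user-id-0001"
N_ADMINS = 9

def demo():
    shares = split_unanimous(SENDER_ID, N_ADMINS)
    unanimous = deanonymize(shares, N_ADMINS)   # all nine agree: identity recovered
    eight_only = reconstruct(shares[:-1])       # one holdout: output looks random
    return unanimous, eight_only
```

Whoever ends up holding all nine shares (by agreement, coercion or compromise of the administrators) holds the backdoor; the split limits who can open it, not whether it exists.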


It would be interesting to look at the technical details of the system (if they are ever released after such a "warm welcome"). Meanwhile, on Chaum's website one can contemplate a fine picture: some 25 experts who wished to remain anonymous allegedly approved the concept. In general, an interesting metamorphosis continues to happen to cryptography: while remaining a purely technical subject, it is acquiring considerable political weight. And in the future the security of our data will perhaps be determined not by technology (with that, with or without Chaum, everything is fine), but by how the state, society, in short all interested parties, come to agree among themselves.

What else happened:
An interesting vulnerability in the Blackphone secured smartphone: it is possible to gain access to data through the communication module, which, as we know, in any phone has the highest priority, represents a state within a state and contains who knows what.

A vulnerability was found in Comcast's home alarm system in the States. The signal from the intrusion sensors (2.4 GHz) was very easy to suppress, with a jammer or (naturally!) foil hats, and the system reacts to such actions slowly or not at all. A quote from a Comcast representative: "Our alarm system uses the same advanced, industry-standard technologies as other providers of similar solutions." Uh-huh.

The Netherlands does not approve of backdoors in encryption systems. And not just anybody, but the Minister of Justice!

A bug was found in Cisco's XMPP client that can be used for a MITM attack. The cause: it is possible to force the client to transmit data in cleartext rather than within a TLS-protected session.

Antiquities:

Resident; infects COM and EXE files and the hard disk MBR. Files are infected in the standard way. The MBR is infected when an infected file is run; the rest of the virus and the original MBR sector are stored starting at address 0/0/2 (track/head/sector).

It becomes memory-resident when booting from an infected disk. After that the virus infects only files. Hooks int 21h; contains the strings "Anthrax" and "Damage, Inc".

Quoted from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 105.

Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. As luck would have it.

This article is a translation of the original post at