Incident Response Case Study: Bitly Account Compromise

The Bitly team has issued an important update for Bitly account users. The Bitly team has strong reasons to believe that Bitly account credentials may have been compromised; however, they have no indication at this time that any user’s account has been accessed without permission.
Whenever a service provider suspects an account-compromise incident, it is better to take precautions. To play safe, the Bitly team proactively disconnected any connections users had made with Facebook and Twitter for publishing posts through shortened bit.ly or bitly.com links. One can safely reconnect these accounts at the next login.
If a user logs in to their Bitly account and sees that their Facebook and Twitter accounts are still connected to it, the following information is important for them:
“Those accounts are connected, but the Bitly team has disconnected the rights to publish to them. To start republishing and to ensure the security of your Bitly account, you must do the following:
  1. Go to Your Settings Profile tab and reset your password.
  2. Go to Your Settings Connected Accounts tab to disconnect and reconnect any Twitter or Facebook accounts. If you have any connected applications, disconnect and reconnect through the third-party application.
  3. Go to Your Settings Advanced tab to reset your API key. If you are a developer using your API key, copy the new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.”
The Bitly team has already taken proactive measures to secure all paths that led to the compromise and to protect all account credentials going forward. Companies rarely provide insight into how a compromise happened, so the way the Bitly team is handling it is an interesting step to watch, and one to learn from about how to perform incident response.

In one of its blog posts, the Bitly team shares the following insights:
“On May 8, the Bitly security team learned of the potential compromise of Bitly user credentials from the security team of another technology company. We immediately began operating under the assumption that we had a breach and started the search for all possible compromise vectors. Over the course of the next few hours, the Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers. They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly. At this point, it was clear that the best path forward was to assume the user database was compromised and immediately initiate our response plan, which included steps to protect our user’s connected Facebook and Twitter accounts.
We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account. We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.”

The way the Bitly team initiated its security assessment and then launched proactive measures suggests that it has a robust, documented approach to incident handling and incident response in case of a cyber security breach. The way the Bitly security team worked and shared its insight is commendable.

Some of the security measures implemented since the Bitly team received the breach information are:
  1. Invalidated all Twitter and Facebook credentials.
  2. Rotated all credentials for their offsite storage systems.
  3. Enabled detailed logging on their offsite storage systems. 
  4. Rotated all SSL certificates.
  5. Reset credentials used for code deployment.
  6. GPG encryption of all sensitive credentials.
  7. Enforced two-factor authentication on all 3rd party services company-wide.
  8. Accelerated development of our work to support two-factor authentication for Bitly.com
  9. Accelerated development for email confirmation of password changes.
  10. Added additional audit details to user security pages. This can be seen from the Security tab. This provides all the detailed logging e.g., the IP address of the last login, revoking shared account, adding shared account etc. alongwith the approximation in hours of the actions taken (say, 5 hours ago, 8 hours ago, …).
  11. Updated iPhone App to support updated OAuth tokens.

The interesting part is that they had stored the passwords salted and hashed. Generally, larger organizations claim that they stored the passwords salted and hashed, but later, when the hackers expose the stolen information on the Internet, it turns out that the credentials were instead stored in plain text. The case that comes to mind is the Microsoft India Store account hack. There too, Microsoft India informed all Microsoft India Store users that the passwords were encrypted and hence there was no loss of data; but when the hacker published the details in a public forum along with screenshots of the database, it was observed that the users’ credentials (e.g., passwords, credit card numbers etc.) were stored in plain text. Hence, it remains to be seen whether Bitly really stored the passwords salted and hashed or not.
According to the Bitly team’s blog, if someone registered, logged in or changed their password after January 8th, 2014, the password was hashed with BCrypt and HMAC (Hash-based Message Authentication Code) using a unique salt. However, if someone had not logged in since 8th January, 2014, their password was still hashed with MD5 – a big security risk!!
 
According to TechTarget article titled “MD5 Security: Time to migrate to SHA-1 hash algorithm?” dated May 2010:
 
“…hash algorithms create a short, fixed-length hash value to represent data of any size, it means that there are far more possible input values than there are unique hash values. This means there have to be multiple input values that will produce the same hash value. This is known as a collision and for a hash function to be deemed cryptographically secure and collision resistant, it has to be hard to find two inputs that hash to the same output. In March 2005, two researchers created two X.509 digital certificates with different public keys but with the same MD5 hash; since then various methods have been published that can find an MD5 collision in under a minute. This is why MD5 is considered cryptographically broken and is being replaced by the SHA-2 family of hash functions.”

 
Hence, MD5 is certainly not suitable for security-sensitive applications and services. Anyone with a bitly.com account is therefore encouraged to log in immediately and change their password, so that the risk arising from MD5 hashing is eliminated.
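To make the two storage formats and the “upgrade on next login” behaviour concrete, here is an added example (my own code, not Bitly’s implementation, whose details are not public). It assumes a user store that holds either a legacy unsalted MD5 record or a modern record built as HMAC(server-side key, password) followed by a slow, per-user-salted KDF. PBKDF2-HMAC-SHA256 from the Python standard library stands in for BCrypt so the example runs without extra packages; the HMAC key (“pepper”) and the user store are constructed values.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumption: a server-side HMAC key ("pepper") kept outside the user database,
# e.g. in the application's secret store. Constructed value for this example.
PEPPER = b"constructed-server-side-hmac-key"
PBKDF2_ROUNDS = 100_000


def legacy_md5(password: str) -> str:
    """Unsalted MD5: the legacy record format the post describes for idle accounts."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """HMAC(pepper, password), then a slow KDF with a unique salt per record.

    The post names BCrypt + HMAC; PBKDF2-HMAC-SHA256 (standard library) stands
    in for bcrypt here so the example needs no third-party package.
    """
    if salt is None:
        salt = os.urandom(16)
    pre = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", pre, salt, PBKDF2_ROUNDS)
    return "pbkdf2$" + salt.hex() + "$" + dk.hex()


def is_legacy(stored: str) -> bool:
    return stored.startswith("md5$")


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    parts = stored.split("$")
    if parts[0] == "md5":
        candidate = legacy_md5(password)
    elif parts[0] == "pbkdf2" and len(parts) == 3:
        candidate = modern_hash(password, bytes.fromhex(parts[1]))
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def login(store: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate and, on success, silently replace an MD5 record with a modern one."""
    stored = store.get(user)
    if stored is None or not verify(password, stored):
        return False
    if is_legacy(stored):
        store[user] = modern_hash(password)
    return True


def legacy_accounts(store: Dict[str, str]) -> List[str]:
    """Accounts still on MD5: the set that needs a login (or a forced reset)."""
    return sorted(u for u, rec in store.items() if is_legacy(rec))


if __name__ == "__main__":
    # Constructed user store: two idle accounts on MD5, one already migrated.
    store = {
        "alice": legacy_md5("correct horse"),
        "bob": legacy_md5("correct horse"),
        "carol": modern_hash("another one"),
    }
    # Unsalted MD5 leaks password reuse: identical passwords give identical records.
    print("alice == bob (md5):", store["alice"] == store["bob"])
    print("legacy before:", legacy_accounts(store))
    login(store, "alice", "correct horse")
    print("legacy after alice logs in:", legacy_accounts(store))
    # Salted records differ even for the same password.
    print("alice == bob (after upgrade):", store["alice"] == store["bob"])
```

The point the demo makes is the one the post is driving at: an unsalted MD5 table reveals which users share a password and can be attacked with a single precomputed table, whereas the salted records cannot be compared with each other at all, and the HMAC key means a stolen table is useless without the server-side secret. The `legacy_accounts` list is what an operator would use to decide whom to force through a password reset instead of waiting for a login.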
 
Read more about BCrypt from here (Wikipedia), and HMAC from here (Wikipedia) and here (RFC 2104 from IETF).

 

 
 


Neelabh Rai
Cyber Entrepreneur
Independent Cyber Security Researcher
CYBER COPS India
www.cybercops.in

“Protect your software from Piracy, IT Systems from Sabotage by using ‘patented’ Validy Technology”

Cyber Security Roadmap / Strategy (draft version 1.0.0)

This is an attempt by Neelabh Rai to create a cyber security roadmap / strategy that can be implemented by any organization, country or corporate body. Its finer details are still under development and will hopefully be completed as early as possible. The roadmap was created single-handedly by Neelabh Rai.

Since CYBER COPS India is a knowledge-sharing platform for cyber security researchers, practitioners and experts, this document is made available as copyleft to all esteemed readers and viewers.


Kindly have a look at the document titled “Cyber Security Roadmap / Strategy (draft version 1.0.0)” here:

http://www.cybercops.in/cyber-security-roadmap_pwp-neelabhrai-cybercopsindia.pdf

Your comments are welcome. Please feel free to comment via the Contact Me webpage.

PS: 

  1. This cyber security roadmap is available to the public as a copyleft with a disclaimer policy. For the disclaimer policy details, kindly visit Cyber Security Framework / Strategy Disclaimer Policy.
  2. This was created in leisure/free time (i.e., when I am not employed anywhere) only so that my employers cannot claim their copyright on it.



Browser Forensic Tool (BFT) – A Benign Tool or Malign Tool??

Someone referred me to the UNREMOTE link, where an interesting article was posted about a tool named “Browser Forensic Tool (BFT)”. The link is given below:

About BFT:

According to the link above, BFT is software that searches all kinds of browser history (even archived) in a few seconds. It retrieves the URLs and titles of all entries matching the chosen keywords. One can use the default example profiles or create a new one for a thematic search.

Since I had never heard of anything like this before, it was obvious for me to take BFT for a test ride and find out whether it is worth using or not.

Additionally, the publisher’s entry on the BrotherSoft website gives the following comment on BFT:

You want to search very quickly in the History of all common browsers
even archived ones by keywords list (manageable)?

This software is made for you, for companies, anti cyber criminal companies,
in particular this software will simplify your life and save hours of manual researching.
You can download Browser Forensic Tool 1.0 for free now.

Hence, I installed it in a virtual machine running Microsoft Windows 7 Professional with all the necessary security tools installed, viz. anti-virus, an intrusion detection system (IDS), Wireshark etc.

First, the given download link installs the file described below:


File Name: BrowserForensicTool_downloader_by_BrowserForensicTool.exe
CRC32: 461b63c5
MD5: 0e409b01ef99c9e6d65bdbb94d9e5592
SHA-1: b85f13c7255a6d52597860fd51a14b499729d583
File Size: 154.5 KB


The icon used by the above installer is: 

When the file’s properties were checked, the following information was observed:
It was interesting to find that this tool also carries a digital signature signed by COMODO:

After executing the file with a double click, it drops another executable named “BetterInstaller.exe”. This file is silently extracted to the following directory path:

C:\Users\<username>\AppData\Local\Temp\Dir

The Icon Image of the application is:

Further information about Better Installer is given below:

File Name: BetterInstaller.exe
CRC32: 65f69cd7
MD5: d79b88bab3231ebebd3c6505ab68ce56
SHA-1: 3222e8dab740ba1d640cc66a9cd36070969deb80
Size: 207 KB
File Properties:



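The two hash listings above (CRC32, MD5, SHA-1, size) are exactly what a defender records when triaging a download, so here is an added example of that triage step. It is my own code, not part of the original post or of any tool it discusses: it computes the same digests for a file or byte string, checks them against a small indicator list built from the MD5 and SHA-1 values quoted in this post, and optionally compares the SHA-256 against a value the publisher has announced. The sample “installer” bytes and the expected-hash parameter are constructed for the example.

```python
import hashlib
import hmac
import zlib
from typing import Dict, Iterable, Optional

# Indicators taken from the post: MD5 and SHA-1 digests of the two files it examined.
KNOWN_BAD: Dict[str, str] = {
    "0e409b01ef99c9e6d65bdbb94d9e5592": "BrowserForensicTool_downloader_by_BrowserForensicTool.exe",
    "b85f13c7255a6d52597860fd51a14b499729d583": "BrowserForensicTool_downloader_by_BrowserForensicTool.exe",
    "d79b88bab3231ebebd3c6505ab68ce56": "BetterInstaller.exe",
    "3222e8dab740ba1d640cc66a9cd36070969deb80": "BetterInstaller.exe",
}

# Constructed stand-in for a downloaded installer (a fake MZ header plus filler);
# it is not the real file from the post.
SAMPLE_DOWNLOAD = b"MZ\x90\x00" + b"constructed installer body\n" * 64


def fingerprint_blocks(blocks: Iterable[bytes]) -> Dict[str, str]:
    """Digest a stream of byte blocks so large installers never have to sit in memory whole."""
    crc, size = 0, 0
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for block in blocks:
        crc = zlib.crc32(block, crc)          # chained CRC32, like the post's CRC32 column
        for h in (md5, sha1, sha256):
            h.update(block)
        size += len(block)
    return {
        "crc32": f"{crc & 0xFFFFFFFF:08x}",
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
        "size": f"{size / 1024:.1f} KB",      # the post's listing format, e.g. "154.5 KB"
    }


def fingerprint(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory byte string."""
    return fingerprint_blocks([data])


def fingerprint_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Digests of a file on disk, read in 1 MiB chunks."""
    with open(path, "rb") as fh:
        return fingerprint_blocks(iter(lambda: fh.read(chunk), b""))


def match_known_bad(fp: Dict[str, str], blocklist: Dict[str, str] = KNOWN_BAD) -> Optional[str]:
    """Return the indicator name if the MD5 or SHA-1 is on the blocklist, else None."""
    for key in ("md5", "sha1"):
        name = blocklist.get(fp.get(key, ""))
        if name:
            return name
    return None


def triage(data: bytes, expected_sha256: Optional[str] = None,
           blocklist: Dict[str, str] = KNOWN_BAD) -> str:
    """Decide what to do with a download: block on an indicator hit or a hash mismatch,
    otherwise hand it to manual review (signature, version info, network behaviour)."""
    fp = fingerprint(data)
    hit = match_known_bad(fp, blocklist)
    if hit:
        return f"BLOCK: matches known-bad {hit}"
    # expected_sha256 is an assumed input: the value a publisher posts next to the download.
    if expected_sha256 and not hmac.compare_digest(fp["sha256"], expected_sha256):
        return "BLOCK: SHA-256 does not match the publisher's value"
    return "REVIEW: no indicator hit; inspect signature, version info and network behaviour"


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_DOWNLOAD)
    for key in ("crc32", "md5", "sha1", "sha256", "size"):
        print(f"{key.upper():7s} {fp[key]}")
    print(triage(SAMPLE_DOWNLOAD))
```

A clean indicator list is only as good as its source: a digest from a public analysis page, as in this post, identifies one specific build, so a repackaged installer with a different hash sails past `match_known_bad`. That is why `triage` never returns “allow”: a file with no hit still goes to the checks the post performs by hand (signature, version resource, what the process connects to).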
Once the user runs the above installer, it shows that it is preparing the Browser Forensic Tool (BFT) to initiate the process.

Since endpoint protection was installed in the virtual machine, the following message was displayed:

As can be seen from the above image, it was trying to connect to installer.filebulldog.com at remote IP address 78.138.98.55, which is located in Germany and assigned to MESH GmbH. The IP address route map is given below:

I tried to connect to this IP via the above application numerous times, but the installation never continued. Instead, it always showed that the file was preparing BFT for installation.

From this point onwards, it was a matter of concern for me why, even with a 4 Mbps internet connection and other files still downloading from other websites, this file wasn’t able to download anything!
Something is suspicious and probably malicious in nature!! Probably it is connecting to the remote location, extracting the user’s data and transferring it to the above-mentioned IP address. Possessing a digital signature signalled a benign file, but the way it behaved suggested otherwise. Hence, it was decided to carry the cyber investigation further.

Further information about BetterInstaller.exe (its version resource) was obtained using the malware analysis tool IDA Pro:

1 VERSIONINFO
FILEVERSION 1,0,0,0
PRODUCTVERSION 1,0,0,0
FILEOS 0x4
FILETYPE 0x1
{
    BLOCK "StringFileInfo"
    {
        BLOCK "000004e4"
        {
            VALUE "CompanyName", "Somoto Ltd."
            VALUE "CompanyWebsite", "www.FileBulldog.com"
            VALUE "FileDescription", ""
            VALUE "FileVersion", "1.0"
            VALUE "LegalCopyright", ""
            VALUE "ProductName", "Better Installer"
            VALUE "ProductVersion", "1.0"
        }
    }

    BLOCK "VarFileInfo"
    {
        VALUE "Translation", 0x0000 0x04E4
    }
}

Information in XML format is:


The registry details obtained (an ATL registrar script) were:



HKCR
{
    NoRemove AppID
    {
        '%APPID%' = s 'BetterInstaller'
        'BetterInstaller.EXE'
        {
            val AppID = s '%APPID%'
        }
    }
}


Furthermore, it was found that on WOT (Web Of Trust) some users had reported it as malicious content and that it is blocked by ESET. A screenshot is attached for the same:

The comments and further information can be read from here: 

As the above comment shows a link to the scumware website, reaching it was more than sufficient to decide whether the Browser Forensic Tool is benign or malign. One can find this information at the given link:

The following snapshot was taken from the above website:

The above image clearly shows that it’s a Trojan. In addition, after performing malware analysis in my virtual machine, I found that it tries to inject an HTML script into the browser, which may read the cookies stored on the system.


By the way, Malwarebytes Anti-Malware installed in the virtual machine showed the following:


In a nutshell, this tool does nothing of what is stated on the BrotherSoft website. Hence, anything that sounds too good to be true must come under the radar of suspicion and should not be let through merely on the strength of what is written on a software download provider’s website. It can be deadly for your privacy, the integrity and confidentiality of critical data, as well as your computer system’s health.

Watch out before taking another step in cyberspace….

