Privacy Pies

A blog about security, privacy and open web

Security recap: 2017 in Review

Tags: security December 31, 2017

A brief recap of 2016: on the offensive side, attacks like HEIST, DROWN, Sweet32 and Dirty C0W got the media attention they deserved. On the defensive side, the design of Transport Layer Security (TLS) 1.3 was close to final, including the standardization of the elliptic curves Curve25519 and Curve448 (RFC 7748) to provide a high level of practical security.

However, 2017 is almost over and TLS 1.3 is still not enabled in browsers. There is no doubt that upgrading a security protocol across the Internet is hard: both servers and clients (browsers, in this case) have to adopt the change, and every box in between has to tolerate it. While many server vendors have taken the first step by implementing TLS 1.3, browser vendors are still lagging behind in enabling it by default. Although the browser vendors blame middleboxes, the real reason, says Nick Sullivan, Head of Cryptography at Cloudflare, Inc., is that the original design of TLS 1.3 was incompatible with the way the Internet has evolved over time: too many middleboxes break when they see a handshake that does not look like TLS 1.2, which is why later drafts were changed to resemble TLS 1.2 on the wire.

2016 in review, Nick’s blog post and middlebox test tool.

Fast-forward to 2017

Security breaches are a recurring column in most news media because they happen every year, and 2017 was no exception.

While some of them exposed previously unknown vulnerabilities or introduced new bugs, many of the rest simply reused well-known vulnerabilities on a different attack surface. The reasons range from poor threat models and analysis to incorrect implementations when bringing theoretical security into practice. Irrespective of the reason, public disclosure of security breaches helps us learn from the mistakes and build more secure systems.

Research: New vulnerabilities

1. SHAttered - (practical) collision of SHA-1: Cryptographic hashes are one of the backbones of modern information security, because many authentication mechanisms (e.g. digital signatures or message authentication codes) rely on them. A hash must satisfy several properties, of which collision resistance is the most fragile. In theory, the best attack on an ideal n-bit hash is a generic birthday search costing about 2^(n/2) evaluations (2^80 for SHA-1); in practice that bound is undercut every time hardware gets faster or a clever way of reducing the complexity is discovered. Ever since theoretical collision attacks on SHA-1 were published (2005, 2011), it has been deprecated. However, being one of the major hash algorithms, it is still used in many legacy systems, including up to 10% of credit card payment systems.

In February 2017, researchers from Google and CWI Amsterdam found the first practical collision (building on the earlier theoretical work), using about 2^63.1 SHA-1 computations on a large GPU cluster. Given the cost of such a collision (75-150K USD), it is out of reach for individual hackers unless they are part of a nation-state hacking operation. However, this breakthrough affects real-world applications such as code repositories (e.g. WebKit, SVN) and payment systems: two different files with the same SHA-1 look identical to any system that identifies content by that hash.

SHAttered and their paper.
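As an added illustration (not code from the original post or from the SHAttered authors), the generic birthday search below finds a collision on a truncated SHA-1 in a fraction of a second. The truncation to 32 bits is the only assumption that makes it fast: the same loop against the full 160-bit digest would need about 2^80 evaluations, the bound SHAttered undercut by a factor of roughly 2^17 with dedicated cryptanalysis rather than brute force.

```python
import hashlib
from itertools import count


def truncated_sha1(data: bytes, bits: int) -> int:
    """SHA-1 of `data`, keeping only the top `bits` bits of the digest
    (bits=160 returns the full digest as an integer)."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def birthday_collision(bits: int, prefix: bytes = b"msg-"):
    """Generic collision search (birthday attack) against the truncated hash:
    hash distinct messages and stop when two of them share a digest.  It
    treats the hash as a black box, so it works against any function, and
    needs about sqrt(pi/2 * 2**bits) evaluations on average.

    Returns (m1, m2, trials) with m1 != m2 and equal truncated digests."""
    seen = {}                      # truncated digest -> first message that produced it
    for i in count():
        msg = prefix + str(i).encode()
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


if __name__ == "__main__":
    m1, m2, trials = birthday_collision(32)    # about 2**16 SHA-1 calls expected
    print(f"{trials} SHA-1 calls: {m1!r} and {m2!r} collide on the top 32 bits")
    print("full 160-bit digests differ:",
          truncated_sha1(m1, 160) != truncated_sha1(m2, 160))
```

Doubling the truncation to 64 bits would already push the search to around 2^32 hashes, which is the point of the square-root bound: it is the hash's output size, not cleverness, that sets the generic cost, and SHAttered shows what happens once cleverness brings the real cost well below it.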

2. KRACK - pit in the WiFi: Although the WPA2 four-way handshake was formally analyzed and proven secure back in 2005, this flaw came as a surprise to the security community and became one of the most discussed attack disclosures of 2017. Since it is a flaw in the WiFi protocol itself (WPA2: IEEE 802.11i), it potentially affects any device that uses WiFi. WPA2 encrypts WiFi frames with a stream-like cipher (normally AES in CCM mode), which is secure only if a key is never used twice with the same nonce (initialization vector). In WPA2 the nonce is built from a packet number counter that starts at zero when a session key is installed and increments with every frame until it reaches its maximum, at which point the key must be renegotiated. Taken on its own this design is sound: the counter only moves forward and is never supposed to be reset.

However, there is a caveat! The session key is negotiated by a four-way handshake between the access point and the client, and KRACK exploits the way the handshake copes with lost messages. The attacker first obtains a man-in-the-middle position by cloning the access point on a different channel and luring the client onto it, so that every handshake message passes through him. He then withholds the client's fourth message (the acknowledgement), so the access point retransmits message 3. The client, which already installed the key after the first message 3, installs the same key again and in doing so resets its packet number counter (and replay counter) to zero, hence the name Key Reinstallation Attack (KRACK). Every frame the client now sends reuses a nonce, and therefore a keystream, that it has already used, so an attacker who knows or can guess one plaintext can decrypt the other (on some Linux and Android clients the bug even caused an all-zero key to be installed, making decryption trivial). If the client's traffic is protected by HTTPS, the man-in-the-middle position still gives the attacker the chance to strip the 's' from HTTPS with tools like sslstrip, unless the site is protected by HSTS.

KRACK Attack, their paper, and this blog post by Matthew Green.
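The following model of the key reinstallation, added here and not taken from the KRACK paper or any WiFi implementation, shows why resetting the packet number is fatal. AES-CCM is replaced by an HMAC-based keystream (an assumption, so that the example runs on the Python standard library), the frames and the session key are constructed, and the patched variant implements the fix that shipped in real supplicants: a key that is already in use is not reinstalled when message 3 is retransmitted, so the counter keeps running.

```python
import hashlib
import hmac
import itertools

# Two constructed frames of equal length that the client will send.
FRAME1 = b"GET /index.html HTTP/1.1"     # predictable request, the "known plaintext"
FRAME2 = b"user=alice&pw=hunter2!!!"     # the frame the attacker wants to read


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for the AES counter-mode keystream that CCMP derives from the
    session key and the packet-number nonce.  Built from HMAC-SHA256 so the
    example needs no third-party library; the only property modelled is the one
    that matters here: the keystream is a fixed function of (key, nonce)."""
    out = b""
    for ctr in itertools.count():
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        if len(out) >= length:
            return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Model of the supplicant (client) side of the 4-way handshake."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None      # pairwise transient key negotiated by the handshake
        self.pn = 0          # packet number; the per-frame nonce is built from it

    def on_message3(self, ptk: bytes) -> None:
        """Handle EAPOL message 3.  It can arrive more than once: if message 4
        never reaches the access point, message 3 is retransmitted."""
        if self.patched and self.ptk == ptk:
            return           # key already installed: keep the counter running
        self.ptk = ptk
        self.pn = 0          # (re)installation resets the nonce -> keystream reuse

    def encrypt(self, plaintext: bytes):
        """Return (nonce, ciphertext) for one data frame."""
        nonce = self.pn.to_bytes(6, "big")
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def krack_scenario(patched: bool):
    """A man-in-the-middle withholds message 4, so the access point retransmits
    message 3 after the client has already sent one encrypted frame."""
    ptk = b"\x11" * 16                   # constructed session key
    client = Client(patched)
    client.on_message3(ptk)              # original message 3: key installed
    n1, c1 = client.encrypt(FRAME1)
    client.on_message3(ptk)              # retransmitted message 3
    n2, c2 = client.encrypt(FRAME2)
    return n1, c1, n2, c2


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """If both ciphertexts used the same keystream, c1 XOR c2 = p1 XOR p2, so a
    known p1 (a predictable request) reveals p2 without touching the key."""
    return xor(xor(c1, c2), p1)


if __name__ == "__main__":
    for patched in (False, True):
        n1, c1, n2, c2 = krack_scenario(patched)
        guess = recover_with_known_plaintext(c1, c2, FRAME1)
        print("patched" if patched else "vulnerable",
              "| nonce reused:", n1 == n2, "| recovered:", guess)
```

Note that the patched client still answers the retransmitted message 3 in a real implementation (it must send message 4 again); the fix is only to stop reinstalling a key that is already in use, which is exactly the single line in `on_message3`.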

3. ROCA - destruction of crypto by the Coppersmiths: The gist of public key cryptography, e.g. RSA, is that a pair of keys is generated: a public key and a matching private key. While the private key is never revealed to anyone, the public key can be distributed freely without compromising the security of the communication. Anyone can encrypt a message with the public key, but only the owner of the private key can decrypt it. What if the public key reveals information about the private key? As one can guess, that could be disastrous!

In 2016, Švenda and Nemec observed interesting statistical properties in a large collection of public keys: the bits of an RSA public key leak information about design and implementation choices such as the prime generation algorithm (see The Million-Key Question and the tool). Extending that work, they found in 2017 that anyone holding the public key can compute the matching RSA private key using a variant of Coppersmith's method. More specifically, the primes generated by the cryptographic library (RSALib) of Infineon Technologies, a major manufacturer of cryptographic hardware, have a special structure, p = k*M + (65537^a mod M) with M a product of small primes, and therefore far less entropy than their size suggests. When such primes are used to build an RSA key pair, the private key can be recovered from the public modulus alone; the cost depends on the key size, from a couple of CPU-hours for 512-bit keys, to about a hundred CPU-days for 1024-bit keys, to over a hundred CPU-years (tens of thousands of dollars of cloud compute) for 2048-bit keys, while 4096-bit keys remained out of practical reach. The same structure also makes affected keys easy to recognize: the modulus leaves a fingerprint in its residues modulo small primes, which is what the ROCA detection tools check.

Once the private key is derived, it can be misused to impersonate its legitimate owner, decrypt sensitive messages or forge digital signatures. This creates a huge mess wherever the flawed library was used for mass production, for example Estonian electronic ID (eID) cards.

ROCA Attack, their paper, and tools (by keychest and cryptosense) to test the RSA keys.
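The fingerprint check below is an added example, not the authors' tool; it re-derives the ROCA detection principle from the prime structure described above. Because an affected prime p equals 65537^a mod q for every small prime q dividing M, so does N = p*q' up to another power of 65537, i.e. N mod q always lies in the subgroup generated by 65537. Here M is taken as the product of the odd primes up to 167 (the smallest primorial RSALib used, for 512-bit keys; 2 is omitted since every RSA modulus is odd). The modelled prime generation, the seed and the 512-bit size are assumptions for the demo; the structured primes are generated only to show that the test separates them from ordinary primes, nothing is factored.

```python
import random

# Product of the odd primes up to 167 plays the role of RSALib's M.
SMALL_PRIMES = [q for q in range(3, 168)
                if all(q % d for d in range(2, int(q ** 0.5) + 1))]
GENERATOR = 65537
M = 1
for _q in SMALL_PRIMES:
    M *= _q


def subgroup(q: int) -> set:
    """Elements of (Z/qZ)* generated by 65537."""
    elems, x = set(), 1
    while x not in elems:
        elems.add(x)
        x = x * GENERATOR % q
    return elems


SUBGROUPS = {q: subgroup(q) for q in SMALL_PRIMES}


def roca_fingerprint(n: int) -> bool:
    """True when n mod q lies in <65537> for every small prime q.  A modulus
    built from two ordinary random primes fails this with overwhelming
    probability; one built from RSALib-style primes always passes."""
    return all(n % q in SUBGROUPS[q] for q in SMALL_PRIMES)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin primality test with random witnesses."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Ordinary prime generation: random odd candidates until one is prime."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def roca_style_prime(bits: int, rng: random.Random) -> int:
    """Prime with the structure described in the text (modelled, not RSALib's
    actual code): p = k*M + 65537**a mod M, so p is fixed modulo every small
    prime up to the choice of a."""
    k_bits = bits - M.bit_length()
    while True:
        r = pow(GENERATOR, rng.randrange(M), M)
        k = rng.getrandbits(k_bits) | (1 << (k_bits - 1))
        p = k * M + r
        if p.bit_length() == bits and is_probable_prime(p, rng):
            return p


def make_moduli(seed: int = 2017, bits: int = 512):
    """Return (vulnerable_n, ordinary_n): one modulus from structured primes,
    one from ordinary primes, both of roughly the requested size."""
    rng = random.Random(seed)          # seeded so the demo is reproducible
    half = bits // 2
    vulnerable = roca_style_prime(half, rng) * roca_style_prime(half, rng)
    ordinary = random_prime(half, rng) * random_prime(half, rng)
    return vulnerable, ordinary


if __name__ == "__main__":
    vul, ok = make_moduli()
    print("structured modulus flagged:", roca_fingerprint(vul))
    print("ordinary modulus flagged:  ", roca_fingerprint(ok))
```

The check needs nothing but the public modulus, which is why it could be run over certificate transparency logs, PGP key servers and TPM endorsement keys as soon as the paper was out; the published detectors use the same idea with the full primorials for each key size to keep the false-positive rate negligible.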

Another attack called DUHK is worth reading. DUHK (Don't Use Hard-coded Keys) is a vulnerability affecting devices that use the deprecated ANSI X9.31 random number generator with a hard-coded seed key: an attacker who observes some of the generator's output can recover its state and predict the rest, which in the case of the affected versions of FortiOS allowed passive decryption of VPN traffic.

Nation-state got pwned

1. WikiLeaks CIA Vault 7: WikiLeaks published a trove of 8,761 documents claimed to come from the US Central Intelligence Agency (CIA), possibly the largest intelligence publication in history. The leaked documents describe the CIA's activities and capabilities: malware targeting phones (iPhone, Android) and smart TVs, operating systems (Windows, OS X, Linux) on PCs and routers, and zero-day bugs for iOS and Android. Furthermore, the leaks reveal a framework (dubbed Marble by WikiLeaks) which allegedly helps the CIA write customized malware that disguises its authorship, making it hard for forensic investigators and anti-virus companies to attribute the malware to the CIA. In addition, they uncover the techniques used by the CIA to gain persistent access to Apple devices.

Vault7 dump, Wired series, Guardian article, and Vault8 - the source code + analysis of Vault7.

2. ShadowBrokers - bro(ker)s behind the shadow: An anonymous hacking group calling itself the Shadow Brokers came into existence in 2016 by announcing an auction of what it claimed were "cyber weapons made by the NSA".

They continued in 2017 with their public embarrassment of the NSA, mocking its intelligence-gathering capabilities. They exposed major vulnerabilities in Cisco routers, Microsoft Windows (e.g. e-mail client bugs and privilege escalation exploits) and other major firewall products. Furthermore, their April 2017 release contained the EternalBlue exploit for Windows SMB, which the authors of the WannaCry ransomware used a month later to infect a large number of computers. Similar to the CIA tools exposed in Vault 7, the Shadow Brokers leaks include executables used by the NSA to bypass antivirus programs, disguise techniques and other zero-days. From August 2016 to April 2017, the Shadow Brokers leaked different arsenals under humorous names: Equation Group Cyber Weapons Auction - Invitation, TrickOrTreat, Black Friday / Cyber Monday Sale, Don't Forget Your Base and Lost in Translation.

Blog post by Tek which covers a wide range of pointers, article by TechCrunch.

3. Macron hack - the email macaroni: It has happened before (e.g. John Podesta, Hillary Clinton, the Democratic National Committee or Erdogan), and it happened in 2017 too, this time to Emmanuel Macron, then a French presidential candidate. A 9 GB email dump appeared just 48 hours before the French election, first on Pastebin as links to torrent files, followed by an archive on WikiLeaks.

Whether or not WikiLeaks dumping emails into the public domain passes a public interest test, they probably put women in danger for no reason. On the positive side, the dumps led to some nice visualization projects for exploring the networks or the metadata.

Wikileaks dump and article by Wired.

Also worth reading is Citizen Lab's report Tainted Leaks - Disinformation and Phishing With a Russian Nexus, on an extensive phishing and disinformation campaign. The research uncovers a large Russian-linked phishing operation with over 200 unique targets spanning 39 countries.

Corporates got hit

1. Cloudbleed - leak in the memory: Cloudflare, Inc. provides various services to companies like Uber, OkCupid and Fitbit, whose sensitive user information (including personally identifiable information) passes through Cloudflare. In February 2017, Tavis Ormandy, a security researcher on Google's Project Zero team, noticed a serious issue in Cloudflare's proxy servers: they were spilling sensitive data belonging to arbitrary users of those companies, despite the data being protected by HTTPS (the leak happened inside the proxy, after TLS had been terminated).

Cloudflare parses the HTML pages of its customers and modifies specific HTML tags on the fly, for example to rewrite http:// links to https:// or to obfuscate email addresses for privacy reasons. This parsing was originally done by a parser generated with the open source tool Ragel; about a year before the bug was reported, Cloudflare started introducing a new parser, cf-html, and both ran in the same process, one of them parsing and modifying buffers (blocks of memory) containing specific HTML tags before handing them to the other. The Ragel-generated code contained a latent bug: its end-of-buffer check was written as p == pe instead of p >= pe, so when a page ended in an unterminated HTML tag the parser could step past the end of the buffer and, with the check never triggering, carry on reading from adjacent memory. This is a classic out-of-bounds read rather than a buffer overflow: no memory was corrupted, but the bytes following the buffer, which belonged to other customers' requests and responses handled by the same process, were copied into the page being served. Cloudflare admitted the incident frankly and reacted quickly to minimize the impact; "Only a very small portion of web traffic was affected by this bug", says John Graham-Cumming, the CTO of Cloudflare.

The bug report by Tavis, Cloudfare’s incident response and the article by The Register.
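A model of the bug class, added here as an illustration rather than Cloudflare's code: the memory arena, the page and the neighbouring buffer are constructed, and the parser is reduced to the one transition that matters, an attribute '=' consumed together with the byte after it. The vulnerable loop keeps going while p == pe is false, the patched loop while p < pe.

```python
# Constructed memory layout: the page being rewritten sits directly in front of
# another customer's buffered response, as it would inside a shared proxy process.
PAGE = b"<html><body><script type="       # ends in an unterminated tag
NEIGHBOUR = b"HTTP/1.1 200 OK\r\nSet-Cookie: session_token=5f1c9e; Secure\r\n"
ARENA = PAGE + NEIGHBOUR


def rewrite_page(arena: bytes, start: int, end: int, patched: bool) -> bytes:
    """Model of the tag-rewriting loop.  `p` walks the page [start, end) and
    copies bytes to the output, except that an attribute '=' is consumed
    together with the first byte of its value, i.e. p advances by two in one
    step.  With the loop condition written as p != pe that double step can jump
    over the end pointer, after which the loop keeps copying from whatever
    follows the buffer.  Comparing p < pe (equivalently, stopping on p >= pe)
    ends the loop regardless of how far p overshot."""
    out = bytearray()
    p, pe = start, end
    while (p < pe) if patched else (p != pe):
        if p >= len(arena):       # ran off mapped memory: a real process would crash
            break
        c = arena[p]
        if c == ord("="):
            p += 2                # '=' and first value byte consumed as one transition
            continue
        out.append(c)
        p += 1
    return bytes(out)


def leaks_neighbour(patched: bool) -> bool:
    """Does rewriting PAGE pull bytes of NEIGHBOUR into the output?"""
    out = rewrite_page(ARENA, 0, len(PAGE), patched)
    return b"session_token" in out


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "vulnerable", "->",
              rewrite_page(ARENA, 0, len(PAGE), patched))
```

The lesson generalizes beyond Ragel: any bound check of the form `p == end` is only correct if every transition advances the pointer by exactly one; the moment a state consumes two bytes, or a pointer is moved by a callback, equality can be skipped and the check must become `>=`.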

2. Equifax - the SSN spiller: Credit reporting giant Equifax disclosed a massive data breach in September 2017 in which sensitive information of 143 million consumers (names, birth dates, addresses, driver's license numbers as well as Social Security Numbers) was exposed to the attackers. Given the sensitivity of the data, the company as well as the FTC took measures to identify and lessen the harm, but it seems it was too late.

This blunder was due to Equifax's failure to patch a previously reported vulnerability in the open source web framework Apache Struts (CVE-2017-5638). The vulnerability, in the Jakarta multipart parser used for file uploads, was disclosed and patched by Apache in March 2017, months before the breach, yet Equifax's servers remained unpatched. It allowed the attackers to execute code remotely on the server by placing an OGNL expression in the Content-Type header of an upload request, which Struts evaluated while building its error message.

Announcement by Equifax, their online tool and Apache’s reponse.
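An added detection example (not from Equifax, Apache or the original post): a scanner over constructed proxy log lines that record the request Content-Type, flagging values that carry OGNL syntax, which is what CVE-2017-5638 exploit attempts look like on the wire. The log format with its ct="..." field, the addresses and the shortened exploit string are all assumptions made up for the demo.

```python
import re

# Constructed access log lines in a format that also records the request
# Content-Type as ct="...".  Only the third line carries an OGNL expression.
LOG_LINES = [
    '10.0.0.5 - - [07/Mar/2017:10:12:01 +0000] "POST /upload.action HTTP/1.1" 200 '
    'ct="multipart/form-data; boundary=----x"',
    '10.0.0.9 - - [07/Mar/2017:10:12:07 +0000] "GET /index.action HTTP/1.1" 200 ct="-"',
    '203.0.113.7 - - [07/Mar/2017:10:13:44 +0000] "POST /upload.action HTTP/1.1" 500 '
    'ct="%{(#_=\'multipart/form-data\').(#cmd=\'id\')}"',
    '10.0.0.5 - - [07/Mar/2017:10:14:02 +0000] "POST /upload.action HTTP/1.1" 200 '
    'ct="application/x-www-form-urlencoded"',
]

CT_FIELD = re.compile(r'ct="((?:[^"\\]|\\.)*)"')
# OGNL never belongs in a media type: expression delimiters, the #_= trick the
# public exploit uses to keep Struts on the multipart code path, and the Java
# reflection helpers the payloads reach for.
OGNL_MARKERS = re.compile(r"[%$]\{|#_=|@ognl\.|@java\.lang\.|\.getRuntime\(",
                          re.IGNORECASE)


def content_type_is_malicious(ct: str) -> bool:
    """A legitimate Content-Type is a media type plus parameters; any OGNL
    syntax in it is an exploitation attempt against the multipart parser."""
    return OGNL_MARKERS.search(ct) is not None


def scan(lines):
    """Return (line_number, client_ip, content_type) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CT_FIELD.search(line)
        if m and content_type_is_malicious(m.group(1)):
            hits.append((n, line.split(" ", 1)[0], m.group(1)))
    return hits


if __name__ == "__main__":
    for n, client, ct in scan(LOG_LINES):
        print(f"line {n}: {client} sent Content-Type {ct!r}")
```

A hit like this only tells you someone tried; whether it worked depends on the Struts version behind the proxy (the fix shipped in Struts 2.3.32 and 2.5.10.1), so the detection belongs next to, not instead of, an inventory of which applications still run the vulnerable releases.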

3. Cellebrite hack - (bad) hackers got hacked: In January 2017, a hacker provided Motherboard with 900 GB of data related to Cellebrite, including Android, BlackBerry and iOS cracking tools. Cellebrite is one of the best-known mobile phone forensics companies, famous for its flagship product, the Universal Forensic Extraction Device (UFED), which can extract data (e.g. SMS messages, emails) from mobile phones. As a surveillance technology company, Cellebrite serves a wide range of customers, including law enforcement agencies, repressive regimes (Russia, the United Arab Emirates, Turkey) as well as banks.

Phone Crackers series by Joseph Cox, Motherboard.

Another disaster of the year: records of 198 million US voters were exposed by a misconfigured, publicly readable cloud storage bucket. Interestingly, the exposed files shed some light on (big) data-driven election campaigns.


Malware catches everyone's attention easily, especially when Bitcoin is involved. WannaCry is one such piece of malware, popularly classed as ransomware: it encrypts the data on computers running unpatched versions of Microsoft Windows and demands a ransom in Bitcoin to decrypt it. It spread as a worm using the EternalBlue SMB exploit from the Shadow Brokers leak, for which Microsoft had released a patch (MS17-010) two months earlier, so initially the attack was blamed on the leaked tools; eventually the blame shifted towards North Korea.

Petya/NotPetya/Nyetya/GoldenEye as well as Bad Rabbit were the other headline malware and ransomware of 2017.

“Ransomware 1H 2017” - review by Microsoft, and article by The Guardian.
