Bad actors are exploiting an obscure technology found in telecommunications networks around the world to track mobile users and engage in fraud, and they could be costing carriers millions of dollars in lost revenues.
The technology, called “SS7,” is a signal protocol developed in the 1970s for setting up phone calls.
“Every day, more people use the SS7 network than use the Internet, although few people have ever heard of it,” said Ciaran Bradley, chief product officer at AdaptiveMobile, which provides network security for a fifth of all mobile users in the world.
“It’s there in the background every time someone makes a phone call or switches cell towers or sends or receives a text message,” he told TechNewsWorld.
Compromise of the SS7 network can cause significant damage to the reputation and finances of carriers around the world, AdaptiveMobile noted in a statement released last week.
Fraud enabled by unauthorized access to the SS7 network can cost telecommunications operators millions of dollars that the operators have no hope of recovering, the statement said. Unless safeguards are implemented, Net marauders will be able to track subscribers at any time of the day or night, listen to their phone calls and read their text messages.
Too Much Access
When SS7 was introduced, a small number of trusted peers, essentially less than a dozen global telecommunications carriers, used it. For that reason, strong security wasn’t needed.
“Now, we’ve gone from 10 carriers connected to SS7 to more than 800 mobile carriers, plus aggregators and all sorts of other people with access to the network. That means it’s getting leaky around the edges,” Bradley said.
“You can’t police it once you get more and more entry points into this network,” he added.
What black hats have discovered is that the protocol can be abused by issuing commands in ways the system wasn’t designed for.
“So some smart guys on the bad actors side, or certain nation-states, have figured out you can use certain SS7 commands to do things like find a call’s location,” Bradley said.
“Once you have SS7 access and a mobile phone number, you pretty much can track anyone around the world,” he added.
In addition to tracking phones, researchers have demonstrated ways to use SS7 to intercept calls and text messages, as well as make free phone calls.
Until recently, abuse of SS7 was thought to be largely theoretical, but that’s not the case any more.
“We have definitely seen suspicious activity in virtually every region,” Bradley said. “There’s enough for the operators involved to be concerned.”
Flash Zero Day
Adobe last week rushed a security update to users of its Flash Reader application to address a zero-day vulnerability — a vulnerability previously unknown to the company — researchers found earlier in the week.
The vulnerability — CVE-2015-7645 — came to light just hours after the company released a new version of Flash — 19.0.0.207 — to address a number of security problems with the software.
Why didn’t Adobe catch CVE-2015-7645 in last week’s update?
“Flash has a huge attack surface because it is a complex execution environment, so we ought to expect to see many more zero days used in future attacks,” said Simon Crosby, CTO of Bromium.
“Adobe does what it can, but ultimately this is a game that favors the attacker,” he told TechNewsWorld. “They have to try to protect an enormous code base, whereas the attacker only needs to know about one flaw.”
Flash Panned
Adobe’s latest fix is temporarily reassuring at best.
“Once the patch is out, the hackers are going to reverse engineer what that vulnerability is and write exploits for it almost immediately,” said Ken Westin, a senior security analyst with Tripwire.
“It’s come to the point now where, particularly in the enterprise, they probably don’t want to be running Flash at all,” he told TechNewsWorld.
“Flash has been on a decline for the last five years. Most security practitioners who I’ve talked to are trying to eradicate it from their environments,” Westin said. “Probably in the next five years, Flash will be dead or used in a very limited use case.”
Broken Padlock
Most Net rovers don’t know a lot about digital certificates, but they do recognize the padlock icon that appears on their browser’s address bar when they visit a website. It’s supposed to offer some measure of assurance that a website is safe to visit.
However, that measure is smaller than it should be, according to Graham Edgecombe, a software developer with Netcraft.
When a padlock appears on the address bar, it means that an SSL digital certificate has been issued for the Internet address for that website. Those certificates are issued by certificate authorities. CAs are failing to live up to their responsibilities to ensure the integrity of the certs they issue, he argued.
“In just one month, certificate authorities have issued hundreds of SSL certificates for deceptive domain names used in phishing attacks,” Edgecombe said.
“SSL certificates lend an additional air of authenticity to phishing sites, causing the victims’ browsers to display a padlock icon to indicate a secure connection,” he explained.
“Despite industry requirements for increased vetting of high-risk requests, many fraudsters slip through the net, obtaining SSL certificates for domain names such as banskfamerica.com (issued by Comodo), ssl-paypai-inc.com (issued by Symantec), and paypwil.com (issued by GoDaddy),” Edgecombe continued.
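The “increased vetting of high-risk requests” Edgecombe refers to can be partly automated. The following is an added example, not code from Netcraft or from any of the certificate authorities named above: a small screening function that a CA or a brand-protection team could run over a requested domain name before issuing, flagging names that embed or closely resemble a protected brand. The brand list, the allowlist of legitimately owned domains, the edit-distance thresholds and the handling of the top-level domain are all assumptions made for this example; a real deployment would at least use the Public Suffix List rather than treating the last label as the suffix.

```python
"""Screen certificate requests for deceptive, brand-look-alike domain names.

Added example, not Netcraft's, Comodo's or any CA's own code. It flags a
requested domain for manual review when one of its name tokens embeds a
protected brand or sits within a small edit distance of it. Brand list,
allowlist and sample domains are constructed for illustration.
"""
import re

# Brands to protect, written as they would appear in a domain label
# (lower-case, no spaces). Constructed for this example.
PROTECTED_BRANDS = ("bankofamerica", "paypal", "wellsfargo")

# Domains the brand owners legitimately control (constructed allowlist);
# requests for these exact names are never flagged.
LEGITIMATE_DOMAINS = {"bankofamerica.com", "paypal.com", "wellsfargo.com"}


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_labels(domain):
    """Labels left of the top-level domain, lower-cased, with 'www' dropped.

    Assumption/simplification: only the last label is treated as the public
    suffix, which is wrong for multi-part suffixes such as '.co.uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) > 1:
        labels = labels[:-1]
    return [label for label in labels if label and label != "www"]


def tokens(domain):
    """Split labels on hyphens, underscores and digits.

    'ssl-paypai-inc.com' -> ['ssl', 'paypai', 'inc'].
    """
    toks = []
    for label in registrable_labels(domain):
        toks.extend(t for t in re.split(r"[-_0-9]+", label) if t)
    return toks


def deceptive_matches(domain):
    """Return (brand, token, distance) triples explaining why the domain
    looks deceptive; an empty list means no brand resemblance was found."""
    if domain.lower().rstrip(".") in LEGITIMATE_DOMAINS:
        return []
    hits = []
    for brand in PROTECTED_BRANDS:
        # Allow more edits for longer brand names (threshold is an assumption).
        allowed = 1 if len(brand) < 6 else 2
        for tok in tokens(domain):
            if brand in tok:
                # Brand embedded in a longer token, e.g. 'paypalsecure'.
                hits.append((brand, tok, 0))
            elif len(tok) >= len(brand) - allowed:
                # Short tokens such as 'ssl' or 'inc' cannot be look-alikes.
                d = levenshtein(tok, brand)
                if d <= allowed:
                    hits.append((brand, tok, d))
    return hits


def is_high_risk(domain):
    """True when the request should be held for manual vetting."""
    return bool(deceptive_matches(domain))


if __name__ == "__main__":
    # The three deceptive names quoted by Netcraft, plus two benign controls.
    for name in ("banskfamerica.com", "ssl-paypai-inc.com", "paypwil.com",
                 "paypal.com", "example.com"):
        print(f"{name:22} high_risk={is_high_risk(name)} {deceptive_matches(name)}")
```

Run on the three names quoted above, the function flags each of them: banskfamerica.com is two edits from bankofamerica, ssl-paypai-inc.com contains a token one edit from paypal, and paypwil.com is two edits from paypal. The output is a list of reasons rather than a bare boolean so that a reviewer can see which brand and which token triggered the hold; false positives on ordinary words are expected and are the reason the result is a review queue, not an automatic refusal.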
Quick Responders
In August alone, 40 percent of all SSL certificates used in phishing attacks with deceptive domain names originated with CloudFlare, which offers its customers free “Universal SSL,” he noted.
“This is something that people have tried for years and years to do, so I’m not quite sure why Netcraft chose to write about it now,” said John Graham-Cumming, a programmer with CloudFlare.
When CloudFlare is alerted to a rogue domain, it can take down the site in six hours, he told TechNewsWorld.
“Some of these addresses they’re talking about they haven’t told us about,” Graham-Cumming said.
“As a full certification authority, we have put resources in place to revoke these certificates instantly the moment that we are made aware of them,” said Melih Abdulhayoglu, CEO of the world’s largest CA, Comodo.
“We encourage reporting of any suspicious use of our certificates so that we can take action on it immediately,” he told TechNewsWorld.
“Our concern going forward is that although we have resources to fight this kind of evil, other new automated systems might not have the same resources to revoke in a timely manner,” Abdulhayoglu continued.
Consumers and Businesses Vulnerable
Issuing certificates without proper review is becoming increasingly common, maintained Kevin Bocek, vice president for security strategy and threat intelligence at Venafi.
“In particular, we are seeing that free CA offerings are particularly easy targets for hackers. This is bad for both businesses and consumers,” he told TechNewsWorld.
“When people see the padlock, they understandably believe they can trust that site. Now hackers are using this against us, which is a worrying situation,” Bocek said.
“As more and more hackers see the potential and ease for misusing keys and certificates, we’ll see more attempts of this kind that are designed to directly target consumers,” he added.
Businesses, too, ought to be concerned about bogus certificates.
“There are over 200 CAs in operation. All are afforded the same level of trust but the reality is that they are often very different in terms of the level of fraud and security controls they have in place,” Bocek noted.
“Businesses have no way of telling which CAs are better or worse, yet they also face a huge risk that they’re not responsible for creating,” he continued. “They are helpless to protect themselves since certificates are being issued in their names without their control.”
Breach Diary
- Oct. 12. America’s Thrift Stores discloses that malware planted on a third-party provider by Eastern European criminals has compromised payment card information for an unspecified number of customers. Shoppers who used their cards at the company’s stores between Sept. 1 and Sept. 27 may be at risk.
- Oct. 12. Reuters reports average cyberinsurance rates for retailers increased 32 percent in the first half of 2015 after remaining flat in 2014.
- Oct. 13. Sergey Vovnenko is extradited from Italy to the United States, where he’s charged with operating a botnet of more than 13,000 computers used to obtain information used for making unauthorized withdrawals from banks and fraudulent charges. Vovnenko, who allegedly plotted to frame cybersecurity blogger Brian Krebs on phony drug charges, faces up to 30 years in prison.
- Oct. 13. FBI issues a warning to law enforcement, merchants and the general public that new EMV payment cards may be vulnerable to exploitation by fraudsters. No single technology eliminates fraud, and cybercriminals will keep looking for opportunities to steal payment information.
- Oct. 14. Eset and the National Cyber Security Alliance release survey findings showing one in five American households received a data breach notice in the last year, and of those that received notices, 50 percent received multiple notices.
- Oct. 15. Mainstreet Federal Credit Union discloses that some 300 of its members have had their credit card credentials compromised. Its systems weren’t breached and fraudsters probably obtained information through a merchant breach.
- Oct. 16. The FBI, Secret Service and the Securities and Exchange Commission have been investigating for at least a year a breach of Dow Jones & Co. by Russian hackers seeking information that could be used for insider trading, Bloomberg News reports.
- Oct. 16. Electronic Arts finds no evidence that a list of user account credentials that appeared on the Internet this week was obtained through an intrusion of the company’s computer systems.
Upcoming Security Events
- Oct. 27. PBN Cybersecurity Summit. 8-10:30 a.m. ET. Crowne Plaza Hotel, 801 Greenwich Ave., Warwick, Rhode Island. Registration: individual, $50; corporate table for 10, $400.
- Oct. 27. The Right Security for the Internet of Things. 2 p.m. ET. Webinar sponsored by TechOnline. Free with registration.
- Oct. 28. The Cyber-Centric Enterprise. 8:15 a.m. ET. Virtual conference. Free with registration.
- Oct. 28. Using Real-Time Threat Intelligence to Protect Patient Data. 1 p.m. ET. Dark Reading webinar. Free with registration.
- Oct. 28-29. SecureWorld Dallas. Plano Centre, 2000 East Spring Creek Parkway, Plano, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
- Oct. 28-29. Securing New Ground. Conference sponsored by Security Industry Association. Millennium Broadway Hotel, New York City. Registration: after Sept. 7 — member, $1,095; nonmember, $1,495; CISO, CSO, CIO, $300.
- Nov. 4. Bay Area SecureWorld. San Jose Marriott, 301 South Market St., San Jose, California. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
- Nov. 7. B-Sides Dallas/Fort Worth. UT Dallas, Science Learning Center building. Free.
- Nov. 10. FedCyber 2015 Annual Summit. Tyson’s Corner Marriott, 8028 Leesburg Pike, Tyson’s Corner, Virginia. Registration: $395; academic, $145; government and military, free.
- Nov. 11-12. Seattle SecureWorld. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
- Nov. 13-14. B-Sides Delaware. Wilmington University, New Castle Campus, 320 North Dupont Highway, New Castle, Delaware. Free with registration.
- Nov. 24-25. Cyber Impact Gateway Conference. ILEC Conference Centre and Ibis London Earls Court, London, UK. Registration: Before Oct. 9 — end users, £1,799 plus VAT; solution providers, £2,799 plus VAT. Before Oct. 30 — end users, £1,899 plus VAT; solution providers, £2,899 plus VAT. Standard — end users, £1,999 plus VAT; solution providers, £2,999 plus VAT.
- Dec. 12. Threats and Defenses on the Internet. Noon ET. Northeastern University, Burlington Campus, 145 South Bedford St., Burlington, Massachusetts. Registration: $6.