Mathematicians have their beloved Erdős Numbers (coauthors of the prolific Paul Erdős are a 1, their coauthors have an Erdős Number 2, and so on), and movie lovers have the game “Six Degrees of Kevin Bacon,” which posits that because Bacon has appeared in so many films, it is possible to link him to any other actor within six steps of relatedness.
In the past week, the world of computer security experienced something analogous, with the top stories demonstrating the interrelatedness of things on the Internet. In this case, a mass transit operator in Turkey can be linked in a few steps to an energy manufacturer in the United States.
On 3 January, the Kaspersky Lab Threatpost reported that Capstone Turbine Corp., a company specializing in power generation equipment for utilities, had become the most recently discovered victim of malware exploiting a vulnerability in Microsoft’s Internet Explorer 6, 7, and 8 browsers. The cybercriminals carried out a so-called watering hole attack. Instead of attacking the desired victims directly, the attacker profiles the individuals or companies, finding out what websites they frequent. The attacker scans those sites for vulnerabilities. Having found one or more whose defenses can be penetrated, the attacker injects code at those sites that causes the victim’s computer to automatically redirect to a separate site. The site to which the victim is diverted hosts a zero-day exploit that is lying in wait—like a lion at a watering hole—to give the attacker access to the victim’s computer so he or she can install more malware, steal data, or monitor the victim’s activities. According to Kaspersky Lab, “Attackers are generally state-sponsored and hope to spy on their victims’ activities and siphon off business or military intelligence.”
The revelation that Capstone had been attacked at the watering hole comes just days after it was reported that the website of the U.S. Council on Foreign Relations, a high-level think tank, had been compromised by the same code since early December, and security firm FireEye confirmed that the site was still hosting malware as of 26 December. “We can confirm that the malicious content hosted on the [CFR] website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability,” wrote FireEye’s Darien Kindlund on the company’s blog. “We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time.”
Microsoft released a temporary patch on 31 December and noted that it is still working on a security update for the browser vulnerability, says Kaspersky’s Threatpost. Computerworld reports that in addition to the announcement about the fix—which offered no timetable about when an update that would eliminate the zero-day exploit would be ready—Microsoft announced on 3 January that it will release seven security updates next week “including one rated critical for Windows 8 and Windows RT -- to patch 12 vulnerabilities in Windows, Office, SharePoint Server and the company's website design software.”
Microsoft also took that opportunity to warn computer users that hackers were using digital certificates wrongfully obtained from a Turkish certificate authority and urge them to make sure that they have installed a Windows update that handles the decertification process whenever warranted.
On the same day, Google noted in a corporate blog post that someone attempted to impersonate Google.com on 24 December with the aim of carrying out a man-in-the-middle attack. What did the hacker use as a disguise? A fraudulent certificate generated after the Turkish trusted root certificate authority Turktrust mistakenly gave the power to issue certificates to two companies that were not supposed to have it. One of the two firms, which maintains a site at ego.gov.tr, is a Turkish transit authority.
Google Chrome detected and blocked the errantly issued certificate, says Wired. If the man-in-the-middle attack using the certificate had been successful, the hacker would have been able to “intercept and read any communication that passed from users on the ego.gov.tr network to any google.com domain, including encrypted Gmail traffic,” says Wired.
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.