Equifax breach

The data breach at credit bureau Equifax has gotten a lot of attention in the last week. It seems that the company has been guilty of at least two significant blunders: unpatched software and default authentication credentials.

Unpatched software

Equifax has at least one web application built on Apache Struts, a category of software called a web application framework. Web developers use frameworks to build their applications, because the frameworks provide components common to many web applications, components that do things like handling input typed into a web form, generating HTML for web pages, etc. Frameworks allow web developers to skip over routine tasks and focus on the business logic specific to the application.

Like any software, frameworks have versions and updates. Equifax was using a version of Struts that had at least one serious and widely-known security vulnerability. When the Struts developers (not Equifax, but the people who make the Struts framework) became aware of the vulnerability, they released an update to the Struts framework. The Struts developers released this update months prior to the Equifax data breach. For whatever reason, Equifax didn’t update Struts on their site.

Default authentication credentials

Equifax hosts a web application that their Argentinian employees use to manage credit report data. That web application had a poor choice of authentication credentials: the username was admin, and the password was also admin. Logging in with those credentials allowed an attacker to retrieve the usernames and passwords of Equifax employees, which would in turn allow the attacker to retrieve Equifax customer information.

How does this happen?

Why didn’t Equifax apply the Struts update? A few possibilities come to mind:

  1. They didn’t know about the update. Equifax must have developers, system administrators, and security analysts. Maybe they were all blissfully ignorant of the update for over four months.
  2. Maybe the update was incompatible with the web application they built on the Struts framework. If that were the case, they should have identified and fixed the problem and then run the update. That might take days, but it shouldn’t take months.
  3. They probably have change control processes that delay an update. They wouldn’t immediately run the update on their live production servers. First they’d load it in a test environment, and then they’d test their application after applying the Struts update. But that should take at most days, and probably hours, especially with an update that addresses serious security vulnerabilities.

None of these is an excuse for waiting months to run the update, and there’s really no defending the admin/admin thing at all.

What this might mean to you

Brian Krebs has been a long-time advocate for security freezes, and I’m considering doing this. The only reason I haven’t done this yet is that it just seems like one more pain in the ass when my day job, the current political climate, and other stuff leave me wanting to do little more than read a book or sit in front of the TV binge-watching The Flash and Supergirl (which is why I haven’t been posting on this blog much lately).

The implications of the Equifax breach to a story-teller are obvious enough. If your character needs to break into a web site or computer network, she should look for out-of-date software or default authentication credentials. This sort of thing isn’t supposed to happen to a big company that should know better about how to protect the personal information of millions of people. But it does happen, which can make it a plausible plot device in your fiction. I see that nmap has a test to look specifically for the Struts vulnerability found on the Equifax site, and there are plenty of open-source tools to run brute-force password attacks.

The implications of the breach on a computer user are obvious, too. This is why it’s so important to run software updates on everything. Criminals are well aware of security vulnerabilities and are actively exploiting them. We all need to be running updates:

  1. operating system and application software updates on our computers and mobile devices
  2. firmware updates on the routers we use for our broadband internet connections
  3. updates to self-hosted blogging software like wordpress (plugins, too)

And we need to be picking good passwords for everything. Did you ever change the password on your broadband router? Does “facebook” appear in your facebook password?


CrashPlan discontinuing home plans

I’ve used Crashplan as an offsite backup solution for several years and have really liked it. Today the company announced that they are transitioning to being an enterprise-only solution, and that they are ending support for personal and family plans.

This is pretty disappointing. It’s been a good product at an affordable price, and now I have to find something else. The company is going about this in a nice way: they’re giving their users 14 months’ notice. I’ll post about this again when I figure out what I’m going to do. And I’m certainly open to suggestions.

Your printer may betray you

A recent story making the rounds tells about how an NSA contractor got caught leaking classified information to the media. The contractor wanted to give information in one or more PDF documents to an online publication (The Intercept). She could have just emailed the PDFs, but she was probably worried that the PDFs might contain some metadata that could link the documents back to her. So she printed the PDF files, scanned the printouts with a desktop scanner, probably destroyed the printouts, and then emailed the scanned pages.

It turns out that many modern printers add little yellow dots to every page they print. If you know how to read them, the dots identify the type of printer, the printer’s serial number, and the date and time the document was printed. The dots are hard for people to see, but the contractor’s scanner was sensitive enough to image them.

So when The Intercept sent some of the scanned pages to the NSA asking them to verify the authenticity, the NSA just had to read the dots, identify the printer, and look in server logs to see who used that printer at the time the dots indicated. They arrested the contractor, and a conviction will probably put her in prison for several years.

To me this is reminiscent of typewriter forensics, like how they convicted Ted Kaczynski (search that linked page for Unabomber). The FBI had a copy of Kaczynski’s typewritten manifesto. He’d used an old typewriter, the kind where the little arms with the embossed letters strike an ink ribbon to mark the paper. The FBI were able to match those pages to the typewriters they found in Kaczynski’s cabin.

It’s easy to see how this kind of trick could be useful to your character. She could do something like what the NSA did and trace a printout back to a person. Or she might print something on someone else’s printer to implicate the printer’s owner in something.

May 2017 news roundup

Target is still paying for their 2013 data breach

Remember Target’s data breach from a few years ago? They are still paying for that. Target recently agreed to an $18.5 million settlement with 47 states and the District of Columbia. That NYT article mentions a $202 million total for “legal fees and other costs since the breach” (I tried reading the linked SEC statement about those payments and lost interest immediately). I don’t know if that $202 million includes this $18.5 million amount, but that’s an expensive mistake any way you look at it.

Breaking news: IoT still terrible

New research shows that Internet of Things (IoT) devices can divulge a lot of information about their owners. The researchers found that a passive network tap on a home network allowed them to monitor traffic rates for several IoT devices. Even if they couldn’t read the traffic itself, the researchers were able to infer a lot just by watching DNS queries and changes in the traffic rates of devices like sleep monitors, motion-activated security cameras, and an Amazon Echo. (This technique of traffic analysis has a long history.)
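As an added illustration (not from the original post or the research it cites), here is the kind of inference the researchers describe, run over a constructed set of per-minute flow summaries from a hypothetical home tap: payloads are treated as opaque, yet DNS names reveal the device type and rate spikes reveal when it is active. The last function shows the usual mitigation, constant-rate padding, which removes the signal. Device names, DNS names and byte counts are all made up.

```python
from collections import defaultdict
from statistics import median

# Constructed per-minute flow summaries from a passive tap on a home network
# (hypothetical devices and DNS names). Payloads are assumed encrypted; only
# byte counts, timing and DNS lookups are observable.
FLOWS = [
    (0, "sleep-monitor", 1200, "api.sleep.example"),
    (1, "sleep-monitor", 1150, None),
    (2, "sleep-monitor", 1300, None),
    (3, "sleep-monitor", 90000, None),   # burst: owner gets out of bed
    (4, "sleep-monitor", 1100, None),
    (0, "camera", 0, None),
    (1, "camera", 0, None),
    (2, "camera", 450000, "upload.cam.example"),  # motion-triggered upload
    (3, "camera", 470000, None),
    (4, "camera", 0, None),
]

def rate_series(flows):
    """Bytes per minute for each device: {device: {minute: bytes}}."""
    series = defaultdict(lambda: defaultdict(int))
    for minute, device, nbytes, _ in flows:
        series[device][minute] += nbytes
    return series

def dns_names(flows):
    """DNS names each device resolved; the vendor domain alone often reveals the device type."""
    names = defaultdict(set)
    for _, device, _, name in flows:
        if name:
            names[device].add(name)
    return names

def activity_minutes(series, factor=5.0):
    """Minutes where a device's rate is well above its own baseline (the median).
    A zero baseline means any traffic at all is an event (e.g. a motion upload)."""
    events = {}
    for device, by_minute in series.items():
        base = median(by_minute.values())
        thresh = base * factor if base > 0 else 0
        events[device] = sorted(m for m, b in by_minute.items() if b > thresh)
    return events

def pad_to_constant_rate(flows, rate):
    """Mitigation: send the same byte count every minute (cover traffic / padding),
    so rate changes no longer leak activity. `rate` must exceed the largest real burst."""
    return [(m, d, rate, n) for m, d, _, n in flows]
```

Padding hides the timing channel but not the DNS names; those need a resolver the tap cannot see (encrypted DNS or a local resolver) to close off the device-identification half of the technique.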

So imagine that your story’s character needs to spy on someone. If she can identify an exploit for the wireless router the target uses for his home network, she could potentially eavesdrop on the traffic going in and out of his home. If the sleep sensor tells her that he’s sleeping, or if a camera shows movement in one part of the house, that might tell her something useful.

BTW, the Amazon Echo inspired what has become my favorite XKCD entry.

Defeating security cameras

This one is a little older, so vendors have at least partially addressed these specific vulnerabilities, but it’s pretty interesting. Someone published exploits against several consumer-grade security cameras. These cameras have a similar setup process:

  • Mount the camera somewhere
  • Download a vendor-supplied app to your phone
  • Use the app to configure the camera via bluetooth (your phone talks directly to the camera)
  • Configure the camera to connect to your home’s wireless network
  • The camera sends image data to the cloud: the camera has no local storage

The researcher found ways to interrupt the operation of several camera models. Sending certain specially-crafted bluetooth messages to the camera would cause it to reboot, taking it briefly offline. Sending another kind of bluetooth message would tell the camera to connect to a different wireless network. If the attacker brings along a wireless access point (WAP) transmitting the same SSID specified in the bluetooth message, the camera will connect to that WAP, rendering the camera ineffective.

This latter exploit provides a more plausible version of the overused trope of splicing into a camera’s feed, recording a few minutes of boring footage, and replaying it endlessly for the security guard. If the camera only sends data to the cloud when it detects motion, then the absence of data implies the absence of motion. The attacker just needs some off-the-shelf hardware, some publicly-available exploit code, and physical proximity (bluetooth range) to the camera.
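The weakness the paragraph above describes is that a motion-only feed makes silence ambiguous. As an added example (not code from the original post or from any camera vendor), here is a monitor over a constructed event feed that tells "quiet" apart from "offline" by requiring periodic heartbeats; `naive_state` shows what a motion-only monitor concludes when a camera has been rebooted or lured onto another network. The event format, camera IDs and intervals are assumptions.

```python
# Constructed event feed from a hypothetical cloud camera service:
# (timestamp_seconds, camera_id, kind) where kind is "heartbeat" or "motion".
EVENTS = [
    (0,   "cam-front", "heartbeat"),
    (60,  "cam-front", "heartbeat"),
    (90,  "cam-front", "motion"),
    (120, "cam-front", "heartbeat"),
    # cam-front then goes silent: rebooted, or joined someone else's access point
    (0,   "cam-back", "heartbeat"),
    (60,  "cam-back", "heartbeat"),
    (120, "cam-back", "heartbeat"),
    (180, "cam-back", "heartbeat"),
    (240, "cam-back", "heartbeat"),
]

HEARTBEAT_INTERVAL = 60   # seconds between expected heartbeats (assumed)
MISSED_BEATS_ALARM = 2    # alarm after this many missed heartbeats

def naive_state(events, cam, now):
    """A monitor that only sees motion uploads: silence looks like 'no motion'."""
    recent = [ts for ts, c, k in events
              if c == cam and k == "motion" and now - HEARTBEAT_INTERVAL <= ts <= now]
    return "motion" if recent else "quiet"

def camera_states(events, now):
    """Classify each camera at time `now` as 'quiet', 'motion' or 'offline'.
    Heartbeats make a camera that stopped talking distinguishable from one that
    simply saw nothing; the guard's screen should show 'offline' as an alarm."""
    last_beat, last_motion = {}, {}
    for ts, cam, kind in events:
        if ts > now:
            continue
        if kind == "heartbeat":
            last_beat[cam] = max(last_beat.get(cam, -1), ts)
        elif kind == "motion":
            last_motion[cam] = max(last_motion.get(cam, -1), ts)
    states = {}
    for cam in set(last_beat) | set(last_motion):
        silence = now - last_beat.get(cam, -10**9)
        if silence > HEARTBEAT_INTERVAL * MISSED_BEATS_ALARM:
            states[cam] = "offline"
        elif cam in last_motion and now - last_motion[cam] < HEARTBEAT_INTERVAL:
            states[cam] = "motion"
        else:
            states[cam] = "quiet"
    return states
```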

Recent ransomware campaign

I’ve been trying to come up with an interesting way to tie this weekend’s worldwide ransomware attack into fiction, but I’m coming up short. Maybe it’s just too depressing. It just seems like a bunch of uninspired jackasses trying to steal money.

This malware is a bit more sophisticated than most, in that it comes in on email, a user clicks it and runs it (thinking it’s a link to a cat video or some damn thing), and then it spreads via file-sharing protocols to all the PCs on the local network, laughing at perimeter firewalls as it encrypts everyone’s files. For you sportsball fans, this is like the quarterback doing a fake to get the golden snitch past the goalie before the shortstop even hears the starter pistol. That’s called a slam dunk, friends.
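Because the spread happens inside the network, the perimeter firewall never sees it; a monitor that does see internal (east-west) flows can catch the pattern. As an added example (not from the original post), here is a simple fan-out detector run over constructed connection-log lines: a workstation that suddenly opens file-sharing (port 445) connections to many distinct peers within a short window is flagged, while a machine talking to its usual file server is not. The log format and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed internal flow log (hypothetical format and addresses).
LOG = """\
2017-05-12T10:00:01 src=10.0.0.5 dst=10.0.0.7 dport=445
2017-05-12T10:00:02 src=10.0.0.5 dst=10.0.0.8 dport=445
2017-05-12T10:00:02 src=10.0.0.5 dst=10.0.0.9 dport=445
2017-05-12T10:00:03 src=10.0.0.5 dst=10.0.0.10 dport=445
2017-05-12T10:00:03 src=10.0.0.5 dst=10.0.0.11 dport=445
2017-05-12T10:00:04 src=10.0.0.5 dst=10.0.0.12 dport=445
2017-05-12T10:00:10 src=10.0.0.20 dst=10.0.0.2 dport=445
2017-05-12T10:00:11 src=10.0.0.20 dst=10.0.0.2 dport=445
2017-05-12T10:05:00 src=10.0.0.20 dst=10.0.0.3 dport=445
2017-05-12T10:00:20 src=10.0.0.30 dst=10.0.0.7 dport=443
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(log):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def smb_fanout_alerts(log, window=timedelta(seconds=60), max_peers=4):
    """Flag sources that open port-445 connections to more than `max_peers` distinct
    hosts within `window`. Talking to one file server is normal; a workstation that
    reaches many peers at once looks like worm-style spreading. Returns {src: peers}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            peers = {d for t, d in conns[i:] if t - t0 <= window}
            if len(peers) > max_peers:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts
```

Tune `max_peers` and `window` to the environment; backup servers and vulnerability scanners legitimately fan out and need an allow-list rather than a lower threshold.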

The story has a couple of interesting points. It seems there was an ill-conceived but convenient kill switch. And it looks like this was a known vulnerability hoarded by the US government, so thanks for that, guys.

British hospitals seem to have been hit particularly hard, so much so that some have had to turn away patients. Pretend you’re a hospital that years ago purchased an expensive MRI machine operated by software that only runs on Windows XP. The company that sold the device and the software has long since gone out of business, so there’s no way to migrate to a supported operating system. People still need MRIs, so it’s not like you can just not use the thing. That kind of thing is likely why Microsoft released a patch for some of the legacy versions of Windows, so that was right neighborly of them.

This is a good reminder to run updates on your computers. All of them.

You can’t trust what’s on TV

A fellow named Rafael Scheel recently published some interesting research about hacking smart TVs. He discovered a way to use $150 worth of radio transmitter equipment to send signals to a smart TV. He combined this with a couple of other exploits (one involving the Adobe Flash player, one involving JavaScript, both supported by the web browser on the TV) to load malware on the TV.

Scheel’s attack is interesting, because it doesn’t require physical access to the TV, it’s virtually undetectable, and it’s very hard to remediate once exploited.

Imagine your book’s character parking her car outside her target’s business or residence, turning on her laptop, attaching a special transmitter, and tricking all the smart TVs in the area to upload an exploit. Then she could do any of several things:

  • use the TV’s wireless connection to attack other targets on the same network
  • join the TVs to a botnet to attack a web site
  • mine some bitcoins
  • capture audio using the TV’s voice control feature

Smart TVs are probably like most Internet of Things (IoT) devices. The manufacturer happily staples on all these features to add value but then falls short in addressing security problems discovered later. Have you ever heard of anyone applying a firmware update to a TV? My TVs are a few years old, making them somewhat antiquated. So maybe TV firmware updates are commonplace, but somehow I doubt it.

Do you have a smart TV? Is it connected to the internet?

Hacking medical devices

Stories about medical devices have come across my news feeds a few times in the last couple of months. Dutch security researchers found that they were able to hack several implantable medical devices.

[Photo: implantable medical device, much smaller than a nearby writing pen]

What’s interesting here is that the researchers were able to do this using a black-box approach: they just used radio equipment to eavesdrop on wireless signals between the implantable devices and the equipment used to maintain and control those devices. The researchers weren’t privy to the communication protocols the vendors use to control the devices, but the researchers were able to reverse-engineer these protocols and then send command signals of their own. These protocols typically used poorly-implemented encryption or no encryption at all.

The equipment the researchers used doesn’t come cheap, nor does the researchers’ expertise. Still, this makes it at least theoretically possible to do several things regarding devices like these:

  • Track the patient’s movements.
  • Trigger potentially fatal shocks in defibrillators and pacemakers.
  • Prevent a medical device from providing treatment.
  • Disable a device’s power-saving mode, causing its battery to drain too fast.

This isn’t entirely theoretical. Research like this has compelled at least one vendor to provide software upgrades to minimize these shortcomings. That’s probably an imperfect solution, but there are obviously some complications in providing firmware upgrades for already-deployed devices.

And in a case that’s presenting some interesting privacy questions, police arrested and indicted a man on charges of arson and insurance fraud. They used data from the suspect’s heart monitor as evidence that he set fire to his own house to collect the insurance money.

The radios in these implantable devices have a pretty short range, just around five meters. So your story’s character couldn’t run exploits like these from a great distance, but it provides some interesting possibilities.

Photo credit to ec-jpr for VVIR leadless St Jude Medical pacemaker