Category: security

Mid-January 2019 news roundup

Here are a few interesting items that have come through my news reader recently.

uPNP abuse

Universal Plug-and-Play (uPNP) is a feature that is enabled by default in most home routers. uPNP allows a network-enabled device on your home network to tell your router to allow external connections back to the device, like a gaming console or a media server.

While this feature might be useful in some cases, it has a history of security-related problems. A recent example involves tricking chromecast and other google-friendly devices into playing a video promoting someone’s youtube channel. You might enjoy reading that article if you want an idea of how a character in your story could get a victim’s TV to show a video of your character’s choice. Imagine getting someone’s TV to show a forged emergency broadcast system alert, for example.

You might also want to consider disabling uPNP on your home router.

Non-technical cyberwarfare

Gizmodo has an article reminding us that sometimes you don’t need mad skills to crack a network. The FBI was able to acquire evidence against drug kingpin El Chapo by persuading his sysadmin to give them the keys to decrypt encrypted voice-over-IP conversations. If your story’s character needs to compromise an otherwise secure computer network, bribing or blackmailing an insider might be a good alternative.

Biometrics v. photography

Have you ever seen a movie where someone is only able to enter a lab or operations center after putting their palm on a handprint scanner? Apparently that’s a real thing: the scanner looks at how the user’s veins are arranged. It turns out that a photograph FROM SEVERAL METERS AWAY reveals enough detail to create a wax hand that will fool some of these scanners.

I recently watched Die Another Day (2002), and I think they used a severed hand to get through one of these things. So, that kind of messy unpleasantness isn’t even necessary any more!

And if you’re a Bond villain with a lair under a volcano that you access with a handprint scanner, think about wearing gloves in public.

Advertisement

2018 absence

I knew it had been a while since I’ve posted here, but I hadn’t realized that it’s been over ten months. Lately it’s been hard to prioritize this blog when the world seems like a burning clown car hurtling toward a sinkhole filled with angry, ravenous bears. I’ll try to do better in 2019. In the meantime, Naked Security is running a series of blog posts about securing social media accounts. So if, like me, you haven’t quite managed to lop off these gangrenous appendages, these might be worth your time:

 

Netgear router update

If you use a Netgear router for your home network, please log on to your router and use the upgrade feature to apply an important security update. That feature is probably located under the Advanced and/or Administration sections of the router’s web-based menus.

This update addresses several vulnerabilities, some of which are remotely exploitable. The linked page indicates which vulnerabilities affect which routers, and I found that my router was affected by one of the vulnerabilities.

If a character in a story you’re writing needed to exploit this kind of thing against a target, it’s not a great stretch of the imagination. If your character emailed her target an email with a link to a web page she controls, and if the target clicked the link while on a computer at home, she’d have the target’s IP address (she could get that from looking at server logs). Once she knew the target’s IP address, she could interrogate the address herself with readily-available network tools, or she could use something like shodan to try to identify the kind of router her target uses. If the target has remote administration enabled (which may be a default settings in some router models), she could use publicized vulnerabilities like the ones linked above to break into her target’s home network.

You should probably run updates on your home router even if it isn’t made by Netgear.

Flash Player Zero-Day

A zero-day vulnerability is a software defect that doesn’t yet have a patch from the vendor. One of these currently exists for Adobe Flash Player, and it is being actively targeted by a working exploit. This particular defect (CVE-2018-4878) is a use-after-free vulnerability which allows remote code execution. This means that Flash Player tries to read instructions from a memory address that is no longer valid, and that the exploit is able to put malicious code at that memory address, causing Flash Player to execute the malicious code introduced by the exploit.

South Korean security researchers say that North Korea developed this exploit and have embedded it in Microsoft Word documents in an effort to attack South Koreans doing security research on North Korea, and that this has been going on for two or three months.

This zero-day started making news on 1 February, and Adobe says it’ll release a patch the week of 5 February. As in this case, it can take the vendor a while to address a defect like this. So if your character needs to compromise someone’s computer, she might search Dark Web forums for a recent zero-day like this and send it to her target in a phishing email, especially if she knows that her target is not diligent about keeping their computer up-to-date.

And if you use Flash Player, make sure you apply the patch when Adobe releases it. Version 28.0.0.137 is the affected version.

Equifax breach

The data breach at credit bureau Equifax has gotten a lot of attention in the last week. It seems that the company has been guilty of at least two significant blunders: unpatched software and default authentication credentials.

Unpatched software

Equifax has at least one web application built on Apache Struts, a category of software called a web application framework. Web developers use frameworks to build their applications, because the frameworks provide components common to many web applications, components that do things like handling input typed into a web form, generating HTML for web pages, etc. Frameworks allow web developers to skip over routine tasks and focus on the business logic specific to the application.

Like any software, frameworks have versions and updates. Equifax was using a version of Struts that had at least one serious and widely-known security vulnerability. When the Struts developers (not Equifax, but the people who make the Struts framework) became aware of the vulnerability, they released an update to the Struts framework. The Struts developers released this update months prior to the Equifax data breach. For whatever reason, Equifax didn’t update Struts on their site.

Default authentication credentials

Equifax hosts a web application that their Argentinian employees use to manage credit report data. That web application had a poor choice of authentication credentials: the username was admin, and the password was also admin. Logging in with those credentials allowed an attacker to retrieve the usernames and passwords of Equifax employees, which would in turn allow the attacker to retrieve Equifax customer information.

How does this happen?

Why didn’t Equifax apply the Struts update? A few possibilities come to mind:

  1. The didn’t know about the update. Equifax must have developers, system administrators, and security analysts. Maybe they were all blissfully ignorant of the update for over four months.
  2. Maybe the update was incompatible with the web application they built on the Struts framework. If that were the case, they should have identified and fixed the problem and then run the update. That might take days, but it shouldn’t take months.
  3. They probably have change control processes that delay an update. They wouldn’t immediately run the update on their live production servers. First they’d load it in a test environment, and then they’d test their application after applying the Struts update. But that should take at most days, and probably hours, especially with an update that addresses serious security vulnerabilities.

None of these is an excuse for waiting months to run the update, and there’s really no defending the admin/admin thing at all.

What this might mean to you

Brian Krebs has been a long-time advocate for security freezes, and I’m considering doing this. The only reason I haven’t done this yet is that it just seems like one more pain in the ass when my day job, the current political climate, and other stuff leave me wanting to do little more than read a book or sit in front of the TV binge-watching The Flash and Supergirl (which is why I haven’t been posting on this blog much lately).

The implications of the Equifax breach to a story-teller are obvious enough. If your character needs to break into a web site or computer network, she should look for out-of-date software or default authentication credentials. This sort of thing isn’t supposed to happen to a big company that should know better about how to protect the personal information of millions of people. But it does happen, which can make it a plausible plot device in your fiction. I see that nmap has a test to look specifically for the Struts vulnerability found on the Equifax site, and there are plenty of open-source tools to run brute-force password attacks.

The implications of the breach on a computer user are obvious, too. This is why it’s so important to run software updates on everything. Criminals are well aware of security vulnerabilities and are actively exploiting them. We all need to be running updates:

1. operating system and application software updates on our computers and mobile devices

2. firmware updates on the routers we use for our broadband internet connections

3. updates to self-hosted blogging software like wordpress (plugins, too)

And we need to be picking good passwords for everything. Did you ever change the password on your broadband router? Does “facebook” appear in your facebook password?

Physical access

You can do a lot if you have physical access to a computer.

Stealing login sessions with PoisonTap

PoisonTap is a pocket-sized Raspberry Pi device that you can plug into a computer’s USB port. It impersonates a new wired network connection and responds to outbound HTTP traffic. If the computer’s user is logged on to any of an extensive list of popular web sites, PoisonTap is able to capture the cookies and write them to a text file on the USB device.This works even if the screen is locked.

If your character needs to gain access to someone’s online accounts, your character could follow her target to the coffee shop, wait for the target to go to the bathroom, plug this device into the target’s computer for a minute, and be gone before the victim knew what was happening. If the target happened to be logged on to the online resource your character needs to access, she’ll have the session IDs on the USB drive. She may need to hurry: those session IDs will become invalid as soon as the target logs out of those web sites.

Reading the MacOS FileVault2 password with PCILeech

This is a vulnerability that Apple patched just this month, so it wouldn’t work on a real-world Mac running Sierra v10.12.2 or better. But Macs were vulnerable to this particular exploit for more than four months.

PCILeech refers to a mix of hardware and software that your character could use to break in to an unpatched Mac. The video shows using a laptop attached to the device that your character would plug into the target Mac. (Maybe it would be possible to use something smaller, like a tablet or a Raspberry Pi or Arduino.)

PCILeech is able to recover the FileVault2 password from the Mac’s memory after rebooting the Mac. Once your character has the FileVault password, she has full access to the Mac. This will work even if the Mac is locked with a screensaver or hibernating, but it won’t work if the Mac is completely powered off. And the target might notice that his Mac rebooted.

USB kill stick

And if your character just wants to destroy a target device, there’s the USB kill stick. It’s a USB device that looks like a harmless thumb drive. It has several capacitors that start drawing power as soon as it’s plugged in. When the capacitors are charged (which appears to take no time at all), the kill stick rapidly discharges the capacitors right back into the port. Some devices have hardware protection against this, but many do not. The video on the page shows the researcher plugging the stick into several devices, frying many of them. It makes a lovely noise when that happens.

Conclusion

I bet you think twice about leaving your laptop unattended. Remember to…

  • RUN YOUR OPERATING SYSTEM UPDATES!!!!!
  • Hope that your favorite devices have overvoltage protection
  • Never, ever use the Internet for anything

 

Yesterday’s IoT attack on Dyn

Yesterday criminals used an “Internet of Things” (IoT) botnet to attack dyn.com, a provider of name services. The domain name service (DNS) is the network protocol that converts something memorable (like http://www.amazon.com) into the IP address you browser needs (54.239.26.128) in order to connect to the remote server hosting the web page you want to visit. dyn.com is a company that provides these services. And as the InfoSec Handlers point out, lots of big-name web sites including twitter and spotify use dyn.com services and were affected by the attack.

IoT is the name given to consumer devices that you can buy and then attach to the Internet for various reasons (I’ve written about IoT before). Many of these devices have really poor security. They commonly have default and well-known passwords that many users don’t change. So there are lots of Internet-connected devices (easily discoverable with databases like Shodan) with no protection against someone who knows the default passwords.

Brian Krebs has a lot of good detail about yesterday’s attack and how it was the work of IoT devices like video cameras and DVRs controlled by Mirai. Mirai is (publicly available!) malware that scours the Internet looking for devices with default passwords and uses them to attack specific targets. Yesterday someone pointed those devices at dyn.com, and that’s why you had trouble tweeting about why you couldn’t listen to your music.

Manufacturers have sold a lot of this IoT junk, and we’ll be stuck with this sort of thing for years.