
Monthly Archives: January 2016

I’ll take some Customer info with my Burger & Fries please

Quote

Wendy’s, the nationwide chain of fast-food restaurants, says it is investigating claims of a possible credit card breach at some locations. The acknowledgment comes in response to questions from KrebsOnSecurity about banking industry sources who discovered a pattern of fraud on cards that were all recently used at various Wendy’s locations… “We have received this month from our payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations,” Bertini said. “Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.”

When will businesses start taking IT Security seriously? (…not until a few get put out of business, I fear…)

Got to love Outsourcing that Support!

Quote

UK ISP TalkTalk is considering cutting ties with its Indian call center provider after three employees at the site were arrested for allegedly scamming customers.

The budget telco said police in Kolkata have nabbed a trio of Wipro call center workers as part of an investigation into security practices. Wipro runs the customer service call center for TalkTalk.

“Acting on information supplied by TalkTalk, the local Police have arrested three individuals who have breached our policies and the terms of our contract with Wipro,” TalkTalk said in a statement posted Wednesday.

I am not a big fan of the outsourcing option. In my experience, it just builds customer resentment for the shoddy, sub-standard service delivered. Best to keep these jobs at home.

Fortigate Back Door

Quote

Fortinet has admitted that many more of its networking boxes have the SSH backdoor that was found hardcoded into FortiOS – with FortiSwitch, FortiAnalyzer and FortiCache all vulnerable… “Following the recent SSH issue, Fortinet’s Product Security Incident Response team, in coordination with our engineering and QA teams, undertook an additional review of all of our Fortinet products,” said the company in a blog post.

“During this review we discovered the same vulnerability issue on some versions of FortiSwitch, FortiAnalyzer and FortiCache. These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS.”

Now the risk list includes FortiAnalyzer versions 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4, FortiSwitch versions 3.3.0 to 3.3.2, FortiCache 3.0.0 to 3.0.7 (but branch 3.1 is not affected) along with gear running FortiOS 4.1.0 to 4.1.10, 4.2.0 to 4.2.15, 4.3.0 to 4.3.16, and the builds 5.0.0 to 5.0.7.

In all cases, the problem can be sorted by updating to the latest firmware builds. Don’t delay – hackers are closing in on the backdoor management authentication issue.

“Looking at our collected SSH data, we’ve seen an increase in scanning for those devices in the days since the revelation of the vulnerability,” said Jim Clausing, a mentor with the SANS Institute.

“Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18). So if you haven’t already applied patches and put ACLs/firewall rules in front of these devices limiting access to ssh from only specific management IPs, you have probably already been scanned and possibly pwned.”

Evil OpenSSH servers can steal your private login keys to other systems

Quote

Patch now and consider regenerating your keys just in case

Malicious OpenSSH servers can silently steal people’s private SSH keys as they try to login, it emerged today.

This means criminals who compromise one server can secretly grab keys needed to log into other systems from a user’s computer – allowing crooks to jump from server to server.

The security cockup, present in the default configuration of OpenSSH, has been patched today, and all users and administrators are urged to update as soon as possible. … The bug lies in versions 5.4 to 7.1 of the OpenSSH client, specifically in a little-known default-enabled feature called roaming that allows you to restart an SSH session after the connection has been interrupted. The roaming code contains an information sharing flaw (CVE-2016-0777) and a mildly harmless buffer overflow (CVE-2016-0778) blunder. … The OpenSSH team has released version 7.1p2 that fixes the issue and software houses are scrambling to lock down this latest threat. The latest builds of FreeBSD and OpenBSD have already been patched, as have Debian, Ubuntu, and Red Hat Enterprise Linux.
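The Fortinet backdoor item and this OpenSSH roaming item both come down to the same defender task: finding which devices and clients in your inventory run a version inside the quoted ranges, which is harder than it looks because "5.2.10" sorts before "5.2.4" as a string. The following is an added example, not code from either vendor or article; the inventory rows are constructed, and OpenSSH 7.1p2 is treated as the first fixed client release, as the article states.

```python
import re

# Version ranges quoted in the two articles above (inclusive on both ends).
# OpenSSH 7.1p2 is the fixed release, so the affected client range ends at 7.1p1.
AFFECTED = {
    "FortiOS":       [("4.1.0", "4.1.10"), ("4.2.0", "4.2.15"),
                      ("4.3.0", "4.3.16"), ("5.0.0", "5.0.7")],
    "FortiAnalyzer": [("5.0.5", "5.0.11"), ("5.2.0", "5.2.4")],
    "FortiSwitch":   [("3.3.0", "3.3.2")],
    "FortiCache":    [("3.0.0", "3.0.7")],   # branch 3.1 is not affected
    "OpenSSH":       [("5.4", "7.1p1")],
}

def parse_version(text):
    """'5.0.11' -> (5, 0, 11); '7.1p2' -> (7, 1, 2); '7.1' -> (7, 1).
    Integer tuples compare numerically, so 5.2.10 correctly sorts after
    5.2.4, which a plain string comparison gets wrong."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:p(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = tuple(int(x) for x in m.group(1).split("."))
    if m.group(2) is not None:            # portable-release suffix, e.g. p2
        parts += (int(m.group(2)),)
    return parts

def is_affected(product, version):
    """True if version lies inside one of the quoted ranges for product."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED.get(product, []))

def audit(inventory):
    """inventory: iterable of (hostname, product, version).
    Returns the hostnames that still need the firmware/client update."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-edge-1",   "FortiOS",       "4.3.16"),
    ("fw-edge-2",   "FortiOS",       "5.2.3"),
    ("log-1",       "FortiAnalyzer", "5.2.4"),
    ("cache-1",     "FortiCache",    "3.1.2"),
    ("jumphost",    "OpenSSH",       "6.6p1"),
    ("workstation", "OpenSSH",       "7.1p2"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: affected, update firmware/client")
```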

Comcast (monopolist) using browser injection Upsell New Modems

Quote

We already know that Comcast can — and does — inject alerts into users’ web browsers to alert them to potential copyright infringement, but the nation’s largest Internet provider can also use this ability to interrupt your enjoyment of the web in order to remind you to upgrade your modem.

Consumerist reader and Comcast customer “BB” says that the cable company upgraded the network in his area in recent months, and has been writing and calling him regularly about upgrading his modem ever since.

“For months we received multiple letters in the mail, explaining how we were missing out on the great new capabilities of their network,” writes BB. “This eventually escalated to repeated phone calls from Comcast, stating that we should really upgrade our modem.”
Thing is, BB owns the modem he uses and he’s experienced no problems with service or speeds since the network upgrade. He’d rather not spend money on a new modem — or pay Comcast too much to rent one from the company — when what he has is working just fine.

And BB is not some minor Internet user with an ancient desktop computer that he only uses to check email once a week. In fact, he’s a software developer living — like many of us — in a home with multiple web-connected devices.

“We stream Netflix and YouTube and our Internet speed is great for everything we need,” he writes. “Why should I spend the money?” … “Now they’ve moved to more aggressive measures to try to get me to upgrade,” writes BB. “The other day as I was browsing the web on my phone, on my home WiFi, I got a pop-up notice while browsing on wired.com.” (see screenshot above)

In big red letters, the notice alerts BB that there is some “Action Needed” on his service.

It reads:
“Our records indicate that the cable modem, which you currently use for your XFINITY Internet service, may not be able to receive the full range of our speeds. To ensure you’re receiving the full benefits of your XFINITY Internet service, please replace your cable modem.”

Use HTTPS and change your DNS to a non-Comcast DNS. Above all, do not use any Comcast firewall/routers, as they are cheap, insecure and feature Comcast’s ability to turn your paid-for internet connection into a public wifi access point which they on-sell to others at your expense. That should be disabled.

Comcast is an example of what is wrong in the country. In many markets it acts and is a monopolist. It is time to separate content delivery from transmission and end the monopoly and duopoly market conditions.

Fatally weak MD5 function torpedoes crypto protections in HTTPS and IPSEC

Quote

If you thought MD5 was banished from HTTPS encryption, you’d be wrong. It turns out the fatally weak cryptographic hash function, along with its only slightly stronger SHA1 cousin, are still widely used in the transport layer security protocol that underpins HTTPS. Now, researchers have devised a series of attacks that exploit the weaknesses to break or degrade key protections provided not only by HTTPS but also other encryption protocols, including Internet Protocol Security and secure shell.

The attacks have been dubbed SLOTH—short for security losses from obsolete and truncated transcript hashes. The name is also a not-so-subtle rebuke of the collective laziness of the community that maintains crucial security regimens forming a cornerstone of Internet security. And if the criticism seems harsh, consider this: MD5-based signatures weren’t introduced in TLS until version 1.2, which was released in 2008. That was the same year researchers exploited cryptographic weaknesses in MD5 that allowed them to spoof valid HTTPS certificates for any domain they wanted. Although SHA1 is considerably more resistant to so-called cryptographic collision attacks, it too is considered to be at least theoretically broken. (MD5 signatures were subsequently banned in TLS certificates but not other key aspects of the protocol.)

“Notably, we have found a number of unsafe uses of MD5 in various Internet protocols, yielding exploitable chosen-prefix and generic collision attacks,” the researchers wrote in a technical paper scheduled to be discussed Wednesday at the Real World Cryptography Conference 2016 in Stanford, California. “We also found several unsafe uses of SHA1 that will become dangerous when more efficient collision-finding algorithms for SHA1 are discovered.”

The most practical SLOTH attack breaks what’s known as TLS-based client authentication. Although it’s not widely used, some banks, corporate websites, and other security-conscious organizations rely on it to ensure an end user is authorized to connect to their website or virtual private network. It works largely the same way as TLS server authentication, except that it’s the end user who provides the certificate rather than the server.

Avon Calling?

Quote

Security researchers have discovered a glaring security hole that exposes the home network password of users of a Wi-Fi-enabled video doorbell. The issue – now resolved – underlines how default configurations of IoT components can introduce easy to exploit security holes.

The Ring allows punters to answer people knocking on your door from your mobile phone, even when you’re not at home. The kit acts as a CCTV camera, automatically activating if people approach your door, letting homeowners talk to visitors, delivery couriers and so on.

There’s an optional feature that allows the kit to hook up to some smart door locks, so users can let guests into their home even when they aren’t in. … The device is secured outside a house using two commonly available Torx T4 screws, leaving it vulnerable to theft. Ring offer a free replacement if the kit is stolen, so homeowners are covered in that scenario (at least).

However that’s not the end of the problems with the device. An easy attack makes it all too simple to steal a homeowner’s Wi-Fi key. To do this, hackers would need to take the kit off the door mounting, flip it over and press the orange “set up” button.

“Pressing the setup button [puts] the doorbell’s wireless module (a Gainspan wireless unit) into a setup mode, in which it acts as a Wi-Fi access point,” Pen Test Partners consultant David Lodge explains in a blog post. “By connecting to a web server running on the Gainspan unit, the wireless configuration is returned including the configured SSID and PSK in cleartext.”

A colleague of mine calls the Internet of Things the Internet of Targets — how true.

Comcast’s Xfinity home alarms can be disabled by wireless jammers


If you trust your ISP to provide Network and Physical Security, you have a fool for an adviser

Quote

Some intruders no longer need to come in through the kitchen window. Instead, they can waltz right in through the front door, even when a home is protected by an internet-connected alarm system. A vulnerability in Comcast’s Xfinity Home Security System could allow attackers to open protected doors and windows without triggering alarms, researchers with cybersecurity firm Rapid7 wrote in a blog post today.

The security bug relates back to the way in which the system’s sensors communicate with their home base station. Comcast’s system uses the popular ZigBee protocol, but doesn’t maintain the proper checks and balances, allowing a given sensor to go minutes or even hours without checking in. The biggest hurdle in exploiting the vulnerability is finding or building a radio jammer, which is illegal under federal law. Attackers can also circumvent alarms with a software-based de-authentication attack on the ZigBee protocol itself, although that method requires more expertise. Attackers would also need to know a house was using the Xfinity system before attempting to break in, a major hurdle in exploiting the finding.

“The sensor had no memory of the break-in happening”

To prove his findings, Rapid7 researcher Phil Bosco simulated a radio jamming attack on one of his system’s armed window sensors. While jamming the sensor’s signal, he opened a monitored window. The sensor said it was armed, but it failed to detect anything out of the ordinary. But perhaps even more worrisome than the active intrusion itself is that the sensor had no memory of it happening and took anywhere from several minutes to three hours to come back online and reestablish communication with its home base.
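The failure the article describes is a missing supervision check: the base station keeps trusting a sensor's last "closed" report while the sensor is silent. The following is an added example, not Rapid7's or Comcast's code, showing the base-station-side logic that would catch this: while armed, any sensor that misses its check-in window raises a supervision-loss alert. The 90-second window is an assumed policy value and the check-in log is constructed to mirror the jammed window sensor in the article.

```python
from datetime import datetime, timedelta

# Supervision window: while armed, every sensor must check in at least this
# often, or the base station raises an alert instead of trusting its last
# "closed" report. The 90 s value is an assumed policy, not Comcast's.
SUPERVISION_WINDOW = timedelta(seconds=90)

def parse_log(lines):
    """Parse constructed check-in lines '<ISO time> <sensor> <state>'."""
    events = []
    for line in lines:
        ts, sensor, state = line.split()
        events.append((datetime.fromisoformat(ts), sensor, state))
    return events

def supervise(events, armed_from, armed_until, window=SUPERVISION_WINDOW):
    """Return alerts as (kind, sensor, time): 'open' for a reported opening,
    'supervision_loss' when a sensor stayed silent longer than the window
    while armed, which is exactly what a jammed sensor looks like."""
    checkins, alerts = {}, []
    for ts, sensor, state in sorted(events):
        checkins.setdefault(sensor, []).append(ts)
        if armed_from <= ts <= armed_until and state == "open":
            alerts.append(("open", sensor, ts))
    for sensor, times in checkins.items():
        # armed_until acts as a sentinel so silence at the end is caught too
        for prev, nxt in zip(times, times[1:] + [armed_until]):
            deadline = prev + window
            if deadline < nxt and armed_from <= deadline <= armed_until:
                alerts.append(("supervision_loss", sensor, deadline))
    return sorted(alerts, key=lambda a: a[2])

def make_sample():
    """Constructed log: door-1 checks in every 30 s; window-1 checks in until
    22:01:30, is then silent until 22:20:00 and, like the sensor in the
    article, never reports that it was opened in between."""
    base = datetime(2016, 1, 5, 22, 0, 0)
    lines = []
    for i in range(44):                      # 22:00:00 .. 22:21:30
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} door-1 closed")
        if i <= 3 or i >= 40:                # silent for ticks 4..39
            lines.append(f"{t.isoformat()} window-1 closed")
    return lines

def run_sample():
    base = datetime(2016, 1, 5, 22, 0, 0)
    armed_until = base + timedelta(minutes=21, seconds=30)
    return supervise(parse_log(make_sample()), base, armed_until)

if __name__ == "__main__":
    for kind, sensor, when in run_sample():
        print(f"{when.time()} {sensor}: {kind}")
```

The sample never produces an "open" alert, which is the point: with a sensor that has no memory of the intrusion, the silence itself is the only signal the base station has, so it must be treated as an alarm condition.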

Irked train hackers talk derailment flaws, drop SCADA password list

Quote

32c3 A trio of Russian hackers say core flaws in rail networks are opening trains to hijacking and derailment and have published dozens of hardcoded industrial control system credentials to kick vendors into action.

Industrial control specialist hackers Sergey Gordeychik, Aleksandr Timorin, and Gleb Gritsai did not describe the bugs in detail, since that would allow others to replicate the attacks, nor reveal the names of the affected rail operators.

Flaws affect various systems including mobile communication and interlocking platforms that control braking and help prevent collisions.

There are also possible paths between trains’ operational systems and passenger entertainment systems, they say.

Overlooked bugs in device drivers, even in apparently-benign applications, can also be exploited by clever attackers into more powerful vectors: “If somebody can attack the modem, the modem can attack the automatic train control system, and they can control the train,” Gordeychik says.

In place of vulnerability details they showed the December Chaos Communications Congress in Hamburg a blank screen.