
Avon Calling?

Quote

Security researchers have discovered a glaring security hole that exposes the home network password of users of a Wi-Fi-enabled video doorbell. The issue – now resolved – underlines how default configurations of IoT components can introduce easy to exploit security holes.

The Ring allows punters to answer people knocking on your door from your mobile phone, even when you’re not at home. The kit acts as a CCTV camera, automatically activating if people approach your door, letting homeowners talk to visitors, delivery couriers and so on.

There’s an optional feature that allows the kit to hook up to some smart door locks, so users can let guests into their home even when they aren’t in. …The device is secured outside a house using two commonly available Torx T4 screws, leaving it vulnerable to theft. Ring offer a free replacement if the kit is stolen, so homeowners are covered in that scenario (at least).

However that’s not the end of the problems with the device. An easy attack makes it all too simple to steal a homeowner’s Wi-Fi key. To do this, hackers would need to take the kit off the door mounting, flip it over and press the orange “set up” button.

“Pressing the setup button [puts] the doorbell’s wireless module (a Gainspan wireless unit) into a setup mode, in which it acts as a Wi-Fi access point,” Pen Test Partners consultant David Lodge explains in a blog post. “By connecting to a web server running on the Gainspan unit, the wireless configuration is returned including the configured SSID and PSK in cleartext.”

A colleague of mine calls the Internet of Things the Internet of Targets. How true.

Comcast’s Xfinity home alarms can be disabled by wireless jammers


If you trust your ISP to provide Network and Physical Security, you have a fool for an adviser

Quote

Some intruders no longer need to come in through the kitchen window. Instead, they can waltz right in through the front door, even when a home is protected by an internet-connected alarm system. A vulnerability in Comcast’s Xfinity Home Security System could allow attackers to open protected doors and windows without triggering alarms, researchers with cybersecurity firm Rapid7 wrote in a blog post today.

The security bug relates back to the way in which the system’s sensors communicate with their home base station. Comcast’s system uses the popular ZigBee protocol, but doesn’t maintain the proper checks and balances, allowing a given sensor to go minutes or even hours without checking in. The biggest hurdle in exploiting the vulnerability is finding or building a radio jammer, which is illegal under federal law. Attackers can also circumvent alarms with a software-based de-authentication attack on the ZigBee protocol itself, although that method requires more expertise. Attackers would also need to know a house was using the Xfinity system before attempting to break in, a major hurdle in exploiting the finding.

“The sensor had no memory of the break-in happening”

To prove his findings, Rapid7 researcher Phil Bosco simulated a radio jamming attack on one of his system’s armed window sensors. While jamming the sensor’s signal, he opened a monitored window. The sensor said it was armed, but it failed to detect anything out of the ordinary. But perhaps even more worrisome than the active intrusion itself is that the sensor had no memory of it happening and took anywhere from several minutes to three hours to come back online and reestablish communication with its home base.
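As an added example (not Comcast or Rapid7 code, and not a description of how the Xfinity base station is actually built), the constructed simulation below shows the check the article says was missing. A base station that reacts only to frames it receives stays silently “armed” through a jamming window; one that supervises check-in timing raises a fault when an armed sensor goes quiet; and a sensor that remembers an unacknowledged state change reports the opening once the jamming stops, instead of having “no memory” of it. The sensor name, the 20 s check-in period, the 60 s supervision window and the jamming interval are all assumptions for the demo.

```python
"""Added example (not Comcast or Rapid7 code): why an alarm base station must
supervise sensor check-ins. Events, timings and sensor names are constructed."""
from dataclasses import dataclass
from typing import Optional

SUPERVISION_WINDOW = 60.0  # assumed: seconds an armed sensor may stay silent
CHECKIN_INTERVAL = 20      # assumed: sensor heartbeat period in seconds


@dataclass
class Event:
    t: float                 # time the frame reaches the base station (s since arming)
    sensor: str
    kind: str                # "checkin", "open" or "close"
    sent_at: Optional[float] = None  # original send time if this is a retransmission


class NaiveBaseStation:
    """Models the reported behaviour: reacts only to 'open' frames that arrive.
    A jammed frame never arrives, so an opened window is simply not seen."""
    def __init__(self, sensors):
        self.sensors = list(sensors)
        self.alarms = []

    def feed(self, ev):
        if ev.kind == "open":
            self.alarms.append((ev.t, ev.sensor, "open", ev.sent_at))

    def tick(self, now):
        pass  # no supervision of silent sensors


class SupervisedBaseStation(NaiveBaseStation):
    """Same, plus a per-sensor supervision timer: an armed sensor not heard from
    within the window raises a fault instead of quietly staying 'armed'."""
    def __init__(self, sensors, window=SUPERVISION_WINDOW):
        super().__init__(sensors)
        self.window = window
        self.last_seen = {s: 0.0 for s in self.sensors}
        self.faulted = set()

    def feed(self, ev):
        self.last_seen[ev.sensor] = ev.t
        self.faulted.discard(ev.sensor)  # contact restored clears the fault latch
        super().feed(ev)

    def tick(self, now):
        for s, seen in self.last_seen.items():
            if now - seen > self.window and s not in self.faulted:
                self.faulted.add(s)
                self.alarms.append((now, s, "supervision-loss", None))


def sensor_traffic(sensor, horizon, open_at, close_at):
    """Constructed sensor behaviour: periodic check-ins plus one open/close."""
    evs = [Event(t, sensor, "checkin") for t in range(0, horizon + 1, CHECKIN_INTERVAL)]
    evs += [Event(open_at, sensor, "open"), Event(close_at, sensor, "close")]
    return sorted(evs, key=lambda e: e.t)


def radio_link(events, jam_start, jam_end, retransmit=False):
    """Frames sent during [jam_start, jam_end) are lost to jamming (or de-auth).
    With retransmit=True the sensor keeps unacknowledged state changes and resends
    them with the first frame that gets through, rather than forgetting them."""
    delivered, held = [], []
    for ev in events:  # events are already in time order
        if jam_start <= ev.t < jam_end:
            if retransmit and ev.kind in ("open", "close"):
                held.append(ev)
            continue
        delivered.append(ev)
        for h in held:
            delivered.append(Event(ev.t, h.sensor, h.kind, sent_at=h.t))
        held = []
    return delivered


def run(station, events, horizon, step=1.0):
    """Deliver frames in time order while the station clock ticks every `step` s."""
    i, now = 0, 0.0
    while now <= horizon:
        while i < len(events) and events[i].t <= now:
            station.feed(events[i])
            i += 1
        station.tick(now)
        now += step
    return station.alarms


def demo():
    sensors = ["window-1"]
    traffic = sensor_traffic("window-1", horizon=300, open_at=130, close_at=150)
    # Intruder jams from 100 s to 260 s and opens the window at 130 s.
    jammed = radio_link(traffic, 100, 260)
    naive = run(NaiveBaseStation(sensors), jammed, 300)            # sees nothing
    supervised = run(SupervisedBaseStation(sensors), jammed, 300)  # faults at 141 s
    # Sensor with memory: the 'open' is reported late, when the jamming stops.
    latched = run(NaiveBaseStation(sensors), radio_link(traffic, 100, 260, retransmit=True), 300)
    return naive, supervised, latched
```

The supervision fault fires 61 s after the last heard check-in, long before the three hours the researcher observed, and it fires whether the silence is caused by a jammer, a ZigBee de-authentication or a dead battery, which is exactly why a monitored alarm should treat loss of contact as an event in its own right.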

Irked train hackers talk derailment flaws, drop SCADA password list

Quote

32c3 A trio of Russian hackers say core flaws in rail networks are opening trains to hijacking and derailment and have published dozens of hardcoded industrial control system credentials to kick vendors into action.

Industrial control specialist hackers Sergey Gordeychik, Aleksandr Timorin, and Gleb Gritsai did not describe the bugs in detail, since that would allow others to replicate the attacks, nor did they reveal the names of the affected rail operators.

Flaws affect various systems including mobile communication and interlocking platforms that control braking and help prevent collisions.

There are also possible paths between trains’ operational systems and passenger entertainment systems, they say.

Overlooked bugs in device drivers, even in apparently-benign applications, can also be exploited by clever attackers into more powerful vectors: “If somebody can attack the modem, the modem can attack the automatic train control system, and they can control the train,” Gordeychik says.

In place of vulnerability details they showed the December Chaos Communications Congress in Hamburg a blank screen.

Crooks stole my bikes after cycling app blabbed my address

Quote

An IT manager in Manchester, England, says thieves stole his bikes after a smartphone cycling app pinpointed the location of his garage.

Mark Leigh, 54, of Failsworth, said his two bicycles – worth £500 ($750) and £1,000 ($1,500) – were nicked shortly after he made his address and details of his bikes public on the popular biking app Strava, the Manchester Evening News reports.

The app includes an optional privacy setting that conceals the exact location of your home, but Leigh was not aware of this switch when he shared details of his bike rides via the software. Strava encourages people to publish their routes and journey times to make the application more engaging among enthusiasts.

Unfortunately, doing so tips off crooks as to where bikes are kept and when they are not in use.
….
All of which is a timely reminder to people over why they should be careful about what apps they use, what information they share, and why it’s worthwhile spending a bit of time digging into the privacy settings that many apps now offer.

….and this guy was an IT “expert” (??)

If you let in the Feds, you’ll let in anyone

Quote

Juniper’s VPN security hole is proof that govt backdoors are bonkers

Juniper’s security nightmare gets worse and worse as experts comb the ScreenOS firmware in its old NetScreen firewalls.

Just before the weekend, the networking biz admitted there had been “unauthorized” changes to its software, allowing hackers to commandeer equipment and decrypt VPN traffic.

In response, Rapid7 reverse engineered the code, and found a hardwired password that allows anyone to log into the boxes as an administrator via SSH or Telnet.

Now an analysis of NetScreen’s encryption algorithms by Matthew Green, Ralf-Philipp Weinmann, and others, has found another major problem.

“For the past several years, it appears that Juniper NetScreen devices have incorporated a potentially backdoored random number generator, based on the NSA’s Dual EC DRBG algorithm,” wrote Green, a cryptographer at Johns Hopkins University in Maryland, US.

“At some point in 2012, the NetScreen code was further subverted by some unknown party, so that the very same backdoor could be used to eavesdrop on NetScreen connections. While this alteration was not authorized by Juniper, it’s important to note that the attacker made no major code changes to the encryption mechanism – they only changed parameters.”

The Dual EC DRBG random number generator was championed by the NSA, although researchers who studied the spec found that data encrypted using the generator could be decoded by clever eavesdroppers.

ScreenOS uses the Dual EC DRBG in its VPN technology, but as a secondary mechanism: it’s used to prime a fast 3DES-based number generator called ANSI X9.17, which is secure enough to kill off any cryptographic weaknesses introduced by Dual EC. Phew, right? Bullet dodged, huh?

No. In Juniper’s case there’s a problem. The encrypted communications can still be decoded using just 30 or so bytes of raw Dual EC output. And, lo, conveniently, there’s a bug in ScreenOS that will cause the firmware to leak that very sequence of numbers, undermining the security of the system.

Also, worryingly, ScreenOS does not use Dual EC with the special constant Q defined by the US government – it uses its own value.

Armed with those 30 bytes of seed data, and knowledge of Juniper’s weird Dual EC parameters, eavesdroppers can decrypt intercepted VPN traffic.

….
Green points out that this is a classic example of why backdoors are a bad idea all round. It’s something politicians and law enforcement officials may want to ponder the next time they call for mandatory government access to encrypted communications.

If they are going to build backdoors into encryption, such as by fiddling with the mathematics or sliding in convenient bugs, someone else is going to find the way in.
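As an added example (not Juniper’s ScreenOS code and not the researchers’ own tooling), the block below implements the Dual EC DRBG step on the real NIST P-256 curve and shows why knowing the hidden relation between P and Q turns one truncated output block into knowledge of every block that follows: whoever holds d with P = d*Q lifts the leaked x-coordinate back to a curve point, multiplies by d and obtains the generator’s next internal state, then confirms the guess against the following block. It models only the raw Dual EC layer the article says ScreenOS leaks, with no additional input or reseeding, and nothing of the X9.17 stage or the VPN key schedule. The secret e, the seed and the 8-bit truncation are constructed for the demo (the spec drops 16 bits, leaving 30 bytes).

```python
"""Added example (not Juniper's code): Dual EC DRBG on NIST P-256 and the state
recovery available to whoever knows d with P = d*Q. Secret, seed and truncation
width are constructed for the demo."""

# NIST P-256 domain parameters (public constants).
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
a = p - 3
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# The spec drops the top 16 bits of each 256-bit x-coordinate (30 bytes out per
# block). 8 bits here keeps the guess loop at 256 iterations in pure Python; the
# attack is identical with 16, just 2^16 guesses.
TRUNC_BITS = 8
MASK = (1 << (256 - TRUNC_BITS)) - 1


def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + ax + b; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, A):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def lift_x(x):
    """A point with x-coordinate x, or None if no such point exists
    (p = 3 mod 4, so v^((p+1)/4) is a square root of v whenever one exists)."""
    v = (pow(x, 3, p) + a * x + b) % p
    y = pow(v, (p + 1) // 4, p)
    return (x, y) if y * y % p == v else None


def dual_ec_block(s, Q):
    """One Dual EC step: s' = x(s*P); output = x(s'*Q) with the top bits dropped."""
    s = ec_mul(s, P)[0]
    return s, ec_mul(s, Q)[0] & MASK


def backdoored_q(e):
    """Whoever picks Q chooses a secret e, publishes Q = e*P and keeps
    d = e^-1 mod n, so that d*Q = P. Returns (Q, d)."""
    return ec_mul(e, P), pow(e, -1, n)


def recover_state(out1, out2, d, Q):
    """For each guess of the dropped bits, lift R = s1*Q from the leaked
    x-coordinate, compute d*R = s1*P (its x-coordinate is the next state s2),
    and keep the guess whose next output block matches out2."""
    for top in range(1 << TRUNC_BITS):
        R = lift_x((top << (256 - TRUNC_BITS)) | out1)
        if R is None:
            continue  # roughly half of all x values are not on the curve
        s2 = ec_mul(d, R)[0]  # the sign of R is irrelevant: x(-T) == x(T)
        if ec_mul(s2, Q)[0] & MASK == out2:
            return s2
    return None


def demo():
    Q, d = backdoored_q(0x1d1c0ffee)          # constructed secret behind Q
    seed = 0x5eed5eed5eed5eed                 # victim's secret seed, never leaked
    s, outs = seed, []
    for _ in range(3):                        # victim emits three blocks
        s, out = dual_ec_block(s, Q)
        outs.append(out)
    s2 = recover_state(outs[0], outs[1], d, Q)   # attacker sees blocks 1 and 2 only
    s3, predicted = dual_ec_block(s2, Q)         # and predicts block 3 blind
    return {"true_state": s, "recovered_state": s3,
            "observed": outs[2], "predicted": predicted,
            "relation_holds": ec_mul(d, Q) == P}
```

Without d, nothing here helps: getting s1 back from x(s1*Q) alone is the elliptic-curve discrete logarithm problem. That asymmetry is what makes the construction a backdoor for one party rather than a weakness for everyone, and it is also why swapping in a different Q, as someone did in the 2012 ScreenOS change, hands the same capability to whoever knows the d for the new point.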

Hello children, may I steal your personal data?

Quote

Up to 3.3 million Hello Kitty users have had their personal data exposed due to a database breach at the brand’s online community SanrioTown.com, a security researcher has discovered….The exposed records include users’ names, birthdates, gender, nationality, email addresses, unsalted SHA-1 password hashes, and password hint questions.

“While having sensitive details exposed is bad enough for adults, when the information relates to a child it’s far worse.

“If someone managed to compromise a child’s identity, the fraud might not be detected for years because most parents don’t monitor their child’s credit record,” noted Salted Hash writer Steve Ragan.

In addition to the primary Sanriotown database, two additional backup servers containing mirrored data were also compromised, it said.

The earliest known date of publication for the private information was 22 November this year

Sanrio, as well as the ISP being used to host the database itself, have all been notified, reported the site.

Earlier this month toymaker VTech admitted that millions of kiddies’ online profiles were left exposed to hackers – much higher than the 220,000 first feared.

Best to keep toys that require “membership” on the no-go list. That includes the likes of Farcebook

Malware hijacks PC’s boot process to gain stealth, persistence

Quote

Bootkit targeting banks and payment card processors hard to detect and remove.

Malware targeting banks, payment card processors, and other financial services has found an effective way to remain largely undetected as it plucks sensitive card data out of computer memory. It hijacks the computer’s boot-up routine in a way that allows highly intrusive code to run even before the Windows operating system loads.

The so-called bootkit has been in operation since early this year and is part of “Nemesis,” a suite of malware that includes programs for transferring files, capturing screens, logging keystrokes, injecting processes, and carrying out other malicious actions on an infected computer. Its ability to modify the legitimate volume boot record makes it possible for the Nemesis components to load before Windows starts. That makes the malware hard to detect and remove using traditional security approaches. Because the infection lives in such a low-level portion of a hard drive, it can also survive when the operating system is completely reinstalled.

Great read. In one of the comments to the article it was noted that secure boot would mitigate this kind of attack (win7 onward), but, as noted: “That said, this attack is against a population with a penchant for running ancient, decrepit systems, so they may be vulnerable for some time going forward. Inexcusable, really, but they’ll react only after losing enough money.”

That made me laugh, as it is not just the banks that short-change cyber security; it is, by and large, the majority of businesses.

Malware caught checking out credit cards in 54 luxury hotels

Quote

Add Starwood – owner of the Sheraton, Westin, W hotel chains – to the ranks of resorts infiltrated by credit card-stealing malware.

The luxury hotel chain said on Friday that 54 of its North American locations had been infected with a software nasty that harvested banking card information from payment terminals and cash registers.

Starwood said the 54 compromised hotels [PDF] were scattered throughout the US and Canada, and were infected from as early as November of 2014 to June 30 of this year. Malware was found in payment systems in gift shops, restaurants, and sales registers.

Data stolen by the software could include customer names, credit card numbers, card security codes, and expiration dates. Starwood said that customer addresses, reservation data, and reward card information were not exposed in the breach.

When will the business community take security seriously? My experience working with businesses is that few do. Small businesses are the worst, but you never hear about that. Yet their data, including customer data, is being hoovered up faster than you can imagine. That said, mid and large enterprises are not much better. On a typical firewall that we manage, attacks arrive at a rate of one every few seconds on average.

Hillary Clinton: Stop helping terrorists, Silicon Valley – weaken your encryption

Sorry Hillary, you are just proving yourself as clueless as ever.

There remains no evidence the attackers used encryption to communicate. The Paris police found unencrypted text messages concerning the attack, and a public Facebook post from one of the attackers has also been uncovered. Early reports that the attackers used PlayStation 4s to communicate surreptitiously have also been dismissed.

It now appears that the attackers communicated via unencrypted SMS and did little to hide their tracks. On top of that, as Ryan Gallagher at the Intercept notes, some of the attackers were already known to law enforcement and the intelligence community as possible problems. But they were still able to plan and carry out the attacks. Even more to the point, Gallagher points out that after looking at the 10 most recent high profile terrorist attacks, the same can be said for each of them. Sources: 1) 2)

Time and again throughout history, governments have used fear to strip people of their rights and increase their power. This is no different. This is a failure of intelligence. These thugs are smart and use face-to-face communications more than anything else. Studies (read more) have shown that the US Gov’s massive hoovering of data has had the perverse effect of making them more blind to what is really happening, rather than the other way around.

And I leave you with this: if the government weakens encryption, how long will it take for other miscreants to find the holes and exploit them for nefarious reasons? Not long. That is why corporations are pushing back. Hillary, if you want to lead, better do your homework instead of pandering to fear.

Beware of ads that use inaudible sound to link your phone, TV, tablet, and PC

Quote

Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person’s online behavior across a range of devices, including phones, TVs, tablets, and computers.

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

Cross-device tracking can also be performed through the use of ultrasonic inaudible sound beacons. Compared to probabilistic tracking through browser fingerprinting, the use of audio beacons is a more accurate way to track users across devices. The industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.

The user is unaware of the audio beacon, but if a smart device has an app on it that uses the SilverPush software development kit, the software on the app will be listening for the audio beacon and once the beacon is detected, devices are immediately recognized as being used by the same individual. SilverPush states that the company is not listening in the background to all of the noises occurring in proximity to the device. The only factor that hinders the receipt of an audio beacon by a device is distance and there is no way for the user to opt-out of this form of cross-device tracking. SilverPush’s company policy is to not “divulge the names of the apps the technology is embedded,” meaning that users have no knowledge of which apps are using this technology and no way to opt-out of this practice. As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones.

Now that SilverPush and others are using the technology, it’s probably inevitable that it will remain in use in some form. But right now, there are no easy ways for average people to know if they’re being tracked by it and to opt out if they object. Federal officials should strongly consider changing that.

Unplug your PC mic when it is not in use, get smart about Android and iPhone (iOS) permissions, and limit access to the sound recorder/mic to only the dialer and trusted apps. Of course it should not be this way. It should all be off by default. And as I said before: you pay for this data rape.