Nov 17 2017

Microsoft abandons typical Patch Tuesday playbook to fix Equation Editor flaw

When a company like Microsoft needs to fix a security flaw in one of its products, the process is normally straightforward: determine where the bug lies, change the program's source code to fix the bug, and then recompile the program. But it looks like the company had to step outside this typical process for one of the flaws it patched this Tuesday. Instead of fixing the source code, it appears that the company's developers made a series of careful changes directly to the buggy program's executable file.

Bug CVE-2017-11882 is a buffer overflow in the ancient Equation Editor that comes with Office. The Equation Editor allocates a fixed-size piece of memory to hold a font name and then copies the font name from the equation file into this piece of memory. It doesn't, however, check to ensure that the font name will fit into this piece of memory. When provided with a font name that's too long, the Equation Editor overflows the buffer, corrupting its own memory, and an attacker can use this to execute arbitrary malicious code.
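As an added illustration of the defect described above (example code written for this page, not Microsoft's or the Equation Editor's own source), the following C places the unchecked copy pattern beside a bounded version that validates the length before copying. The record layout (one length byte followed by the name bytes) and the 40-byte buffer size are assumptions for the example; the real equation file format and buffer size are not stated in the article.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the example; the real Equation Editor value
 * is not given in the article. */
#define FONT_NAME_MAX 40

typedef struct {
    char name[FONT_NAME_MAX];
    bool ok;            /* true if a name was copied, false if the record was rejected */
} font_record;

/* Constructed record layout for the example (not the real equation file
 * format): one length byte, followed by that many name bytes. Returns the
 * total record size, or 0 if the string cannot be encoded. */
size_t make_record(uint8_t *buf, size_t buf_len, const char *s)
{
    size_t n = strlen(s);
    if (n > 255 || n + 1 > buf_len)
        return 0;
    buf[0] = (uint8_t)n;
    memcpy(buf + 1, s, n);
    return n + 1;
}

/* The vulnerable pattern the article describes: the name is copied into a
 * fixed-size buffer with no check that it fits. A record whose length byte
 * is FONT_NAME_MAX or more writes past 'name'. Kept only to show the
 * defect; it must never see untrusted input. */
void copy_font_name_unchecked(font_record *out, const uint8_t *rec)
{
    size_t n = rec[0];
    memcpy(out->name, rec + 1, n);
    out->name[n] = '\0';
    out->ok = true;
}

/* Hardened form: check the claimed length against both the bytes actually
 * present and the destination buffer, and fail closed on any mismatch. */
bool copy_font_name_checked(font_record *out, const uint8_t *rec, size_t rec_len)
{
    out->ok = false;
    out->name[0] = '\0';
    if (rec_len < 1)
        return false;               /* no length byte at all */
    size_t n = rec[0];
    if (n > rec_len - 1)
        return false;               /* length claims more bytes than the record holds */
    if (n >= FONT_NAME_MAX)
        return false;               /* would not fit together with the NUL terminator */
    memcpy(out->name, rec + 1, n);
    out->name[n] = '\0';
    out->ok = true;
    return true;
}

/* How many bytes an unchecked copy of an n-byte name would write past the
 * end of the FONT_NAME_MAX buffer (name bytes plus the NUL terminator). */
size_t overflow_bytes(size_t n)
{
    size_t needed = n + 1;
    return needed > FONT_NAME_MAX ? needed - FONT_NAME_MAX : 0;
}

int main(void)
{
    uint8_t rec[300];
    font_record fr;

    /* Constructed benign record: a short font name. */
    size_t len = make_record(rec, sizeof rec, "Symbol");
    copy_font_name_unchecked(&fr, rec);   /* safe only because the name is short */
    printf("unchecked copy of short name: %s\n", fr.name);
    printf("checked copy of short name:   %s\n",
           copy_font_name_checked(&fr, rec, len) ? fr.name : "rejected");

    /* Constructed oversized record: a 99-byte name. */
    char longname[100];
    memset(longname, 'A', 99);
    longname[99] = '\0';
    len = make_record(rec, sizeof rec, longname);
    printf("checked copy of 99-byte name: %s (an unchecked copy would write %zu bytes past the buffer)\n",
           copy_font_name_checked(&fr, rec, len) ? fr.name : "rejected",
           overflow_bytes(99));
    return 0;
}
```

The checked version rejects three distinct bad inputs: a record with no length byte, a length byte that claims more data than the record contains (an out-of-bounds read), and a name that does not fit the destination (the out-of-bounds write the article describes).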

Curious how a buffer overflow works? Ars previously published a deep-dive video explanation.

Nov 16 2017

IoT Devices: The Gift that Keeps on Giving… to Hackers

You’ve probably noticed the recent increase in Internet-connected drones, digital assistants, toys, appliances and other devices hitting the market and maybe even showing up in your own home. Sales of these “Internet-of-Things” (IoT) devices are expected to reach 600 million units this year[1] and, unfortunately, security has sometimes become a casualty of the race among manufacturers to be the first to sell these smart gadgets into millions of homes. This has provided potentially millions of opportunities for hackers to see which devices they can compromise and possibly even control. In the past year hackers and security researchers were able to bypass the security of a range of these IoT devices.

Toys

Early this year it was discovered that the Cayla doll could allow hackers to take control of the toy and record video and audio without the user’s consent. A demonstration by the National Cyber Security Centre in London also showed the doll could be used to unlock smart locks, allowing criminals to enter your home through the front door.[2] The flaw is so serious that Germany’s Federal Network Agency required retailers to pull the dolls off shelves, banning them throughout the country.[3] In the United States, the Federal Bureau of Investigation (FBI) also released a public service announcement alerting the public to the potential risk Internet-connected toys pose.[4] The defect in the Cayla doll lies in its insecure Bluetooth connection, which allows anyone to listen and converse through the doll using an ordinary mobile phone.

Similar security flaws were recently found in multiple children’s watches being sold across Europe and the UK.[5] Security experts commissioned by the Norwegian Consumer Council found the smart watches could allow outsiders to track the child through the GPS signal, access personal data on the device, disable the emergency SOS function, and remotely listen to the youngster without the knowledge of a parent or guardian. On a positive note, the manufacturers behind the watches have responded responsibly and have either corrected the defects or are in the process of doing so.

Cameras

Internet-connected cameras and baby monitors have been around for a few years, but manufacturers are still shipping insecure devices. A quick search on the IoT search engine Shodan for the word “IPCamera” returns more than 39,000 results. This year saw multiple stories surface involving hackers able to remotely control cameras, record video and audio, and even speak to children.[6] We often see consumers configure cameras for remote access but fail to put the correct security controls in place. Leaving default passwords unchanged or choosing weak passwords is a common mistake among users. In other instances, the manufacturer of the device uses outdated third-party software or leaves ports open by default.

[Figure: Top Countries – Shodan results for searching “IPCamera.”]
[Figure: HTTP banner of an IoT device on the Internet leaking the default credentials.]

Digital Assistants

Controlling your smart devices with digital assistants from Apple, Amazon, Google, and others is a neat way to operate lights, appliances, and the home’s A/C unit. Researchers from Zhejiang University in China released a report[7] in August showing it’s possible to interact with the assistant using inaudible ultrasound commands. The scientists dubbed their findings the “DolphinAttack”: commands issued at a frequency too high for humans to hear were still understood by a range of assistants, including Siri, Google Now, Cortana, and Alexa. The researchers demonstrated it’s possible for someone to issue a range of commands from a distance without anyone near the device realizing the assistant was being controlled remotely.[8] Although no real-world hacks are known at this time, it’s safe to say hackers are well aware of the vulnerability.

Drones

Drones will most certainly be at the top of many a Christmas list this year. The market has exploded, and sales of drones for personal use are expected to exceed $2 billion globally in 2017.[9] With that many drones in the sky, and ample evidence that the devices can be hijacked, the security world has taken serious notice. Security researcher Jonathan Andersson[10] demonstrated how he was able to take control of a drone mid-flight, leaving the owner with no control at all. The flaw lies in the wireless transmission control protocol DSMx, which is used for communication between radio controllers and many remote-control devices, including drones. The researcher created a hardware device that takes advantage of the DSMx protocol flaw and allows him to make the hijacked drone perform a range of movements, including stopping, starting, and steering. The good news is the hacking device was not made public, but that won’t stop hackers from attempting to build their own similar gadget to take control of drones from unsuspecting users.

It’s not uncommon for hackers to prey on the latest popular Internet-connected devices. Millions of IoT devices will be purchased this holiday season, and consumers will be well served to do their homework. You don’t need to become an expert, but reading the user’s manual before connecting a device to the Internet is a good practice to make sure the gadget is set up properly. Make sure to also keep the device’s firmware up to date, downloading any manufacturer updates to fix newly discovered vulnerabilities. If you’re purchasing an IoT device as a gift, research it first for known vulnerabilities so you don’t get caught giving a gift that could turn out to be a security risk. It only takes one hacked device connected to your home’s Wi-Fi to allow personal data to be stolen, devices to be hijacked, or your connected gadgets themselves to become part of a botnet of infected systems that hackers use to launch attacks on other home and business systems.[11]

[1] https://www.cta.tech/News/Press-Releases/2016/January/Record-Year-Ahead-Consumer-Enthusiasm-for-Connect.aspx

[2] http://www.bbc.com/news/av/technology-38966285/how-hackers-could-use-doll-to-open-your-front-door

[3] https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/EN/2017/17022017_cayla.html

[4] https://www.ic3.gov/media/2017/170717.aspx

[5] http://www.dailymail.co.uk/sciencetech/article-4991102/Is-stranger-hacking-child-s-smart-watch.html

[6] http://www.americanow.com/story/society/2017/03/16/parents-warn-others-after-baby-monitor-gets-hacked

[7] https://arxiv.org/pdf/1708.09537.pdf

[8] https://www.theverge.com/2017/9/7/16265906/ultrasound-hack-siri-alexa-google

[9] https://www.gartner.com/newsroom/id/3602317

[10] https://thehackernews.com/2016/10/how-to-hack-drone.html

[11] https://en.wikipedia.org/wiki/Botnet

The post IoT Devices: The Gift that Keeps on Giving… to Hackers appeared first on McAfee Blogs.

Nov 15 2017

Krebs on Security 2017-11-15 10:25:58

root9B Holdings, a company that many in the security industry consider little more than a big-name startup aimed at cashing in on the stock market’s insatiable appetite for cybersecurity firms, surprised no one this week when it announced it was ceasing operations at the end of the year.

Founded in 2011 as root9B Technologies, the company touted itself as an IT security training firm staffed by an impressive list of ex-military leaders with many years of cybersecurity experience at the Department of Defense and National Security Agency (NSA). As it began to attract more attention from investors, root9B’s focus shifted to helping organizations hunt for cyber intruders within their networks.

By 2015, root9B was announcing lucrative cybersecurity contracts with government agencies and the infusion of millions from investors. The company’s stock was ballooning in price, reaching an all-time high in mid-May 2015.

That was just days after root9B issued a headline-grabbing report about how its cyber intelligence had single-handedly derailed a planned Russian cyber attack on several U.S. financial institutions.

The report, released May 12, 2015, claimed root9B had uncovered plans by an infamous Russian hacking group to target several banks. The company said the thwarted operation was orchestrated by Fancy Bear/Sofacy, a so-called “advanced persistent threat” (APT) hacking group known for launching sophisticated phishing attacks aimed at infiltrating some of the world’s biggest corporations. root9B released its Q1 2015 earnings two days later, reporting record revenues.

On May 20, 2015, KrebsOnSecurity published a rather visceral dissection of that root9B report: Security Firm Redefines APT; African Phishing Threat. The story highlighted the thinness of the report’s claims, pointing to multiple contradictory findings by other security firms which suggested the company had merely detected several new phishing domains being erected by a comparatively low-skilled African phishing gang that was well-known to investigators and U.S. banks.

In mid-June 2015, an anonymous researcher who’d apparently done a rather detailed investigation into root9B’s finances said the company was “a worthless reverse-merger created by insiders with [a] long history of penny-stock wipeouts, fraud allegations, and disaster.”

That report, published by the crowd-sourced financial market research site SeekingAlpha.com, sought to debunk claims by root9B that it possessed “proprietary” cybersecurity hardware and software, noting that the company mainly acts as a reseller of a training module produced by a third party.

root9B’s stock price never recovered from those reports, and began a slow but steady decline after mid-2015. In Dec. 2016, root9B Technologies announced a reverse split of its issued and outstanding common stock, saying it would be moving to the NASDAQ market with the trading symbol RTNB and a new name — root9B Holdings. On January 18, 2017, a reshuffled root9B rang the market opening bell at NASDAQ, and got a bounce when it said it’d been awarded a five-year training contract to support the U.S. Defense Department.

The company’s founders remained upbeat even into mid-2017. On June 6, 2017 it announced that Michael Hayden, the four-star general who until recently served as director of the U.S. National Security Agency, had joined the company’s board.

On June 23, 2017, root9B issued a press release reminding everyone that the company had remained #1 on the Cybersecurity 500 for the 6th consecutive quarter. The Cybersecurity 500, by the way, rates cybersecurity firms based on their “branding and marketing.”

Nobody ever accused root9B of bad marketing. But all the press releases in the world couldn’t hide the fact that the company had never turned a profit. It lost more than $18.3 million in 2016, more than doubling an $8.03 million loss in 2015.

Since August 2017, shares of the company’s stock have fallen more than 90 percent. On Sept. 28, 2017, all of root9B Holdings’ assets were acquired by venture investment firm Tracker Capital Management LLC, and then sold at auction.

On Nov. 13, root9B Holdings issued a press release saying NASDAQ was de-listing the firm on Nov. 15 and that it was ceasing operations at the end of this year.

“With the absence of any operating assets remaining after the Foreclosure, the Company will cease any and all operations effective, December 31, 2017,” the (final?) root9B press release concludes.

Several followers on Twitter say it’s too soon to sound the death knell for root9B as a whole, pointing out that while root9B Holdings may have been gutted and sold, for now it appears the security company root9B LLC is intact and is merely going back to being a private concern.

In any case, the demise of root9B Holdings resonates loudly with that of Norse Corp., another flashy, imploded cybersecurity startup that banked heavily on attracting and touting top talent, while managing to produce very little that was useful to or actionable by anybody.

Companies like these are a reminder that your success or failure in business as in life is directly tied to what you produce — not what you promise or represent. There is no shortcut to knowledge, success or mastery, and this goes for infosec students as well as active practitioners of the craft. Focus on consistently producing quality, unique content and/or services that are of real value to others, and the rest will take care of itself.

Update, 10:30 a.m.: Added perspective from Twitter readers.

Nov 15 2017

SNIFFlab – Create Your Own MITM Test Environment

SNIFFlab is a set of scripts in Python that enable you to create your own MITM test environment for packet sniffing through a WiFi access point.

Essentially, it’s a WiFi hotspot that continuously captures all the packets transmitted across it. All connected clients’ HTTPS communications are subjected to a “man-in-the-middle” attack, so that they can later be decrypted for analysis.

What is the SNIFFlab MITM Test Environment?

In our environment, dubbed Snifflab, a researcher simply connects to the Snifflab WiFi network, is prompted to install a custom certificate authority on the device, and then can use their device as needed for the test.

Read the rest of SNIFFlab – Create Your Own MITM Test Environment now! Only available at Darknet.