Archive | Editorial Articles RSS feed for this section

It’s Time to Change Passwords Again; 1.2B Stolen

If you follow me on Twitter (@SecAdept), you probably noticed me mention last week’s huge credential leak. If not, take note as it’s probably time to change your passwords again.

Last week, The New York times released a story about Russian hackers sitting on a dump of over 1.2 billion stolen credentials (usernames and passwords)… Yes, that’s billion with a b.

The New York Times based their story on information from Hold Security, a research firm that helped track the Adobe and Target breaches. According to a blog post, Hold Security’s researchers identified a Russian cyber gang (who they call CyberVor) sitting on a dump of 4.5 billion credentials; 1.2B actually being unique. They say the group also has over 500 million unique email addresses. This huge repository of data wasn’t the result of a single attack, rather a long term botnet campaign that allegedly leveraged SQL injection (SQLi) attacks to steal this information from over 420,000 vulnerable web sites.

Other than that, not much is publicly known about this campaign of credential thefts. In fact, some find this news somewhat suspicious, since Hold Security hasn’t shared all the relevant details yet. For instance, they haven’t said whether or not the stolen credentials are hashed, which would at least impose a small roadblock on those trying to leverage them. They also haven’t shared any physical data about this leak, at least publicly. Furthermore, they seem to be charging for a subscription service to tell you whether or not you are affected. That said, Hold Security is a well-known and respected group that even has the backing of Brian Krebs. Lying about a breach of this magnitude would be business suicide.

So the obvious question is, what should you do? It’s pretty simple actuallyif not a bit irritating. Change all your passwords! I know it’s a pain in the butt, but if this is true, bad guys probably have access to at least one of your passwords. You should use this as an excuse to change your password on every important site. I highly recommend using a different password on every site, and using a password vault to help you create and remember all these strong passwords.

One last aside. A few folks have asked me if they should get new credit cards. So far, there have been no reports that these Russian hackers are sitting on any credit card details. So currently, there is no need for any panic there. If news of credit card leaks comes out, your credit card company will likely inform you if you’re affected. — Corey Nachreiner, CISSP (@SecAdept)

Black Hat 2014 – Briefing Summary – Day 1

If you’ve never been to Black Hat, the week long security conference is separated into two parts; a four day (optional) period for technical training courses, followed by two days of security briefings, where researchers share their latest discoveries and vulnerabilities. While the trainings I’ve attended have been excellent, most of the week’s security headlines get generated from the new research shared at the Black Hat briefings (and from DEF CON, later in the week).

In hopes of giving you a virtual Black Hat experience, I’ll summarize the more interesting talks I attended over the past two days, giving you the highlights. Let’s start with briefing day one.

Cybersecurity as Realpolitk

Topic: General state of information security and the Internet

Speaker: Dan Geer

This talk began with a short introduction by Jeff Moss (@TheDarkTangent), the founder of Black Hat and DEF CON, who mostly commented on the disparity between security and complexity. We need to start simplifying overly complex systems if we have any hope of securing them.

 

Dan Geer is a well-known computer security expert, who has warned about potential computer and network dangers long before it was popular to do so. In this talk, Geer covered a wide-range of topics, sharing his thoughts on ten subjects relevant to information security. With so many topics to cover, I can’t summarize it all, but I can share some highlights:

 

  • Freedom, security, convenience… CHOOSE TWO.
  • The CDC is effective at stopping pandemics because they force mandatory disease reporting, have expert away teams, and analyze historical data. Infosec experts should do the same. Perhaps there should be mandatory breach reporting for big incidents, and voluntary, anonymous reporting for small hack incidents.
  • On Net Neutrality: ISPs should have only two choices. Either they can charge what they want for services, but be liable for the content on their wires, or they are protected from liability and don’t inspect content at all.
  • On strike back: Don’t do it (as much as I can understand the desire to).
  • Embedded systems require remote management, or an finite lifetime (because without updates their vulnerability grows over time)
  • US Gov. should pay 10x the price of anyone else to corner the 0day market, and then help vendors fix the issue to quickly decrease the amount of 0day that any attacker can use. I disagree with Geer a bit. While I think it’s a nice idea, I don’t have confidence the US Gov. would share the info with vendors, rather than sit on the exploits for use in their own operations.
  • On Privacy: We have the right to be forgotten.
  • Internet voting: Nope!

 

Geer covered many other topics, but that at least gives you a quick taste of his talk.

 

Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol

Topic: Attacking mobile phones using the Carriers management protocol

Speaker: Matthew Solnik & Marc Blanchou

 

This talk had a ton of potential, but fell flat due to execution issues. In a nutshell, the presentation highlighted the Over-the-Air (OTA) remote management tools that mobile carriers built into phones on their network, and how attackers could exploit these built-in tools to hijack your phone, launching man-in-the-middle (MitM) attacks, or even executing remote code on your phones.

 

The presentation included a ton of technical information, which was interesting to fellow researchers, but it was presented in a dry, hard to follow manner. Worse yet, the actual demo at the end, which could have saved the whole talk, failed before it even started. That said, it still covered a very interesting and relevant topic, and I hope phone carriers read Solnik and Blanchou’s slides and research.

 

A Survey of Remote Automotive Attack Surface

Topic: Which cars are the most vulnerable?

Speaker: Charlie Miller & Chris Valasek

 

Even knowing this talk wouldn’t include any new research, I attended it just because Miller & Valasak are such charismatic speakers—and they didn’t disappoint. Last year, this research pair made a splash by demonstrating hacks against a Toyota Prius and Ford Escape. Despite getting tons of media attention, their talk was turned down by Black Hat last year. This year, Black Hat seemed to be making up for that flub, but Miller and Valasek didn’t really have any new technical or hands-on research to present.

 

Rather, in this presentation the duo mostly explored the potential of a remote attack surface against cars, and also enumerated a bunch of different cars using online information, measuring how vulnerable they think various models are.

 

As far as the remote attack surface, Miller and Valasek didn’t uncover anything new, or do any real tests, but instead shared research from others, such as the UW’s attack on tire pressure sensors, etc… They also discussed how built-in Bluetooth, Radio data systems, cellular, Wi-Fi, and car apps all present remote attack service. However, they didn’t uncover or share any new vulnerability or prove one exists.

Next they described how they measured the vulnerability level of various cars from many manufacturers. Essentially, they got mechanic accounts to all these manufacturers and used the mechanical technical docs to figure out which systems a certain model car used. The more remote systems a car presents, and the closer those systems connections are to other mechanics on the car, and the more vulnerable it is. They also brought up the idea of “cyberphysical” systems, such as cars that have self-parking or proximity detection and response. These “drive-by-wire” cars allow digital systems to actually turn the wheel or brake, so obviously they present a lot of real-world risk.

 

In the end, the talk was a lot of fun to listen to, but didn’t add a whole lot new to the car hacking conversation. They did say they are releasing a big paper covering the most vulnerable cars they found sometime at the end of the week. So go check it out if you’re interested.

 

Government as Malware Authors: The Next Generation

Topic: Exploring evidence that governments are writing malware

Speaker: Mikko Hypponen

 

I’ve always liked Hypponen’s engaging presentation style, and recently had the pleasure to dine with and present along side him at WatchCom’s Paranoia conference in Norway. If you’ve seen his TED talk, you probably have heard his views on the Snowden NSA leaks and governments involvement in Stuxnet and other advanced attacks. This presentation was essentially more of the same, other than he also shared a little government hacking history from F-Secure’s perspective; showing and sharing some spear phishing attachment examples they’d collected as early as 2003. He also covered the some of the latest phishing attachment tricks like the right-to-left unicode trick I mentioned in one of my weekly videos. It was an interesting talk that I’d recommend to anyone, but one I’d essentially seen before.

 

Pulling the Curtain on Airport Security

Topic: Vulnerabilities in TSA scanning equipments

Speaker: Billy Rios

 

This was a great talk; one of the best I saw. Billy Rios is a soft-spoken, but wicked smart security researcher who’s found many flaws in embedded devices. This time he researched some of the scanning equipment used by the TSA in airports. First, here are some interesting TSA stats:

 

  • TSA employees around 50,000 people at 400 airports in the US.
  • They spend $7.39 billion a year.
  • They are REQUIRED to spend $250 million on new screening gear.
  • We (as taxed citizens) pay for all this, so should consider its efficacy and usefulness important.

 

In any case, Rios found and bought a bunch of scanning equipment on Ebay that the TSA uses. He then reversed it and found a lot of very basic, low-hanging vulnerabilities… Circa 1990 security flaws like hard-coded service credentials and the like. He tested devices like x-ray scanners, fingerprint time clocks, and itemizers (the systems that sniff for drugs). I won’t go into all the details, but he basically found pretty big, often remotely exploitable issues in all these embedded systems.

 

His take-aways? First, if you use embedded devices you should audit them for risks and vulnerabilities. Second, you should trust, but always verify.

 

Breaking the Security of Physical Devices.

Topic: Radio signal reversing, and embedded device security

Speaker: Dr. Silvio Cesare

 

At a high-level, this talk was very similar to the last one, in that Dr. Cesare targeted embedded devices. He gathered together various, common home automation systems consumers might get at Home Depot or Target. Things like an analog baby monitor, various types of home alarm systems, and even the keyless entry fobs we use to unlock our cars. Then he showed how to defeat all these systems by analyzing and reversing their radio signals. Once the signal was reverse, he could either eaves drop or launch various key replay attacks.

 

If you are into radio signal tech and security, this was a very interesting talk. He shared how you could use cheap software defined radio equipment to do the capture and analysis, and even shared how to get relatively cheap spectrum analyzers. He also shared how to demodulate various types of radio signals, whether AM or PWM, and covered details on how you might crack rolling key codes. It was very interesting stuff, but very technical, and mostly for those into radio frequency hacking.

 

So that’s it for day one. As you can see, Black Hat briefings cover a wide gamut of interesting infosec related topics. You always learn something new, and it’s great just to hang out around people who are as passionate about the topic as you. I’ll return tomorrow with my summary of the day two briefings.

— Corey Nachreiner, CISSP (@SecAdept)

 

 

 

 

 

Good News! You Might Get Your Cryptolocker Encrypted Files Back

You probably remember Cryptolocker; a very nasty piece of ransomware that successfully encrypted files on many computers, and made its authors millions in ransom.  If not, you can learn more about it here. Though it wasn’t horribly advanced, it did use industry standard public/private key encryption, making it almost impossible for good guys to actually crack the encryption and get your files back.

However, there’s some great news on that front!

This week, FireEye and Fox-IT published a site called decryptcryptolocker.com. If you share your email address, and one of your Cryptolocker infected files with this site, they will email you the private key and a tool that can decrypt all your Cryptolocker files. If you were one of the folks that didn’t have a good backup, you finally have an option to recover files other than just paying the criminals (never a good idea).

So how did FireEye and Fox-IT accomplish this? Essentially, by gaining control of, and taking down Cryptolocker’s command and control (C&C) infrastructure (where the criminals stored all their private keys). If you’d like to know more about it, I suggest checking out FireEye’s blog post.

This is awesome work, and hopefully a big relief to anyone that still has Cryptolocker infections. That said, there are many Cryptolocker copycats and variants. This takedown has gained access to a specific group’s C&C servers and keys, but not all ransomware variants. There is a chance this tool won’t decrypt the files for every Cryptolocker variant, and it surely won’t help with the copycats.

In any case, it’s great to see a score for the good guys.

— Corey Nachreiner, CISSP (@SecAdept)

BadUSB – WSWiR Episode 115

Android Fake ID, Backoff PoS Attack, and BadUSB

With Blackhat and DEF CON only a week away, it’s not surprising to see news of new vulnerabilities and attack vectors popping up as researchers hint at their upcoming presentations. If you are interesting in this threat news, but have no time to track it down yourself, this weekly video can fill you in.

Today’s show shares details about the Android Fake ID vulnerability, talks about a new PoS system attack campaign, and warns of an industry-wide USB problem researchers will disclose at Blackhat. Check out the video for the details and some advice, then scroll down to the Reference section if you are interested in other infosec news from the week.

As an aside, I will be attending Blackhat next week, which means I may not post the video at its regular time. However, it also means I’ll cover my favorite briefings from the show, so if you can’t attend be sure to tune in to get a taste of the popular security conference. Have a great weekend.

(Episode Runtime: 10:52)

Direct YouTube Link: https://www.youtube.com/watch?v=51VT-CJJKB4

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

iOS Backdoor – WSWiR Episode 114

Firefox 31, Tails 0day, and iOS Backdoor

Are you curious about the latest network breaches, dangerous new zero day exploits, or breaking security research, but too busy to find all this information on your own? No worries. We summarize the most important security news for you in our weekly security video every Friday.

In this week’s episode, you’ll learn how the latest Firefox update makes it harder to download malware, why you can’t rely on some anonymizers, and whether or not you should worry about the rumored backdoor in iOS. Check out the video for the full scoop, and don’t forget to peruse the extra stories in the Reference section below.

(Episode Runtime: 7:51)

Direct YouTube Link: https://www.youtube.com/watch?v=qg1wsjzjC4Q

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Weak Passwords are Good? – WSWiR Episode 113

Oracle Patches, Project Zero, and Password Problems

Another week, another big batch of InfoSec news. If your IT job is already overwhelming you with tasks, leaving you no time to keep up with computer and network security, “I’ve got ya bro.” Check out our weekly security news summary for all the important action.

Today’s episode covers Oracle’s quarterly Critical Patch Update (CPU), a neat security project from Google, and a bevy of password security related news and issues. It’s all in the video, so give it a play. Also, don’t forget the Reference section below for other interesting news.

Enjoy your summer weekend, and stay safe!

(Episode Runtime: 8:59)

Direct YouTube Link: https://www.youtube.com/watch?v=yOtbuwhqZVo

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Hardware Malware – WSWiR Episode 112

Tons of Patches, Facebook Botnets, and Infected Hand Scanners

After a couple weeks of hiatus, we’re finally back with our weekly security news summary video. If you want to learn about all the week’s important security news from one convenience resource, this is the place to get it.

This episode covers the latest popular software security updates from the last two weeks, and interesting Litecoin mining botnet that Facebook helped eradicate, and an advanced attack campaign that leverages pre-infected hardware products. Watch the video for the details, and check out the Reference’s for more information, and links to many other interesting InfoSec stories.

Enjoy your summer weekend, and stay safe!

(Episode Runtime: 7:37)

Direct YouTube Link: https://www.youtube.com/watch?v=oAHYUW1KkM0

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Service Bus DoS Mostly Affects Enterprise Web Developers.

Among this week’s Microsoft security bulletins is one that likely only affects a small subset of Microsoft customers, and thus not worth a full security alert.

Microsoft Service Bus is a messaging component that ships with server versions of Windows, providing enterprise developers with the means to create message-driven applications. According to Microsoft’s bulletin, Service Bus suffers from a denial of service (DoS) vulnerability involving it’s inability to properly handle a sequence of specially crafted messages. If you have created an application that uses Service Bus, an attacker who could send specially crafted messages to your application could exploit this flaw to prevent the application from responding to further messages. You’d have to restart the service to regain functionality.

Windows itself doesn’t really use Service Bus for anything, but if you have internal applications that do, this vulnerability may be significant to you. If you use Service Bus, be sure to check out the bulletin to get your updates. — Corey Nachreiner, CISSP (@SecAdept)

TweetDeck XSS – WSWiR Episode 111

Patch Day, P.F. Changs Hack, and TweetDeck XSS

This week delivered a lot of infosec news and a ton of software security updates. If you didn’t have time to follow it all, check out our weekly computer security video to fill in the blanks.

During today’s episode, I cover the critical patches from Microsoft, Adobe and Mozilla, mention the latest credit card breach against a U.S. restaurant chain, and talk about the cross-site scripting worm spreading via TweetDeck. Click play below to learn more, and check out the References for other interesting infosec stories.

Before wishing you a great weekend, here are a couple of quick show notes. First, I’m starting a vacation during the middle of next week, so I won’t be publishing this weekly video for the next two weeks. It will return in July.

Second, if you are a WatchGuard customer curious about our OpenSSL updates, we are in the process of posting new versions of software for many of our products. Keep your eye on this blog, as those will likely start coming out early next week.

(Episode Runtime: 7:37)

Direct YouTube Link: https://www.youtube.com/watch?v=hbGqdrxvOyA

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Black Tuesday: Seven Security Bulletins Include a Huge IE Update

If there is one day of the month you should really focus on software patching, this is the day. The second Tuesday of the month is both Microsoft and Adobe patch day. If you run a Windows shop, or you use Adobe products on any platform, it’s time for you to get patching!

As they promised, Microsoft released seven bulletins today to fix a wide range of security vulnerabilities in a number of their products, including:

  • Windows and its components,
  • Office (Word),
  • Internet Explorer (IE),
  • and Lync Server.

Microsoft rates two of the bulletins as Critical.

The big news here is the major Internet Explorer (IE) update. Not only does it fix a zero day vulnerability I discussed a few weeks ago, but it corrects a whooping total of 59 security flaws in the popular web browser. If you have Windows computers in your network, you need to patch IE immediately. The second Critical update fixes a Windows graphics component (GDI+) flaw, which attackers can leverage simply by tricking your users into viewing maliciously crafted images.

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can or you can also let Windows’ Automatic Update do it for you. You can find more information about these bulletins and updates in Microsoft’s June Summary advisory.

Adobe’s Patch Day, on the other hand, seems a bit lighter than Microsoft’s. They only released one security update fixing six security flaws in Flash Player. That said, the update fixes some pretty serious vulnerabilities that attackers could exploit just by enticing you to the wrong web site. Be sure to update Flash as well.

I’ll share more details about today’s patches on the blog throughout the day, so stay tuned.  — Corey Nachreiner, CISSP (@SecAdept).

Follow

Get every new post delivered to your Inbox.

Join 7,580 other followers

%d bloggers like this: