We keep learning more about the White House email breach from last year, and the news gets worse and worse. Today we learned the attackers may have had access to more of President Obama’s email correspondence than first suspected. Watch today’s vlog post for the details, and to learn tips to protect your organization’s email.
Two weeks ago experts blamed China for a DDoS attack against Github. This week, researchers describe the Great Cannon tool that China allegedly uses for these sorts of attacks. Press play to learn more, and to hear how I think we should combat this threat.
If you’ve never been to Black Hat, the week-long security conference is separated into two parts: a four-day (optional) period for technical training courses, followed by two days of security briefings, where researchers share their latest discoveries and vulnerabilities. While the trainings I’ve attended have been excellent, most of the week’s security headlines get generated from the new research shared at the Black Hat briefings (and from DEF CON, later in the week).
In hopes of giving you a virtual Black Hat experience, I’ll summarize the more interesting talks I attended over the past two days, giving you the highlights. Let’s start with briefing day one.
Cybersecurity as Realpolitik
Topic: General state of information security and the Internet
Speaker: Dan Geer
This talk began with a short introduction by Jeff Moss (@TheDarkTangent), the founder of Black Hat and DEF CON, who mostly commented on the disparity between security and complexity. We need to start simplifying overly complex systems if we have any hope of securing them.
Dan Geer is a well-known computer security expert, who was warning about potential computer and network dangers long before it was popular to do so. In this talk, Geer covered a wide range of topics, sharing his thoughts on ten subjects relevant to information security. With so many topics to cover, I can’t summarize it all, but I can share some highlights:
Freedom, security, convenience… CHOOSE TWO.
The CDC is effective at stopping pandemics because they force mandatory disease reporting, have expert away teams, and analyze historical data. Infosec experts should do the same. Perhaps there should be mandatory breach reporting for big incidents, and voluntary, anonymous reporting for small hack incidents.
On Net Neutrality: ISPs should have only two choices. Either they can charge what they want for services, but be liable for the content on their wires, or they are protected from liability and don’t inspect content at all.
On strike back: Don’t do it (as much as I can understand the desire to).
Embedded systems require remote management, or a finite lifetime (because without updates their vulnerability grows over time).
US Gov. should pay 10x the price of anyone else to corner the 0day market, and then help vendors fix the issue to quickly decrease the amount of 0day that any attacker can use. I disagree with Geer a bit. While I think it’s a nice idea, I don’t have confidence the US Gov. would share the info with vendors, rather than sit on the exploits for use in their own operations.
On Privacy: We have the right to be forgotten.
Internet voting: Nope!
Geer covered many other topics, but that at least gives you a quick taste of his talk.
Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol
Topic: Attacking mobile phones using the carriers’ management protocol
Speaker: Matthew Solnik & Marc Blanchou
This talk had a ton of potential, but fell flat due to execution issues. In a nutshell, the presentation highlighted the Over-the-Air (OTA) remote management tools that mobile carriers built into phones on their network, and how attackers could exploit these built-in tools to hijack your phone, launching man-in-the-middle (MitM) attacks, or even executing remote code on your phones.
The presentation included a ton of technical information, which was interesting to fellow researchers, but it was presented in a dry, hard to follow manner. Worse yet, the actual demo at the end, which could have saved the whole talk, failed before it even started. That said, it still covered a very interesting and relevant topic, and I hope phone carriers read Solnik and Blanchou’s slides and research.
A Survey of Remote Automotive Attack Surface
Topic: Which cars are the most vulnerable?
Speaker: Charlie Miller & Chris Valasek
Even knowing this talk wouldn’t include any new research, I attended it just because Miller & Valasek are such charismatic speakers—and they didn’t disappoint. Last year, this research pair made a splash by demonstrating hacks against a Toyota Prius and Ford Escape. Despite getting tons of media attention, their talk was turned down by Black Hat last year. This year, Black Hat seemed to be making up for that flub, but Miller and Valasek didn’t really have any new technical or hands-on research to present.
Rather, in this presentation the duo mostly explored the potential of a remote attack surface against cars, and also enumerated a bunch of different cars using online information, measuring how vulnerable they think various models are.
As far as the remote attack surface, Miller and Valasek didn’t uncover anything new, or do any real tests, but instead shared research from others, such as the UW’s attack on tire pressure sensors, etc… They also discussed how built-in Bluetooth, radio data systems, cellular, Wi-Fi, and car apps all present a remote attack surface. However, they didn’t uncover or share any new vulnerability or prove one exists.
Next they described how they measured the vulnerability level of various cars from many manufacturers. Essentially, they got mechanic accounts with all these manufacturers and used the mechanics’ technical docs to figure out which systems a given model used. The more remote systems a car presents, and the closer those systems’ connections are to the other mechanical systems on the car, the more vulnerable it is. They also brought up the idea of “cyberphysical” systems, such as cars that have self-parking or proximity detection and response. These “drive-by-wire” cars allow digital systems to actually turn the wheel or brake, so obviously they present a lot of real-world risk.
In the end, the talk was a lot of fun to listen to, but didn’t add a whole lot new to the car hacking conversation. They did say they are releasing a big paper covering the most vulnerable cars they found sometime at the end of the week. So go check it out if you’re interested.
Government as Malware Authors: The Next Generation
Topic: Exploring evidence that governments are writing malware
Speaker: Mikko Hypponen
I’ve always liked Hypponen’s engaging presentation style, and recently had the pleasure to dine with and present alongside him at WatchCom’s Paranoia conference in Norway. If you’ve seen his TED talk, you probably have heard his views on the Snowden NSA leaks and governments’ involvement in Stuxnet and other advanced attacks. This presentation was essentially more of the same, other than he also shared a little government hacking history from F-Secure’s perspective, showing and sharing some spear phishing attachment examples they’d collected as early as 2003. He also covered some of the latest phishing attachment tricks, like the right-to-left Unicode trick I mentioned in one of my weekly videos. It was an interesting talk that I’d recommend to anyone, but one I’d essentially seen before.
Pulling the Curtain on Airport Security
Topic: Vulnerabilities in TSA scanning equipment
Speaker: Billy Rios
This was a great talk; one of the best I saw. Billy Rios is a soft-spoken, but wicked smart security researcher who’s found many flaws in embedded devices. This time he researched some of the scanning equipment used by the TSA in airports. First, here are some interesting TSA stats:
TSA employs around 50,000 people at 400 airports in the US.
They spend $7.39 billion a year.
They are REQUIRED to spend $250 million on new screening gear.
We (as taxed citizens) pay for all this, so we should consider its efficacy and usefulness important.
In any case, Rios found and bought a bunch of scanning equipment on eBay that the TSA uses. He then reversed it and found a lot of very basic, low-hanging vulnerabilities… circa-1990 security flaws like hard-coded service credentials and the like. He tested devices like x-ray scanners, fingerprint time clocks, and itemizers (the systems that sniff for drugs). I won’t go into all the details, but he basically found pretty big, often remotely exploitable issues in all these embedded systems.
His take-aways? First, if you use embedded devices you should audit them for risks and vulnerabilities. Second, you should trust, but always verify.
Breaking the Security of Physical Devices
Topic: Radio signal reversing, and embedded device security
Speaker: Dr. Silvio Cesare
At a high level, this talk was very similar to the last one, in that Dr. Cesare targeted embedded devices. He gathered various common home automation systems consumers might get at Home Depot or Target: things like an analog baby monitor, various types of home alarm systems, and even the keyless entry fobs we use to unlock our cars. Then he showed how to defeat all these systems by analyzing and reversing their radio signals. Once the signal was reversed, he could either eavesdrop or launch various key replay attacks.
If you are into radio signal tech and security, this was a very interesting talk. He shared how you could use cheap software defined radio equipment to do the capture and analysis, and even shared how to get relatively cheap spectrum analyzers. He also shared how to demodulate various types of radio signals, whether AM or PWM, and covered details on how you might crack rolling key codes. It was very interesting stuff, but very technical, and mostly for those into radio frequency hacking.
So that’s it for day one. As you can see, Black Hat briefings cover a wide gamut of interesting infosec related topics. You always learn something new, and it’s great just to hang out around people who are as passionate about the topic as you. I’ll return tomorrow with my summary of the day two briefings.
Hostage RDP Servers, Pin Pad Hacks, and PS3 Key Leak
Are you ready for some Friday water-cooler security gossip? Did you hear about a bunch of RDP servers at Fortune 500 companies getting hacked? How about the story about Dutch law enforcement legally hijacking suspect computers? If not, you’ve come to the right place. I cover those stories and more in today’s WatchGuard Security Week in Review video.
This week’s video comes to you from the road. During the week, I attended Gartner’s Symposium ITxpo, where Gartner analysts covered the trends driving IT innovation. The four main topics included the Cloud, Mobile, Social, and Big Data; many of which match our security predictions themes from this year. In any case, today’s episode is slightly abbreviated due to my travels.
If you are interested in this week’s big RDP hack, a Barnes and Noble pin pad breach, and even a “pwned” gaming console, check out the video below. You can also find links to all the stories I cover in the Reference section of this post.
There was once a time when I had to subscribe to many obscure mailing lists, lurk on underground forums and channels, and visit a ton of buried pages at vendor sites to learn about the latest vulnerabilities, exploits, and breaches. That’s no longer the case.
Today, mainstream media reports on more information and network security news every week than most IT administrators can keep up with. Thus, this weekly security news round-up video. We consolidate and concentrate all the most important security stories into one digestible video each week—throwing in some practical security tips along the way.
This week’s episode includes security updates from Oracle and Apple, a new advanced nation-state threat called miniFlame, and a few fun security stories involving popular gaming platforms and zombie apocalypses. Watch the video below for quick highlights, and check out the Reference section for more details.
Nation State Cyber Espionage, WoW Death Hack, and Lots of Patches
Another week has blown by, and if you had a week like mine, you’ve barely gotten a chance to catch your breath between each new task. If that’s the case, you probably also missed this week’s security news. Fear not! WatchGuard Security Center is coming to the rescue. Grab a cup of joe, settle into your seat, and let the security news video below brief you on the latest in about ten minutes.
By far, the biggest story this week concerns cyber espionage accusations between nation states. Today’s episode covers that fiasco, as well as a bunch of security updates, some interesting game and social network hacks, and even a quick mobile security tool tip. Click play (or follow the YouTube link) for all the details.
Too embarrassed to watch a video at work? No problem. Just check the Reference section below for links to these stories’ sources. And if you have any suggestions, leave a comment. Until next time, stay safe out there.
For the new listeners out there, Radio Free Security (RFS) is a monthly podcast, dedicated to spreading knowledge about network and information security, and to keeping busy IT administrators apprised of the latest security threats they face online. WatchGuard’s LiveSecurity team started RFS back in January, 2007. However, we’ve been off the air since 2009 — but that all changes today, with our first return episode!
In this return episode, we look back at WatchGuard’s 2011 security predictions. Every year, the WatchGuard security team and I pull out our magic tarot cards to try and predict the security threats and trends you can expect for the upcoming year. In this episode, Tim Helming, Ben Brobak, and I revisit these predictions, which include a wide range of topics (Cyberwar, APTs, and Facebook attacks to name a few). Did we call 2011 correctly, and what did we learn from the results? Listen below to find out.
In the future, I will post Radio Free Security’s monthly podcast to its original RSS feed, which also links to an iTunes version. However, right now we are dusting off those old mechanisms, to get them up again. For now, you can listen to this month’s episode with the SoundCloud link below. If you are new to RFS, I also recommend you check out our archive (iTunes archive) of old shows. Though some of the Security Stories of the Month are old, the general security content and advice is still quite relevant.
[UPDATE] The original SoundCloud link for this episode had a repeated segment (from 00:49:49 to 01:13:49). We have uploaded a fixed version of the episode. I’d like to thank @pdbrown811 for letting us know. If you downloaded the episode before, I recommend you download it again from the new link below. — Corey Nachreiner, CISSP (@SecAdept)
Railway Hacks, VideoConferencing Espionage, and Security Professionals Gone Bad
Another week, another WatchGuard Security Week in Review. While this week wasn’t quite as action packed as last, there are plenty of security stories to cover in this episode. I summarize them in the brisk video below (runtime: 6:03 minutes).
If you prefer text to moving pictures, you can also find quick descriptions of these stories, as well as reference links, underneath the video. Let us know what you think in the comments.
Anonymous continues their online riot, taking down more recording industry sites, and defacing a US government internet security site:
Zappos Breach, Middle Eastern Cyberwar, Anonymous Returns, & More
Welcome to my first ever episode of WatchGuard Security Week in Review. This vlog — which I hope to bring you weekly — is dedicated to quickly summarizing the biggest network and information security stories from each week. When appropriate, I’ll also share quick tips on how you can protect yourself from some of the threats I talk about.
Normally, I plan to post this weekly vlog late Friday. However, I posted last week’s episode a bit late, due to unexpected production issues with my first attempt at making this. I believe I have my production wrinkles ironed out for next time. So expect the next episode this Friday.
You’ll find the first episode below. Let me know what you think by leaving a comment.
If your office gets quiet around the week leading up to Christmas and New Years, as many seem to, you may have missed a few interesting security stories during this lull. Let me catch you up in one fell swoop.
Below, I quickly highlight a menagerie of interesting security stories, which you may have missed over the past two weeks:
Unpatched Vulnerability in Windows Win32k.sys Component – According to reports, a “researcher” calling himself webDEViL found a memory corruption flaw in Windows’ win32k.sys component. By enticing you to a web site containing malicious code, an attacker could exploit this flaw to execute malicious code on your computer, with your privileges. So far, webDEViL has only been able to exploit the flaw via Safari, which isn’t a very popular web browser for Windows systems. That said, it does affect fully patched Windows 7 64-bit systems, thus poses a fairly severe risk to Windows-based Safari users. Microsoft has not released a patch yet, but I will follow up when they do. For more information, see Secunia’s advisory.
Siemens Accused of Security Cover-up – Siemens has received a lot of attention from the security industry lately. It first started with the infamous Stuxnet malware, which owned Siemens-based software and equipment, and opened many people’s eyes to the possibility of digital SCADA and ICS attacks. Since then, many researchers have focused on SCADA system vulnerabilities, including a recent example where a researcher found a SCADA system exposed on the internet with only a three-character password. The latest drama comes from a security researcher’s blog, where he accuses Siemens of lying about a security flaw in one of their products. In short, Billy Rios (the researcher) is unhappy that a Siemens PR person claimed there are no open issues regarding authentication bypass bugs in Siemens products. As a result, Rios decided to publicly disclose just such an issue.
Free iPad 2 Offer Lures Gaga Fans – As they say on the Internet (and Star Wars), “It’s a trap!” According to PC Advisor, many users following Lady Gaga on Twitter and Facebook almost had their credentials stolen by following links about a free iPad 2 promotion.
Anonymous Still Up to No Good – During the holiday, Anonymous breached Stratfor, a “global intelligence” company in Texas. They reportedly stole 200GB of email, and a client list of 4000, including credit card info. In the last week, Anonymous has also threatened to attack Sony and Nintendo due to their support of SOPA. As I predicted for 2012, I expect to continue to see these sorts of Anonymous-related hacktivism incidents throughout the year.
That’s a small taste of some of the security stories that surfaced over the last few weeks. In general, we’re seeing more security stories a week than we have in years past. I expect 2012 to be a busy year for security professionals and the unprotected. — Corey Nachreiner, CISSP (@SecAdept)