wonder how to - null byte | Retrieved title: Null Byte « WonderHowTo, 3 item(s)
Windows 10 and macOS have poor reputations when it comes to customer privacy and user policies. In addition, our steady flow of hacking Windows 10 and hacking macOS articles might make it seem like a reasonably secure operating system doesn't exist. But I'm here to tell you that there is a viable alternative that could provide some sense of security and trust. There are quite a few noteworthy Linux distributions with excellent development records and support communities to choose from. To name just a few, there's Manjaro, BlackArch, Parrot Security OS, and Kali, but I decided to feature...
What appears to be an ordinary MP4 may have been designed by an attacker to compromise your Linux Mint operating system. Opening the file will indeed play the intended video, but it will also silently create a connection to the attacker's system. Understanding the Attack: While this article uses Linux Mint as an example, the attack takes advantage of an issue in several Linux file managers. The below GIF demonstrates the attack. Two files are being extracted in the GIF. The first (real_video.mp4) is a real MP4 of a movie trailer. The second file (fake_video.mp4) is a .desktop file...
Businesses leave paper trails for nearly every activity they do, making it easy for a hacker or researcher to dig up everything from business licenses to a CEO's signature if they know where to look. To do this, we'll dig into the databases of government organizations and private companies to learn everything we can about businesses and the people behind them. You can probably imagine why it might be useful to find out if a business is real or not. It can also be helpful to verify if a particular person works for a company they say that they do. While this information almost always exists...
the hackers news | Retrieved title: The Hacker News, 3 item(s)
Security researchers at Bitdefender have discovered a high-severity security vulnerability in Amazon's Ring Video Doorbell Pro devices that could allow nearby attackers to steal your WiFi password and launch a variety of cyberattacks using MitM against other devices connected to the same network. In case you don't own one of these, Amazon's Ring Video Doorbell is a smart wireless home
Cloud services and networking are driving the concept of digital businesses, yet traditional networking and cybersecurity architectures are far from meeting the demands of the digital business. Gartner's "The Future of Network Security Is in the Cloud" report spells out the potential for the transformation of networking and security in the cloud, built upon a new networking and security model
Do you always feel uncomfortable trusting companies with your data? If so, you're not alone. While companies do much to protect themselves from external threats, insiders always pose the highest risk to a company's data. Unfortunately, when we say companies can't eliminate the insider threat completely, cybersecurity firms, who are meant to protect others, are not an exception. Cybersecurity firm
hackaday | Retrieved title: Hackaday, 3 item(s)
Anyone who’s done a bit of metalworking will know how quickly your stockpile will pick up a coating of rust with even just a bit of humidity. While welding requires only a bit of wire brushing at the joint areas, cleaning a large frame for paint is a completely different story. The projects [Make it Extreme] gets himself into tend to involve a lot of steel, so he built his own electrolysis tank for rust removal.
Electrolytic rust removal involves placing the piece of steel to be cleaned into an alkaline electrolyte solution (water and baking soda) with a sacrificial steel anode and connecting a low voltage DC supply over the two pieces. [Make it Extreme] started with an old plastic container, around which he built a very neat trolley frame. He obviously put some thought into how the tank will be cleaned, since it can be removed by unscrewing six bolts and removing the top part of the frame.
The high current, low voltage power supply that is required for the process was built using an old microwave transformer. The secondary coil is removed and replaced with a coil of thick insulated wire, to convert it into a step down transformer. After the rewinding, the transformer outputs about 13 VAC, which is then run through beefy bridge rectifier modules to get a DC current. A custom machined copper bolt terminal is mounted through the side of the tank to attach the sacrificial anode plate to the positive lead of the power supply, while the negative lead is clamped to the rusty steel to be cleaned.
In the leafy suburbs of northern Virginia, a place ruled by homeowner’s associations with tremendous power to dictate everything from the color of one’s front door to the length of grass in the lawn, something as heinous as garage doors suddenly failing to open on command is sure to cause a kerfuffle. We’ve seen this sort of thing before, where errant RF emissions cause unintentional interference, and such stories aren’t terribly interesting because the FCC usually steps in and clears things up. But this story is a little spicier given the source of the interference: Warrenton Training Center, a classified US government communications station located adjacent to the afflicted neighborhood. WTC is known to be a CIA signals intelligence station, home to spooks doing spooky stuff, including running high-power numbers stations. The interference isn’t caused by anything as cloak-and-dagger as that, though; rather, it comes from new land-mobile radios that the Department of Defense is deploying. The new radios use the 380-400 MHz band, which is allocated to the Federal Government and unlicensed Part 15 devices, like garage door remotes. But Part 15 rules, which are clearly printed on every device covered by them, state that the devices have to accept unwanted interference, even when it causes a malfunction. So the HOA members who are up in arms and demanding that the government buy them new garage door openers are likely to be disappointed.
Speaking of spooks, if you’re tired of the prying electronic eyes of facial recognition cameras spoiling your illusion of anonymity, have we got a solution for you. The Opt-Out Cap is the low-tech way to instantly change your face for a better one, or at least one that’s tied to someone else. In a move which is sure not to arouse suspicion in public, doffing the baseball cap deploys a three-piece curtain of semi-opaque fabric, upon which is printed the visage of someone who totally doesn’t look creepy or sketchy in any way. Complete instructions are provided if you want to make one before your next trip to the ATM.
It’s always a great day when a new Ken Shirriff post pops up in our feed, and his latest post is no exception. In it, Ken goes into great detail about the history of the 80×24 (or 25) line standard for displays. While that may sound a bit dry, it’s anything but. After dispelling some of the myths and questionable theories of the format’s origin – sorry, it’s not just because punch cards had 80 columns – he discusses the transition from teletypes to CRTs, focusing on the very cool IBM 2260 Display Station. This interesting beast used an acoustic delay line made of 50′ (15 m) of nickel wire. It stored data as a train of sound pulses traveling down the wire, which worked well and was far cheaper than core memory, even if it was susceptible to vibrations from people walking by it and needed a two-hour warm-up period before use. It’s a fascinating bit of retrocomputing history.
A quick mention of a contest we just heard about that might be right up your alley: the Tech To Protect coding challenge is going on now. Focused on applications for public safety and first responders, the online coding challenge addresses ten different areas, such as mapping LTE network coverage to aid first responders or using augmented reality while extricating car crash victims. It’s interesting stuff, but if you’re interested you’ll have to hurry – the deadline is November 15.
And finally, Supercon starts this week! It’s going to be a blast, and the excitement to hack all the badges and see all the talks is building rapidly. We know not everyone can go, and if you’re going to miss it, we feel for you. Don’t forget that you can still participate vicariously through our livestream. We’ll also be tweet-storming and running a continuous chat on Hackaday.io to keep everyone looped in.
Too often when you see a build video, you only get to see the final product. Even if there’s footage of the build itself, it’s usually only the highlights as a major component is completed. But thankfully that’s not the case with the “V-Baby” CoreXY 3D printer that [Roy Berntsen] has been working on.
Watching through his playlist of videos, you’re able to see him tackle his various design goals. For example he’d like the final design to be both machinable and printable, which is possible, but it certainly adds complexity and time. He also transitions from a triangular base to a rectangular one at some point. These decisions, and the reasons behind them, are all documented and discussed.
Towards the end of the series we can see the final testing and torturing process as he ramps up to a final design release. This should definitely demystify the process for anyone attempting their first 3D printer design from scratch.
pen test partners | Retrieved title: Pen Test Partners, 3 item(s)
I had the misfortune of being at Schiphol last night as this unfolded:
All ended well, delayed by about an hour. Had the incident been real, it could have been much worse.
Here’s what the pilot had to say about it (thanks to @asantosb):
Our flight was at D16, the incident flight was directly the other side of the pier:
Initial reports on Twitter suggested a GRIP-3 situation. It was speculated, attributed to airport staff, that a hijack incident was in progress. Special forces and first responders were quickly on site.
There was also confusion around which gate. This could quickly have been determined by looking at ground ADS-B traffic, but I didn’t think about this until after the event was over. Fortunately my colleague Alex did:
It was quickly identified as Air Europa flight UX1094 AMS-MAD.
There was an alert at Utrecht station too, though this was quickly dismissed.
Then this was tweeted. So how did it happen?
All commercial aircraft have transponders. These give air traffic controllers far more precise information than a ‘blob’ on a screen as would be seen in a primary radar return.
Aviation transponders were invented during WWII to help radar operators distinguish friendly and enemy aircraft. The system was known in the US as IFF (Identify Friend or Foe) and ‘Parrot’ in the UK.
Incidentally, this is where the term ‘squawk’ comes from – an operator request to the pilot to turn on the transponder was ‘squawk your Parrot’.
Developments allow the pilot to select a numeric transponder code. Most of the airplanes I learned on simply had rotary knobs, like this:
When selecting the code, one was taught to switch the transponder to ‘standby’ otherwise the controller would have a series of changing codes displayed on their screen.
Remember this, as it’s relevant to the Schiphol incident.
The ‘Alt’ setting also returned the airplane’s height to the controller. Also known as ‘Mode C’ – this is very useful around controlled airspace, which rises in ‘steps’. Hence knowing the height of all aircraft is very helpful for avoiding airspace busts.
The transponder interface on the Air Europa A330 would have looked more like this:
Just to the right and aft of the co-pilot's trim wheel and the throttle:
The transponder in commercial planes has additional functionality – it integrates with the TCAS, the traffic collision avoidance system. The rest of the transponder performs essentially the same task as the analogue-wheel version above.
The TCAS side is quite interesting. It provides traffic alerting AND actions for the pilot to take to avoid a crash. That’s the TA (traffic advisory) and RA (resolution advisory) switch on the right. It can be fooled by misreporting transponders in light aircraft, making it think traffic is at the wrong altitude and therefore a potential conflict.
So what went wrong?
Typically, a commercial airliner is given a squawk for its flight:
1200 is actually a special ‘conspicuity’ code in the US that light aircraft transmit even when they are not receiving a radar control service. It’s known as the VFR code, 7000 in the UK.
But, there are emergency codes. The idea being that a pilot can inform ground stations of an issue even if radios aren’t working or they aren’t able to transmit as a result of a threat.
- 7700 – general emergency
- 7600 – lost communications (often a radio failure)
- 7500 – unlawful interference (hijack)
My strong suspicion with the Air Europa flight was that the pilot was explaining the transponder functions to someone, showing how to punch in various codes.
With the transponder set to ‘On’ instead of ‘standby’ during this demo, 7500 was inadvertently broadcast. This triggered a hijack response from the airport.
There’s one other possibility: I believe that ‘auto’ mode is present to ensure that the transponder doesn’t broadcast whilst on the ground. In the past, I’ve heard that transponder returns on the ground can cause issues for the radar operator.
This relies on the undercarriage microswitches working correctly. If those weren’t disabling the transponder correctly, it’s possible that the pilot believed that the transponder wouldn’t return data until he became airborne. I find this unlikely though, as those microswitches affect lots of other functions on the plane too.
Later transponders also support Mode-S which offers additional functionality. The most modern offer EHS, or enhanced surveillance, but that doesn’t really have much bearing on the Schiphol incident. Fat fingers and/or user error will always be a problem!
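A constructed Python model of the point made above about dialling a squawk without first selecting standby, and of the ground-side view of the emergency codes; this is an added example, not the post's own material, and the start and target codes used in it are made up.

```python
"""Toy model of squawk-code entry and the codes a ground station receives.

Assumptions (constructed for this illustration): each of the four digits sits
on its own rotary knob and is changed in order; in ON or ALT every
intermediate code is broadcast, while STBY suppresses broadcasts until the
mode switch is turned back on with the final code already set.
"""

EMERGENCY_CODES = {
    "7700": "general emergency",
    "7600": "lost communications",
    "7500": "unlawful interference (hijack)",
}
CONSPICUITY_CODES = {"1200": "VFR (US)", "7000": "VFR (UK)"}
OCTAL_DIGITS = set("01234567")  # squawk codes are four octal digits


def dial_sequence(start: str, target: str) -> list:
    """Codes displayed as the knobs are turned, one digit at a time, from start to target."""
    if len(start) != 4 or len(target) != 4:
        raise ValueError("squawk codes are four digits")
    if not set(start + target) <= OCTAL_DIGITS:
        raise ValueError("squawk digits must be 0-7")
    digits = list(start)
    seen = []
    for i in range(4):
        if digits[i] != target[i]:
            digits[i] = target[i]
            seen.append("".join(digits))
    return seen


def broadcast(mode: str, start: str, target: str) -> list:
    """Codes that reach the controller's screen during the change."""
    if mode == "STBY":
        return [target]  # nothing transmitted until the final code is set
    if mode in ("ON", "ALT"):
        return dial_sequence(start, target)
    raise ValueError("unknown transponder mode: %r" % mode)


def emergency_alerts(codes) -> list:
    """Ground-side check: which received codes would raise an emergency response."""
    return [(c, EMERGENCY_CODES[c]) for c in codes if c in EMERGENCY_CODES]


if __name__ == "__main__":
    # Constructed scenario: aircraft squawking the US VFR code is assigned 7553.
    for mode in ("ON", "STBY"):
        received = broadcast(mode, "1200", "7553")
        print(mode, received, emergency_alerts(received))
```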
…or Why We Don’t Build Commercial IoT on a Raspberry Pi.
A positive story of disclosure and remediation.
We’re quite into our electric vehicles at PTP, so we started hunting for a smart car charger. There are plenty of industrial chargers out there and some research has been done in the past.
We got close with a Rolec charger that was being advertised, but discovered that it was vapourware at the time. I’ve since ordered one so watch this space…
Instead, we settled on the EO Car Charger which fortunately was real, available and had around 4,000 customers already.
This is the interesting part of the installation. It hooks up to the chargers through an RS485 connection, then on to a wired network through the below RJ45.
Image credit: EO Charging
At £480 it wasn’t cheap but was capable of controlling up to 30 chargers. It clearly had the ability for OTA firmware updates, adding capability. Interesting:
Image credit: EO Charging
I had just acquired a FLIR One Pro thermal camera, so had a look at the box:
Hang on a sec – that looks very familiar. Opening it up:
Er – that’s a Raspberry Pi in a box. About £30 cost, plus the PSU and case. I’m expecting a lot of the software, given the ~£400 of remaining differential cost!
Yeah, not exactly 1337 skills required here: Remove the SD card, inject root account, boot up device and SSH onto it with newly created credentials. Root.
I wasn’t expecting it to be quite this easy. The device runs from two Python scripts, both of which were fully commented by the developers.
Gen.py (5078 Lines)
EOBootStrapper.py (1615 Lines)
Thus far (10 mins), we have:
- Full “Source Code” of device.
- An overview of the network topology from the hardcoded strings.
- FTP Credentials
- SMTP Credentials
- Encryption / Decryption Keys
What next? Let’s see how it talks back to the mother ship.
Boooo! It's all encrypted. Worry not, as we have everything we need to decrypt the flow.
Reversing the Encryption
A few moments later we have DecryptEOr.py
The cleartext commands are defined in the source, meaning that we have a complete understanding of the underlying communication.
The developers set out to send this traffic over a VPN connection but have not actually implemented it.
To date, EO has made almost 4,000 chargers, with around three-quarters installed in the UK. We could push our own code to the device:
So now one could push rogue code and create a smart car charger botnet. If enough chargers could be compromised, it might be possible to create spikes on the power grid by synchronously turning all the chargers on / off / on.
The Good News: Whilst the product itself was a bit of a security train wreck, the response to disclosure was definitely NOT the usual IoT car crash.
I think EO should be commended on their response. They responded fast, took detailed advice, engaged an expert third party and moved hell and high water to get fixes out within a 90 day disclosure deadline.
Here’s what we sent them on 13th June:
Then they proactively called the following morning to discuss the detail, following up with this:
The next step didn’t go quite to plan, as I don’t think they understood that the complete lack of identity, secure access control and secure authentication to the hub (as a result of building on a Pi) meant that the installed base couldn’t easily be securely updated.
I suggested instead that they needed external advice, so recommended a few options for IoT security implementation consultants. They chose David Rogers of Copper Horse, who we know well through involvement with the IoT Security Foundation and the DCMS IoT Security Code of Conduct.
They’ve helped them assess risk, come up with a reasonable plan and push updates.
Here’s what they sent us a few days ago. It’s very honest, it doesn’t try to cover up issues and takes the problem seriously.
Lack of strong identity of device
The identity of the device is used to determine what actions are to be completed on the hub, servers, and all involved APIs, either directly or via other means. The disclosing party reported that the identity of the device was not strongly associated with any single device and as such was easy to impersonate. PKI routines have been developed to enable a strong identity of all hubs in the network. Each hub will be issued with a certificate which is strongly bound to its identity.
This certificate then plays a key role in the ability for the hub to communicate using encrypted channels with the server. Furthermore, the heterogeneity that is inherent in these unique identities combined with strong access control makes us confident that attacks from one hub to another are now prevented.
Poor authentication for bootstrap/activation process
Activation and bootstrapping were not tied to any identity. This meant previously anyone could perform the bootstrapping and activation process. Bootstrapping and activation is only permitted with administrative interaction on the EO cloud. Further improvements have since been made that mean these actions are only possible inside known and trusted network segments. Future software upgrades will be communicated using the strong encryption and integrity provided by the strong identities which are also now implemented.
Inadequate transport encryption
The encryption techniques used provided no authentication, were malleable, and used a common shared key across all devices. The strong identities now in place enable strong and mutually authenticated encryption to be enforced between the hub and the server.
Multiple hard coded credentials of a variety of kinds were found in the device’s file system. Each stored credential has been independently reviewed and corrected. There are now no credentials stored in plaintext and no shared credentials between multiple devices. Wherever legacy code was found which included a credential, the associated services have been decommissioned and the code has been removed.
Inadequate protection from device takeover
There is no protection against a local attacker altering the file storage and gaining full access to the local device as “Root”. Plans are being drawn to replace the hardware with a suitable device and chipset that can prevent easy access to the file system. The replacement hardware platform will have a TPM / TEE or similar trust anchor by which keys and digital signatures can be validated, as well as the use of seamless Full Disk Encryption (FDE).
As this involves significant hardware updates, and those tasks can take many months, this vulnerability has not been corrected directly. Instead immediate and prioritised action was taken to ensure that vulnerabilities that could have been used for “lateral movement” or “pivot” attacks were corrected. Server-side monitoring is also being implemented in the meantime to provide a belt and braces to potential attacks.
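To make the "no authentication, malleable, common shared key" finding and its fix concrete, here is an added Python illustration constructed for this page; it is not EO's or Copper Horse's code, the toy cipher is a stand-in for whatever the hub actually used, and the device ids and secrets are made up. It sets a fleet-wide unauthenticated stream cipher beside a per-device encrypt-then-MAC construction that binds the hub identity, which is the property a per-device certificate and mutually authenticated TLS give you in a real deployment.

```python
"""Toy contrast: shared-key malleable encryption vs per-device authenticated encryption.

Constructed illustration only. Real hubs should use TLS with per-device
certificates; the hand-rolled construction here exists to show the two
properties the vendor statement names: tamper detection and device binding.
"""
import hashlib
import hmac
import os

FLEET_KEY = b"constructed-shared-key-on-every-hub"    # legacy: identical on all hubs
ROOT_SECRET = b"constructed-server-side-root-secret"   # hardened: never leaves the server


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); illustrative, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- legacy scheme: one fleet-wide key, no integrity check ---------------------

def legacy_encrypt(plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + _xor(plaintext, _keystream(FLEET_KEY, nonce, len(plaintext)))


def legacy_decrypt(blob: bytes) -> bytes:
    nonce, body = blob[:12], blob[12:]
    return _xor(body, _keystream(FLEET_KEY, nonce, len(body)))  # accepts anything


# --- hardened scheme: per-device key, encrypt-then-MAC, identity in the MAC ----

def device_key(device_id: str) -> bytes:
    """Per-hub key derived from the server secret and the hub's identity."""
    return hmac.new(ROOT_SECRET, device_id.encode(), hashlib.sha256).digest()


def hardened_encrypt(device_id: str, plaintext: bytes) -> bytes:
    key = device_key(device_id)
    nonce = os.urandom(12)
    body = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, device_id.encode() + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def hardened_decrypt(device_id: str, blob: bytes) -> bytes:
    key = device_key(device_id)
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, device_id.encode() + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: tampered, or not for this device")
    return _xor(body, _keystream(key, nonce, len(body)))


def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate one corrupted byte in transit."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


def demo() -> dict:
    """Run both schemes against the same message and report what each detects."""
    msg = b"SET_CHARGER_STATE=ON"  # constructed command string
    results = {}
    legacy_blob = legacy_encrypt(msg)
    # Malleable: a flipped ciphertext byte decrypts, without error, to a different command.
    results["legacy_tamper_undetected"] = legacy_decrypt(flip_byte(legacy_blob, 12)) != msg
    hub_blob = hardened_encrypt("hub-0001", msg)
    results["hardened_roundtrip"] = hardened_decrypt("hub-0001", hub_blob) == msg
    try:
        hardened_decrypt("hub-0001", flip_byte(hub_blob, 12))
        results["hardened_rejects_tamper"] = False
    except ValueError:
        results["hardened_rejects_tamper"] = True
    try:
        hardened_decrypt("hub-0002", hub_blob)  # traffic for one hub presented as another's
        results["hardened_rejects_cross_device"] = False
    except ValueError:
        results["hardened_rejects_cross_device"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```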
I wish all IoT vendors were like this. Congratulations, EO.
Whilst it would have been much better for the product to have been secure in the first place, through a good response to disclosure and bringing in expert help, the problem is largely resolved.
What a refreshing end to an IoT security issue; a cool vendor.
I often hear objections to consumer IoT regulation, specifically IoT security regulation. It’s typically from industry lobby groups that have a vested interest in keeping regulation very ‘light touch’. Their mantra is:
It’ll stifle innovation and increase cost
I strongly disagree, and here’s why.
“Regulation stifles innovation”
The argument goes that mandating security in smart products will make it harder for companies to succeed as new entrants to the market. Either innovative products won’t be manufactured because the cost of entry is prohibitive, or they will be developed and manufactured overseas where there are fewer, or no, regulations.
The problem with that argument is that IoT security regulation is an enabler NOT a barrier.
That’s a bold claim, so let’s break it down.
Innovation comes from someone having an idea, “let’s make a smart thing”. No problem there, but it’s rare that the innovator has security expertise. The prime objective is getting a minimum viable product to market quickly, at least cost.
Development, prototyping, mobile app development, and platform provision often run concurrently. They are rarely all on schedule, and rarely work correctly first time. In this common scenario security is usually an afterthought, if it’s even considered at all.
Sadly, often the first time security becomes important to manufacturers is when a security researcher makes contact to say that their customer’s data is exposed. See our blog for numerous examples.
By that time, the cost of correcting mistakes can be prohibitive. A recall could take a start-up business under, yet not taking action can lead to significant brand damage, let alone the risk of class actions from users and regulatory enquiries from data protection authorities.
Catch 22: lose/lose. The start-up goes under. Innovation is stifled by a lack of security.
Instead, how about manufacturers implement one of the many secure IoT platforms rather than trying to roll their own? Time to market is reduced and security is improved. Innovation is enabled by security.
Caveat: only some of the 300+ IoT platforms are secure; some are terrible. Choose wisely!
“Regulation increases costs”
The argument here is that even one single penny of additional cost will make an IoT product economically unviable and so put it out of contention.
By implementing an existing IoT platform the product gets to market faster. IoT platforms provide an API and back end, and some offer the hardware for your IoT device’s PCB. Some platforms can even help develop your mobile app. That saves $$. It also means that you’re more likely to get first mover advantage.
But what about that cost? Economy of scale is the key here. As more start-ups realise the value of IoT platforms, economy of scale creeps in. Platforms can commission larger runs of hardware and development costs around that are amortised, so the cost per unit drops.
Most start-ups tend to only investigate these platforms and short cuts to market if they are mandated to. You can wave ‘good practice’ documentation all you like, but few will pursue it if there is no regulation to consider.
Various surveys have shown that a strong reason cited by consumers against adoption of IoT is their concerns around security. There’s a typical example here. We can remove that concern through regulation, removing an obstacle to growth.
In my opinion, regulation actually encourages innovation, reduces cost, reduces time to market and helps increase sales volume by removing consumer objections on the grounds of security.
Regulation can actually stimulate growth in the consumer IoT market.
infosec writers | Retrieved title: InfoSecWriters.com, 3 item(s)
Contributed by Gregory Boykin
With the rapid expansion of internet access globally, Internet of Things (IoT) technologies have exploded onto the market, offering many connected and convenient devices to consumers and industry alike. With the proliferation of devices already connected and the increasing popularity of those devices, this trend in IoT growth will only continue to increase. The ongoing development and evolution of IoT devices has the potential to shape and benefit many industries, including agriculture, education, health care, automotive, and environmental. However, the improvement offered by these devices comes accompanied by potential security threats. These devices are a growing surface which cyber attackers can exploit, leading to exposure of business and consumer data. This risk is compounded by the interconnectedness and interaction between these new gadgets and often driven by a rush to market, which is itself a response to eager consumer and industrial buyers wanting more connected devices expanding convenience and automation. This paper will review the literature to look at the history and current state of the IoT in the marketplace. Possible emerging trends, benefits and concerns such as security will be addressed in relation to the growth of IoT. The paper will conclude with recommendations on how the developing IoT markets can thrive and garner increased device security, protecting the data being stored and accessed.
Contributed by Mark Heckle
In today’s environment, technology has become a way of doing business. Because of technology, information security has become a necessary factor in how we use technology in our companies. There are certainly ways to help protect the technology with additional hardware and software, but the human component plays a vital role in reducing security risks. It is necessary to make the employees more security aware by developing security awareness programs. This research will show how to develop a security awareness program for your organization. It will also present ways to engage employees in such a plan for your organization. The security awareness program is the first step in protecting your organization from such events as ransomware, phishing attacks, spam, and many more.
Contributed by James Robinson
An appropriate and proper understanding of IT security should be considered an essential and pertinent requirement within any modern business amongst its executives and employees. But, as we have seen throughout recent news, this has not been the case for many companies. This text explores the effectiveness of governance and regulations as they relate to protecting our information security. This text focuses on the different organizations businesses have implemented with hopes of increasing security standards. The articles, figures and tables used in this paper will further elaborate the importance of these organizations and practices within companies.
security week | Retrieved title: SecurityWeek RSS Feed, 3 item(s)
The allegations of spying by former Twitter employees for Saudi Arabia underscore the risks for Silicon Valley firms holding sensitive data which make the platforms ripe for espionage.
Critical vulnerabilities impacting Medtronic Valleylab products could allow attackers to overwrite files and achieve remote code execution, the Department of Homeland Security (DHS) warns.
805,000 Cybersecurity Professionals Are Currently Estimated to be Working in the U.S., Study Finds
tech-wreck infosec blog | Retrieved title: Tech-Wreck InfoSec Blog, 3 item(s)
Multiple bugs have been identified in the LEADTOOLS line of imaging toolkits. LEADTOOLS, which is a collection of toolkits designed to perform a variety of functions aimed at integrating documents, multimedia, and imaging technologies into applications, offers prebuilt and portable libraries with an SDK for most platforms. The vulnerabilities could result in denial-of-service conditions and the execution of code remotely. Cisco's Talos team notified LEAD Technologies, the producer of LEADTOOLS, and the vulnerabilities have since been rectified.
Google released its November version of the Android Security Bulletin, which contains a number of fixes and updates. The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
The latest version of Google Chrome mitigates two security vulnerabilities. Version 78.0.3904.87, which has been released for Windows, Mac, and Linux alleviates a use-after-free bug in PDFium and a use-after-free issue in audio. Kaspersky found the use-after-free audio vulnerability, which has been used in watering hole-style attacks.
Honeywell released multiple advisories to mitigate risks in equIP series and Performance series IP cameras and recorders. The advisories discuss methods to use to mitigate these vulnerabilities.
The Microsoft Office for Mac option "Disable all macros without notification" enables XLM macros without prompting, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Up to and including Microsoft Excel 4.0, a macro format called XLM was available. XLM macros predate the VBA macros that are more common with modern Microsoft Office systems, however current Microsoft Office versions still support XLM macros. It is unclear if a solution to this issue is available but an advisory from the Cybersecurity and Infrastructure Security Agency (CISA) offers guidance.
NVIDIA has released a software security update for its GPU Display Driver. This update addresses issues that may lead to denial of service, escalation of privileges, or information disclosure.
Open-source network device configuration management utility rConfig contains two remote code execution bugs, a security researcher has found. The first bug affects the ajaxServerSettingsChk.php file while the second was discovered in the search.crud.php file. The researcher, who goes by the name of Askar, released proof-of-concept exploits for both bugs after contacting rConfig's main developer in September and getting no response.
Multiple vulnerabilities in Advantech's discontinued WISE-PaaS/RMM Internet of Things device remote monitoring and management platform could result in information disclosure, remote code execution, and system availability compromise. Advantech phased out WISE-PaaS/RMM in July 2019 and replaced this product with EdgeSense and DeviceOn. Users can obtain further information from an ICS-CERT advisory.
A vulnerability impacts the "Full Development" and "Runtime Only" packages of Omron's SCADA and HMI package "CX-Supervisor." Omron recommends users update to CX-Supervisor 3.51 (9). The ICS-CERT posted an advisory with further information. A second ICS-CERT advisory pertaining to Omron reflects an update to the vendor's Network Configurator for DeviceNet. A new version has been released to mitigate an untrusted search path vulnerability.
xkcd | Retrieved title: xkcd.com, 3 item(s)