wonder how to - null byteRetrieved title: Null Byte « WonderHowTo, 1 item(s)
SMB (Server Message Block) is a protocol that allows resources on the same network to share files, browse the network, and print over the network. It was initially used on Windows, but Unix systems can use SMB through Samba. Today, we will be using a tool called Enum4linux to extract information from a target, as well as smbclient to connect to an SMB share and transfer files. Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation. This process is essential for an attack to be successful, as wasting time with exploits... more
the hackers newsRetrieved title: The Hacker News, 1 item(s)
A 39-year-old login password of Ken Thompson, the co-creator of the UNIX operating system among, has finally been cracked that belongs to a BSD-based system, one of the original versions of UNIX, which was back then used by various computer science pioneers. In 2014, developer Leah Neukirchen spotted an interesting "/etc/passwd" file in a publicly available source tree of historian BSD version
hackadayRetrieved title: Hackaday, 1 item(s)
A bug was recently fix in Signal that allowed a caller to force a call connection without any user interaction on the receiving side. We’ve seen this sort of problem in other chat applications, most recently the Zoom debacle.
The Signal client uses the same function to connect an outgoing call as an incoming call. This bit of code re-use allows a malicious client to initiate a call, and then send the “Accept Call” message. Because of the code re-use, this message triggers the same code as the accept call button on the receiving side. It’s as if the attacker uses reverse psychology to trick the other client into connecting.
It seems this bug only affected the Android client, and didn’t trigger a video call. It’s unclear whether the bug was discovered and exploited before it was fixed, but now that it has been announced, be sure to get Signal up to date.
WhatsApp Gif of Death
WhatsApp was discovered to be vulnerable to a malicious GIF image. This is a double-free vulnerability, triggered in the GIF processing library. The library allocates a buffer for the image frame, and re-uses that buffer for frames of the same size. In the event of GIF frames that are a different size, the library re-allocates the buffer to be the proper size. If a frame is set to zero size, reallocarray() is called with a new size of zero, which is undefined behavior. On Android, it has the effect of freeing the memory block, and returning a pointer to the now freed memory. Calling this again results in a double-free condition, also undefined behavior, which corrupts the memory management data.
Once this double-free operation has been carried out, the next two memory allocations of matching sizes will point to the same location. This means that the program acts as if it has two separate buffers, but they are actually one and the same, allowing the data from a GIF frame to overwrite a function pointer in the GIF data struct. A clever bounce through another function, and the GIF has suddenly run arbitrary code.
You know it’s going to be an interesting day when Google warns you that your account is being attacked by a government entity. Amnesty International started the week off by describing a coordinated attack against several Egyption organizations. This particular attack Isn’t the normal credential stealing attack, but instead tries to convince a user to authorize an OAuth application access to the account.
It may not be a particularly sophisticated attack, but the fact that the entire process happens while connected to the Google.com domain with a proper HTTPS certificate makes it just a little harder to spot. It does bypass two-factor authentication, in that once the malicious application has been given access to the account, no further logins are necessary.
Presidential Campaign Targeted
Microsoft has announced that one of the US presidential campaigns was targeted in an email compromise attempt. Nicknamed “Phosphorous”, the group’s attacks were simplistic, using personal data to attempt password resets and account recoveries. The fact that the attack included Iranian nationals living outside of that country leads one to suspect Iran as the sponsoring party.
We’ve briefly discussed attack attribution in the past, but this is a prime example of the difficulty of pinning down the people behind such an attack. What data does Microsoft have? The list of accounts targeted, the originating IP addresses, and perhaps some other metadata like browser user-agent strings. A naive look at that data would clearly reveal the attacker’s identity, but security, and history, should teach us not to take anything at face value. How difficult would it be for an attacker to include Iranian targets in their attack, launch from IP addresses that are associated with Iran, and spoof user-agents? It’s not likely, as this would be a more sophisticated effort than the attack itself, but such possibilities are extremely difficult to rule out.
These last two stories also touch on something else I found interesting. Apparently both Google and Microsoft have special procedures for dealing with state-sponsored attacks. It’s an interesting new world, when big companies are taking on nations, and vice-versa, for the sake of user security.
infosec writersRetrieved title: InfoSecWriters.com, 1 item(s)
Contributed by James Robinson
Appropriate and proper understanding and of IT security should be considered an essential and pertinent requirement within any modern business amongst its executives and employees. But, as we have seen throughout recent news, this has not been the case for many companies. This text explores the effectives of governance and regulations as it relates to protecting our information security. This text focuses on the different organizations’ businesses have implemented with hopes of increasing security standards. The articles, figures and tables used in this paper will further elaborate the importance of these organizations and practices within companies.
This document is in PDF format. To view it click here.
pen test partnersRetrieved title: Pen Test Partners, 1 item(s)
Aviation security is a complex environment. What first sparked my interest in avionics security was a comment from an airport customer of ours. They had seen the media coverage of the DHS work against a Boeing 757 a few years ago and were concerned that an ‘infected’ airplane might create a fresh attack surface for the airport.
When on the ground an aircraft’s communications with the airport and their company are prodigious, using Wi-Fi and other RF protocols to exchange data, notably Gatelink, but also simple crew laptops/tablets and phones in the briefing room.
The attack surface of an airport
Let’s look at some of the interfaces involved.
As a private pilot of many years I have personal experience of using a variety of these systems. I’ve been lucky enough to fly in to large commercial airports and mix it up with the ‘heavies’ in the same briefing rooms and security offices.
The biggest single challenge is the sheer volume of different entities that need access: passengers, crews, airline staff, security personnel, Police, Customs and other government agencies, freight, meal service and many more.
A crew access pass needs to work at multiple locations, sometimes over different sites. Access control systems therefore need to be interoperable. It’s not much use if the access card only gets a pilot in to London Heathrow’s crew areas for example.
The demands of interoperability cause a few security challenges: it means that there are access pass issuing locations in remote airports with fewer security controls in place. It also causes ‘legacy drag’ as upgrading one system requires that all are upgraded at the same time.
So security controls often see a race to the bottom to ensure interoperability, mag stripe + PIN is still very common. Access passes need to operate across multiple airlines too, adding further complexity.
I don’t have an aircrew access pass to try and clone, but tools such as the Proxmark create possibilities. Maybe I need to buy the next commercial pilot I see a beer or three?
Closely linked to access control is the building management system. Back in 2006 I noticed a press release from a BMS vendor announcing that they had won the contract to install building controllers at Heathrow’s then new Terminal 5.
So I bought an identical controller from eBay and got our team together to have a play with it. The results were a little scary.
BMS can control electronic door locks, HVAC, industrial process controllers and plenty more. Electronic door locks. Yes, those doors that keep airside separate from landside are usually electronically controlled. Hopefully alarms will go off if triggered, but we have discovered that some BMS have bypassable authentication and remote exploits. In most cases, they are behind access panels, but not always, and not always segregated on the network.
Many airports go ‘long’ on windows, miles of glass in some places. This makes managing temperature challenging, requiring powerful air conditioning. Sometimes the HVAC is controlled with a locally-managed BMS, though remote management by a specialist firm is very common.
Let’s say that again, remote access in to the HVAC by a third party. Nothing has ever gone wrong there, right?
Interfering with the HVAC may only cause discomfort for passengers and staff as temperature goes awry, but it’s the connectivity to other systems that is likely to be of more concern.
Most desks are ‘rented’ from the airport by the airline. If you’ve ever looked at the screens the agents are using, you may see old-school green screen apps running in a window. These can be the airlines own system, or can be outsourced systems from organisations such as Galileo etc.
Given these check-in counters can be used by different staff from different airlines, how good do you think the user authentication is likely to be?
Self-check in kiosks also pose a risk as they’re publicly-accessible devices (although I imagine you’d get a swift tap on the shoulder from the airport police if you started unscrewing one) and again, are often multi-airline devices provided by the airport so they can be quickly repurposed as passenger demand varies.
Want to see an airport in utter chaos? Go there when the baggage system has gone down.
Most baggage systems either have a degree of automation or are fully autonomous. They are controlled by industrial controllers such as PLCs, often managed by Windows systems.
Whilst the baggage system itself is rarely directly exposed on an airport network, usually residing on a dedicated serial network, interfaces to it are sometimes exposed.
Read our work on maritime serial networks if you want to see how much can be interfered with. Reflashing or bricking a few critical controllers or tampering with a small amount of serial data can be enough to snarl up a baggage system and bring the airport to a halt.
I do love it when a client comes to us and says ‘make it as real as you can’. We carried out some red teaming for an airport and noticed that the flight displays appeared to have security issues.
We asked for permission to carry out a proof of concept, which the client agreed to. So we injected our very own flight:
So what if the display boards go down or are tampered with? It happened fairly recently at Bristol Airport in the UK: a security incident, possibly ransomware, took out multiple systems including the flight displays.
The airport had to put significant numbers of additional staff out to replace the function of the displays. Not a security issue, but significant additional staffing costs were undoubtedly incurred.
I won’t dwell on this as the security issues in CCTV are well documented. However, CCTV in some airports is amongst the finest in the world.
I have been awed by the resolution and low light capabilities of high end CCTV that we’ve been asked to look at by various airports. I was also impressed by high end CCTV hardware security, though that didn’t stop us recovering a private key from one
Electronic passport gates fascinate me. I was under the impression that they used biometrics to automatically verify the passenger. What I now know is that those scanned passport images are simply sent in near real time to a border guard who compares them with the camera image of the passenger. More efficient I guess, but not as ‘smart’ as I first thought.
We’ve seen insufficiently segregated passport gates on the network at airports before, such that law enforcement systems are visible from the corporate network. That would be a strong ‘win’ for security to sort out that segregation!
Security scanning / x-ray machines are also networked in many cases. We really want to have a look at these, together with substance detectors, but recent models are simply too expensive for researchers like us to purchase.
Airside Concessions / Duty Free
As with check-in desks, concession spaces are rented from the airport. Each concession will be provided with dedicated, isolated network connectivity from which to run their retail operations.
We’ve found some that were not segregated. Access to wider airport systems was possible, perhaps to facilitate interaction of the concession with other parts of the airport.
The issues with Wi-Fi are well known, though an airport can present interesting challenges. Electronic Flight Bags and other legitimate aviation devices can accidentally be connected to the wrong network if not carefully managed.
Spoofing a network to try to attract some interesting kit or credentials is sometimes successful given the large number of devices connecting to them.
Ground power is essential for airport operations otherwise, airplanes would be left running their APU, burning expensive Jet A1 fuel and pumping out CO2, if on the ground for extended periods.
Guess what: the control and billing systems for ground power are networked.
Fuel delivery is arguably less networked, with most delivery carried out by a fuelling operator to the required load.
However, as evidenced by a lightning strike to the fuel depot at Stansted airport, knocking out high pressure pipeline pumps can cause trouble, so back to your OT hacking skills you go.
It’s probably not that well known that due to the huge volumes of fuel airports get through, they have dedicated pipelines to refineries, there would be no way to tanker in enough to keep up with demand – an A380 can hold 320,000 litres of Jet A1, which is over 250 tonnes.
Further, fuel delivery requests are becoming increasingly automated. The pilots Electronic Flight Bag can be used to specify the fuel load required, which is sent through an API to a tablet carried by the fueller, having been reviewed back at the airline’s flight operations for weight and balance.
An airport is a busy place. It’s important to keep vehicles away from taxiing planes.
As a result, airside vehicles will be equipped with ADS-B at some airports. This means that they will show up on ground radar and help controllers keep everything safe.
ADS-B is an unencrypted and unauthenticated protocol. I’ve seen it fitted to some high end drones for conspicuity for legitimate, authorised use near airports.
It wouldn’t take much to broadcast a rogue ADS-B signal with an SDR and place a phantom vehicle on a runway. In low visibility conditions, this would cause chaos.
Most airplanes will require pushback from the gate, so a tug is called on. The dispatcher walks back with the tug, keeping the pilot informed and providing an additional look-out over and above the tug driver.
Robot tugs are being trialled in several airports, where the dispatcher drives the tug by remote control, removing the need for two ground personnel to be involved.
So far, we believe that the tugs use both Wi-Fi and custom RF over 868MHz for remote control, but we haven’t had access to one to investigate thoroughly yet.
Hijack of a tug could be very troublesome, perhaps pushing one airplane in to another.
Aircraft are less reliant on ground navigational systems nowadays. The legacy VOR, ADB & DME navaids are being removed and have been largely superseded by inertial reference and GPS, although many airways still route VOR to VOR.
Instrument Landing Systems or ILS are still widely used, though often augmented or cross checked with GPS. This is a broadcast signal from a ground station at the end of the runway.
It has been shown that it’s not particularly difficult to spoof ILS and present a rogue signal that misdirects an aircraft. In good weather conditions, that offset would be obvious, but much less so in low visibility. Hopefully there is where Galileo can help as it’s supposed to be more resilient to spoofing.
Again, to reduce the need for manual direction of a taxying airplane with bats, automated docking systems are becoming increasingly common.
These use infrared lasers to work out the distance of the aircraft to the stop point, however the systems have to know the aircraft type to work correctly. You’d hope the flight crew would notice it had been changed from an A380 to an A320 though!
Pilot briefing systems are critical to the dispatching of an airplane. One needs load sheets, weather, routing, clearances and plenty more.
This is usually done on a Windows PC in the pilot briefing room. Multiple pilots from different airlines will use these systems, so security controls can be a challenge to implement.
No clearance = no flight. There are back-up systems in place, but they add time. At the worst, this may involve clearances being read out and acknowledged by radio, significantly increasing the time to dispatch an airplane.
Increasingly briefing data is sent to the Electronic Flight Bag, but the briefing room still plays a key part.
This is designed to reduce the manual paperwork requirements for any flight. Load sheets, passenger manifests and plenty more is sent to the airport and back to the plane once it’s on the ground
Most Gatelink systems use Wi-Fi, activated once the aircraft wheels touch the ground. The client on board probes for a wireless AP at the airport, authenticates securely (one hopes!) and can download passenger data to the airport.
Ground Wi-Fi is a great deal less expensive to use than satcom data or VHF ACARS messages. It’s also used for download of engine performance data and numerous other metrics that can help efficient operation of the airplane.
As you can see, an airport is a very complex environment, one that’s difficult to secure. What critical actions should airports start with?
No surprises here, but basic principles apply: segregation, least privilege and containment of systems that can’t easily be secured.
cso onlineRetrieved title: CSO Online, 1 item(s)
Cloud computing continues to transform the way organizations use, store, and share data, applications, and workloads. It has also introduced a host of new security threats and challenges. With so much data going into the cloud—and into public cloud services in particular—these resources become natural targets for bad actors.
security weekRetrieved title: SecurityWeek RSS Feed, 1 item(s)
Blockchain, or distributed ledger, is sometimes described as a 'solution in search of a problem'. There are many valid applications outside of pure cybersecurity -- for example, reducing transaction costs in complex legal situations like house purchase, or tracking the location of physical goods in distribution or supply chains -- but improving cybersecurity has had few valid and proven proposals.
xkcdRetrieved title: xkcd.com, 1 item(s)
We've met! I remember you when you were thiiiis tall! [*holds a hand an inch above their head*]