Online investigations outfit Bellingcat has found that fitness tracking kit-maker Polar reveals both the identity and daily activity of its users – including soldiers and spies.

Many users of Polar’s devices and app appear not to have paid attention to their privacy settings, as a result a Bellingcat writer found 6,460 individuals from 69 countries. More than 200 of them left digital breadcrumbs around sensitive locations.

Bellingcat’s report claimed the Polar Flow social-fitness site produces more compromising data than other fitness-trackers than previous leaks: “Compared to the similar services of Garmin and Strava, Polar publicizes more data per user in a more accessible way, with potentially disastrous results.“

“Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised.”

Bellingcat notes that the big difference between Polar and Strava is that the former offers more comprehensive data, more easily, covering everything a user has uploaded to the platform since 2014.

Source: Fitness app Polar even better at revealing secrets than Strava • The Register

Security researchers say the Diameter protocol used with today’s 4G (LTE) telephony and data transfer standard is vulnerable to the same types of vulnerabilities as the older SS7 standard used with older telephony standards such as 3G, 2G, and earlier.

Both Diameter and SS7 (Signaling System No. 7) have the same role in a telephony network. Their purpose is to serve as an authentication and authorization system inside a network and between different telephony networks (providers).

SS7 was developed in the 1970s and has been proven insecure for almost two decades [1, 2, 3, 4, 5]. Because of this, starting with the rollout of 4G (LTE) networks, SS7 was replaced with the Diameter protocol, an improved inter and intra-network signaling protocol that’s also slated to be used with the upcoming 5G standard.

The difference between these two is that while SS7 did not use any type of encryption for its authentication procedures, leading to the easy forgery of authentication and authorization messages, Diameter supports TLS/DTLS (for TCP or SCTP, respectively) or IPsec.

4G operators often misconfigure Diameter

But according to research published last month by Positive Technologies detailing Diameter’s use among mobile networks across the globe, the protocol’s features are rarely used.

In practice telecom operators almost never use encryption inside the network, and only occasionally on its boundaries. Moreover, encryption is based on the peer-to-peer principle, not end-to-end. In other words, network security is built on trust between operators and IPX providers.

The incorrect use of Diameter leads to the presence of several vulnerabilities in 4G networks that resemble the ones found in older networks that use SS7, and which Diameter was supposed to prevent.

Researchers say that the Diameter misconfigurations they’ve spotted inside 4G networks are in many cases unique per each network but they usually repeat themselves to have them organized in five classes of attacks: (1) subscriber information disclosure, (2) network information disclosure, (3) subscriber traffic interception, (4) fraud, and (5) denial of service.

1+2) Subscriber and network information disclosure

The first two, subscriber and network information disclosure, allow an attacker to gather operational information about the user’s device, subscriber profile, and information about the mobile network in general.

Such vulnerabilities can reveal the user’s IMSI identifier, device addresses, network configuration, or even his geographical location —helping an attacker track users of interest as they move about.

3) Subscriber traffic interception

The third vulnerability, subscriber traffic interception, is only theoretically possible because both SMS and call transmission often establish channels with previous-generation protocols that do not use the Diameter protocol for authentication.

Nonetheless, Positive Technologies researchers warn that if the attacker is set on SMS and call interception, he can at any time downgrade a Diameter-capable 4G connection to a previous-generation connection and use flaws in SS7 and other protocols to carry out his attack.

For example, SMS interception is possible because most 4G networks send SMS messages via a 3G channel where SS7 is used instead of Diameter for user and network authentication, while phone call channels are handled via VoLTE, a protocol that has been proven insecure and susceptible to such attacks in 2015.

Even if networks handle SMS and phone calls via a pure 4G channel, then the attacker only needs to pose as an inferior network to carry out a MitM attack via an older protocol.

4) Fraud

Attackers can also use Diameter flaws to allow free use of the mobile network for a specific subscriber profile, leading to financial losses for the operator.

There are two types of such attacks, each of which is based on modifying the subscriber profile. The first type involves modifying the billing parameters stored in the subscriber profile and is quite difficult to implement in practice, since it requires knowledge of the operator’s network configuration on the part of the attacker. The values of these parameters are not standardized and depend on the specific operator; they could not be retrieved from a subscriber profile in any of the tested networks. The second type of attack is the use of services beyond restrictions, causing direct financial damage to the operator.

5) Denial of service attacks

Last but not least, Diameter flaws allow denial-of-service attacks that prevent a 4G user from accessing certain 4G features or allow an attacker to limit the speed of certain features, causing problems for a connected device.

Positive Technologies experts warn that the denial-of-service Diameter vulnerabilities “could lead to sudden failure of ATMs, payment terminals, utility meters, car alarms, and video surveillance.”

This is because these types of devices often use 4G SIM card modules to connect to their servers when located in a remote area where classic Internet connections are not possible.

All mobile networks are vulnerable to either SS7 or Diameter flaws

The cyber-security firm says that from all the mobile networks it analyzed in the past years, since it began looking into SS7 and Diameter vulnerabilities, all mobile networks it examined are vulnerable to one or another, or both, leading to unique cases where any mobile networks it inspected ws vulnerable to some sort of network-level hacking.

Positive Technologies warns that with the rise of Internet of Things devices, some of which rely on 4G connections when a WiFi network is not in range, such flaws are the equivalent of having an open door for hackers to target such equipment via the 4G network.

“Such frightening consequences are only the tip of the iceberg,” experts wrote in their latest Diameter report. The company, which is known for providing security testing and monitoring of mobile networks, urges 4G operators to get with the times and invest into the security of their networks.

The “Diameter Vulnerabilities Exposure Report 2018” is available for download here. Positive Technologies previous analyzed the SS7 protocol in 2016 and the Diameter protocol in 2017.

In March 2018, ENISA (European Union Agency for Network and Information Security) published an official advisory about SS7 and Diameter vulnerabilities in modern 4G networks.

Last week, a team of academics disclosed a set of vulnerabilities in 4G (LTE) networks at the “data layer,” the one responsible for data transfer, and not the signal level where Diameter is located at.

Source: Newer Diameter Telephony Protocol Just As Vulnerable As SS7

Almost all Android devices released since 2012 are vulnerable to a new vulnerability named RAMpage, an international team of academics has revealed today.

The vulnerability, tracked as CVE-2018-9442, is a variation of the Rowhammer attack.

Rowhammer is a hardware bug in modern memory cards. A few years back researchers discovered that when someone would send repeated write/read requests to the same row of memory cells, the write/read operations would create an electrical field that would alter data stored on nearby memory.

In the following years, researchers discovered that Rowhammer-like attacks affected personal computers, virtual machines, and Android devices. Through further researcher, they also found they could execute Rowhammer attacks via JavaScript code, GPU cards, and network packets.

RAMpage is the latest Rowhammer attack variation

The first Rowhammer attack on Android devices was named DRammer, and it could modify data on Android devices and root Android smartphones. Today, researchers expanded on that initial work.

According to a research paper published today, a team of eight academics from three universities and two private companies revealed a new Rowhammer-like attack on Android devices named RAMpage.

“RAMpage breaks the most fundamental isolation between user applications and the operating system,” researchers said. “While apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device.”

“This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents,” the research team said.

RAMpage may also impact Apple devices, PCs, and VMs

Research into the RAMpage vulnerability is still in its early stages, but the team says the attack can take over Android-based smartphones and tablets.

The researcher team also believes RAMpage may also affect Apple devices, home computers, or even cloud servers.

Source: Every Android Device Since 2012 Impacted by RAMpage Vulnerability

A little-known, Florida-based marketing firm called Exactis may be responsible for a significant amount of personal data being exposed. According to a report from Wired, the firm left 340 million individual records on a publicly accessible server that any person could have gotten ahold of.

The leak was discovered earlier this month by security researcher Vinny Troia, founder of the New York-based security firm Night Lion Security. He reported his find to the FBI and Exactis earlier this week, and while the company has since protected the data, it’s unclear just how long it sat exposed.

So just how bad is the leak? It’s pretty bad! The data stored on the server amounts to about two terabytes worth of personal information.

Troia told Wired the database from Exactis appears to have data from “pretty much every US citizen” in it, with approximately 230 million records on American adults and 110 million records on US business contacts. That falls in line with Exactis’ own claim on its website that it has data on 218 million individuals. If the leak is truly as big as estimated, it would make for one of the largest exposures of personal information in recent memory.

Those records contain a variety of data points, including phone numbers, home addresses, and email addresses connected to an individual’s name. It also included more than 400 characteristics about a person, ranging from if the person is a smoker or not, their religion, if they own any pets, if they have kids, their age, gender, etc. It also included interests like scuba diving and plus-sized apparel, per Wired.

Notably, financial information and Social Security numbers were not discovered in the database. (Don’t worry, all that information was likely already exposed by Equifax last year.) That doesn’t mean the information doesn’t have value, though. Were this data to have been accessed by a malicious actor, they could easily pair it with previous breaches to create an even more complete profile of an individual or use it to carry out social engineering attacks.

There are plenty of troubling things about the Exactis leak, not the least of which is the sheer breadth of information exposed. First, there’s the question of just where this small marketing firm based in Palm Coast, Florida got its hands on the personal interests and contact information of hundreds of millions of Americans.

Troia said he didn’t know where the data was coming from exactly, but called it “one of the most comprehensive collections” he’s ever seen. Marc Rotenberg, executive director of the nonprofit Electronic Privacy Information Center, theorized to Wired that the information may have come from a variety of sources including magazine subscriptions, credit card transaction data, and credit reports.

Then there’s the fact that no one has any idea if this massive database was accessed by anyone prior to Troia. Only Exactis would have any idea how long the server has sat unprotected, and could potentially see who accessed it. The company has not yet publicly responded to the leak and did not respond to request for comment.

Odds are, someone—a hacker or just a random person—likely stumbled across the server before Troia. The security researcher found the database while using the search tool Shodan, which allows just about anyone to scan publicly accessible, internet connected devices. Anyone with access to the same tools could have just as easily discovered the same server Troia found.

These types of leaks, where a server containing sensitive information is left unsecured, happen with surprising regularity. A conservative data firm accidentally leaked information on more than 200 million Americans last year. 12,000 social media influencers had their information exposed in a similar mishap, as did US military veterans and government contractors. All of this goes to show that companies in the business of collecting data aren’t in the business of protecting it.

Source: Personal Information of 340 Million People and Businesses Leaked By Florida Marketing Firm

The home WiFi network is a sacred place; your own local neighborhood of cyberspace. There we connect our phones, laptops, and “smart” devices to each other and to the Internet and in turn we improve our lives, or so we are told. By the late twenty teens, our local networks have become populated by a growing number of devices. From 📺 smart TVs and media players to 🗣 home assistants, 📹 security cameras, refrigerators, 🔒 door locks and🌡thermostats, our home networks are a haven for trusted personal and domestic devices.

Many of these devices offer limited or non-existent authentication to access and control their services. They inherently trust other machines on the network in the same way that you would inherently trust someone you’ve allowed into your home. They use protocols like Universal Plug and Play (UPnP) and HTTP to communicate freely between one another but are inherently protected from inbound connections from the Internet by means of their router’s firewall 🚫. They operate in a sort of walled garden, safe from external threat. Or so their developers probably thought.

Source: Attacking Private Networks from the Internet with DNS Rebinding

This is a good explanation of the attack including some POCs and test links

How your ethereum can be stolen through DNS rebinding

http://rebind.network/rebind/index.html

One of the vendors for which we found vulnerable devices was Axis Communications. Our team discovered a critical chain of vulnerabilities in Axis security cameras. The vulnerabilities allow an adversary that obtained the camera’s IP address to remotely take over the cameras (via LAN or internet). In total, VDOO has responsibly disclosed seven vulnerabilities to Axis security team.

The vulnerabilities’ IDs in Mitre are: CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663 and CVE-2018-10664.

Chaining three of the reported vulnerabilities together, allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera. An attacker with such control could do the following:

• Access to camera’s video stream
• Freeze the camera’s video stream
• Control the camera – move the lens to a desired point, turn motion detection on/off
• Add the camera to a botnet
• Alter the camera’s software
• Use the camera as an infiltration point for network (performing lateral movement)
• Render the camera useless
• Use the camera to perform other nefarious tasks (DDoS attacks, Bitcoin mining, others)

The vulnerable products include 390 models of Axis IP Cameras. The full list of affected products can be found here. Axis uses the ACV-128401 identifier for relating to the issues we discovered.

To the best of our knowledge, these vulnerabilities were not exploited in the field, and therefore, did not lead to any concrete privacy violation or security threat to Axis’s customers.

We strongly recommend Axis customers who did not update their camera’s firmware to do so immediately or mitigate the risks in alternative ways. See instructions in FAQ section below.

We also recommend that other camera vendors follow our recommendations at the end of this report to avoid and mitigate similar threats.

Source: VDOO Discovers Significant Vulnerabilities in Axis Cameras – VDOO

For the fourth time in as many months, Cisco has removed hardcoded credentials that were left inside one of its products, which an attacker could have exploited to gain access to devices and inherently to customer networks.

This time around, the hardcoded password was found in Cisco’s Wide Area Application Services (WAAS), which is a software package that runs on Cisco hardware that can optimize WAN traffic management.

Harcoded SNMP community string

This backdoor mechanism (CVE-2018-0329) was in the form of a hardcoded, read-only SNMP community string in the configuration file of the SNMP daemon.

[…]

The string came to light by accident, while security researcher Aaron Blair from RIoT Solutions was researching another WaaS vulnerability (CVE-2018-0352).

This second vulnerability was a privilege escalation in the WaaS disk check tool that allowed Blair to elevate his account’s access level from “admin” to “root.” Normally, Cisco users are permitted only admin access. The root user level grants access to the underlying OS files and is typically reserved only for Cisco engineers.

By using his newly granted root-level access, Blair says he was able to spot the hidden SNMP community string inside the /etc/snmp/snmpd.conf file.

“This string can not be discovered or disabled without access to the root filesystem, which regular administrative users do not have under normal circumstances,” Blair says.

Source: Cisco Removes Backdoor Account, Fourth in the Last Four Months

German researchers reckon they have devised a method to thwart the security mechanisms AMD’s Epyc server chips use to automatically encrypt virtual machines in memory.

So much so, they said they can exfiltrate plaintext data from an encrypted guest via a hijacked hypervisor and simple HTTP or HTTPS requests.

[…]

a technique dubbed SEVered can, it is claimed, be used by a rogue host-level administrator, or malware within a hypervisor, or similar, to bypass SEV protections and copy information out of a customer or user’s virtual machine.

The problem, said Fraunhofer AISEC researchers Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel, is that miscreants at the host level can alter a guest’s physical memory mappings, using standard page tables, bypassing the SEV’s protection mechanism. Here’s the team’s outline of the attack:

With SEVered, we demonstrate that it is nevertheless possible for a malicious HV [hypervisor] to extract all memory of an SEV-encrypted VM [virtual machine] in plaintext. We base SEVered on the observation that the page-wise encryption of main memory lacks integrity protection.

While the VM’s Guest Virtual Address (GVA) to Guest Physical Address (GPA) translation is controlled by the VM itself and opaque to the HV, the HV remains responsible for the Second Level Address Translation (SLAT), meaning that it maintains the VM’s GPA to Host Physical Address (HPA) mapping in main memory. This enables us to change the memory layout of the VM in the HV. We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside.

This is not the first time eggheads have uncovered shortcomings in SEV’s ability to lock down VMs: previous studies have examined how the memory management system can be exploited by hackers to poke inside encrypted guests. Fraunhofer AISEC’s study, emitted on Thursday this week, takes this a step further, demonstrating that, indeed, the entire memory contents of a virtual machine could be pulled by a hypervisor even when SEV is active.

To show this, the researchers set up a test system powered by an AMD Epyc 7251 processor with SEV enabled and Debian GNU/Linux installed, running the Apache web server in a virtual machine. They then modified the system’s KVM hypervisor to observe when software within the guest accessed physical RAM.

By firing lots of HTML page requests at the Apache service, the hypervisor can see which pages of physical memory are being used to hold the file. It then switches the page mappings so that an encrypted memory page used by Apache to send the requested webpage sends a memory page from another part of the guest – a page that is automatically decrypted.

That means Apache leaks data from within the protected guest. Over time, the team was able to lift a full 2GB of memory from the targeted VM.

“Our evaluation shows that SEVered is feasible in practice and that it can be used to extract the entire memory from a SEV-protected VM within reasonable time,” the researchers wrote. “The results specifically show that critical aspects, such as noise during the identification and the resource stickiness are managed well by SEVered.”

Source: Epyc fail? We can defeat AMD’s virtual machine encryption, say boffins • The Register

Barely a year after South Africa’s largest data leak was revealed in 2017, the country has suffered yet another data leak as 934,000 personal records of South Africans have been leaked publicly online. The data includes, among others, national identity numbers (ID numbers), e-mail addresses, full names, as well as plain text passwords to what appears to be a traffic fines related online system.

Working together with Troy Hunt, an Australian Security consultant and founder of haveibeenpwned, along with an anonymous source that has been communicating with iAfrikan and Hunt, we’ve managed to establish that the data was backed up or posted publicly by one of the companies responsible for traffic fines online payments in South Africa.

[…]

They further added that the database which contains just under 1 million personal records, was discovered on a public web server that belongs to a company that handles electronic traffic fine payments in South Africa. iAfrikan was able to view the publicly available database and, just like the 2017 data leak of 60 million personal records of South Africans, it appears to be a possible case of negligence and carelessness when handle citizens data directory listing/browsing were enabled on the directory where their “backups” were saved.

Source: Over 900,000 personal records of South Africans leaked online

Intel is finally confirming that its computer processors are vulnerable to an additional variant of Spectre, the nasty security vulnerability that affects nearly every CPU currently in devices and in the marketplace.

German computing magazine C’t first reported the additional flaws, which can be exploited in a browser setting using a runtime (think Javascript), on May 3. When we reached out to CPU makers, including Intel and AMD, at that time they declined to comment. Instead they made lose allusions to an embargo—which is when companies (as well as security researchers and often journalists) withhold information until an agreed upon time.

But that didn’t stop Germany from taking the newly reported threats seriously. Last week, the country’s Federal Office for Information Security (BSI) asked that the makers of the affected CPUs fix the flaws as soon as possible and issued a warning to consumers in defiance of the embargo.

Gizmodo was not privy to this embargo or the details within it. However, now Intel is confirming C’t’s report. In a blog post Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel, confirmed that additional vulnerabilities did exist.

The vulnerabilities appear to be of the Spectre variety, which takes advantage of speculative computing—a computing practice used by almost all modern microprocessors. Called Variant 4, this new exploit can be used in a browser. Thankfully all major browser makers, including Chrome and Firefox should be patched for the vulnerability. So make sure you’re browser is up to date and stays up to date.

A patch for the vulnerability is expected to be released by most major computer makers in the coming weeks and a beta of the patch has already been released to those manufacturers.

Source: Processor Makers Confirm New Security Flaws, So Update Your Shit Now

Cisco’s issued 16 patches, the silliest of which is CVE-2018-0222 because it’s a hard-coded password in Switchzilla’s Digital Network Architecture (DNA) Center.

“The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software,” Cisco’s admitted.

As you’d expect, “An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands with root privileges.”

Oh great.

Cisco’s been here before, with its Aironet software. And who could forget the time Cisco set the wrong default password on UCS servers? Such good times.

The company’s also reported a critical vulnerability in the way the same product runs Kubernetes and a nasty flaw in its network function virtualization infrastructure.

Source: Seriously, Cisco? Another hard-coded password? Sheesh • The Register

For at least a few hours overnight, owners of Nest products were unable to access their devices via the Nest app or web browsers, according to Nest Support on Twitter. Other devices like Nest Secure and Nest x Yale Locks behaved erratically. The as of yet unexplained issues affected the entire lineup of Nest devices, including thermostats, locks, cameras, doorbells, smoke detectors, and alarms. Importantly, the devices remained (mostly) operational, they just weren’t accessible by any means other than physical controls. You know, just like the plain old dumb devices these more expensive and more cumbersome smart devices replaced.

While not catastrophic (locks still worked, for example), it’s a reminder just how precarious life can be with internet-connected devices, especially when you go all-in on an ecosystem. As of 12:30AM ET, Nest says it’s working to bring all devices back online and restoring full arm / disarm and lock / unlock functionality to Nest Secure and Nest x Yale Locks.

Source: Entire Nest ecosystem of smart home devices goes offline  – The Verge

The dangers of centralised cloud based services

On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the techniques, tactics, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, which include the configuration files of networked devices.

NCCIC encourages organizations to use the detection and prevention guidelines outlined in this Alert to help defend against this activity. For instance, administrators should inspect the presence of protocol 47 traffic flowing to or from unexpected addresses, or unexplained presence of GRE tunnel creation, modification, or destruction in log files.

[…]

Legacy Protocols and Poor Security Practice

Russian cyber actors leverage a number of legacy or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses to

• identify vulnerable devices;
• extract device configurations;
• map internal network architectures;
• harvest login credentials;
• masquerade as privileged users;
• modify
  • device firmware,
  • operating systems,
  • configurations; and
• copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure.

Additionally, Russian cyber actors could potentially modify or deny traffic traversing through the router.

Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices. Instead, cyber actors take advantage of the following vulnerabilities:

• devices with legacy unencrypted protocols or unauthenticated services,
• devices insufficiently hardened before installation, and
• devices no longer supported with security patches by manufacturers or vendors (end-of-life devices).

[…]

Solution

Telnet

Review network device logs and netflow data for indications of TCP Telnet-protocol traffic directed at port 23 on all network device hosts. Although Telnet may be directed at other ports (e.g., port 80, HTTP), port 23 is the primary target. Inspect any indication of Telnet sessions (or attempts). Because Telnet is an unencrypted protocol, session traffic will reveal command line interface (CLI) command sequences appropriate for the make and model of the device. CLI strings may reveal login procedures, presentation of user credentials, commands to display boot or running configuration, copying files and creation or destruction of GRE tunnels, etc. See Appendices A and B for CLI strings for Cisco and other vendors’ devices.

SNMP and TFTP

Review network device logs and netflow data for indications of UDP SNMP traffic directed at port 161/162 on all network-device hosts. Because SNMP is a management tool, any such traffic that is not from a trusted management host on an internal network should be investigated. Review the source address of SNMP traffic for indications of addresses that spoof the address space of the network. Review outbound network traffic from the network device for evidence of Internet-destined UDP TFTP traffic. Any correlation of inbound or spoofed SNMP closely followed by outbound TFTP should be cause for alarm and further inspection. See Appendix C for detection of the cyber actors’ SNMP tactics.

Because TFTP is an unencrypted protocol, session traffic will reveal strings associated with configuration data appropriate for the make and model of the device. See Appendices A and B for CLI strings for Cisco and other vendor’s devices.

SMI and TFTP

Review network device logs and netflow data for indications of TCP SMI protocol traffic directed at port 4786 of all network-device hosts. Because SMI is a management feature, any traffic that is not from a trusted management host on an internal network should be investigated. Review outbound network traffic from the network device for evidence of Internet-destined UDP TFTP traffic. Any correlation of inbound SMI closely followed by outbound TFTP should be cause for alarm and further inspection. Of note, between June 29 and July 6, 2017, Russian actors used the SMI protocol to scan for vulnerable network devices. Two Russian cyber actors controlled hosts 91.207.57.69(3) and 176.223.111.160(4), and connected to IPs on several network ranges on port 4786. See Appendix D for detection of the cyber actors’ SMI tactics.

Because TFTP is an unencrypted protocol, session traffic will reveal strings appropriate for the make and model of the device. See Appendices A and B for CLI strings for Cisco and other vendors’ devices.

Determine if SMI is present

• Examine the output of “show vstack config | inc Role”. The presence of “Role: Client (SmartInstall enabled)” indicates that Smart Install is configured.
• Examine the output of “show tcp brief all” and look for “*:4786”. The SMI feature listens on tcp/4786.
• Note: The commands above will indicate whether the feature is enabled on the device but not whether a device has been compromised.

Detect use of SMI

The following signature may be used to detect SMI usage. Flag as suspicious and investigate SMI traffic arriving from outside the network boundary. If SMI is not used inside the network, any SMI traffic arriving on an internal interface should be flagged as suspicious and investigated for the existence of an unauthorized SMI director. If SMI is used inside the network, ensure that the traffic is coming from an authorized SMI director, and not from a bogus director.

• alert tcp any any -> any 4786 (msg:”Smart Install Protocol”; flow:established,only_stream; content:”|00 00 00 01 00 00 00 01|”; offset:0; depth:8; fast_pattern;)
• See Cisco recommendations for detecting and mitigating SMI. [9]

Detect use of SIET

The following signatures detect usage of the SIET’s commands change_config, get_config, update_ios, and execute. These signatures are valid based on the SIET tool available as of early September 2017:

• alert tcp any any -> any 4786 (msg:”SmartInstallExploitationTool_UpdateIos_And_Execute”; flow:established; content:”|00 00 00 01 00 00 00 01 00 00 00 02 00 00 01 c4|”; offset:0; depth:16; fast_pattern; content:”://”;)
• alert tcp any any -> any 4786 (msg:”SmartInstallExploitationTool_ChangeConfig”; flow:established; content:”|00 00 00 01 00 00 00 01 00 00 00 03 00 00 01 28|”; offset:0; depth:16; fast_pattern; content:”://”;)
• alert tcp any any -> any 4786 (msg: “SmartInstallExploitationTool_GetConfig”; flow: established; content:”|00 00 00 01 00 00 00 01 00 00 00 08 00 00 04 08|”; offset:0; depth:16; fast_pattern; content:”copy|20|”;)

In general, exploitation attempts with the SIET tool will likely arrive from outside the network boundary. However, before attempting to tune or limit the range of these signatures, i.e. with $EXTERNAL_NET or $HOME_NET, it is recommended that they be deployed with the source and destination address ranges set to “any”. This will allow the possibility of detection of an attack from an unanticipated source, and may allow for coverage of devices outside of the normal scope of what may be defined as the $HOME_NET.

GRE Tunneling

Inspect the presence of protocol 47 traffic flowing to or from unexpected addresses, or unexplained presence of GRE tunnel creation, modification, or destruction in log files.

Mitigation Strategies

There is a significant amount of publically available cybersecurity guidance and best practices from DHS, allied government, vendors, and the private-sector cybersecurity community on mitigation strategies for the exploitation vectors described above. The following are additional mitigations for network device manufacturers, ISPs, and owners or operators.

General Mitigations

All

• Do not allow unencrypted (i.e., plaintext) management protocols (e.g. Telnet) to enter an organization from the Internet. When encrypted protocols such as SSH, HTTPS, or TLS are not possible, management activities from outside the organization should be done through an encrypted Virtual Private Network (VPN) where both ends are mutually authenticated.
• Do not allow Internet access to the management interface of any network device. The best practice is to block Internet-sourced access to the device management interface and restrict device management to an internal trusted and whitelisted host or LAN. If access to the management interface cannot be restricted to an internal trusted network, restrict remote management access via encrypted VPN capability where both ends are mutually authenticated. Whitelist the network or host from which the VPN connection is allowed, and deny all others.
• Disable legacy unencrypted protocols such as Telnet and SNMPv1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMPv3. Harden the encrypted protocols based on current best security practice. DHS strongly advises owners and operators to retire and replace legacy devices that cannot be configured to use SNMP V3.
• Immediately change default passwords and enforce a strong password policy. Do not reuse the same password across multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication, and implement two-factor authentication based on public-private keys. See NCCIC/US-CERT TA13-175A – Risks of Default Passwords on the Internet, last revised October 7, 2016.

Manufacturers

• Do not design products to support legacy or unencrypted protocols. If this is not possible, deliver the products with these legacy or unencrypted protocols disabled by default, and require the customer to enable the protocols after accepting an interactive risk warning. Additionally, restrict these protocols to accept connections only from private addresses (i.e., RFC 1918).
• Do not design products with unauthenticated services. If this is not possible, deliver the products with these unauthenticated services disabled by default, and require the customer to enable the services after accepting an interactive risk warning. Additionally, these unauthenticated services should be restricted to accept connections only from private address space (i.e., RFC 1918).
• Design installation procedures or scripts so that the customer is required to change all default passwords. Encourage the use of authentication services that do not depend on passwords, such as RSA-based Public Key Infrastructure (PKI) keys.
• Because YARA has become a security-industry standard way of describing rules for detecting malicious code on hosts, consider embedding YARA or a YARA-like capability to ingest and use YARA rules on routers, switches, and other network devices.

Security Vendors

• Produce and publish YARA rules for malware discovered on network devices.

ISPs

• Do not field equipment in the network core or to customer premises with legacy, unencrypted, or unauthenticated protocols and services. When purchasing equipment from vendors, include this requirement in purchase agreements.
• Disable legacy, unencrypted, or unauthenticated protocols and services. Use modern encrypted management protocols such as SSH. Harden the encrypted protocols based on current best security practices from the vendor.
• Initiate a plan to upgrade fielded equipment no longer supported by the vendor with software updates and security patches. The best practice is to field only supported equipment and replace legacy equipment prior to it falling into an unsupported state.
• Apply software updates and security patches to fielded equipment. When that is not possible, notify customers about software updates and security patches and provide timely instructions on how to apply them.

Owners or operators

• Specify in contracts that the ISP providing service will only field currently supported network equipment and will replace equipment when it falls into an unsupported state.
• Specify in contracts that the ISP will regularly apply software updates and security patches to fielded network equipment or will notify and provide the customers the ability to apply them.
• Block TFTP from leaving the organization destined for Internet-based hosts. Network devices should be configured to send configuration data to a secured host on a trusted segment of the internal management LAN.
• Verify that the firmware and OS on each network device are from a trusted source and issued by the manufacturer. To validate the integrity of network devices, refer to the vendor’s guidance, tools, and processes. See Cisco’s Security Center for guidance to validate Cisco IOS firmware images.
• Cisco IOS runs in a variety of network devices under other labels, such as Linksys and SOHO Internet Gateway routers or firewalls as part of an Internet package by ISPs (e.g., Comcast). The indicators in Appendix A may be applicable to your device.

Detailed Mitigations

Refer to the vendor-specific guidance for the make and model of network device in operation.

For information on mitigating SNMP vulnerabilities, see

• NCCIC/US-CERT Alert TA17-156A – Reducing the Risk of SNMP Abuse, June 5, 2017, and
• NCCIC/US-CERT Alert TA16-250A – The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations, September 6, 2016 Updated September 28, 2016.

How to Mitigate SMI Abuse

• Configure network devices before installing onto a network exposed to the Internet. If SMI must be used during installation, disable SMI with the “no vstack” command before placing the device into operation.
• Prohibit remote devices attempting to cross a network boundary over TCP port 4786 via SMI.
• Prohibit outbound network traffic to external devices over UDP port 69 via TFTP.
• See Cisco recommendations for detecting and mitigating SMI. [10]
• Cisco IOS runs in a variety of network devices under other labels, such as Linksys and SOHO Internet Gateway routers or firewalls as part of an Internet package by ISPs (e.g., Comcast). Check with your ISP and ensure that they have disabled SMI before or at the time of installation, or obtain instructions on how to disable it.

How to Mitigate GRE Tunneling Abuse:

• Verify that all routing tables configured in each border device are set to communicate with known and trusted infrastructure.
• Verify that any GRE tunnels established from border routers are legitimate and are configured to terminate at trusted endpoints.

 

Source: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices | US-CERT

Careem, a ride-hail startup based in Dubai and operating in 14 countries, announced today that hackers stole data belonging to 14 million riders and drivers.

The company discovered the breach on January 14 but waited to notify its customers because the investigation was ongoing. “Cybercrime investigations are immensely complicated and take time. We wanted to make sure we had the most accurate information before notifying people,” Careem said in a statement, noting it worked with cybersecurity experts and law enforcement to investigate the breach.

The stolen data includes customer names, email addresses, phone numbers, and trip history. Careem said that it discovered no evidence that passwords or credit card information had been breached.

However, the company is recommending that its users change their passwords anyway, especially if they used their Careem password on other websites. Careem also warned its users to watch their bank statements for signs of fraud or suspicious activity.

Source: Hackers Steal Data on 14 Million Users From Ride-Hail App Careem

The Disaster Formerly Known as Yahoo! has been fined $35m by US financial watchdog, the SEC, for failing to tell anyone about one of the world’s largest ever computer security breaches.

Now known as Altaba following its long, slow and painful descent in irrelevance, Yahoo! knew that its entire user database – including billions of usernames, email addresses, phone numbers, birthdates, passwords, security questions – had been grabbed by Russian hackers back in December 2014 – just days after the break-in occurred.

Security staff informed senior Yahoo! management and its legal department, who then demonstrated the same kind of business and strategic nous that saw the company fold into itself when they decided to, um, not tell anyone.

It wasn’t until two years later when telco giant Verizon said it wanted to buy the troubled company that Yahoo! finally revealed the massive breach.

The SEC is, understandably, not overly impressed. “Yahoo! failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors,” it said Tuesday, before the co-director of its enforcement division, Steven Peikin, gave what amounts to a vicious burn in the regulatory world.

“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” said Peikin. “But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”

Another SEC staffer – director of its San Francisco office, Jina Choi, also piled in, noting that: “Yahoo!’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”

So, about that…

Yahoo! should have let investors know about the massive breach in its quarterly and annual reports because of the huge business and legal implications to its business, the SEC said.

But it didn’t of course – probably because it was already desperate to get someone to buy it following years of abortive efforts by CEO Marissa Meyer to turnaround what was once the internet’s poster child.

The SEC also found that Yahoo! did not share information on the breach with either auditors or its outside lawyers. The Canadian who helped the Russians gain access to the data faces eight years in jail.

Source: Yahoo! fined! $35m! for! covering! up! massive! IT! security! screwup! • The Register

Police forces and federal agencies around the country have bought relatively cheap tools to unlock up-to-date iPhones and bypass their encryption, according to a Motherboard investigation based on several caches of internal agency documents, online records, and conversations with law enforcement officials. Many of the documents were obtained by Motherboard using public records requests.

 

The news highlights the going dark debate, in which law enforcement officials say they cannot access evidence against criminals. But easy access to iPhone hacking tools also hamstrings the FBI’s argument for introducing backdoors into consumer devices so authorities can more readily access their contents.

“It demonstrates that even state and local police do have access to this data in many situations,” Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, told Motherboard in a Twitter message. “This seems to contradict what the FBI is saying about their inability to access these phones.”

As part of the investigation, Motherboard found:

• Regional police forces, such as the Maryland State Police and Indiana State Police, are procuring a technology called ‘GrayKey’ which can break into iPhones, including the iPhone X running the latest operating system iOS 11.
• Local police forces, including Miami-Dade County Police, have also indicated that they may have bought the equipment.
• Other forces, including the Indianapolis Metropolitan Police Department, have seemingly not bought GrayKey, but have received quotations from the company selling the technology, called Grayshift.
• Emails show the Secret Service is planning to buy at least half a dozen GrayKey boxes to unlock iPhones.
• The State Department has already bought the technology, and the Drug Enforcement Administration is interested in doing so.
• The FBI is also looking to buy GrayKey, according to online procurement records.

[…]

The GrayKey itself is a small, 4×4 inches box with two lightning cables for connecting iPhones, according to photographs published by cybersecurity firm Malwarebytes. The device comes in two versions: a $15,000 one which requires online connectivity and allows 300 unlocks (or $50 per phone), and and an offline, $30,000 version which can crack as many iPhones as the customer wants. Marketing material seen by Forbes says GrayKey can unlock devices running iterations of Apple’s latest mobile operating system iOS 11, including on the iPhone X, Apple’s most recent phone.

The issue GrayKey overcomes is that iPhones encrypt user data by default. Those in physical possession normally cannot access the phone’s data, such as contact list, saved messages, or photos, without first unlocking the phone with a passcode or fingerprint. Malwarebytes’ post says GrayKey can unlock an iPhone in around two hours, or three days or longer for 6 digit passcodes.

Source: Cops Around the Country Can Now Unlock iPhones, Records Show – Motherboard

If you want your computer to be really secure, disconnect its power cable.

So says Mordechai Guri and his team of side-channel sleuths at the Ben-Gurion University of the Negev.

The crew have penned a paper titled PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines that explains how attackers could install malware that regulates CPU utilisation and creates fluctuations in the current flow that could modulate and encode data. The variations would be “propagated through the power lines” to the outside world.

Put the receiver near the user for highest speed, behind the panel for greatest secrecy

Depending on the attacker’s approach, data could be exfiltrated at between 10 and 1,000 bits-per-second. The higher speed would work if attackers can get at the cable connected to the computer’s power supply. The slower speed works if attackers can only access a building’s electrical services panel.

The PowerHammer malware spikes the CPU utilisation by choosing cores that aren’t currently in use by user operations (to make it less noticeable).

Guri and his pals use frequency shift keying to encode data onto the line.

After that, it’s pretty simple, because all the attacker needs is to decide where to put the receiver current clamp: near the target machine if you can get away with it, behind the switchboard if you have to.

Source: Data exfiltrators send info over PCs’ power supply cables • The Register

Under Armour Inc., joining a growing list of corporate victims of hacker attacks, said about 150 million user accounts tied to its MyFitnessPal nutrition-tracking app were breached earlier this year.

An unauthorized party stole data from the accounts in late February, Under Armour said on Thursday. It became aware of the breach earlier this week and took steps to alert users about the incident, the company said.

Shares of Under Armour fell as much as 4.6 percent to $15.59 in late trading following the announcement. The stock had been up 13 percent this year through Thursday’s close.

The data didn’t include payment-card information or government-issued identifiers, including Social Security numbers and driver’s license numbers. Still, user names, email addresses and password data were taken. And the sheer scope of the attack — affecting a user base that’s bigger than the population of Japan — would make it one of the larger breaches on record.

Source: Under Armour Data Breach: 150 Million MyFitnessPal Accounts Hacked | Fortune

Hackers have moved away from simple point-of-sale (POS) terminal attacks to more refined assaults on corporations’ head offices.

An annual report from security firm Trustwave out today highlighted increased sophistication of web app hacking and social engineering tactics on the part of miscreants.

Half of the incidents investigated involved corporate and internal networks (up from 43 per cent in 2016) followed by e-commerce environments at 30 per cent. Incidents affecting POS systems decreased by more than a third to 20 per cent of the total. This is reflective of increased attack sophistication, honing in on larger service providers and franchise head offices and less on smaller high-volume targets in previous years.

In corporate network environments, phishing and social engineering at 55 per cent was the leading method of compromise followed by malicious insiders at 13 per cent and remote access at 9 per cent. “CEO fraud”, a social engineering scam encouraging executives to authorise fraudulent money transactions, continues to increase, Trustwave added.

Targeted web attacks are becoming prevalent and much more sophisticated. Many breach incidents show signs of careful planning by cybercriminals probing for weak packages and tools to exploit. Cross-site scripting (XSS) was involved in 40 per cent of attack attempts, followed by SQL Injection (SQLi) at 24 per cent, Path Traversal at 7 per cent, Local File Inclusion (LFI) at 4 per cent, and Distributed Denial of Service (DDoS) at 3 per cent.

Last year also witnessed a marked increase, up 9.5 per cent, in compromises at businesses that deliver IT services including web-hosting providers, POS integrators and help-desk providers. A breach of just one provider opens the gates to a multitude of new targets. In 2016 service provider compromises did not even register in the statistics.

Although down from the previous year, payment card data at 40 per cent still reigns supreme in terms of data types targeted in a breach. Surprisingly, incidents targeting hard cash was on the rise at 11 per cent mostly due to fraudulent ATM transaction breaches enabled by compromise of account management systems at financial institutions.

North America still led in data breaches investigated by Trustwave at 43 per cent followed by the Asia Pacific region at 30 per cent, Europe, Middle East and Africa (EMEA) at 23 per cent and Latin America at 4 per cent. The retail sector suffered the most breach incidences at 16.7 per cent followed by the finance and insurance industry at 13.1 per cent and hospitality at 11.9 per cent.

Trustwave gathered and analysed real-world data from hundreds of breach investigations the company conducted in 2017 across 21 countries. This data was added to billions of security and compliance events logged each day across the global network of Trustwave operations centres, along with data from tens of millions of network vulnerability scans, thousands of web application security scans, tens of millions of web transactions, penetration tests and more.

All the web applications tested displayed at least one vulnerability with 11 as the median number detected per application. The majority (85.9 per cent) of web application vulnerabilities involved session management allowing an attacker to eavesdrop on a user session to seize sensitive information.

Source: Gosh, these ‘hacker’ nerds are only getting more sophisticated • The Register

A customer was questioning if rumors that T-Mobile Austria was storing customer passwords in plain text, leaving the credentials like sitting ducks for hackers. Whoever was manning T-Mobile Austria’s Twitter account confirmed that this was the case, but that there was no need to worry because “our security is amazingly good.”

Hello Claudia! The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login for https://t.co/vJapgJ50qc ^andrea

— T-Mobile Austria (@tmobileat) April 4, 2018

@Korni22 What if this doesn’t happen because our security is amazingly good? ^Käthe

— T-Mobile Austria (@tmobileat) April 6, 2018

That line is going to bite T-Mobile Austria in the backside, if or when they next get hacked. To be fair, it’s late at night in Europe and the Twitter account was probably being handled by an overworked social media worker, but it’s not a good look. Especially when people started digging further and found various security shortcomings. The whole thread is a mind job.

But that doesn’t excuse the plain-text password storage.

Source: T-Mobile Austria stores passwords as plain text, Outlook gets message crypto, and more • The Register

Intel has made much of its NUC and Compute Stick mini-PCs as a way to place computers to out-of-the-way places like digital signage.

Such locations aren’t the kind of spots where keyboards and pointing devices can be found, so Intel sweetened the deal by giving the world an Android and iOS app called the “Intel Remote Keyboard” to let you mimic a keyboard and mouse from afar.

But now Chipzilla’s canned the app.

The reason is three nasty bugs that let attackers “inject keystrokes as a local user”, “inject keystrokes into another remote keyboard session” and “execute arbitrary code as a privileged user.” The bugs are CVE-2018-3641, CVE-2018-3645 and CVE-2018-3638 respectively.

Rather than patch the app, Intel’s killed it and “recommends that users of the Intel® Remote Keyboard uninstall it at their earliest convenience.”

The app’s already gone from the Play and App Stores (but Google’s cached pages about it for Android and iOS in case you fancy a look).

The Android version of the app’s been downloaded at least 500,000 times, so this is going to inconvenience plenty of people … at least until they get RDP working on Windows boxes and VNC running under Linux. The greater impact may be on Intel’s reputation for security, which has already taken a belting thanks to the Meltdown/Spectre mess.

Source: NUC, NUC! Who’s there? Intel, warning you to kill a buggy keyboard app • The Register

It seems as if last year’s data breaches were characterized by increased regularity, yet somehow, according to the latest research from IBM Security, fewer records were actually exposed.

The year saw a 25 percent dip in exposed records—2.5 billion down from 4 billion the previous year—according to IBM’s latest X-Force report. The cause: Cybercriminals have largely turned their focus to launching ransomware attacks that encrypt data locally.

“Last year, there was a clear focus by criminals to lock or delete data, not just steal it, through ransomware attacks,” said Wendi Whitmore, global lead at IBM X-Force Incident Response and Intelligence Services (IRIS).

Notwithstanding, 2017 also saw an unprecedented 424 percent increase in breaches caused by misconfigured cloud storage devices, which the researchers attributed mostly to human error. More often now, configuration mistakes by careless employees are doing hackers’ work for them.

Of the records tracked by IBM, nearly 70 percent were leaked due to the inadvertent activities of owners, reflecting a “growing awareness among cybercriminals of the existence of misconfigured cloud servers.”

Additionally, researchers found that roughly a third of all security incidents caused by “inadvertent activity” were driven by phishing attacks. The bulk of the attacks are not highly targeted, but launched en mass as spam. Over one four-day period, IBM reports, criminals sent 22 million emails using the infamous Necurs botnet, the largest purveyor internet botnet spam worldwide.

According to IBM, financial services, formerly the most targeted industry, has fallen to third place, behind IT & communications and manufacturing, which, respectively, absorbed 33 percent and 18 percent of attacks observed by the researchers.

Source: Rise in Ransomware Attacks Actually Led to Fewer Exposed Records, IBM Discovers

Security researchers have uncovered 1.5 billion business and consumer files exposed online – just a month before Europe’s General Data Protection Regulation comes into force.

During the first three months of 2018, threat intel firm Digital Shadows detected 1,550,447,111 publicly available files across open Amazon Simple Storage Service (S3) buckets, rsync, Server Message Block (SMB), File Transfer Protocol (FTP) servers, misconfigured websites, and Network Attached Storage (NAS) drives.

This included documents spanning payroll data, tax returns, medical records, credit cards and intellectual property. A staggering 64,176,425 files came from the UK alone.

The trove amounts to more than 12PB (12,000TB) of exposed data – more than 4,000 times larger than the Panama Papers leak, which weighed in at a measly 2.6TB.

The most common data exposed was payroll and tax return files, which accounted for 700,000 and 60,000 files respectively. However, consumers were also at risk from 14,687 instances of leaked contact information and 4,548 patient lists. A large volume of point-of-sale terminal data – transactions, times, places, and even some credit card details – was publicly available.

Although misconfigured Amazon S3 buckets have hogged headlines recently, in this study (registration required) cloud system leaks accounted for only 7 per cent of exposed data. Instead it is older, yet still widely used, technologies – such as SMB (33 per cent), rsync (28 per cent) and FTP (26 per cent) – which have contributed the most.

Business-critical information also leaked. For example, a patent summary for renewable energy in a document marked as “strictly confidential” was discovered. Another case included a document containing proprietary source code submitted as part of a copyright application. This file included the code that outlined the design and workflow of a site providing software Electronic Medical Records, as well as details about the copyright application.

Third parties and contractors were identified as one of the most common sources of sensitive data exposure. The leaked information included security assessment and penetration tests. In addition, Digital Shadows identified consumer backup devices that were misconfigured to be internet-facing and inadvertently making private information public.

Source: 1.5 BEEELLION sensitive files found exposed online dwarf Panama Papers leak • The Register