
Sunday, November 27, 2016

Air Gapped Systems (Part 3) - DiskFiltration

The past two posts were about extracting data from, or compromising, air-gapped systems: via USB flash drive, as with Stuxnet, and through the acoustic noise generated by the machine's processor and cooling fans (Fansmitter). This post covers DiskFiltration, in which researchers at Israel's Ben Gurion University exfiltrate data using the noise emitted by the machine's hard disk drive.

The attack does require malware to be installed on the target. The malware generates acoustic emissions at specific frequencies by controlling the movements of the HDD's actuator arm, and the resulting noise is picked up by a nearby receiver such as a smartwatch, laptop, or smartphone. It does not require speakers or any other audio hardware on the target. The attack is effective at a range of about six feet, with a transfer rate of 180 bits per minute.

Countermeasures:

Hardware
  • SSD (no actuator arm, so there is no seek noise to modulate)
  • Quiet HDD
  • Dampening cases
  • Noise detectors
  • Jammers
Software
  • HIDS/HIPS
  • Automatic Acoustic Management (AAM), which reduces seek noise on drives that support it
Procedural
  • Zone separation



Saturday, August 27, 2016

Air Gapped Systems (Part 2) - Fansmitter

In May 2016, I wrote about air-gapped systems infected via USB flash drive. This post is a follow-up on the technique dubbed Fansmitter. In late June 2016, it was divulged that a team of researchers at Israel's Ben Gurion University had developed malware that extracts data from an isolated computer through the acoustic noise generated by the machine's processor and cooling fans. Data extraction had previously been demonstrated using ultrasonic waves from a machine's speakers; this method instead works by controlling the speed of the machine's fans and listening to the resulting whine (Kopstein, 2016). The captured signal can be decoded to extract usernames, passwords, and full encryption keys.

For this type of attack to succeed, there are a few prerequisites: the target computer has to be compromised first, for instance via removable media as with Stuxnet; the malware configures the computer's fan to act as a transmitter; and a receiver such as a smartphone must be within 24 feet of the target computer (Olenick, 2016). Two fan speeds (1,000 and 1,600 RPM) represent the 1s and 0s of the code, and the receiver tracks the sequence of fan whines to recover the bits. The maximum bandwidth is about 1,200 bits an hour, which equates to about 150 alphanumeric characters per hour (Templeton, 2016). The frequency of the sound depends on the number of blades and their rate of rotation.
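The two-speed scheme above, modelled end to end as an added example (this is not the researchers' code and not from any of the cited articles). The transmitter maps each bit to one of the two fan speeds named in the post, a constructed "microphone" adds measurement jitter, and the receiver thresholds the readings and recovers the bytes. The same encoder/decoder shape covers DiskFiltration from Part 3, with two HDD seek tones in place of the two fan speeds. The preamble, the 3-second symbol time (1,200 bits per hour) and the jitter model are assumptions made for the example.

```python
"""Binary covert channel over a fan-speed carrier (Fansmitter-style).
Added example; the constants below come from the post, the preamble,
symbol time and noise model are assumptions."""
import random

LOW_RPM, HIGH_RPM = 1000, 1600        # the two fan speeds named in the post
SECONDS_PER_BIT = 3.0                 # assumed: 3,600 s / 1,200 bits per hour
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]   # assumed sync pattern so the receiver finds the frame start


def bits_from_bytes(data: bytes) -> list[int]:
    """Most-significant bit first, eight bits per byte."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bytes_from_bits(bits: list[int]) -> bytes:
    """Inverse of bits_from_bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def modulate(data: bytes) -> list[int]:
    """Transmitter: one target RPM per bit, preamble first."""
    return [HIGH_RPM if b else LOW_RPM for b in PREAMBLE + bits_from_bytes(data)]


def observe(targets: list[int], idle_symbols: int = 5, jitter: float = 120.0,
            seed: int = 1) -> list[float]:
    """Constructed microphone readings: some idle time at the low speed before
    the transmission, then each target speed with +/- jitter RPM of noise."""
    rng = random.Random(seed)
    idle = [LOW_RPM + rng.uniform(-jitter, jitter) for _ in range(idle_symbols)]
    return idle + [rpm + rng.uniform(-jitter, jitter) for rpm in targets]


def demodulate(readings: list[float]) -> bytes:
    """Receiver: threshold each reading at the midpoint of the two speeds,
    locate the preamble, decode whatever follows it."""
    threshold = (LOW_RPM + HIGH_RPM) / 2
    bits = [1 if r > threshold else 0 for r in readings]
    n = len(PREAMBLE)
    for start in range(len(bits) - n + 1):
        if bits[start:start + n] == PREAMBLE:
            return bytes_from_bits(bits[start + n:])
    return b""


def transfer_seconds(data: bytes) -> float:
    """Air time for a message at one symbol per bit, preamble included."""
    return (len(PREAMBLE) + 8 * len(data)) * SECONDS_PER_BIT


def bits_per_hour() -> float:
    return 3600.0 / SECONDS_PER_BIT


if __name__ == "__main__":
    secret = b"hunter2"   # constructed payload
    print(demodulate(observe(modulate(secret))), transfer_seconds(secret), "seconds")
```

With 600 RPM between the two levels and 120 RPM of jitter the threshold never mis-reads a symbol; a receiver in a noisier room would need a wider spacing or a slower symbol rate, which is exactly the tradeoff behind the low bandwidth the post reports. Seven bytes cost 192 seconds of fan noise, which is also what a HIDS looking for sustained, regular fan-speed switching by a user process would see.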



This method can also be used to leak data from other types of information technology equipment, embedded systems, and Internet of Things devices. One's first reaction might be to strengthen the physical controls with better locks, doors, frames, cameras, and guards, or to adopt policies and procedures that keep sensitive computers in restricted areas where mobile phones and other recording devices are banned. One might even implement a technical control such as generating background noise so that acoustic transmissions are drowned out, replacing fans with specialized quiet ones, or using water cooling instead (Emerging Technology, 2016).

These controls are good; however, they don't address the larger issues: the insider threat and the transmission medium of the malware. Many air-gapped systems receive data from USB drives that obtained that data from a general support system with Internet connectivity. The days of saying "It's air gapped" as a security argument are over. Theft of data is not the only issue. Air-gapped machines are often the most critical ones and more often than not run national infrastructure, so destruction, data modification, and loss of availability matter even more.

References:

Kopstein, J. (2016, June 25). Researchers Make Malware That Steals Data by Spinning Your Computer's Fans. Retrieved August 27, 2016, from http://motherboard.vice.com/read/researchers-make-malware-that-steals-data-by-spinning-your-computers-fans

Olenick, D. (2016, June 27). Fansmitter malware steals data through a computer's cooling fans. Retrieved August 27, 2016, from http://www.scmagazine.com/fansmitter-malware-steals-data-through-a-computers-cooling-fans/article/505643/

Emerging Technology. (2016, June 30). How “Fansmitter” Malware Steals Data from Air-Gapped Computers. Retrieved August 27, 2016, from https://www.technologyreview.com/s/601816/how-fansmitter-malware-steals-data-from-air-gapped-computers/

Templeton, G. (2016, June 29). Computer coughs up passwords, encryption keys through its cooling fans. ExtremeTech. Retrieved August 27, 2016, from http://www.extremetech.com/extreme/230933-computer-coughs-up-passwords-encryption-keys-through-its-cooling-fans

Monday, May 23, 2016

Air Gap Systems Infected via USB Flash Drive (Week 11)

An air-gapped device or system is one that is neither connected to the Internet nor connected to other systems that are connected to the Internet. Air gaps are generally implemented where the system or network is classified, processes credit and debit card payments, or operates industrial control systems for critical infrastructure. Traditionally, air gap means the device or network is physically isolated from the Internet and data can only pass to it via a USB flash drive, CD/DVD, other removable media, or a FireWire cable connecting two computers directly.

If I had a nickel for every time I heard, "We are secure because the system is not connected to the Internet, so there is no need to implement information system controls because physical controls are sufficient," I would be rich. In the past and still today, people and organizations believe an air gap is more secure, since it would require an attacker to have physical access to breach it. However, recent attacks involving malware that spreads via infected USB flash drives have exposed this belief as false.

One of the most famous compromises of an air-gapped system is Stuxnet, which was designed to sabotage centrifuges used at a uranium enrichment plant in Iran. More recently, evidence has shown that air-gapped systems can also be attacked through radio waves (Zetter, 2014).

I came across two different attacks on air-gapped systems over the last two months, both involving USB flash drive malware. The first is "USB Thief", also detected as Win32/PSW.Stealer.NAI, which was found by ESET. The malware consists of six files: four are executables and the other two are configuration data. Each instance of this trojan is bound to the particular USB device on which it is installed; it leaves no evidence on the compromised system and protects itself from being reproduced or copied. The malware is designed to exfiltrate data from the target system; the absence of any command-and-control server indicates a hands-on campaign, in which the device is carried in and collected in person, that is, at an insider level. Furthermore, there are indications that the USB Thief developers conducted testing to make sure the trojan worked properly under a variety of scenarios. The malware won't install itself if the target machine is running antivirus software from Kaspersky Lab or G Data (Owano, 2016). For more information, see http://arstechnica.com/security/2016/03/stealthy-malware-targeting-air-gapped-pcs-leaves-no-trace-of-infection/?utm_medium=email&utm_source=flipboard.

Second, a nuclear power plant in Germany was found to be infected with computer viruses. The viruses found included W32.Ramnit and Conficker, on systems at Gundremmingen's B unit and on 18 removable data drives. W32.Ramnit is designed to steal files from infected computers, targets Microsoft Windows, and is intended to give an attacker remote control over a system when it is connected to the Internet. Conficker has infected millions of Windows computers worldwide since 2008. It is able to spread through networks and by copying itself onto removable data drives (Steitz & Auchard, 2016).

Air-gapped devices and networks can give a false sense of security through obscurity. Obscurity is not a control, and security professionals have to methodically identify assets and determine the threats, including the vulnerabilities that can be exploited, in every device and system.

References: 

Zetter, K. (2014, December 08). Hacker Lexicon: What is an Air Gap? WIRED. Retrieved May 23, 2016, from https://www.wired.com/2014/12/hacker-lexicon-air-gap/

Owano, N. (2016, March 26). USB malware goes after air-gapped computers. Retrieved May 23, 2016, from http://techxplore.com/news/2016-03-usb-malware-air-gapped.html?utm_medium=email

Steitz, C., & Auchard, E. (2016, April 27). German nuclear plant infected with computer viruses, operator says. Retrieved May 23, 2016, from http://www.reuters.com/article/us-nuclearpower-cyber-germany-idUSKCN0XN2OS?utm_medium=email

Saturday, May 21, 2016

Physical Controls are Susceptible to Cyber Attacks (Week 10)

Information security is not complete without securing physical access to information resources. Physical break-ins into locations that contain information system components have historically been viewed as traditional property crimes, where trespass, theft, and vandalism were the motives. Physical security involves more than stopping human intruders: physical controls are more than ever reliant on computing devices and connected to information systems. This post is to bring attention to the fact that protecting an asset is more than logical security; it takes a defense-in-depth strategy that also protects the physical controls themselves, to minimize the impact of a threat.

On April 4, 2016, it was reported that a devastating vulnerability allows doors at airports and hospitals to be opened, or jammed, from remote computers over the Internet. The vulnerability affects HID's flagship VertX and Edge controllers. The attack only requires sending a few UDP packets carrying a command injection to the vulnerable LED-blinking (discovery) service, and it does not require any authentication. The command injection exists because the user-supplied input is fed to the system without any sanitization: instead of a number of times to blink the LED, a Linux command wrapped in backticks, such as `id`, gets executed by the shell on the device. Furthermore, the discovery service runs as root, so every injected command runs as root, giving the attacker complete control over the device (Pauli, 2016).
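The injection pattern described above, reduced to its essentials beside a hardened handler, as an added example: this is not HID's firmware and not code from the article. The request format "blink:<count>" is an assumption, and the program that would drive the LED on a real controller is replaced by `echo` so the example runs anywhere.

```python
"""Command injection through an unvalidated 'blink count' passed to a shell,
and the same handler written safely. Added example; request format and the
echo stand-in are assumptions."""
import re
import subprocess

LED_TOOL = "echo"   # stand-in for the controller's LED program (assumption)


def build_command_vulnerable(request: str) -> str:
    """Vulnerable pattern: the client-supplied count is pasted into a shell
    command line with no validation at all."""
    count = request.split(":", 1)[1]
    return f"{LED_TOOL} {count}"


def handle_vulnerable(request: str) -> str:
    """shell=True hands the string to /bin/sh, which expands backticks, ';'
    and '|' before LED_TOOL ever sees its argument. On the controller this
    shell runs as root, so the injected command does too."""
    result = subprocess.run(build_command_vulnerable(request), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def parse_blink_count(request: str) -> int:
    """Hardened parsing: accept only a short decimal number and bound it."""
    match = re.fullmatch(r"blink:(\d{1,3})", request)
    if match is None:
        raise ValueError(f"rejected request: {request!r}")
    count = int(match.group(1))
    if not 1 <= count <= 100:     # assumed upper bound for a blink count
        raise ValueError("count out of range")
    return count


def is_rejected(request: str) -> bool:
    try:
        parse_blink_count(request)
    except ValueError:
        return True
    return False


def handle_hardened(request: str) -> str:
    """No shell involved: argv is a list, so the argument is data, never code.
    The service should additionally run as an unprivileged user (not shown)."""
    count = parse_blink_count(request)
    result = subprocess.run([LED_TOOL, str(count)], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "blink:`echo INJECTED`"
    print("vulnerable:", handle_vulnerable(payload).strip())   # the backticks run
    print("hardened rejects it:", is_rejected(payload))
```

The fix is two independent layers: a strict allow-list on the input (a one-to-three digit number, bounded) and never letting a shell interpret the value. Either alone would have stopped the backtick payload; dropping root for the discovery service would have limited what a bypass of both could do.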

In a separate article, hackers demonstrated how to gain access to offices with cloned access cards, using components purchased from Amazon and eBay for about $700. The test was conducted against a power company. The researcher posed as a student who requested a tour, and carried a laptop capable of intercepting the unencrypted communication between an employee's access card and the RFID badge readers of the access control system that opens and closes the doors. The captured data can then be written onto a fake employee badge (Paganini, 2016).

For more information on RFID hacking tools, with videos, see
http://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/ and http://hackaday.com/2013/11/03/rfid-reader-snoops-cards-from-3-feet-away/.
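Why the cloning step in the article is trivial: what passes between a common proximity badge and the reader is a facility code and a card number in the clear. The following is an added example, not from the articles or the Bishop Fox tools; it encodes and decodes the 26-bit Wiegand format (HID H10301) that such badges carry, and re-encodes a sniffed frame as a cloner would. The sample facility code and card number are constructed.

```python
"""26-bit Wiegand (H10301) encoder/decoder. Added example. Bit numbering
follows the Wiegand convention: bit 0 is transmitted first and is the most
significant bit of the 26-bit integer used here.

  bit 0        even parity over bits 1..12
  bits 1..8    facility code (8 bits)
  bits 9..24   card number (16 bits)
  bit 25       odd parity over bits 13..24
"""


def _ones(value: int) -> int:
    return bin(value).count("1")


def encode_h10301(facility: int, card: int) -> int:
    """Return the 26-bit frame for a facility code and card number."""
    if not 0 <= facility <= 0xFF or not 0 <= card <= 0xFFFF:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    body = (facility << 16) | card                 # the 24 payload bits
    first12, last12 = body >> 12, body & 0xFFF
    even_parity = _ones(first12) & 1               # total ones in bits 0..12 becomes even
    odd_parity = 1 - (_ones(last12) & 1)           # total ones in bits 13..25 becomes odd
    return (even_parity << 25) | (body << 1) | odd_parity


def decode_h10301(frame: int) -> tuple[int, int]:
    """Split a 26-bit frame into (facility, card); reject bad parity."""
    if frame < 0 or frame >> 26:
        raise ValueError("expected a 26-bit frame")
    even_parity, body, odd_parity = (frame >> 25) & 1, (frame >> 1) & 0xFFFFFF, frame & 1
    first12, last12 = body >> 12, body & 0xFFF
    if (_ones(first12) + even_parity) % 2 != 0:
        raise ValueError("even parity check failed")
    if (_ones(last12) + odd_parity) % 2 != 1:
        raise ValueError("odd parity check failed")
    return body >> 16, body & 0xFFFF


def frame_to_bits(frame: int) -> str:
    """The frame as the 26-character 0/1 string a sniffer log would show."""
    return format(frame, "026b")


def bits_to_frame(bits: str) -> int:
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    return int(bits, 2)


def clone_from_sniff(bits: str) -> str:
    """The cloning step: parse the captured frame, re-encode it for a blank.
    For a valid capture the output equals the input, which is the point:
    nothing on the card changes between reads and nothing on it is secret."""
    facility, card = decode_h10301(bits_to_frame(bits))
    return frame_to_bits(encode_h10301(facility, card))


if __name__ == "__main__":
    sniffed = frame_to_bits(encode_h10301(123, 45678))   # constructed capture
    print(sniffed, decode_h10301(bits_to_frame(sniffed)), clone_from_sniff(sniffed) == sniffed)
```

The only integrity check in the format is two parity bits, and they protect against read errors, not against an attacker who can compute them. That is why the defensive answer is not a longer card number but a credential that authenticates (a challenge-response smart card) plus reader-to-controller links that are not plain Wiegand.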

References:

Pauli, D. (2016, April 4). 'Devastating' bug pops secure doors at airports, hospitals. Retrieved May 21, 2016, from http://www.theregister.co.uk/2016/04/04/devastating_bug_pops_secure_doors_at_airports_hospitals/?utm_medium=email

Paganini, P. (2016). Hackers can break into a facility by spending $700 on Amazon or eBay. Retrieved May 21, 2016, from http://securityaffairs.co/wordpress/47125/hacking/rfid-access-card-hack.html?utm_medium=email

Friday, May 13, 2016

Bangladesh Heist - Programmatic Issues (Week 9)

The Bangladesh Bank heist is one of the largest thefts from a bank at one time in history: $81 million. In February 2016, the attacker(s) obtained credentials and then initiated dozens of requests to the Federal Reserve Bank of New York to move money from Bangladesh Bank's account to accounts in the Philippines and Sri Lanka. The remaining transactions were stopped because the attacker(s) made a spelling error, "fandation" for "foundation," which caused a routing bank to question the Bangladesh Bank transactions. This error was the difference between $81 million and $1 billion. Initial investigation determined that gaining access to Bangladesh Bank's systems required little effort, owing to weaknesses in its programmatic policies. The bank hadn't implemented basic network architecture fundamentals such as a firewall, and the router connecting to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) global payment network appeared inadequate from both a security and a functional standpoint: the device itself or its configuration, chosen on the basis of cost, didn't allow logging of traffic (Beck, 2016).

Early in the investigation, SWIFT indicated that the attack was related to an internal operational issue at Bangladesh Bank and that SWIFT's core messaging services were not compromised. It appears that the bank focused more on physical security than on the security of logical access. The SWIFT room is a windowless space roughly 12 feet by 8 feet on the eighth floor of the bank's annex building in Dhaka. There are four servers and four monitors in the room, and all transactions from the previous day are automatically printed on a printer there. It wasn't until after the incident that SWIFT officials advised the bank to upgrade the switches because they were old. Furthermore, it appears that the SWIFT system at Bangladesh Bank is part of the general bank network instead of being segregated to reduce lateral movement by the attacker(s) (Quadir, 2016).

SWIFT is a cooperative owned by 3,000 financial institutions, and its messaging platform is used by 11,000 banks and other institutions around the world. In further investigation of the incident through April 2016, SWIFT indicated that the global financial system could be more vulnerable than previously understood, because the attacker(s) were able to modify SWIFT's client software at the bank. The client software was attacked by malware dubbed "evtdiag.exe". This malware was designed to hide the attacker(s)' tracks by changing information about transfer requests in the SWIFT database at Bangladesh Bank, and it was likely part of a broader attack toolkit installed after the attackers obtained administrator credentials. Once the malware had a foothold, it deleted records of outgoing transfer requests from the database, intercepted incoming messages confirming transfers, manipulated account balances in logs, and manipulated the printer that produced hard copies of transfer requests so that the bank would not identify the attack through those printouts (Finkle, 2016).



For more detail on the intricacies of the malware, see http://baesystemsai.blogspot.co.uk/2016/04/two-bytes-to-951m.html?utm_medium=email&utm_source=flipboard.
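The record deletions and balance edits described above succeed because the transfer log on the compromised host is just rows that an administrator-level process can rewrite. One control that would have surfaced them is a tamper-evident log whose verification key does not live on the SWIFT server. The following is an added example, not SWIFT software and not from the BAE write-up: each record carries an HMAC over its content and the previous record's tag, so deleting, editing or reordering a record breaks the chain. Cutting records off the end does not, so the verifier also takes the last known count and tag from an independent channel (the post's daily printout would serve). The records and key are constructed for the example.

```python
"""Hash-chained (HMAC) transfer log with out-of-band head check.
Added example; key and records are constructed."""
import hashlib
import hmac
import json

GENESIS = "genesis"


def _canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_tag(key: bytes, prev_tag: str, record: dict) -> str:
    """Tag binds this record to everything before it."""
    return hmac.new(key, prev_tag.encode() + _canonical(record), hashlib.sha256).hexdigest()


def append_record(log: list, key: bytes, record: dict) -> dict:
    prev_tag = log[-1]["tag"] if log else GENESIS
    entry = {"seq": len(log), "record": record, "tag": chain_tag(key, prev_tag, record)}
    log.append(entry)
    return entry


def head(log: list) -> tuple[int, str]:
    """What to publish out of band after each batch: (count, last tag)."""
    return len(log), (log[-1]["tag"] if log else GENESIS)


def verify(log: list, key: bytes, expected_head: tuple = None) -> tuple[bool, str]:
    """Recompute the chain from the start; returns (ok, reason)."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, f"sequence gap at position {i}"
        if not hmac.compare_digest(entry["tag"], chain_tag(key, prev_tag, entry["record"])):
            return False, f"record {i} modified or chain broken"
        prev_tag = entry["tag"]
    if expected_head is not None and head(log) != expected_head:
        return False, "log truncated or head tag mismatch"
    return True, "ok"


# Constructed sample transfers and key; the key belongs on the auditing host,
# never on the server whose log it protects.
KEY = b"audit-host-secret-not-on-swift-server"
SAMPLE = [
    {"ref": "TX001", "beneficiary": "BENEFICIARY A", "amount": 20_000_000, "ccy": "USD"},
    {"ref": "TX002", "beneficiary": "BENEFICIARY B", "amount": 20_000_000, "ccy": "USD"},
    {"ref": "TX003", "beneficiary": "BENEFICIARY C", "amount": 81_000_000, "ccy": "USD"},
]


def build_sample_log() -> list:
    log = []
    for record in SAMPLE:
        append_record(log, KEY, record)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    published = head(log)
    print(verify(log, KEY, published))
    print(verify([log[0], log[2]], KEY))          # a deleted middle record
    print(verify(log[:2], KEY, published))       # a deleted last record
```

Malware with administrator rights on the logging host can of course rewrite the whole chain, which is why the key and the published head must be held elsewhere: with the key off-box the attacker cannot forge tags, and with the head off-box the attacker cannot silently shorten the log.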

In continued investigation through May 13, 2016, there is further evidence backing my initial assessment that the root cause was programmatic failure. The country's law enforcement agency indicated that technicians introduced weaknesses when the network was first connected to Bangladesh's first real-time gross settlement (RTGS) system the previous year. The technicians' missteps include: going against security protocols by using a "simple password"; establishing a wireless connection with remote access to computers in the locked SWIFT room; linking the RTGS, with its 5,000 publicly accessible central bank computers, to SWIFT; failing to disable a USB port on the SWIFT system; using a rudimentary old switch they had found unused in the bank; and failing to implement a firewall between the RTGS and the SWIFT room. Furthermore, it was SWIFT's responsibility to check for weaknesses once the system had been set up, yet no artifacts have been produced to show that this was done (Brook, 2016).

On May 12, 2016, SWIFT disclosed a second malware attack involving its customers' systems. SWIFT is urging customers to review the controls in their payment environments, messaging, and e-banking channels, everything from employee checks to password protection to cyber defense. The new malware targets the PDF reader that banks use to open SWIFT messages, the messages that tell financial institutions what money to send where. Experts believe this discovery is not a single occurrence but part of a wider and highly adaptive campaign in which the attacker(s) clearly exhibit deep and sophisticated knowledge of specific operational controls (Smith, 2016).

BAE Systems has been investigating this incident since the beginning. As of today, May 13, 2016, BAE Systems has linked this attack to the November 2014 Sony hack. The similarities include the names of programming elements and the encryption keys, which is consistent with a single coder. This is likely to draw scrutiny because the White House attributed the Sony attack to North Korea (Fox News, 2016).

It is very easy to point to the technical errors; however, these missteps can be reduced and caught if programmatic functions for administering cyber security and operations management are in place. Programmatic functions include the basic fundamentals, baseline standards, management support, technical expertise, oversight, and continuous monitoring in the form of formal and informal reviews. In most cases the security posture is indicative of the programmatic elements.

References:

Beck, K. (2016, April 22). Hackers steal $81 million from a bank that had no firewall. Retrieved May 13, 2016, from http://mashable.com/2016/04/22/bank-hackers-firewall/?utm_medium=email

Quadir, S. (2016). Bangladesh Bank exposed to hackers by cheap switches, no firewall: Police. Retrieved May 13, 2016, from http://www.reuters.com/article/us-usa-fed-bangladesh-idUSKCN0XI1UO

Finkle, J. (2016). Exclusive: Bangladesh Bank hackers compromised SWIFT software, warning to be issued. Retrieved May 13, 2016, from http://www.businessinsider.com/r-exclusive-bangladesh-bank-hackers-compromised-swift-software-warning-to-be-issued-2016-4?utm_medium=email

Shevchenko, S. (2016, April 25). BAE Systems Threat Research Blog. Retrieved May 13, 2016, from http://baesystemsai.blogspot.co.uk/2016/04/two-bytes-to-951m.html?utm_medium=email

Brook, C. (2016). Police Allege SWIFT Technicians Left Bangladesh Bank Vulnerable. Retrieved May 13, 2016, from https://threatpost.com/police-allege-swift-technicians-left-bangladesh-bank-vulnerable/117937/?utm_medium=email

Smith, M. N. (2016). One of the world's biggest money transfer systems discovered a 'wide and highly adaptive' hacking campaign. Retrieved May 13, 2016, from http://www.businessinsider.com/swift-cyber-attack-hack-malware-wide-highly-adaptive-2016-5?utm_medium=email

Fox News. (2016, May 13). Cyber security firm reportedly ties Bangladesh bank heist to Sony attack. Retrieved May 13, 2016, from http://www.foxnews.com/tech/2016/05/13/cyber-security-firm-reportedly-ties-bangladesh-bank-heist-to-sony-attack.html?utm_medium=email

Friday, May 6, 2016

Free isn't Free (Week 8 - We Cause Our Own Privacy Breach)

The weakest link in any system is the human factor. Most people go about their lives reading about breaches at governments, corporations, financial institutions, and small businesses, including breaches of other people's privacy. Yet we don't think twice about the fact that we are the ones making our privacy vulnerable, breaching it ourselves.

Why do we put our privacy at risk? We risk it for free applications and services, in what amounts to a legalized social engineering attack close to "baiting". Baiting is the promise of an item or good to entice the victim into an exchange, in this case for our privacy.

Who hasn't heard of tech companies such as Microsoft and Google? Yet their business models depend on our data. For some time now, Windows 10 has been free for those upgrading from Windows 7 and 8. Windows didn't use to be free, and nothing in life is ever really free, right? This month Microsoft announced its Q3 results and stated that the free operating system created a $1.5 billion hole in its revenues. If Windows 10 is "free," why the hard-line push of Windows 10 upgrades onto Windows 7 and Windows 8 users?

Using the default settings gives Windows 10 an incredible amount of user data, albeit anonymized, and absolute control over updates and the installation of new features and services. Microsoft clearly feels entitled to use Windows 10 to push users towards its own products. Several Windows 10 updates switched user preferences back to Microsoft solutions and then automatically deleted some third-party apps and tools. Since then the company has declared that all attempts to use rival search engines in the Windows 10 search bar will be blocked and all results must load in Edge, no matter the user's default browser (Kelly, 2016). You can help protect your privacy by reviewing your settings: http://lifehacker.com/what-windows-10s-privacy-nightmare-settings-actually-1722267229.

When you use Google, you are making a deal. You get to use services like Gmail, Drive, Search, YouTube, and Google Maps for free. In exchange, you agree to share information about yourself that Google can use with advertisers so their ads are more effective. No longer content to vacuum up, scan, index, and sell analytics based on the content of our texts, emails, searches, locations, and more, Google now has a new target: tapping, mapping, and colonizing the networks wiring our lives. For example, in a case brought by 38 states, Google admitted that its camera cars, outfitted with roof cameras facing four directions, were not just taking pictures; they were collecting data from computers inside homes and structures, including "passwords, e-mails and other personal information from unsuspecting computer users," the New York Times reported. In another example, a federal judge refused to dismiss a potential class-action lawsuit brought by Gmail users who objected to its practice of analyzing the content of all the messages on its network and selling byproducts to advertisers (Rosenfeld, 2014). You can see what Google is watching, what Google thinks it knows about you, and what it is telling advertisers through your account's history and ads settings pages (Google, n.d.).

Here are some of the things companies and data brokers collect about people (some are more common than others):
  • Name, age, birthday, and gender
  • Physical address, phone numbers, email address
  • Social Security Number and driver's license
  • Height and weight
  • Language you speak
  • Marital status
  • Who lives with you
  • Education level and occupation
  • Political party
  • What you buy
  • Friends on social media
  • How much social media you use: Facebook, Twitter, and LinkedIn
Note: To see a more complete list of data that is collected visit, http://time.com/money/2819049/data-brokers-online-privacy-tools/.

This is not an exhaustive list. Most people don't realize how few data points of personally identifiable information it takes to uniquely identify someone. How do companies get this data? Whenever you post information online, register on a website, shop, or submit a public record like a mortgage or voter registration, data brokers collect the information and then turn around and sell what they have on you (Brandeisky, 2014).

The only way to fully protect yourself is to live in a box and never crawl out of it; however, there are some actions a person can take to reduce the data leak they create themselves (Mitchell, 2014; McCandlish, 2002; TRUSTe, n.d.):
  • Delete Cookies: cookies let websites collect information about what else you do online.
  • Log Out of Social Media Sites While You Browse the Web
  • Change Your Smartphone’s Privacy Settings
  • Employ Advanced Online Tools: disconnect.me, DuckDuckGo, Tor
  • Opt-out of Data Collection
  • Digital Checkup: check privacy setting on popular sites like Facebook, Amazon, and Twitter
  • Online Profile: never give out any real information about yourself unless absolutely necessary and create a disposable email account
  • Delete your unused online accounts
  • Block "third-party" cookies
  • Go private with your browsing
  • Use anti-tracking software (Ghostery)
  • Use HTTPS whenever possible
  • Sign up for a VPN service
  • Do not reply to spammers
Remember that YOU decide what information about yourself to reveal: when, why, and to whom. Note that this post mentioned two services that may garner attention from government authorities. A newly approved change to Rule 41 of the Federal Rules of Criminal Procedure, adopted by the U.S. Supreme Court, will allow the FBI to obtain warrants to search and seize computers anywhere whose location has been concealed by privacy tools like a VPN or Tor (Prabhu, 2016).

References:

Kelly, G. (2016, April 29). 'Free' Windows 10 Reveals Its Expensive Secret. Retrieved May 06, 2016, from http://www.forbes.com/sites/gordonkelly/2016/04/29/free-windows-10-cost-expensive-secret/?utm_medium=email

Rosenfeld, S. (2014, February 5). 4 ways Google is destroying privacy and collecting your data. Retrieved May 06, 2016, from http://www.salon.com/2014/02/05/4_ways_google_is_destroying_privacy_and_collecting_your_data_partner/

Google. (n.d.). One account. All of Google. Retrieved May 06, 2016, from https://history.google.com/history/

Google. (n.d.). Control Your Google Ads. Retrieved May 06, 2016, from https://www.google.com/settings/ads/anonymous?hl=en

Brandeisky, K. (2014, June 5). 7 Ways to Protect Your Privacy Online. Retrieved May 06, 2016, from http://time.com/money/2819049/data-brokers-online-privacy-tools/

Mitchell, R. L. (2014). The paranoid's survival guide, part 1: How to protect your personal data. Retrieved May 06, 2016, from http://www.computerworld.com/article/2488068/data-privacy/the-paranoid-s-survival-guide-part-1-how-to-protect-your-personal-data.html?page=4

McCandlish, S. (2002). EFF's Top 12 Ways to Protect Your Online Privacy. Retrieved May 06, 2016, from https://www.eff.org/wp/effs-top-12-ways-protect-your-online-privacy

TRUSTe. (n.d.). Personal Privacy Tips - TRUSTe. Retrieved May 06, 2016, from https://www.truste.com/consumer-resources/personal-privacy-tips/

Prabhu, V. (2016). Tor & VPN users labeled as criminals will be hacked & spied by FBI under new law. Retrieved May 06, 2016, from http://www.techworm.net/2016/05/tor-vpn-users-labeled-criminals-hacked-spied-fbi-new-law.html

Tuesday, April 26, 2016

Signaling System No 7 (SS7) Vulnerability in Mobile Phone Networks (Week 7)

Signaling System No. 7 (SS7) is the signaling system that connects one mobile phone network to another. SS7 is a suite of protocols standardized in the ITU-T Q.700 series, later extended with protocols to support additional services such as roaming, Short Message Service (SMS), and data. As with many legacy technologies, SS7 was designed with little security: concepts such as authentication and authorization were hardly present or discussed, and SS7 security was based solely on trust. The protocol ran over what was regarded as a closed network, and researchers had no access to SS7 networks. However, the SS7 network is no longer closed. Network providers are opening up their SS7 networks to third parties as part of their commercial offerings.

This legacy technology has vulnerabilities. Malicious actors can exploit them; they were brought to public attention in 2010 and still exist today. The actors can transparently forward calls, record or listen to calls, read SMS messages sent between phones, and track the location of a phone. The attack surface is vast: there are over 800 cell phone networks around the world, each with roughly 100 to 200 interlocking roaming agreements with other networks. That means virtually every cell phone network is interconnected, allowing attackers to potentially tap any phone regardless of location.

Since the exposure of these security holes, some operators have set up services that monitor abuse of their networks and employed security contractors to analyze the SS7 systems in use to try to prevent unauthorized access. The main risk to users is to their privacy: interception of voice calls and text messages, and tracking of people and their habits, by anyone from criminal hackers to government surveillance. However, there are other dangers, such as interception of the two-step verification codes that email providers, banks, and other institutions send by SMS to verify a user's identity at login.

For an attack to occur, the bad actor must know enough to build a node that emulates a mobile operator's. To access an SS7 network, attackers can acquire an existing provider's connection on the black market, or obtain authorization to operate as a mobile carrier in a country with lax communications laws. In addition, any attacker who happens to work as a technical specialist at a telecommunications operator would be able to connect rogue equipment to the company's SS7 network. To perform certain attacks, only legitimate functions of the existing network equipment need be used.

There are multiple attacks and multiple ways to accomplish them. This post only provides an example of intercepting SMS; the Signaling System 7 Security Report from Positive Technologies and The Fall of SS7 - How Can the Critical Security Controls Help? from the SANS Institute InfoSec Reading Room are great resources for an in-depth look at the attacks.

Intercept SMS Attack:

The updateLocation message is used to update the subscriber's location in the network: it informs the home network (the HLR) which Visitor Location Register (VLR)/Mobile-services Switching Center (MSC) the subscriber is currently attached to. Using a forged updateLocation message, the attacker claims that the victim's mobile station is attached to the attacker's MSC. From then on, the subscriber's SMS messages are routed to the attacker's node for delivery to the mobile station. In addition to intercepting the target's personal SMS messages, this attack can be used against authentication systems that rely on SMS verification (SMS tokens, Facebook verification, etc.) and can lead to the compromise of the target's identity.
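The exchange above, modelled end to end as an added example (not from the Positive Technologies or SANS reports, and a model of the MAP messages rather than a MAP implementation). The home network's HLR records which VLR/MSC serves each subscriber; the SMS centre asks the HLR where to deliver (SendRoutingInfoForSM) and forwards the text there. The model also shows the two plausibility checks an SS7 monitoring service applies to incoming updateLocation messages: is the claimed VLR a known roaming partner, and could the subscriber physically have moved there since the last update. The global titles, country codes and the one-hour velocity threshold are assumptions.

```python
"""HLR/SMSC model of SMS interception via forged UpdateLocation, with
origin and velocity filtering. Added example; identifiers are constructed."""
from dataclasses import dataclass


@dataclass
class Location:
    vlr_gt: str        # global title of the VLR/MSC claiming to serve the subscriber
    country: str
    updated_at: float  # seconds


class HLR:
    def __init__(self, roaming_partners: dict, min_travel_seconds: float = 3600.0,
                 filtering: bool = True):
        self.partners = roaming_partners       # vlr_gt -> country, from roaming agreements
        self.min_travel = min_travel_seconds   # assumed: no cross-border move faster than this
        self.filtering = filtering
        self.locations: dict = {}              # imsi -> Location
        self.msisdn_to_imsi: dict = {}
        self.rejected: list = []

    def provision(self, imsi: str, msisdn: str, home_vlr_gt: str, country: str, now: float):
        self.msisdn_to_imsi[msisdn] = imsi
        self.locations[imsi] = Location(home_vlr_gt, country, now)

    def update_location(self, imsi: str, vlr_gt: str, now: float) -> bool:
        """MAP UpdateLocation from a node claiming to serve the subscriber.
        Without filtering the HLR believes any sender: that is the legacy trust model."""
        if self.filtering:
            country = self.partners.get(vlr_gt)
            if country is None:
                self.rejected.append((imsi, vlr_gt, "unknown origin"))
                return False
            current = self.locations.get(imsi)
            if (current and current.country != country
                    and now - current.updated_at < self.min_travel):
                self.rejected.append((imsi, vlr_gt, "implausible velocity"))
                return False
        else:
            country = self.partners.get(vlr_gt, "?")
        self.locations[imsi] = Location(vlr_gt, country, now)
        return True

    def send_routing_info_for_sm(self, msisdn: str) -> str:
        """MAP SRI-for-SM: tells the SMSC which node currently serves the number."""
        return self.locations[self.msisdn_to_imsi[msisdn]].vlr_gt


def deliver_sms(hlr: HLR, msisdn: str, text: str, mailboxes: dict) -> str:
    """SMSC side: ask the HLR, then MT-ForwardSM to whatever node it names."""
    node = hlr.send_routing_info_for_sm(msisdn)
    mailboxes.setdefault(node, []).append(text)
    return node


def run_scenario(filtering: bool) -> tuple[str, list]:
    """Victim is at home; an attacker with bought SS7 access sends UpdateLocation
    for the victim's IMSI. Returns (node that received the login code, rejections)."""
    partners = {"GT-HOME-MSC": "NL", "GT-PARTNER-DE": "DE"}   # assumed agreements
    hlr = HLR(partners, filtering=filtering)
    hlr.provision("IMSI-001", "+31600000001", "GT-HOME-MSC", "NL", now=0.0)
    hlr.update_location("IMSI-001", "GT-ATTACKER", now=60.0)
    mailboxes: dict = {}
    node = deliver_sms(hlr, "+31600000001", "Your login code is 482913", mailboxes)
    return node, hlr.rejected


if __name__ == "__main__":
    print("legacy trust:", run_scenario(filtering=False))
    print("with filtering:", run_scenario(filtering=True))
```

The origin check only helps when the attacker's node is not already a legitimate partner; an attacker using a partner operator's access (bought on the black market, as the post notes) passes it, which is what the velocity check is for. Neither replaces the real fix on the relying-party side: not using SMS as a second factor for anything that matters.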


Glossary:

The Mobile-services Switching Center: constitutes the interface between the radio system and the fixed network. It performs all the needed functions to handle the circuit switched services to and from the mobile stations. The MSC usually consists of two systems: the MSC server, responsible for the signaling, and the media gateway (MGW) handling the user traffic.

The Visitor Location Register (VLR): a database of the subscribers who have roamed into the jurisdiction of the MSC it serves. When a Mobile Station (MS) enters a new location area it starts a registration procedure. The MSC in charge of that area notices this registration and transfers to the Visitor Location Register the identity of the location area where the mobile station is situated. If this MS is not yet registered in the VLR, the VLR and the HLR exchange information to allow the proper handling of circuit-switched (CS) calls involving the MS. In practice, for performance reasons, most vendors integrate the VLR directly into the MSC.

References:

Gibbs, S. (2016). SS7 hack explained: What can you do about it? Retrieved April 26, 2016, from https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls

Bennett, C. (2016). Serious weaknesses seen in cell phone networks. Retrieved April 26, 2016, from http://thehill.com/policy/cybersecurity/277329-serious-weaknesses-seen-in-cell-phone-networks?utm_medium=email

Mourad, H. (2015). The Fall of SS7 – How Can the Critical Security Controls Help? Retrieved April 26, 2016, from https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225

Positive Technologies. (n.d.). SIGNALING SYSTEM 7 (SS7) SECURITY REPORT. Retrieved April 26, 2016, from http://www.ptsecurity.com/upload/iblock/083/08391102d2bd30c5fe234145877ebcc0.pdf

Monday, April 18, 2016

URL Shortening - Week 6

Uniform Resource Locators (URLs) are the standard method for addressing Web content, and they often grow to hundreds of characters in length. The Hypertext Transfer Protocol (HTTP) does not specify a limit on the length of a URL, but implementations impose various restrictions, 2048 characters in practice. Long URLs are difficult to distribute and remember (Georgiev & Shmatikov, 2016). URL shortening is therefore a technique on the World Wide Web by which a URL is made substantially shorter while still directing to the required page. This is achieved by using a redirect on a short domain name that links to the web page with the long URL. For example, the URL "http://en.wikipedia.org/wiki/URL_shortening" can be shortened to "http://tinyurl.com/urlwiki" (URL shortening, n.d.).


URL shorteners provide a useful, simple way of sharing links; however, security researchers Vitaly Shmatikov and Martin Georgiev discovered that web URL shorteners operate in a predictable way, so that these links can disclose sensitive information. The researchers analyzed the most popular URL shorteners: the services implemented by Google, Bit.ly and Microsoft. They found that the shortened URLs can be enumerated by brute force. Their scan discovered a large number of Microsoft OneDrive accounts with private documents. Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users' devices.

Google and Microsoft have introduced fixes to secure newly shortened URL links; however, old links remain vulnerable. The researchers explained that shortened URLs are predictable because they combine a domain name with a sequence of five to seven characters. The short URL and knowledge of the generation mechanism introduce the basic vulnerability to brute force attacks.

The actual URLs are public and can be discovered. The scan of 100 million URLs resulted in the discovery of more than 1.1 million publicly accessible OneDrive files, including documents and executables. In their sample scan of 100,000,000 bit.ly URLs with randomly chosen 6-character tokens, 42 percent resolved to actual URLs. Of those, 19,524 URLs led to OneDrive/SkyDrive files and folders, most of them live.


The random scan of Google-shortened URLs allowed the identification of 23,965,718 links, 10 percent of them containing driving directions to sensitive locations including disease and abortion clinics, and strip clubs (Paganini, 2016). The researchers suggested five approaches to mitigate the vulnerability: make short URLs longer, inform users about the risks of URL shorteners, do not rely on universal URL shorteners, employ CAPTCHAs or other methods to separate human users from automated scanners, and design better APIs for the cloud services that use short URLs.
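To put numbers on the token-space argument above and on the first mitigation ("make short URLs longer"), here is an added example, not code from the researchers or from any shortener. It assumes tokens are drawn uniformly from the 62 alphanumerics and takes the post's 42 percent hit rate on random 6-character bit.ly tokens as an estimate of how densely that space is populated; everything else is derived from those figures.

```python
import math
import secrets
import string

# Assumption (not from the post): tokens use the 62-symbol alphanumeric alphabet.
ALPHABET = string.ascii_letters + string.digits

def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random token, in bits."""
    return length * math.log2(alphabet_size)

def occupancy(hits, guesses):
    """Fraction of the token space that resolves, estimated from a random sample
    (the post's 42 % of 100,000,000 guesses). 1/occupancy is the number of random
    guesses an automated scanner needs per live link, whatever the token length."""
    return hits / guesses

def live_links(occ, length, alphabet_size=len(ALPHABET)):
    """Approximate number of live short links implied by an occupancy estimate."""
    return round(occ * keyspace(length, alphabet_size))

def min_length_for_occupancy(n_live, target_occ, alphabet_size=len(ALPHABET)):
    """Shortest token length at which n_live links fill at most target_occ of the
    space: the 'make short URLs longer' mitigation, quantified. Integer comparison
    avoids float drift on the large powers."""
    needed = math.ceil(n_live / target_occ)
    length = 1
    while keyspace(length, alphabet_size) < needed:
        length += 1
    return length

def new_token(length):
    """Issue a token with a CSPRNG; a counter or weak PRNG would shrink the
    effective search space far below entropy_bits(length)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    occ = occupancy(42_000_000, 100_000_000)   # the post's 42 percent
    n = live_links(occ, 6)                     # roughly 2.4e10 live 6-character links
    print(f"6-char base62: {entropy_bits(6):.1f} bits, {keyspace(6):,} tokens, ~{n:,} live")
    print("random guesses per live link:", round(1 / occ, 2))
    for target in (1e-6, 1e-9, 1e-12):
        print(f"occupancy <= {target:g} needs {min_length_for_occupancy(n, target)} characters")
```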

References: 

Georgiev, M., & Shmatikov, V. (2016, April 10). Gone in Six Characters: Short URLs Considered Harmful for Cloud Services. Retrieved April 17, 2016, from http://arxiv.org/pdf/1604.02734v1.pdf

URL shortening. (n.d.). Retrieved April 17, 2016, from https://en.wikipedia.org/wiki/URL_shortening

Paganini, P. (2016). Watch out! URL shorteners could leak sensitive content. Retrieved April 17, 2016, from http://securityaffairs.co/wordpress/46377/hacking/url-shorteners-flaws.html?utm_medium=email

Monday, April 11, 2016

Hardware Vulnerability - Week 5

Over the last four weeks, this blog has covered vulnerabilities ranging from instituting a permanent vulnerability in every Apple iOS device, Android patch management flaws, and meatware (humans) as the weakest link in information system security, to the latest malware craze exploiting meatware. This week is a review of a firmware flaw in the Arris SURFboard SB6141 cable modem (hardware), discovered by David Longenecker, which affects over 135 million users of modems deployed by Comcast, Time Warner Cable, and Charter.

Attackers can exploit the flaw remotely to cause a denial of service by rebooting SURFboard modems without authentication, because of a cross-site request forgery weakness. The modems have a static Internet Protocol address that the consumer cannot change, and the web user interface requires no authentication, no username or password, to reach the administration interface at 192[.]168[.]100[.]1 from the local network.

Restarting the cable modem disables the victim's modem for 2 to 3 minutes, and every device on that network loses access to the Internet, which is an annoyance. However, there is a much larger issue. An attacker can also reset the modem, because the application does not verify whether the reboot or reset command comes from its own user interface or from an external source; social engineering techniques can be used to trick users into clicking on a specially crafted web page or email.

For example, a web page including an <img src="http://malicious_url/"> tag could call either of the following URLs:
  • http://192.168.100.1/reset.htm (for restart)
  • http://192.168.100.1/cmConfigData.htm?BUTTON_INPUT1=Reset+All+Defaults (for factory reset)
If an attacker chooses the factory reset, the modem goes offline for 30 minutes, as the re-configuration process takes as long as an hour to complete.

The Arris modem vulnerability has existed since 2008, because it was present in the Motorola product line that Arris later bought (VU#643049). The simplest solution would be a firmware update that requires a username and password and validates that a request originated from the application and not from an external source. However, there is no practical fix that a consumer can apply: since cable modems are not consumer-upgradable, users must wait for Internet Service Providers to apply the fix and push the update.
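The fix the post describes (require credentials and confirm the request came from the modem's own interface) can be shown side by side with the flawed behaviour. The following is an added example and not the modem's firmware: a toy request handler for the /reset.htm endpoint, with constructed sessions, tokens and sample requests modelled on the img-tag and a cross-site form post.

```python
import hmac

# Constructed state (assumption, not the real firmware): one authenticated admin session and
# the synchronizer token bound to it. The LAN address is the one given in the post.
MODEM_ORIGIN = "http://192.168.100.1"
SESSIONS = {"sid-1234": {"user": "admin", "csrf": "csrf-abcd"}}

def handle_reset_vulnerable(req):
    """Before: any request for /reset.htm reboots the modem, as the post describes."""
    return ("reboot", 200) if req["path"] == "/reset.htm" else ("ignore", 404)

def handle_reset_hardened(req):
    """After: the reboot goes through only for a POST carrying a valid session, a same-origin
    Origin/Referer header, and the session's CSRF token. Returns (action, status)."""
    if req["path"] != "/reset.htm":
        return ("ignore", 404)
    if req["method"] != "POST":                       # <img src=...> can only issue a GET
        return ("reject", 405)
    session = SESSIONS.get(req["cookies"].get("session", ""))
    if session is None:                               # no username/password, no reboot
        return ("reject", 401)
    src = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    if src != MODEM_ORIGIN and not src.startswith(MODEM_ORIGIN + "/"):
        return ("reject", 403)                        # did not come from the modem's own UI
    if not hmac.compare_digest(req["form"].get("csrf", ""), session["csrf"]):
        return ("reject", 403)                        # token missing or wrong
    return ("reboot", 200)

def forged_img_request():
    """Constructed: what a browser sends for <img src="http://192.168.100.1/reset.htm">
    embedded in a page on another site."""
    return {"method": "GET", "path": "/reset.htm", "cookies": {},
            "headers": {"Referer": "http://attacker.example/page"}, "form": {}}

def forged_form_post():
    """Constructed: a hidden auto-submitting form on another site. Without SameSite cookie
    attributes the browser attaches the session cookie, so credentials alone would not stop
    it; the Origin check and the token do."""
    return {"method": "POST", "path": "/reset.htm", "cookies": {"session": "sid-1234"},
            "headers": {"Origin": "http://attacker.example"}, "form": {}}

def legitimate_post():
    """Constructed: the reboot button on the modem's own admin page."""
    return {"method": "POST", "path": "/reset.htm", "cookies": {"session": "sid-1234"},
            "headers": {"Origin": MODEM_ORIGIN}, "form": {"csrf": "csrf-abcd"}}

if __name__ == "__main__":
    for name, req in [("img GET", forged_img_request()), ("cross-site POST", forged_form_post()),
                      ("own UI POST", legitimate_post())]:
        print(f"{name:16} vulnerable={handle_reset_vulnerable(req)} hardened={handle_reset_hardened(req)}")
```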

References:

Paganini, P. (2016). More than 135 million ARRIS cable modems vulnerable to remote attacks. Retrieved April 10, 2016, from http://securityaffairs.co/wordpress/46117/hacking/arris-cable-modems-attack.html?utm_medium=email

Whittaker, Z. (2016, April 8). Over 135 million modems vulnerable to denial-of-service flaw. ZDNet. Retrieved April 10, 2016, from http://www.zdnet.com/article/millions-of-routers-vulnerable-to-unpatched-reboot-flaw/

Vulnerability Note VU#643049. (2008, April 29). Retrieved April 10, 2016, from http://www.kb.cert.org/vuls/id/643049

Khandelwal, S. (2016, April 9). No Password Required! 135 Million Modems Open to Remote Factory Reset. Retrieved April 10, 2016, from http://thehackernews.com/2016/04/hack-modem-internet.html

Longenecker, D. (2016, April 3). Full Disclosure: Unauthenticated CSRF reboot flaw in ARRIS (Motorola) SURFboard modems. Retrieved April 10, 2016, from http://seclists.org/fulldisclosure/2016/Apr/8