Security-related events and commentary from around the web, with emphasis on issues that affect physical, electronic, and data security management.
Dark Reading (12/06/13) Chickowski, Ericka
A newly discovered Linux worm targeting embedded devices is the latest example of such attacks aimed at the Internet of Things. The Zollard worm was identified shortly before Thanksgiving by Symantec researchers, and targets a PHP vulnerability that was patched in May 2012, but remains in many older and unpatched embedded devices such as printers, conference call equipment, and security cameras, as well as network routers and switches. Such devices, which often run a basic version of Linux and remain freely accessible from the Internet in their default configurations, are proving to be a vexing problem for enterprise information security. “They’re small enough that a lot of administrators forget they’re there and forget to patch them, change default passwords, and things like that,” says SecureState researcher Spencer McIntyre. Cisco researcher Craig Williams says these devices are easy targets for attacks that can be used to spread malware or serve as a base from which to further infiltrate networks. Rapid7’s HD Moore expects to see a proliferation of botnets composed of compromised embedded devices in coming years. Williams says the best defense against attacks targeting embedded devices is network-level protection, such as IDS systems that can identify and block attacks against vulnerabilities such as the one leveraged by Zollard.
The Electronic Frontier Foundation (EFF) has updated their report on the support of various encryption and security methods by popular online service providers. Best to check out the original post directly, but you can also download the full graphic here that is current as of this post.
The IZON surveillance camera sold in Apple Stores and Best Buy outlets is filled with security holes that enable a hacker to easily commandeer the device, a security researcher said.
In this case, the cameras were reportedly hard-coded with a default username/password for the administrator account. According to the researcher, accessing the camera with these credentials allowed full access to view video and change settings. It’s bad enough when brute-force or unknown vulnerabilities are exploited on a camera, but a hard-coded default login?? If accurate, that’s inexcusable.
Read the full article here.
We learned this week about an unbelievably bad idea in the way of an online business called “Keys Duplicated” that will copy mechanical keys from a photograph submitted via their site. Users are reassured that this is secure because they require a photograph that includes fingers (supposedly proving ownership – or at least physical control of the key) and the fact that they ship to a street address…
The company decodes the bitting of the key from the photo and cuts a duplicate according to the appropriate manufacturer’s depth and spacing specifications. We have warned for years about the vulnerabilities of standard mechanical keys and the ease of access to code-cut duplicates – but this process seems especially friendly to those with malicious intent.
Hopefully, you are careful about where you leave your keys at the office, and you most certainly use a valet key (or remove house and office keys from the ring) when parking, right?!
Vulnerable terminal servers reflect bigger security problem
April 26, 2013 — CSO — Security weaknesses uncovered in terminal servers used to provide an Internet connection to a wide variety of business and industrial equipment exemplify the risk inherent in adapting older systems to modern technology, experts say.
A recent study by the security firm Rapid7 found more than 114,000 terminal servers, mostly from Digi International or Lantronix, configured to let anyone gain access to the underlying systems. A terminal server, also called a network access server, makes any equipment with a serial port accessible through the Internet.
The systems found vulnerable to tampering included industrial control equipment, traffic signal monitors, fuel pumps, retail point-of-sale terminals and building automation equipment. A hacker scanning the Internet for the serial ports on these devices could easily use a command line program to gain administrative privileges and control the equipment.
The numbers are amazing – and should concern anyone with critical systems that rely on IP connectivity, and those operating in data centers with this kind of “attractive” bandwidth… (emphasis below was added)
Fueled by Super Botnets, DDoS Attacks Grow Meaner and Ever-More Powerful
Ars Technica (04/17/13) Goodin, Dan
Prolexic reports that the average amount of bandwidth being used to carry out distributed denial-of-service (DDoS) attacks has surged dramatically in the last three months. Prolexic estimates that the average bandwidth used in DDoS attacks was 48.25 Gbps in the first quarter, nearly eight times the average during the same period last year. The duration of the average attack also grew in the first quarter, from 28.5 hours in 2012’s first quarter to 34.5 hours this year. Prolexic says it has seen attacks using as much as 160 Gbps and expects to see attacks using up to 200 Gbps by the end of June.
This massive surge in attack volume has been blamed on the growing use of super-botnets, which send malicious traffic using infected servers rather than infected personal computers, with hackers targeting servers for common Web applications. The most well-known of these new DDoS attacks have targeted major U.S. banks and been attributed to the militant wing of Hamas, but Prolexic says the manpower, technical skill, organization, and resources required to pull them off suggest they are the work of highly coordinated bands of veteran cybercriminals, likely hiring their services out to third parties.
This is worth keeping an eye on. If the perpetrators’ focus shifts to private enterprise or provider central monitoring stations, it could create entirely new problems for our industry:
From CSO Online:
Your emergency call centers may be under attack soon
Federal law enforcement officials are reporting a rise in attacks in which the telephone lines of emergency call centers are flooded with bogus calls by extortionists whose demands for cash are refused. “The entire number of attacks is rising,” said Rod Wallace, vice president of services for SecureLogix. The increase is seen across organizations, public and private. Typically, the motivation is to extort money or to protest a particular political or social cause. In the latest attacks, someone with a heavy accent calls the center, known as a public-safety answering point, claiming to be with a collections company for payday loans. The caller then demands a payment of $5,000 to cover the outstanding debt of a former employee or sometimes for someone who never worked at the center. When the demands are refused, the TDoS attacks begin, lasting for intermittent periods over several hours.
The concerning trend of malware being used to create mayhem within an organization or across a large population of disparate devices seems to be here to stay.
Within the security industry, one must think about what the response needs to be if, for example, enterprise security systems were targeted in such a way as to bring them down for days at a time. Whether through a vulnerability in the OS, connected devices (IP cameras, etc…), or software that manages the system(s), the threat is real. It is plausible that targeting physical security systems will be especially attractive due to the potential for capturing “private” video, interacting with the physical world (door control, sounding alarms), or gaining notoriety for breaching systems that are perceived as more secure than others.
More on the topic can be found here.
… if you haven’t already, that is.
There has been a barrage of coverage lately addressing ongoing security issues with Java and Universal Plug-and-Play (UPnP). Summarizing a mountain of detail that is only relevant to a small percentage of users, the takeaway is that almost everyone should: (1) Disable Java in the browser OR uninstall it completely; and (2) Disable UPnP on your router AND test it for remote UPnP vulnerabilities.
As for UPnP, the technology is built into many routers, and is supposed to make connection of networked devices easier by automatically opening ports and configuring network settings. Unfortunately, convenience doesn’t always coexist with security, and UPnP has been shown to have a number of vulnerabilities. Your best option: Turn it off in the router’s administration portal, and also run a Shields Up test to ensure that your router is not exposed to attack from outside the network. Keep in mind that some routers have been found to leave UPnP on regardless of the setting in their configuration screen, while others reportedly do not offer an option to disable it, so your mileage may vary…
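Because some routers keep UPnP running no matter what the configuration screen says, it is worth verifying from inside the LAN as well as with the external Shields Up test. The following Python script is an added example (not from the original post or any router vendor) that sends a standard SSDP M-SEARCH to the UPnP multicast group and reports which devices still answer; the multicast address and port are the SSDP standard, and any other names and values are the example's own.

```python
import socket
from typing import Dict, List
SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port

def build_msearch(search_target: str = "upnp:rootdevice", mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH discovery request (UPnP 1.0 wire format)."""
    lines = ["M-SEARCH * HTTP/1.1",
             f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
             'MAN: "ssdp:discover"',
             f"MX: {mx}",
             f"ST: {search_target}",
             "", ""]  # request ends with an empty line
    return "\r\n".join(lines).encode("ascii")

def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse the headers of an 'HTTP/1.1 200 OK' SSDP reply; {} if it is not one."""
    head = raw.decode("utf-8", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def upnp_still_answering(responses: List[bytes]) -> List[str]:
    """LOCATION URLs of devices that answered; an empty list means nothing spoke UPnP."""
    parsed = (parse_ssdp_response(r) for r in responses)
    return [h["LOCATION"] for h in parsed if h.get("LOCATION")]

def discover(timeout: float = 3.0) -> List[bytes]:
    """Send one M-SEARCH to the LAN multicast group and collect raw replies."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    replies: List[bytes] = []
    try:
        while True:  # keep reading until the timeout says no more devices answered
            replies.append(sock.recvfrom(4096)[0])
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies

if __name__ == "__main__":  # run after switching UPnP off; any URL printed means it is still on
    print(upnp_still_answering(discover()))
```

Run it from a machine on the router's LAN; a LOCATION URL pointing at the router's address means the setting did not take, while an empty list only shows the LAN side is quiet and does not replace the external check.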
From Microsoft Research comes an interesting article about the viability of password stealing as a criminal business (in the context of committing financial fraud/theft). Here is a summary:
Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen. The implications lead us to several interesting conclusions. First, emptying accounts is extremely hard: transferring money in a way that is irreversible can generally only be done in a way that cannot later be repudiated. Since password-enabled transfers can always be repudiated this explains the importance of mules, who accept bad transfers and initiate good ones. This suggests that it is the mule accounts rather than those of victims that are pillaged. We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cyber-crime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.
Link to the full report.