Security Resources

Archive for the Passwords and Data Security Category

Linux Worm Targets Embedded Devices

Dark Reading (12/06/13) Chickowski, Ericka

A newly discovered Linux worm targeting embedded devices is the latest example of such attacks aimed at the Internet of Things. The Zollard worm was identified shortly before Thanksgiving by Symantec researchers, and targets a PHP vulnerability that was patched in May 2012, but remains in many older and unpatched embedded devices such as printers, conference call equipment, and security cameras, as well as network routers and switches. Such devices, which often run a basic version of Linux and remain freely accessible from the Internet in their default configurations, are proving to be a vexing problem for enterprise information security. “They’re small enough that a lot of administrators forget they’re there and forget to patch them, change default passwords, and things like that,” says SecureState researcher Spencer McIntyre. Cisco researcher Craig Williams says these devices are easy targets for attacks that can be used to spread malware or serve as a base from which to further infiltrate networks. Rapid7’s HD Moore expects to see a proliferation of botnets composed of compromised embedded devices in coming years. Williams says the best defense against attacks targeting embedded devices is network-level protection, such as intrusion detection systems (IDS) that can identify and block attacks against vulnerabilities such as the one leveraged by Zollard.

Encrypting the Web: Who is Doing What?

The Electronic Frontier Foundation (EFF) has updated their report on the support of various encryption and security methods by popular online service providers. Best to check out the original post directly, but you can also download the full graphic here that is current as of this post.

Internet Scans Turn Up More Unsecured Hardware

Vulnerable terminal servers reflect bigger security problem

April 26, 2013 — CSO — Security weaknesses uncovered in terminal servers used to provide an Internet connection to a wide variety of business and industrial equipment exemplify the risk inherent in adapting older systems to modern technology, experts say.

A recent study by the security firm Rapid7 found more than 114,000 terminal servers, mostly from Digi International or Lantronix, configured to let anyone gain access to the underlying systems. A terminal server, also called a network access server, makes any equipment with a serial port accessible through the Internet.

The systems found vulnerable to tampering included industrial control equipment, traffic signal monitors, fuel pumps, retail point-of-sale terminals and building automation equipment. A hacker scanning the Internet for the serial ports on these devices could easily use a command line program to gain administrative privileges and control the equipment.

Can Your Systems Withstand a 200Gbps DDoS Attack?

The numbers are amazing – and should concern anyone with critical systems that rely on IP connectivity, and those operating in data centers with this kind of “attractive” bandwidth…  (emphasis below was added)

Fueled by Super Botnets, DDoS Attacks Grow Meaner and Ever-More Powerful
Ars Technica (04/17/13) Goodin, Dan

Prolexic reports that the average amount of bandwidth being used to carry out distributed denial-of-service (DDoS) attacks has surged dramatically in the last three months. Prolexic estimates that the average bandwidth used in DDoS attacks was 48.25 Gbps in the first quarter, nearly eight times the average during the same period last year. The duration of the average attack also grew in the first quarter, from 28.5 hours in 2012’s first quarter to 34.5 hours this year. Prolexic says it has seen attacks using as much as 160 Gbps and expects to see attacks using up to 200 Gbps by the end of June.

This massive surge in attack volume has been blamed on the growing use of super-botnets, which send malicious traffic using infected servers rather than infected personal computers, with hackers targeting servers for common Web applications. The most well-known of these new DDoS attacks have targeted major U.S. banks and been attributed to the militant wing of Hamas, but Prolexic says the manpower, technical skill, organization, and resources required to pull them off suggest they are the work of highly coordinated bands of veteran cybercriminals, likely hiring their services out to third parties.

Destructive Malware – The New Trend?

The concerning trend of malware being used to create mayhem within an organization or across a large population of disparate devices seems to be here to stay.

Within the security industry, one must think about what the response needs to be if, for example, enterprise security systems were targeted in such a way as to bring them down for days at a time. Whether through a vulnerability in the OS, connected devices (IP cameras, etc…), or software that manages the system(s), the threat is real. It is plausible that targeting physical security systems will be especially attractive due to the potential for capturing “private” video, interacting with the physical world (door control, sounding alarms), or gaining notoriety for breaching systems that are perceived as more secure than others.

More on the topic can be found here.

Is Everything We Know About Password Stealing Wrong?

From Microsoft Research comes an interesting article about the viability of password stealing as a criminal business (in the context of committing financial fraud/theft). Here is a summary:

Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen. The implications lead us to several interesting conclusions. First, emptying accounts is extremely hard: transferring money in a way that is irreversible can generally only be done in a way that cannot later be repudiated. Since password-enabled transfers can always be repudiated this explains the importance of mules, who accept bad transfers and initiate good ones. This suggests that it is the mule accounts rather than those of victims that are pillaged. We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cyber-crime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.

Link to the full report.

DVR Flaw Discovered – Swann, Lorex, Others Affected

The latest in a string of DVR and IP camera vulnerabilities was posted last week by a blogger using the pseudonym “someLuser” and affects an OEM design from RaySharp whose products are reportedly sold under a number of brand names, including Swann, Lorex, KGuard, Zmodo, Hi-View, Soyo, and others. These are often sold direct-to-consumer in kit form, bundled with several cameras and remote viewing software.

In the post, the blogger provided example scripts to demonstrate several exploitable weaknesses in the DVRs, including:

  • Unauthenticated access to the device configuration files
  • Ability to view usernames and passwords in clear text
  • Ability to execute system commands as root (after obtaining the passwords)

The security researchers at Rapid7 (who help maintain and distribute the Metasploit framework) attempted to determine the number and location of systems exposed to the Internet by searching for the devices’ web interface signatures. This effort identified over 58,000 unique IPs in over 150 countries running these vulnerable platforms – 19,000 of which were located in the U.S.  (A chart of the geographic distribution can be seen here)

As discussed previously, embedded systems are often found to have similar vulnerabilities, but are usually hidden behind a firewall, limiting the ability of a hacker to locate or attack them. Since DVRs are routinely placed in DMZs or otherwise exposed to the Internet, their vulnerabilities are much easier to exploit. For devices inside the firewall that also communicate on a private LAN/WAN, the risks posed by insecure devices are potentially significant.

As of this writing, there are no known patches or updates that address the problem. Concerned users should consider removing the devices from their network, or disabling access via the Internet.

Curious About Ransomware? Read On…

It is bad enough to experience a “typical” virus or malware infection on your computer. With luck, you catch it early and scrub the problem with software tools. Worst case, you reformat and reinstall your OS, restoring files from your [always up to date!] backups. “Ransomware,” however, introduces a particularly insidious component that justifies extra caution and preparation…

In short, and as the name implies, this malware variant is intended to hold your files and/or system “hostage” until a fee is paid. This is often done by encrypting personal files on the hard drive. You haven’t lost any data (yet), but without the key, you cannot access it. As you might expect, it is common for victims to pay the hacker and never receive instructions for decrypting their files.

An interesting twist on the scheme involves locking the operating system itself, and displaying a screen that accuses the user of a range of crimes, from copyright violations to child pornography. The message claims to be sent from the FBI, and instructs the user to pay a “fine” in order to unlock their machine. Here is a screenshot of one such scam:

[Screenshot: ransomware lock screen impersonating the FBI]

The best defense against ransomware is, of course, a good offense. The use of quality anti-virus and anti-malware tools is a must, and limiting the use of scripting and plug-ins within your browser will also help (check out NoScript for this). Most important is a good backup strategy. Full “offline” backups should be done frequently, with incremental backups to protect the most recent files. These measures will reduce your exposure, but are still no guarantee that you won’t be hacked. Also important is resisting the temptation to pay the hacker for what seems like a “quick fix.” You’ll never be sure that your data will be released, and the thieves could easily leave behind spyware or otherwise target you again – after all, you paid once…

More Information and Resources:

TechWorld: Ransom malware gangs making huge profits, Symantec discovers
Here is the Symantec report referenced in the article above.
New York Times: For PC Virus Victims, Pay or Else
Malwarebytes: Ransomware

BYOD InfoGraphic

Here is a visual summary of the Bring-Your-Own-Device trend, and the impact on IT and data security. I did not personally review the sources for the statistics – and some of them are probably debatable – but it is interesting nonetheless… You can click the image to read the original post and view a larger version.

Why You Should Care About Mobile Security

Infographic by Veracode Application Security
UPDATES
12-07-2012 Additional Reading on BYOD

DVR and IP Camera Hacking – Only the Beginning

There have been a number of articles and proof-of-concept hacks in recent years illustrating vulnerabilities in IP camera software, access control systems, and the like. Some have raised awareness about fundamental flaws in technology – like the relative insecurity of common proximity card readers, unprotected programming access to a locking system, and simple methods to access a camera’s video feed. Most of the attention following these announcements is focused on the ability of a device to be bypassed or viewed (in the case of a camera), which misses a critical point.

While it is concerning that a replay attack can spoof an access card, and that an IP camera may not provide adequate security against unauthorized viewing, the real danger lies in the potential of these systems to be hacked and modified to serve some other purpose. Here are a few examples – and a prediction: We will see one or more of these in the wild within 24 months.

Scenario One:  The IP Camera Worm
Many IP cameras are designed using FPGAs, not microprocessors, so their ability to run arbitrary code is limited. This trend is changing, however, and as cameras adopt a more standards-based architecture, they will become powerful edge devices running operating systems that can be attacked like any other. Some higher-end models can already run cron scripts, handle video analytics, and manage local storage of data. They are, without exaggeration, computers with a lens and network connection. They are also commonly thought of as “appliances,” with a plug-and-play approach applied to many projects. It is feasible that a worm or other malware could infect these devices as early as the point of manufacturing, or when they are plugged into the installer’s laptop for programming. The software might lie dormant or attempt to infect other cameras or computers on the same network. Affected devices could even be used to launch a Denial of Service (DoS) attack against the recording server or some other target. The common practice – at least in larger systems – of segmenting cameras onto their own LAN might help to reduce this potential, but since the recording server is usually connected to other network(s) for remote viewing and administration, malware capable of infecting the server is a logical progression of this threat.

Scenario Two:  The surveillance DVR/NVR (Network Video Recorder) as a point of entry into corporate networks
Executives like video surveillance systems – and for good reason. As networks and video quality have improved, these systems have saved organizations tremendous amounts of money. Investigations can be performed more efficiently, guards can be reduced, travel costs can be cut, and the list goes on. This means, of course, that the video systems need to be accessible to various departments via the corporate network. Most implement some type of basic security, like requiring a remote user to connect over a VPN, but few have taken steps to totally isolate the video traffic from other network systems. Since many DVRs and NVRs are full-fledged PCs running Windows or Linux, they are vulnerable to the same kinds of attacks as any other server or workstation, but they are easily overlooked and could become a “zero-day” vulnerability or convenient back door into the network.

Scenario Three:  Unintended “Integration”
Every year, security hardware and software moves closer to delivering on the promise of interoperability. It has been a long road, and there are still miles to go, but today’s systems come equipped with protocols for a variety of devices, in order to enable integration. This means that building a “security network” within an enterprise often makes sense. To gain the full benefit from your systems, they need to be able to interact, and since capabilities are sure to be added later – anything that might need to share data ends up on the same segment. When industrial controllers, manufacturing equipment, or other critical systems make this list, the scene is set for security devices to be used as a launchpad for espionage or manipulation. It can seem logical to group these systems together – after all, the “security network” should be a safe place for any important devices, right?

So, why is a hack inevitable?
Fundamental to the problem is that these systems and devices are routinely installed without sufficient thought given to security, and without a plan for ongoing monitoring and maintenance. Furthermore, some of the latest features of alarm panels, home automation controllers, IP cameras and DVRs require Internet access or remote server connections just to function properly, opening a vector of attack that, again, is not well understood or monitored. This means that segmenting a network or “sandboxing” the application may not be an option unless the owner is willing to sacrifice functionality.

I realize that it is not much of a stretch to predict that a hackable device connected to a network might be used in a new and nefarious way… but let’s hope I’m just plain wrong.

For More:

DVRs are being targeted by hackers, says security expert – Article discussing vulnerabilities in consumer DVRs

Bypassing IP Camera Authentication (example)

OpenIPCam site, dedicated to hacking various cameras and the development of custom firmware
