Archive for March, 2016


March 26, 2016

badlock

 

 

Security researchers have discovered a nasty security vulnerability that is said to affect almost every version of Windows and Samba and will be patched on April 12, 2016, the Samba development team announced Tuesday.

 

So, Save the Date if you are a Windows or Samba file server administrator.

 

Developers from Microsoft and Samba are working on a security patch to fix a severe vulnerability that affects almost every version of Windows and Samba.

 

Samba, which is present in nearly all Linux distributions, is free software that implements the SMB/CIFS networking protocol to provide file and print services. Samba is also shipped as a component of *BSD and OS X systems; it can integrate with Windows Active Directory and act as a domain controller or as a domain member. Samba is popular because it allows stable integration between Linux systems and Active Directory.

 

In 2015, another critical Samba flaw was patched: a remote code execution vulnerability (CVE-2015-0240) that received a CVSS score of 10.

 

The flaw, dubbed Badlock, was discovered by Stefan Metzmacher of the firm SerNet, who is also a member of the Samba Core Team. Badlock is a critical vulnerability that Microsoft and Samba developers plan to fix on the next Patch Tuesday, April 12, 2016.

 

The researchers are sure that the Badlock flaw will be exploited once they publicly disclose its details.

 

“Badlock was discovered by Stefan Metzmacher. He’s a member of the international Samba Core Team and works at SerNet on Samba. He reported the bug to Microsoft and has been working closely with them to fix the problem,” the Badlock website reports.
The experts at SerNet have set up a website that will carry all the information related to the Samba issue.

 

Details about the Badlock vulnerability will be disclosed on April 12, when the developers of Microsoft and Samba release security patches to fix the flaw.

 

With a proper name, website and even logo, Badlock seems to be another marketed vulnerability that will likely be exploited by hackers once its details become public.

 

Here’s what the Badlock.org website reads:

On April 12th, 2016 a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock. Engineers at Microsoft and the Samba Team are working together to get this problem fixed. Patches will be released on April 12th.

 

Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date. (Again: It’s April 12th, 2016.) Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.

 

Although this sort of pre-notification is appreciated, especially by system administrators, since it helps them apply the patch as soon as possible, the advance announcement could also benefit the bad guys.

 

Security experts also believe that the available information might be enough for malicious hackers to independently find Badlock and exploit the vulnerability before a patch is released.


 

A new kind of malware, known as “Accessibility Clickjacking”, has been discovered by Skycure, a US-based mobile threat security company, and revealed to the world at the 25th annual RSA Conference, the world’s biggest cyber-security event, which ended on Friday, March 4.

 

The “Accessibility Clickjacking” malware is a critical and dangerous discovery

 
In its study, the company found that this advanced mobile malware had already impacted more than half a billion Android devices globally. The company also pointed out in its report that this very modern mobile malware is able to evade scanner detection, which is usually based on signatures and on static and dynamic analysis.

 
“Accessibility Clickjacking can allow malicious applications to access all text-based sensitive information on an infected Android device, as well as take automated actions via other apps or the operating system, without the victim’s consent.”

 
If you want to see accessibility clickjacking in action, just watch the video from Skycure below, which utilizes a free ‘Rick and Morty’-themed game to get users to unknowingly enable certain accessibility features:

 

 

Although a number of protections have been built into web browsers and web servers to limit the clickjacking risk, the mobile platform remains vulnerable, and this discovery shows that Android is still susceptible to similar kinds of threats.

 

Android smartphone users were advised to be careful when playing games or running applications, as attackers were able to create simple, seemingly “benign” games that could trigger “Accessibility Clickjacking” in the background, unbeknownst to the owner of the device.

 

The malware could allow malicious apps to get hold of all text-based sensitive information on the affected Android devices and take automated actions via other apps or even the operating system. That sensitive information includes emails, text messages, data from messaging apps, and important business applications such as CRM software, marketing automation software and more. This makes Android users vulnerable to the games and applications they download.

 

Once inside the victim’s device, the attackers could therefore even change passwords. However, the security firm did note that the malware was only effective on older versions of the Android operating system, which account for 65 percent of devices, and said that users of the latest versions, Lollipop and Marshmallow, have no reason to worry. Anything between Android 2.2 Froyo and Android 4.4 KitKat is most likely affected by Accessibility Clickjacking, Skycure noted.

March 4, 2016

shodan

 

Each and every day we’re becoming increasingly connected. This has been driven by the acceleration of the Internet of Things – a highly complex network of physical devices and systems with embedded electronics and network connectivity – that enables devices to communicate and exchange data.

 

This rapid uptake has been largely made possible by the transition to IPv6 – the latest version of the IP networking protocol that underpins every aspect of our digital lives. This new protocol provides us with 340 trillion trillion available addresses, which, to give you some perspective, is 10²¹ addresses per square metre of the earth’s surface. The new version solved a serious problem inherent in its predecessor, IPv4: there were not enough addresses available to cope with the blistering expansion of the internet.

 

In the future every single device that we own will be interconnected with every other – but has anybody thought about the security implications this presents? The evidence to date suggests not. Building security into these devices appears to be an afterthought. Security has become a bolt-on addition to products after their development cycle, rather than being integrated into the product design from the ground up.

 

The result?

A network of interconnected and insecure devices that are publicly accessible from the internet. You may not have known it, but a project exists that aims to automate the detection and cataloguing of these devices.

 

Shodan is a search engine much like Google; however, that’s where the similarities end. Rather than indexing web content over ports 80 (HTTP) or 443 (HTTPS) like Google, Shodan crawls the internet looking for devices that respond on a host of other ports, including 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 80, 443, 3389 (RDP) and 5900 (VNC). Once Shodan discovers a host responding on a given port, it connects to the machine and pulls down the service banner. This information is then indexed along with the device’s geolocation data.

 

Since launching in 2009 Shodan has discovered and indexed a wide range of internet-connected devices, including webcams, traffic signalling equipment, routers, firewalls, CCTV systems, industrial control systems for nuclear power plants and electrical grids, domestic home appliances and much more. Many of these devices have been connected to the internet without any thought for security – often without even implementing basic protections such as a strong username and password.

 


 

Searching on Shodan is simple and powerful and lets you find what you’re looking for with ease. The number of results is limited with a basic account, so you may need to upgrade if you’d like access to premium features. These include the full search listings, plotting host locations on maps and finding exploits for ports and services based on version information.

 
Like any good search engine, Shodan also gives you the option to search using various filters, which makes it much easier to narrow your results down and find what you’re looking for.

 
city: find devices in a particular city

country: find devices in a particular country

geo: you can pass it coordinates

hostname: find values that match the hostname

net: search based on an IP

os: search based on operating system

port: find particular ports that are open

before/after: find results within a timeframe

 

We could, for example, use these filters to search for apache city:"Newyork" to find Apache servers in Newyork, or Server: "Apache" country:"US" to find all webcams in the United States.
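The filter syntax above is simple enough to handle programmatically. As an added example (not code from the original post or from Shodan), here is a small Python parser and builder for that syntax, using only the filter names listed above; `parse_query`, `build_query` and `exposure_queries` are hypothetical names, and the netblock 203.0.113.0/24 is a constructed example of an administrator's own address range, the defensive use being to check which of your own hosts Shodan has indexed on risky ports.

```python
import re
import shlex

# Filter names taken from the list on the page (added example, not Shodan's own code).
KNOWN_FILTERS = {"city", "country", "geo", "hostname", "net", "os", "port", "before", "after"}

# A filter token is name:value; the value must be non-empty.
FILTER_RE = re.compile(r"^([A-Za-z_]+):(.+)$", re.S)


def parse_query(query):
    """Split a Shodan-style query into (free_text_terms, filters).

    Quoted values are kept whole, so city:"New York" is one filter.
    A token whose name is not a known filter, or that has no value after
    the colon (e.g. the banner text 'Server:'), is treated as free text.
    filters maps filter name -> list of values, preserving query order.
    """
    terms, filters = [], {}
    for token in shlex.split(query):          # shlex strips the quotes for us
        match = FILTER_RE.match(token)
        if match and match.group(1).lower() in KNOWN_FILTERS:
            filters.setdefault(match.group(1).lower(), []).append(match.group(2))
        else:
            terms.append(token)
    return terms, filters


def build_query(terms, filters):
    """Inverse of parse_query: re-quote any value that contains whitespace."""
    parts = list(terms)
    for name, values in filters.items():
        for value in values:
            if re.search(r"\s", value):
                value = '"%s"' % value
            parts.append("%s:%s" % (name, value))
    return " ".join(parts)


def exposure_queries(netblock, ports):
    """Queries an administrator would run against their OWN netblock to see
    which hosts Shodan has indexed on ports that should not be public
    (e.g. 23 for Telnet, 5900 for VNC). One query per port."""
    return [build_query([], {"net": [netblock], "port": [str(p)]}) for p in ports]


if __name__ == "__main__":
    for q in ('apache city:"Newyork"', 'Server: "Apache" country:"US"'):
        print(q, "->", parse_query(q))
    print(exposure_queries("203.0.113.0/24", [23, 5900]))   # constructed example range
```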

 

 

While it’s frightening to learn how many Internet of Things devices are completely unsecured, there’s also another story behind the ones that are secured. Many of the devices that Shodan detects and indexes do have some security in place – requiring authentication, for example – but even these devices aren’t 100% safe from unauthorised access. In the ever-changing world of cyber security nothing remains static, and new exploits and vulnerabilities are being discovered and disclosed all the time.

 

A significant example involves one of the largest and most well-known computer networking companies in the world: Juniper. In a recent public disclosure Juniper revealed that the firmware running on some of its devices contained a hard-coded back-door password that would allow anybody connecting to a vulnerable device to simply supply that password against a valid user account and gain full administrative access to the device over Telnet or SSH. This exploit works against vulnerable NetScreen firewalls. You can read the full disclosure here: CVE-2015-7755.

 

Using Shodan we can search for Juniper firewalls and browse through the list to find those running a vulnerable version of the ScreenOS firmware. Once connected, we’d be able to supply the known backdoor password with a default ScreenOS user account (system) and begin remote management of those devices.

 

We’re talking about firewalls that are live on mission-critical networks all over the world. And how many of these potentially vulnerable NetScreen firewalls has Shodan indexed? More than 18,000. Assuming only 10% of those are vulnerable (an extremely conservative estimate), that’s 1,800 vulnerable Juniper firewalls that are sitting targets on the internet right now.

 

At DefCon 2012 the independent security researcher and penetration tester Dan Tentler demonstrated how he was able to use Shodan to find control systems for evaporative coolers, pressurised water heaters and even garage doors. He was also able to find a hydroelectric plant in France, a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with the click of a button. He even found that a city’s entire traffic control system was connected to the internet and could be interrupted with some simple commands.

 

If these large enterprises haven’t got the resources to lock down and protect their infrastructure, then what chance do we have? It’s up to manufacturers to build security into our products and services, rather than leaving that responsibility to us.

 

Attacks on critical infrastructure have until now been minimal to non-existent. Unfortunately it’s only a matter of time before this changes. Attacks on networked industrial control systems are going to become a significant threat to our safety and security, given that computer systems regulate the treatment plants that deliver our drinking water, the traffic lights that allow us to drive safely, the signalling systems on our transport networks and the nuclear reactors that deliver our energy.

 

As consumers we need to think carefully about the smart products that we purchase and consider the security implications that come with many of these devices. As businesses we need to make sure that we have a proper risk management framework in place, and that the person or organisation looking after our technology is also capable of looking after our security.