STE WILLIAMS

Who’s running dozens of top-secret unpatched databases? The Dept of Homeland Security

The US Department of Homeland Security is running dozens of unpatched databases, some of which are rated “secret” and even “top secret,” according to an audit.

An inspection [PDF] of the department’s IT infrastructure found huge security gaps, including the fact that 136 systems had expired “authorities to operate” – meaning that their security controls had not been formally reassessed and no authorizing official had re-accepted the risk of keeping them running. Of the 136, 17 were classified as “secret” or “top secret.”

Unsurprisingly, with so many systems not undergoing active maintenance, the audit found that many did not have up-to-date security patches, leaving them open to hacking efforts. The problems extended from browsers to PCs to databases. It also found a large number of weak passwords.

“We found additional vulnerabilities regarding Adobe Acrobat, Adobe Reader, and Oracle Java software on the Windows 7 workstations,” the department’s inspector general noted in a 66-page report. “If exploited, these vulnerabilities could allow unauthorized access to DHS data.”

The report details a year-long effort to get the DHS to address its security issues, and a seemingly bureaucratic effort to delay a report announcing the flaws in its systems.

The report notes that “improvements have been made,” but highlights a series of worrying discrepancies. “For example, DHS does not include its classified system information as part of its monthly information security scorecard,” says the report. In other words, it is lacking basic security reviews of its systems. The audit also found “inaccurate or incomplete data” in the DHS’ management systems.

Recommendations

The report makes six recommendations, two of which have since been resolved. Homeland Security has 90 days to address the remaining four: adding its classified systems to the monthly scorecard (a recommendation the DHS has formally disagreed with); running compliance programs throughout the whole year “instead of peaking during the months leading up to annual reporting”; verifying that the data entered into its security-compliance systems is actually accurate; and making the monthly scorecard itself accurate.

Overall, despite the dense, jargon-filled reporting, it is clear that the DHS’ security is dire. Worse, however, is the fact that it doesn’t know how bad its security is because its own security audits are lacking. In short, it is a disaster waiting to happen – if it hasn’t happened already.

In case you are interested in which parts of the DHS had the most systems running on expired authorities to operate, top of the list comes the Coast Guard with 26, followed by FEMA with 25, Customs and Border Protection with 14, and the DHS’ headquarters with 11.

Best of bunch was the Secret Service with just two, but even it failed miserably to hit overall targets. It managed to put just 75 per cent of its secret or top secret databases through the proper security checks, and just 58 per cent of its non-secret databases. The DHS targets are 100 per cent and 75 per cent respectively. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/20/homeland_securitys_secret_unpatched_pcs_dbs/

Crimestoppers finally revamps weak crypto. Take your time guys

UK crime tip-off service Crimestoppers has revamped its weak website crypto after months of running a system that relied upon obsolete protocols.

Crimestoppers’ “secure” form was previously anything but – rating an “F” in tests last month using the industry-standard SSL Labs service – chiefly because of the site’s support for the SSLv2 protocol.

Crimestoppers has since fixed (or at least made slightly better) its TLS, so that it now is rated as “B” by Qualys’ SSL Labs service.

“The original ‘F’ was due to the SSLv2 protocol, something which should have been dropped nearly 20 years ago [the technology was deprecated in 1996],” UK infosec consultant Paul Moore told El Reg. Moore publicly flagged up the issue in October shortly before the site’s security was improved. Problems had existed since January 2015.

The class of security risk here is one that banks and UK government secure webmail providers, among others, have had issues with in the past.

Crimestoppers allows members of the public to report crime anonymously, either by phone or through its website. Its work is overseen by the Crimestoppers Trust, a UK charity.

Risk audit

We asked Crimestoppers how its site security came to be weaker than it should have been, and what that meant for the confidentiality of sensitive information sent to it while its crypto was weak.

In response, the Crimestoppers Trust supplied a statement playing down security concerns, saying that it regularly monitors the security and confidentiality of the web component of its services. Roger Critchell, director of operations at the Crimestoppers Trust, did however admit that a recent risk audit had thrown up issues which have since been resolved.

The trust in our service from the public is paramount to our charity, and to make sure that we gain that trust we monitor our security regularly to ensure that it is robust and up to date to deal with the thousands of pieces of information we receive each year, whilst still making it compatible with the majority of public operating systems.

We know that the promise of anonymity is critical to our success, with 96 per cent of people surveyed stating it was the reason they contact Crimestoppers. This is why we are ISO27001 certified, obtained in 2013, which was followed by a further review in 2014 and again last month (October).

The public can be reassured that, as this certificate proves, we have robust procedures in place to highlight potential risk areas and deal with them effectively.

A risk audit was performed earlier this year, which identified that the window of opportunity for compromising the security of information was extremely small. All information provided is immediately diverted to our main system which is highly secure.

In addition, contact was made with the ICO to seek its view earlier this year, and after joint analysis of risk, it was deemed to be acceptable.

The charity can reassure the public that there has never been a security breach of any information provided via our website or any other means in the 27 years we have been running.

Moore was less than satisfied with the Crimestoppers Trust’s response to security concerns he was instrumental in raising, concerns that had been there for any tech-savvy person to identify long beforehand.

“SSLv2, SSLv3 and RC4 are not a solid foundation on which to run a charity reliant upon anonymity,” Moore told El Reg. “If, after a collaborative risk assessment with the ICO, these defunct and insecure protocols were deemed ‘acceptable’… I’d question the effectiveness of the ICO’s involvement in previous cases.”
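The checks behind an SSL Labs grade come down to offering a server only the protocols and ciphers you hope it refuses and watching what comes back. The Python below is an added example written for this page, not code from the article, from Moore or from the SSL Labs service: it builds a bare SSLv3-era ClientHello offering only the two RSA/RC4 suites, builds an SSLv2 CLIENT-HELLO, and classifies the server’s first reply. The protocol constants come from the SSL 3.0 and TLS 1.0 specifications and the cipher-suite registry; the `probe()` helper and the reply bytes used in the offline demo are constructed for illustration and were not captured from any of the sites named here.

```python
"""Probe a TLS endpoint for obsolete protocol/cipher support the way SSL Labs
does: offer only the weak options and classify the server's first reply.
Added example for this page; protocol constants from SSL 3.0 / TLS 1.0 specs."""
import os
import socket
import struct

SSLV3, TLS10 = (3, 0), (3, 1)
HANDSHAKE, ALERT = 0x16, 0x15            # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types
# The RC4 suites Moore calls out; IDs from the TLS cipher-suite registry.
RC4_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA"}


def build_client_hello(version, suites, client_random=None):
    """SSL 3.0 / TLS 1.x ClientHello in a handshake record, offering only
    `suites`, the null compression method and no extensions (old SSLv3 stacks
    choke on extensions, so a probe for them must not send any)."""
    rnd = client_random if client_random is not None else os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes(version) + rnd + b"\x00"             # client_version, random, empty session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                             # compression_methods: [null]
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data, offered):
    """Interpret the first record the server returns. A ServerHello choosing one
    of `offered` means the weak option is live; an alert means it was refused."""
    if len(data) < 5:
        return {"accepted": False, "reason": "short or empty response"}
    ctype, _vmaj, _vmin, rlen = struct.unpack("!BBBH", data[:5])
    rec = data[5:5 + rlen]
    if ctype == ALERT and len(rec) >= 2:
        return {"accepted": False,
                "reason": "alert level=%d description=%d" % (rec[0], rec[1])}
    if ctype != HANDSHAKE or len(rec) < 4 or rec[0] != SERVER_HELLO:
        return {"accepted": False, "reason": "unexpected record type 0x%02x" % ctype}
    hs = rec[4:]                                       # skip msg type + 3-byte length
    version = (hs[0], hs[1])
    sid_len = hs[34]                                   # after 2-byte version + 32-byte random
    pos = 35 + sid_len
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    if suite not in offered:
        return {"accepted": False, "reason": "server chose unoffered suite 0x%04x" % suite}
    return {"accepted": True, "version": version, "cipher": suite,
            "cipher_name": RC4_SUITES.get(suite, "0x%04x" % suite)}


def build_sslv2_client_hello(challenge=None):
    """SSLv2 CLIENT-HELLO: 2-byte record header with the high bit set, then
    msg type 1, version 0x0002, three lengths, cipher specs and a challenge.
    Specs offered: SSL_CK_RC4_128_WITH_MD5 and SSL_CK_RC4_128_EXPORT40_WITH_MD5."""
    challenge = challenge if challenge is not None else os.urandom(16)
    specs = b"\x01\x00\x80" + b"\x02\x00\x80"
    body = (b"\x01" + b"\x00\x02"
            + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def speaks_sslv2(response):
    """An SSLv2 server answers with SERVER-HELLO (msg type 4) behind a 2-byte
    header whose high bit is set; anything else (TLS alert, FIN) is a refusal."""
    return len(response) >= 3 and bool(response[0] & 0x80) and response[2] == 4


def probe(host, port=443, timeout=5.0):
    """Network helper (assumed usage, not exercised offline): three probes, one
    per obsolete feature, each on a fresh TCP connection."""
    def exchange(payload):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            try:
                return s.recv(4096)
            except socket.timeout:
                return b""
    rc4 = list(RC4_SUITES)
    return {
        "sslv2": speaks_sslv2(exchange(build_sslv2_client_hello())),
        "sslv3": classify_response(exchange(build_client_hello(SSLV3, rc4)), rc4),
        "rc4_tls10": classify_response(exchange(build_client_hello(TLS10, rc4)), rc4),
    }


if __name__ == "__main__":
    # Offline demo on constructed replies (not captured from any real site).
    sh_body = b"\x03\x00" + b"\x00" * 32 + b"\x00" + b"\x00\x05" + b"\x00"
    sh = (b"\x16\x03\x00" + struct.pack("!H", 4 + len(sh_body))
          + b"\x02" + len(sh_body).to_bytes(3, "big") + sh_body)
    print(classify_response(sh, list(RC4_SUITES)))                              # SSLv3 + RC4-SHA accepted
    print(classify_response(b"\x15\x03\x01\x00\x02\x02\x28", list(RC4_SUITES)))  # handshake_failure alert
    print(speaks_sslv2(b"\x80\x03\x04\x00\x01"))                                 # True
```

Each probe uses a fresh connection and looks only at the first record, so a server that accepts the SSLv3 hello but then fails later in the handshake still counts as “accepted” for grading purposes, which matches how the weak-protocol findings in this article are reported. Run `probe("example.org")` against a host you own to get the three results; a hardened server should answer every probe with an alert or by closing the connection.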

Policing the beat

Moore has also been campaigning to highlight security concerns about the website cryptography of UK policing organisations in the hope that the affected organisations would act to fix their sites. These spirited efforts have not, as yet, borne fruit outside of the Crimestoppers case.

The National Crime Agency’s website has been insecure for more than a year, but rather than fix it the policing organisation blocked Qualys SSL Labs from scanning the site so that nobody would know, Moore alleges. This block has since been lifted.

Moore ran tests on the NCA site using Qualys SSL Labs earlier this week which revealed it had removed the restriction to allow Qualys to assess the site.

“Unfortunately, there are still three serious failings,” according to Moore. For one thing the certificate hasn’t been installed correctly, so some browsers throw security warnings. In addition it’s “vulnerable to OpenSSL’s CCS, which is a straight fail,” and “it’s also vulnerable to MiTM attacks, also a straight fail,” Moore added.

“I’ve no idea how insecure crypto and a misconfigured certificate would find its way into a live environment, but it doesn’t reflect well … especially as I reported it last year,” Moore told El Reg.

We put these criticisms to the NCA, which acknowledged our initial query but is yet to respond to concerns about its website crypto.

Other UK policing organisations are also falling short in providing robust website cryptography.

If you want to file a complaint about UK policing by filing a concern with the IPCC (Independent Police Complaints Commission), its “secureforms” site… isn’t secure, according to Moore.

The main domain is http://ipcc.gov.uk, which is a B, according to Qualys SSL Labs. But, more importantly, the domain they use to collect and process personal information is https://secureforms.ipcc.gov.uk/Pages/form_complaint.aspx, which is an F.

The organisation is yet to respond to El Reg’s query about its website crypto. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/20/crimestoppers_weak_crypto/

New docs: NSA spied on American citizens’ email traffic from overseas

Newly revealed documents (not from Snowden this time) show that the NSA has continued to collect Americans’ email traffic en masse using overseas offices to get around curbs introduced domestically.

Shortly after the September 11 attacks, President Bush authorized the NSA to collect bulk metadata on emails sent by Americans (although not the content) to help The War Against Terror (TWAT). The surveillance was authorized by the US Foreign Intelligence Surveillance Court, which mostly rubberstamped such requests.

But the collection was stopped in 2011, the NSA said, although it still monitored emails from Americans to people outside the nation’s borders. However, a Freedom of Information Act lawsuit started by The New York Times against the NSA’s Inspector General has uncovered documents showing that the NSA carried on collecting domestic data.

To get around the restrictions on operating in the USA, the NSA simply started using its overseas offices to do the collection. Stations like RAF Menwith Hill in Yorkshire were tasked with collecting the metadata and feeding it back to the NSA headquarters in Maryland.

There’s no evidence that the content of emails was being examined by NSA analysts. Instead the metadata was used to try to divine linkages between individuals the agency was looking to monitor. But that metadata is very useful.

“We have known for some time that traffic analysis is more powerful than content analysis,” said Dan Geer, chief information security officer of the CIA’s venture capital firm In-Q-Tel.

“If I know everything about you, about who you communicate with, when, where, with what frequency, what length, and at what location, I know you. The soothing mendacity of proxies from the president that claim that it is only metadata, is to rely on the profound ignorance of the listener.”

The NSA has declined to comment on the documents. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/20/remember_mass_email_slurping_nsa_stopped/

Hillary Clinton: Stop helping terrorists, Silicon Valley – weaken your encryption

Hillary Clinton has joined a growing number of politicians using the Paris attacks earlier this month to argue for weaker encryption.

Speaking at Council on Foreign Relations in Washington Thursday, the presidential candidate talked extensively about Islamic State, the recent attacks in Paris and what the US government could do in response.

Part of that response was in tackling the technological means by which the Islamic State communicates, she said. “[One] challenge is how to strike the right balance of protecting privacy and security. Encryption of mobile communications presents a particularly tough problem.

“We should take the concerns of law enforcement and counterterrorism professionals seriously. They have warned that impenetrable encryption may prevent them from accessing terrorist communications and preventing a future attack. On the other hand, we know there are legitimate concerns about government intrusion, network security, and creating new vulnerabilities that bad actors can and would exploit.”

Part of the problem, according to Clinton, is a tech sector that has become resistant to government efforts to pressure it into introducing backdoors into its products. Said Clinton: “So we need Silicon Valley not to view government as its adversary. We need to challenge our best minds in the private sector to work with our best minds in the public sector to develop solutions that will both keep us safe and protect our privacy. Now is the time to solve this problem, not after the next attack.”

Clinton’s thoughts were echoed in an editorial Friday by the Washington Post in which the paper also argued that tech companies needed to work with government to find solutions to encrypted communication.

The paper argued: “The technology giants and their allies have resolutely insisted that giving law enforcement any kind of extraordinary access would be disastrous, weakening encryption for all. When we suggested earlier that there must be some kind of technical compromise, we were told bluntly: No compromise exists, period.”

It then seemingly questions that statement: “We understand the benefit of encryption, including for citizens living under authoritarian regimes. But we also do not underestimate the risks to the public that terrorists and other criminals may pose. It seems obvious that, if there is a terrible attack in the United States, privacy advocates and tech companies instantly will lose this argument. We don’t have a solution, but it would be in everyone’s interest to keep looking for one, before the next catastrophe.”

This approach of acknowledging the fundamental technical problem of providing a backdoor to encryption while at the same time insisting that a way be found to work around it has been called “magical thinking” and is something that the top levels of the US government have explicitly referenced, including an FTC commissioner who is for encryption and the FBI’s top lawyer, who still wants a workaround.

Meanwhile on Thursday, the tech industry again reiterated its refusal to be pressured into undermining its encryption services. The Information Technology Industry Council (ITI), which bills itself as the “global voice of the tech sector” and counts such giants as Apple, Google, and Microsoft among its members, put out a statement that said in part: “Weakening security with the aim of advancing security simply does not make sense.”

What’s happened this week?

The debate over encryption was thought to be largely over after President Obama said last month that his administration would not be seeking new legislation on the issue. That decision followed a leak of a review of the topic by his National Security Council.

But the Paris attacks have renewed calls for weakened encryption, even though there remains no evidence as yet that the attackers used encryption to communicate. The Paris police found unencrypted text messages concerning the attack, and a public Facebook post from one of the attackers has also been uncovered. Early reports that the attackers used PlayStation 4s to communicate surreptitiously have also been dismissed.

Regardless, senator Dianne Feinstein (D-CA), who chairs the US Senate Intelligence Committee, went on TV and said: “If you create a product that allows evil monsters to communicate in this way, to behead children, to strike innocents – whether it’s at a game in a stadium, in a small restaurant in Paris, take down an airline – that is a big problem.”

She was joined by Manhattan’s district attorney Cyrus Vance who wrote an opinion column in the New York Times that argued that “encryption blocks justice.”

And senator John McCain (R-AZ) also said he would be proposing new laws on the issue, noting: “In the Senate Armed Services we’re going to have hearings on it and we’re going to have legislation.”

Pushing back on the other side are the tech companies, including Google – which encrypted the links between its own data centers after Edward Snowden revealed that the NSA was tapping them – and Apple, which has implemented an encryption system that leaves control of the encryption keys with the user. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/20/clinton_silicon_valley/

Starwood Hotels Hit With PoS Malware, Payment Card Info Exposed

More than 50 Sheraton, Westin, other hotel chains in North America affected.

‘Tis the season for retail breaches: Starwood Hotels today announced that malware was found at more than 50 of its hotels in North America, exposing payment card information.

“Based on the investigation, we discovered that the point of sale systems at certain Starwood hotels were infected with malware, enabling unauthorized parties to access payment card data of some of our customers. We want you to know that the affected hotels have taken steps to secure customer payment card information, and the malware no longer presents a threat to customers using payment cards at our hotels,” Sergio Rivera, president of Starwood  Hotels Americas, said in a letter to customers today.

For more details on the attack and the affected hotels, see Starwood’s post here.


Article source: http://www.darkreading.com/attacks-breaches/starwood-hotels-hit-with-pos-malware-payment-card-info-exposed/d/d-id/1323257?_mc=RSS_DR_EDT

Russian Cybergangs Stole Some $790 Million Over 3 Years

More than $500 million of that is from victims located outside the borders of the former USSR, Kaspersky Lab reveals.

Russian cybercriminals stole at least $790 million between 2012 and 2015 from individuals, businesses, and financial institutions around the world, a new report from Moscow-based Kaspersky Lab shows.

Of this, some $509 million was stolen from victims in the US, the European Union, and other countries outside what used to be the former USSR.

Impressive as the amounts are, the actual financial damages caused by Russia’s cybercriminals could be much greater, the Kaspersky Lab report says. The current loss estimates are based only on an analysis of information gathered from over 160 arrests of Russian-speaking cybercriminals over the last three years, as well as Kaspersky Lab’s own data. It does not reflect the damage caused by those who have not been caught yet.

“Over the last few years, cybercriminals have been increasingly attacking not just the customers of banks and online stores, but the enabling banks and payments systems directly,” the report says.

The number of people arrested for such activities increased significantly this year, but the arrests appear to have hardly made a dent. If anything, Russia’s cyber underground has become even more crowded.

Russian cyber gangs have recruited about 1,000 people over the last three years, many of whom are involved in creating the infrastructure and writing and distributing the malware code used to steal money from targets. Interestingly, many of those arrested are still not in prison, highlighting the challenges involved in getting people involved in such crimes extradited out of Russia.

Kaspersky’s research showed that there are at least five organized cyber groups focused specifically on financial crimes. Each of the groups has been operating for at least two years, and they range in size from 10 to 40 people. Two of the groups are actively engaged in attacking targets in the US, France, UK, Australia, Germany, and Italy.

Many of the top operators in the Russian-language underground function like regular businesses, offering a suite of products and services. Products typically include malware for breaking into computers and mobile devices, exploits that take advantage of known and unknown software flaws, and databases of stolen credit and debit card data.

The services run the gamut from spam distribution, DDoS attacks, checking malware against antivirus detection, and exploit pack rentals to credit card data evaluation and validation services, SEO services for promoting malicious services, and stolen cash withdrawal services.

Most of the products and services are geared towards enabling theft of personal information, theft of money from financial institutions, domestic and international corporate espionage, ransomware schemes, and DDoS attacks. The preferred currency for carrying out transactions in these markets includes e-payment systems such as Bitcoin, Perfect Money, and WebMoney, the Kaspersky Lab report said.

One indication of the flourishing nature of the Russian cyber underground is the fact that it offers plenty of job opportunities for aspiring cybercriminals. Those with the requisite skills can find employment in roles like programming and virus writing, web design (for phishing pages, for instance), system administration, and testing. Even cryptography skills are in demand, for ‘cryptors’ who pack malicious code so as to evade malware detection.

In terms of a pecking order, virus writers and those in charge of money mules sit at the top reporting directly to the leader. Systems administrators and money mules sit at the bottom.

Employees are typically recruited through underground websites but in some cases ads are placed on legitimate job search websites and labor exchanges. “By advertising ‘real’ job vacancies, cybercriminals often expect to find employees from the remote regions of Russia and neighboring countries (mostly Ukraine) where problems with employment opportunities and salaries for IT specialists are quite severe,” the Kaspersky report says.

People working for such criminal endeavors typically fall into two categories: those who are fully aware of the illegality of their work but embrace it anyway, and those who at least initially are unaware of the true nature of their employers.


Article source: http://www.darkreading.com/attacks-breaches/russian-cybergangs-stole-some-$790-million-over-3-years/d/d-id/1323265?_mc=RSS_DR_EDT

Carnegie Mellon denies FBI payment for Tor-cracking technique

No, we did not sell Tor users out to the FBI for $1 million, Carnegie Mellon (more or less) has said.

Carnegie Mellon on Wednesday tersely wrote that recent media reports – one assumes it’s talking about reports that its Software Engineering Institute had accepted such a payment – were “inaccurate.”

No, the university implied, no money changed hands.

In fact, this seems to have been more of a legalistic mugging than a sale.

From the statement:

In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.

That’s not how the Tor Project was telling it.

Tor’s director, Roger Dingledine, said in a blog post last Wednesday that an unspecified party told Tor that Carnegie Mellon had received a payment of “at least $1 million.”

Ever since Operation Onymous – a far-flung, multination bust that snared 410+ supposedly hidden services running 27 dark web markets, by stripping away the concealing layers of the Tor anonymizing service to lay identities bare – the Tor Project has been trying to figure out how it was done.

The Tor Project came to the conclusion that the technique used to pierce the anonymizing layers of Tor was the same as that discovered by Carnegie Mellon researchers.

Specifically, in the months before the Operation Onymous attack, research from CMU described a way to de-anonymize Bitcoin users that allows for the linkage of user pseudonyms to the IP addresses from which the transactions are generated, even when used on Tor.

Two Carnegie Mellon researchers subsequently canceled a Black Hat 2014 talk about how easy they found it to break Tor.

The trail of evidence provides yet more clues that link the FBI’s penetration of Tor to Carnegie Mellon’s research.

But if Carnegie Mellon is to be believed, no researchers profited from the FBI’s use of its technique – if in fact that’s how the FBI did what it did.

Questions remain, particularly as far as the Tor Project is concerned.

Tor Project spokesperson Kate Krauss told Wired that Tor would still like to learn how the FBI might have known what to subpoena from Carnegie Mellon, and whether Carnegie Mellon’s Institutional Review Board approved of its Tor research.

Wired posed those questions to a Carnegie Mellon public relations staffer, but the university declined to comment beyond its statement.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/clWeF2pnYOc/

eBay scammer steals identity of agent investigating him

He had the eBay/PayPal/parcel insurance scam chugging away, with dozens of accounts set up to file claims on packages. In actuality, the packages were empty boxes, sent to switched addresses, that purportedly never showed up.

But why stop there, when you can also pull some identity fraud on the special agent assigned to investigate your fraud?

…And then use that agent’s personal information to open even more fraudulent accounts?

That’s exactly what 25-year-old Rohit Jawa did, ratcheting his crimes up from switching addresses on packages, sending out empty boxes, and filing bogus insurance claims, to impersonating an agent for the US Postal Service Office of Inspector General (USPS-OIG).

On Monday, Jawa pleaded guilty to eight counts of wire fraud and one count of aggravated identity theft, according to the Eastern District of Virginia US Attorney’s Office.

According to court documents, in January 2013, a set of at least 19 eBay and 18 PayPal accounts started to run a scheme to defraud eBay buyers and eBay’s third-party parcel insurance company, which pays a claim to a seller’s PayPal account if the postal service loses or damages an insured package.

That third-party insurance is offered through eBay’s ShipCover program.

ShipCover administrators, smelling a rat, in December 2013 began investigating a set of accounts – linked by overlapping eBay and PayPal accounts and identity information – that were filing claims on nearly all of their insured parcels.

But when insurance investigators interviewed three people whose identities had been used to open the accounts, they all said they hadn’t opened the accounts that were in their names.

Same thing for the USPS OIG: agents interviewed three more people associated with the accounts, and they all denied knowledge of the accounts and said they never granted their consent to open them.

The accounts fell into two sets, each with something in common: one group used similarly formatted Yahoo accounts with a consistent prefix. The prefix was either “rbox009,” “tohaven,” or “twaron,” followed by a hyphen and a varying suffix.

Another 91 email addresses were associated with accounts hosted by 11 Mail and Media Inc. – a provider that lets users register numerous addresses under a single account.

So agents got a search warrant for 11 Accounts, and that’s the path that wound to Jawa – as well as to having an agent’s identity stolen.

Agents had found numerous complaints wherein buyers complained to a seller that they hadn’t received a purchased item, despite tracking histories that showed the items had been delivered.

When agents compared the shipping addresses given to the postal service at time of purchase with those seen on the labels the postal service actually processed, they found that the addresses had been changed to another address in the same ZIP code: a “strong indication of fraud,” USPS OIG special agent John Watson wrote in the affidavit.

The USPS OIG actually started investigating one of the fraud victim’s complaints in July 2014 to determine if a postal service employee was stealing mail.

An agent wrote to the seller in question, who had one of those 11 addresses.

OK, the seller responded, that’s fine, just send over a copy of your credentials to verify your identity.

Which the agent did.

That seller was Jawa.

With the agent’s proof of identity, along with another of those 11 email accounts, Jawa filed an application for an account at Law Enforcement Online (LEO): a web portal run by the FBI that provides access to criminal intelligence and other highly privileged information for law enforcement officials.

Then, again pretending to be the agent, Jawa called FBI technical support, which gave him a temporary username and password for the account.

From there, Jawa used the @leo.gov email that came with the LEO account to correspond with six police forces, asking that accounts be made for him on their internal services.

He only convinced one of those police forces, but that was enough to grant him access to data he never should have gotten his hands on.

Jawa got sensitive personal information on at least 9 people, including the USPS OIG agent whose identity he’d already stolen to get the LEO account.

Using the stolen identities, he opened even more fraudulent eBay, PayPal, and financial accounts.

A federal grand jury had indicted Jawa on 13 August 2015. He’s now facing between 2 (minimum) and 20 (maximum) years in prison.

He’ll be sentenced on 12 February 2016.

Image of ebay HQ courtesy of Katherine Welles / Shutterstock.com

Image of faceless man courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EWGlrPgOWkU/

Malware – but none of it on Windows! [Chet Chat Podcast 222]

Sophos Security Chet Chat – Episode 222 – Nov 19, 2015

Join Sophos experts John Shier and Paul Ducklin for the latest episode of our security podcast.

The week’s news made fun, informative and educational – all in a tight, quarter-hour format.


In this episode:

• [0’19”] It’s our “Double Nelson” edition
• [1’26”] Three indicted for JP Morgan hack
• [3’32”] Instagram password stealer malware
• [5’35”] Google VirusTotal now does OS X
• [8’08”] Sophos Home Beta – free home security!
• [8’52”] BadBIOS is back, now on your TV

Other podcasts you might like:

• Chet Chat 221 – No, ransomware does NOT make the world safer

• Chet Chat 220 – What would YOU do with a $1,000,000 exploit?

• Sophos Techknow – Malware on Linux – When Penguins Attack

• Sophos Techknow – Dealing with Ransomware


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/w2HBFSXI4lo/

600,000 cable modems have an easy-to-pop backdoor in a backdoor

Security bod Bernardo Rodrigues has found a backdoor-within-a-backdoor affecting some 600,000 Arris cable modems.

The broadband kit company said, in a statement to El Reg, that it is working “around the clock” to fix the problems.

Rodrigues (@bernardomr), a vulnerability tester with Brazil’s Globo television network, reported the undocumented library in three Arris cable modems.

The Shodan exposed device search engine reveals some 600,000 are affected, he says.

The initial backdoor – an admin password based on a known seed – was disclosed in 2009.

Now Rodrigues has found a backdoor within the hidden administrative shell that can own the cable modems.

“The default password for the SSH user ‘root’ is ‘arris’. When you access the telnet session or authenticate over SSH, the system spawns the ‘mini_cli’ shell asking for the backdoor password,” Rodrigues says.

“When you log in using the password of the day, you are redirected to a restricted technician shell (‘/usr/sbin/cli’).”

“They put a backdoor in the backdoor [which gives] a full busybox shell when you log on the Telnet/SSH session using these (serial number -based) passwords.”

That backdoor backdoor uses a password based on the last five digits from the modem’s serial number, Rodrigues says.

Arris dubbed the flaw “low risk” and is unaware of related attacks.

“The risk related to this vulnerability is low, and we are unaware of any exploit related to it,” a spokeswoman says.

“However, we take these issues very seriously and review them with the highest priority. Our team has been working around the clock on modem updates that address this reported vulnerability.”

Professional box popper Rodrigues also generated an old-school keygen, complete with a chiptune, that can produce passwords for the backdoor backdoor.

“The chosen font was ROYAFNT1.TDF, from the legendary artist Roy/SAC, and the chiptune is Toilet Story 5, by Ghidorah.”

He reported the flaws to CERT/CC which is working with the vendor to produce a fix.

The disclosure follows a vulnerability (CVE-2015-0964) revealed in April affecting Arris Surfboard models that could allow their web interfaces to be hijacked.

A Metasploit hacking module was produced to exploit that flaw. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/20/arris_modem_backdoor/