STE WILLIAMS

Facebook news feed changes – it’s a hoax!

Remember Certs? It was a candy mint. It was a breath mint. It was two! Two! Two mints in one!

The Facebook hoax du jour is like that: it’s a hoax about Facebook limiting your news feed to 26 people! It’s a hoax about users being able to copy and paste their way into a Whole New News Feed! It’s Two! Two! Two hoaxes in one!

Here are the hoax mongers’ instructions on how to dupe Facebook’s cursed (fictional) friend-limiting algorithm:

It WORKS!! I have a whole new news feed. I’m seeing posts from people I haven’t seen in years.
Here’s how to bypass the system FB now has in place that limits posts on your news feed.
Their new algorithm chooses the same few people – about 25 – who will read your posts. Therefore, I ask you all a favor so I can see your news feed and you can see mine.
Hold your finger down anywhere in this post and “copy” will pop up. Click “copy”. Then go your page, start a new post and put your finger anywhere in the blank field. “Paste” will pop up and click paste.
This will bypass the system.

The 26-friends-only algorithm hoax dates back to the beginning of the year, coming as it did on the heels of a real Facebook announcement from 11 January about a major overhaul in how Facebook’s newsfeed works.

The change wasn’t about squeezing out your friends, though. In fact, Facebook had the opposite in mind: squeezing businesses out of your news feed. The point was to get more personal content from friends and family into our news feeds, as opposed to corporate posts, be they from corporations, businesses or media.

Back in February, Facebook sent out a statement saying that there was nothing to the 25- or 26-friend limit:

Friends don’t let friends copy and paste memes, and this one simply is not true. We rank News Feed based on how relevant each post might be to you, and while we’ve made some updates that could increase the number of posts you see from your friends, your News Feed isn’t limited to 25 of them.

But still, the rumor went viral, lying its way to the top of news feeds, and even spinning off a variation that said that Snopes had confirmed the nonsense it was sputtering. Snopes, of course, did no such thing.

Besides trotting out the 26-friends hoax again, the current Facebook hoax uses a notion that just won’t die: that doing something in a post will affect how Facebook algorithms work.

That, of course, is just another breath of nonminty garbage. Copy-paste is not a magical algorithm-baffle sauce.

That “copy and paste this to affect Facebook’s technology” notion is similar to a related hoax that keeps popping up: the “copy and paste this to stop Facebook from legally using your photos” chain letter, as if there’s some legalese that subverts the company’s terms of service.

As we’ve said multiple times, there’s not.

Snopes has debunked all of these hoaxes. So has Facebook.

You can do your part by not copying, not pasting, and definitely not sharing this junk. If you do, you’re misleading friends and family, and teaching others that it’s OK to click without thinking.

By interacting with hoax posts, you push them closer to going viral. Unfortunately, that’s true even if the interaction is your comment on the post, telling others that it’s bilge water. It’s better to keep your clicks away from the hoax post and instead to contact the poster directly, gently educating them and asking that they remove the post so it doesn’t keep spreading.

Here are three more tips to avoid Facebook hoaxes.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/e4O4P4_h0ow/

11-year-old hacker changes election results

At the DefCon Voting Village in Las Vegas last year, participants proved it was child’s play to hack voting machines: As Wired reported, within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WinVote machine.

This year, it was literally child’s play: the DefCon village this past weekend invited 50 kids between the ages of 8 and 16 to compromise replicas of states’ websites in the so-called “DEFCON Voting Machine Hacking Village.”

11-year-old Emmett Brewer is too young to vote, but it turned out that he’s not too young to learn how to change election results on a replica of Florida’s state website… in under 10 minutes, mind you, as the Voting Village announced on Friday:

The kids were given rudimentary instruction in performing SQL injection attacks: one of the web attacks that refuses to die.

The organizers are still analyzing the results of the project, but they said that they invited the kids to tamper with vote tallies, candidate names, and party names.

Mission accomplished: Nico Sell, the co-founder of the non-profit r00tz Asylum – an organization that teaches kids reverse engineering, soldering, cryptography, and responsible bug disclosure and which helped to organize the event – told PBS News Hour that more than 30 children managed to change state site replicas in under 30 minutes.

And here’s a vote for both gender equality and for there being serious problems with voting technologies: an 11-year-old girl tripled the number of votes on the Florida replica site within about 15 minutes. That’s pretty pathetic, Sell said:

These are very accurate replicas of all of the sites. These things should not be easy enough for an 8-year-old kid to hack within 30 minutes. It’s negligent for us as a society.

All but four of the kids managed to exploit the planted bugs – which included SQL injection flaws and similar common coding blunders. They changed vote tallies to number 12 billion, rewrote party names, and rechristened candidates. The new names included “Bob Da Builder” and, as a noted thumbs-up for Matt Groening’s Futurama, “Richard Nixon’s Head.”

The National Association of Secretaries of State (NASS) responded to the news by telling DefCon to bring it on: it’s “ready to work with civic-minded members of the DEFCON community wanting to become part of a proactive team effort to secure our elections,” the association said in a statement.

But NASS isn’t convinced that the success the VotingVillage had in pummeling replica sites reflects reality. From its statement:

Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security. Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day.

It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols. While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results.

Sell disagrees. He told PBS News Hour that the NASS statement shows that secretaries of states aren’t taking the issue seriously. Even if the voting results that can be tampered with aren’t the “real” voting results, he said, the release of bogus results “could cause complete chaos.”

Besides, while the state websites were replicas, the vulnerabilities were not:

The vulnerabilities that these kids were exploiting were not replicas. They’re the real thing.

How do we fix this mess?

On Monday, University of Pennsylvania computer science professor and cryptographer researcher Matt Blaze said that the “overwhelming consensus” among experts is that, for one thing, we need voting systems that are backed up by a paper trail:

That, in fact, is what representatives from DefCon and the Atlantic Council concluded in October 2017.

Things have clearly not changed much in the past 10 months. As The Register reports, besides the kids’ success in flipping the replica state sites onto their backs, the results achieved by the adults in Voting Village included:

  • Premier/Diebold’s* TSX voting machines were found to be using SSL certificates that were five years old. One participant used physical access to upload a Linux operating system to the device and turn it into a music-playing device. (Somebody did the same to a WinVote last year: In fact, they Rickrolled it.)
  • Diebold’s Express Poll 5000 machines were even easier to crack, thanks to having an easily accessible memory card that can be swapped out while voting. The card contains supervisor passwords in plain text, as well as unencoded personal records for all voters, including the last four digits of their taxpayer IDs, addresses, and driver’s license numbers. When election officials aren’t looking, meddlers can insert specially programmed memory cards and thereby change voting tallies and voter registration information. What’s more, the root password was, for the love of Pete, “Password.” Stored in plain text.

More results of three days of picking apart the country’s ramshackle e-voting technologies:

The upcoming midterm elections are right around the corner in November. Given the slow, slow progress we’ve seen with addressing vulnerabilities in voting technologies, it’s hard to imagine there won’t be election tampering.

But on the plus side, Blaze said that at least election officials were paying attention at DefCon:

It’s been incredible the response we’ve received. We’ve had over 100 election officials come through here and they expressed over and over again how much they have appreciated learning from this opportunity.

…and on the minus side, earlier this month, Republican senators blocked $250m in emergency election security funding proposed by Senator Patrick Leahy.

Hacking Village cofounder Jake Braun said that the sum needed to be 10x that amount to get the November elections “anywhere close to secure,” The Register reports.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rMLLlRXngV4/

Police body cameras open to attack

Police officers in the US often wear body cameras to protect themselves and reduce complaints from the public. Now, though, a security researcher has revealed that these cameras could put evidence – and even police officers themselves – at risk.

Josh Mitchell, a consultant at security firm Nuix, analysed cameras from five vendors who sell them to US law enforcement agencies. Presenting at the DEF CON conference last week, he highlighted vulnerabilities in several popular brands that could place an attacker in control of a body camera and tamper with its video.

Attackers could access cameras in several ways, Mitchell said. Many of them include Wi-Fi radios that broadcast unencrypted sensitive information about the device. This enables an attacker with a high-powered directional antenna to snoop on devices and gather information including their make, model, and unique ID. An attacker could use this information to track a police officer’s location and find out more about the device that they are using. They might even be able to tell when several police officers are coordinating a raid, he said.

Mitchell’s research found that some devices also include their own Wi-Fi access points but don’t secure them properly. An intruder could connect to one of these devices, view its files and even download them, he warned. In many cases, the cameras relied on default login credentials that an attacker could easily bypass.

Evidence tampering

One potential attack involves tampering with legal evidence. An intruder could delete video footage from a camera, or even download and manipulate it before uploading it again. This is a danger for many of these cameras because they don’t cryptographically ‘sign’ their video to prove that it hasn’t been tampered with, Mitchell points out.

Being able to tamper with footage raises some interesting scenarios. Deepfakes, which are videos that have been altered using AI technology, are increasingly realistic. Researchers have demonstrated how they can make individuals say things on video that they didn’t say in reality. Could an attacker use AI to edit a stolen body camera video, alter it to fake a conversation, and then upload it to a compromised camera?

The US government is worried enough about deepfakes to devote research funding to it, and the US Defense Advanced Research Projects Agency (DARPA) recently gave the threat more credence when it singled it out as an area of concern.

Or perhaps an attacker could just fake the officer’s voice using ‘Deep Voice’ software instead.

Vulnerabilities such as these raise some interesting legal questions. If a police force has not taken the appropriate measures to protect its footage and cryptographically sign it, could an enterprising defence lawyer one day use these weaknesses in a case to question the chain of custody of video evidence?

Turning a camera into a weapon

The lack of digital signing extends to the firmware that the cameras run too. Failing to check that firmware is authentic is a rookie mistake in IoT devices. If an attacker could get malicious firmware onto a body camera, it would put the device under their control. Because most of these devices connect to desktop or mobile applications that Mitchell said have their own vulnerabilities, it is theoretically possible to hijack a camera through some of these programs.

Body cameras could even become attack vectors for law enforcement networks, Mitchell warned. An attacker could plant a malicious file on a camera via a wireless link. The camera might then download the file to a desktop machine when a police officer connects it back at headquarters and infect the police network, he warned.

In the spirit of responsible disclosure, Mitchell contacted the vendors about these vulnerabilities and has been working with them to fix the issues, he said. In the meantime, it should leave police forces thinking hard about security audits for their wearable devices.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yXvDL0NR4Pc/

Cisco patches IOS in response to boffins’ IKE-busting breakthrough

Cisco has pushed out an update for its internetwork operating system (IOS) and IOS XE firmware in advance of a Usenix presentation on circumventing a cryptographic key exchange protocol.

The networking behemoth is advising all customers running hardware that uses IOS and IOS XE to get the updates that address CVE-2018-0131, a security bypass vulnerability stemming from a weakness in the Internet Key Exchange (IKEv1) protocol.

Researchers Dennis Felsch, Martin Grothe, Jörg Schwenk, Adam Czubak, and Marcin Szymanek from Ruhr-University Bochum and University of Opole found [PDF] that an attacker could contact a device with ciphertext requests that, under the right circumstances, could cause the target device to disclose the encrypted nonces (single-use numbers for encryption keys) and potentially lead to the keys being broken.

The group, who plan to share their findings later this week at the conference, wrote that “reusing a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers.”


The attack would potentially be carried out either by eavesdropping on IP sessions or by performing a man-in-the-middle compromise and injecting code into packets.

The researchers say that, by deliberately sending bad cipher requests to the vulnerable machines, they could receive enough data to mount a type of Bleichenbacher’s Oracle [PDF] attack on the keys. Given enough time, this would potentially allow the attacker to decrypt shared keys and get around encryption protections.

The researchers noted that they have already disclosed their findings to Cisco and other vendors impacted by the issue, and all are believed to have issued patches for vulnerable products prior to the publication of the paper.

Cisco says in its advisory that, short of moving off of IKEv1, there are no workarounds for the vulnerability. Switchzilla is advising anyone using an IOS or IOS XE device that is configured with the ‘authentication rsa-encr’ option turned on to update their firmware and make sure they have the patched IOS version.

The latest available version will vary based on device and model, but in general IOS versions 15.5(3)M7.2 and later will be protected. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/14/cisco_patches_ios/

Faxploit: Retro hacking of fax machines can spread malware

Corporations are open to hacking via booby-trapped image data sent by fax, a hacker demo at DEF CON suggests.

The hack – discovered by security researchers at Check Point – relies on exploiting flaws in the communication protocols used in tens of millions of fax-capable devices globally, such as all-in-one fax-enabled printers.

Vulnerabilities in the protocols that faxes and all-in-one printers use to send and receive faxes create a mechanism for miscreants to create an image file that bundles malware. This booby-trapped image can be sent to a targeted fax device.

The team demonstrated the vulnerabilities in the popular HP Officejet Pro All-in-One fax printers during a presentation at DEF CON hacker event in Las Vegas on Sunday.


Prior to the presentation, Check Point shared its findings with HP, which responded by developing a software patch for its printers. HP’s advisory admits that, if left unaddressed, the security flaws created a means for hackers to push malware onto vulnerable Inkjet printers (many models are affected).

Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.

The same protocols are also used by many other vendors’ faxes and multifunction printers, and in online fax services such as fax2email, so it is likely that these are also vulnerable to attack using the same method, according to security researchers.

Hanging on the telephone

Fax may seem like an obsolete technology that only comes into its own on football’s transfer deadline day. However, there are still over 45 million fax machines in use in businesses globally, with 17 billion faxes sent every year.

The NHS in the UK alone has over 9,000 fax machines in regular use, according to figures cited by Check Point. Fax machines are also widely used in sectors such as healthcare, legal, banking and real estate.

In many jurisdictions, emails are not considered as evidence in courts of law, so fax is used when handling certain business and legal processes. Nearly half of all laser printers sold in Europe are multifunction devices with fax capability.

“Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multifunction office and home printers,” said Yaniv Balmas, group manager security research at Check Point.

Tom B, red team leader at security consultancy ThinkMarble, said that even though hacking a combined fax machine and printer is possible, other attacks are more likely in practice; at least outside the arena of targeted assaults where money is no object.


“Receiving a fax is essentially like receiving a telephone call – they are generally traceable,” he argued. “Furthermore, phone calls also cost money. Phoning millions of fax machines to find a vulnerable model is expensive, and this will dissuade the common cybercriminal.”

“While the exploitation of fax machines will be seldom seen in the wild, it is highly recommended that fax machines/printers/all in one devices are periodically updated and patched in-line with common cyber security best practices. It is our experience that network peripherals are often installed and forgotten about, leaving them vulnerable,” he concluded.

The area of security research is not entirely new – a bug in Epson multifunction printer firmware that posed a backdoor risk was discovered back in 2016, for example. Other examples are thin on the ground. The new research does, however, serve as a reminder that networked devices, as well as PCs and servers, need patching.

To minimise the security risk, Check Point advises that organisations check for available firmware updates for their fax devices and apply them. Organisations are also urged to place fax devices on a secure network segment separated from applications and servers that carry sensitive information. Segmentation will limit the ability of malware to spread across networks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/14/faxploit_fax_hacking/

May the May update be with you: OpenSSL key sniffed from radio signal

If you missed the OpenSSL update released in May, go back and get it: a Georgia Tech team recovered a 2048-bit RSA key from OpenSSL using smartphone processor radio emissions, in a single pass.

The good news is that their attack was on OpenSSL 1.1.0g, which was released last November, and the library has been updated since then. Dubbed “OneDone”, the attack was carried out by Georgia Tech’s Monjur Alam, Haider Adnan Khan, Moumita Dey, Nishith Sinha, Robert Callan, Alenka Zajic, and Milos Prvulovic.

The researchers only needed a simple and relatively low-cost Ettus USRP B200 mini receiver (costing less than $1,000/€900/£800) to capture the revealing radio noise from a Samsung Galaxy phone, an Alcatel Ideal phone, and an A13-OLinuXino single-board computer.

In Georgia Tech’s announcement, the group explained that its attack is the first to crack OpenSSL without exploiting cache timing or organisation.

Perhaps ironically, the attack point was created because of potential side-channel vulns in previous handling of OpenSSL exponentiation, as explained in the paper (at Semantic Scholar, PDF). So-called “fixed-window exponentiation” was adopted to fend off attacks on its previous exponent-dependent square-multiply sequences.

This comment at the OpenSSL GitHub from Prvulovic (aka milosprv) explains the vulnerability:

The OneDone attack, which is described in a paper to appear in the USENIX Security’18 conference, uses EM emanations to recover the values of the bits that are obtained using BN_is_bit_set while constructing the value of the window in BN_mod_exp_consttime.

The EM signal changes slightly depending on the value of the bit, and since the lookup of a bit is surrounded by highly regular execution (constant-time Montgomery multiplications) the attack is able to isolate the (very brief) part of the signal that changes depending on the bit.

Prvulovic said the Georgia Tech team was more than 90 per cent successful in recovering that bit change, and the group used a modified “branch and prune” approach to go from there to “recovery of the full RSA key”.

The good news is that not only was mitigation relatively simple, it improved OpenSSL’s performance. “Our mitigation relies on obtaining all the bits that belong to one window at once, rather than extracting the bits one at a time,” the paper stated. “For the attacker, this means that there are now billions of possibilities for the value to be extracted from the signal, while the number of signal samples available for this recovery is similar to what was originally used for making a binary (single-bit) decision”.

“This mitigation results in a slight improvement in execution time of the exponentiation,” the paper continued.
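The two window-construction strategies the comment and the paper describe, as an added illustration in C that is not OpenSSL’s code: a fixed-window modular exponentiation whose exponent lives in 32-bit limbs, once with the window built one bit at a time through a `bn_is_bit_set`-style lookup (the pre-fix shape OneDone targeted) and once with all window bits read from the limb words in one access (the shape of the mitigation). The 5-bit window, the 32-bit modulus and the sample exponent are assumptions chosen to keep the arithmetic small; the table lookup and multiplication here are plain C, not the constant-time Montgomery code the real library uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LIMB_BITS 32
#define WINDOW 5                     /* assumed fixed window width */
#define WIN_MASK ((1u << WINDOW) - 1)

/* Exponent held little-endian in 32-bit limbs, in the spirit of a BIGNUM. */
typedef struct { const uint32_t *d; size_t top; } bignum_t;

/* Modelled on BN_is_bit_set: one lookup per bit, so each call is a separate
 * bit-dependent operation in the middle of otherwise regular arithmetic. */
static int bn_is_bit_set(const bignum_t *e, size_t n) {
    size_t i = n / LIMB_BITS, j = n % LIMB_BITS;
    if (i >= e->top) return 0;
    return (int)((e->d[i] >> j) & 1u);
}

/* Pre-fix shape: assemble the window bit by bit. Each iteration leaks one
 * binary decision, which is what the EM trace was able to isolate. */
static uint32_t window_bit_by_bit(const bignum_t *e, size_t lo) {
    uint32_t w = 0;
    for (int i = WINDOW - 1; i >= 0; i--)
        w = (w << 1) | (uint32_t)bn_is_bit_set(e, lo + (size_t)i);
    return w;
}

/* Mitigation shape: fetch the (at most two) limbs holding the window and
 * mask the bits out in one shift. The attacker now faces a 2^WINDOW-way
 * decision on roughly the same amount of signal. */
static uint32_t window_at_once(const bignum_t *e, size_t lo) {
    size_t i = lo / LIMB_BITS, j = lo % LIMB_BITS;
    uint64_t acc = 0;
    if (i < e->top)     acc  = e->d[i];
    if (i + 1 < e->top) acc |= (uint64_t)e->d[i + 1] << LIMB_BITS;
    return (uint32_t)((acc >> j) & WIN_MASK);
}

typedef uint32_t (*window_fn)(const bignum_t *, size_t);

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m) {
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Fixed-window exponentiation: WINDOW squarings then one multiply by a
 * precomputed power, for every window from the most significant down. */
static uint32_t modexp_fixed_window(uint32_t base, const bignum_t *e,
                                    uint32_t m, window_fn getwin) {
    uint32_t table[1u << WINDOW];
    table[0] = 1u % m;
    for (size_t k = 1; k < (1u << WINDOW); k++)
        table[k] = mulmod(table[k - 1], base, m);
    size_t nbits = e->top * LIMB_BITS;
    size_t nwin = (nbits + WINDOW - 1) / WINDOW;   /* top window may overhang */
    uint32_t r = 1u % m;
    for (size_t w = nwin; w-- > 0;) {
        for (int s = 0; s < WINDOW; s++) r = mulmod(r, r, m);
        r = mulmod(r, table[getwin(e, w * WINDOW)], m);  /* not cache-hardened */
    }
    return r;
}

/* Plain square-and-multiply, used only as a correctness reference. */
static uint32_t modexp_reference(uint32_t base, const bignum_t *e, uint32_t m) {
    uint32_t r = 1u % m, b = base % m;
    for (size_t n = 0; n < e->top * LIMB_BITS; n++) {
        if (bn_is_bit_set(e, n)) r = mulmod(r, b, m);
        b = mulmod(b, b, m);
    }
    return r;
}

/* Both extraction strategies must yield identical windows; returns 1 if so. */
static int windows_agree(const bignum_t *e) {
    size_t nwin = (e->top * LIMB_BITS + WINDOW - 1) / WINDOW;
    for (size_t w = 0; w < nwin; w++)
        if (window_bit_by_bit(e, w * WINDOW) != window_at_once(e, w * WINDOW))
            return 0;
    return 1;
}

/* Constructed sample exponents, not values from the paper. */
static const uint32_t SAMPLE_LIMBS[3] = { 0x9e3779b9u, 0x7f4a7c15u, 0x0000abcdu };
static const bignum_t SAMPLE_EXP = { SAMPLE_LIMBS, 3 };
static const uint32_t THREE_LIMB[1] = { 3u };
static const bignum_t EXP_THREE = { THREE_LIMB, 1 };

int main(void) {
    uint32_t m = 4294967291u;  /* 2^32 - 5, a prime */
    printf("windows agree: %d\n", windows_agree(&SAMPLE_EXP));
    printf("bit-by-bit: %u  at-once: %u  reference: %u\n",
           modexp_fixed_window(7, &SAMPLE_EXP, m, window_bit_by_bit),
           modexp_fixed_window(7, &SAMPLE_EXP, m, window_at_once),
           modexp_reference(7, &SAMPLE_EXP, m));
    return 0;
}
```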

Here’s the link to the group’s upcoming Usenix talk. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/14/openssl_key_sniffed_from_radio_signal/

US voting systems: Full of holes, loaded with pop music, and ‘hacked’ by an 11-year-old

DEF CON Hackers of all ages have been investigating America’s voting machine tech, and the results weren’t great.

For instance, one 11-year-old apparently managed to hack and alter a simulated Secretary of State election results webpage in 10 minutes.

The Vote Hacking Village, one of the most packed-out locations at this year’s DEF CON hacking conference in Las Vegas, saw many of the most commonly used US voting machines hijacked using a variety of wireless and wired attacks – and replica election websites so poorly constructed they were thought too boring for adults to probe, and left to youngsters to infiltrate.

The first day saw 39 kids, ranging in age from six to 17, try to crack into facsimiles of government election results websites, developed by former White House technology advisor Brian Markus. The sites had deliberate security holes for the youngsters to exploit – SQL injection flaws, and similar classic coding cockups.

All but four of the children managed to leverage the planted vulnerabilities within the allotted three-hour contest. Thus, it really is child’s play to commandeer a website that doesn’t follow basic secure programming practices nor keep up to date with patches – something that ought to focus the minds of people maintaining election information websites.

(Various folks, including ex-NSA and Immunity Inc founder Dave Aitel, have argued the simulation was likely not particularly realistic.)


The children were able to change vote tallies so that they numbered 12 billion, and rewrite party names as well as the names of candidates. Kids being kids, these latter changes included “Bob Da Builder” or “Richard Nixon’s Head” – we spotted the Futurama fan there.

On the adult side, Premier/Diebold’s* TSX voting machines were found to be using SSL certificates that were five years old, and one person managed to, with physical access, upload a Linux operating system to the device and use it to play music, although that hack took a little more time than you’d get while voting.

Diebold’s Express Poll 5000 machines were even easier to crack, thanks to having an easily accessible memory card, which you could swap out while voting, containing supervisor passwords in plain text. An attacker could physically access and tamper with these cards, which also hold the unencoded personal records for all voters including the last four digits of their social security numbers, addresses, and driver’s license numbers.

Hackers thus found that by inserting specially programmed memory cards when no election official is looking, they could change voting tallies and voter registration information. And take a guess what the root password was? Yes, “Password” – again stored in plain text.

More bizarrely, voting machine manufacturer WinVote’s VoteActive device was found to contain pop music. The machine, which was running Windows XP, could be hacked wirelessly in seconds, and had a music player and CD ripper program built in. It is believed this music stuff was left lying around in unused and unallocated space on the disk.

The village also hosted a mock election between George Washington and Benedict Arnold, which was predictably hacked. Of the ballots cast, America’s first POTUS scored 26 votes, as did infamous traitor Arnold, but the winner was an unplanned candidate: DEF CON’s founder Dark Tangent, aka Jeff Moss, with 61 votes.

The machine’s software had been tampered with to insert Moss into the running, and make him win with faked votes. This could be done by infecting an election official’s PC so that when the ballot box is set up and programmed from that computer, the voting software is silently altered to later change vote totals and candidates.

It’s the second year DEF CON has hosted the village, and once again voting machines didn’t make the grade. In short: there just isn’t enough built-in security to stop people physically meddling with machines at the booths, or before and after polling day. There is little or no verification of the authenticity and legitimacy of the code running on the boxes. Anti-tamper seals on the cases have been shown to be ineffective, too.

It is seemingly impossible to know whether or not you are casting your ballot on a machine that is clean or one that has been interfered with. It may well not even be obvious to election officials.

And the final numbers on government websites may not be accurate, either. An error regarding the number of registered voters, thus suggesting more people voted than were allowed, on the US state of Georgia’s website sparked confusion this month.

You can find summaries of the three-day hack-fest here:

With the November elections due, it looks as though, once more, American voters will just have to hope no one is hacking their vote. But some in government have taken an interest.

“It’s been incredible the response we’ve received,” said village cofounder and University of Pennsylvania professor Matt Blaze. “We’ve had over 100 election officials come through here and they expressed over and over again how much they have appreciated learning from this opportunity.”

Fresh from his keynote, former NSA top hacker and White House cyber czar Rob Joyce popped in to chat as well. He praised the work done by those involved, which had been criticised indignantly by some manufacturers before and during the show.


“Believe me, there are people who are going to attempt to find flaws in those [election] machines whether we do it here publicly or not,” he said “So, I think it’s much more important that we get out, look at those things, and pull on it.”

Incidentally, on Wednesday, US Republican senators shot down $250m in emergency election security funding proposed by Senator Patrick Leahy (D-VT) – a figure that Hacking Village cofounder Jake Braun told The Register was too small by a factor of 10 if the November elections were to be anywhere close to secure. Cost concerns were cited by the ruling party as a key factor in that decision.

A few days later the President of the Senate, Mike Pence, announced plans for a new super-duper Space Force for orbital warfighting, something the Air Force Space Command already has a firm grip on. The up-in-the-air scheme has an estimated cost of $8bn. ®

* Diebold Nixdorf sold off the US Elections systems Premier division of its business several years ago.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/13/defcon_election_vote_hacking/

Intel finally emits Puma 1Gbps modem fixes – just as new ping-of-death bug emerges

More than 18 months after the design blunder was first brought to light, Intel is still working to iron out the creases in its Puma high-speed broadband modem chipsets.

In recent weeks, Chipzilla quietly put out an advisory as well as finally confirming a formal CVE entry – CVE-2017-5693 – for the security vulnerability.

When exploited by miscreants, this flaw causes Puma 5, 6, and 7 modem components – used in various high-speed broadband gateways – to suffer performance-wise. A particular pattern of packets exhausts resources within the chipsets, causing spikes in latency that ruin online gaming and similar interactive tasks, or knocking the hardware off the internet entirely.

First detailed in December 2016, the vulnerability dates back to Puma’s Texas Instruments days, but more recently it had shown up in the Puma 5 chipset and Puma 6 and 7 SoCs built and marketed by Intel. The bug potentially allows an attacker to knock a targeted home modem offline or increase connection lag with a relatively small packet payload.

The vulnerability roped Intel into a class-action lawsuit against modem vendor Arris, which was accused of violating US consumer protection laws by selling devices containing the dodgy Puma SoCs.

Meanwhile, the mitigation for the Puma blunder, a modem firmware update to block the sequence of packets that triggers the performance hit, is now being rolled out albeit at a snail’s pace.

“Firmware in the Intel Puma 5, 6, and 7 Series might experience resource depletion or timeout, which allows a network attacker to create a denial of service via crafted network traffic,” Intel stated in its advisory.


“Intel is working with Internet service providers and manufacturers for retail devices to help deliver to affected devices the updated firmware which mitigates these issues.”

Even as Intel works to get the fix out, another problem with Puma may have cropped up. The same users and researchers at the DSLReports.com forums who discovered the underlying design shortcoming that would become CVE-2017-5693 have also found that, in Canada, Rogers modems using the Puma 7 hardware are falling over.

A company performing a security audit at an unnamed Canadian business found that when probing the Puma 7-powered Rogers routers on the WAN side, the boxes crashed and rebooted due to an unknown error, it is claimed.

It is not known whether the crashes are a result of triggering CVE-2017-5693, or the work of a completely new and different bug. Intel did not respond to a request for comment on the report. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/14/intel_puma_modem/

Hacker Unlocks ‘God Mode’ and Shares the ‘Key’

At Black Hat USA and DEF CON, researcher Christopher Domas showed how he found backdoors that may exist in many different CPUs.

When a room filled with hundreds of security professionals erupts into applause, it’s notable. When that happens less than five minutes into a presentation, it’s remarkable. But that’s what transpired when security researcher Christopher Domas last week showed a room at Black Hat USA how to break the so-called ring-privilege model of modern CPU security.

In the hardware, different types of accounts are assigned to different “rings of privilege,” with users at ring 3 and the system administrator at ring 0. Domas in his research hacked the ring with a string consisting of four hexadecimal characters. Such an attack could allow a program from a “regular” user to assume kernel-level control, executing at a higher privilege than most security software – and bypassing the vast majority of techniques used by anti-malware and hardware control systems today.

Domas, well-known in the security research community for his dissections of the X86 instruction set, titled his presentation “God Mode Unlocked: Hardware Backdoors in X86 CPUs.” In talks at both Black Hat USA and DEF CON in Las Vegas, he not only proved that he had done just that, but he also shared the “how” with the world.

There are, luckily for the global IT security community, limitations to the research. The target was an older processor, with the C2 Nehemiah core, generally used in the embedded systems market. As a proof-of-concept, though, the research has profound implications for IT security.

The secret, Domas found, was making use of model-specific registers (MSRs) – special CPU registers used in addition to the normal registers used in programming – to instruct the CPU to do things that its designers don’t want it to do. And the secret isn’t in the existence of MSRs – those are known. It’s in the existence of so many MSRs, including many that the system designers and vendors don’t include in any documentation.

Domas’ research computer farm and methodology included multiple computers running specific instructions and reporting which ones returned fault conditions.

On the target CPUs, Domas found 1,300 MSRs. He said exploring all of those would have taken far too long, so he developed a method for understanding which were unique – and therefore not functional duplicates of one of the other, more commonly used registers – based on how long it took to send an instruction and return a value.

Justification for this (and later) effort came from a series of patent filings Domas analyzed which hinted at a mysterious core to the x86 core in modern Intel-architecture CPUs. This DEC – a term Domas invented to describe a secondary core not generally known to software developers that is designed to enable functions also generally unknown to developers – shares portions of the instruction pipeline with the x86. But it’s also its own entity with its own architecture.

Getting access to the DEC, Domas speculated, would require a global configuration register and a launch instruction — neither of which is documented. And there, his research got very real.

Domas reverse-engineered both the architecture and instruction set of the DEC. The latter, he said, involved 4,000 hours of compute time which generated 15 gigabytes of logs. When analyzed, the logs yielded the instruction for launching the DEC, completing tasks, and completely bypassing all of the protections of the ring-privilege model.

So a limited user account could execute code as the system administrator without being known or challenged. This would break virtually every anti-malware and device security system in use.

This very specific CPU vulnerability is unlikely to be used in widespread attacks against an enterprise because of the age and limited application of the CPUs involved. As Domas says, though, this is a proof-of-concept that may lead other researchers to seek similar vulnerabilities in more modern and widely used CPUs.

Domas has released his toolset in Project Rosenbridge on GitHub, and is actively seeking other researchers to add to and continue the work.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities---threats/hacker-unlocks-god-mode-and-shares-the-key/d/d-id/1332543?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

It’s official: TLS 1.3 approved as standard while spies weep

An overhaul of a critical internet security protocol has been completed, with TLS 1.3 becoming an official standard late last week.

Describing it as “a major revision designed for the modern Internet,” the Internet Engineering Task Force (IETF) noted that the update contains “major improvements in the areas of security, performance, and privacy.”

One of the biggest is that it will make it much harder for eavesdroppers to decrypt intercepted traffic. The mass surveillance of internet communications by the US National Security Agency (NSA), revealed in 2013 by Edward Snowden, was a major driver in the design of the new protocol.

Work on 1.3 began in April 2014 and reached draft 28 before finally being approved in March this year. The protocol is so central to the encryption of internet traffic that it has taken until August 10 for engineers to check that nothing in it is going to cause any major problems.

The new version – which some argue could be called TLS 2.0 due to the significance of the changes – makes no fewer than three previous RFCs obsolete and updates another two. As things stand, there are currently no identified security holes in the algorithms used in TLS 1.3; the same cannot be said for 1.2.

And that points to the most critical part of the new RFC 8446: getting people to actually implement it.

Drag and drop

It shouldn’t be that hard. One of the editors of the TLS – and HTTPS – specs, Eric Rescorla, told The Reg earlier this month that a lot of work had been done to make it easy to deploy.

“It’s a drop-in replacement for TLS 1.2, uses the same keys and certificates, and clients and servers can automatically negotiate TLS 1.3 when they both support it,” he noted, adding: “There’s pretty good library support already, and Chrome and Firefox both have TLS 1.3 on by default.”

There have been problems: earlier drafts broke a lot of middleboxes, and Google paused its plan to support the new protocol in Chrome when an IT schools administrator in Maryland reported that a third of the 50,000 Chromebooks he managed bricked themselves after being updated to use the tech.

The way TLS 1.3 works also sparked some last-minute pleading from the banking industry to make a change and effectively introduce a backdoor into the system because it could lock them out of seeing what was happening within their own networks. In response, engineers made a few improvements and the general view now is that if TLS 1.3 breaks your network monitoring, then you are probably doing it wrong in the first place.

The IETF is keen to point out that it put a lot of work into making sure that 1.3 has been tested in real-world situations before getting the official stamp.

“The process of developing TLS 1.3 included significant work on ‘running code’,” it noted, adding: “This meant building and testing implementations by many companies and organizations that provide products and services widely used on the Internet, such as web browsers and content distribution networks.”

Aside from the fact that the new protocol provides security improvements, there are also good networking reasons to put it in place. The new version is less resource hungry and more efficient, meaning you should be able to both reduce latency and benefit from lower CPU usage.

Hole in one?

If there is one downside, it is concerns over the addition of a component called “0-RTT Resumption”, which effectively allows the client and server to remember if they have spoken before, and so forgo security checks, using previous keys to start talking immediately.


That will make connections much faster but opens up a potential security hole that those seeking to exploit TLS 1.3 will almost certainly focus on. The change was pushed by big tech companies like Google that will massively benefit from faster communications across their billions of connections, but some fear it will come back to bite everyone. Some companies are not implementing 0-RTT as a result.

But that aside, TLS 1.3 represents a big jump in general security. And considering that implementation shouldn’t be too difficult, it’s a no-brainer for sysadmins. Of course, as much as moving to 1.3 will increase general security, so will getting people to ditch earlier, insecure protocols. There is even a push to officially kill off TLS 1.0 and 1.1.
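The two deployment points above, shown with Go’s standard crypto/tls as an added example (not code from the article or from any library mentioned in it): a server that sets a TLS 1.2 floor negotiates TLS 1.3 automatically with a default client, yet refuses a client pinned to TLS 1.0. The throwaway certificate, the hostname example.test and the in-memory pipe are constructed purely for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// SelfSigned mints a throwaway certificate for the in-memory handshake below
// (constructed test material; TLS 1.3 reuses the keys and certs a site already has).
func SelfSigned() (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // template is valid, no error path
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// Negotiate handshakes a hardened server (TLS 1.3 offered, TLS 1.0/1.1 refused) against a
// client capped at clientMax (0 = Go defaults) over net.Pipe; returns the agreed version or the rejection.
func Negotiate(cert tls.Certificate, pool *x509.CertPool, clientMax uint16) (uint16, error) {
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12,
		SessionTicketsDisabled: true} // tickets off only so the synchronous pipe never stalls
	cli := &tls.Config{RootCAs: pool, ServerName: "example.test", MaxVersion: clientMax}
	if clientMax != 0 {
		cli.MinVersion = clientMax // stand-in for a device stuck on one old version
	}
	sc, cc := net.Pipe()
	done := make(chan error, 1)
	go func() { done <- tls.Server(sc, srv).Handshake() }()
	c := tls.Client(cc, cli)
	err := c.Handshake()
	cc.Close() // unblocks the server side if the client gave up early
	if sErr := <-done; err == nil {
		err = sErr
	}
	sc.Close()
	if err != nil {
		return 0, err
	}
	return c.ConnectionState().Version, nil
}
```

Negotiate(cert, pool, 0) returns tls.VersionTLS13, while Negotiate(cert, pool, tls.VersionTLS10) returns the server’s protocol-version alert as an error.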

You see, sometimes there is a good security story. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/13/tls_13_approved/