STE WILLIAMS

Automating Kernel Exploitation for Better Flaw Remediation

Black Hat researchers plan on open sourcing a new framework they say can help organizations get a better rein on vulnerability fixes for kernel bugs.

The explosive disclosure of the Spectre and Meltdown vulnerabilities was like a detonator on the already incendiary field of kernel vulnerabilities this year. Security researchers had previously been ramping up their exploration of kernel bugs, but this year the discoveries have mushroomed considerably.

As CISOs and security personnel seek to mitigate the risk of kernel-level attacks, they’re going to need a better way to prioritize vulnerabilities for remediation. A group of researchers set to present at Black Hat USA in a couple of weeks are preparing to offer them a new exploit framework that they say can help security pros do exactly that. 

“Over the past eight months, Syzbot–an automated tool to identify kernel bugs and vulnerabilities–has flagged about 800 kernel bugs,” explains Jimmy Su, who leads the JD security research center in Silicon Valley. “However, the Linux kernel community has limited manpower to patch these bugs quickly.”

Together with academic researchers Wei Wu and Xinyu Xing of Penn State University, Su will present a new open source framework that they say can help security pros craft “powerful working exploits against arbitrary kernel vulnerabilities in a semi-automated fashion.” 

Along with the unveiling of the framework, the trio plans on disclosing a number of working exploits against several kernel vulnerabilities—about half of which had not seen confirmed examples of exploitability in the past. 

“The exploit automation technique is a tool the community can use to quickly assess the exploitability of these bugs, allowing them to prioritize their remediation efforts based on the ease of exploitation,” he says. “The goal is to patch kernel bugs with high risks in a timely fashion and reduce the amount of time Linux machines would remain vulnerable.”  

While automated exploit generation is hardly a new thing, generating exploits for operating system kernel flaws is notoriously tricky due to complexity and scalability issues, Su and his compatriots say. The new framework they present uses kernel fuzzing and symbolic execution to prod flaws for exploitability under a number of different kernel panic contexts. It provides analysts with three major capabilities: it automates identification of the system calls needed to exploit a vulnerability, it offers automated security-mitigation bypassing, and it automatically generates exploits with different objectives, such as privilege escalation or data leakage.

Su believes that security teams should generally be leaning on exploit automation as a method for prioritizing vulnerability remediation.

“Every week, an enterprise might handle hundreds or even thousands of software bugs and most organizations don’t have sufficient manpower to sift through and patch these bugs rapidly,” he says. “Exploitation automation techniques give an enterprise the ability to identify high-risk bugs and prioritize their remediation efforts accordingly.” 

This holds true whether the issues are kernel flaws or not. 

“Though our research demonstrates exploit automation in the context of Linux kernel, our techniques can be generally applied to other daily software,” he says. “As such, CISOs can use our technique to prioritize their remediation efforts (and scale) their software security for their daily operation.”

Related Content:

  • 8 Big Processor Vulnerabilities in 2018
  • Software is Achilles Heel of Hardware Cryptocurrency Wallets
  • New Spectre Variants Add to Vulnerability Worries
  • 6 Security Investments You May Be Wasting


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Article source: https://www.darkreading.com/automating-kernel-exploitation-for-better-flaw-remediation/d/d-id/1332418?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

40% off Sophos Home Premium. Happy SysAdmin Day!

Happy SysAdmin Day!

If you’re a System Administrator at work, then you’re definitely IT support at home as well. In fact, if you’re reading an article on Naked Security then you’re almost certainly the least non-technical user in your family, and that means you’re IT support at home too.

And that makes you a sysadmin.

Home for Thanksgiving? You can relax just as soon as you’ve fixed the printer. Mystery phone call at 11pm? Somewhere there’s a PDF that just won’t open. About to walk out the door? This iPhone needs a new battery, the screen is cracked and it seems to be running really slow – is the internet broken?

To make things a little easier, we’re offering 40% off Sophos Home Premium today, and for the next month.

Sophos Home Premium is business-grade home security for ten devices, managed from your computer. You get:

  • Real time antivirus protects against known viruses, malware, trojans, worms, bots, potentially unwanted apps (PUAs), ransomware, and more.
  • Advanced ransomware protection steps in to stop the latest ransomware from encrypting your files and drives.
  • Parental web filtering gives you control of the content your children can view online.
  • Web protection stops connections to compromised or dangerous sites.
  • Remote management puts you in charge of security on multiple devices.
  • Privacy protection – Monitors access to your webcam and microphone.

There’s also a free version, called Sophos Home. As you’d expect, it doesn’t have all the features available in the premium version, but it’s no slouch. You can use this comparison chart to help you decide which version is right for you.

Sophos Home Premium usually costs $50 (€40, £40) but we’ve got you a massive 40% off. Because #SysAdminDay.

Get Sophos Home Premium now

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lhLev_SjQnA/

Wyden urges government agencies to ditch Flash

Come the end of 2020, it will be time to stick a fork in Adobe Flash. That’s when, if you’ll forgive the mixed metaphor, the malware petri dish will officially be toast.

Unfortunately, that doesn’t mean that government agencies are going to toss Flash into the compost pile.

After all, the government doesn’t have an easy time letting go. Take, for example, the zombie-like Windows XP: it’s still in use by US government agencies (and plenty of other people), despite Microsoft having pulled life support away from the operating system back in 2014.

Let’s not go there this time, said Oregon Senator Ron Wyden on Wednesday. In a letter sent to three government agencies, the senator suggested coming up with solutions and procedures to mandate removal of Adobe Flash content from all US government websites by 1 August, 2019.

The letter was addressed to officials at three agencies that should be on top of this well before Adobe’s Flash end-of-life date: the National Institute of Standards and Technology (NIST), the National Security Agency (NSA), and the Department of Homeland Security (DHS).

Wyden pointed to the technology’s “serious, largely unfixable cybersecurity issues,” which can “allow attackers to completely take control of a visitor’s computer, reaching deep into their digital life.” It’s bad enough now, he said. After 2020, when Adobe will provide neither technical support nor security updates, the situation will only get worse.

The three agencies provide the majority of cybersecurity guidance to government agencies, Wyden wrote in his letter, and as such, they should be ensuring that government workers are protected from cyber threats. Yet to date, they’ve issued no public guidance, he said, in spite of the looming, critical deadline.

To that end, Wyden would like to see the officials do these three things:

  1. Mandate that government agencies shall not deploy new, Flash-based content on any federal website, effective within 60 days.
  2. Require federal agencies to remove all Flash-based content from their websites by 1 August, 2019. To help them do so, expand the cyber-hygiene scans DHS routinely performs on federal agencies to include Flash content on the agencies’ websites. Also, provide each agency with a list of Flash content on their websites, along with guidance on how to promptly transition away from it.
  3. Require agencies to remove Flash from desktop computers by 1 August, 2019, starting with a pilot program to remove it from a small number of employee desktop computers by 1 March, 2019.

According to web technology survey site W3Techs, only 4.5% of websites are now using Flash: a number that’s, thankfully, considerably less than the 28.5% market share the site recorded at the start of 2011.

But as pointed out by Bleeping Computer, that decline isn’t all that reassuring, given that it refers to “all Internet sites, not just a small portion of Top 10,000 or Top 1 Million sites.”

Given how dangerous Flash is, Wyden’s exhortations make sense. Let’s hope that somebody – a lot of somebodies, at that – are listening at DHS, NIST and NSA. The work to eradicate Flash should have started long ago, but “now” is much better than “never.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kggc7gQNNI4/

Nerves jangled by new ransomware attack on shipping giant

It’s an attack that will make many in the shipping industry feel very nervous for the second time in a year – the US network of one of the world’s largest shipping companies, COSCO (China Ocean Shipping Company), has been hit by a disruptive ransomware attack.

So far, the company has downplayed the incident, referring to it initially on 25 July as a “network breakdown”, elevated some hours later to the more specific “network security problem.”

The later statement said that the attack started in the Americas, which caused the company to isolate this region from the other parts of its global system:

As of now, all business operations have been back to normal in the regions with recovered networks.

The company’s US website and telephone network were reported to be down in an incident that centred on its Long Beach terminal.

According to shipping news sites that claim to have seen internal emails, the cause of the trouble was a ransomware attack which had prompted COSCO to tell its employees not to open suspicious emails.

This fits with a company statement that mentioned that “local email and network telephone cannot work properly at the moment”.

The whole sector has been on the lookout for this kind of incident since last year when industry behemoth Maersk reportedly lost hundreds of millions trying to combat the effects of the 2017 NotPetya attacks.

NotPetya affected a lot of other companies too – and not everyone was convinced its motive was straightforward ransomware to start with – but the huge financial losses suffered by the shipping giant showed the vulnerability of the industry to the worst-case scenario.

Fortunately COSCO’s attack doesn’t appear to be as serious, primarily disrupting its US email and phone networks. Its fleet of ships is operating normally.

One lesson from the Maersk experience was that mitigating an attack once it has started won’t be quick, or cheap.

One industry site described what is unfolding at COSCO as being a “proxy for the entire industry.” A sort of test case to see how well a big name in a sensitive industry can handle what amounts to a form of 21st century digital piracy.

In most industries, cyberattacks are seen as a routine hazard of running a business. For shipping companies however, those days have long gone – there is nothing routine about the damage such attacks can cause.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dXs0Yb7b1LM/

Our FREE #SysAdminDay gift means you need NEVER code in Python again!

As you know by now – or can just pretend to know if you didn’t – it’s #SysAdminDay.

More precisely, it’s System Administrator Appreciation Day 2018 – the day when you are expected to appreciate your sysadmins, in word and in deed.

The sys in sysadmin, of course, means “the computer systems that you take for granted when they work and only really notice when something goes wrong.”

The admin part means “the computer-super-savvy person who not only spends 71% of their time valiantly trying to stop things going wrong in the first place, but also spends 141% of their time fixing stuff at short notice when it does go wrong, even – especially! – when it’s your fault for sneakily doing the very things they spent ages trying to stop you doing so things wouldn’t go wrong in the first place.”

Also, it’s your sysadmin’s fault if the batteries go flat in the Bluetooth mouse that you insisted you needed some time back in 2012 but then forgot at the back of your desk drawer and only rediscovered yesterday with verdigris from a pair of decaying AA cells all over the electrical contacts.

(Replacing dead batteries and powering on screens that “seem to have been infected overnight by some sort of mysterious firmware rootkit” take up the remaining 81% of a typical sysadmin’s day.)

Of course, appreciating your sysadmins in word and in deed raises the tricky questions, “What to say, and what to do?”

We think we can help, with the Sophos Naked Security Dodecahedron of Code.

Simply put, a dodecahedron is a regular 12-sided figure – a polyhedron, to use the jargon word – and can be used as a die (yes, that is the singular of the word dice) to make random choices in much the same way that you use 6-hedrons, better known as cubes, to play games of chance such as craps.

If you’ve ever played Dungeons and Dragons or the like, you’ll know this as a D12:

Rest assured, the Sophos Naked Security Dodecahedron of Code (or SnackDoc for short) is no ordinary D12.

The SnackDoc provides an ideal solution to the problem of religiosity, pomposity and parochialism in programming.

You see, sysadmins are programmers, but not in the way that It Says Developer On My Business Card programmers are programmers.

Sysadmins have to be better programmers than Programmers, because their code needs to do more, with less, at a faster speed, for more people…

…and it needs to do it THIS AFTERNOON, sometimes as an urgent fix to a problem brought on by unforeseen issues (as they are quaintly known) in the new version of a program that the Programmers have been working under a raft of different methodologies and management styles since 2009.

So, when Programmers With A Capital P tell sysadmins, “We need this NOW, and we need it written in a programming language that we lumbered you with”…

…well, you can see how that could cause friction.

What to do?

What you need is a total SURRENDER OF SUBJECTIVITY in how you choose the language that your Programmers are going to get their code written in.

It doesn’t matter if you don’t know or like the language – what matters is [a] that it was chosen by the unerring hand of non-deterministic forces and [b] the Programmers know and like it less than you do.

So, in accordance with the important software engineering maxim that if the code was hard to write, it should be hard to understand, what you need is:

  • A hardware random number generator. (You can write software to generate fake random numbers, but, hey, what programming language would you use to do so?)
  • An uninhibited and broad set of languages to choose from. (Because there is life before and after Python.)
  • A device made of cardboard. (Because there are some things even an Arduino can’t do.)

Build a Sophos Naked Security Dodecahedron of Code D12 for your sysadmins TODAY.

You KNOW it makes sense.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZeJNdnAHhuI/

Help us bring a smile to a sysadmin’s dial…

A few years ago – make that quite a few, actually – Sophos was a lot smaller than it is now.

Recruitment was different too – back then we weren’t so much writing cybersecurity software as helping to invent the entire field of anti-malware research.

One of the somewhat paradoxical things that’s important in a small team is that you need people who are specialists but also generalists; focused programmers who can also think and work laterally when needed.

So, in the same sort of way that Bletchley Park recruited cryptographers by looking for chess players, crossword solvers, musicians and the like and then letting them loose to invent the needed cryptographic techniques…

…we used to ask prospective coders to write a limerick.

It didn’t matter if you didn’t know what a limerick was, or were no good at finding words that rhymed – what mattered was how you reacted to the idea of being asked to do something a bit out of the ordinary in the middle of an interview.

Could the problem be reorganised to make it easier to solve – would iambic pentameter be OK instead?

What was most important – meaning, metre, rhyme or wit – and how could these factors be traded off?

Would a program that could write limericks be considered a solution, even if its first output would only appear after the interview was complete?

How do you test a limerick? Can two people write a better poem than one? How do you even judge a limerick?

Most of all, we wanted to know – were you willing to throw yourself at an unexpected problem and have fun trying to solve it at the same time?

In those days, the limericks all had to start with the line There was a young lady called Prue, like this:

   There was a young lady called Prue
   Whose instruction decoder was skew.
      Her PUSHes were POPs
      And her POPs were NO-OPs,
   So she booted, and started anew.

Your mission for SysAdmin Day

As a bit of retrospective fun for #SysAdminDay, we’re inviting you to submit your very own limerick with the very specific aim of bringing a smile to a sysadmin’s dial.

You can start it off however you like, so you don’t need to mention Prue unless you want to.

Here are some samples to get you going:

   I am truly delighted to say
   That it’s annual SysAdmin Day.
      The folk in IT
      Really do it for me,
   Keeping malware and phishing away.

   Well, I clicked on a dubious link,
   And my laptop has gone on the blink.
      But in one mighty bound
      A sysadmin came round -
   I think I should buy them a drink.

   If their patience has got a bit thin
   Give sysadmins a bit of a grin
      You’ll find T-shirts and more
      In our cool online store
   Shop dot Sophos dot Com FTW.

See what you can do!

What you need to know

Remember that the rhyme needs to go AABBA; the metre needs to follow the pattern in the examples above – try reading them aloud to get a feel for how the rhythm goes; and the mood needs to be positive and upbeat.

Post them as comments and let’s make some sysadmins laugh.

(If you are a sysadmin, we’ll allow you to write from the other side, as it were – you may berate and bemoan your fate, and even be a little bit critical of your users – but we still want the world to be a better place when we’ve finished reading your verse.)

Oh, just to be clear: the editor’s decision, as they say, is final, and there are no formal prizes.

Happiness is its own reward, etc. [No more truisms, thanks Ed.]


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VF-ObKq2GBE/

Google takes on Yubico with its own security key, Titan

Google took its efforts to protect online accounts up a notch this week, announcing its own hardware-based security key.

Announced at Google’s Cloud Next conference, the Titan keys are a two-factor authentication (2FA) solution, designed to combat one of the most prevalent forms of online attack: account hijacking. Without 2FA, attackers who guess or steal a person’s password can use it to log in and impersonate them.

With 2FA, people accessing an account must prove that they are legitimate by using a device that they physically own (or a physical feature like a fingerprint) to log in.

Google had announced earlier this week that it had stopped attackers gaining access to all of its 85,050 employees’ accounts since it began using hardware-based security keys internally in 2017. Now it seems that it wants to extend these benefits to its users.

There will be two versions of Google’s key: a USB one that plugs into your computer, and a Bluetooth one that must be paired with a device before use, aimed at users of mobile devices. They will both meet the Fast IDentity Online (FIDO) authentication standard, making them compatible with a range of other sites beyond Google’s own.

Google has been protecting people with 2FA access for years via its Authenticator app, launched in 2010. These new security keys will provide people with an easier way to secure their accounts because they won’t have to type in any codes.

Will Titan be enough to bolster the relatively poor adoption of 2FA, though? A 2016 University of Maryland and Johns Hopkins study of just over 500 users found that only one in four used 2FA on all of their devices, while 45% used it on some services, but not others. Of the latter, 68% said that they used it mainly when they had no choice, indicating that many users still aren’t taking responsibility for their own security, or don’t understand the risks and benefits.

On that basis, while this key will be available to everyone, don’t expect users to flock to it in droves. It will be of most use to those with the most to lose. Google acknowledges this on the Security Key product page, where it says:

While security keys are recommended for all users for stronger protection against phishing, enforcing security keys for admins and other high-value users should be the first step.

Google has gradually been tightening the security measures around account logins. In 2017, it replaced SMS codes with smartphone prompts as part of its two-step verification process, after the National Institute of Standards and Technology (NIST) deprecated SMS-based 2FA.

The Titan keys will compete directly with those produced by Yubico, which was also a participant in the Cloud Next conference. Yubico, which confirmed that it isn’t making the Titan keys for Google, said that it had considered a Bluetooth version but decided against it.

While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.

Coincidentally, the security of the Bluetooth protocol came under fire this week. A bug in the protocol potentially enables attackers who are in range of a Bluetooth communication to snoop on communications, although many vendors have already fixed the issue.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-tNKXJqtJ5U/

Your essential guide to what sysadmins really mean

So you’re a sysadmin – blue team, red pill, grey hat.

Your brain works at the speed of a hyperloop inside a rocket ship slingshotting around a black hole that’s slingshotting around another black hole. You make the impossible possible, you make the improbable into the everyday and for everything else there’s a bash script. And then you make your first coffee of the day.

You don’t just firefight, you firewin.

If the other people in your company knew what you did all day, every day you’d blow their minds. If they understood your sendmail configs they’d hang them in the Louvre; your JIRA tickets should be required reading in school; your cabling would make Dijkstra blush.

But they don’t know because you don’t have time for their puny human words. When you do speak, you speak in compressed binary microbursts on a Slack channel they’re not invited to, and only if it’s the second Tuesday of a month beginning with Q.

To them your words are like the alien tones in Close Encounters of the Third Kind.

Well, it’s SysAdmin Day and we’re here to help.

To all of them we say this: here is your essential guide to what sysadmins really mean.

“We’re going to start doing DevOps”

We’ve had enough, we’re opening a crèche for the software developers.

“You’ll need to open a ticket”

I AM BUSY WORKING ON STUFF SO COMPLICATED IT WOULD MAKE YOUR EYES BLEED IF YOU WERE CLEVER ENOUGH TO WORK OUT WHICH OF MY 20 MONITORS YOU SHOULD BE LOOKING AT. AT THIS MOMENT THE FATE OF THE ENTIRE COMPANY HANGS IN THE BALANCE, EVERY SECOND COUNTS, AND YOU HAVE WALKED PAST TWENTY OTHER PEOPLE TO BREAK MY CONCENTRATION SO YOU COULD TELL ME YOU’VE SENT ME AN EMAIL?!?!?!?!?!??!

“Thank you for your ticket. Someone will get back to you shortly.”

You are in a maze of twisty little passages, all alike.

“Your ticket has been escalated”

If you think our automated ticketing system lacks finesse or social graces hold on to your hat, we’ve opened the trapdoor and you’re about to meet 3rd line support.

“We should have done it with %technology%”

I have just finished reading about %technology%.

“I told you we shouldn’t have done it with %technology%”

Beam me up, this planet’s about to explode.

“I’ll do it in PowerShell”

Fetch my cape.

“I’ll do it in bash”

I hate my colleagues.

“I’ll do it in perl”

You can never outsource my job. If I die you’ll have to reanimate my corpse.

“I’ll do it in node”

Sell all of your shares, we’re doomed.

“We fixed that years ago”

Technically the problem still happens but we’ve rigged it so that now when it overheats the wax melts, which inflates a balloon with a scary face drawn on it. That normally frightens off the mice and they go and build a nest somewhere else for a while.

“I’ll do it now, it’ll take five minutes”

See you here at the same time tomorrow.

“I’ll do it next week”

Your grandchildren will still be waiting for this.

“It’s on the road map for next quarter”

With a fair wind we’ll have it wrapped up before the sun runs out of hydrogen and engulfs the Earth.

“We operate a ‘read only Friday’ policy here”

We imbibe many, many powerful drinks on Thursday nights.

“The application relies on a library that’s in unstable and we’re not rolling that out until it’s been in stable for at least a year. I could spin up a VM with the right OS and try to install it on that but it would be in violation of our policy to attach it to the network so there’s no way for us to get the application on to the VM unless we use a USB key, and if you bring one of those into the office it’ll set off the bear trap under your seat and pin your leg to your chair like a pair of crocodile jaws. I suppose we could dust off a beige box and attach it to the internet directly but you’d have to organise your own dedicated phone line. The local regulations demand phones lines are buried underground. I can let you have a shovel if you just sign this 72,000 page waiver, hand over a DNA sample and leave one of your shoes in this basket. Also, facilities won’t let you use a keyboard, mouse or screen with it so you’ll have to open a JIRA ticket detailing all the commands you ever want to run and somebody in first line support will do those for you when they’ve run out of other things to do, which will be the second half of September 2051 at the earliest.”

No.

If you enjoyed that then you might like to find out what you sound like to a sysadmin, or read our sysadmins’ foolproof guide to fixing any computer problem.

Before you do those things though, you’re going to want to kit yourself out with a couple of essentials we’ve prepared for you, just ‘cos it’s SysAdmin Day:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fRRu4ZX-h2E/

“Simple trick” floors home security camera, gives anyone access

A few weeks ago, a headline popped up on the BBC that caught the eye of security researchers: “Swann home security camera sends video to wrong user”.

It was clear what happened: the camera uploaded a bunch of data on purpose, and then it sent it to the entirely wrong person. As in, Louisa Lewis started to get “motion detected” alerts on her phone that showed somebody else’s kitchen, in somebody else’s house, with somebody she didn’t know, washing their dishes.

But it wasn’t clear why it happened, beyond the camera manufacturer’s explanation that it was human error, caused by two cameras being manufactured with the same cryptographic key to secure communications with their owners, and the duplicate camera owner having ignored the warning prompt that the “Camera is already paired to an account.”

…Nor was it clear that it wouldn’t happen again. Which it did. Nor was any evidence given to support Swann’s promise that “this was a one-off incident.” Which, it’s now clear, it was not.

We know this because a team of Europe-based security researchers came together to pick apart the security on these internet-connected cameras, to get a better sense of the “why”: Ken Munro, Andrew Tierney, Vangelis Stykas, Alan Woodward and Scott Helme.

They published their findings on Thursday. Munro’s TL;DR version of what they found:

We successfully switched video feeds from one camera to another through the cloud service, proving arbitrary access to anyone’s camera.

“Anyone’s” camera? So much for Swann’s “one-off” claim. As Helme describes in his writeup, there’s no way that Swann could have known, as the company claimed, that “no further data was breached or accessed.”

How could they? If this was human error on the production line (which I think is nonsense) and they didn’t detect this one until someone told them, how do they know it hasn’t happened again?

Tierney said in his write-up that it was a “simple trick” to convince the Swann app that it was talking to some other camera and to begin streaming from another user’s device.

As first reported by the BBC, the new vulnerability has to do with the messages sent from the server – that would be OzVision servers – to the Safe by Swann app, which is the smartphone app used to view cameras’ motion-triggered recordings.

Those messages included a reference to a unique serial number given to each camera in the factory. Using commonly used, free security tools – they used Charles, Tierney said, though Burp or MITMproxy will do the trick – the researchers easily intercepted the messages. Then, they tweaked the serial numbers. In order to stay on the right side of privacy and avoid unethically/illegally turning into snoopers, the researchers only spied on webcams that they’d bought themselves.

But Vangelis checked the API and found that the serial number could be enumerated. The researchers didn’t have to guess at whether any given enumerated number would get them to a valid Swann camera: when they tried to add an existing serial number, the “device already paired” error popped up, signifying that they’d hit on an existing serial number.

Once they switched to another camera, they found that they could view its stream, with no username/password authentication needed, given that the cameras failed to check whether the person viewing the stream was an authorized user.

Tierney said that the researchers found it would be possible to enumerate every Swann camera serial number in three days.
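To make the two failures described above concrete for defenders (a stream lookup that never asks who is viewing, and a pairing endpoint whose distinct error messages confirm which serials are in service), here is an added Python model of a cloud stream broker. It is illustrative code written for this page, not Swann’s or OzVision’s software; every serial number, account name, session token and stream URL in it is a constructed sample value, and the hardened functions show the ownership check and the uniform error reply that would have closed both gaps.

```python
"""Added illustration, not Swann or OzVision code: a toy in-memory cloud
stream broker showing (a) a stream lookup that never asks who is viewing and
(b) a pairing endpoint whose distinct error messages reveal which serials
exist, each beside a hardened version.  Every serial, account, token and URL
here is a constructed sample value."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Camera:
    serial: str             # factory-assigned; modelled as sequential, as in the article
    owner: Optional[str]    # account that paired the camera, None if unpaired
    stream_url: str         # constructed placeholder, not a real endpoint


# Constructed sample inventory: one camera belongs to "louisa", two to a
# stranger, and one has not been paired by anyone yet.
CAMERAS = {
    "SW0001": Camera("SW0001", "louisa", "rtsp://example.invalid/SW0001"),
    "SW0002": Camera("SW0002", "stranger", "rtsp://example.invalid/SW0002"),
    "SW0003": Camera("SW0003", "stranger", "rtsp://example.invalid/SW0003"),
    "SW0004": Camera("SW0004", None, "rtsp://example.invalid/SW0004"),
}

# Constructed session store: opaque server-side token -> account name.
SESSIONS = {"tok-louisa": "louisa", "tok-stranger": "stranger"}


class AccessDenied(Exception):
    """Generic refusal, deliberately identical for every failure cause."""


def get_stream_vulnerable(serial: str) -> str:
    """The flaw the researchers describe: the app's request names a serial
    and the service returns that camera's stream without checking who is
    viewing.  Changing the serial in transit therefore swaps the feed."""
    return CAMERAS[serial].stream_url


def get_stream_hardened(session_token: str, serial: str) -> str:
    """Ownership-checked lookup.  The viewer is identified by a server-side
    session rather than by anything in the request, and the stream is served
    only if that account is the one that paired the camera."""
    user = SESSIONS.get(session_token)
    cam = CAMERAS.get(serial)
    if user is None or cam is None or cam.owner != user:
        # One reply for "not yours", "unpaired" and "no such camera" alike.
        raise AccessDenied("camera not available")
    return cam.stream_url


def stream_allowed(session_token: str, serial: str) -> bool:
    """True if the hardened lookup would serve the stream to this session."""
    try:
        get_stream_hardened(session_token, serial)
        return True
    except AccessDenied:
        return False


def pair_vulnerable(user: str, serial: str) -> str:
    """Pairing as the article describes it: the reply for an already-paired
    camera differs from the reply for an unknown serial, so the endpoint
    doubles as an oracle for which serial numbers are in service."""
    cam = CAMERAS.get(serial)
    if cam is None:
        return "unknown serial"
    if cam.owner is not None:
        return "device already paired"
    CAMERAS[serial] = Camera(serial, user, cam.stream_url)
    return "paired"


def pair_hardened(user: str, serial: str) -> str:
    """Same decision, but every failure gets the same reply, so probing the
    serial space no longer reveals which cameras exist.  Rate limiting and an
    unguessable pairing code printed on the device would be the next layers."""
    cam = CAMERAS.get(serial)
    if cam is None or cam.owner is not None:
        return "could not pair"
    CAMERAS[serial] = Camera(serial, user, cam.stream_url)
    return "paired"


if __name__ == "__main__":
    # Feed swap: the vulnerable lookup serves a stranger's camera to anyone.
    print("vulnerable lookup:", get_stream_vulnerable("SW0002"))
    print("hardened, own camera:", stream_allowed("tok-louisa", "SW0001"))
    print("hardened, stranger's camera:", stream_allowed("tok-louisa", "SW0002"))
    print("oracle:", pair_vulnerable("louisa", "SW0002"), "/", pair_vulnerable("louisa", "SW9999"))
    print("no oracle:", pair_hardened("louisa", "SW0002"), "/", pair_hardened("louisa", "SW9999"))
```

The point of the model is that the serial number is an identifier, not a credential: whatever its format, the broker has to bind each request to an authenticated session and compare the camera’s owner against that session before serving anything, and its error replies should not let a caller distinguish “exists but not yours” from “does not exist”.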

Swann and OzVision – the provider of Swann’s cloud technology – said the issue is now fixed. According to the BBC, Swann said that the vulnerability only occurred in one model: the SWWHD-Intcam, also known as the Swann Smart Security Camera. You can pick one of them up for about USD $100 on Amazon, though the BBC says they’ve also been sold by Maplin, Currys, Debenhams, and Walmart.

So that’s the situation with camera maker Swann. OzVision, however, is another matter. Tierney says the researchers believe that the cloud service maker has known about the issue for some nine months: they came across a report about it from Depth Security back in October. When the issue was brought to its attention, OzVision deflected questions back to Swann. OzVision only fixed the vulnerability when Swann pressured it to, Tierney said.

The concern now is that OzVision provides cloud service to at least one other major camera brand; in fact, it claims to provide cloud service to 3 million smart cameras.

OzVision told the BBC that the vulnerability was fixed when the stream-swapping problem first came to light in June. Now, it’s working on making sure the problem has truly been fixed. The BBC quoted OzVision sales executive Uri Kerstein:

A security concern which was raised a few weeks ago was immediately addressed and resolved by the company and its partners. OzVision is conducting a thorough examination of the system to ensure that any remaining or potential security concerns are resolved within days.

That doesn’t particularly reassure Munro, who noted that there’s always risk when you’re talking about an Internet of Things (IoT) security camera:

I’d make sure you don’t put them in very personal places like your bedroom. Just bear in mind someone might be looking in.

Tell us about it! Looking in is just the start of it. From there, you get to hackers blackmailing women into stripping in front of their webcams, CCTV feeds of kids at school being streamed live online, and oh, so many baby monitors being used to spy on kids (or to broadcast obscenities at babies, as the case may be).

Unfortunately, the Swann/OzVision situation is just one more case of the IoT chickens coming home to roost. Put a “security” camera into the cloud, and you run the risk that you’ll be overrun by chickens.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mpvSqV33Uvs/

Shock Land Rover Discovery: Sellers could meddle with connected cars if not unbound

Both data and the online controls on “connected cars” from Jaguar Land Rover remain available to previous owners, according to security experts and owners of the upmarket vehicles. The car maker has defended its privacy safeguards and security of its InControl tech.

El Reg began investigating the issue after talking to Matt Watts, a techie who blogged about the issue of connected cars and the data they collect, without initially naming Jaguar Land Rover (JLR).

Watts’ secondhand Range Rover came with the ability to remotely control the climate systems, call breakdown services, upload GPS/destination details and much more. The vehicle also keeps a record of much of this information and stores it in an online account.

Most drivers won’t use this functionality, but Watts is a self-admitted geek. After he downloaded the JLR app to his smartphone and started to experiment, Watts realised that he was able to use the eight digits of the vehicle identification number (VIN) to link his vehicle to an online account.

When doing so, the JLR website informed him that the vehicle was linked to another user’s account. After dealing with support centres and a JLR dealer, Watts was eventually told that the previous owners should have disconnected before selling on the car. He was initially advised to contact the previous owner, which is annoying enough in itself.

“The process to get the manufacturer to update the online details for the vehicle is for me to try and find the previous owner and get them to do it for me,” Watts wrote.

The issue goes far beyond Watts being unable to use the funky functionality of his secondhand motor, as he explained:

The previous owner of my car has control over it, they can unlock it, they can remotely set the climate control without me knowing about it, even when the car isn’t running, they potentially can even look at the sat-nav system, they can also call breakdown services to the vehicle and all of this without me knowing anything about it.

Someone else has access to a significant amount of data about myself and my vehicle and there appears to be nothing that the manufacturer is prepared to do about it.

Watts told El Reg: “Data is being collected about me and the vehicle’s location and simply provided to whomever previously connected the app to the car. JLR needs a bullet-proof method for this to be automatically disconnected when the vehicle changes hands. I don’t know how you do this but the current process is clearly not sufficient.”

According to another secondhand Land Rover driver and IT industry pro, who did not wish to be named, the issue is not just around the mobile app but also the online account with JLR. This account – which ties into the InControl service offered by JLR – needs the VIN/car data removed from it when a car changes hands.

El Reg contacted Jaguar Land Rover’s press office about the issue. “Matt’s situation could have been handled a lot better, with him receiving incorrect information throughout the process,” it said.

In a lengthy statement, the car maker went on to defend its procedure around the sale of connected cars against criticism from techie drivers we’ve spoken with.

If a customer sells a vehicle to a Jaguar Land Rover retailer, the retailer, as part of the purchasing process, will check that the customer has cleared all of their accounts and removed the vehicle from their InControl Portal. They will also advise the customer selling/exchanging the vehicle that the customer can unbind themselves too.

It is important to note that when the initial customer accepts the terms and conditions of Remote Premium services that they are agreeing to unbind the vehicle from themselves when they sell it on. If a private sale, Jaguar Land Rover or our retailers will have no sight of the vehicle between change of ownership so cannot check this process has been adhered to.

If the seller has not done this, the new owner can take their car to their local Jaguar Land Rover retailer to get the InControl Remote app and all InControl services reset. After ownership checks, the retailer will unbind the previous owner from that car.

This will mean that when the former owner goes onto their InControl Remote app or InControl Portal, they will receive a message stating that no vehicle is associated with this account and will no longer be able to view any information for that particular vehicle. The retailer will then set up a new account for the new owner, binding that vehicle to them. This process can also be done by the customer contacting the Jaguar Land Rover Customer Relationship Centre and providing suitable ownership documents.

If you have the VIN, you can press one button in the car to silently enable tracking. This enables a range of functions including remote unlock, start engine, and the ability to see where a car is, according to our unnamed tipster.

Watts added that “right now a previous owner of my Range Rover has the ability, from anywhere in the world with a data connection” to do all manner of undesirable things, including but not limited to:

  • See the vehicle data remotely
  • Look at my journey history
  • Adjust the climate control
  • Remote beep and flash the horn and lights
  • Unlock the vehicle

Watts bought his car through an independent dealer. JLR said that the issues Watts had experienced wouldn’t have arisen if sales procedures known to its registered dealers had been followed. Watts was dissatisfied with this response.

Watts told El Reg: “I personally find it completely unacceptable that JLR simply pass on the responsibility for unbinding a previous owner’s app from the vehicle to the dealer, who I’m not convinced will always do it, to an independent dealer, who may not even be aware of it, or to the new owner, who unless they’re tech savvy and want to use these features may not even be aware of them.”

In response to JLR’s statement, he added: “It would appear that JLR’s view is that it’s the dealers’ problem, the previous owner’s problem or the current owner’s problem, without accepting any responsibility or liability. In fact it’s everyone else’s problem except theirs, yet they are the ones collecting all this data.”

User data and information should be a prime consideration in developing new connected car systems and capabilities. El Reg also asked JLR to comment on the GDPR implications of what had happened to Watts and our other source. The response was rather bland:

Customer confidentiality and the security and privacy of customer data is paramount to Jaguar Land Rover. We continually review our processes to identify further improvements to meet the security and privacy needs of our customers.

Watts plans to contact the dealer to get this sorted out while also raising awareness. “[The process] is full of holes and the manufacturers need to do something about it,” he said.

Our anonymous tipster has similar concerns: “Remember that some of the JLR dealers are not optimal in fixing issues. It could be that the dealers should be able to do this but don’t know how to. When I bought my approved used Disco, I didn’t even know I had the tracker installed and just Googled the buttons.”

The issue of the security of data collected by connected cars is far from limited to Jaguar Land Rover.

In response to his post about the issue, Watts has also been contacted by someone who said he had sold his previous “German” car through a main dealer in the Netherlands over a year ago. “He confirmed that he still has full remote control over it,” Watts explained. “During the sale/exchange process he said the dealer didn’t at any point ask about the app or make any mention about disconnecting it.”

El Reg contacted transportation security expert Chris Roberts, who said that he too had come across the same issue in another brand of car.

“I picked up a used S550 and had the previous owner’s info still in it,” US-based Roberts told El Reg. “[It] took a call to [Mercedes-Benz] to sort that out.”

Evil parking attendant

JLR also offered an explanation for how its InControl connected car tech is set up:

  1. The activation process affects all the telematics features, names of which vary depending on what model year, vehicle line and market the vehicle is, hence the references to Remote Premium and InControl Protect.
  2. Activation of the telematics features is a pre-meditated action – it can’t be done casually: the customer has to go through the InControl Portal; have the VIN ready; follow a series of steps including account creation; go to the vehicle and press a specific button for 10 seconds; then follow some further steps in the web browser before the activation is complete.
  3. It also requires that: a) the customer has physical access to the vehicle – so they must have the keys and b) there is no other customer connected to the vehicle already – you cannot “kick an existing customer off” using this method.

Our unnamed tipster disputed this, in part. “You can bind a vehicle to your account if it is unbound. You [need to] have physical access to the car to press a button and know the VIN (from the dashboard or from some other system) – VINs are not confidential.

“Think not evil maid attack but evil parking attendant or evil valet attack. If it’s not set up, I, as an evil valet, could easily set it up for them and then gain at best knowledge of where the customer is but also the ability to unlock the car and start the engine.

“I don’t think it’s possible to drive off without the keys – the engine may start remotely but will not allow you to actually drive off without having the keys.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/27/jaguar_land_rover_connected_car_privacy/