STE WILLIAMS

Cameras leak credentials, live video

D-Link and Vivotek have submitted their entries for “dumbest security vulnerability of 2013”, with Core Security turning up a variety of daft bugs in their IP cameras, including hard-coded backdoor passwords.

The advisories are here for Vivotek and here for D-Link. D-Link has told Core Security it is preparing a fix, but the researchers were unable to elicit a response from Vivotek.


The D-Link vulnerabilities include:

  • Operating system command injection: The cameras’ Web interface parses incoming CGI scripts in a way that allows arbitrary commands to be passed to the operating system.
  • Authentication bypass: Appending /upnp/asf-mp4.asf to the camera’s root URL accesses the video stream without authentication.
  • Video leaks as ASCII: An ASCII stream of the video luminance is accessible without authentication using the path /md/lums.cgi.
  • RTSP authentication bypass: This also allows unauthenticated access to the video stream.
  • Hard-coded RTSP credentials: *? is a hard-coded backdoor into the cameras.

Vivotek’s blunders include:

  • Plaintext password storage: Sensitive information is stored in files accessible with the URL paths /cgi-bin/admin/getparam.cgi and /setup/parafile.html.
  • Remote buffer overflow: There’s a buffer overrun in the RTSP service.
  • RTSP authentication bypass: A crafted URL sent to the Vivotek PT7135 camera provides unauthenticated access to the video stream.
  • User credential leaks: Firmware version 0300a on Vivotek cameras allows remote attackers to dump the camera’s memory and extract user credentials. The juicy stuff is kept in the Linux virtual file system object /proc/kcore.
  • Command injection: A binary file in the camera has a flaw allowing remote command injection.

Unless users get busy with upgrading their firmware, The Register imagines all kinds of unwanted “private” videos will start turning up. More seriously, however, it’s also likely – knowing the bad habits not just of users, but of many sysadmins – that leaked credentials will be replicated on other bits of network infrastructure.

Core Security’s advisories include a full list of devices confirmed as vulnerable.®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/01/ip_cameras_with_dumb_vulns/

Crap computers in a crap box: Smart-meter blackouts risk to UK

Analysis You’d be forgiven for thinking this is the plot of a Saturday night BBC2 drama: hackers tinkering with smart electricity meters deliberately cut the power to whole neighbourhoods.

But, according to a UK computer security biz, weak authentication checks and a lack of other security controls on said equipment could allow just that.


Greg Jones, director at security consultancy and penetration testing firm Digital Assurance, discovered numerous shortcomings in three samples of two types of smart meters, which are installed in homes to monitor and control the use of gas and electricity. Typically, these devices are wirelessly connected to the supplier so data and upgrades can be easily transmitted over the air – some even using the mobile phone network.

A hacker could therefore crack the wireless communications between the meter and the supplier, and send his or her own mischievous messages back to base, or commands to other meters, it is claimed.

After buying the test samples through online auction sites, Jones wanted to find out what made the electronics tick. He said he discovered the protection against hardware tampering was far less stringent than that applied to comparable consumer security products, such as an Xbox game console.

“Smart meters are essentially crap computers in a crap box,” Jones claimed.

Attention in the past has predominantly focused on how power plants’ critical systems can be compromised over traditional wired computer networks.

Little consideration has been given to how they might be hacked wirelessly, it seems. The proprietary protocols used by power equipment can be intercepted and analysed using readily accessible software-defined radio (SDR) equipment and a PC.

With up to 53 million smart meters (essentially miniature SCADA devices) installed in 30 million homes and businesses in Blighty between 2014 and 2019, the number of potential access points on suppliers’ networks is set to increase dramatically.

The data relayed between these devices and their headquarters can be intercepted, captured, jammed or replayed using SDR equipment, providing the hacker with network-wide access to individual home meters, control stations, generating stations and transmission facilities.

Armed with nothing more than a soldering iron and some basic programming, Jones explored how smart meters can be exploited, controlled and manipulated. He found security flaws in both the design and implementation of several devices.

‘We extracted all of its passwords’

“The meter is manufactured by a significant vendor who specialises in smart metering. The specific meter is MID/Ofgem certified (can be used in the UK on the grid) and is in use in the UK and extensively abroad,” Jones explained. “This meter on which nearly all of the work has been done supports the International Electrotechnical Commission’s protocol standards and currently uses the GSM mobile phone network for wide-area network communications.”

“We extracted all of its passwords from EEPROM [programmable read-only memory chip] and can use these to communicate with other meters from the meter supplier – and the vendor, as some of these passwords are factory defaults.”

Flipping the switch to disconnect or reconnect supplies is “fairly trivial” once you have the super-user password for the device and the necessary connectivity. This could be via several means, including local connection via wired serial, or GSM to run a fake base station attack.

Exploits could include remotely disconnecting a home or office building’s power supply; something that could even be applied across an entire neighbourhood.

“Some devices do feature authentication,” Jones explained. “But it’s a mixed bag and down to the manufacturer.”

Components of the electricity grid previously relied upon their relative obscurity to protect them but this is changing with the rollout of smart meters. Defences need to be built into the system, according to Jones.

“The only way of protecting a wireless device from an SDR attack at present is to ensure that it has been designed, configured and deployed to resist over-the-air attacks. Very few vendors of such equipment will give this type of assurance, so independent testing is currently the only option until the industry applies itself to developing a solution. Understanding exactly what radio systems have been deployed and ensuring adequate risk assessments have been conducted is an essential first step,” he explained.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/30/smart_meter_hacking/

Apache attack drives traffic to malware

A security researcher is warning that an attack on the Apache Web server is increasingly showing up in the wild, and has published a free Python tool to check their configurations.

The attack is designed to avoid leaving disk footprints, according to this post analysing the backdoor. It exists as a modified httpd file that redirects HTTP requests to the well-known Blackhole exploit pack.


Redirected victims hitting the compromised server are remembered so they aren’t redirected a second time. The redirection looks like the original URL, with a base64 encoded string added, used by the backdoor to record parameters describing the redirected client to ensure the right payload is delivered (for example, identifying if it had originally requested a Javascript file).

Apart from the modified httpd file, everything associated with the exploit exists only in 6 MB of shared memory, with configuration pushed through obfuscated HTTP requests to evade logging.

The analysis has identified 23 commands in the binary, all of them two-character hex bytes (DU, ST, T1 and so on). Those commands are invoked by a POST command to a crafted URL including “SECID=” as a cookie header. As the author of the post, Pierre-Marc Bureau, notes, “we believe the URLs to redirect clients are sent to the backdoor using this method. The redirection information will be stored encrypted in the allocated shared memory region.”

Other capabilities of the commands include:

  • Setting redirection conditions;
  • Whitelisting user agents; and
  • Blacklisting IP addresses to avoid detection.

Because the attack sets loose permissions on the shared memory region, other processes can access it. This tool, dump_dcorked_config.py, verifies the presence of the shared memory region and dumps its contents into a file for analysis. ®
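As an added illustration (not code from the article or from the tool it mentions), a small Python check that parses `ipcs -m` output and flags shared-memory segments matching the description above: owned by the web-server account, around 6 MB, and readable or writable by other users. The sample output, the account names and the size threshold are assumptions.

```python
import subprocess

# Constructed sample of `ipcs -m` output, not taken from the article or from
# the analysis it cites. The 6 MB, mode-666 segment owned by www-data is the
# kind of region the article describes and is the one this check flags.
SAMPLE_IPCS_OUTPUT = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      postgres   600        56         6
0x0052e2c1 65537      www-data   666        6291456    3
0x00000000 98306      www-data   600        4096       2          dest
"""

# Accounts a web server commonly runs under (assumption; adjust per host).
WEB_SERVER_USERS = {"apache", "www-data", "httpd", "nobody"}
SIX_MB = 6 * 1024 * 1024


def parse_ipcs_shm(text):
    """Parse the table printed by `ipcs -m` into a list of segment dicts."""
    segments = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, the dashed banner and the column-header row.
        if len(fields) < 6 or fields[0] == "key" or fields[0].startswith("-"):
            continue
        segments.append({
            "key": fields[0],
            "shmid": int(fields[1]),
            "owner": fields[2],
            "perms": int(fields[3], 8),   # ipcs prints the mode in octal
            "bytes": int(fields[4]),
            "nattch": int(fields[5]),
            "status": fields[6] if len(fields) > 6 else "",
        })
    return segments


def find_suspicious_segments(text, min_bytes=SIX_MB, owners=WEB_SERVER_USERS):
    """Return segments owned by a web-server account that are at least
    min_bytes in size and accessible (read or write) to group or others.

    The thresholds mirror the article's description (about 6 MB of shared
    memory with loose permissions); they are a heuristic, not a signature.
    """
    flagged = []
    for seg in parse_ipcs_shm(text):
        loose = (seg["perms"] & 0o077) != 0
        if seg["owner"] in owners and seg["bytes"] >= min_bytes and loose:
            flagged.append(seg)
    return flagged


def check_live_system():
    """Run `ipcs -m` on this host and return any flagged segments."""
    out = subprocess.run(["ipcs", "-m"], capture_output=True, text=True, check=True)
    return find_suspicious_segments(out.stdout)


if __name__ == "__main__":
    # Demonstrate on the constructed sample; call check_live_system() on a host.
    for seg in find_suspicious_segments(SAMPLE_IPCS_OUTPUT):
        print("suspicious shm segment: shmid=%d owner=%s perms=%o bytes=%d"
              % (seg["shmid"], seg["owner"], seg["perms"], seg["bytes"]))
```

A hit is a prompt to compare the running httpd binary against the package manager's copy, not proof of compromise on its own.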

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/30/apache_dcorked_blackhole_vulnerability/

NATO proclaimed winner of Locked Shield online wargame

NATO has – not surprisingly – been named the winner of the Locked Shield online wargames held last week at the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia.

The 48-hour exercise, which has been held annually for the last five years, simulates a coordinated attack by “Red” forces (a continuing affectation from the days when the Red Flag of the Soviets still flew) on the electronic infrastructure of ten Blue teams, using any and all online means at their disposal.


NATO was up against national teams from Estonia, Finland, Lithuania, Germany, Holland, Italy, Poland, Spain, and Slovakia, so it’s hardly surprising that those worthies lost out to the combined might of one of the world’s most powerful military organizations. The hosts Estonia placed second, with their scratch team of government and commercial volunteers.

“It is good to see that the Blue Teams have really prepared well for this year’s exercise and the opposing team had to work a lot harder to keep the difficulty level high for the defenders,” said Jaan Priisalu, director general of the wargame’s organizers, the Estonian Information System’s Authority (EISA).

“This is a highly positive sign because it shows that the teams take the exercise very seriously and also that they are learning from the best practices and lessons from previous years.”

Estonia has possibly the largest practical experience of online warfare in Europe. It’s one of the most electronically advanced (and thus dependent) government systems in the region, in part as a reaction to getting temporarily pwned in 2007. While the EISA has no official input into NATO online battle plans, the lessons from the exercise are bound to be noted.

“The exercise has come a long way since the first event in 2008 and the fact that the teams are improving shows that the exercises do what they were developed for, namely train the IT specialists to work together and enhance their skills,” noted Colonel Artur Suzik, director of the NATO Cooperative Cyber Defence Centre of Excellence.

Stay alert, chaps

While the results of the wargames are all well and good, El Reg hopes this won’t induce a sense of complacency. Wargames are just that – games – and reality is going to be much more unpleasant. As the 19th century Prussian military strategist Helmuth von Moltke the Elder noted, “No human acumen is able to see beyond the first battle.”

Barely a decade ago we saw this demonstrated with the Millennium Challenge in 2002 – a simulated land, sea, air and electronic online wargame against a fictional Middle Eastern country (somewhat like Iraq). It was intended to be the first test of the switched-on, network-centric warfare beloved by former US Secretary of Defense Donald Rumsfeld, and in practice it failed miserably.

The Red team, controlled by Marine Lieutenant General Paul Van Riper, refused to play ball – using motorcycle couriers and pre-arranged signals at evening prayers to trigger attacks on the Blue team forces rather than easily-tapped radio or wired signals. By the second day, Van Riper had sunk one aircraft carrier, ten cruisers, and five of six amphibious ships of the attacking force, and the $250m exercise was shut down and reset.

Wargames of the kind carried out last week use only threats that we know about. We’d be far more impressed if the military had sought a scrap with white and grey-hats and won, but it’s likely the results would look rather less pleasing to the military eye. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/29/nato_locked_shield_wargame/

Serial killer hack threat to gas pipes, traffic lights, power plants

Analysis Medical systems to traffic light boxes are apparently wide open to hackers thanks to a lack of authentication checks in equipment exposed to the internet.

That’s according to research from security toolmaker Rapid7, which says it found plenty of essential electronics that can be freely remotely controlled via public-facing serial port servers.

These serial port servers, also known as terminal servers or serial-to-Ethernet converters, pipe data to and from a device’s serial port over the internet. This allows workers to remotely control equipment – from sensors to factory robots – over the web or mobile phone network, which is handy when said machinery doesn’t offer an Ethernet connection.

These serial port servers also pop up alongside systems that track vehicles and cargo containers, and can provide auxiliary access to network and power equipment in case of some disaster.

Serial port servers are about the size of a home internet router with one or more serial ports on one side and an Ethernet interface on the other; some products feature wireless or mobile network connectivity.

[Image: Typical serial-to-Ethernet converters – your common or garden serial port server (Credit: Rapid7)]

A serial cable is plugged in between the port server and the target device – such as a router, server or industrial control system – and the port server is configured to allow remote access to the device: a user can log into the server via telnet, SSH or a web interface. This could involve typing in a correct username and password to satisfy the port server before the connection is passed onto the equipment.

A good many serial-connected machines assume that if someone can talk to them via a serial cable then that person is an authorised employee with physical access and thus no security checks are needed: such a machine will accept commands from anyone communicating via its serial port, and thus it trusts the port server.

That’s why a port server should be configured to authenticate remote users, such as requiring a correct username and password combination, before handing over the reins to the sensitive equipment. If you can bypass or defeat the port server, the equipment is yours to control.

Some more paranoid machines require a valid username and password combination to be sent over the serial line, adding an extra level of security beyond the port server’s defences. But, according to Rapid7, too many machines do not have even these minimal levels of security.

How it all falls apart

The equipment’s serial port can also be exposed directly to the network by the Ethernet converter. In this mode, the port server acts as a TCP proxy and removes itself from the equation. Suddenly, the equipment is one step closer to a lurking miscreant.

This configuration allows vendor-specific software, running on a separate computer, to command the equipment over the network or internet via the port server using a proprietary protocol. The software may exchange cryptographic keys with the device to prove it is an authorised controller.

Generally speaking, network connections over TCP/IP typically timeout and die if they are left idle for too long. But connections over serial cables tend to stay active as long as the equipment remains powered up.

Thus, the researchers found that once a device – whose serial port is exposed directly to the network by the port server – is satisfied that it is talking to a trusted user, it will continue to accept any commands fired its way, via the public-facing port server acting as a TCP proxy.

An attacker therefore just has to wait for a valid user to authenticate before hijacking the machinery by firing his or her own commands at the open TCP port. Cisco devices have additional controls to time out sessions, but otherwise defences against the attack are few and far between, Rapid7 warns:

The end result is that both the TCP proxy and proprietary access protocols lead to a situation where most of the serial ports exposed either require no authentication for an attacker to access. An analysis of internet-exposed serial port servers uncovered over 13,000 root shells, system consoles, and administrative interfaces that did not require authentication, many of which had been pre-authenticated by a valid user.

Claudio Guarnieri, a security researcher at Rapid7, told El Reg the range of vulnerable systems accessible via serial-to-Ethernet converters included medical devices, traffic control systems, fleet tracking networks and even gas and oil pipelines. The common problem in all cases was either weak or nonexistent authentication checks.

“You have to know how to look for these systems but they’re out there,” Guarnieri explained. “Once in, anything from raising the temperature in a chemical tank to controlling the traffic lights in a city might be possible. You could shut down the power grid.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/29/serial_port_security_threat/

Chinese cyber-spook crew back in business, say security watchers

The widely feared Chinese cyber-espionage crew known as APT1 is back in business two months after a high-profile report that lifted the lid off its activities, according to security researchers.

Cyber Squared has been tracking numerous Chinese cyber espionage threat groups within ThreatConnect.com and crowd-sourcing threat intelligence with nearly 400 global security researchers. All signs suggest that “Comment Crew” and other Chinese APT threat groups are still conducting exploitation operations. In fact, there has been little change detected within “Comment Crew” operations. They have not significantly retooled their traditional implant technologies or command and control capabilities, nor modified their target selection process.


All this is contrary to earlier expectations that public exposure might result in dissolution or at least a significant long-term decrease of “Comment Crew” activity. Some even expected to see a more general reduction in the activity of other Chinese cyber espionage threat groups.

Two months ago security consultancy Mandiant released a high-profile report on APT1, but despite this exposure “Comment Crew” tactics, tools, and procedures remain almost the same – or so a blog post by Cyber Squared explains.

“The ‘Comment Crew’s’ current targeting strategy is using legacy capabilities, with slight modifications, keeping with what has been previously observed in targeting campaigns,” said Rich Barger, chief intelligence officer at Cyber Squared and a former US Army intelligence analyst.

“This new activity directly corresponds with the upcoming NDIA MODSIM Aerospace and Defense industry conference (April 30 through May 2, 2013) and could serve as evidence of pre-operational staging or testing.”

APT control hubs in almost every country worldwide

The Comment Crew are the most high profile example of groups in China that use tactics such as zero-day exploits and spear phishing to run cyber-espionage campaigns.

Technology organisations are among the most frequent targets of advanced cyber attacks, according to a separate study by threat mitigation vendor FireEye.

Nine in 10 (89 per cent) of APT attacks feature use of Chinese attack tools, developed and disseminated by Chinese hacker groups, using utilities such as Gh0st RAT.

Some 184 nations house communication hubs, or command and control (CnC) servers, with Asia and Eastern Europe accounting for the majority of activity, according to FireEye. This compares to servers in 130 countries recorded by the same report three years ago.

Command and Control servers are used heavily during the life cycle of an attack to maintain communication with an infected machine using callbacks, enabling attackers to download and modify malware to evade detection, extract data, or expand an attack within a target organisation.

FireEye said it has blocked more than 12 million callback attempts to botnet CC servers in 184 countries from thousands of appliances during 2012. The Asian nations of China, Korea, India, Japan, and Hong Kong accounted for 24 percent of global callbacks. Eastern European countries of Russia, Poland, Romania, Ukraine, Kazakhstan, and Latvia accounted for 22 percent of phone-home requests from compromised systems. An interactive CnC callback map can be found on FireEye’s website here. FireEye’s full CC callback report, Advanced Cyber Attack Landscape, can be found here (registration required).

Technology companies experienced the highest rate of callback activity associated with the next generation of cyber attacks. Technology companies are targeted for the theft of intellectual property, sabotage, or modification of source code to support further criminal initiatives.

The FireEye report follows a report from Verizon last week that concluded that state-sponsored cyber-espionage was responsible for one in five data breaches last year. Verizon researchers recorded more cyber-espionage incidents than ever before. However the vast majority of cyber attacks remain profit motivated.

Verizon researchers said the vast majority of espionage attacks it investigated – 96 per cent – were traced back to China. By contrast, the majority (55 per cent) of criminally motivated attacks were traced back to either the US or Eastern Europe. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/29/apt1_still_going_strong/

Crims take to Facebook to flog ZeuS kits

Not content with hawking their wares in underground forums and other insalubrious parts of the darknet, criminals are now advertising their wares on Facebook, says RSA.

The Facebook page in question is now unavailable, but appears to have been packed full of handy info for the budding cyber criminal, according to Limor Kessem, one of the Cyber Intelligence team at RSA Security.


As well as containing info on botnets, exploits, cyber crime and the group’s Zeus toolkit (Zeus v 1.2.10.1), the page also linked to a demo of the botnet control panel they built, she wrote.

An Indonesian-speaking malware developer appears to be behind the “Casper Spy Botnet”, although others could be involved.

“Marketing cyber crime in such an open and accessible manner is not something common. Cybercriminals usually fear for their freedom and will not expose their endeavors online to potential undercover cyber-police officers and security research,” wrote Kessem.

“Those who would take such a chance, in favor of selling their wares to a larger audience, do so because they trust the anti-digital crime laws in their countries are more forgiving or downright absent.”

Kessem also argued that the leaking of Zeus source code in 2011 had effectively democratised the means to build such toolkits, giving rise to marketing efforts such as this Facebook page.

“The cybercrime underground may have lost most of the access it had to the major commercial Trojans after Zeus, SpyEye, Ice IX and Citadel’s developers all decided to quit vending their malware freely, but it seems that FaaS [Fraud as a Service] is definitely keeping things alive in the crime world,” she said.

“With affordable kits and readily available developers selling it, even an old Trojan like Zeus v1 can do the job, enticing would-be criminals to try their hand at harvesting bank credentials and online financial fraud scenarios.”

Indonesia itself takes a pretty dim view of cyber crime, as witnessed by the possible 12-year jail term facing a hacker who defaced the president’s web site. There’s no evidence to confirm whether the malware writer behind Casper is currently based there, however. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/29/facebook_malware_zeus_toolkit/

Japan forgot data wipe on ship sold to Pyongyang

The Japanese government’s data protection policies have been called into question after it emerged that a decommissioned coast guard vessel was sold to a pro-North Korea organisation without any checks as to whether key data on board was first deleted.

The 106-ton Japan Coast Guard patrol boat Takachiho was taken out of service in 2011 and sold to a ship breaker run by a senior figure from the General Association of Korean Residents in Japan (Chongryon), according to the Yomiuri Shimbun.


Chongryon, whose senior officials include members of North Korea’s Supreme People’s Assembly, carries out many of the functions a NORKS embassy would have in Japan, as there are no formal diplomatic relations between the two countries.

Although radio equipment and weapons were removed from the Takachiho before its sale, its navigation system was left intact, with the 10th Regional Coast Guard Headquarters in Kagoshima admitting that no checks were made to ensure data records had been wiped.

According to the Yomiuri, the ship could have recorded as many as 6,000 locations over about 250 days when it was handed over.

“The vessel was sold in a state in which information regarding operational patterns of the patrol vessel could have been obtained by some party,” an official told the paper. “We were on low security alert at that time.”

That is certainly not the case these days, with heightened tensions on the Korean peninsula and the Japanese coast guard regularly involved in patrols around the disputed Diaoyu (Senkaku) islands.

Although the chairman of the demolition firm, and Chongryon official, claimed that all parts of the boat were scrapped, the revelations will be an embarrassment for Japan in theoretically putting its national security at risk.

To make matters worse, the Coast Guard admitted that there were no policies in place to remove data recording equipment or wipe data before selling decommissioned vessels, meaning the same thing could have happened on other occasions.

That oversight has apparently been corrected now. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/29/japan_coast_guard_forgets_wipe_data_norks/

Police arrest suspect in BIGGEST DDoS ATTACK IN HISTORY

The Dutch police have confirmed the arrest of a man suspected of taking part in a massive DDoS attack against the anti-spam group Spamhaus back in March.

The 35-year-old man is a Dutch national but was arrested at his home in Barcelona under a European arrest warrant, the Netherlands National Prosecution Office told the BBC. His computers and a mobile phone have been seized and he will be extradited to the Netherlands on charges of aiding “unprecedentedly serious attacks on the non-profit organization Spamhaus.”


“Spamhaus is delighted at the news that an individual has been arrested and is grateful to the Dutch police for the resources they have made available and the way they have worked with us,” said a Spamhaus spokesman.

“Spamhaus remains concerned about the way network resources are being exploited as they were in this incident due to the failure of network providers to implement best practice in security.”

Although the identity of the man hasn’t been released it has been suggested that he’s Sven Kamphuis, the owner and manager of Dutch hosting firm Cyberbunker, which has been feuding with Spamhaus for years and is claimed by some to be responsible for the DDoS attack.

Cyberbunker is a Dutch company based in a former nuclear bunker that provides anonymous hosting of anything except terrorist or child pornography websites. The firm denies being responsible for spam, but Spamhaus has listed it on its spammers blacklist, to the Dutch firm’s considerable annoyance.

Whether that irritation spawned the massive DDoS attack remains to be seen, but investigators in the Netherlands, UK, and US are very keen to find out who was behind it. Last month’s attacks on the Spamhaus servers saw 300Gbps of traffic coming from an estimated 30,000 unique DNS resolvers – including inadvertently from El Reg‘s own Trevor Pott – and internet traffic was slowed as a result of the enormous flows in data. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/26/police_arrest_spamhaus_ddos_suspect/