Cyber Security Experts



Texas Shooter’s Phone Encrypted


Government and law enforcement officials may soon reignite the debate over encryption after the FBI today revealed that the dead suspect in Sunday’s Texas church shooting was using an encrypted cellphone.

FBI special agent Christopher Comb did not reveal what type of phone alleged shooter Devin Kelley was using, only that it was sent to the FBI research center in Quantico, Va.

“Unfortunately at this point in time, we are unable to get into that phone,” Comb said. “So it actually highlights an issue that you’ve all heard about before, with the advance of the technology and the phones and the encryption, law enforcement whether it’s at the state, local or federal level is increasingly not able to get into these phones.”

In early 2016, a federal magistrate ordered Apple to help the FBI break into the San Bernardino terrorist’s iPhone 5C, which was locked with a four-digit passcode that would be automatically wiped after 10 incorrect guesses.

Apple CEO Tim Cook stood nose-to-nose with the government for close to two months before the FBI found a still-unnamed third party to access the device. It’s unknown whether the FBI and its mysterious outside party were able to exploit a vulnerability on the device or used a hardware hack to access the shooter’s protected data.

The iPhone in question was Syed Farook’s work-issued device; two other personal phones owned by Farook and his wife had already been destroyed, police said. The issue raised a weeks-long debate over the legal precedent this would set in compelling a private company to build a backdoor into its product. The original court order mandated that Apple assist the FBI in unlocking the phone. To do so, Apple would have to build new firmware that would bypass security on the phone that protects against brute-force attacks against the passcode.

Apple pushed back, with the backing of dozens of experts, stating that cryptographically weakening the security of the iPhone would put all of its users at risk. Apple devices are encrypted once the user sets a passcode; the key resides with the user on the device, and Apple says that key is never in its possession.

Even though the FBI found a way onto Farook’s phone, it publicly lobbied hard for some sort of mechanism that would allow the government and law enforcement onto locked devices. Former FBI director James Comey, fired earlier this year by President Donald Trump, said in March during a talk at Boston College the growth and mainstream adoption of encrypted apps such as Signal and WhatsApp impedes law enforcement investigation and maims the intended power of judicial warrants that allow officials to seize devices related to investigations.

Current FBI director Christopher Wray said two weeks ago that the FBI has 7,000 encrypted mobile devices in its possession that it cannot unlock, calling it a “huge, huge problem.”

Comb said that the FBI will continue to work on unlocking the shooter’s device.

“We’re going to keep working on that phone and the other digital media we have, and we’re going to turn that over to the [Texas] rangers,” Comb said.


Privacy Clouds Form Over Mantistek Gaming Keyboard


Allegations a keylogger is embedded in the software of a popular gaming keyboard are dogging PC peripheral maker Mantistek.

The Chinese manufacturer is facing a blizzard of accusations that its popular GK2 Mechanical Gaming Keyboard has spyware installed and is sending keystroke data back to the company’s servers.

Roots of the claims trace back to user forum posts on online retailer Banggood’s website and on Reddit. Users there claimed a forensic analysis of network traffic revealed the keyboard was sending data that appeared to be keylogger data without a user’s explicit permission.

Keyboard sleuths maintained the Mantistek GK2 Mechanical Gaming Keyboard was using a “cloud driver” that was sending keyboard data to a Mantistek server located on Alibaba Group’s cloud infrastructure.

“So apparently the software of the Mantistek GK2 is sending all our keypress to an Alibaba.com server! This is sick, imagine the level of information they have about passwords and logins,” wrote a Reddit user on Sunday.

Within the same timeframe, a number of other privacy-minded Mantistek GK2 Mechanical Gaming Keyboard owners began more closely monitoring their keyboard’s communications. In a forum post at the site Asia, users reported that the keyboard sent keypress statistic files (/cms/json/putkeyusedata.php and /cms/json/putuserevent.php) in plain text to two Alibaba destinations.

However, the story changed two days later.

Now, according to reports by Tom’s Hardware, the prior allegations were incorrect. Further analysis of the keyboard’s behavior indicates the keyboard captured “how many times keys have been pressed” and not which keys were pressed.

“In a closer look, it seems that the Cloud Driver software doesn’t send the key presses to the Alibaba server but only how many times each key has been pressed,” Tom’s Hardware wrote Tuesday.

The theory has now shifted from Mantistek offsetting the low price of the keyboards (under $50) by selling user data to the company simply wanting to better understand the durability and failure rates of its keyboards.

Mantistek could not be reached for comment. Alibaba Group and large online sellers of Mantistek keyboards such as Amazon and Banggood did not return email requests for comment.

Even with the most glaring privacy concerns put to rest, users are still irked that Mantistek is capturing any keystroke data at all. Several simple workarounds have been posted online, ranging from disabling the keyboard’s Cloud Driver software to blocking its network access.


Assessing Weaknesses in Public Key Infrastructure


Spreading malware with a legitimate digital certificate is an adversary’s dream come true, with plenty of successful examples tracing back to nation-state attacks such as Stuxnet and Flame, and other misuse that crops up on a regular basis.

For a group of University of Maryland researchers, the nagging problems surrounding certificate abuse illustrate a shortcoming to the code-signing public key infrastructure. In an academic report released last week at the ACM Conference on Computer and Communications Security called Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI, the researchers highlighted three weaknesses.

After reviewing more than 150,000 malware samples from a 2014 data set, below, researchers found 325 malicious software programs signed with either a valid, revoked or malformed certificate.

“Digitally signed malware can bypass system protection mechanisms that install or launch only programs with valid signatures. It can also evade antivirus programs, which often forego scanning signed binaries,” wrote University of Maryland researchers Doowon Kim, Bum Jun Kwon and Tudor Dumitras.

Researchers said certificate abuse boils down to three types of weaknesses in the code signing PKI: inadequate client-side protections of certificates, publisher-side key mismanagement, and certificate authority-side verification failures.

In an example of the case of inadequate client-side protections of certificates, researchers said simply copying an Authenticode signature from a legitimate file can reduce AV detection by 20.7 percent.

In the case of publisher-side key mismanagement, the report found 72 likely compromised publisher certificates in its sample of 325. When researchers contacted eight of the publishers to notify them of the undermined certificates, five were unaware of the abuse.

Researchers said 27 certificates they examined were issued to malicious actors impersonating legitimate companies, underscoring certificate authority-side verification failures.

Researcher Kim, in an interview with Threatpost, said that the nagging problems with code signing are systemic and that PKI abuses are getting worse, not better. “We found that 80 percent of abusive certificates remain a threat for almost six years after they are first used to sign malware,” Kim said.

The study identified revoking certificates was a major problem. “We found that only 27 certificates were revoked after they should have been. The remaining untrustworthy certificates may still be trusted today as long as they carry a trusted timestamp,” according to Kim.

The researchers explain that where previous research into abuses in the code-signing ecosystem has focused on potentially unwanted programs (PUPs) such as adware, their focus was on threats that breached trust in the Windows code-signing PKI.

“While Windows operating systems have the ability to verify code-signing signatures, they often allow unsigned or improperly signed software to be installed and executed,” the report said. “If a program requires elevated privileges, UAC notifies the user and includes a message about the publisher’s identity (or lack thereof, if the signature is invalid). However, if the user chooses to grant the privilege, Windows does not take further enforcement actions.”

Part of the research also included tests against Google Chrome and Microsoft Internet Explorer 9 and their respective Safe Browsing and SmartScreen features, which protect against malicious downloads. In a test using a malformed digital certificate, researchers found that by removing the file extension (.exe), the browsers do not block the download and the browser protections are bypassed.

“Windows provides minimal protections against executables using forged signatures, while browser defenses apply only to files downloaded from the Web and can be bypassed. The last line of defense, therefore, is antivirus products,” according to researchers.

However, researchers said that incorrect implementation of Authenticode signature checks in some AV products sometimes allows malware authors to evade detection. “We believe that this is due to the fact that AVs take digital signatures into account when filtering and prioritizing the list of files to scan, in order to reduce the overhead imposed on the user’s host,” researchers said.

Researchers said they have cautioned some AV companies of the potential for incorrect implementation of Authenticode signature checks. Kim said that AV vendors have been extremely responsive.


Google Patches KRACK Vulnerability in Android


Google this week finally addressed the KRACK vulnerability in Android, three weeks after the WPA2 protocol flaw was publicly disclosed.

The KRACK patches are the most high-profile fixes in the November Android Security Bulletin, which includes three patch levels; the KRACK patches are in the Nov. 6 patch level, Google said.

A separate Google Pixel and Nexus security bulletin was also released, but it does not contain patches for KRACK.

Apple was the most recent giant tech firm to patch KRACK prior to Google. Its recent iOS 11.1 update patched KRACK in the iPhone 8, 8 Plus and X. Apple said the iPhone 7 and earlier are not impacted.

KRACK is short for key-reinstallation attacks and can be exploited by an attacker within range of a victim’s Wi-Fi network to read encrypted traffic.

The vulnerability surfaces in the four-way handshake carried out when clients join WPA2-protected networks. A pre-shared network password is exchanged during this handshake, authenticating the client and access point. It’s also where a fresh encryption key is negotiated that will be used to secure subsequent traffic.

It is at this step where the key reinstallation attack takes place; an attacker on the network is able to intercede and replay cryptographic handshake messages, bypassing a mandate where keys should be used only once. The weakness occurs when messages during the handshake are lost or dropped—a fairly common occurrence—and the access point retransmits the third part of the handshake (re-using a nonce), theoretically multiple times.

An attacker sniffing the traffic could replay it offline and piece together enough information to steal secrets.
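To make the nonce-reuse point concrete, here is an added Python model (example code written for this page; it is not from the article, Google, or the KRACK researchers). The keystream function is a constructed stand-in for AES-CCMP, and the key and frames are constructed sample values; what the model preserves is the single property the attack relies on: reinstalling the same pairwise key resets the packet nonce, so two frames end up encrypted under the same keystream, and a passive observer who can guess one frame’s contents (a predictable header, say) recovers the other’s. The patched supplicant’s behaviour, refusing to install a key that is already in use, is shown alongside as the mitigation.

```python
"""Why a reinstalled WPA2 pairwise key breaks confidentiality, reduced to the
essential property: a stream cipher must never reuse a (key, nonce) pair.
The keystream below is a constructed stand-in for CCMP, not the real cipher;
the Supplicant models only the key-installation step the article describes."""
import hashlib
from typing import List, Optional, Tuple


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter), expanded to `length` bytes.
    Like CCMP/GCMP, the same key and nonce always yield the same keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key + nonce.to_bytes(6, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the four-way handshake, modelling only key installation."""

    def __init__(self, reject_reinstall: bool) -> None:
        self.reject_reinstall = reject_reinstall  # True = patched behaviour
        self.ptk: Optional[bytes] = None
        self.nonce = 0

    def receive_msg3(self, ptk: bytes) -> None:
        # A retransmitted (or replayed) message 3 carries the same PTK. A patched
        # supplicant refuses to install a key already in use; a vulnerable one
        # installs it again, which resets the packet nonce back to the start.
        if self.reject_reinstall and ptk == self.ptk:
            return
        self.ptk = ptk
        self.nonce = 0

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.nonce += 1
        ct = xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))
        return self.nonce, ct


# Constructed sample: a frame whose plaintext an observer can predict.
KNOWN_HEADER = b"constructed: a frame whose plaintext the observer can guess"


def run_handshake(reject_reinstall: bool, secret: bytes) -> List[Tuple[int, bytes]]:
    """Returns the (nonce, ciphertext) frames a passive observer would capture."""
    client = Supplicant(reject_reinstall)
    ptk = b"constructed-pairwise-key"      # constructed sample key, not a real PTK
    client.receive_msg3(ptk)               # legitimate message 3: key installed
    frames = [client.send(KNOWN_HEADER)]   # first data frame: predictable content
    client.receive_msg3(ptk)               # replayed message 3: the attack step
    frames.append(client.send(secret))     # second data frame: the sensitive data
    return frames


def recover_from_nonce_reuse(frames, known_plaintext: bytes) -> Optional[bytes]:
    """Observer logic: two frames with the same nonce share a keystream, so
    XOR-ing the ciphertexts cancels it; a known plaintext then reveals the other."""
    seen = {}
    for nonce, ct in frames:
        if nonce in seen:
            return xor(xor(seen[nonce], ct), known_plaintext)
        seen[nonce] = ct
    return None


if __name__ == "__main__":
    secret = b"constructed secret: session cookie"
    print("vulnerable:", recover_from_nonce_reuse(run_handshake(False, secret), KNOWN_HEADER))
    print("patched:   ", recover_from_nonce_reuse(run_handshake(True, secret), KNOWN_HEADER))
```

The vulnerable run recovers the secret frame outright; the patched run yields nothing because the second frame is sent under nonce 2. Real CCMP also resets the replay counter on reinstallation, which is what lets the replayed message 3 be accepted in the first place, but the confidentiality loss is entirely the keystream reuse shown here.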

Google shared the updates with its Android partners and OEMs last month and said source code patches should be available in the Android Open Source Project repository some time today.

In addition to KRACK, Google warned of critical vulnerabilities in its Media framework, a monthly ritual since the Stagefright vulnerabilities. Remote attackers could use crafted media files in order to execute arbitrary code on Android devices through these bugs.

Google said that none of the bugs it patched have been publicly attacked.

The Nov. 1 patch level addresses seven bugs in the Media framework, five of them rated critical affecting most versions of Android.

The Nov. 5 patch level contains patches for a handful of worrisome Qualcomm component vulnerabilities that enable kernel-level access.

Researcher Scott Bauer privately disclosed six flaws that were patched this week that could be remotely exploited. Bauer said in a report he published this week that two other remotely exploitable flaws he disclosed remain unpatched.

The most critical of fixed bugs is CVE-2017-11013, Bauer told Threatpost.

“They’re all kernel bugs. But this one is the one that scares me the most,” Bauer said. “The reason why this is the worst one is because it is a bug in the kernel that a remote attacker can hit. This bug also, without getting technical, has the possibility for real hackers to start using.”

Bauer said the vulnerabilities are in the qcacld Qualcomm/Atheros Wi-Fi driver. He said he’s aware of the driver shipping in at least two Android phones: the Pixel (and Pixel Gen2 and 5x).

Bauer said this particular flaw is most dangerous because it is remote and a proximal bug into the kernel.

“All that would have to happen is someone would have to trick you into connecting onto a wireless access point. They could name it the same as your home Wi-Fi, with the same MAC address as your home Wi-Fi and your phone would connect automatically,” Bauer said. “Once the connection happens, your phone is compromised with no sign to the user.”


Hundreds of Millions in Digital Currency Remains Frozen


Between $150 million and $300 million in digital currency called ether remains inaccessible today after a user said he “accidentally” triggered a vulnerability that froze the funds in the popular Parity wallet.

Parity Technologies issued an advisory warning users about the flaw in the Parity Wallet library contract affecting users with assets in a standard multi-sig contract deployed after July 20, one day after the original bug in this saga had been patched. Parity said in its advisory:

“However that code still contained another issue—it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”

Researcher Matt Suiche of Comae Technologies said in a post that the user in question who goes by the handle devops199 was able to first take over the library and then kill it; the library was used by all multisignature wallets created after July 20.

“The newly deployed contract, 0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4, contains a vulnerability where its owner was uninitialized,” Suiche wrote. “Although, the contract is a library it was possible for devops199 to turn it into a regular multi-sig wallet since for Ethereum there is no real distinction between accounts, libraries, and contracts.”

In a report published on CoinDesk.com, Ethereum Foundation head of security Martin Holst Swende said that the funds can only be made accessible through a hard fork of the Ethereum blockchain via an emergency update.

Parity Technologies operates independently of the Ethereum Foundation.

The July 19 bug was devastating as well. About $30 million in ether was stolen from a Parity wallet after attackers exploited a vulnerability in the software. Parity said three wallet addresses had been compromised and advised users to immediately move assets in the affected wallet to a secure address.

That’s not the case this time around since no funds can be moved out of the wallets.

“We are analyzing the situation and will release an update with further details shortly,” Parity said yesterday.


Eavesdropper Vulnerability Exposes Mobile Call, Text Data


UPDATE Mobile app developers who code using the Twilio cloud-based platform and are forgetful about removing their hardcoded credentials have put businesses’ messaging data at risk of exposure.

The so-called Eavesdropper vulnerability, disclosed today by Appthority, has been around since 2011 and in apps downloaded likely more than 200 million times.

The researchers privately reported the bug in July; they found 685 enterprise apps (56 percent of them iOS apps) linked to 85 Twilio developer accounts. Many of the apps have been removed from the respective Apple and Google stores but as of August, 75 still remained on Google Play and 102 on the App Store.

“The affected Android apps had been downloaded up to 180 million times,” Appthority said. “Approximately 33 percent of the Eavesdropper apps found are business related. The exposure has been present since 2011. The scope of the exposure is massive including hundreds of millions of call records, minutes of calls and audio recordings, and text messages.”

Appthority said the hardcoded credentials afford an attacker “global access” to metadata in the developers’ Twilio accounts, including text messages, call metadata and recordings.

“Eavesdropper poses a serious enterprise data threat because a would-be attacker could access confidential knowledge about a company’s business dealings and make moves to capitalize on them for extorting actions or personal gain,” Appthority said, adding that it did not listen to any of the exposed recordings, but based on the types of apps, it’s not far-fetched to assume sensitive business transactions were discussed and negotiated on these calls.

“A motivated attacker with automated tools to convert the audio to text and search for specific keywords will almost certainly be rewarded with valuable data,” Appthority said.

A request for comment to Twilio was not returned in time for publication. Twilio’s documentation provides guidance on securing credentials.

“Hard-coding API credentials isn’t a vulnerability as much as it is a poor coding practice, well-known to both the security and API industries. We’ve discouraged this practice for some time throughout our documentation and developer outreach,” Twilio said in a statement sent to Threatpost. “Appthority identified apps running in their customer environments where developers had done this, representing a very small fraction of the total accounts on Twilio.”

Appthority said an attacker would first need to find exposed enterprise apps built on Twilio; some market themselves as such. Using a YARA rule, for example, an attacker could then search for specific strings in order to identify Twilio IDs and either tokens or passwords authenticating the developer to the platform. Once having access to an account, Appthority said it would be trivial to exfiltrate call and messaging data.
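The same string signature that makes these apps findable is what a development team can run against its own build artifacts before release. The following Python is an added example (written for this page, not Appthority’s or Twilio’s tooling) that scans extracted app strings for Twilio Account SIDs (the “AC” prefix followed by 32 hex characters), API key SIDs (“SK” prefix), and co-located 32-hex-character secrets, including the basic-auth URL form in which the SID and token travel together. The input files are constructed samples; findings are redacted so a scan report never becomes a second copy of the secret.

```python
"""Pre-release secret scan for hardcoded Twilio credentials in app string tables.
Constructed example; run it over the strings extracted from an APK/IPA (smali,
resources, embedded config) in CI, before the build is published."""
import re
from typing import Dict, List

# Twilio Account SIDs are "AC" + 32 hex chars; API key SIDs are "SK" + 32 hex.
SID_RE = re.compile(r"\b(?:AC|SK)[0-9a-fA-F]{32}\b")
# Auth tokens are 32 hex chars with no prefix. On their own they look like any
# hash, so a bare token only counts when a SID sits in the same file.
TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Strongest signal: SID and secret embedded together as HTTP basic-auth credentials.
URL_CRED_RE = re.compile(
    r"https?://(AC[0-9a-fA-F]{32}):([^@\s\"'<>]+)@api\.twilio\.com", re.IGNORECASE
)


def redact(secret: str) -> str:
    """Enough to locate the finding in source, not enough to reuse it."""
    return secret[:6] + "..." + secret[-2:]


def scan_strings(filename: str, text: str) -> List[dict]:
    findings: List[dict] = []
    reported = set()
    for m in URL_CRED_RE.finditer(text):
        findings.append({"file": filename, "kind": "credential_pair",
                         "sid": redact(m.group(1)),
                         "evidence": "SID and secret embedded in a basic-auth URL"})
        reported.add(m.group(1))
    sids = [m.group(0) for m in SID_RE.finditer(text) if m.group(0) not in reported]
    tokens = TOKEN_RE.findall(text)
    for sid in dict.fromkeys(sids):  # keep order, drop duplicates
        if tokens:
            kind, evidence = "credential_pair", "SID co-located with a 32-hex-character token"
        else:
            kind, evidence = "sid_only", "account SID without an adjacent secret"
        findings.append({"file": filename, "kind": kind, "sid": redact(sid),
                         "evidence": evidence})
    return findings


def scan_all(files: Dict[str, str]) -> List[dict]:
    return [f for name, text in files.items() for f in scan_strings(name, text)]


# Constructed sample "extracted strings"; the SID and token are obviously fake.
SAMPLE_FILES = {
    "smali/Config.smali":
        'const-string v0, "AC0123456789abcdef0123456789abcdef"\n'
        'const-string v1, "feedfacefeedfacefeedfacefeedface"\n',
    "res/values/strings.xml":
        '<string name="api">https://AC0123456789abcdef0123456789abcdef:'
        'feedfacefeedfacefeedfacefeedface@api.twilio.com/2010-04-01/Accounts</string>',
    "lib/Logger.java":
        'System.out.println("cache id 0123456789abcdef0123456789abcdef");',
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_FILES):
        print(finding)
```

The third sample file contains a bare 32-hex string with no SID and produces no finding; that trade-off (missing a token stored far from its SID in exchange for a usable signal-to-noise ratio) is worth stating in the scan policy. Any hit of kind `credential_pair` should trigger key rotation on the Twilio side before the fix ships, since the credential has to be assumed exposed once it has been in a published build.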

“The attacker only needs to perform reconnaissance, exploitation, and exfiltration actions,” Appthority said. “There is no need to perform weaponization or the other steps as the files are undefended. Once the messaging and audio files have been exfiltrated, the attacker can run a simple script to convert audio files to text and search the text for keywords that would lead to proprietary or sensitive data.”

Twilio said it has notified each customer with an app identified by Appthority and has been working with them to rotate their API keys and implement secure solutions.

“We do not have any evidence that data shared through these apps was accessed by an unauthorized party,” Twilio said. “Many of those apps had long been decommissioned by their developers. Again, this is an example of poor coding practices, and in no way specific to Twilio.”

Earlier this year, Appthority disclosed the Hospital Gown vulnerability, which was linked to developers’ failure to secure backend servers communicating with mobile apps. Many of those servers are on platforms such as Elasticsearch, MongoDB and MySQL. Appthority said it found 21,000 exposed Elasticsearch servers and 43 terabytes of exposed data.


Microsoft Provides Guidance on Mitigating DDE Attacks


Despite a rash of attacks leveraging Dynamic Data Exchange fields in Office, including some spreading destructive ransomware, Microsoft has remained insistent that DDE is a product feature and won’t address it as a vulnerability.

Microsoft on Wednesday did, however, put some guidance in admins’ hands as to how to safely disable the feature via new registry settings for Office. Each one comes with a caveat that data between applications will no longer update automatically; this would particularly affect Excel users who rely on this live feed of data to keep spreadsheets automatically updated.

DDE is a protocol that establishes how apps send messages and share data through shared memory, Microsoft said.

Attackers that have found great success in the past 18 months with macro-based malware have re-invigorated their interest in using DDE to launch droppers, exploits and malware.

“In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email,” Microsoft said. “The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.”

Attacks leveraging macro malware weren’t finding much of an impediment in tricking users into enabling macros—which are off by default in Office—with clever social engineering through subject lines and attachments related to day-to-day business operations such as shipping notifications and invoices.

In Microsoft’s advisory published yesterday, it recommended enabling security-related feature control keys for Office 2016 and 2013 that will disable the automatic update of data from linked fields.

In Excel, Microsoft provided instructions on how to disable DDE via the registry editor or the user interface.

“Disabling this feature could prevent Excel spreadsheets from updating dynamically if disabled in the registry,” Microsoft said. “Data might not be completely up-to-date because it is no longer being updated automatically via live feed. To update the worksheet, the user must start the feed manually. In addition, the user will not receive prompts to remind them to manually update the worksheet.”

For Outlook, setting the respective registry key will disable DDE updates as well as OLE links, the modern replacement for DDE. In Publisher, Microsoft recommends setting the same registry key for Word that will also disable both DDE and OLE.

In the Windows 10 Fall Creator Update, Microsoft recommends using Windows Defender Exploit Guard to block DDE malware, specifically with its Attack Surface Reduction component that blocks behaviors exhibited by these malicious documents. Microsoft says ASR will block Office apps from creating executable content, launching child processes and injecting into processes. It will also block macro code and block Win32 imports from macro code.

DDE-based attacks surfaced in mid-October when SensePost published a proof-of-concept attack demonstrating how an attacker would use DDE to run code on a machine. The company said it privately disclosed its research in August, and Microsoft responded in late September that DDE was a feature and that no further action would be taken.

A week later, the SANS Internet Storm Center reported an increase in traffic from the Necurs botnet that was spreading Locky ransomware using the DDE attack. A spam campaign was opting for the DDE technique in Word document attachments rather than macros, which had been for some time the preferred means of downloading malware from a remote server.

Attacks using DDE are also likely to bypass antimalware and intrusion prevention scanners given that it’s likely a whitelisted feature.
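Where the feature cannot be disabled outright, the documents themselves can be inspected at the mail gateway or on the endpoint. The following Python is an added example (written for this page, not Microsoft’s, SensePost’s or SANS’s code) that opens a .docx, reassembles Word field codes and flags any DDE or DDEAUTO field. The reassembly matters: Word stores complex fields as a begin marker, one or more instruction runs and an end marker, so an instruction split across runs (the constructed sample splits “DDE” from “AUTO”) defeats a plain grep of the XML but not a scanner that joins the runs. The sample documents are constructed in memory; the field arguments are placeholders, not a real command.

```python
"""Detect DDE/DDEAUTO field codes in .docx files by reassembling Word fields.
Constructed example: the documents below are built in memory for the demo."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_instructions(xml_bytes: bytes) -> List[str]:
    """Return every field instruction in a WordprocessingML part, with
    complex-field instruction runs (fldChar begin ... end) joined together.
    Nested fields are folded into the outermost one so QUOTE wrappers
    cannot hide the inner keyword."""
    root = ET.fromstring(xml_bytes)
    fields: List[str] = []
    current: List[str] = []
    depth = 0
    for el in root.iter():  # document order
        if el.tag == W + "fldSimple":
            fields.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                if depth == 0:
                    current = []
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    fields.append("".join(current))
        elif el.tag == W + "instrText" and depth > 0:
            current.append(el.text or "")
    return fields


def scan_docx(data: bytes) -> List[dict]:
    """Scan every XML part under word/ (body, headers, footers, footnotes)."""
    hits: List[dict] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for instr in field_instructions(zf.read(name)):
                if DDE_RE.search(instr):
                    hits.append({"part": name, "field": instr.strip()})
    return hits


def make_docx(document_xml: str) -> bytes:
    """Build a minimal .docx-shaped zip for the demo (constructed, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


NS = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'

# Constructed sample: the DDEAUTO keyword is split across two instruction runs.
SPLIT_FIELD_DOC = f"""<w:document {NS}><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve">DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO "placeholder-application" "placeholder-topic"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>Click to update</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""

# Constructed sample: ordinary PAGE and DATE fields, which must not be flagged.
BENIGN_DOC = rf"""<w:document {NS}><w:body><w:p>
<w:fldSimple w:instr=" PAGE \* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DATE \@ "d MMMM yyyy" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""

if __name__ == "__main__":
    print("split field:", scan_docx(make_docx(SPLIT_FIELD_DOC)))
    print("benign doc: ", scan_docx(make_docx(BENIGN_DOC)))
```

Because a DDE field has no legitimate place in mail-borne invoices or shipping notices, a single hit is enough to quarantine the attachment for review; the reassembled instruction in the finding tells the analyst what the document would have tried to launch without anyone opening it.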

“Apparently, DDE and macros are both legitimate features in Microsoft Office.  Both have been used in malware attacks. In both cases, Office documents from malicious spam provide warnings to let a victim know what’s going on. To fix the issue, you’d have to remove the DDE entirely,” said SANS ISC handler Brad Duncan in an interview with Threatpost last month. “If DDE is a functionality, then yes, I agree with Microsoft’s statement that it won’t be patched. However, many articles about DDE state it’s been superseded by OLE functionality. If so, why doesn’t Microsoft get rid of DDE entirely?  Are there any legitimate DDE cases that require Microsoft to retain this backwards compatibility?”


IoT is Insecure, Get Over It! Say Researchers


BOSTON—Noted security experts Charlie Miller and Chris Valasek said the Internet of Things can’t be secure, but it can be tamed.

Drawing from their car hacking experience, the two spent the morning contemplating the larger universe of IoT security and conceded that there will always be thousands of connected devices that will never be secure, and that industry should prioritize personal safety and the security of automobiles and medical devices, for example, over toothbrushes and door locks.

“We write code and we are not perfect. The problem is, great security is expensive. You can’t just keep looking for vulnerabilities. You need to ship product and accept the fact you can’t solve security,” said Miller, who, along with Valasek, is a principal autonomous vehicle security architect at GM’s Cruise Automation. The comments were made during a keynote at Black Duck Software’s Flight 2017 conference.

The problem, they said, is if a business’s core mission is not security or personal safety, it’s never going to be cost effective to build world-class security into the devices it makes. Device makers can’t sell great IT security as a product feature and can’t pass the cost on to the customer.

“A locked-down IoT toothbrush with a secure platform would cost millions to develop and millions more to maintain,” Valasek said. The cost to consumers would be $400 a toothbrush and would eventually fail against the $4 Internet-enabled toothbrush advertised with “good” security.

“Unlike a car salesman up-selling you to spend more on airbags, a software company can’t up-sell you on a security package,” Miller said. “A developer can’t tell a potential customer, if you want a security package with your software, that will cost you $1,000 more.”

The problem then becomes quantifying the type of security a product might need. For example, there is a big difference between an insecure connected toaster and security cameras hijacked to carry out DDoS attacks. Prioritizing which needs more security is a challenge, they said.

Citing hacked insulin pumps, pacemakers and automobiles, both advocated the security community focus a disproportionate amount of time on those security challenges versus others.

“We learn from our mistakes. We were bad on security with a lot of these things like servers and browsers. And now we are better. And that’s fine,” Miller said. “People want to solve security. But you can’t. You are never going to make it impossible to hack something. But, you can make it really hard.”

Looking toward the future, autonomous vehicles present a special challenge, the researchers said. “Autonomous vehicles are the next-level things to worry about in hacking cars,” Miller said.

“When we were hacking Jeeps we had steering wheels and brake pedals to fall back on if a hack went wrong,” Valasek said. “Without either of those you’re screwed if your car gets hacked.”

“In 2014 it was an accident our Jeep’s CAN-BUS had so much access to the car’s functions and that Sprint allowed us to see the car’s head unit. With autonomous vehicles, they are designed to have outside input,” Miller added. Miller and Valasek said security needs to be the first thought and paramount with autonomous vehicles. For the bulk of companies building connected things, security shouldn’t be their primary concern.

“If you’re a company worried about being attacked, it’s not internet-enabled lightbulbs that you have to worry about. It wasn’t an Equifax toaster that led to 145 million people who got their personal data leaked,” Valasek said. Thwarting server breaches and network hacks takes more conventional meat-and-potatoes security defenses.

“It’s fun to talk about hacking IoT devices. But, don’t let it distract you from protecting against the real way your enterprise could get hacked. Focus on real attacks,” Miller said. “Don’t be surprised if the IoT toothbrushes of the world get hacked. Focus on the important stuff.”


Spambot Contains ‘Mind-Boggling’ Amount of Email, SMTP Credentials

Researchers have managed to penetrate a spam bot and uncover a massive list of 711 million records that includes email addresses, email and password combinations (some in cleartext), and SMTP credentials and configuration files.

Troy Hunt who runs the Have I Been Pwned service called it a “mind-boggling amount of data.”

“Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe,” Hunt wrote in an analysis of the data.

The spambot is called Onliner and it’s been around since 2016 and is best known for spreading the Ursnif banking Trojan. A researcher known as Benkow has studied and reported on Onliner for months; he found an open directory in an Onliner server hosted in the Netherlands and was able to grab more than 50 GB of data likely culled from the multitude of breaches and data dumps reported last year.

Hunt said that as of yesterday, the server was still up and running and law enforcement had been notified.

Benkow, meanwhile, said he found 80 million credentials among the data, though he added it’s near impossible to determine where they all came from. He was able to determine that about two million came from a Facebook phishing campaign, and that none of those addresses were yet listed on Have I Been Pwned. Hunt’s site is a free resource where users may enter an email address and learn whether it has been part of a publicly known breach.

More than one billion records containing personal information, including email addresses, were exposed in 2016 alone as a rash of leaked data from numerous breaches was put up for sale or made available to the public.

“That’s the unfortunate reality for all of us: our email addresses are a simple commodity that’s shared and traded with reckless abandon, used by unscrupulous parties to bombard us with everything from Viagra offers to promises of Nigerian prince wealth,” Hunt wrote. “That, unfortunately, is life on the web today.”

Benkow said the SMTP credentials and configuration information are the key to this particular set of data. Antispam solutions, reputation services, and firewall rules have put a dent in spammers’ ability to send unwanted emails the old-fashioned way, by scanning the internet for vulnerable SMTP servers running in Open Relay mode or with weak credentials.

Additional steps are required today, generally starting with a website exploit that leads to the compromised site hosting a PHP script used to send email, or malware used to infect computers and send spam. These methods, however, don’t scale well without SMTP credentials, Benkow said.

“Indeed, to send spam, the attacker needs a huge list of SMTP credentials. To do so, there are only two options: create it or buy,” Benkow wrote. “And it’s the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign.”

Ursnif, for example, contains two modules used to send spam and create a list of SMTP credentials. Email addresses and credentials are fed to the module, which tries to send an email using this combination, he said. Any that fail are ignored. The good ones are added to a growing list of usable credentials.
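A defender-side counterpart to the credential validation described above, as an added example that is not from the article: it scans mail-server authentication log lines in a constructed, simplified format (timestamp, source IP, username, result; an assumption, not any MTA's real format) and flags sources that try many distinct usernames in a short window, which is what a validator working through a stolen credential list looks like from the server.

```python
"""Flag SMTP credential-validation bursts in mail-server auth logs (added
example, not from the article). The log format is a constructed, simplified
one (ISO timestamp, source IP, username, result); adapt LINE_RE to your MTA.
Validators of stolen credentials try many username/password pairs from one
source and keep the ones that work, so the server-side signature is one
source, many distinct usernames, mostly failures, inside a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) src=([\d.]+) user=(\S+) result=(ok|fail)$")

def find_validation_bursts(lines, window=timedelta(seconds=60), min_users=5):
    """Return {src: {"users": n, "failures": f, "successes": [user, ...]}} for
    each source that used >= min_users distinct usernames within `window`."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than crashing the scan
            ts, src, user, res = m.groups()
            by_src[src].append((datetime.fromisoformat(ts), user, res))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) >= min_users:
                alerts[src] = {
                    "users": len(users),
                    "failures": sum(r == "fail" for _, _, r in win),
                    "successes": sorted(u for _, u, r in win if r == "ok"),
                }
                break
    return alerts

# Constructed sample: one validator source and one legitimate user retrying a typo.
SAMPLE_LOG = [
    "2017-08-30T10:00:01 src=203.0.113.5 user=alice@example.net result=fail",
    "2017-08-30T10:00:02 src=203.0.113.5 user=bob@example.net result=fail",
    "2017-08-30T10:00:03 src=203.0.113.5 user=carol@example.net result=ok",
    "2017-08-30T10:00:04 src=203.0.113.5 user=dave@example.net result=fail",
    "2017-08-30T10:00:05 src=203.0.113.5 user=erin@example.net result=fail",
    "2017-08-30T10:05:00 src=198.51.100.7 user=alice@example.net result=fail",
    "2017-08-30T10:05:09 src=198.51.100.7 user=alice@example.net result=ok",
]
```

Running `find_validation_bursts(SAMPLE_LOG)` flags only 203.0.113.5, and the `successes` list is the set of accounts whose credentials the validator confirmed, which is where a defender should start forcing password resets.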

Benkow shared his findings with Hunt, who has since made all of it searchable in Have I Been Pwned. Hunt found a lot of overlapping data among the files he analyzed, including some poorly parsed data, which indicates that the number of people involved is likely a lot fewer than 711 million. Nonetheless, one file alone contained 1.2 million email addresses and cleartext passwords, many of which are likely from the LinkedIn breach, which leaked passwords as unsalted SHA1 hashes. Many of these passwords were likely quite easy to crack, Hunt said.

Another file contained 4.2 million email addresses and passwords, and each one, according to Hunt and Have I Been Pwned, was found in a list from the Exploit[.]In underground forum.

Hunt also found in separate files thousands of records containing email addresses, passwords and SMTP server and port designations (25 and 587).

“This immediately illustrates the value of the data: thousands of valid SMTP accounts give the spammer a nice range of mail servers to send their messages from,” Hunt said. “It took HIBP 110 data breaches over a period of 2 and a half years to accumulate 711m addresses and here we go, in one fell swoop, with that many concentrated in a single location. It’s a mind-boggling amount of data.”


Siemens Fixes Session Hijacking Bug in LOGO!, Warns of Man-in-the-Middle Attacks

Administrators who have Siemens’ LOGO! logic module deployed in automation setups are being urged to update its firmware.

The German industrial manufacturing giant pushed out an update for its LOGO! 8 BM devices Wednesday morning to fix a vulnerability (CVE-2017-12734) that could let an attacker hijack existing web sessions. The vulnerability affects all versions of the module prior to V1.81.2.

LOGO! is a universal logic module designed for use in small-scale automation projects. It’s commonly used in domestic and installation engineering setups, gate control systems, air conditioning systems, and rainwater pumps. The module can also communicate with SIMATIC HMI and S7 systems.

The vulnerability, discovered by Maxim Rupp, an independent security researcher based in Germany, could allow an attacker with network access to the integrated web server on port 80/TCP to obtain the session ID of an active user as long as that user is logged into the web interface.


While admins should apply the firmware update to fix the vulnerability, more concerning is a second issue (CVE-2017-12735) plaguing the logic module that has not been fixed.

The second issue could let an attacker carry out a man-in-the-middle attack between LOGO! and other devices and potentially allow them to decrypt and modify network traffic, according to a security advisory (.PDF) issued by the company’s ProductCERT team Wednesday.

Siemens is urging admins to apply four mitigations to thwart exploitation of the second vulnerability:

  • Configure the environment according to the recommendations in the user manual
  • Apply cell protection concept
  • Use VPN for protecting network communication between cells
  • Apply Defense-in-Depth

It’s unclear if Siemens plans to fix the vulnerability that could lead to a man-in-the-middle attack. The company did not immediately return a request for comment on Wednesday, but said in its advisory it strongly recommends users protect network access to the devices with appropriate mechanisms.

Siemens warned of vulnerabilities in several other products on Wednesday, including a denial of service vulnerability in its 7KM PAC Switched Ethernet PROFINET expansion modules, and scores of industrial products vulnerable to remote resource consumption attacks.

The remote resource consumption attacks could be caused if an attacker sent a collection of specially crafted packets to a server used by the products, OPC Discovery. If successful, the system could access various resources chosen by the attacker. Patches exist, but until they are deployed a number of SIMATIC devices, PCS 7, WinCC, WinCC Runtime Professional, NET PC Software, and IT Production Suite are all vulnerable, Siemens warns (.PDF). Sergey Temnikov, a senior research developer at Kaspersky Lab’s ICS-CERT, discovered the attack vector and responsibly disclosed it to the company.

Specially crafted packets could also trigger the DoS vulnerability (.PDF) in the expansion modules. Users should update to the most recent version, V2.1.3 [1], to mitigate the issue.