Monday, December 15, 2014

Justification for Your Paranoia

I'm busy investigating a ransomware infection on my company's internal fileshare. In the meantime, here is your next dose of security nonsense...


1) Someone hacked a space-ship!
Last Friday, NASA launched their Orion spacecraft for the first time. That spacecraft carries the names of 1.3 million people and might also store a (not-malicious but unapproved) payload injected by researchers at Germany-based Vulnerability Lab.
In October, NASA launched a website where users could get a "boarding pass" to fly their name on Orion's first flight. However, the fields where users entered their first name and their last name were plagued by an input validation vulnerability.
Benjamin Kunz Mejri, of Vulnerability Lab, said he reported the vulnerability to NASA, but not before injecting three payloads to test the flaw. NASA addressed the issue and put Mejri's name on a "No Fly List", but it is believed that the agency spotted only two of the payloads, while one passed the verification process. Mejri found that one of his test payloads was still marked as a valid ticket for the Orion flight scheduled for December 4.
Despite the injected stowaway code, Orion's flight was virtually flawless, landing in the Pacific only a mile and a half off target. NASA claims the chip storing the names was isolated and non-executable and therefore posed no risk to the spacecraft.

2) Yes, you can even hack your coffee machine...
As a non-coffee-drinker, I don't particularly care about this one, but plenty of my friends might. The oh-so-popular Keurig 2.0 coffee machine is designed to only use genuine Keurig-approved coffee K-Cups (a design choice that was the subject of an antitrust lawsuit earlier this year). However, a flaw in the verification method can allow you to use unauthorized K-Cups: the Keurig 2.0 never checks whether the K-Cup foil lid it reads for verification has already been used, so a genuine lid can simply be re-used.
Step 1: Attacker uses a genuine K-Cup in the Keurig machine to brew coffee or hot chocolate.
Step 2: After brewing is complete, attacker removes the genuine K-Cup from the Keurig and uses a knife or scissors to carefully remove the full foil lid from the K-Cup, ensuring to keep the full edges intact. Attacker keeps this for use in the attack.
Step 3: Attacker inserts a non-genuine K-Cup in the Keurig, and closes the lid. Attacker should receive an "oops" error message stating that the K-Cup is not genuine.
Step 4: Attacker opens the Keurig, leaving the non-genuine K-Cup in the Keurig, and carefully places the previously saved genuine K-Cup lid on top of the non-genuine K-Cup, lining up the puncture hole to keep the lid in place.
Step 5: Attacker closes the Keurig, and is able to brew coffee using the non-genuine K-Cup.
In the business we would call this a "spoofing vulnerability", but for you coffee lovers, just call it "Freedom from oppression". Here is a handy video demonstration. Go forth and enjoy whatever single-cup insta-caffeine you like.

3) The Iranians have a Cleaver...
In 2010 Iran's infrastructure was affected by a computer worm known as Stuxnet, which significantly damaged Iran's nuclear fuel enrichment program. Well, it looks like they are getting their revenge...
According to a report by security firm Cylance, an ongoing, two-year-long attack by pro-Iranian hackers has compromised critical infrastructure in 16 different countries, targeting more than 50 companies (including airports, hospitals, telecoms, chemical manufacturers, and others).
Cylance researchers wrote: "The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure. Fully compromised VPN credentials meant their entire remote access infrastructure and supply chain was under the control of the Cleaver team, allowing permanent persistence under compromised credentials. They achieved complete access to airport gates and their security control systems..."
You get the picture.
And, just for giggles I guess, they wiped out the network of a Vegas casino.

4) So you want your watch to be Smart?

First people wanted smartphones, then they wanted tablets, then connected devices in the home... now it's all about the wearables, with so-called "Smart Watches" being the new hotness. What should be obvious is that, if everything prior is still hackable, of course your fancy new watch is.
When paired with a phone, everything from SMS to e-mail to Facebook notifications is constantly being sent to your watch via Bluetooth. This transmission is obfuscated, but only by a 6-digit PIN, which is historically easy to break (there are only 1 million possible combinations).
Researchers from security firm Bitdefender mounted a proof-of-concept hack against a Samsung Gear Live smartwatch that was paired with a Google Nexus 4 running Android L. Using readily available hacking tools, they found that the PIN obfuscating the Bluetooth connection between the two devices was easily brute-forced. From that point on, they were able to monitor the information passing between the watch and the phone in plaintext. They even made a handy video showing how they did it.
On the plus side, Bluetooth has a pretty short range, so an attacker would have to be sitting right behind you to intercept the communication and brute-force the PIN. So... just don't use it in a coffee shop/airport/other location with lots of people with laptops in close proximity...