Friday, February 20, 2015

Justification for Your Paranoia

Thursday, February 26th is "Internet Slowdown Day" to demand Net Neutrality. It's also when the FCC is scheduled to vote. Hurry up and e-mail or call your legislators and tell them to support reclassifying broadband under Title II of the Communications Act.




A few more things of interest from my professional life...


1) Black Hats vs. Black Phones
In my very first post in this series, I mentioned the BlackPhone, in passing, as a thing that had a lot of promise. There is a lot to be said for designing phones with privacy and security in mind. Of course, such plans don't always pan out. The BlackPhone has gotten a lot of good press over the last year for its end-to-end encryption on all voice and text messaging, and has become a leader in the budding secure phone industry. Of course someone was going to find something wrong with that eventually...
In late January, a memory corruption vulnerability in the BlackPhone was discovered, or, more specifically, in Silent Circle Instant Message Protocol. SCIMP is used for sending text messages and files securely, but this vulnerability would cause the exact opposite. Using the flaw would allow an attacker to execute arbitrary code with the privileges of the messaging application. The flaw could be leveraged by a hacker to decrypt messages, take over Silent Circle accounts, access contacts, collect location information, and write data to external storage. An attacker could have also executed a privilege escalation exploit that would enable him to take complete control of the targeted handset.
The BlackPhone attack utilizes type confusion and could be triggered by sending targets a specially designed payload that allowed an attacker to overwrite a pointer in memory, paving the way to replacing normal contents with malicious ones. 
But don't go discounting the product yet. BlackPhone worked fast to fix the vulnerability, and the company announced a new bug bounty program to encourage researchers to find any other such problems. Despite the embarrassment this bug caused, if they can maintain such a quick turnaround on fixes, BlackPhone is still worth the $$.
 Or, if you cannot afford an actual BlackPhone, the SCIMP text app, Silent Text, is available for free on google play for your android. If you want to take it a step further, this tutorial shows how to remove or disable your android phone's excess sensors and use SnoopSnitch to reduce your chances of your communications being intercepted by third parties. SnoopSnitch will run on any rooted phone running Android 4.1 or higher, and constantly monitors communications on your phone to alert you to mobile network security issues, fake cellular base stations and more.
2) Want to hack a Gas Station?
In late January, HD Moore from Rapid7 disclosed that over 5800 Automated Tank Gauges at gas stations around the world were publicly accessible. Of those 5800, 5300 of them were in the US. In addition to the US, vulnerable ATGs were also discovered in Spain, Puerto Rico, Canada, Germany, Italy, New Zealand, Uruguay, France and Slovenia. Now 5300 is only a small fraction of the more than 115,000 refueling stations in the US.
Anyone connected to the internet can now view the in-tank inventories of the gas stations and manage the gas tanks. There are over 600 commands that can be executed, some of which include setting alarm thresholds, editing sensor configurations, running tank tests, or causing the tank to report as full or empty when it is not. Or, if you really wanted to cause some headaches, have the ATG report a leak which will shut down the tank and pump completely. 
To make things more fun Kyle Whilhoit at Trend Micro reports that more than 1500 devices used to monitor gas pumps were also vulnerable. These vulnerable devices have been actively exploited, including one pump that had its identifier changed from "DIESEL" to "WE_ARE_LEGION". 
Most of the things you can do after compromising either of these kind of devices are not really consumer-beneficial (read as 'you won't get free gas out of the deal'). If you were simply interested in a little mayhem though, you could cause all kinds of supply-chain problems--dispatching trucks to fill tanks that falsely report as empty, having tanks always report full so that they never get filled, etc.
3) Don't expect your car to be smarter than yourself...
So, you went and bought an expensive new car with all the fancy connected whistles: blue tooth, wi-fi, GPS navigation systems, the ability to start your engine with an app, or open your doors when you get close using NFC. Well, all those open communication ports just makes them easier targets. Don't really count on you being the only one able to open your doors or start your engine remotely.
report released by Sen. Ed Markey, a member of the Senate Commerce Committee, makes it clear that even the political establishment is catching on to how vulnerable internet connected machines are. The report included participation by just about every automaker except Aston Martin and Tesla. Of those reporting, nearly 100% of vehicles on the market have wireless communication capabilities and only two automakers had any capability to diagnose or meaningfully respond to an electronic intrusion. Close to two years ago white hats showed that you could control a vehicles breaking and acceleration remotely by taking over the vehicles controller area network (CAN), making the need for intrusion protection a serious safety concern.
The report also showed that vehicles from twelve manufacturers are collecting data about your driving habits and history, and 50% of those transmit that stored data back to the manufacturer, much of it without encryption, and without the driver's consent. 
Then, stacked on top of all of the previous research and the Senate report, around the same time that the report came out, a security researched showed how you can spoof the ConnectedDrive in BMW vehicles to not only intercept all the driving data that is being sent back to the manufacturer, but also unlock the car by simulating a fake phone network  (a wonderful new toy for anyone interested in committing some grand theft auto). BMW was quick enough to release a patch and push it out to the connected vehicles, but that patch basically boils down to just having the car use HTTPS...
Which we hope would be the first step in building such a system...not a patch released after the fact...
4) Your Lenovo was compromised when you got it...
Last week it was revealed that Lenovo computers come pre-installed with adware that hijacks encrypted web sessions and makes user vulnerable to HTTPS man-in-the-middle attacks. According to Lenovo this affects all consumer laptops shipped between October and December of last year (which may include some sitting on shelves in Best Buys or other retailers left over from Christmas inventories).
The software called "Superfish" installs a self-signed root HTTPS certificate than can intercept all encrypted traffic for every website you visit, no matter what browser you use, and inject advertisements into all of those . Even worse, the Superfish TLS certificate is the same for every Lenovo machine, which might allow attackers to create impostor HTTPS sites (like a bank for instance) with the same cert which your computer would then not flag as a forgery. Then, of course, all of those keys are protected by the same password,  "komodia".
Lenovo has published instructions for removing the malware, but you may be better off just doing a clean install of your OS.
The underlying SSL hijack software, Komodia Redirector and Komodia SSL Digester, developed by an Israeli company called Komodia (who's website is, understandably, DDOS'd), has been found on 14 pieces of software so far, including at least one trojan, and a privacy/security tool called PrivDog.
This website will test if your machine is infected with any of the Komodia-based apps. 
5) Some places are so insecure even a 7-year-old can hack them...
It is always good when you find a free Wi-Fi connection at a coffee shop. But all of this changed for all those present the day when a seven year old girl hacked one such WAP and accessed a stranger’s laptop within minutes.
An experiment was conducted by Hide My Ass!, a VPN provider, to alert the public about the risks involved when using free, public Wi-Fi. To prove how easy and vulnerable you may be, the team at HMA gave this task to a seven year old girl.
Primary school student Betsy Davies from Dulwich in South London was able to hack into a public Wi-Fi hotspot after she searched and watched a video tutorial online which explained how to hack a network. It took 7-year old Betsy just 10 minutes and 54 seconds to hack into a Wi-Fi hotspot. She then set up a Rogue Access Point which is often used by cybercriminals to trigger a ‘man in the middle’ attack allowing her to ‘sniff’ traffic.
Professional pen-tester Marcus Dempsey watched Betsy as she made her way through by Googling everything. Of the things she Googled, there were eleven million results returned and about fourteen thousand video tutorials linked via YouTube.
Cain McKenna Charley, a member of HMA, said that the image of cyber criminals hiding away in some far flung part of the world is antiquated. They are just as likely to be sitting next to you in a coffee shop or a public library. And if a child can perform a basic hack on a Wi-Fi network in minutes, imagine the damage a professional blackhat can do.
As for the title here, by "some places" I really mean "most places". Hacking is literally child's play and we need to make sure we teach our children the ethics to go along with their computer skills.