Wednesday, January 29, 2014

Somebody's Watching You

It turns out that your Internet-enabled baby monitor may not be very secure after all. A recently reported security flaw may allow an intruder to watch your webcam or its recorded videos simply by clicking through a prompt.

Evidently, the bug is active whenever any of the camera's eight user slots is left without a configured user ID and password. The flaw exists even on fairly recent versions of the webcam firmware.

Foscam, the camera vendor, has released a new firmware version and has provided common-sense tips for securing the webcams. Since a reported 20% of these cameras still use the default admin password, common-sense tips are not out of place.
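As an added illustration (not the vendor's code or configuration format), here is a small audit of the condition described above: a camera modelled as eight user slots is checked for empty slots, blank or default passwords, and very short passwords. The slot layout, the default-password list and the sample configurations are constructed for this example.

```python
"""Added example: auditing a camera's user slots for empty or weak entries.

The configuration model, the DEFAULT_PASSWORDS list and the two sample
configurations below are constructed for this example; they are not the
vendor's own format or values.
"""

SLOT_COUNT = 8
DEFAULT_PASSWORDS = {"", "admin", "password"}   # constructed placeholder list
MIN_PASSWORD_LEN = 8


def audit_user_slots(slots):
    """Return a list of findings; an empty list means every slot passed."""
    findings = []
    if len(slots) != SLOT_COUNT:
        findings.append(f"expected {SLOT_COUNT} user slots, found {len(slots)}")
    for index, slot in enumerate(slots, start=1):
        user = (slot.get("user") or "").strip()
        password = slot.get("password") or ""
        if not user:
            # An unpopulated slot is the condition the post says leaves the flaw active.
            findings.append(f"slot {index}: no user ID configured (flaw remains active)")
        elif password in DEFAULT_PASSWORDS:
            findings.append(f"slot {index}: blank or default password for '{user}'")
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append(f"slot {index}: password for '{user}' shorter than {MIN_PASSWORD_LEN} characters")
    return findings


# Constructed sample: factory-like state, one admin with a blank password, rest empty.
WEAK_CONFIG = [{"user": "admin", "password": ""}] + [{"user": "", "password": ""}] * 7

# Constructed sample: all eight slots populated with distinct, non-default passwords.
HARDENED_CONFIG = [
    {"user": f"operator{i}", "password": f"Xk9!long-pass-{i}"} for i in range(1, SLOT_COUNT + 1)
]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_user_slots(cfg) or ["ok"])
```

The check is deliberately conservative: a slot with a user ID but a blank password is reported as a default-password finding rather than silently counted as populated.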

Friday, January 24, 2014

NTP Vulnerability Key in DoS Attacks

A misused feature in older versions of the industry-standard NTP (Network Time Protocol) software has resulted in vulnerable systems being used as amplification servers in DoS attacks.

Because NTP uses UDP as its transport protocol, and because it answers certain queries with far more data than the query itself contains, an amplification attack can tremendously increase the amount of traffic hitting a DoS (Denial of Service) target. TCP-based services require a handshake with the initial sender before replying, which cannot complete when the sender's address is spoofed, so they are not easily usable for amplification attacks.

US-CERT has posted resolution steps for admins of systems with this vulnerability. The Open NTP Project also provides a scanner to help identify vulnerable systems.
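The ratio the paragraph above describes, reply bytes against query bytes, is also the signal a defender can pull out of flow logs to find servers that are being abused as amplifiers. The following is an added example, not code from the post or from the Open NTP Project; the flow records are constructed, and the threshold of 10x is an assumption.

```python
"""Added example: estimating UDP amplification from flow records.

The flow records below are constructed for this example and are not from
the original post. Each record is (src_ip, src_port, dst_ip, dst_port,
bytes). A server abused as an amplifier answers small datagrams on its
service port with far more bytes back to the same (spoofed) peer address,
so the outbound/inbound byte ratio per peer is the signal to watch.
"""
from collections import defaultdict

NTP_PORT = 123

FLOWS = [
    # ordinary time sync: 48-byte request, 48-byte reply
    ("198.51.100.7", 40000, "203.0.113.10", NTP_PORT, 48),
    ("203.0.113.10", NTP_PORT, "198.51.100.7", 40000, 48),
    # abused server: an 8-byte query carrying a spoofed victim address
    # triggers three 482-byte replies to that address
    ("192.0.2.55", 50123, "203.0.113.20", NTP_PORT, 8),
    ("203.0.113.20", NTP_PORT, "192.0.2.55", 50123, 482),
    ("203.0.113.20", NTP_PORT, "192.0.2.55", 50123, 482),
    ("203.0.113.20", NTP_PORT, "192.0.2.55", 50123, 482),
]


def amplification_factors(flows, service_port=NTP_PORT):
    """Map each server to the largest bytes_out / bytes_in ratio seen with any peer.

    bytes_in counts datagrams a peer sent to the server's service port;
    bytes_out counts datagrams the server sent from that port back to it.
    """
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for src, sport, dst, dport, size in flows:
        if dport == service_port:
            bytes_in[(dst, src)] += size
        if sport == service_port:
            bytes_out[(src, dst)] += size
    worst = {}
    for (server, peer), out in bytes_out.items():
        inbound = bytes_in.get((server, peer), 0)
        if inbound == 0:
            continue  # replies with no matching request: nothing to compare against
        worst[server] = max(worst.get(server, 0.0), out / inbound)
    return worst


def suspected_amplifiers(flows, threshold=10.0):
    """Servers whose worst-case ratio reaches the threshold, sorted for stable output."""
    return sorted(s for s, r in amplification_factors(flows).items() if r >= threshold)


if __name__ == "__main__":
    for server, ratio in amplification_factors(FLOWS).items():
        print(f"{server}: {ratio:.1f}x")
    print("suspected amplifiers:", suspected_amplifiers(FLOWS))
```

The same function works for any UDP service by changing service_port. For ntpd itself, the US-CERT guidance the post links to amounts to upgrading, or disabling the monitoring feature (disable monitor in ntp.conf) and restricting who may query the daemon at all.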

Details of Target Hack Revealed

Details of the Target hack are slowly becoming clear. Two coders have been associated with the malware. It appears that initial entry to the Target network was made via standard methods (e.g. weak passwords), and that the attackers' objective was the server that processed the card data. From there, the malware was installed on the POS terminals.

The malware itself captured card data from memory during the brief window in which it is held unencrypted so that authentication can take place. The data was then stored locally and transmitted to a compromised collection server on a scheduled basis.
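The scheduled transmission described above is something a defender can look for: data staged locally and pushed out on a timer produces near-constant gaps between connections from one host to one destination. The following is an added example, not code from the post or from any of the investigations it cites; the flow records, the host addresses, and the regularity threshold are constructed for the illustration.

```python
"""Added example: spotting scheduled transfers to a collection host in flow logs.

The records are constructed for this example and are not from the original
post. Each is (timestamp_seconds, src_ip, dst_ip, bytes). Data that is
staged locally and pushed out on a schedule produces near-constant
inter-arrival times between a fixed source and destination; the
coefficient of variation (stdev / mean) of those intervals is therefore
close to zero, while ordinary traffic is irregular.
"""
from collections import defaultdict
from statistics import mean, pstdev

FLOWS = [
    # a POS host pushing to an external host roughly once an hour
    (0, "10.10.1.5", "192.0.2.99", 20480),
    (3600, "10.10.1.5", "192.0.2.99", 20992),
    (7195, "10.10.1.5", "192.0.2.99", 19968),
    (10805, "10.10.1.5", "192.0.2.99", 20480),
    (14400, "10.10.1.5", "192.0.2.99", 21504),
    (18000, "10.10.1.5", "192.0.2.99", 20480),
    # the same host talking to an internal server at irregular times
    (100, "10.10.1.5", "10.10.0.2", 512),
    (400, "10.10.1.5", "10.10.0.2", 768),
    (2000, "10.10.1.5", "10.10.0.2", 256),
    (2100, "10.10.1.5", "10.10.0.2", 4096),
    (9000, "10.10.1.5", "10.10.0.2", 512),
]


def beacon_candidates(flows, min_events=4, max_cv=0.1):
    """Return (src, dst) pairs whose inter-arrival times are suspiciously regular.

    Each hit records the mean period in seconds, the event count, total bytes
    and the coefficient of variation that triggered it. min_events avoids
    judging regularity from one or two gaps; max_cv is the tolerance.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in flows:
        by_pair[(src, dst)].append((ts, size))

    hits = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        intervals = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        period = mean(intervals)
        if period <= 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(intervals) / period
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "period": period,
                "events": len(events), "bytes": sum(size for _, size in events),
                "cv": cv,
            })
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(FLOWS):
        print(f"{hit['src']} -> {hit['dst']}: every {hit['period']:.0f}s, "
              f"{hit['events']} events, {hit['bytes']} bytes, cv={hit['cv']:.3f}")
```

Regular timing alone is not proof of anything; legitimate software updates and monitoring agents beacon too. The value of the check is in pairing a regular external destination with a host class, such as a POS terminal, that has no business talking to it.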

Tuesday, January 14, 2014

Scraping Memory

Earlier this week, we finally found out what sort of attack resulted in security breaches at Target and several other retailers. It appears the attackers used a type of software known as a "memory scraper," which reads data from live memory. This lets the attacker view the data while it is in plaintext, either before it is encrypted or after it has been decrypted so that the computer or PoS (Point of Sale) terminal can process it.

Several security researchers have commented on how vociferously Target had insisted that the data on its hard drives had been encrypted using strong encryption. Memory scrapers are an attack vector that bypasses on-disk encryption altogether, because they read the data while it is in use rather than at rest.

Reuters reports:

Visa Inc issued two alerts last year about a surge in cyber attacks on retailers that specifically warned about the threat from memory parsing malware.
...
It was not clear whether Target's security team had implemented the measures that Visa had recommended to mitigate the risks of being attacked.

Yet a law enforcement source familiar with the breach said that even if the retailer had implemented those steps, the efforts may not have succeeded in stopping the attack.

Last week, Target admitted that its security breach compromised on the order of 110 million cards, which puts it in the top tier of such security breaches.

While the people responsible for the Target hack have not been identified, Krebs identified one person who has been selling credit card numbers that were stolen from Target.

UPDATE: CNET has an interesting article in which Target describes the reasons for the delay in notification about a breach that was discovered on December 15. It amounts to "we were trying to get ready for the storm."

Monday, January 13, 2014

Windows XP Security Essentials Cancelled

Besides running a lot of last-generation PCs (estimated at one third of the global installed base), Windows XP is an important platform for SCADA and other infrastructure integrated systems. Migrating or upgrading those components is likely to be expensive, and many owners of such systems have not planned for a replacement or upgrade path.

Microsoft announced that Windows XP Security Essentials will also not be available after XP is declared "unsupported" in April.

If Security Essentials is no longer available, other vendors are likely to drop support for their XP product lines as well, including anti-virus and other security software vendors.

If XP systems can be upgraded, they should be upgraded immediately. Systems that cannot be upgraded need to be protected by air gaps and firewall rules. Services on these systems should be limited to only those functions that cannot be migrated.

Even with these measures, there will be a lot of insecure, poorly managed systems in the global IT environment. Black hats are rubbing their hands in anticipation of the feast.

Thursday, January 9, 2014

The Promise and Peril of Self-Driving Cars

The research by Google and others into self-driving cars has been intriguing. The vast majority of traffic accidents are the fault of drivers, and being able to eliminate human error would be a huge win for traffic safety.

But if computers are driving cars, we have to take a serious look at information security in the context of a self-driving automobile. Unfortunately, most current automation does not have adequate safeguards to protect from malicious inputs.

In particular, components do not check or validate that commands are being issued from an appropriate source. Security researchers have demonstrated that they are able to issue commands to a Prius to control steering, braking, acceleration, and dashboard displays. They were also able to disable an Escape's brakes at slow speed.

Ford and Toyota both point out that the researchers were connected directly to the car's CAN (Controller Area Network), which limits the impact of some of their demonstrations. But keep in mind that wireless interfaces on on-board systems, such as the Bluetooth controller in a sound system or the telematics unit used by satellite roadside-assistance services, may provide an entry point into the automobile. Anywhere a wireless connection allows access to a component connected to a CAN is a possible entry point for malicious code.

The sorts of security measures we use for other network-connected items would still work inside a car. Provide air gaps between components that don't need to be connected. And provide for validation and authentication of commands from components that do need to be connected.
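What "validation and authentication of commands" looks like in practice is a receiver that refuses to act on a frame unless it carries proof that a known component sent it, and proof that it is not an old frame played back. The following is an added example written for this post; it is not the design of any vendor or standard named here. It assumes a pre-shared key per sender and ignores the 8-byte payload limit of a real CAN frame, which forces much shorter tags and counters in practice.

```python
"""Added example: authenticating commands between CAN-connected components.

This is a simplified illustration written for this post, not the design of
any vendor or standard named here. Each sender shares a symmetric key with
the receiver (key distribution and the constrained 8-byte CAN payload are
ignored). A frame carries the sender id, a monotonically increasing counter
and a truncated HMAC over (sender id, counter, payload). The receiver drops
frames whose tag fails to verify (forged or tampered) and frames whose
counter is not newer than the last accepted one (replayed).
"""
import hashlib
import hmac
import struct

TAG_LEN = 4            # bytes of HMAC-SHA256 kept; shortened to illustrate bus constraints
HEADER = ">HI"         # sender id (16-bit), counter (32-bit), big-endian
HEADER_LEN = struct.calcsize(HEADER)


def make_frame(key, sender_id, counter, payload):
    """Build an authenticated frame: header || payload || truncated tag."""
    header = struct.pack(HEADER, sender_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """A component that only acts on verified, fresh commands."""

    def __init__(self, keys):
        self.keys = keys             # sender_id -> shared key
        self.last_counter = {}       # sender_id -> last accepted counter

    def accept(self, frame):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None
        sender_id, counter = struct.unpack(HEADER, frame[:HEADER_LEN])
        payload, tag = frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        key = self.keys.get(sender_id)
        if key is None:
            return None                                  # unknown sender on the bus
        expected = hmac.new(key, frame[:HEADER_LEN] + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                                  # forged or modified in transit
        if counter <= self.last_counter.get(sender_id, -1):
            return None                                  # replayed or out of order
        self.last_counter[sender_id] = counter
        return payload


def demo():
    """Walk through a genuine command, a replay, a forgery and a tampered frame."""
    key = b"constructed-demo-key-not-a-real-vehicle-key"   # constructed for the example
    cruise_ecu = 0x10                                     # constructed sender id
    brake_ecu = Receiver({cruise_ecu: key})

    genuine = make_frame(key, cruise_ecu, 1, b"SET_SPEED:40")
    accepted = brake_ecu.accept(genuine)
    replayed = brake_ecu.accept(genuine)                  # same counter presented again
    forged = brake_ecu.accept(make_frame(b"wrong-key", cruise_ecu, 2, b"SET_SPEED:90"))
    tampered = bytearray(make_frame(key, cruise_ecu, 3, b"SET_SPEED:40"))
    tampered[HEADER_LEN + len(b"SET_SPEED:")] = ord("9")  # change the speed digit after signing
    tampered_result = brake_ecu.accept(bytes(tampered))
    return accepted, replayed, forged, tampered_result


if __name__ == "__main__":
    print(demo())   # only the genuine frame yields a payload
```

The counter is what turns a message authentication code into replay protection: without it, a recorded genuine frame verifies forever. A production design also has to handle counter persistence across power cycles and resynchronisation after lost frames, which this sketch leaves out.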

I remember discussions about PC security in the early days of the Internet, when most computer viruses were still spread by injudicious insertion of floppy disks. Way back when, we were told that PCs didn't need to have security programmed in from the ground up. I'm hoping we learn from the history of those poor decisions. A Blue Screen of Death is one thing, but a traffic fatality is another.