Listen to the Headlines for week 05
Show notes for Security Endeavors Headlines for Week 5 of 2019
Check out our subreddit to discuss this week's headlines!
Now also available on SoundCloud
InfoSec Week 5, 2019 (link to original Malgregator.com posting)
According to a Reuters investigation, United Arab Emirates used former U.S. intelligence operatives to hack into the iPhones of activists, diplomats and foreign politicians using so-called Karma spyware. It’s described as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said. In 2016 and 2017, Karma was used to obtain photos, emails, text messages and location information from targets’ iPhones. The technique also helped the attackers harvest saved passwords, which could be used for other intrusions. According to the report, Karma relies, at least in part, on a flaw in Apple’s iMessage messaging system. The flaw allowed for the implantation of malware on the phone through iMessage which establishes a connection with the device even if the phone’s owner didn’t use the app.
To initiate the compromise, Karma needed only to send the target a text message — no action was required on the part of the recipient. It isn’t clear whether the Karma spyware is still in use. The story says that by the end of 2017, security updates to the iPhone software had made Karma far less effective.
https://www.reuters.com/investigates/special-report/usa-spying-karma/
Russia also has its own Wikileaks. Called Distributed Denial of Secrets, the website aims to "bring into one place dozens of different archives of hacked material that, at best, have been difficult to locate, and in some cases appear to have disappeared entirely from the web." Distributed Denial of Secrets, or DDoS, is a volunteer effort that launched last month. Its objective is to provide researchers and journalists with a central repository where they can find the terabytes of hacked and leaked documents that are appearing on the internet with growing regularity; it is being described as a kind of academic library or museum for leak scholars. DDoS differs from WikiLeaks in that it doesn’t solicit direct leaks of unpublished data—its focus is on compiling, organizing, and curating leaks that have already appeared somewhere in public. The DDoS project compiled more than 200,000 emails into a spreadsheet for ease of searching. In all, its cache now contains 61 different leaks totaling 175 gigabytes.
https://www.thedailybeast.com/this-time-its-russias-emails-getting-leaked
The Japanese government will run penetration tests against all the IoT devices in the country in preparation for the Tokyo 2020 Summer Olympics. They want to map vulnerable devices and find out how to harden infrastructure. The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications. NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices.
The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices. The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people's homes and on enterprise networks will be tested alike.
https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/
The Cyber Independent Testing Lab, or CITL, is a nonprofit organization that focuses on consumer cybersecurity. They published research back in December of 2018, demonstrating how 28 home wireless routers fail to use even basic security techniques. CITL presented an update to that research during Shmoocon 2019, showing identical or similar weaknesses in 1,000 home and commercial Wi-Fi routers, across 6,000 firmware versions and 18 vendors. This includes highly rated devices from brands such as Asus, Belkin, Buffalo, D-Link, Linksys, and Netgear. It’s no secret that many Wi-Fi routers are highly insecure. Security researchers, pointing at issues such as hard-coded default passwords and irregular security updates, have been issuing warnings for years. What might be alarming about CITL’s latest research is that despite the alarm bells, CITL finds that vendors are generally building Wi-Fi routers with fewer protections than they had in 2003. The organization’s acting director says the research will be published soon on the CITL site.
https://the-parallax.com/2019/01/24/wi-fi-router-security-worse-citl-shmoocon/
A bug in the Samsung Galaxy Apps Store allowed an attacker to inject arbitrary code by intercepting the periodic update requests made by the vendor’s app store itself. Because the Galaxy Apps Store initiates its update checks in the clear, meaning not over a secured connection, an attacker positioned on the network path can manipulate the traffic in Man-in-the-Middle fashion: change the URL returned for load-balancing and rewrite the requests for update mirrors so they point at inauthentic, attacker-controlled domains. This would allow an attacker to trick Galaxy Apps into using an arbitrary hostname for which the attacker can obtain a valid digital certificate, and then simulate the app store’s API to modify existing apps on a given device. An attacker could exploit this vulnerability to achieve Remote Code Execution on Samsung devices.
https://www.adyta.pt/en/2019/01/29/writeup-samsung-app-store-rce-via-mitm-2/
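The weak point in the Galaxy Apps story is that the client trusts whatever mirror a plaintext, unauthenticated load-balancer reply names. The example below is added here to illustrate that pattern and its fix; it is not code from the Adyta writeup or from Samsung. The response format (key=value lines), the mirror hostnames and the rogue host are all constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allowlist of update mirrors the client may contact. A real client
# would ship this (or a pinned key for the mirror) inside the app, not fetch it
# over the network it is trying to protect.
ALLOWED_MIRRORS = frozenset({
    "updates.example-vendor.invalid",
    "updates-eu.example-vendor.invalid",
})

# Constructed samples: a legitimate load-balancer reply, and the same reply
# after an on-path attacker rewrote the mirror field.
LEGIT_LB_RESPONSE = "status=ok\nmirror=https://updates-eu.example-vendor.invalid/api/v1\n"
TAMPERED_LB_RESPONSE = "status=ok\nmirror=https://rogue-mirror.invalid/api/v1\n"


def parse_lb_response(body: str) -> dict:
    """Parse the constructed key=value reply format into a dict."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def choose_mirror_trusting(body: str) -> str:
    """The flawed pattern the writeup describes: whatever mirror the reply
    names is used as-is, so a rewritten reply steers the client anywhere."""
    return parse_lb_response(body)["mirror"]


def choose_mirror_hardened(body: str, allowed=ALLOWED_MIRRORS) -> str:
    """Accept the mirror only if it is HTTPS and its hostname is on the shipped
    allowlist. A valid certificate for an attacker-chosen host then no longer
    helps, because that host is never contacted. Raises ValueError otherwise."""
    mirror = parse_lb_response(body).get("mirror", "")
    parts = urlparse(mirror)
    if parts.scheme != "https":
        raise ValueError(f"mirror must use https, got {parts.scheme!r}")
    if parts.username or parts.password:
        # Rejects "https://good-host@rogue-host/" style confusion.
        raise ValueError("userinfo in mirror URL is not allowed")
    if parts.hostname is None or parts.hostname.lower() not in allowed:
        raise ValueError(f"mirror host {parts.hostname!r} is not an approved mirror")
    return mirror


def mirror_accepted(body: str) -> bool:
    """True if the hardened check would accept the mirror named in the reply."""
    try:
        choose_mirror_hardened(body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, body in (("legit", LEGIT_LB_RESPONSE), ("tampered", TAMPERED_LB_RESPONSE)):
        print(label, "trusting  ->", choose_mirror_trusting(body))
        print(label, "hardened  ->", "accepted" if mirror_accepted(body) else "rejected")
```

The allowlist check is a second layer, not a substitute for fetching the load-balancer reply over TLS in the first place; the two together mean an on-path attacker can neither read the update exchange nor redirect it, and a failed check is worth logging as a possible tampering attempt.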
Over 9,000 Cisco RV320/RV325 routers are currently being exploited in the wild after the network hardware manufacturer announced updates were available to patch newly published vulnerabilities. The release of the Proof of Concept exploit code triggered the scanning of devices by would-be attackers and professionals alike. Thousands of routers are exposed on the internet with a web-based management interface vulnerability that could allow an unauthenticated, remote attacker to either retrieve sensitive configuration information or perform remote command injections.
https://securityaffairs.co/wordpress/80363/hacking/cisco-rv320-rv325-hack.html
If you can imagine a mathematical version of the Kumite featured in the 80s movie BloodSport, then you might be cheering from the stands this week as the US National Institute of Standards and Technology (NIST) announced the second-round candidates for quantum resistant public-key encryption and key-establishment algorithms. After releasing a report on the status of quantum-resistant cryptography in April 2016, NIST followed up in December 2016 with a call to the public to submit post-quantum algorithms that potentially could resist a quantum computer’s onslaught. The agency spent one year collecting the submissions and another working with the larger cryptography community on a first round of review to focus on the most promising algorithms. Of the 69 submissions NIST received, these 26 algorithms made the cut.
This second round will focus more heavily on evaluating the submissions’ performance across a wide variety of systems, Moody said, because so many different devices will need effective encryption.
https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/bBxcfFFUsxE
https://www.nist.gov/news-events/news/2019/01/nist-reveals-26-algorithms-advancing-post-quantum-crypto-semifinals
A vulnerability in Apple’s FaceTime application allows the activation of the microphone of the device being called, allowing audio to be transmitted back to the person who initiated the session, all without the call ever having been accepted. It’s also possible to trigger the camera to turn on as well. The issue has been replicated when calling from either a mobile device or a Macintosh desktop. Apple has disabled the FaceTime conferencing servers until the fix is released. Word of the FaceTime bug has been spreading virally over social media. Apple says the issue will be addressed in a software update “later this week”.
https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/
Book publisher NoStarch Press got an unwelcome surprise this week when it discovered a counterfeit version of one of their books on Amazon’s self-publishing platform, CreateSpace. Bill Pollock, the publisher’s founder, has taken to Twitter to help raise awareness of the fraudulent item and is seeking assistance from Amazon to remedy the situation. Unfortunately this isn’t the first time printed fakes have made their way into the online merchant’s listings. The fake books are of noticeably lower quality, especially the screenshots. According to the current tweets, it took months to resolve things last time. Hopefully Bill Pollock and the NoStarch crew don’t have to wait as long to see results this time. The best way to know you’re getting the real deal is by just ordering direct from their website at NoStarch.com. That way you know what you’re getting and get a DRM free copy in eBook format, too.
https://twitter.com/billpollock/status/1091840257073471488
If you’re a tenant in the US, it’s very likely that a management-provided smart home system is headed your way in the near future. It will be important to carefully evaluate your family’s personal threat model, and consider the plausible digital ways in which these systems could be exploited. A well known infosec professional recently had occasion to dive much more deeply into the topic as their apartment’s property management company announced that all units would be “upgraded” from traditional lock & key to smart locks. This raised more than a few questions and concerns in the researcher's mind and kicked off a significant amount of research and engagement with all parties involved. Several thought provoking suggestions come out of the article including:
Spend some time reading into the vendor. Respectfully and courteously encourage your property management company and their smart system vendor to adopt industry best practices in securing smart hubs both physically and digitally, the networks they are connected to, and resident data at rest and in transit in their infrastructure. Request your property managers clearly and decisively address privacy concerns such as data ownership and resale in writing. If solid answers in writing don’t assuage legitimate concerns, consider politely seeking an option to opt-out – and make your threat model clear to them, if you’re in a sensitive situation. The author ends by saying, “These systems are the future – let’s do them right, for everybody.” Adapted from the article: Security Things to Consider When Your Apartment Goes Smart, posted on tisiphone.net.
https://tisiphone.net/2019/01/28/security-things-to-consider-when-your-apartment-goes-smart/
Have you ever been out and about with a Raspberry Pi and wanted to update the configuration on the SD card, but didn’t have the necessary monitor, keyboard or mouse handy? That’s the type of situation that resulted in the creation of PiBakery! The key feature of PiBakery is its ability to create a customised version of Raspbian that you write directly to your Raspberry Pi’s SD card. This works by creating a set of scripts that run when the Raspberry Pi has been powered on, meaning that your Pi can automatically perform setup tasks, and you don't need to configure anything.
The scripts are created using a block based interface that is very similar to Scratch. If you've used Scratch before, you already know how to use PiBakery. Simply drag and drop the different tasks that you want your Raspberry Pi to perform, and they'll be turned into scripts and written to your SD card. As soon as the Pi boots up, the scripts will be run. If you've already made an SD card using PiBakery, you can insert that SD card back into your computer, and keep editing the blocks to add additional software, configure new WiFi networks, and alter different settings. All without having to find a monitor, keyboard and mouse. All the different blocks for PiBakery are stored on GitHub, which means that anyone who either has created software that they want to easily distribute to Raspberry Pis, or has a setup script they want to share with others, can turn this into an easy to use block, allowing others to use their software or script with ease.
https://www.pibakery.org/index.html
If you’re a Windows user maybe you’ve been using the Snipping Tool over the years to make quick screenshots. Since February of 2018, Windows 10 users have had access to Snip & Sketch from the Microsoft app store. It’s a modern version of the solid tool dating back to Windows 7. It’s also available for the XBox One, so maybe someone could explain a few use cases over the built in screenshot options? Happy Documenting.
https://www.microsoft.com/en-us/p/snip-sketch/9mz95kl8mr0l?activetab=pivot:overviewtab
Security Endeavors Headlines is produced by SciaticNerd & Security Endeavors with the hope that it provides value to the wider security community. Some sources adapted for on-air readability.
Special thanks to our friends at malgregator dot com, who allow us to use their compiled headlines to contribute to the show’s content. Visit them at Malgregator.com.
Additional supporting sources are also included in our show notes
Why not start a conversation about the stories from this week on our Subreddit at reddit.com/r/SEHL
More information about the podcast is available at SecurityEndeavors.com/SEHL
Thanks for listening and we'll see you next week!