Ring Issues ? Did you secure your Ring properly

    In the world of IoT home cameras, Ring cameras by Amazon are most popular. There can be many benefits of using the cameras for monitoring or as a security device, but it’s been a bad few weeks for the Ring camera. We now have reports of a hacker taunting a child in Mississippi, in another report someone hurled racist insults at a Florida family. A Tennessee family reported that a man hacked their camera to talk to an 8-year-old girl in her bedroom. Yesterday, a Ring camera was hacked to make inappropriate comments toward a California woman. 

    Are these really hacks, or simply user errors? Ring seems to have put much of the blame for these hacks on its users. A Ring spokesperson said that the California incident was not a result of Ring’s network or systems being compromised. A Ring spokesperson also said that the incident in Tennessee was isolated and that it wasn’t because of a security breach. But there have been two claims of exposed Ring data. The first, reported by Buzzfeed, claimed 3,672 Amazon Ring cameras were compromised potentially exposing the login credentials of users; security experts noted the data was most likely taken from another company’s database. Tech Crunch reported that about 1,500 Ring customers’ passwords were also compromised in a separate leak and the passwords and email addresses were uploaded to a dark web site DeepPaste.

    Motherboard found “hackers have made dedicated software for more swiftly gaining access to Ring cameras by churning through previously compromised email addresses and passwords, and that some hackers were live-streaming the Ring

    Zerocleare abuse on their own so-called podcast dubbed ‘NulledCast.’ ” Users are not without blame here. As motherboard pointed out, reused passwords can lead to compromise and may have been the case in several incidents. Ring however is not without blame either. Last month a flaw was identified in Ring Video Doorbell Pro cameras’ software that made it possible for wireless eavesdroppers to grab the WiFi credentials of customers during the device’s setup. Ring does not currently offer some basic security precautions, such as double-checking whether someone logging in from an unknown IP address different from the legitimate user, or providing identification of how many users are currently logged in. Ring doesn’t appear to check a user’s chosen password against known compromised user credentials nor does Ring appear to provide users a list of previous login attempts.

    What can one do? Ring does offer twofactor authentication, and although not required, it should be implemented. As always don’t reuse passwords, go change it now if you did reuse one. Even if someone is actively watching though one of your devices, Ring will log everyone out after the password change. Look at the blue light, we know it’s not a guarantee if the camera is on but it’s an indication. And finally, you can always cover or unplug a camera if you want your privacy assured, otherwise smile – you might be on camera.

Sources:

https://www.vice.com/en_us/article/epg4xm/amazon-ring-camera-security

https://www.digitaltrends.com/home/man-hacks-ring-camera-inwomans-home-to-make-explicitcomments/

Android Malware impacts all Android devices including the most recent versions and updates

    Malicious apps are bad enough, but what if you have one on your phone that looks just like an app you use everyday? As it turns out, researchers from the Norwegian application security firm Promon discovered an Android vulnerability that does just that. 

    Dubbed StrandHogg, it impacts all Android devices including the most recent versions and updates. It also reportedly “puts the top 500 most popular apps at risk” without even needing root access. If you have an Android in your pocket, you are at risk.

    StrandHogg is delivered through a malicious dropper app that then downloads additional apps posing as some of your favorites. From there it will request additional permissions to your phone, allowing it to spy on your activity, steal credentials, track your location, access your data, and access features like the camera and microphone. Thirty-six known dropper apps have since been removed from the Google Play store, but even more will surely take their place. 

    At this time it’s unclear whether Google plans to do anything about StrandHogg. The vulnerability itself is not exactly brand new. The Promon team’s work was actually a continuation of research conducted in 2015 by a team at Penn State. Back then they proved that the vulnerability was theoretically possible, but it wasn’t enough to get Google to take it seriously. Now that it’s being actively exploited in the wild, perhaps that will change. 

    Despite the fact that StrandHogg impacts all 2.5 billion Android devices in use, a healthy dose of user awareness will go a long way in mitigating the risk. If an app you normally use is behaving strangely, there may be something wrong and you should stop using it immediately. 
Tell-tale signs of malicious app activity include unusual permissions requests or requests that don’t include the app name; login prompts when you are already logged in; and mistakes in the interface like typos or buttons that don’t work. 

    Always download apps from trusted sources and even then, a quick check to make sure an app is legit can save a lot of headaches later. 

Sources: 

https://threatpost.com/strandhogg-vulnerability-allows-malware-to-poseas-legitimate-android-apps/150750/

https://lifehacker.com/how-to-tell-if-an-android-app-is-strandhoggmalware-in-1840172627

https://promon.co/security-news/strandhogg/

VPN Hijacking Attack

A virtual private network (VPN) is supposed to keep the user’s traffic over a network safe from outside onlookers. They act as a protected path for communication over a public network to gain access to the resources and capabilities of the private network without a physical connection. Researchers at University of New Mexico have discovered a vulnerability in most  Linux distros that allow an attacker to discover if the victim is using a VPN and to even hijack active connections within the VPN. The vulnerability is tracked as CVE-2019-14899.

The Attacker needs to be network adjacent to the victim to set up a rogue access point for which the victim will connect. This allows the attacker to determine the victim’s virtual IP address, make inferences about the victim’s active connections, and then to determine the sequence and acknowledgement numbers of the active connection by examining the encrypted replies to unsolicited packets. This gives the attacker the ability to hijack the TCP session. This acts much like echolocation or backscattering effects to determine the shape of something by observing the reactions of something thrown at it, be it sound waves, charged particles, or unsolicited packets.
This method was tested against several VPN services including OpenVPN, WireGaurd, and IKEv2/IPSec. The vulnerability was found to be exploitable in both IPv4 and IPv6 connections. It was not effective against any Linux distribution before the Ubuntu 19.10. In Ubuntu 19.10, the rp_filter settings were set to “loose” as opposed to “strict”, but can be changed manually. The researchers believe that ToR users are protected as the encryption for these connections occur in user space.

The systems this vulnerability effects are as follows:
• Ubuntu 19.10 (systemd)
• Fedora (systemd)
• Debian 10.2 (systemd)
• Arch 2019.05 (systemd)
• Manjaro 18.1.1 (systemd)
• Devuan (sysV init) • MX Linux 19 (Mepis+antiX)
• Void Linux (runit)
• Slackware 14.2 (rc.d)
• Deepin (rc.d)
• FreeBSD (rc.d)
• OpenBSD (rc.d)

Turning on Reverse path filtering (setting the rp_filter to “strict”), filtering fake addresses with bogon filtering, and encrypting both packet size and timing would help mitigate the issue.

Sources:

https://www.zdnet.com/article/newvulnerability-lets-attackers-sniff-orhijack-vpn-connections/

https://seclists.org/oss-sec/2019/q4/122

https://securityaffairs.co/wordpress/94764/hacking/cve-201914899-vpn-flaw.html

Don’t

Get or Buy a New Smart TV Warning

    Smart TVs have become extremely common in the last few years; it is even difficult to buy a new TV without smart functionality. Having Netflix streaming built into your TV can be convenient, but connecting your TV to the internet might not be the best idea. The FBI issued a warning this week regarding smart TVs and the risks associated with including your TV in the often poorly secured Internet of Things pool. The warning includes successful attack results ranging from minor annoyances like attacker being able to change the channel to major privacy invasions such as being able to record video and sound of you and your home.

    An attacker having the ability to change the volume and channels on your TV would be annoying, but the greater danger stems from more advanced attacks. As TVs have started integrating with 3rd party services, like Amazon Alexa and Google Assistant, some manufacturers have started including microphones and video cameras into their devices. As TVs are often located where people most commonly hang out, often these sensors provide an interesting target to attackers looking to eavesdrop on private conversations or steal personal information. Some manufacturers may even utilize these sensors for marketing and research purposes depending on the privacy policy and device settings. Automatic content recognition technology designed to analyze and report your viewing habits is also included in many smart TVs.

    Beyond using the TV to spy on you an attacker may just use it as a starting point into your private network to attack other devices containing more valuable information. Smart TVs fall into the IoT device category which includes a history of poorly secured and vulnerable devices. Some botnets, like Mirai, targeted IoT devices specifically due to their security reputation. Some TVs create their own wifi or Bluetooth network to enable file sharing or control from proximity devices. These can provide a bridge of sorts for a local attacker onto a network they shouldn’t have access to.

    The FBI has several recommendations to mitigate the risks associated with putting your smart TV on the network. The first tip is to look through the TV settings to disable the camera and microphone if possible. Along with this, they recommend reading through the privacy policy and opting out of any data collections options included with the TV. If it is not possible to disable the camera via software, they suggest the low tech method of placing a piece of tape over it. Consumers should research the security history of devices they are thinking of purchasing and try to buy from reputable companies to increase the likelihood of future security updates.

Sources

 • https://threatpost.com/smart-tvs-cyberthreat-living-room-feds/150713/

https://fbi.gov/contact-us/field-offices/portland/news/press-releases/techtuesdaysmart-tvs

Draft NIST Special Publication (SP) 800-208, Recommendation for Stateful Hash-Based Signature Schemes

NIST invites
comments on
Draft NIST
Special Publication (SP) 800-208,
Recommendation for Stateful Hash-Based
Signature Schemes.
All of the digital signature schemes
specified in Federal Information Processing Standards Publication (FIPS) 186-4
will be broken if large-scale quantum computers are ever built. NIST is in the
process of developing
standards
for post-quantum secure digital signature schemes that can be used as
replacements for the schemes that are specified in FIPS 186-4. However, this
standardization process will not be complete for several
years.

In this draft recommendation,
NIST is proposing to supplement
FIPS
186
by approving the use of two stateful hash-based signature schemes: the
eXtended Merkle Signature Scheme (XMSS) and the Leighton-Micali Signature
system (LMS) as specified in Requests for Comments (RFC) 8391 and 8554,
respectively. Stateful hash-based signature schemes are not suitable for
general use since they require careful state management in order to ensure
their security. However, their use may be appropriate for applications in which
use of the private key may be carefully controlled and where there is a need to
transition to a post-quantum secure digital signature scheme before the
post-quantum cryptography standardization process has completed.

Draft SP 800-208 profiles LMS,
XMSS, and their multi-tree variants. This profile approves the use of some but
not all of the parameter sets defined in RFCs 8391 and 8554. The approved
parameter sets use either SHA-256 or SHAKE256 with 192- or 256-bit outputs.
This profile also requires that key and signature generation be performed in
hardware cryptographic modules that do not allow secret keying material to be
exported.

The public comment period for this document is open through February 28,
2020.
See
the publication details
for a copy of the draft and instructions for
submitting comments.

NOTE: A call for patent claims is included on page iv of this draft. For
additional information, see the Information
Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL
Publications
.

Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

Trend Micro report this

Behavior analysis

CallerSpy claims it’s a chat app, but we found that it had no chat
features at all and it was riddled with espionage behaviors. When
launched, CallerSpy initiates a connection with the C&C server via Socket.IO to monitor upcoming commands. It then utilizes Evernote Android-Job to start scheduling jobs to steal information.
Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)
Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)
CallerSpy sets several
scheduling jobs to collect call logs, SMSs, contacts, and files on the
device. It also receives commands from the C&C server to take
screenshots, which it later sends to the server.
Figure 3. Scheduled jobs
Figure 3. Scheduled jobs
Source Command
alive_latest_files_watcher Starts latest_files_watcher job and keeps it alive
enviorment_schedulers Configures environment record module
keep_enviorment_scehdular_alive Starts the enviorment_scehdular job and keeps it alive
keep_listener_alive Starts listener job and keeps it alive
latest_files_watcher Collects latest call logs, SMSs, contacts, and files
listeners Updates configuration and takes a screenshot
record_enviorment Records environment
remote_sync Uploads privacy to the remote C&C server
sync_data_locally Collects all call log, SMS, contacts, and files information on the device
Table 1. Some of CallerSpy’s scheduling job tags
All of the stolen information are collected and stored in a local
database before they’re uploaded to the C&C server periodically.
This spyware targets the following file types: jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, wav, and amr.
Figure 4. Privacy database
Figure 4. Privacy database
The screenshot gets captured
when a command is received from the C&C server. The screenshot image
then gets encoded using Base64 and sent back to the server via a
preconfigured Socket.IO connection.
Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)
Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)
 
For full info click here

Caller Poses as CISA Rep in Extortion Scam

National Cyber Awareness System:

 

Original
release date: November 29, 2019

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a
phone scam where a caller pretends to be a CISA representative. The scammer
claims to have knowledge of the potential victim’s questionable behavior and
attempts to extort money.

If you receive a threatening call from someone claiming to be a CISA
representative, CISA recommends the following actions:

  • Do not respond or try to contact the caller.
  • Do not pay the caller.
  • Contact your local
    FBI field office
    to file a report.

(In)Security Management Engine

   The out of band management system bundled on almost all Intel processors has become a hot target for attackers in recent years. This is because it runs alongside the main processor and has virtually unrestricted access to all the hardware in the machine. As long as the machine has power the management engine is sitting there silently waiting for commands from a system administrator with access to it. While this feature can be a huge help for administrators managing a large number of machines it also presents an extremely attractive attack point.

    Intel provides a number of different subsystems under the Converged Security and Management Engine (CSME). The management engine is the specific firmware for mainstream chips, they also provide Server Platform Services (SPS) for server hardware and the Trusted Execution Engine (TXE) for tablets and other low power devices. Security researchers have been skeptical of the CSME for years due to it being closed source, having full access to the hardware, and its inability to be disabled. Several vulnerabilities have been found in the system by various researchers in the past. It’s time to make sure your systems are up to date as Intel just released a bug advisory with 77 found vulnerabilities, including one listed as critical.
    The most critical vulnerability found (CVE-2019-0169) is a heap overflow bug that could allow an unauthenticated attacker to take over a target system or cause a denial of service. Other high security bugs were found as well including cross site scripting, insufficient access control, and privilege escalation. For most of the attacks the only requirement is that the target machine is on the same network as the attacker. While many of the vulnerabilities allow an already privileged user to escalate their privileges, some of them require no prior authorization. By chaining these types of vulnerabilities together it would be possible for someone to go from having no access to having full privileges on the machine.
    Most of the vulnerabilities were found by Intel itself as part of an internal audit designed to harden the CSME system. 10 of the vulnerabilities came from independent researchers who reported the bugs to Intel. As always, it is important to make sure your systems are up to date, especially if public facing or used on untrusted networks. The required patches are typically bundled in your operating systems update mechanism such as processor micro code updates. Depending on your specific hardware and software setup you may have to acquire and run the updates manually.

Sources

 • https://threatpost.ccom/intel-critical-info-disclosure-bug-securityengine/150124/

https://blogs.intel.com/technology/2019/11/ipas-november-2019-intelplatform-update-ipu/11

Vulnerability in Amazon’s Ring Video Doorbell

    Researchers at Bitdefender have found a vulnerability in Amazon’s Ring Video Doorbell which allows an attacker with proximity to the device to intercept the Wi-Fi credentials of the network it operates on, which could lead to further attacks to devices on the network. The Ring Doorbell is an IoT device that allows a person to remotely view and communicate to people on their property. The exploit revolves around the setup procedure and the lack of security in place during that setup. The researchers say that while setting up the device, the doorbell will broadcast an unprotected wireless signal which is meant to facilitate the communication between the app and the device. Besides this, the communication between the app and the doorbell is done insecurely through HTTP. This means that when the app prompts the user to enter their home Wi-Fi credentials, an eavesdropper can see the password in plaintext. This could then lead to exploitation of the network and attacks against the devices on it.

    While the doorbell is only vulnerable when performing the initial setup, the researchers say that there is a way to trick the user into going through the setup again. They discovered that sending de-authentication messages to the device will make the user think that the device is not properly working, leading them to reconfigure it. A de-authentication attack is a type of denial of service attack where an attacker continuously sends de-authentication frames to one or more devices, preventing them from connecting to the network. While sending the de-authentication messages, the doorbell will disconnect itself from the Wi-Fi network and make it unable to reconnect. The last resort to resolve the connection issue is to reconfigure the device by going through the setup process again, leading to an eavesdropper gathering the credentials.

    Ring has since patched this vulnerability with the release of its newest software update and urges its users to perform an update on their device. However, users that have not yet updated should be aware of this method to force a reconfiguration. If you suddenly find that the device is unable to connect to Wi-Fi you may be the victim of this attack. The exploitation of this vulnerability, while relatively easy, does require the attacker to be within some proximity to the network. This is not the first time that Ring has exposed users’ Wi-Fi passwords to attackers. In 2016, researchers found that by pushing a button on the device to activate access point mode, an attacker could use a mobile device to navigate to a URL that exposed the network settings. While IoT devices can provide great benefits to consumers, they must contain proper security controls.

Sources: 

https://thehackernews.com/2019/11/ring-doorbell-wifi-password.html 

https://www.bitdefender.com/files/News/CaseStudies/study/294/Bitdefender-WhitePaper-RDoor-CREA3949-en-EN-GenericUse.pdf 
11

Amazon Alexa and Google Home are listening

    Amazon Alexa and Google Home are listening. It’s likely you are aware of the security and privacy concerns as well as their mitigations. It’s the price we pay for the technology we want. Unfortunately, there is another attack vector recently exposed by researchers at Germany’s Security Research Labs (SRL). The most interesting part of this research is that it is an absolute “confirmed proofof-concept”. The researchers developed four Alexa “skills” and 4 more Google Home “actions”, submitted the malicious apps where they all passed Amazon and Google security vetting processes, and made it into the respective markets. SRL developed two types of malicious applications: a set for eavesdropping, and a set for phishing. The eavesdropping apps responded to the wake phrase and provided the requested information while the phishing apps responded with an error message. Both methods created the illusion of stopped functions while proceeding silently with their attack. The eavesdropping attacks used methods involving pauses, delays, and exploiting flaws in text-to-speech engines speaking unspeakable phrases that produced no auditable output. This gave the impression that the application finished when it was still listening, recording, and sending it back to the application developer. In the case of the phishing apps, the error message created the impression that the application had finished unsuccessfully. Similar tricks to keep the application running were used followed by the application mimicking the device voice claiming there is an update available and requesting that the user say their account password. Neither Amazon Alexa nor Google Home do this, but naive users might respond. These seem like they may not be too effective- a user may not say anything of utility or anything at all to the eavesdropper and they should know to ignore the requests of a phishing attempt.

    But these attacks highlight key issues:

• What vetting process is Amazon or Google using?

• What other exploitable flaws exist in their vetting methods?

• Why would Amazon or Google allow a functionality change after review?

    Google Play has an unfortunate history of hosting a variety of malicious apps and eavesdropping concerns have been previously reported by Checkmarx and MWR Labs for Alexa skills. SRL did report the results of its research to Amazon and Google through their responsible disclosure process. Both companies removed the apps and said they are changing their approval processes to prevent skills and actions from having similar capabilities in the future. But SRL’s success raises serious concerns and it’s worth noting these key issues are not only applicable to listening smart home devices but can be considered for all applications available on any platform. I’m not ready to give them up just yet, but Dan Goodin of ARS Technica sums it up this way: “SRL’s research only adds to my belief that these devices shouldn’t be trusted by most people.”

Sources: 

https://arstechnica.com/information-technology/2019/10/alexa-andgoogle-home-abused-to-eavesdrop-and-phish-passwords/

https://srlabs.de/bites/smart-spies/