Ring Issues: Did you secure your Ring properly?

    In the world of IoT home cameras, Amazon’s Ring cameras are among the most popular. There can be many benefits to using the cameras for monitoring or as a security device, but it’s been a bad few weeks for the Ring camera. We now have reports of a hacker taunting a child in Mississippi, and in another report someone hurled racist insults at a Florida family. A Tennessee family reported that a man hacked their camera to talk to an 8-year-old girl in her bedroom. Yesterday, a Ring camera was hacked to make inappropriate comments toward a California woman.

    Are these really hacks, or simply user errors? Ring seems to have put much of the blame for these hacks on its users. A Ring spokesperson said that the California incident was not a result of Ring’s network or systems being compromised. A Ring spokesperson also said that the incident in Tennessee was isolated and that it wasn’t because of a security breach. But there have been two claims of exposed Ring data. The first, reported by Buzzfeed, claimed 3,672 Amazon Ring cameras were compromised, potentially exposing the login credentials of users; security experts noted the data was most likely taken from another company’s database. Tech Crunch reported that about 1,500 Ring customers’ passwords were also compromised in a separate leak, and the passwords and email addresses were uploaded to the dark web site DeepPaste.

    Motherboard found “hackers have made dedicated software for more swiftly gaining access to Ring cameras by churning through previously compromised email addresses and passwords, and that some hackers were live-streaming the Ring abuse on their own so-called podcast dubbed ‘NulledCast.’ ” Users are not without blame here. As Motherboard pointed out, reused passwords can lead to compromise and may have been the cause in several incidents. Ring, however, is not without blame either. Last month a flaw was identified in the Ring Video Doorbell Pro cameras’ software that made it possible for wireless eavesdroppers to grab the WiFi credentials of customers during the device’s setup. Ring does not currently offer some basic security precautions, such as double-checking whether someone logging in from an unknown IP address is really the legitimate user, or showing how many users are currently logged in. Ring doesn’t appear to check a user’s chosen password against known compromised user credentials, nor does Ring appear to provide users a list of previous login attempts.

    What can one do? Ring does offer two-factor authentication, and although it is not required, it should be enabled. As always, don’t reuse passwords; if you did reuse one, go change it now. Even if someone is actively watching through one of your devices, Ring will log everyone out after the password change. Look at the blue light; it’s not a guarantee of whether the camera is on, but it’s an indication. And finally, you can always cover or unplug a camera if you want your privacy assured; otherwise smile, you might be on camera.
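As an added illustration (not Ring’s code, nor from any of the sources below) of the missing control described above, here is how a service can test a chosen password against a breach corpus without ever sending the password itself: the k-anonymity range query popularised by Have I Been Pwned’s Pwned Passwords API. The breach corpus, its counts and the `min_length` policy are constructed in memory so the code runs offline.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus standing in for the remote service:
# hash -> number of times seen in breaches (counts are made up).
BREACHED = {
    sha1_hex(p): n
    for p, n in [("password", 3730471), ("123456", 23597311), ("ringcam2019", 12)]
}


def range_query(prefix: str):
    """Server side: every 'SUFFIX:COUNT' line whose hash starts with prefix.

    Only the first 5 hex characters (20 bits) leave the client, so the service
    cannot tell which password in that range was actually being checked.
    """
    if len(prefix) != 5:
        raise ValueError("range queries use a 5-character hex prefix")
    return [f"{h[5:]}:{n}" for h, n in BREACHED.items() if h.startswith(prefix)]


def breach_count(password: str) -> int:
    """Client side: look for our own suffix in the range the server returned."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def password_ok(password: str, min_length: int = 8):
    """Policy a login service could apply at signup or password change."""
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password)
    if seen:
        return False, f"appears {seen} times in known breaches"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "ringcam2019", "correct horse battery staple"):
        print(candidate, password_ok(candidate))
```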

Sources:

https://www.vice.com/en_us/article/epg4xm/amazon-ring-camera-security

https://www.digitaltrends.com/home/man-hacks-ring-camera-inwomans-home-to-make-explicitcomments/

Android Malware impacts all Android devices including the most recent versions and updates

    Malicious apps are bad enough, but what if you have one on your phone that looks just like an app you use every day? As it turns out, researchers from the Norwegian application security firm Promon discovered an Android vulnerability that does just that.

    Dubbed StrandHogg, it impacts all Android devices including the most recent versions and updates. It also reportedly “puts the top 500 most popular apps at risk” without even needing root access. If you have an Android in your pocket, you are at risk.

    StrandHogg is delivered through a malicious dropper app that then downloads additional apps posing as some of your favorites. From there it will request additional permissions to your phone, allowing it to spy on your activity, steal credentials, track your location, access your data, and access features like the camera and microphone. Thirty-six known dropper apps have since been removed from the Google Play store, but even more will surely take their place. 

    At this time it’s unclear whether Google plans to do anything about StrandHogg. The vulnerability itself is not exactly brand new. The Promon team’s work was actually a continuation of research conducted in 2015 by a team at Penn State. Back then they proved that the vulnerability was theoretically possible, but it wasn’t enough to get Google to take it seriously. Now that it’s being actively exploited in the wild, perhaps that will change. 

    Despite the fact that StrandHogg impacts all 2.5 billion Android devices in use, a healthy dose of user awareness will go a long way in mitigating the risk. If an app you normally use is behaving strangely, there may be something wrong and you should stop using it immediately. Tell-tale signs of malicious app activity include unusual permissions requests or requests that don’t include the app name; login prompts when you are already logged in; and mistakes in the interface like typos or buttons that don’t work.

    Always download apps from trusted sources and even then, a quick check to make sure an app is legit can save a lot of headaches later. 

Sources: 

https://threatpost.com/strandhogg-vulnerability-allows-malware-to-poseas-legitimate-android-apps/150750/

https://lifehacker.com/how-to-tell-if-an-android-app-is-strandhoggmalware-in-1840172627

https://promon.co/security-news/strandhogg/

VPN Hijacking Attack

A virtual private network (VPN) is supposed to keep the user’s traffic over a network safe from outside onlookers. It acts as a protected path for communication over a public network, giving access to the resources and capabilities of the private network without a physical connection. Researchers at the University of New Mexico have discovered a vulnerability in most Linux distros that allows an attacker to discover whether the victim is using a VPN and even to hijack active connections within the VPN. The vulnerability is tracked as CVE-2019-14899.

The attacker needs to be network adjacent to the victim and to set up a rogue access point to which the victim will connect. This allows the attacker to determine the victim’s virtual IP address, make inferences about the victim’s active connections, and then determine the sequence and acknowledgement numbers of the active connection by examining the encrypted replies to unsolicited packets. This gives the attacker the ability to hijack the TCP session. It works much like echolocation or backscattering: the shape of something is inferred by observing how it reacts to what is thrown at it, be it sound waves, charged particles, or unsolicited packets.
This method was tested against several VPN technologies including OpenVPN, WireGuard, and IKEv2/IPsec. The vulnerability was found to be exploitable over both IPv4 and IPv6 connections. It was not effective against any Linux distribution tested prior to Ubuntu 19.10. In Ubuntu 19.10, the rp_filter setting defaults to “loose” rather than “strict”, but it can be changed manually. The researchers believe that Tor users are protected, as the encryption for those connections occurs in user space.

The systems this vulnerability affects are as follows:
• Ubuntu 19.10 (systemd)
• Fedora (systemd)
• Debian 10.2 (systemd)
• Arch 2019.05 (systemd)
• Manjaro 18.1.1 (systemd)
• Devuan (sysV init)
• MX Linux 19 (Mepis+antiX)
• Void Linux (runit)
• Slackware 14.2 (rc.d)
• Deepin (rc.d)
• FreeBSD (rc.d)
• OpenBSD (rc.d)

Turning on reverse path filtering (setting rp_filter to “strict”), filtering fake source addresses with bogon filtering, and encrypting both packet size and timing would help mitigate the issue.
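An added example, not from the researchers or the advisory, that audits the rp_filter mitigation on a Linux host: it parses `sysctl net.ipv4.conf` style output (a constructed sample is embedded so it runs offline) and reports which interfaces are effectively not strict, taking into account that the kernel applies the maximum of the `all` and per-interface values.

```python
import re

# Kernel meaning of net.ipv4.conf.<if>.rp_filter values.
RP_MODES = {0: "off", 1: "strict", 2: "loose"}

# Constructed sample of `sysctl net.ipv4.conf` output, resembling a
# distribution that ships rp_filter = 2 (loose) by default.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.tun0.rp_filter = 0
net.ipv4.conf.eth0.forwarding = 0
"""

LINE_RE = re.compile(r"^net\.ipv4\.conf\.([^.]+)\.rp_filter\s*=\s*([012])$")


def parse_rp_filter(text):
    """Return {name: raw rp_filter value} for every rp_filter line; other keys are ignored."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def effective_modes(text):
    """Effective mode per real interface. The kernel applies
    max(conf.all, conf.<if>) when validating a source address on <if>,
    so a per-interface 0 is still loose while 'all' is 2."""
    values = parse_rp_filter(text)
    all_val = values.get("all", 0)
    return {name: RP_MODES[max(all_val, raw)]
            for name, raw in values.items() if name not in ("all", "default")}


def non_strict_interfaces(text):
    """Interfaces on which a packet with a spoofed source address is not dropped."""
    return sorted(n for n, mode in effective_modes(text).items() if mode != "strict")


def hardening_lines(text):
    """sysctl.conf lines that make every interface strict. Because of the max()
    rule, all=1 alone does not fix an interface explicitly set to 2."""
    values = parse_rp_filter(text)
    lines = ["net.ipv4.conf.all.rp_filter = 1", "net.ipv4.conf.default.rp_filter = 1"]
    lines += [f"net.ipv4.conf.{n}.rp_filter = 1" for n, raw in sorted(values.items())
              if n not in ("all", "default") and raw == 2]
    return lines
```

Strict mode drops traffic whose reply route does not go back out the arrival interface, so multi-homed hosts with asymmetric routing should be tested before the setting is rolled out.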

Sources:

https://www.zdnet.com/article/newvulnerability-lets-attackers-sniff-orhijack-vpn-connections/

https://seclists.org/oss-sec/2019/q4/122

https://securityaffairs.co/wordpress/94764/hacking/cve-201914899-vpn-flaw.html

Warning: Don’t Get or Buy a New Smart TV

    Smart TVs have become extremely common in the last few years; it is even difficult to buy a new TV without smart functionality. Having Netflix streaming built into your TV can be convenient, but connecting your TV to the internet might not be the best idea. The FBI issued a warning this week regarding smart TVs and the risks associated with including your TV in the often poorly secured Internet of Things pool. The warning describes successful attack results ranging from minor annoyances, like an attacker being able to change the channel, to major privacy invasions, such as being able to record video and sound of you and your home.

    An attacker having the ability to change the volume and channels on your TV would be annoying, but the greater danger stems from more advanced attacks. As TVs have started integrating with third-party services, like Amazon Alexa and Google Assistant, some manufacturers have started including microphones and video cameras in their devices. Because TVs are often located where people most commonly hang out, these sensors provide an interesting target to attackers looking to eavesdrop on private conversations or steal personal information. Some manufacturers may even utilize these sensors for marketing and research purposes, depending on the privacy policy and device settings. Automatic content recognition technology designed to analyze and report your viewing habits is also included in many smart TVs.

    Beyond using the TV to spy on you, an attacker may just use it as a starting point into your private network to attack other devices containing more valuable information. Smart TVs fall into the IoT device category, which has a history of poorly secured and vulnerable devices. Some botnets, like Mirai, targeted IoT devices specifically because of their security reputation. Some TVs create their own Wi-Fi or Bluetooth network to enable file sharing or control from nearby devices. These can provide a bridge of sorts for a local attacker onto a network they shouldn’t have access to.

    The FBI has several recommendations to mitigate the risks associated with putting your smart TV on the network. The first tip is to look through the TV settings and disable the camera and microphone if possible. Along with this, they recommend reading through the privacy policy and opting out of any data collection options included with the TV. If it is not possible to disable the camera via software, they suggest the low-tech method of placing a piece of tape over it. Consumers should research the security history of devices they are thinking of purchasing and try to buy from reputable companies to increase the likelihood of future security updates.

Sources:

https://threatpost.com/smart-tvs-cyberthreat-living-room-feds/150713/

https://fbi.gov/contact-us/field-offices/portland/news/press-releases/techtuesdaysmart-tvs

Draft NIST Special Publication (SP) 800-208, Recommendation for Stateful Hash-Based Signature Schemes

NIST invites comments on Draft NIST Special Publication (SP) 800-208, Recommendation for Stateful Hash-Based Signature Schemes. All of the digital signature schemes specified in Federal Information Processing Standards Publication (FIPS) 186-4 will be broken if large-scale quantum computers are ever built. NIST is in the process of developing standards for post-quantum secure digital signature schemes that can be used as replacements for the schemes that are specified in FIPS 186-4. However, this standardization process will not be complete for several years.

In this draft recommendation, NIST is proposing to supplement FIPS 186 by approving the use of two stateful hash-based signature schemes: the eXtended Merkle Signature Scheme (XMSS) and the Leighton-Micali Signature system (LMS), as specified in Requests for Comments (RFC) 8391 and 8554, respectively. Stateful hash-based signature schemes are not suitable for general use since they require careful state management in order to ensure their security. However, their use may be appropriate for applications in which use of the private key may be carefully controlled and where there is a need to transition to a post-quantum secure digital signature scheme before the post-quantum cryptography standardization process has completed.

Draft SP 800-208 profiles LMS, XMSS, and their multi-tree variants. This profile approves the use of some but not all of the parameter sets defined in RFCs 8391 and 8554. The approved parameter sets use either SHA-256 or SHAKE256 with 192- or 256-bit outputs. This profile also requires that key and signature generation be performed in hardware cryptographic modules that do not allow secret keying material to be exported.
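As an added illustration, not taken from SP 800-208 or the RFCs, the following uses a Lamport one-time signature (a far simpler scheme than LMS or XMSS, but with the same “each key signs once” property) to show what the state is and why the signer must advance it before releasing a signature. The `StatefulSigner` pool, its key count and the message strings are assumptions for the demonstration.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def msg_bits(msg: bytes):
    """The 256 bits of SHA-256(msg), most significant first."""
    d = int.from_bytes(H(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]


def lamport_keygen():
    """One-time key: 256 pairs of 32-byte secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]


def lamport_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]  # reveals one secret per pair


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))


def revealed_pairs(msg1: bytes, msg2: bytes) -> int:
    """Pairs whose BOTH secrets become public if one key signs both messages."""
    return sum(a != b for a, b in zip(msg_bits(msg1), msg_bits(msg2)))


class StatefulSigner:
    """A small pool of one-time keys plus the state SP 800-208 is about: the
    index of the next unused key. It is advanced (in a real module, written to
    durable storage) BEFORE a signature is released, so a crash, a restore from
    backup or a cloned key store cannot hand the same key out twice."""

    def __init__(self, n_keys: int):
        self._keys = [lamport_keygen() for _ in range(n_keys)]
        self.public_keys = [pk for _, pk in self._keys]
        self.next_index = 0

    def sign(self, msg: bytes):
        if self.next_index >= len(self._keys):
            raise RuntimeError("one-time keys exhausted; a new key pair is required")
        idx = self.next_index
        self.next_index = idx + 1          # commit the state change first
        return idx, lamport_sign(self._keys[idx][0], msg)


def verify(public_keys, msg: bytes, idx: int, sig) -> bool:
    return lamport_verify(public_keys[idx], msg, sig)
```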

The public comment period for this document is open through February 28, 2020. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL Publications.

Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

Trend Micro reports the following:

Behavior analysis

CallerSpy claims it’s a chat app, but we found that it had no chat features at all and it was riddled with espionage behaviors. When launched, CallerSpy initiates a connection with the C&C server via Socket.IO to monitor upcoming commands. It then utilizes Evernote Android-Job to start scheduling jobs to steal information.
Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)
CallerSpy sets several scheduling jobs to collect call logs, SMSs, contacts, and files on the device. It also receives commands from the C&C server to take screenshots, which it later sends to the server.
Figure 3. Scheduled jobs
Source                           Command
alive_latest_files_watcher       Starts latest_files_watcher job and keeps it alive
enviorment_schedulers            Configures environment record module
keep_enviorment_scehdular_alive  Starts the enviorment_scehdular job and keeps it alive
keep_listener_alive              Starts listener job and keeps it alive
latest_files_watcher             Collects latest call logs, SMSs, contacts, and files
listeners                        Updates configuration and takes a screenshot
record_enviorment                Records environment
remote_sync                      Uploads privacy to the remote C&C server
sync_data_locally                Collects all call log, SMS, contacts, and files information on the device
Table 1. Some of CallerSpy’s scheduling job tags
All of the stolen information is collected and stored in a local database before it’s uploaded to the C&C server periodically. This spyware targets the following file types: jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, wav, and amr.
Figure 4. Privacy database
The screenshot gets captured when a command is received from the C&C server. The screenshot image then gets encoded using Base64 and sent back to the server via a preconfigured Socket.IO connection.
Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)
For full info, see the Trend Micro report.

Caller Poses as CISA Rep in Extortion Scam

National Cyber Awareness System

Original release date: November 29, 2019

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a phone scam where a caller pretends to be a CISA representative. The scammer claims to have knowledge of the potential victim’s questionable behavior and attempts to extort money.

If you receive a threatening call from someone claiming to be a CISA representative, CISA recommends the following actions:

  • Do not respond or try to contact the caller.
  • Do not pay the caller.
  • Contact your local FBI field office to file a report.