Internet-Exposed 3D Printers Pose Fire Risk

In the last few years the price of 3D printers fit for home use has fallen substantially. They have become cheap enough for people without advanced technical skills, especially security skills, to venture into this market. By default, most current 3D printers must be tethered to a PC full time via USB to configure and run print jobs.

Octoprint, a 3D printing application, makes life easier for non-technical users by removing this requirement. It can be installed on a device such as a Raspberry Pi and connected to your home network, where it exposes an HTTP interface for interacting with the printer, which greatly improves usability. During the Octoprint installation process the user is prompted to enable authentication on the web interface, although many people choose to disable authentication for ease of use. This is not ideal but usually fine if the printer is exposed on the local network only.

As 3D prints can take upwards of 24 hours to complete, many people don’t wait long before thinking ‘it would be great to monitor the progress remotely’. Therein lies the issue. In order to accomplish this, they must open an HTTP port in their network via port forwarding to access Octoprint from anywhere, and typically forget to enable authentication first. This is how thousands of unsecured Octoprint instances ended up accessible from the internet.

There are MANY risks associated with having these web interfaces publicly exposed. The first is that Octoprint isn’t really designed as a secure web application. It was designed with advanced users in mind and as such can be tweaked and modified endlessly. In its default configuration it is essentially an unauthenticated portal into your network, since arbitrary system commands can be run from the web interface. By leveraging this feature an attacker could easily move to more sensitive machines in the network.

The second major risk is that 3D printers are essentially simple robots with attached heaters. These heaters can reach extremely high temperatures very quickly. Most modern 3D printers have temperature limits enabled in the firmware to prevent thermal runaway from causing a fire. However, by modifying the firmware and flashing the printer from the Octoprint interface, these limits can be removed. This could allow an attacker to start a fire with the printer in just a few clicks. While not as dangerous, an attacker could also damage the machine by commanding the motors to move past their defined limits.

Octoprint has always told its users that making the application available on the internet, even with authentication enabled, is a terrible idea. Many software applications designed for advanced users and/or experimentation don’t go through rigorous security assessments and aren’t meant to be exposed to the internet. Like a cheap lock, their authentication mechanisms are meant to keep the honest out. It is important to review the software’s security posture before opening a port in your network to access it remotely. Better still, although less convenient, use a VPN to reach services running in your home network; this is the best way to reduce the risk of exposure.

Sources:
• https://www.csoonline.com/article/3303562/security/over-3700-exposed3d-printers-open-to-remote-attackers.html
• https://octoprint.org/blog/2018/09/03/safe-remote-access/

PowerShell Updates

Announcing PowerShell Core 6.1

We’re proud to announce that the latest version of PowerShell has been released! This marks our second supported release of PowerShell Core, the open-source edition of PowerShell that works on Linux, macOS, and Windows!

By far, the biggest feature of this release is compatibility of built-in Windows modules with PowerShell Core. This means that you can natively run those modules/cmdlets with PowerShell Core and easily transition from Windows PowerShell. You can see the full post here.

PowerShell Gallery

The PowerShell Gallery is the place to find PowerShell code that is shared by the community, Microsoft, and other companies. The site has averaged over 21 million downloads per month for the past 6 months and has more than 3,800 unique packages available for use. It’s amazing when we consider we were handling just under 4 million downloads in July 2017. We clearly needed to invest in the PowerShell Gallery to support that kind of growth.

We have been working for some time to improve the performance of the PowerShell Gallery. The result is now available to everyone, and includes new features, performance enhancements, security improvements to accounts and publishing keys, and better alignment with the NuGet.org codebase that we rely on for our service and cmdlets.

New features and performance enhancements

Most users should see an improvement in package download speeds from the PowerShell Gallery. The new release takes advantage of a CDN to provide faster downloads, particularly for those outside the United States. This should be most noticeable when installing a module with many dependencies.

The new updates include things users have requested for a long time, including:

  • A manual download option from the PowerShell Gallery. It cannot replace Install-Module / Install-Script but does solve some specific issues for those with private repositories or older versions of PowerShell.
  • A change to Install-Module and Install-Script to simply install to the current user scope when not running in an elevated PowerShell session.

The new user experience is more than just a face-lift, as providing a modern UI also improves the performance. The PowerShell Gallery pages now display only the most critical information initially, and move the details to expanding sections in the UI. This makes the pages faster and easier for users to find the content they want to see.

You can see the full post here.

PowerShell Training Resources

Microsoft Virtual Academy (MVA) is a logical first stop when searching for sources of free learning. A search for “powershell” on the main page of the MVA website returns 68 hits, 13 of which include PowerShell in the course title. Other highly rated courses include Getting Started with PowerShell Desired State Configuration (DSC), Advanced Tools & Scripting with PowerShell: 3.0 Tools That Make Changes, and Advanced PowerShell Desired State Configuration (DSC) and Custom Resources. To go to the MVA click here.

PowerShell.org: Supporting all platforms and languages that use PowerShell, this site’s Videos section provides links to the organization’s PowerShell on YouTube channel (with more than 100 videos) as well as a few structured learning courses. You’ll also find pointers to a whole slew of lengthy articles and tutorials on PowerShell in the site’s eBooks section. The Build Server section lets you sign up for virtual instances of PowerShell for testing and learning purposes. And while you’re on the PowerShell.org site, be sure to browse the articles and forums, both of which are good sources of PowerShell how-to information.

Windows PowerShell Survival Guide: This is perhaps the motherlode of resources — Microsoft’s list of lists for PowerShell. To go to this tool click here.

The Spectre Looms Over Us Still

The Spectre attack has been an unexpected danger to our security since January of this year. It is an attack on most modern processors that abuses speculative execution to leak sensitive information to a potential attacker. Speculative execution allows processors to execute instructions in parallel and, where instructions depend on the results of other instructions, to predict which instructions are likely to execute next. When there are hundreds of instructions to run, predictions provide a significant gain in performance. The Spectre attack starts by mistraining the processor with code patterns that cause erroneous speculative execution and at the same time create covert side channels for exfiltration. The attacker then has the victim perform an action that is normally allowed but touches sensitive information. Permissions are not checked until the instructions are committed, so the speculative path reads the sensitive data without obstruction and modifies the cache state in an observable way. The attacker then recovers that information from the cache even though the erroneous instructions are discarded.

Researchers at the University of California, Riverside (UCR) have discovered a new form of the attack named SpectreRSB that uses the Return Stack Buffer (RSB) instead of the Branch Target Buffer to acquire and smuggle sensitive information. Instead of causing the branch predictor to misspeculate onto a poisoned branch, SpectreRSB poisons the return address in the RSB.

Intel already has a patch, but only for Core i7 Skylake and later processors. The patch is called RSB refilling and it fills the RSB with a benign address whenever there is a switch to the kernel. Some of the attacks proposed in the UCR paper can bypass RSB refilling, but the researchers believe those proof-of-concept attacks are unlikely to be practical because of the difficulty of implementing the gadget that smuggles the return address into a recoverable cache state.

Sources:
https://securityaffairs.co/wordpress/74698/hacking/spectrersb-attack.html
https://arxiv.org/pdf/1807.07940.pdf
https://www.bleepingcomputer.com/news/security/researchers-detail-newcpu-side-channel-attack-named-spectrersb/

More Vulnerabilities in the Smart Home

Researchers at Cisco Talos recently spent some time probing the Samsung SmartThings Hub, a device designed to be the center of your smart home. They discovered a number of vulnerabilities that allow remote information leakage up to arbitrary remote code execution. The device is designed to communicate with a range of devices over Ethernet, Z-Wave, Bluetooth, and Zigbee. These devices could be smart locks, IP cameras, alarm systems, thermostats and more.

The researchers found a total of 20 vulnerabilities in the hub. They noted that while each of the vulnerabilities by itself might not have a great impact on the security of the device, in many cases the vulnerabilities can be chained together to form a complete exploit. Three vulnerability chains were identified that allow an attacker to take complete control of the device.

The first chain allows for remote code execution on the hub. By using a vulnerability that allows the execution of arbitrary SQL queries, an attacker would be able to trigger a different vulnerability that allows memory corruption. Specially crafted queries would allow the attacker to execute arbitrary code via this attack vector. The second chain allows the attacker to get a glance inside the ‘hubCore’ process of the device, leaking sensitive information. This is accomplished via a vulnerability that allows an empty file to be created anywhere on the device. While at first glance this vulnerability doesn’t seem impactful, the researchers learned that creating this empty file in a specific location causes the ‘hubCore’ process to crash and produce a memory dump. The third vulnerability in this chain allows the capture of this information over the network.

The last of the three chains allows for remote code execution with no prior authentication. This chain relies on sending specially crafted queries to the ‘video-core’ process running on the device. A vulnerability in the HTTP pipeline allows the requests to reach the vulnerable service with an arbitrary payload that triggers a buffer overflow, allowing remote code execution. While the third exploit chain requires no authentication, the first two have varying requirements depending on a number of factors. In some cases anyone holding a valid OAuth bearer token can talk to the remote servers in order to trigger some of the vulnerabilities. Malicious apps designed for the hub can also be used to trigger the exploits.

Cisco Talos reported all the vulnerabilities it found to Samsung. Samsung responded by fixing the bugs and pushing a firmware update to all connected SmartThings Hubs. While the hubs are designed to update automatically, it is always a good idea to verify the firmware version currently running and update manually if necessary.

Sources:
https://blog.talosintelligence.com/2018/07/samsung-smartthings-vulns.html
https://www.csoonline.com/article/3292942/security/researchers-reveal-20vulnerabilities-in-samsung-smartthings-hub.html
https://www.securityweek.com/samsung-patches-critical-vulnerabilitiessmartthings-hub

Ransomware

No More Ransom Web Site

https://www.nomoreransom.org/en/index.html is a site you should save in your favorites.

This site has lots of resources to help you deal with ransomware.

Ransomware is malware that locks your computer and mobile devices or encrypts your electronic files. When this happens, you can’t get to the data unless you pay a ransom. However, even paying is no guarantee, so you should try this site for a solution first.

The site has Crypto Sheriff, an upload page where you can submit a file and the site may give you a solution on how to remove the ransomware. Part of the site has solutions for many types of ransomware.

How to prevent a ransomware attack?

1. Back-up! Back-up! Back-up! Have a recovery system in
place so a ransomware infection can’t destroy your personal data forever. It’s
best to create two back-up copies: one to be stored in the cloud (remember to
use a service that makes an automatic backup of your files) and one to store physically
(portable hard drive, thumb drive, extra laptop, etc.). Disconnect these from
your computer when you are done. Your back up copies will also come in handy
should you accidentally delete a critical file or experience a hard drive
failure.

2. Use robust antivirus software to protect your system from
ransomware. Do not switch off the ‘heuristic functions’ as these help the
solution to catch samples of ransomware that have not yet been formally
detected.

3. Keep all the software on your computer up to date. When
your operating system (OS) or applications release a new version, install it.
And if the software offers the option of automatic updating, take it.

4. Trust no one. Literally. Any account can be compromised,
and malicious links can be sent from the accounts of friends on social media,
colleagues or an online gaming partner. Never open attachments in emails from
someone you don’t know. Cybercriminals often distribute fake email messages
that look very much like email notifications from an online store, a bank, the
police, a court or a tax collection agency, luring recipients into clicking on
a malicious link and releasing the malware into their system.

5. Enable the ‘Show file extensions’ option in the Windows
settings on your computer. This will make it much easier to spot potentially
malicious files. Stay away from file extensions like ‘.exe’, ‘.vbs’ and ‘.scr’.
Scammers can use several extensions to disguise a malicious file as a video,
photo, or document (like hot-chics.avi.exe or doc.scr).

6. If you discover a rogue or unknown process on your
machine, disconnect it immediately from the internet or other network
connections (such as home Wi-Fi) — this will prevent the infection from
spreading.

Other resources

If you are a member of InfraGard, look at the resource here as well.


Apache Releases Security Updates for Apache Tomcat

The Apache Software Foundation has released security updates to
address vulnerabilities in Apache Tomcat versions 9.0.0.M9 to 9.0.9,
8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. A remote
attacker could exploit one of these vulnerabilities to obtain sensitive
information.

NCCIC encourages users and administrators to review the Apache security advisories for CVE-2018-8037 and CVE-2018-1336 and apply the necessary updates.

Bluetooth Vulnerability

  Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange.

Overview

Bluetooth firmware or operating system software drivers may not
sufficiently validate elliptic curve parameters used to generate public
keys during a Diffie-Hellman key exchange, which may allow a remote
attacker to obtain the encryption key used by the device.


Description

CWE-325: Missing Required Cryptographic Step
CVE-2018-5383

Bluetooth utilizes a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices. The ECDH key pair consists of a private and a public key, and the public keys are exchanged to produce a shared pairing key. The devices must also agree on the elliptic curve parameters being used. Previous work on the “Invalid Curve Attack” showed that the ECDH parameters are not always validated before being used in computing the resulting shared key, which reduces attacker effort to obtain the private key of the device under attack if the implementation does not validate all of the parameters before computing the shared key.

In some implementations, the elliptic curve parameters are not all
validated by the cryptographic algorithm implementation, which may allow
a remote attacker within wireless range to inject an invalid public key
to determine the session key with high probability. Such an attacker
can then passively intercept and decrypt all device messages, and/or
forge and inject malicious messages.

Both Bluetooth low energy (LE) implementations of Secure Connections
Pairing in operating system software and BR/EDR implementations of
Secure Simple Pairing in device firmware may be affected. Bluetooth
device users are encouraged to consult with their device vendor for
further information.

Since the vulnerability was identified, the Bluetooth SIG has updated
the Bluetooth specifications to require validation of any public key
received as
part of public key-based security procedures, thereby providing a remedy
to the vulnerability from a specification perspective. In addition, the
Bluetooth SIG has added testing for this vulnerability within its
Bluetooth Qualification Program.  The Bluetooth SIG has also released a public statement regarding the vulnerability.
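As an added illustration (not code from the CERT note or from any vendor’s Bluetooth stack), this is the check the updated specification now mandates: a receiver confirms that a peer’s ECDH public key actually lies on the agreed curve before deriving any shared key. It is written for NIST P-256, the curve LE Secure Connections uses; the 64-byte little-endian X||Y layout follows the LE Pairing Public Key PDU, and the function names and sample inputs are constructed for this example.

```python
"""Peer public-key validation for ECDH over NIST P-256.

Added example: rejects the invalid-curve points described under CVE-2018-5383.
"""
from typing import Tuple

# NIST P-256 domain parameters (FIPS 186-4): y^2 = x^3 + a*x + b over GF(p).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
COORD_LEN = 32  # bytes per coordinate in the pairing PDU


def on_curve(x: int, y: int) -> bool:
    """True iff (x, y) satisfies the P-256 curve equation modulo p."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_peer_public_key(x: int, y: int) -> Tuple[bool, str]:
    """Full public-key validation of an affine point received from a peer.

    Range-check each coordinate, then confirm the point is on the agreed
    curve.  P-256 has cofactor 1, so any affine point on the curve already
    has prime order n and no separate order check is needed.  The point at
    infinity has no affine encoding; an all-zero point fails the curve
    check anyway because b != 0.
    """
    if not (0 <= x < P and 0 <= y < P):
        return False, "coordinate outside the field range [0, p-1]"
    if not on_curve(x, y):
        return False, "point is not on P-256 (invalid-curve point)"
    return True, "ok"


def parse_pairing_public_key(pdu: bytes) -> Tuple[int, int]:
    """Decode a 64-byte X||Y payload with little-endian coordinates."""
    if len(pdu) != 2 * COORD_LEN:
        raise ValueError("public key payload must be 64 bytes")
    x = int.from_bytes(pdu[:COORD_LEN], "little")
    y = int.from_bytes(pdu[COORD_LEN:], "little")
    return x, y


def encode_pairing_public_key(x: int, y: int) -> bytes:
    """Inverse of parse_pairing_public_key; used to build sample payloads."""
    return x.to_bytes(COORD_LEN, "little") + y.to_bytes(COORD_LEN, "little")


def accept_pairing_public_key(pdu: bytes) -> bool:
    """Hardened receive path: decode, validate, and abort pairing (False)
    on any malformed or off-curve key instead of computing a shared key."""
    try:
        x, y = parse_pairing_public_key(pdu)
    except ValueError:
        return False
    ok, _reason = validate_peer_public_key(x, y)
    return ok


if __name__ == "__main__":
    # Constructed sample inputs: the base point G (valid) and G with its
    # y-coordinate zeroed (off the curve, the shape of an injected bad key).
    good = encode_pairing_public_key(GX, GY)
    bad = encode_pairing_public_key(GX, 0)
    print("genuine key accepted:", accept_pairing_public_key(good))   # True
    print("off-curve key accepted:", accept_pairing_public_key(bad))  # False
```

A stack that skips `validate_peer_public_key` and feeds the raw coordinates straight into scalar multiplication is exactly the pattern the advisory describes.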

Impact

An
unauthenticated, remote attacker within range may be able to utilize a
man-in-the-middle network position to determine the cryptographic keys
used by the device. The attacker can then intercept and decrypt and/or
forge and inject device messages.


Solution

Apply an update

Both software and firmware updates are expected over the coming weeks.
Affected users should check with their device vendor for availability of
updates.

Vendor Information

Vendor                        Status         Date Notified   Date Updated
Apple                         Affected       18 Jan 2018     23 Jul 2018
Broadcom                      Affected       18 Jan 2018     19 Jun 2018
Intel                         Affected       18 Jan 2018     23 Jul 2018
QUALCOMM Incorporated         Affected       18 Jan 2018     06 Feb 2018
Microsoft                     Not Affected   06 Feb 2018     20 Jul 2018
Android Open Source Project   Unknown        18 Jan 2018     18 Jan 2018
Bluetooth SIG                 Unknown        06 Feb 2018     06 Feb 2018
Google                        Unknown        19 Mar 2018     19 Mar 2018
Linux Kernel                  Unknown        05 Mar 2018     05 Mar 2018

Another type of phishing attack

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Here is a new one that has started to circulate.
__________________________________________

You don’t know me and you’re thinking why you received this
e mail, right?

Well, I actually placed a malware on the porn website and guess what, you
visited this web site to have fun (you know what I mean). While you were
watching the video, your web browser acted as a RDP (Remote Desktop) and a
keylogger which provided me access to your display screen and webcam. Right
after that, my software gathered all your contacts from your Messenger, Facebook
account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing
(you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s
you doing nasty things!).

What should you do?

Well, I believe, $1900 is a fair price for our little secret. You’ll make the
payment via Bitcoin to the below address (if you don’t know this, search
“how to buy bitcoin” in Google).

BTC Address: XXXXXXXXXXXXX
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within
this email message, and right now I know that you have read this email). If I
don’t get the payment, I will send your video to all of your contacts including
relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase
the video immidiately. If you want evidence, reply with “Yes!” and I
will send your video recording to your 5 friends. This is a non-negotiable
offer, so don’t waste my time and yours by replying to this email.

 
______________________________________________

FYI, I wish they would learn to use a spell checker.

ONCE AGAIN, IF YOU DO NOT KNOW THE SENDER, DO NOT OPEN IT UP.
THINK BEFORE YOU CLICK.


CERT Advisory (ICSMA-18-179-01) Medtronic MyCareLink Patient Monitor

1. EXECUTIVE SUMMARY

  • CVSS v3 6.4
  • Vendor: Medtronic 
  • Equipment: MyCareLink Patient Monitor
  • Vulnerabilities: Use of Hard-coded Password, Exposed Dangerous Method or Function

2. RISK EVALUATION

If exploited, these vulnerabilities may allow privileged access to the monitor’s operating system. However, physical access to the MyCareLink monitor is required. Additionally, these vulnerabilities may allow a MyCareLink monitor, when operated within close physical proximity of an implantable cardiac device, to read and write arbitrary memory values of that device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following MyCareLink Monitors are affected:

  • 24950 MyCareLink Monitor, all versions,
  • 24952 MyCareLink Monitor, all versions.

3.2 VULNERABILITY OVERVIEW

3.2.1    USE OF HARD-CODED PASSWORD CWE-259

The affected product contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.

CVE-2018-8870 has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been assigned; the CVSS vector string is (AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2    EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749

The affected product contains debug code meant to test the functionality of the monitor’s communication interfaces, including the interface between the monitor and the implantable cardiac device. An attacker with physical access to the device can apply the other vulnerabilities within this advisory to access this debug functionality. This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short-range wireless protocols. An attacker in close physical proximity to a target implantable cardiac device can use this debug functionality.

CVE-2018-8868 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been assigned; the CVSS vector string is (AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Dublin, Ireland

3.4 RESEARCHER

Peter Morgan of Clever Security reported these vulnerabilities to NCCIC.

4. MITIGATIONS

Medtronic will release several rolling over-the-air product updates that will mitigate the vulnerabilities described within this advisory. These updates will be applied to devices automatically as part of standard, recurring update processes. In addition, Medtronic has increased security monitoring of affected devices and related infrastructure.

Medtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Maintain good physical controls over the home monitor as the best mitigation to these vulnerabilities.
  • Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system.
  • Report any concerning behavior regarding their home monitor to their healthcare provider or a Medtronic representative.

Medtronic has released additional patient-focused information at the following location:
https://www.medtronic.com/security

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. A high skill level is needed to exploit them.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: [email protected]