My information Resource (blog.mir.net)

In the last few years the price of 3D printers fit for home use has fallen substantially. They have become cheap enough for people without advanced technical skills, especially security skills to venture into this market area. By default, most of the current 3D printers require being tethered to a PC full time via USB to configure and run print jobs.

 Octoprint, a 3D printing application, makes life easier for non-technical users by removing this requirement. It can be installed on a device such as a Raspberry Pi and connected to your home network where it exposes a HTTP interface for interaction with the printer which greatly improves usability. During the Octoprint installation process, the user is prompted to enable authentication on the web interface although many people choose to disable the authentication for ease of use. This is not ideal but usually fine if the printer is exposed on the local network only.

As 3D prints can take upwards of 24 hours to complete many people don’t wait long before thinking ‘it would be great to monitor the progress remotely’.  Therein lies the issues. In order to accomplish this, they must open a HTTP port in their network via port forwarding to access Octoprint from anywhere and typically forget to enable authentication first. This is how thousands of unsecured Octoprint instances ended up accessible from the internet.
There are MANY risks associated with having these web interfaces publicly exposed. The first is that Octoprint isn’t really designed as a secure web application. It was designed with advanced users in mind and as such can be tweaked and modified endlessly. In it’s default configuration, it is essentially an unauthenticated portal to your network as you can run arbitrary system commands from the web interface. By leveraging this feature an attacker could easily move to more sensitive machines in the network. The second major risk is that 3D printers are essentially simple robots with attached heaters. These heaters can reach extremely high temperatures very quickly. Most modern 3D printers have temperature limits enabled in the firmware to prevent thermal runaways from causing a fire. However, by modifying the firmware and flashing the printer from the Octoprint interface these limits can be removed. This could allow an attacker to start a fire with the printer in just a few clicks. While not as dangerous, an attacker could also possibly damage the machine by commanding the motors to move past their defined areas. 

Octoprint has always stated to its customers that making the application available to the internet even with authentication enabled is a terrible idea. Many software applications designed for advanced users, and or experimentation don’t go through rigorous security assessments and aren’t meant to be exposed on the internet. Similar to a cheap lock, the authentication mechanisms are meant to keep the honest out. It is important to review the software’s security posture before opening a port in your network to access it remotely. Even better although not as convenient, using a VPN to access network services running in your home network is the best idea to reduce risk of exposure.
Sources: • https://www.csoonline.com/article/3303562/security/over-3700-exposed3d-printers-open-to-remote-attackers.html • https://octoprint.org/blog/2018/09/03/safe-remote-access/

Announcing PowerShell Core 6.1

PowerShell Gallery

The PowerShell
Gallery is the place to find PowerShell code that is shared by the
community, Microsoft, and other companies. The site has averaged over 21
million downloads per month for the past 6 months and has more than 3,800
unique packages available for use. It’s amazing when we consider we were
handling just under 4 million downloads in July 2017. We clearly needed to
invest in the PowerShell Gallery to support that kind of growth.

New features and performance enhancements

Most users should
see an improvement in package download speeds from the PowerShell Gallery. The
new release takes advantage of CDN to provide faster downloads, particularly
for those outside the United States. This should be most noticeable when
installing a module with many dependencies.  

The new updates
include things users have requested for a long time, including:

• A manual
  download option from the PowerShell Gallery. It cannot replace
  install-module / install-script but does solve some specific issues for
  those with private repositories or older versions of PowerShell.
• A change to Install-Module and
  Install-Script to simply install to the current user scope when not
  running in an elevated PowerShell session.

The
new user experience is more than just a face-lift, as providing a modern UI
also improves the performance. The PowerShell Gallery pages now display only
the most critical information initially, and move the details to expanding
sections in the UI. This makes the pages faster and easier for users to find
the content they want to see. You can see the full post here

PowerShell
Training Resources

Microsoft
Virtual Academy (MVA) is a logical first-stop when searching for sources
of free learning. A search for “powershell” on the main page of the MVA website
returns 68 hits, 13 of which include PowerShell in the course title. Other
highly rated courses include Getting Started with PowerShell Desired State
Configuration (DSC), Advanced Tools & Scripting with PowerShell: 3.0 Tools
That Make Changes and Advanced PowerShell Desired State
Configuration (DSC) and Custom Resources.  To go to the MVA click here.

PowerShell.org Supporting
all platforms and languages that use PowerShell, this site’s Videos section
provides links to the organization’s PowerShell on YouTube channel (with more
than 100 videos) as well as a few structured learning courses. You’ll also find
pointers to a whole slew of lengthy articles and tutorials on PowerShell in the
site’s eBooks section. The Build
Server section lets you sign up for virtual instances of PowerShell
for testing and learning purposes. And while you’re on the PowerShell.org site,
be sure to browse the articles and forums, both of which are good sources of
PowerShell how-to information

Windows PowerShell
Survival Guide: This
is perhaps the motherlode of resources — Microsoft’s list of lists for
PowerShell. To go to this tool click here

The Spectre attack has been an unexpected danger to our security since January of this year. It’s an attack on most modern processors that use speculative execution to leak sensitive information to a potential attacker. Speculative execution allows processors to execute instructions in parallel, and in cases where instructions are dependent upon the results of other instructions, tries to predict which instructions are likely to take place. When there are hundreds of instructions to run, predictions provide a significant gain in performance. The Spectre attack starts by miss training the processor with processes that will cause erroneous speculative executions which also create covert side channels for exfiltration. Then the attacker has the victim perform an action that usually is allowed and requests sensitive information. Permissions are not checked until the instructions are committed so it has no problem reading the sensitive information and modifying the cache state in a vulnerable way. The attacker then retrieves that information despite the erroneous instructions being discarded.

Researchers at University of California, Riverside (UCR) have discovered a new form of the attack named SpectreRSB that uses the Return Stack Buffer (RSB) instead of the Branch target Buffer to acquire and smuggle sensitive information. Instead of causing the Branch Predictor to miss speculate onto a poisoned branch, SpectreRSB poisons the return address of the RSB. 

Intel already has a patch but only on the Core-i7 Skylake and later processors. The patch is called RSB refilling and it fills the RSB with a benign address whenever there is a switch to the Kernel. Some of the proposed attacks in the UCR paper can bypass RSB refilling, but the researchers believe their proof of concept attacks are unlikely to be practical because of the difficulty in implementing the gadget that smuggles the return address to a recoverable cache. 
Sources: 
https://securityaffairs.co/wordpress/74698/hacking/spectrersb-attack.html  https://arxiv.org/pdf/1807.07940.pdf  https://www.bleepingcomputer.com/news/security/researchers-detail-newcpu-side-channel-attack-named-spectrersb/

Researchers at Cisco Talos recently spent some time probing the Samsung SmartThings Hub, a device designed to be the center of your smart home. They discovered a number of vulnerabilities that allow remote information leakage up to arbitrary remote code execution. The device is designed to communicate with a range of devices over Ethernet, Z-Wave, Bluetooth, and Zigbee. These devices could be smart locks, IP cameras, alarm systems, thermostats and more.

The researchers found a total of 20 vulnerabilities in the hub. They noted that while each of the vulnerabilities by themselves might not have a great impact on the security of the device, in many cases the vulnerabilities can be chained together to form a complete exploit. Three vulnerability chains were identified that allows an attacker to have complete control over the device.

The first chain allows for remote code execution on the hub. By using a vulnerability that allows for the execution of arbitrary SQL queries an attacker would be able to trigger a different vulnerability that allows for memory corruption. Specially crafted queries would allow the attacker to execute arbitrary code via this attack vector. The second chain allows the attacker to get a glance inside the ‘hubCore’ process of the device, leaking sensitive information. This is accomplished via a vulnerability that allows an empty file to be created anywhere on the device. While at first glance this vulnerability doesn’t seem impactful, the researchers learned that creating this empty file in a specific location causes the ‘hubCore’ process to crash and create a memory dump.
 
The third vulnerability in this chain allows for the capture of this information over the network. The last of the 3 chains allows for remote code execution with no prior authentication. This chain relies on sending specially crafted queries to the ‘video-core’ process running on the device. A vulnerability in the HTTP pipeline allows the requests to reach the vulnerable service with an arbitrary payload that triggers a buffer overflow, allowing for remote code execution. While the third exploit chain requires no authentication, the first two have varying requirements depending on a number of factors. In some cases anyone holding a valid OAuth bearer token can talk to the remote servers in order to trigger some of the vulnerabilities. Malicious apps designed for the hub can also be used to trigger the exploits.
Cisco Talos reported all the found vulnerabilities to Samsung. Samsung responded by fixing the bugs and pushing a firmware update to all connected SmartThings Hubs. While the hubs are designed to update automatically, it is always a good idea to verify the firmware version currently running and update manually if necessary.

Sources: 

https://blog.talosintelligence.com/2018/07/samsung-smartthings-vulns.html  https://www.csoonline.com/article/3292942/security/researchers-reveal-20vulnerabilities-in-samsung-smartthings-hub.html 

 https://www.securityweek.com/samsung-patches-critical-vulnerabilitiessmartthings-hub 

BOISE, Idaho (AP) — Idaho prison officials say 364 inmates exploited
vulnerable software in the JPay tablets they use for email, music and
games to collectively transfer nearly a quarter million dollars into
their own accounts.

Here the link to the story https://apnews.com/dfd5dccdf75c4b5dbc97ff5ecf3f3d5b, this show where this a way people will find it and use it to their own  ends

https://www.nomoreransom.org/en/index.html
is a site you should save in your favorite.

The Apache Software Foundation has released security updates to
address vulnerabilities in Apache Tomcat versions 9.0.0.M9 to 9.0.9,
8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. A remote
attacker could exploit one of these vulnerabilities to obtain sensitive
information.

NCCIC encourages users and administrators to review the Apache security advisories for CVE-2018-8037 and CVE-2018-1336 and apply the necessary updates

  Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange.

Overview

Bluetooth firmware or operating system software drivers may not
sufficiently validate elliptic curve parameters used to generate public
keys during a Diffie-Hellman key exchange, which may allow a remote
attacker to obtain the encryption key used by the device.

Description

CWE-325: Missing Required Cryptographic Step – CVE-2018-5383 Bluetooth utilizes a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices. The ECDH key pair consists of a private and a public key, and the public keys are exchanged to produce a shared pairing key. The devices must also agree on the elliptic curve parameters being used. Previous work on the “Invalid Curve Attack” showed that the ECDH parameters are not always validated before being used in computing the resulted shared key, which reduces attacker effort to obtain the private key of the device under attack if the implementation does not validate all of the parameters before computing the shared key. In some implementations, the elliptic curve parameters are not all validated by the cryptographic algorithm implementation, which may allow a remote attacker within wireless range to inject an invalid public key to determine the session key with high probability. Such an attacker can then passively intercept and decrypt all device messages, and/or forge and inject malicious messages. Both Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software and BR/EDR implementations of Secure Simple Pairing in device firmware may be affected. Bluetooth device users are encouraged to consult with their device vendor for further information. Since the vulnerability was identified, the Bluetooth SIG has updated the Bluetooth specifications to require validation of any public key received as part of public key-based security procedures, thereby providing a remedy to the vulnerability from a specification perspective. In addition, the Bluetooth SIG has added testing for this vulnerability within its Bluetooth Qualification Program.  The Bluetooth SIG has also released a public statement regarding the vulnerability.

Impact

An unauthenticated, remote attacker within range may be able to utilize a man-in-the-middle network position to determine the cryptographic keys used by the device. The attacker can then intercept and decrypt and/or forge and inject device messages.

Solution

Apply an update Both software and firmware updates are expected over the coming weeks. Affected users should check with their device vendor for availability of updates. Vendor Information Vendor Status Date Notified Date Updated Apple Affected 18 Jan 2018 23 Jul 2018 Broadcom Affected 18 Jan 2018 19 Jun 2018 Intel Affected 18 Jan 2018 23 Jul 2018 QUALCOMM Incorporated Affected 18 Jan 2018 06 Feb 2018 Microsoft Not Affected 06 Feb 2018 20 Jul 2018 Android Open Source Project Unknown 18 Jan 2018 18 Jan 2018 Bluetooth SIG Unknown 06 Feb 2018 06 Feb 2018 Google Unknown 19 Mar 2018 19 Mar 2018 Linux Kernel Unknown 05 Mar 2018 05 Mar 2018

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Here a new one that has started to circulate.
__________________________________________

Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: [email protected]