More IoT Webcams Hackable – Trivially

Researchers at Bitdefender say they have uncovered two vulnerabilities in low-cost Chinese IP cameras.

One of the cameras is used in the iDoorbell, which adds a supply chain problem on top of the vulnerabilities themselves: a flawed component ends up inside another vendor's product.  The cameras come from Shenzhen Neo Electronics.  The researchers suspect that other camera models are affected as well.

Using the search engine Shodan, the researchers found over 100,000 vulnerable cameras exposed to the Internet, and they suspect the real number is larger because other models may share the same flaws.

One of the two exploits does not even require credentials: the vulnerability is in the login handling itself, so it can be triggered before authentication.

The low cost of the camera ($39) means there are likely a lot of them out there.

The low cost of the camera also probably explains why the manufacturer did not respond to the researchers' notification of the problem.

Now that the vulnerability has been disclosed, any attacker who was not aware of the problem before is aware of it now.

Since the vulnerabilities allow an attacker to run arbitrary code on the camera, the camera becomes a foothold inside whatever network it is attached to, and from there the attacker can go after everything else on that network.  That is pretty scary.

There is some hope on the horizon.  Maybe.

Senators Cory Gardner (R-CO) and Mark Warner (D-VA) have introduced a bill that could make things a little bit better.

The bill, IF PASSED AND SIGNED BY THE PRESIDENT, establishes certain requirements for any IoT device that a vendor wants to SELL TO THE FEDERAL GOVERNMENT.  That is a small but meaningful subset of IoT devices, and vendors that meet the bar will likely advertise the fact, which could push vendors who have not implemented the federal standard to do so for competitive reasons.  IF the bill passes.

Here are the bill’s requirements as of today:

  • The devices must be patchable (seems logical, but have you tried to patch your refrigerator lately?).
  • The devices must not contain known vulnerabilities.  That means the cameras at the beginning of this article could not be sold to the government.  If the vendor identifies vulnerabilities later, it must disclose them to the government, explain why the device is still secure and what compensating controls exist.  After that, the agency's CIO can issue a waiver.  Most likely, CIOs would not want their signature on that waiver unless the device was absolutely critical to the agency's mission.
  • The devices must rely on standard protocols.  No secret, proprietary (and hence untested for security) protocols allowed.
  • Agencies can ask the OMB for a waiver to buy a non-compliant device if they can show compensating controls, but who is going to ask for that?  If that device were hacked after the fact, there would be hell to pay.
  • The OMB, working with NIST, would be required to create security standards for deploying those devices in government.  Of course businesses could use those standards too.
  • Agencies could have their own security standards for IoT devices, as long as they were more rigorous than the baseline.
  • Vulnerabilities found must be patched or devices replaced in a timely manner (whatever that means; full employment for lawyers, I suppose).
  • The bill also protects researchers from prosecution under the Digital Millennium Copyright Act (DMCA) for hacking into a device to find and report vulnerabilities.

We shall see if the bill gets passed, but it might be, and that would be very good.  Stay tuned.  If it does get signed into law, I will let readers know.

Information on this post came from ZDNet and Senator Warner’s web site.

Industrial Espionage – Much Worse Than Credit Card Breaches

General Keith Alexander, former director of the National Security Agency, has said that cyber espionage is the greatest transfer of wealth in history.  In 2012, when he made that statement, he put the annual value of cyber industrial espionage at $338 billion.  Per year.  Five years later, I am sure that number is larger.

Of course industrial espionage is not new.  In the early 18th century John Lombe, a British silk spinner, went to Italy to steal an Italian company's technology.  He managed to get a job at the company and, at night by candlelight, sketched its machines.  He returned to England with the stolen technology and built a better machine to compete with the Italians.

What is new is the ease with which this can be done.  With everything connected, you can now steal secrets from halfway around the world.  And with cyber security practices at many businesses being a bit lax (there are a few industries for which this is not the case, but they are the exception), it is pretty easy to do.  Even defense, which you would think would be secure, is not.  Lockheed lost the technology for the F-35, and now the Chinese make a knockoff and sell it at a fraction of the price.

Unlike credit card or personal information theft, which for the most part must be disclosed, stolen intellectual property is usually kept quiet.  It is embarrassing and would likely upset stockholders.  What they don't know won't hurt them.

As the manufacturing process becomes more computerized, the factory floor becomes a huge leak opportunity.  Traditional IT security solutions often do not work on the factory floor.  Crooks know that and attack at that weak spot.  In the absence of controls, detection and good processes, the crime goes undetected.

Fast forward three centuries.

Six men in Houston were arrested for stealing the technology for making marine foam.  China wanted to grow its marine business, and this foam is used in building boats because of its special buoyancy.

The Chinese, like John Lombe above, spent years weaseling their way into the Houston company that makes the foam.  The insiders sent the information back to China, and the Chinese then had the gall to try to sell it back to the company they stole it from, saying they could make it for less.

While stealing the information, they kept coming back to the insiders in the U.S. for more when their efforts at cloning the process were not working.

Now, except for one man who is in China, they are all under arrest.  BUT the technology has already been stolen, so it is not clear how this company can get the genie back in the bottle.  Not clear at all.

Supposedly, the stolen information was known to only about a half dozen employees in the company.  It was the company's crown jewels, and now the cat is out of the bag.

The company considered buying the product from the Chinese knockoff IF the Chinese would give them an exclusive.  SO, rather than go public and be outed, they proposed making a deal with the devil.

When the Chinese started offering this U.S. company's technology to other companies in the U.S., the company called in the FBI.  That started an investigation and, eventually, the arrest of these six men.  FOUR years later.

Unfortunately, this is one of, likely, thousands of incidents.  Stopping one will NOT stop the thieves.  They consider it an acceptable loss, collateral damage in a bigger game.

And American companies continue to ignore the warning signs (because, in many cases, there are no warning signs: the companies that got hacked keep the attack quiet).

Think about what happens to your company if you lose control of your intellectual property, whatever that is.

Information for this post came from IIoT World and the Houston Chronicle.

Business Email Compromise Attacks Are Not Always Sophisticated

Business email compromise (BEC) attacks continue relentlessly, with no let-up in sight.  BEC attacks have traditionally used CEOs and CFOs as their foils: the attacker impersonates the executive and gets an employee to wire money to the attacker.

The oil and gas industry was targeted by a single individual using old, generic malware readily available online and scraping companies' web sites for email addresses.  It does not always require a sophisticated plan of attack.

One man in his 20s targeting 4,000 organizations with a few fake Yahoo email addresses was all it took in this case.  Over a few months he successfully attacked several large companies, getting away with a lot of money.

According to Cisco's midyear cybersecurity report, businesses lost over $5 billion to BEC over the last three years.  That number is likely low because many companies do not want to let customers know they were hacked, possibly by a lone attacker using obsolete software and no infrastructure to speak of.

One industry that is being hammered is real estate.  For the most part, industry members do not like talking about it, but every now and then we do hear stories.  One group that is often targeted is real estate agents.  These are often one-person organizations with limited technical support and, in many cases, not much technical sophistication.  And they act as trusted intermediaries between all the parties to the transaction.  My recommendation to real estate agents is to stay out of the middle of the finances and make that clear to the parties.  Otherwise they may wind up in the middle of a lawsuit just for trying to help.

In one example, a real estate agent got an email from a person claiming to be looking for a house.  The scammer then sent a link in another email, claiming it was a bank mortgage pre-approval letter.  In fact, it was an attempt to steal the agent's email password.  If successful, the attacker could then silently read all of the agent's email.

As soon as the attacker sees an exchange about wiring funds, they can inject their own emails changing those instructions so the money is wired to them.  Because the messages come from the agent's real mailbox, the other parties have little reason to doubt them.
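The wire-instruction injection described above can be triaged with a few heuristics on the mail itself.  The example below is added here and is not code from the page, from Cisco or from Dark Reading.  It runs over a constructed three-message closing thread and flags three things: a sender domain one character off from a trusted title company's domain, wire instructions (routing and account numbers) that change partway through a thread, and a Reply-To address pointing somewhere other than the From domain (the fake Yahoo addresses in the oil and gas case).  The domain names, the message structure and the edit-distance threshold are all assumptions.  The lookalike-domain check goes beyond the page, which describes only the compromised-mailbox variant, but it is a common way BEC crews get into a thread they do not control.

```python
"""
Added example (not from the page): heuristic triage of an email thread for
business email compromise (BEC) indicators.

Assumptions: the thread below is constructed, the domains are made up, and
an edit distance of at most 2 from a trusted domain counts as a lookalike.
"""
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple


@dataclass
class Msg:
    sender: str                      # From: header
    subject: str
    body: str
    reply_to: Optional[str] = None   # Reply-To: header, if any


# Loose patterns for US wire details as they appear in closing emails.
ROUTING_RE = re.compile(r"\b(?:routing|aba)\s*(?:#|no\.?|number)?\s*[:\-]?\s*(\d{9})\b", re.I)
ACCOUNT_RE = re.compile(r"\baccount\s*(?:#|no\.?|number)?\s*[:\-]?\s*(\d{6,17})\b", re.I)
SUBJECT_PREFIX_RE = re.compile(r"^\s*(?:re|fw|fwd)\s*:\s*", re.I)
LOOKALIKE_MAX_DISTANCE = 2  # assumption


def domain_of(header: str) -> str:
    """'Ann <ann@x.example>' -> 'x.example'; '' if there is no address."""
    addr = parseaddr(header)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def thread_key(subject: str) -> str:
    """Strip any number of Re:/Fw:/Fwd: prefixes so replies join their thread."""
    stripped = SUBJECT_PREFIX_RE.sub("", subject)
    while stripped != subject:
        subject, stripped = stripped, SUBJECT_PREFIX_RE.sub("", stripped)
    return subject.strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character-off domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is exact or unrelated."""
    for t in trusted:
        if domain != t and edit_distance(domain, t) <= LOOKALIKE_MAX_DISTANCE:
            return t
    return None


def wire_details(body: str) -> Tuple[Optional[str], Optional[str]]:
    """(routing number, account number) found in the body, either may be None."""
    r, a = ROUTING_RE.search(body), ACCOUNT_RE.search(body)
    return (r.group(1) if r else None, a.group(1) if a else None)


def triage(messages: List[Msg], trusted: List[str]) -> List[Tuple[int, str]]:
    """Return (message index, reason) for every indicator found, in message order."""
    findings: List[Tuple[int, str]] = []
    first_seen: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for i, m in enumerate(messages):
        dom = domain_of(m.sender)
        look = lookalike_of(dom, trusted)
        if look:
            findings.append((i, f"sender domain {dom} looks like trusted {look}"))
        if m.reply_to:
            rdom = domain_of(m.reply_to)
            if rdom and rdom != dom:
                findings.append((i, f"Reply-To domain {rdom} differs from From domain {dom}"))
        details = wire_details(m.body)
        if any(details):
            key = thread_key(m.subject)
            if key not in first_seen:
                first_seen[key] = details          # baseline instructions for this thread
            elif any(new is not None and new != old
                     for new, old in zip(details, first_seen[key])):
                findings.append((i, "wire instructions changed mid-thread"))
    return findings


TRUSTED_DOMAINS = ["firsttitle.example"]          # assumption: the real title company

# Constructed thread: legitimate instructions, then a lookalike-domain "correction",
# then a message from the real mailbox whose Reply-To points at a webmail account.
SAMPLE_THREAD = [
    Msg("Ann Closer <ann@firsttitle.example>", "Wire instructions: 12 Oak St closing",
        "Please wire the earnest money to routing 021000021, account 123456789."),
    Msg("Ann Closer <ann@firsttit1e.example>", "Re: Wire instructions: 12 Oak St closing",
        "Our bank changed today. Use routing 021000021, account 987654321 instead."),
    Msg("Ann Closer <ann@firsttitle.example>", "Re: Wire instructions: 12 Oak St closing",
        "Can you confirm the wire went out?", reply_to="ann.firsttitle@yahoo.example"),
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_THREAD, TRUSTED_DOMAINS):
        print(f"message {idx}: {reason}")
```

None of these heuristics proves fraud; an honest closing agent does occasionally change banks.  The point is that any change to wire instructions inside an email thread should trigger a phone call to a number you already had on file, never a reply to the email.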

We have seen multiple cases where the money lost was well over a hundred thousand dollars.  For a company with the right kind of insurance, the loss is a pain, but it is manageable.  We know of one local company that lost close to $150,000 because it did not have the right insurance coverage.

Homeowners who are buying or selling a house have no such insurance, and the real estate agent or title company likely has no liability to give them their money back.  It is possible that the agent or title company has insurance that would cover it, but that depends a lot on exactly how the attack worked.

If the company does not have the right kind of insurance and does not have the funds to reimburse the buyer or seller, it will likely face a lawsuit and may go out of business.  For an individual real estate agent, that could mean a judgment against them and bankruptcy.

We always tell people that they need the right kind of cyber insurance, and the Cisco report gives five billion reasons why.

It is important to understand exactly what insurance coverage you have, and we strongly recommend that our customers seek the advice of an agent who knows cyber insurance before purchasing a cyber risk policy.  Unfortunately, many agents who sell cyber insurance do not have the training needed to take care of the customer.  They are not bad people, just people who need more training before selling an insurance product that can be very complicated.

Information for this post came from Dark Reading.

Beware of Shady Repair Shops

A paper presented this month at the 2017 USENIX Workshop on Offensive Technologies (WOOT) was pretty offensive, and not in the way the workshop title means.

Offensive security is the attacker's side of the field: going out and attacking a system rather than defending it.

The paper demonstrated a proof-of-concept attack that works if someone takes their phone to a repair shop.  The attack works by surreptitiously inserting hardware, say behind a replacement for a cracked screen, that "adds" a few "features".

They demonstrated putting these hacked screens into two Android phones, a Huawei and a Nexus, but they say the attack should work with iPhones as well.

This attack works because manufacturers draw the trust boundary around the whole device: the phone's main processor trusts the screen and other replaceable components as if they could not be tampered with, so nothing checks what those parts send it.  A malicious replacement part sits inside that boundary.  In this case, that trust is misplaced.

In reality, this is nothing new.  Stories abound of PC and Mac repair shops inserting extra software, and sometimes hardware, into a computer in order to monitor it.  There was a big dust-up a year or two ago when it was discovered that some repair technicians were being paid by the FBI to feed it information from computers brought in for repair.

In this case, the modified screen was able to log keystrokes, capture unlock patterns (for pattern screen locks), install malicious apps, and take pictures and send them to the attacker.

All this for about ten dollars in parts.

The problem is that you lose control of the device, whether phone, tablet or computer, when you leave it with the repair person.

They say this particular attack is subtle enough that it is unlikely to be detected, even by another repair technician, unless he or she knows what to look for.

The researchers say there are inexpensive countermeasures that manufacturers could add, but there is really nothing you can do yourself.

They say the attack could easily scale up to a lot of phones and, of course, would also scale down to targeted phones.

As a user, the only thing you can do is choose your repair center wisely.  If you can use a manufacturer's repair center, that is probably less risky.  If not, do your homework, check out the shop, and ask how they vet the people working on your device.

Great – something else to worry about.

For more details about the hack, see the article in Ars Technica.

CIA Spies on FBI, DHS and Other Friends

In the ongoing WikiLeaks Vault 7 series of leaks, there is a new release called ExpressLane.

According to the documents released by WikiLeaks, the CIA offers a partnership to other law enforcement and government agencies in which those partners can share biometric data, such as fingerprints, with the CIA.

The CIA does this by providing a predefined hardware, operating system and software package to its liaison partners.  It also supports those systems.

Since the program is voluntary, the CIA likely did not get all of the biometric data each partner agency had collected, so it got creative.

Since the CIA "supports" these systems for its partners, it sends a technician to update the system from a flash drive.  Only that update also installs the ExpressLane implant.

ExpressLane has two parts.  The first creates a hidden partition on the target system, used as a holding pen for the biometric data to be stolen.  The data is encrypted and compressed before being stored in the hidden partition.

The second part takes the data from the hidden partition and exfiltrates it by copying it to the flash drive the next time the technician comes to "maintain" the system.

This is only one of 21 releases WikiLeaks has made in the Vault 7 series, likely with more to come.

If this turns out to be true, and I suspect it probably is, then partners, especially those in other countries, are likely going to be less cooperative with the CIA and probably with all other federal law enforcement and justice agencies.  In that sense, WikiLeaks is doing significant damage to the U.S. Government.

One might think other governments should already have assumed the CIA is not trustworthy (after all, what the CIA was doing is likely NO DIFFERENT from what other countries do), but I am not sure other U.S. Government agencies would have made that same assumption.  Until now.

For the CIA, this is yet another damaging blow, probably not to its prestige (other than the fact that all of this has become public) but to its operational ability, as all of these tools become public.

SOME of the other leaks include:

  • DUMBO – a tool to hack webcams and microphones
  • IMPERIAL – a series of tools to hack Mac, Linux and Unix systems
  • HIGHRISE – a tool to steal information from phones and exfiltrate it via SMS messages
  • ELSA – a tool to harvest location data from Windows laptops
  • CHERRY BLOSSOM – a tool to monitor Internet activity on targeted systems by exploiting bugs in Wi-Fi devices
  • WEEPING ANGEL – a tool to turn smart TVs into covert listening devices

And, many, many others.

What we do not know yet is how many MORE leaked documents WikiLeaks will publish, or where they are getting them.  Two likely candidates are rogue employees and nation state actors like Russia and China.  The CIA has not, that I am aware of, given any indication of the source of the leaks, although I am sure they are trying hard to figure it out and may know already.

In my opinion, rogue employees seem less likely, but who knows.  What is VERY SCARY is if the Russians or Chinese have infiltrated the CIA and are still there.  I am pretty comfortable that the CIA is more concerned about this possibility than anyone and is working very hard to figure out whether that is in fact what happened.

Of course, they may never tell us what they find unless they decide to prosecute someone for espionage.

Information for this post came from The Hacker News.

A New Reality in the World of Connected Things

I have come to a realization that I am not very fond of, but in the contest of security vs. convenience, security has to prevail.

As we have more and more smart things around us, from dishwashers to smartphones, we need to consider whether the manufacturer and/or distributor is committed to our security.  This comes out of a conversation I had with Verizon and LG Electronics today, which I will briefly recount below.

I have a moderately new Android phone, not even two years old, and I stopped getting patches in June.  In a conversation with Verizon today, even after escalating the call three levels up, it became clear that they couldn't care less about security.  The first two levels couldn't even comprehend my question about why I wasn't getting security patches.  The third level blamed LG.

When I contacted LG, they tried to blame Google, even though Google has released patches for the version of Android I am running each and every month.  Patches that, apparently, LG is not shipping.

It is also important to understand that this is not limited to phones, or to tablets.  It applies to any "smart" Internet-connected device.  As an example, when GE came to repair my dishwasher, the tech was not allowed to close the repair ticket until he had patched the dishwasher.  Of course, if the dishwasher hadn't broken it would not have been patched, but at least it is a start.

So here is the realization.

IF you or your company is concerned about security, then security should be one of the criteria used to eliminate vendors from consideration.

If a vendor does not commit in writing to provide patches for what you consider the life expectancy of the device, then THAT VENDOR SHOULD BE ELIMINATED FROM CONSIDERATION.  Then you pick from among the vendors still in the running.

Up until now, security has not been a selection criterion, never mind an elimination criterion.

And this applies just as much to dishwashers as to phones.

For both phones and dishwashers, the unpopular part is that we may have to REPLACE devices that still work but are no longer being patched by the vendor.  The alternative is to completely isolate the device, disconnect it from the Internet, or remove any sensitive information from it.  That won't work very well for a phone, for example.

If you choose to completely isolate it from every other device, which is certainly an option, it may not be able to perform the functions it needs to.  If all the device needs is access to the Internet, then it is pretty easy to isolate it from everything else; but if it needs to interact with, say, a copier or a file server, then isolation is much harder and the patching question comes back into play.

Specifically for phones, if patches are the issue, then Apple wins hands down.  An iPhone 5s, released in 2013, is still being patched.  My two-year-old Android phone is at the edge of its useful life because of patches.  Or the lack thereof.

Remember that when the next big bug comes out, like BroadPwn (the remotely exploitable bug in Broadcom Wi-Fi chips), if your phone is not being patched, the attackers have all the advantage.  They can compromise the device, steal all the information on it (which this week seems to include, once again, nude pictures of celebrities) and from there infect the company network(s) it is attached to.

If you are not an Apple fan, then on the Android side Google wins hands down.  Even if it is not as good as Apple, it is better than most.  Google has committed to providing version updates for two years after a phone is RELEASED and security patches for three years.  Three years is not as good as four or five, but it is better than most.
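A concrete way to check whether an Android device is still being patched: the `ro.build.version.security_patch` property that `adb shell getprop` prints is the date of the Android security bulletin the build includes, and Google publishes one every month.  The example below is added here and is not code from the page or from Google.  It parses constructed `getprop` output (the property names are real, the values are made up) and reports how many monthly bulletins the device is behind.  The three-month tolerance is an assumption that allows for normal OEM and carrier lag; a phone that is further behind than that has, in practice, stopped being patched.

```python
"""
Added example (not from the page): judge whether an Android device is still
receiving security patches, from the properties `adb shell getprop` prints.

Assumptions: the sample output is constructed (real property names, made-up
values), and being more than 3 monthly bulletins behind is treated as
evidence that patches have stopped.
"""
import re
from datetime import date
from typing import Dict, Optional, Tuple

# Constructed sample of `adb shell getprop` output. The format (bracketed
# key/value pairs, one per line) is what getprop prints.
GETPROP_SAMPLE = """\
[ro.build.version.release]: [7.0]
[ro.build.version.security_patch]: [2017-06-01]
[ro.product.manufacturer]: [LGE]
[ro.product.model]: [example-model]
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.M)
MAX_MONTHS_BEHIND = 3  # assumed tolerance for OEM/carrier lag


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn getprop's bracketed lines into a dict of property -> value."""
    return dict(PROP_RE.findall(text))


def _year_month(iso_date: str) -> Tuple[int, int]:
    year, month = iso_date.split("-")[:2]
    return int(year), int(month)


def months_behind(patch_level: str, today: str) -> int:
    """Whole months between a YYYY-MM-DD patch level and today (YYYY-MM-DD).
    Android bulletins are monthly, so this is the number of bulletins missed."""
    (py, pm), (ty, tm) = _year_month(patch_level), _year_month(today)
    return (ty - py) * 12 + (tm - pm)


def patch_status(getprop_text: str, today: Optional[str] = None,
                 max_months: int = MAX_MONTHS_BEHIND) -> Dict[str, object]:
    """Classify a device as 'current' or 'unpatched' from its getprop output."""
    today = today or date.today().isoformat()
    props = parse_getprop(getprop_text)
    device = (f"{props.get('ro.product.manufacturer', '?')} "
              f"{props.get('ro.product.model', '?')}")
    level = props.get("ro.build.version.security_patch")
    if not level:
        # Builds older than the monthly bulletin program (2015) have no patch
        # level at all; those are certainly not being patched.
        return {"device": device, "patch_level": None,
                "months_behind": None, "status": "unpatched"}
    behind = months_behind(level, today)
    return {"device": device, "patch_level": level, "months_behind": behind,
            "status": "current" if behind <= max_months else "unpatched"}


if __name__ == "__main__":
    # In real use: adb shell getprop > props.txt, then feed that file in.
    print(patch_status(GETPROP_SAMPLE))
```

On a fleet, the same check run against each device's `getprop` output (or the equivalent field from an MDM inventory) turns "is this vendor still patching?" from a support-call argument into a number you can put in a spreadsheet next to the vendor's written commitment.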

When we add other connected devices such as IoT devices into the mix, it becomes even more complicated.  Many IoT devices require network access, and on most personal (home) networks there is no easy way to isolate them from sensitive devices like laptops.

So, I think there are two conclusions here –

  1. Security needs to be a primary consideration when choosing a vendor.  I have decided that my next phone will be a Google phone, even though it may not be the sexiest phone around.  And,
  2. When it comes to both HOME and small business networks, we need to figure out a way to isolate the devices we don't trust from the rest of the network.  It is way too hard right now.  At home, I have two physically separated networks with two separate Internet connections from two different providers, but how many people will go to that level of effort and expense?  Not many!

No source for this post – just me ranting 🙂  !