Researchers Find 20 Bugs in Samsung IoT Controller

In the ongoing saga of IoT security (The score is bad guys: a whole bunch, good guys: not very many), the bad guys continue to win.

Researchers analyzed Samsung’s house management hub called SmartThings and found 20 problems.

The researchers, part of Cisco, said that the attacks are complex and require the attackers to chain different bugs together, but that doesn’t lessen the severity.

The Samsung SmartThings hub supports a variety of protocols allowing it to control a wide range of devices.  Some of the devices it can control include lightbulbs, doorbells, smart locks, smart plugs and many others.

But that ability is also the problem.

If you can hack the SmartThings hub, then you could turn off alarm sensors, unlock the door to the house or spy on the homeowner by taking over the security cameras.

Given that possibility, what could go wrong?

So what should an IoT early adopter do?

The first thing is for you to understand that as an early adopter you are blazing new paths and some of those paths will be dead ends.  Personally, I have bought and replaced many different IoT devices.

Second, you should consider the risk prior to purchasing and using any IoT devices.  For example, it is far less risky to control your lightbulbs than your front door lock.  If you are risk tolerant you may be okay with the risk from the smart door lock, but if you are less risk tolerant, you may not be.

Next, ONLY purchase IoT devices from vendors that have an active cyber security program.  All IoT devices will need patches.  If the vendor doesn’t actively create patches, then the bad guys will win.  You also want devices that automatically download and install the patches when released.  Samsung says that they have already patched every device operational in the field.  That is what you want.

Finally, stay tuned to the security news in the IoT arena.  If you are going to be an early adopter, you need to be informed.  When things are stable and mature you can be less concerned.  When there is a new attack every day – you have to be proactive.

Be smart.  Be informed.  Then make decisions.

Information for this post came from Threatpost.


Land Rover Telematics Not Secure – Gee, I Am Surprised

While I have written about this in general before, this item is specific to the Land Rover and its “Discovery” model.  If this is a surprise to you, it should not be.

If you buy a used Land Rover, it is possible (likely) that the previous owner can still control your car through the Land Rover app or web site.

In *THEORY*, if you trade your Land Rover to an *AUTHORIZED* dealer, they are supposed to reset the telematics module to disconnect the previous owner.  That does not always happen.

In addition, in the case of a private sale or a sale through a used car dealer, that probably never happens.

When the writer of the article linked below tried to link his newly acquired used Land Rover to the app, it said it was still connected to the previous owner.

That previous owner could unlock the car, adjust the climate and, using the nav system, see where he had gone and where he currently was.

Land Rover’s call center is apparently not trained to deal with it because they told him to find the previous owner.  Sure!  Right!

After the Register contacted Land Rover’s press office, sensing a PR disaster, they said that they could have handled it better.

They did say that he could take the car to the dealer and the dealer would reset it.  Probably for a not-so-nominal fee, but they did not address that.

So, as a buyer of a used car, what do you need to do?

First of all, hopefully, if the car is a new car from the dealer, this should not be a problem.  This is only a problem with used cars.

If you buy a used car from a dealer, at the time of sale you should ask the dealer to confirm that they have reset the telematics.  To be safe, you can get the dealer to help you download the app and connect the car to the app.  That way if the dealer is lying, you can call him on it right then, right there.

If it is a private party sale, you can ask the seller if he released the car from the app, but again, the best way to do it is to download the app while the previous owner is still within arms length and you can strangle him (figuratively, please).

One other note.

With laws like the EU’s General Data Protection Regulation and California’s Consumer Privacy Act, it is likely completely illegal for the car’s manufacturer to continue to collect data after the car is sold on the used car market.  After all, even if the first buyer granted the manufacturer permission to collect data, the second buyer almost certainly did not, and both laws have very explicit requirements for how the disclosure and opt-in/opt-out language has to read.  I think the courts will side with the used car buyer, saying that the manufacturer did not provide “clear and conspicuous notice”.  Expect a nice, juicy class action soon.

Information for this post came from The Register.


Security News Bites for the Week Ending July 28, 2017

Zip Slip Vulnerability Affects Thousands of Projects

Researchers discovered a flaw in almost all zip-style file decompressors – RAR, TAR, 7ZIP, APK and others.

The problem is caused by a very old attack vector called directory traversal that these libraries do not handle correctly.

The decompressor libraries were likely downloaded from places like Github and Stack Overflow and developers used them in thousands of projects used by millions of users without a clue that the vulnerability has existed for years, maybe decades.

And, likely, most of those developers are completely blind to the fact that their software is vulnerable due to a software supply chain issue – assuming they are even still involved with those software projects.

The software supply chain is the Achilles’ heel of the entire industry and the industry is not doing much to fix it.  (Source: Bleeping Computer)
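To make the directory traversal problem concrete, here is an added example (not code from the post or from any of the affected libraries) that builds a small constructed zip archive with a `../` entry name, shows where an unchecked join would write it, and extracts only entries that still resolve inside the destination directory; the function names and sample entries are my own.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry plus two hostile names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../../outside.txt", "would land outside the target\n")
        zf.writestr("/etc/absolute.txt", "absolute entry name\n")
    return buf.getvalue()

def naive_target(dest: str, name: str) -> str:
    """What an unchecked decompressor effectively does: join and normalise."""
    return os.path.normpath(os.path.join(dest, name))

def is_safe_entry(dest: Path, name: str) -> bool:
    """True only when dest/name still lies inside dest after resolution."""
    if os.path.isabs(name) or "\\" in name or "\x00" in name:
        return False
    root = dest.resolve()
    candidate = (root / name).resolve()   # collapses any ../ segments
    return candidate == root or root in candidate.parents

def safe_extract(data: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract validated entries only; return (written, rejected) names."""
    dest_path = Path(dest)
    dest_path.mkdir(parents=True, exist_ok=True)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(dest_path, info.filename):
                rejected.append(info.filename)
                continue
            target = dest_path / info.filename
            target.parent.mkdir(parents=True, exist_ok=True)
            if not info.is_dir():
                target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written, rejected

def demo() -> dict:
    """Extract the sample into <tmp>/a/b and report whether anything escaped."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "a", "b")
        written, rejected = safe_extract(build_sample_zip(), dest)
        return {
            "written": written,
            "rejected": rejected,
            # the naive join would have placed the file at <tmp>/outside.txt
            "naive_escapes": not naive_target(dest, "../../outside.txt").startswith(dest),
            "file_escaped": os.path.exists(os.path.join(tmp, "outside.txt")),
        }
```

The same check applies to tar, jar and other archive formats: validate the resolved path of every entry against the extraction root before writing, rather than trusting the entry name.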

NSA Forms Group to Counter Russian Threat in Cyberspace

In what would appear to be a difference of opinion with his boss, the head of the NSA has created a special task force to address Russian threats in cyberspace.  The Washington Post reported that the NSA and its sister Cybercom will collaborate against Russian threats to the security of the U.S. midterm elections – a threat which his boss, the President, has said does not exist any more, if it ever did.  The President has called the threat fake news many times.  It would appear that General Nakasone has a difference of opinion with his boss.  Source: Bloomberg

Level One Robotics Leaves Tens of Thousands of Sensitive Docs Unprotected

Canadian robotics vendor Level One is the most recent vendor to leave tens of thousands of sensitive documents – apparently including non-disclosure agreements – belonging to multiple automakers, including Tesla, Toyota and Volkswagen, unprotected online.  The material includes documents from over 100 companies and includes blueprints, factory schematics and other materials.

The data was found by Chris Vickery of UpGuard.  Chris has found dozens of unprotected data sets just in recent months, usually on Amazon.  Chris DOES NO HACKING.  All he does is walk around the digital neighborhood jiggling doorknobs, looking for ones that are unlocked.  In this case, the material was an unprotected backup – 157 gigabytes of data made up of over 47,000 files.  If hackers found it before Chris did, and they may have, they are likely celebrating.  That quantity of data on the design of cars and car assembly could give them a significant advantage in hacking into automobiles from a wide range of companies.  Source: NY Times

Federal Officials Tell WSJ That Ruskies Have Already Hacked the US Power Grid

The Department of Homeland Security reported Monday that hackers, working for Russia, hacked into the US power grid as early as 2013 and are likely still inside the grid with the ability to turn off the lights.  DHS says there were likely hundreds of victims and one of the attack vectors is compromising trusted vendors of the power companies (third party vendor cyber risk management).  Homeland Security said that some of the power companies don’t know that they have been hacked (why not – don’t their telephones work?).  Maybe that will be a topic of discussion when Putin visits President Trump in the White House this fall.  For all businesses, if you do not have an aggressive vendor cyber risk management program already, now is the time.  Source: CNET

Russian Hackers Attack Senator Claire McCaskill

Reports have surfaced today that Russian intelligence agency GRU attacked the re-election campaign of Senator Claire McCaskill of Missouri.  The Senator says that the attack was not successful.  McCaskill is a vocal opponent of Russia.  This is happening as the President continues to say that Russia is not hacking us and before the campaign season really warms up.  Source: The Daily Beast


Homeland Security Warns of Enterprise Systems Hacking

Enterprise Resource Planning (ERP) systems are quickly becoming a popular target of hackers.  It used to be that these systems were on private networks behind firewalls, but as companies move to the cloud and include their vendors and subcontractors in their ERP systems, the systems are becoming more public.

More public means easier to hack.

Two of the major ERP vendors are Oracle and SAP.  These systems can be incredibly complex and incredibly expensive.

But also incredibly easy to hack.

Oracle, for example, patched a record 334 vulnerabilities in the July 2018 patch release.

Patches may not be available if companies are running an older version of the software.

Even if a company is running the current version of the software, installing patches to fix 334 bugs is always risky, so companies often do not install the patches, either ever or for a long time.  Often months, which is plenty of time for hackers to use those bugs to work their way into a company’s system.

Hacking into a company’s ERP system could give hackers access to a company’s  finances, plans, designs, production schedules, inventory, customers and a whole range of other information.

So what should a company be doing?

For EVERY SINGLE PUBLIC FACING system, you need to make sure that patches are being installed on a timely basis.  The more severe the bug, the quicker the patches need to be installed.  Hackers will start targeting systems within 24 hours of a patch being released, so waiting 30 days, for example, to install patches may be a greater risk than the possibility of the patch causing an outage.

And, there are ways to mitigate the risk of failure due to an errant patch.

Second, run third party penetration tests against all of your publicly facing servers at least once a year.  For sensitive servers, run the tests more often.  It will cost some money, but so will losing sensitive company information to competitors or the Chinese.

Run vulnerability scans on all servers at least monthly to find missing patches and potential vulnerabilities.

While ERP systems may be popular attack targets today, any public facing server is a target.  As we saw in the 2013 Target Stores breach, an attack on a vendor management portal led to the loss of 100 million credit card numbers.

It is important to understand that it does not matter whose capital paid for the server that is running the software.  If it is in the cloud and therefore technically owned by a cloud service provider like Amazon or Microsoft, it is still a target.

Information for this post came from Bleeping Computer.


U.S. Election System Under Attack

O P I N I O N

Christopher Krebs, the Undersecretary for the National Protection and Programs Directorate (NPPD) of DHS, said individuals’ voting rights were safe despite persistent attacks on the voting infrastructure.

He said that, by law, if you show up to vote and there is a problem with your registration, you have the right to request a provisional ballot.  It can take time and be disruptive, but if you are persistent, you can get a ballot.

Krebs says that they haven’t seen as persistent an effort by the Russians to compromise this year’s election as they saw in 2016 – that statement by itself seems at odds with what his boss, the President has said.

DHS is planning to launch an initiative to manage the risk.

I agree that if you are willing to create a scene, you can get a provisional ballot, but is that really where the risk is?

Certainly, it is possible that an attacker could try to delete voters from the voting rolls, but that seems like a hard way to affect the outcome of the election.  After all, how do you know how that voter will really vote?

Much more likely, and not mentioned by Krebs since DHS isn’t doing much about it, are attacks on campaigns’ web sites and on the email of candidates and their teams.  When the President says that there is no evidence that Russian interference in 2016 changed any votes, I have no idea how he can prove that.  If what he means is that the Russians didn’t cast any fraudulent ballots one way or the other on behalf of a voter, I believe that.

If, however, he means that the relentless social media attacks for and against different candidates, illegally funded by Russian-controlled front companies recently indicted by the federal government, didn’t change people’s choices as to who to vote for, that is completely unprovable and likely just wrong.

For the last year and a half DHS has not processed the security clearance requests of state and local voting officials so that they can receive classified intelligence.  A few officials have gotten their clearances, but many more have not.

All in all the administration is picking and choosing their talking points to make things look better.  Overall, they have done very little to improve the situation as compared to 2016.

When Krebs said that they have not seen Russian interference at the levels of 2016 this year, he should have added the word YET.  This is still early and likely the Russians will increase their efforts in that direction.

I have no clue which side they plan to attack; but whichever side it is, it will be to further their own interests, not ours.

Stay tuned, this is far from over and we don’t have an effective strategy to counter it.

Information for this post came from FCW.


Lessons From LabCorp

As I wrote last week, LabCorp, the mega medical lab testing company (mega as in revenue around $10 billion last year) was breached, and they have provided some interesting insights, since they have been forced to detail to the SEC some of what happened last week when they had to shut down large parts of their network unannounced, putting a stop to testing of lab samples, both in house and on the way.

From what we are gleaning from their filings, they were hit with a ransomware attack, likely a SamSam variant which seems to have an affection for the healthcare industry.

They claim that their Security Operations Center was notified, we assume automatically, when the first computer was infected.

That, by itself, is pretty amazing.  I bet less than one percent of U.S. companies could achieve that benchmark.

Then, they say, they were able to contain the malware within 50 minutes of the first alert.  That too is pretty amazing.  In order to do that, you have to know what you are dealing with and how it spreads.  Then you have to figure out which “circuit breakers” to trip in order to contain the malware.  The City of Denver was hit with a Denial of Service attack a couple of years ago and it took them, they say, a couple of hours to figure out how to disconnect from the Internet.  That is more typical than what LabCorp was able to do.

The attack started at around midnight, of course, when the least number of people were around to deal with it.  If you factor that into the 50 minute containment time, that is pretty impressive.

However, in that very short 50 minute interval, 7,000 systems were infected including 1,900 servers.  Those numbers are not so good.  Of the 1,900 servers, 300 of these were production servers.  That is really not so good.

One of the attack vectors of SamSam is an old Microsoft protocol called Remote Desktop Protocol, or RDP.

RDP should never be publicly accessible (we don’t know whether it was here), and where it is used internally it should be severely limited and, where it is needed, it should require multifactor authentication.  While we don’t know, it is likely that this was the attack vector and that they did not have multifactor authentication turned on.  Hopefully, as part of their lessons learned, they will change that.

Within a few days they claimed they had 90% of their systems back.  It is not clear whether that is 90% of 7,000, which would be quite impressive or 90% of 300, which would be much less impressive but still good.

So what are the takeaways from this?

These conclusions are based mostly on what we can interpret, since they are not saying much.  This is likely because they are afraid of being sued and also what HIPAA sanctions they might get.

  • They seem to have excellent monitoring and alerting since they were able to detect the attack very quickly.
  • They also must have a good security operations center since they were able to identify what they were dealing with and contain it within 50 minutes.
  • On the other end of the spectrum, the malware was able to infect 7,000 machines including some production machines.  They probably need to work on this one.
  • Assuming RDP was the infection vector, that should not have happened at all – they lose points for this one.
  • They were able to restart a significant number of machines pretty quickly so it would appear that they have some degree of disaster recovery.
  • On the other hand, given that they had to shut down their network and stop processing lab work, it says that their business continuity process could use some work.
  • Finally, they claim that they were able to KNOW that none of the data was removed from the network.  I would say that 99% of companies could not do that.

Overall, you can compare how your company stacks up against LabCorp and figure out where you can improve.

Using other companies’ bad luck to learn lessons is probably the least expensive way to improve your security.

I suggest that this is a great breach from which to learn lessons.

Information for this post came from CSO Online.
