
Dell, Lenovo, AOL and Shodan Make Life Easy For Hackers and Foreign Intelligence Services

Here is an interesting group of vulnerabilities that make life easy for hackers and the Chinese (or Russians, or Ukrainians or pick your country).

  1. Dell has a couple of features in Dell Foundation Services.  One allows an unauthenticated user to get the Service Tag (Dell’s version of a serial number) over the network.  With that, you can go to Dell’s web site and get the complete hardware and software configuration of the computer – useful to hackers, intelligence agencies and scammers.  Another bug allows an attacker to remotely execute Windows WMI commands, which give access to the system configuration, including running processes and the file system, and allow programs to be run remotely.  Dell’s service runs on port 7779 and provides a SOAP interface – for ease of exploit.  Err, ease of use.
  2. Lenovo has a bug in Lenovo Solution Center.  It listens on port 55555 and allows an attacker to remotely execute any program – with SYSTEM privileges – based on a whole series of flaws described in the article below.  This could also allow a local attacker to execute programs with more privileges than the user has.

Both of these, most likely, are done to make support easier for either the vendor or enterprise users – without regard to the security consequences.

In theory these ports should be closed from the Internet – but not always – read below.  Still, if an attacker gets onto your local network some other way, this is an easy way to expand the attacker’s foothold in your network.
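One practical check for a Windows administrator is to see whether these two vendor listeners are actually bound on a machine, which process owns them, and to block them at the host firewall. This is an added example, not code from the post or from Dell or Lenovo; the port numbers come from the post, while the service display-name patterns are assumptions that may need adjusting.

```powershell
# Added example (not from the original post): audit a Windows host for the
# vendor support listeners discussed above and block them from the network.
# Ports are from the post; the service display-name patterns are assumptions.
# Run from an elevated PowerShell session.

$ports = @{ 7779 = 'Dell Foundation Services'; 55555 = 'Lenovo Solution Center' }

# Is anything listening on these ports, and which process owns the socket?
foreach ($port in $ports.Keys) {
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Output "Port $port ($($ports[$port])): not listening"
        continue
    }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        # A bind to 0.0.0.0 or :: means the service is reachable from the
        # network, not just from the local machine.
        $scope = if ($l.LocalAddress -in '0.0.0.0', '::') { 'ALL INTERFACES' } else { $l.LocalAddress }
        $msg = "Port {0} ({1}): listening on {2}, process {3} (PID {4})"
        Write-Output ($msg -f $port, $ports[$port], $scope, $proc.ProcessName, $l.OwningProcess)
    }
}

# Services whose display name matches the vendor tools (patterns are assumed).
Get-Service |
    Where-Object { $_.DisplayName -like '*Dell Foundation*' -or $_.DisplayName -like '*Lenovo Solution*' } |
    Select-Object Name, DisplayName, Status, StartType

# Block inbound TCP connections to both ports on every firewall profile,
# unless a rule with the same name already exists.
# Remove-NetFirewallRule -DisplayName <name> undoes this.
foreach ($port in $ports.Keys) {
    $name = "Block vendor support listener TCP $port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
        Write-Output "Created firewall rule: $name"
    }
}
```

The firewall rules only stop network access; if the support software is not needed, disabling or uninstalling the service removes the local privilege escalation path as well.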

  3. AOL Desktop, an absolutely antique piece of software from the early 1990s, is still being run by some users.  It was an early attempt to access the web in a graphical fashion when the only connectivity users had was slow dialup.  It uses a proprietary language called DFO which allows AOL’s servers to execute functions remotely on a user’s desktop.  Given this was written more than two decades ago, no one thought about requiring authentication, and it does not use SSL to protect the data stream.  This means that all an attacker needs to do is find a system that is still running this antique, and they can own it in a heartbeat.

Potentially, attacks from the outside should be mitigated by the user’s firewall, but apparently not always.

John Matherly of Shodan, the search engine for Internet of Things attacks, did a quick search to see if he could find systems that responded.  For the Dell feature, he found around 12,800 webservers that responded on that port.  Of those, about 2,300 are running software that looks like it is from Dell.  He ran a quick script and was able to collect about 1,000 Dell service tags.  He didn’t try this for the other exploits – as far as I know.

Quickly.

Obviously, we did not know, until now, about these wonderful Dell, Lenovo and AOL features.  That doesn’t mean that hackers and foreign (or domestic) intelligence agencies didn’t know about them.

Why bother with really obscure and hard attacks to get into the computers you want when you can just, basically, walk in the front door?

The big question is how many more of these features exist that we have not found.

And since manufacturers have no liability as a result (other than getting a little bad press that blows over quickly), they have no incentive to do things securely.  And also, since they don’t even tell you that they are doing it, you as a user cannot make an educated decision as to whether you want the manufacturer’s “help” in this manner.

Soooooo, HOW MANY MORE FEATURES ARE THERE?  Features that are here today or will be here tomorrow, as vendors try to help users without considering the security implications.  This is just from a quick round up of the news that I happened to hear about today.


Information on the Shodan search can be found here.

For information on the Dell feature, go to LizardHQ.

For information on the Lenovo feature, go to PC World.

CIA Chief’s Personal Email Hacked – Are You Surprised?

Wired and other media are reporting that the head of the CIA, John Brennan, had his personal email account hacked.  The hacker, a teenager, talked to Wired about how he did it.  It points to general weaknesses in the security of commercial online services that you should understand.

It is less of a surprise that Brennan’s commercial, consumer email account (it was an AOL account) was hacked than what he had in it.

Some details:

  • First, the fact that it was an AOL account.  Probably an indication of his age.  Hopefully, not an indication of his technical sophistication.
  • The hackers (apparently, it was a team effort) posed as Verizon technicians and were able to socially engineer Verizon customer service out of his account number, PIN, backup mobile phone number, email address and last 4 digits of his bank card number.  The fact that they were able to do that is not a surprise, but it should be a concern.  It suggests that the security processes most commercial providers use are “somewhat lacking”.
  • Once they had that information, they went to AOL, impersonating Brennan, and said they were locked out.  Using the information they got from Verizon, they got AOL to reset the password.  Unfortunately, password resets are relatively easy to get them (meaning all consumer online providers) to do.
  • Brennan, for some pretty strange reason, had a number of sensitive, but likely unclassified, documents stored in his AOL account – his government security clearance form, which contains an identity thief’s dream information, a spreadsheet containing names and Social Security numbers of people who may be intelligence agents, and other files.  That he would store this information in a public, commercial, consumer information service makes me nervous.
  • Brennan attempted to recover his account and the hackers stole it again.  Apparently, 3 times.
  • Brennan finally deleted his account.

So what does this tell you?

First, don’t trust commercial, consumer online services not to be socially engineered.  Unfortunately, commercial business class services are not much better.

Second, don’t trust those services’ security.  If you are using them for something sensitive, you need to make sure that you overlay your own security (such as encryption with you controlling the keys).

If you are a business, sometimes you can negotiate additional security with online service providers – you can always ask.

While the CIA is not confirming that this is real, there are a number of media sources reporting it and the CIA is not denying it, so it has some credibility.  The files date back to 2009, so it is possible that Brennan had forgotten it existed.

For the nation’s head spy, this is a bit embarrassing.


Information for this post came from Wired.