Category Archives: Technology

DSL router patch merely hides backdoor instead of closing it

DSL router owners got an unwelcome Christmas present. Now, the same gift is back as an Easter egg. The same security researcher who originally discovered a backdoor in 24 models of wireless DSL routers has found that a patch intended to fix that problem doesn’t actually get rid of the backdoor—it just conceals it. And the nature of the “fix” suggests that the backdoor, which is part of the firmware for wireless DSL routers based on technology from the Taiwanese manufacturer Sercomm, was an intentional feature to begin with.

Back in December, Eloi Vanderbeken of Synacktiv Digital Security was visiting his family for the Christmas holiday, and for various reasons he had the need to gain administrative access to their Linksys WAG200G DSL gateway over Wi-Fi. He discovered that the device was listening on an undocumented Internet Protocol port number, and after analyzing the code in the firmware, he found that the port could be used to send administrative commands to the router without a password.

After Vanderbeken published his results, others confirmed that the same backdoor existed on other systems based on the same Sercomm modem, including home routers from Netgear, Cisco (both under the Cisco and Linksys brands), and Diamond. In January, Netgear and other vendors published a new version of the firmware that was supposed to close the back door.

However, that new firmware apparently only hid the backdoor rather than closing it. In a PowerPoint narrative posted on April 18, Vanderbeken disclosed that the “fixed” code concealed the same communications port he had originally found (port 32764) until a remote user employed a secret “knock”—sending a specially crafted network packet that reactivates the backdoor interface.

The packet structure used to open the backdoor, Vanderbeken said, is the same used by “an old Sercomm update tool”—a packet also used in code by Wilmer van der Gaast to “rootkit” another Netgear router. The packet’s payload, in the version of the backdoor discovered by Vanderbeken in the firmware posted by Netgear, is an MD5 hash of the router’s model number (DGN1000).

The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware and not just a mistake made in coding. “It’s DELIBERATE,” Vanderbeken asserted in his presentation.

There are some limitations to the use of the backdoor. Because of the format of the packets—raw Ethernet packets, not Internet Protocol packets—they would need to be sent from within the local wireless LAN, or from the Internet service provider’s equipment. But they could be sent out from an ISP as a broadcast, essentially re-opening the backdoor on any customer’s router that had been patched.

Once the backdoor is switched back on, it listens for TCP/IP traffic just as the original firmware did, giving “root shell” access—allowing anyone to send commands to the router, including getting a “dump” of its entire configuration. It also allows a remote user to access features of the hardware—such as blinking the router’s lights.

Just how widely the old, new backdoor has been spread is unknown. Vanderbeken said that because each version of the firmware is customized to the manufacturer and model number, the checksum fingerprints for each will be different. While he’s provided a proof-of-concept attack for the DGN1000, the only way to find the vulnerability would be to extract the filesystem of the firmware and search for the code that listens for the packet, called “ft_tool”, or the command to reactivate the backdoor (scfgmgr -f).
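The paragraph above says the only reliable way to tell whether a given firmware build carries the hidden backdoor is to extract its filesystem and look for the listener binary name and the reactivation command. The script below is an added example (not from the Ars story, Vanderbeken’s presentation or any vendor) that does exactly that check on the defender’s side: it searches a byte blob, or every regular file under an extracted firmware tree, for the two indicator strings the article names. The sample blob at the bottom is constructed for demonstration; the directory layout and file names of a real extraction are whatever your unpacking tool produced.

```python
import os
import sys
from typing import Dict, List

# Indicator strings taken from the write-up: the binary that listens for the
# "knock" packet ("ft_tool") and the command that re-enables the backdoor
# ("scfgmgr -f"). The TCP port reported for the live backdoor is kept only as
# a reference constant for anyone correlating with a port scan of their own LAN.
INDICATORS = (b"ft_tool", b"scfgmgr -f")
BACKDOOR_PORT = 32764


def find_indicators(data: bytes) -> Dict[str, List[int]]:
    """Return {indicator: [byte offsets]} for every indicator present in data."""
    hits: Dict[str, List[int]] = {}
    for needle in INDICATORS:
        offsets = []
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            offsets.append(idx)
            start = idx + 1
        if offsets:
            hits[needle.decode("ascii")] = offsets
    return hits


def scan_tree(root: str, max_size: int = 64 * 1024 * 1024) -> Dict[str, Dict[str, List[int]]]:
    """Walk an extracted firmware filesystem and report which files contain indicators.

    Symlinks and files above max_size are skipped so a stray device node or a
    huge blob does not stall the scan.
    """
    report: Dict[str, Dict[str, List[int]]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if os.path.getsize(path) > max_size:
                continue
            with open(path, "rb") as fh:
                hits = find_indicators(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample standing in for one extracted binary: a fake ELF header,
# a path containing the listener name, then the reactivation command string.
SAMPLE_BLOB = (
    b"\x7fELF" + b"\x00" * 16
    + b"/usr/bin/ft_tool\x00" + b"\x00" * 8
    + b"scfgmgr -f\x00"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_fw.py /path/to/extracted/firmware/rootfs
        for path, hits in scan_tree(sys.argv[1]).items():
            print(path, hits)
    else:
        print("sample blob:", find_indicators(SAMPLE_BLOB))
```

A match is an indicator, not a verdict: the strings prove the code is present in that build, and the article’s point is that the patched firmware still contains it, merely dormant. A clean result on a firmware image you extracted yourself is the only negative this method can give, and only for the exact build you scanned.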

We attempted to reach Sercomm and Netgear for comment on the backdoor. Sercomm did not respond, and a Netgear spokesperson could not yet comment on the vulnerability. Ars will update this story as more details are made available by the device manufacturers.

(via Arstechnica.com)

Learning from history

Or not.

The plundering of the Internet of Things has commenced

From a command center in a non-descript high-rise here in the heart of Silicon Valley, security start-up Norse has been gathering shocking evidence of hackers usurping control of Internet-connected appliances, everything from web cams to climate-control systems.

This latest expansion of cybercrime revolves around the IP address assigned to each computing device connected to the Internet. Cybercriminals have begun capitalizing on the fact that many of the mundane digital devices we tie into the web are easy to locate and wide open to hacking.

“There’s only one way onto the Internet, and that’s through an IP address,” says Norse CEO Sam Glines. “The adversary just wants IP space to launch attacks and doesn’t really care if it’s a baby monitor or a server at a Fortune 1000 company.”

The bad guys are using automated programs to scan ranges of IP addresses for signs of vulnerable appliances. It’s often a simple matter to take control by installing a few lines of malicious coding.

A typical hack: traffic lights. Real screenshot, not fake.

Norse has devised innovative technology for monitoring such cyberattacks in real time. A tiny sampling of its data, extracted exclusively for CyberTruth, revealed 724 infected appliances actively carrying out fraudulent tasks.

The corrupted appliances included firewalls, routers, modems, printers, DVRs, surveillance cams, web cams, IP cameras, VPN appliances, VOIP phone systems, FM radio transmitters, storage drives, video conferencing systems and climate-control modules. One of the big things these corrupted devices are being used for: payment card fraud.

“We are seeing credit card transactions from baby monitors, DVRs, TVs, printers, medical devices, you name it,” says Tommy Stiansen, Norse founder and chief technology officer. “It’s coming from all types of industries and from homes.”

In a stunning demonstration, Stiansen clicked to the IP address for an activated ABS MegaCam, widely sold as a $220 baby monitor. The device was activated on the Internet by a resident of Glendale, Calif., who uses Charter Communications as an ISP.

Malicious software embedded on the web cam’s Linux operating system causes a live cam view of the homeowner’s living room to appear in the browser of anyone who clicks to the web cam’s IP address. During Stiansen’s demo, a woman and then a man enter the room and sit on a couch.

The bad guy who embedded the malware on the baby monitor probably doesn’t care much about snooping; the web cam’s computing power, instead, is being used to locate similar devices and help the attacker to control as many as 2,000 ABS MegaCams.

“This is happening at a large scale, and it’s growing hugely every day,” Stiansen says, “This is very powerful stuff, and the scariest part is this is only the tip of the iceberg.”

There’s clear logic behind methodically assembling digital appliances into niche networks, called botnets, under the control of a single operator.

Botnets have been the foundation of the cyber underground for more than a decade. Traditionally comprising infected personal and server computers, botnets are the engine that drives multibillion-dollar markets for spam, phishing, account hijacking, identity theft and denial-of-service attacks.

Norse’s findings show how the advance guard of cybercriminals has begun pulling digital appliances into botnet service because, at the moment, it’s easy to do so.

Norse notifies proper entities about problems. However, sheer numbers of issues make it impossible to notify everyone, says Glines. The company is working on processes to extend notifications. For the moment, there is no broad-based effort at defense, beyond what individual organizations are doing to protect themselves.

The Internet of Things has proved trivial to hack as the U.S. tech industry puts new consumer technologies on a fast track to store shelves, sometimes with meager quality control or accounting for security and privacy.

That trait is coming to the fore as the tech giants race to profit from the rising popularity of mobile devices and Internet-delivered services. Meanwhile, the cyber underground continues to mature into a smooth-running global industry that’s quick to pounce on fresh opportunities.

“Competitive struggles force manufacturers into early release cycles, networks are becoming increasingly complex, and the complexity is hard to overcome,” Stiansen says. “Meanwhile, hackers use social crowds to build hacker communities that allow them to move under the radar.”

Stiansen grew up tinkering with computers on a Norwegian farm, which led him to a career designing air-traffic control and telecom-billing systems. After immigrating to the U.S. in 2004, Stiansen began thinking about a way to gain a real-time, bird’s-eye view of the teeming world of botnet activity.

What he eventually came up with is IPViking, a globe-spanning network of millions of physical and virtual sensors — or honeypots — dispersed through 160 data centers in 40 countries. Each pot appears to be an Internet-connected web cam, router or other appliance — irresistible honey to hackers.

When an intruder tries to take control of a Norse honeypot, Norse grabs the attacker’s IP address and begins an intensive counterintelligence routine. The IP address is fed into automated programs, called web crawlers, that scour the bulletin boards and chat rooms where hackers congregate for snippets of discussions tied to that IP address.

Analysts also do manual research to construct a dossier on the attacking IP. Norse delivers this intelligence to its clients, which include large financial institutions. The companies are then able to cut off communications from suspicious IP addresses and be on the lookout for derivative attacks. Source 

Related posts: Shodan.

Steve Ballmer gone, Project F.A.R.T. Started

We will miss Steve, sure, but a new Microsoft development overshadows the news: Project F.A.R.T. (Fixing A Retarded Technology). The goal of Project F.A.R.T. is to make Windows 9 as fast and reliable as the competition.

Thanks to a leak within the MS organization I got hold of the official Developer T-shirt. I wonder if I have to wash it first.

Arachnophobia? Then this is not for you.

More information: http://www.robugtix.com/

Cheap ammo for the AR15

You can pull the trigger 15.000 times with one cartridge. Only $43.42!

Gadget of the week: Casio AL190WD-1AV

Forget the model number – it’s impossible to memorize. What Casio resurrected from the dead is a battery-less retro watch that’s powered by the sun, artificial light or other sources of natural light. Its large solar panel collects enough light to power such useful functions as a stopwatch, countdown timer and 5 alarms. Silver stainless steel band digital watch with a neutral face.

  • Solar powered
  • 1/100-second stopwatch
  • Countdown timer
  • 5 alarms
  • 50-meter water resistance

While the bracelet is metal, the case is made of resin and painted to resemble metal. This finish will probably wear off quickly, but who cares: the watch is dirt cheap. A little bit of shopping will land this model in your shopping basket for about $20.

I must say: so far the watch works as advertised. It takes a while to charge the built-in capacitor, but once fully charged the watch can run up to 14 days without having to expose it to light. A solar icon warns you when it’s time to get out of your man cave.

WiFi, a hacker’s dream

The average user doesn’t give WiFi security much thought. As far as they’re concerned, it’s just as safe as wired networks and that’s where the fun begins. I did a few experiments in order to find out if hacking into someone else’s access point is really that hard. This is a lengthy article, but I didn’t want to divide it into separate posts.

The basics
Let’s start with the basics. Wi-Fi (also spelled Wifi or WiFi) is a technology allowing electronic devices to exchange data wirelessly (using radio waves) over a computer network, including high-speed Internet connections. The Wi-Fi Alliance defines Wi-Fi as any “Wireless Local Area Network (WLAN) products that are based on the Institute of Electrical and Electronics Engineers’ (IEEE) 802.11 standards”. However, since most modern WLANs are based on these standards, the term “Wi-Fi” is used in general English as a synonym for “WLAN”. (more: Wikipedia)

Most modern routers come with an integrated wireless access point. It gives you a choice: connect cables to the integrated multi-port switch, use WiFi, or a combination of both. In my home both are used: desktops are wired, notebooks, smartphones and tablets use WiFi.

Security
When your access point is open (i.e. no password), everyone in range can use your Internet connection and peek into your internal network. That’s not a smart idea. Someone might abuse your connection to send threatening e-mails or download porn – and your IP address is attached to the messages and downloads. Your house might be raided by a SWAT team, and this actually happened not too long ago.

It is obvious you should protect your network to the best of your abilities. If you go into the Web interface of your router/access point, you will be presented with a number of options. Below a typical screen.

  1. Disable Security, no password. Bad idea, see above.
  2. WEP (Wired Equivalent Privacy). Bad idea too, can be hacked in minutes because the key is transmitted over the air in plain text at regular intervals.
  3. WPA/WPA2 (Wi-Fi Protected Access). Acceptable.
  4. WPA2/WPA2-PSK. Best option. The abbreviation PSK stands for Pre-Shared Key. You define the key (pass phrase) yourself and share it with others in the family. WPA2 can use AES encryption.

Do not use “WiFi Protected Setup”, an automated system which was invented to make setup easier for inexperienced users. In this system you press and hold a button on the router or access point to send the key to a new device. Because the key is transmitted over the air, it can be picked up.

OK, I did everything right. Am I still vulnerable?
Unfortunately the answer is “Yes”. Any signal transmitted over the air can be intercepted and inspected. Not too long ago hacking into WiFi was the domain of seasoned hackers, but times changed. Anyone can get hold of so-called sniffers and other tools to get into your system. A good example is Kali Linux, a cover-it-all distribution specifically designed to discover security flaws.

If someone is really committed, finding the right key is just a matter of time. I used some tools and tried to get into my own system. In order to mimic a real life situation, none of the devices present in my home network were protected in any way. I also shared a directory present on a Windows XP desktop, something commonly done.

To make it easier, my WiFi key was the shortest possible (8 characters), something many people think is just fine. It took a while, but I got in and could surf the Internet for free. After that I picked up my Android phone on which three special apps were installed. These apps are also available for the iPhone.

  1. Fing. This program scans a network, finds all devices, and shows supported protocols you can use to access them.
  2. AndSMB. This program is used to access shared files and directories on networks.
  3. AndFTP. This program uses the FTP protocol which is used by some devices.

This is what I could see and do:
– See all devices present in the network,
– Open, download, move, replace or delete files on any NAS or shared directory,
– Upload files (could be used to plant viruses or worms)
– Open ports in the router/firewall for later (ab)use

And more. If I had had a Samsung Smart TV, I could have gained control over it.

Scanning the network, 13 devices found, selecting the PLAYONHD media player

Scanning for protocols, selecting SMB

Selecting Samba client

No password needed, so the files can be erased.

And there’s the directory structure.

What can I do here apart from listening to the music?

Checking the shared directory on the IBM computer. Login with Guest/Guest. A password file, a passport scan, AMEX info. Nice!

Some prevention tips:

  1. Use the best security protocol and make the key as long as possible instead of only 8 characters
  2. Hide the SSID of your access point
  3. Avoid using wireless for financial transactions
  4. Password-protect shared devices and directories
  5. Limit access to your devices only based on their MAC Address
  6. Being paranoid is good. Switch off WiFi when there’s nobody home.
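Tip 1, together with the WPA2-PSK item in the security options list above, boils down to one question: how much work does a longer pass phrase actually add for someone guessing it? The script below is an added example, not part of the original post. It derives the WPA2-PSK master key the way IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations, 256-bit output), which is what makes every guess expensive, and then tabulates the size of the search space for a few pass phrase lengths and character sets. The guess rate `RATE` is an assumed placeholder for illustration only; the function and constant names are mine.

```python
import hashlib
import math

# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 rounds, 32 bytes).
# Because SHA-1 yields 20 bytes, a 32-byte output needs two PBKDF2 blocks, so each
# candidate pass phrase costs an attacker 8192 HMAC-SHA1 computations.
PBKDF2_ITERATIONS = 4096
PMK_BYTES = 32


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the Pairwise Master Key exactly as a client or access point computes it."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_BYTES,
    )


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct pass phrases of a given length over a character set."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy of a uniformly random pass phrase of that shape."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every pass phrase at an assumed guess rate."""
    return keyspace(length, charset_size) / guesses_per_second


# Character-set sizes used for the comparison: lowercase letters, letters+digits,
# and the full printable ASCII range a WPA2 pass phrase may use.
CHARSETS = {"lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}


def comparison_table(guesses_per_second: float, lengths=(8, 12, 20)):
    """Rows of (charset name, length, entropy bits, years to exhaust)."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            years = seconds_to_exhaust(n, size, guesses_per_second) / (365.25 * 86400)
            rows.append((name, n, round(entropy_bits(n, size), 1), years))
    return rows


if __name__ == "__main__":
    # Sanity check against the 802.11i Annex H test vector ("password" / SSID "IEEE").
    print("PMK:", wpa2_pmk("password", "IEEE").hex())
    RATE = 100_000.0  # ASSUMED guesses per second, for illustration only
    for name, n, bits, years in comparison_table(RATE):
        print(f"{name:16} {n:2d} chars  {bits:6.1f} bits  {years:12.3g} years")
```

The derivation is the standard one, so the first line of output must match the published test vector; if it does not, the PBKDF2 parameters are wrong. The table is where tip 1 becomes concrete: eight lowercase characters give under 38 bits, while twenty characters drawn from the full printable range give over 130 bits, and the PBKDF2 cost multiplies whatever the raw search space is.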

Stricter gun laws? Try a light saber.

Most of the Star Trek and Star Wars technology might seem far-fetched, but you will be surprised how many modern gadgets resemble something we once only knew from SciFi movies. We have communicators (cell phones), spaceships, plasma drives, lasers and we even start to understand the principles behind transporters.

For many Star Wars fans the coolest gadget is a light saber. Yes, you can buy them, including a Darth Vader outfit, but the stuff can’t even harm a fly. If you really want to slice a burglar in two halves, you have to build your own version. All you need to do is salvage a 3 Watt laser from a DLP projector and put it into something resembling a light saber.

May The Force be with you.

Google For Hackers

If it can’t be found on Google, it doesn’t exist. Right? Wrong. You haven’t visited Shodan yet.

Unlike Google, which crawls the Web looking for websites, Shodan navigates the Internet’s back channels. It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet. Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.

Nice, but who cares? Hackers do. If you would get one dollar for every device which is still accessible with the default username and password, you’d be rich. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.

Typing in “Default Password” tells it all – countless companies and individuals have no clue how important (even basic) security really is. This simple search reveals countless printers, servers and system control devices that use “admin” as user name and “1234” as password. Many more connected systems require no credentials at all — all you need is a Web browser or FTP client to connect to them.

In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.

He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into “test mode” with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.

Scary stuff.