Windows 8 ‘Secure Boot’ not that secure

At least booting Windows 8 was secure – or so we thought.

Windows 8 Secure Boot is based on UEFI 2.3.1. Secure Boot is considered to be an important step towards securing platforms from malware compromising the boot sequence before the OS starts.

However, there are certain mistakes platform vendors could make which can completely undermine protections offered by Secure Boot. And, of course, hardware vendors make these.

At Black Hat USA 2013 Yuriy Bulygin will demonstrate an example of a full software bypass of Windows 8 Secure Boot due to such mistakes on some of the latest platforms and explain how those mistakes can be avoided.

Why blocking ads became important

Not because ads are more frequent or annoying, but because Ad Servers became a target. Infecting an Ad Server is way more efficient than targeting just one website. One Ad Server can serve dozens – sometimes hundreds – of websites at a time.

Another reason why this is becoming more popular is that these attacks can’t be blocked in a firewall. The attacks use port 80, which you need to access the WWW. If you block port 80, your computer becomes largely useless. Infected Ad Servers became an important way to distribute malware, worms and viruses.

All of this has happened on quite a few occasions already, and the resulting infections spread quickly and worldwide. One of the more ‘famous’ hacks involved servers used by Yahoo, Fox and Google. One of the most popular ad blockers is Adblock Plus. Installation is a breeze. If you still use IE (…) go here.

Cheap ammo for the AR15

You can pull the trigger 15.000 times with one cartridge. Only $43.42!

Gadget of the week: Casio AL190WD-1AV

Forget the model number – it’s impossible to memorize. What Casio resurrected from the dead is a battery-less retro watch that’s powered by the sun, artificial light or other sources of natural light. Its large solar panel collects enough light to power such useful functions as a stopwatch, countdown timer and 5 alarms. Silver stainless steel band digital watch with a neutral face.

  • Solar Powered
  • 1/100-second stopwatch
  • Countdown timer
  • 5 alarms
  • 50-meter water resistance

While the bracelet is metal, the case is made of resin and painted to resemble metal. This finish will probably wear off quickly, but who cares: the watch is dirt cheap. A little bit of shopping will land this model in your shopping basket for about $20.

I must say: so far the watch works as advertised. It takes a while to charge the built-in capacitor, but once fully charged the watch can run up to 14 days without having to expose it to light. A solar icon warns you when it’s time to get out of your man cave.

WiFi, a hacker’s dream

The average user doesn’t give WiFi security much thought. As far as they’re concerned, it’s just as safe as wired networks and that’s where the fun begins. I did a few experiments in order to find out if hacking into someone else’s access point is really that hard. This is a lengthy article, but I didn’t want to divide it into separate posts.

The basics
Let’s start with the basics. Wi-Fi (also spelled Wifi or WiFi) is a technology allowing electronic devices to exchange data wirelessly (using radio waves) over a computer network, including high-speed Internet connections. The Wi-Fi Alliance defines Wi-Fi as any “Wireless Local Area Network (WLAN) products that are based on the Institute of Electrical and Electronics Engineers’ (IEEE) 802.11 standards”. However, since most modern WLANs are based on these standards, the term “Wi-Fi” is used in general English as a synonym for “WLAN”. (more: Wikipedia)

Most modern routers come with an integrated wireless access point. It gives you a choice: connect cables to the integrated multi-port switch, use WiFi, or a combination of both. In my home both are used: desktops are wired, notebooks, smartphones and tablets use WiFi.

Security
When your access point is open (e.g. no password), everyone in range can use your Internet connection and peek into your internal network. That’s not a smart idea. Someone might abuse your connection to send threatening e-mails or download porn – and your IP address is attached to the messages and downloads. Your house might be raided by a SWAT team, and this actually happened not too long ago.

It is obvious you should protect your network to the best of your abilities. If you go into the Web interface of your router/access point, you will be presented with a number of options. Below is a typical screen.

  1. Disable Security, no password. Bad idea, see above.
  2. WEP (Wired Equivalent Privacy). Bad idea too, can be hacked in minutes because the key is transmitted over the air in plain text at regular intervals.
  3. WPA/WPA2 (Wi-Fi Protected Access). Acceptable.
  4. WPA2/WPA2-PSK. Best option. The abbreviation PSK stands for Pre-Shared Key. You define the key (pass phrase) yourself and share it with others in the family. WPA2 can use AES encryption.

Do not use “WiFi Protected Setup”, an automated system which was invented to make setup easier for inexperienced users. In this system you press and hold a button on the router or access point to send the key to a new device. Because the key is transmitted over the air, it can be picked up.

OK, I did everything right. Am I still vulnerable?
Unfortunately the answer is “Yes”. Any signal transmitted over the air can be intercepted and inspected. Not too long ago hacking into WiFi was the domain of seasoned hackers, but times changed. Anyone can get hold of so-called sniffers and other tools to get into your system. A good example is Kali Linux, a cover-it-all distribution specifically designed to discover security flaws.

If someone is really committed, finding the right key is just a matter of time. I used some tools and tried to get into my own system. In order to mimic a real-life situation, none of the devices present in my home network were protected in any way. I also shared a directory present on a Windows XP desktop, something commonly done.

To make it easier, my WiFi key was the shortest possible (8 characters), something many people think is just fine. It took a while, but I got in and could surf the Internet for free. After that I picked up my Android phone on which three special apps were installed. These apps are also available for the iPhone.

  1. Fing. This program scans a network, finds all devices, and shows supported protocols you can use to access them.
  2. AndSMB. This program is used to access shared files and directories on networks.
  3. AndFTP. This program uses the FTP protocol which is used by some devices.

This is what I could see and do:
– See all devices present in the network
– Open, download, move, replace or delete files on any NAS or shared directory
– Upload files (could be used to plant viruses or worms)
– Open ports in the router/firewall for later (ab)use

And more. If I had had a Samsung Smart TV, I could have gained control over it.

Scanning the network, 13 devices found, selecting the PLAYONHD media player

Scanning for protocols, selecting SMB

Selecting Samba client

No password needed, so can be erased

And there’s the directory structure.

What can I do here apart from listening to the music?

Checking the shared directory on the IBM computer. Login with Guest/Guest. A password file, a passport scan, AMEX info. Nice!

Some prevention tips:

  1. Use the best security protocol and make the key as long as possible instead of only 8 characters
  2. Hide the SSID of your access point
  3. Avoid using wireless for financial transactions
  4. Password-protect shared devices and directories
  5. Limit access to your own devices only, based on their MAC address
  6. Being paranoid is good. Switch off WiFi when there’s nobody home.
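To put numbers on tip 1, the following added example (not part of the original post) derives the WPA2-PSK master key the way the standard does, with PBKDF2-HMAC-SHA1 using the SSID as salt, and estimates how long an exhaustive search of a passphrase's length and alphabet would take. The guess rate, the function names and the sample passphrases are assumptions made for illustration.

```python
import hashlib
import math
import string

PBKDF2_ROUNDS = 4096             # iteration count fixed by WPA2-PSK
ASSUMED_GUESSES_PER_SEC = 1e6    # assumption for illustration, not a measurement
SECONDS_PER_YEAR = 365 * 24 * 3600

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-PSK master key (PBKDF2-HMAC-SHA1, SSID as salt)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, 32)

def alphabet_size(passphrase: str) -> int:
    """Size of the character set implied by the classes the passphrase uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    size = sum(len(cls) for cls in classes if any(c in cls for c in passphrase))
    if any(not c.isalnum() for c in passphrase):
        size += 33               # remaining printable ASCII, space included
    return size

def search_space_bits(passphrase: str) -> float:
    """Upper bound on strength: assumes every character was chosen at random."""
    return len(passphrase) * math.log2(alphabet_size(passphrase))

def years_to_exhaust(passphrase: str, rate: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Time to try every candidate of this length and alphabet at the given rate."""
    return alphabet_size(passphrase) ** len(passphrase) / rate / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed sample passphrases and SSID, not taken from the post.
    for phrase in ("abcdefgh", "Tr1cky-but-short", "correct horse battery staple 42!"):
        pmk = derive_pmk(phrase, "HomeNetwork")
        print(f"{len(phrase):2d} chars  {search_space_bits(phrase):6.1f} bits  "
              f"{years_to_exhaust(phrase):10.3g} years  PMK {pmk.hex()[:16]}...")
```

The bit count is an upper bound: a passphrase built from dictionary words or a predictable pattern is far weaker than its length suggests. Because the SSID is the salt, the same passphrase yields a different key on a differently named network.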

Stricter gun laws? Try a light saber.

Most of Star Trek and Star Wars technology might seem far-fetched, but you will be surprised how many modern gadgets resemble something we once only knew from SciFi movies. We have communicators (cell phones), spaceships, plasma drives, lasers and we even start to understand the principles behind transporters.

For many Star Wars fans the coolest gadget is a light saber. Yes, you can buy them, including a Darth Vader outfit, but the stuff can’t even harm a fly. If you really want to slice a burglar in two halves, you have to build your own version. All you need to do is salvage a 3 Watt laser from a DLP projector and put it into something resembling a light saber.

May The Force be with you.

Google For Hackers

If it can’t be found on Google, it doesn’t exist. Right? Wrong. You haven’t visited Shodan yet.

Unlike Google, which crawls the Web looking for websites, Shodan navigates the Internet’s back channels. It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet. Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.

Nice, but who cares? Hackers do. If you would get one dollar for every device which is still accessible with the default username and password, you’d be rich. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.

Typing in “Default Password” tells it all – countless companies and individuals have no clue how important (even basic) security really is. This simple search reveals countless printers, servers and system control devices that use “admin” as user name and “1234” as password. Many more connected systems require no credentials at all — all you need is a Web browser or FTP client to connect to them.

In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.

He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into “test mode” with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.

Scary stuff.

Why smartphones are vulnerable

The answer: because most users don’t understand what smartphones really are: mini-computers which, incidentally, can also be used to place or receive calls. Many users still perceive smartphones as just phones with nice screens and loaded with a lot of awesome tools.

Cybersecurity was never an issue with ordinary land line phones and older, simple mobile phones. In essence the word “Phone” in “Smartphone” caused many people to think that nothing really changed.

Even in my inner circle of nerds and geeks there are still some who don’t give security much thought. On the second day of CTIA 2013™, CTIA (The Wireless Association®) released a consumer survey revealing users’ attitudes toward cybersecurity. The result didn’t really surprise me: less than one in five users understands what smartphones really are.

You can download the complete survey (PPT format) here.

The Future Of Privacy

“We know how important it is to keep your data private. That’s why all the information you provide to us will be used for just one purpose — to help you. Information about you, your creditors and outstanding balances are never disclosed to outside parties. And don’t worry about your name, address, telephone number, or e-mail being revealed because we will never sell information about you to anyone.”

‘Apps act’ in the making

With more than 1.5 million apps now available for Android phones and Apple’s iPhone, a congressman is proposing a law that would require mobile app developers to let users know what an app’s privacy policies are when it comes to information being shared and the length of time the information is kept by a developer.

“Data has become the oil of the 21st century, and like any other resource, there must be common-sense rules of the road for this emerging challenge,” said Rep. Hank Johnson, D-Ga., in introducing the Application Privacy, Protection and Security Act in Congress Thursday.

“Every day millions of Americans use mobile applications to help us get through the day,” Johnson said. “But many consumers do not know their data is being collected. This privacy breach is just not 1s and 0s, it’s personal information, including our location at any given moment, our photos, messages and many of the things meant only for our friends and loved ones.”

Read the rest of the article on NBC News.