Securitybreaches – Page 2 – Explaining Security

IoT Botnet Can DDoS Your Webserver

Ok it happened as some predicted last year:

A botnet was found¹ (a collection of computers or in this case devices that are controlled by another computer) controlling a number of IoT (Internet of Things). These IoT devices were then told to attack a website thus causing a DDoS (Dynamic Denial of Service). The website then crashed as it was too busy.

image from valuewalk.com²

So let’s back up a bit what are IoT’s? http://iotlist.co/ has a list.

An IoT can be many things – camera is one, espresso machines, samsung VR headset, indoor night light,wifi smart plug, speakers, indoor air quality monitor, samsung galaxy connected screen, keypad, oven, watch, light switches, and many more.

Director of National Intelligence (DNI) James Clapper Feb 25 hearing in congress:

“I want to briefly comment on both technology and cyber specifically. Technological innovation during the next few years will have an even more significant impact on our way of life. This innovation is central to our economic prosperity, but it will bring new security vulnerabilities,” he said. “The Internet of things will connect tens of billions of new physical devices that could be exploited. Artificial intelligence will enable computers to make autonomous decisions about data and physical systems and potentially disrupt labor markets.”

So our esteemed leaders are keeping an eye on IoT’s but what are they really?

The attack happened from CCTV devices connected to the Internet (which have a specific bug noted below that can be exploited by criminal hackers).

KerneronSecurity³ wrote about this in March 22, 2016. 70 CCTV vendors have a remote code execution bug. And apparently this has been going on since 2014.

So this is a big problem and will continue to be one it looks like will not be fixed until the vendors of most CCTV devices fix this issue.

GoldenEye IR camera http://www.goldeyecctv.com/

http://www.technomate.com/categories/Products/Security/Cameras/

Above are just 2 of the supposed 70 according to KerneronSecurity that are susceptible to this big Cybersecurity problem.

This blog post does not imply that the above 2 vendors (GoldenEye and Technomate) have the bug as i have not independently verified these 2 models with that specific remote code execution.

I imagine the criminal hackers are working on new attack angles with this many potential attack points.

In fact according to Google – 5.9 mil in Britain CCtv’s and 245 million in world. Likely most of them are susceptible to this attack.

As it seems that over 25,000 attack points came into the website DDOS attack. There seems to be a potential for much bigger mischief.

You may not realize this, but the hackers also have problems with their software, especially since it is custom built, and thus they cannot come into controlling hundreds of thousands of devices, first have to control 25,000.

So what to do if we know a major Cyberstorm is coming?

According to Kerneron Security these devices all are white label devices coming from TVT a Chinese company.

TVT 5F,North Block,CE Lighting House, Hi-Tech Park, Nanshan District, Shenzhen,GuangDong,P.R.China

And I have found an actual CVE 2013-6023 that explains this Cross Web Server vulnerability(4)

And specifically check Exploit-db.com

Which discusses the directory traversal vulnerability.

Now if we try to find the actual market share of TVT devices (H.265) then we find:

from https://technology.ihs.com/api/binary/520143

It looks like most vendors are coming from China and the market in 2013 was $13.5Billion for professional video surveillance. So as usual Security not as important as sales.

My recommendation? If you have TVT video camera – REPLACE it. with a technology that is different than this one. As it seems the TVT devices are not security tested.Run your own security tests.

It looks like you have to test and fix this problem.

Contact me to discuss

This is what I do as a security vulnerability analyst among others… https://fixvirus.com/sigma-service/

1)https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html

2)http://www.valuewalk.com/2015/12/iot-based-botnets-will-be-major-problem-by-2017-iid/

3)http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html

4) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6023

Cybersecurity and Internet: Too Complicated?

Brian Krebs- KrebsonSecurity¹ has a story of Cici’s Pizza with a data breach on June 3rd .

This credit Card breach story is interesting but not what I want to discuss.

Instead let’s discuss “Todd”‘s response in the comments

1st response:

So obviously Todd wrote this response as an immediate reflex action and does not have an understanding of how Internet Cybersecurity works.

He keeps trying to impugn the integrity of Brian Krebs and reduce the actual faults (which he acknowledges) on his ‘placeholder’ website.

This is the problem Todd: Even a placeholder can be an attack vector and obviously Todd does not understand this. Also have you heard of watering hole attacks? Where a website is attacked and compromised, the subsequent visitors on the website would then get attacked not knowing that happened.

Almost like saying please hack us we don’t pay attention to this site (last updated in 2012).

The other thing is – when PR is concerned if you don’t know what to say – saying nothing is better.

Now let’s go to Todd’s 2nd response:

This response just confirms Todd’s inexperience and naivete.

But the worst is yet to come….

Yes – 3rd response:

His last response does all the wrong things again – admits to not caring about their website and so what if we had adware injections to potential customers or our customers.

The third response proves that his responses are just reactionary and not well thought out – even though the first started June 5, 2016 at 1:45 pm then 2nd at June 6, 2016 at 12:25 am with final at June 5, 2016 at 10:47 pm (so obviously the responses were quickly being sent while Brian was making sure this was not spam and he finally allowed them to go on the site) But there was at least 9 hours and finally almost 12 hours between responses (explains why there were no substantive changes in his response)

Even though Todd claims to be part of a POS (Point of Sale) technology company apparently Todd believes there is no correlation with being up-to-speed with your unimportant (in his eyes) website that discusses POS technology. Confirming it was not updated for 4 years is not a plus.

Also claiming to “have a home page” because we have to have one. Misses the point of cybersecurity. You must protect all your assets not just the ones 1 person is aware of.

Or at least fix them, update them on a regular basis. Not every four years (i.e. when we get around to it).

So what can we learn from this Todd vs Brian exchange?

I would say do not try to engage with journalists even if they are wrong unless you have a crafted response and stick to your points.

the points should not be

A. We did not do it that badly (this is a bad argument on all accounts)

B. Our xyz property is not important – and none of our customers got hacked as a result of our mistake.

It is better to figure out the right response and maybe even ask someone else before actually responding.

Forgive me but I want to point out the obvious – Saying we did not screw up so bad is not what should be said. If you will accept blame apologize without saying someone else is at fault. then fix the problem ASAP and say that.

Tell us how you will keep things together in the future, don’t start arguing with the journalist on minor semantics just to win a small battle.

But most of all remember to do risk analysis and the following concept(your limited impact items are likely already hacked – and thus the attacker is already in the network trying to attack more interesting targets):

And more info in this past post² (Feb 8th, 2016)

So contact me to review your “non-essential” properties before they get hacked.

Finally – realize that the Internet is 24/7/365 – if you don’t get that would you accept no more Netflix at 2am on a Saturday? It is at 2am when you get attacked. Don’t whine about writing a story on Friday and needing a response at 2pm on Friday. Now we know why your company has problems.

Also it looks like Brian’s comment software had a hiccup in orienting the comments when Brian took a little while (Friday evening) in sorting the comments once approved. I took them to be 1st , 2nd , and 3rd responses as they are listed top to bottom.

Script Kiddie Breaks Into v3.9 WordPress

What happens when an enterprising young person is in front of a computer too long?

Oh yes one thing leads to another and WordPress is something to conquer.

It does require patience and diligence. Every day somebody is finding new vulnerabilities in new and old software (this problem was uncovered by ‘speckz’ poster on reddit).

So in the image above (which are snippets of the website¹ that speckz placed). I did not place the details of his analysis because I do not want to get in the weeds (php code etc).

That is what a criminal and good hacker does. Diligently pursue code snippets until they reveal more information about the website technology.

The idea is for you to have someone that will keep an eye on your security, preform vulnerability analysis and more.

Either way you will pay some money to someone… Either to ethical hackers or as in the next point from unethical extortionist hackers.

Threatpost² has a story which tells of 30 unsolicited bug poaching incidents. Here is where the ‘bug poachers’ are telling companies: “You have a bug in xyz software or system” on your premise. Oh and by the way we already stole all your data.

So what you need to do is give us(the poachers) $10,000 so we will tell you where the problem is and we will not use the data we stole for nefarious deeds.

So do you believe these unethical criminal elements?

Paying Extortion is bad because guess what – it will happen again.

What you really need is to spend more money and resources on fixing all IT process problems that are causing this problem in the first place. How can I say this with certainty?

Here is a quote from the Threatpost post:

“So far, none of the cases investigated use significant zero-day vulnerabilities, but rather tactics that could easily be prevented,” wrote Kuhn

It is a shame that some IT orgs don’t have the wherewithal to get the resources in place.

Am I being too critical? Are we as humans too weak to get the right info tech help that will cause us to have a good defensive umbrella? Is management just incapable of making good long term decisions?

The right methods in my opinion are the following:

A Next Gen Firewall,

Patching your systems within 30-60 days after new patches come out –(all patches should be performed after a good test)

Testing everything even though every function has been performed – there is no way around this “testing” as stuff happens and there is too much at stake for mistakes.

The problem is 1 mistake causes problems and problems turn into breaches … and extortion, ransomware etc. script Kiddies are coming and they are not stopping… Because they can.

Why are There Cyber Security Issues?

Why are there constant patches for security problems that are inside software? Why???

Why do we have New Security breaches? every year new ones are found and hackers find them to hack computers (which happen to have this breached software).

At the end of last year (2015) everyone was being circumspect and reviewed what happened – why is it we get new breaches and attacks every year?

There are also several blogs that have taken umbrage with Verizon’s DBIR (Data Breach Investigations Report)

Here are some:

OSVDB¹ blog
Rapid7 Blogpost²

Found another interesting analysis of Verizon’s DBIR: FoxGlovesecurity(6)

FoxGloveSecurity researched the types of vulnerabilities and categorized them (of the ones in the report). Foxglove says the focus should be on remote command execution and impact (51)

Remote Command Execution – 51 Instances

SQL Injection – 12 Instances
Default Credentials – 6 Instances
Insecurely Configured Application Server – 6 Instances
Guessed Password – 5 Instances
Outdated Software – 5 Instances
SQL User is SA – 5 Instances
Single Factor Authentication – 3 Instances
Command Injection – 2 Instances
Insecure File Upload – 2 Instances
Public Credential Leakage – 2 Instances
Unsafe Deserialization – 2 Instances
Reflected Cross-site Scripting – 1 Instance

Notice that there are a fair amount of errors in configuration or administration fault:

default credentials, insecure server config, guessed password,SQL User is SA, single factor authentication (30 instances) 59% of the remote command execution impact table are errors of some kind.

The top10 vulnerabilities in the report were:

SQL Injection – 38 Instances
Insecure Authorization – 23 Instances
Insecure Direct Object Reference – 15 Instances
Stored Cross-site Scripting – 13 Instances
Insecure Authentication – 9 Instances
Insecure Password Reset – 9 Instances
Guessed Password – 9 Instances
Default Credentials – 8 Instances
Single Factor Authentication – 8 Instances
Insecurely Configured Application Server – 6 Instances

Foxglove took the 51 remote code executions out of the top10 (138 instances) which are the most dangerous.

So obviously there are many potential vulnerabilities and system administration pitfalls which many entities can’t seem to handle.

I have another question to ask: Why is Security so Hard? I ask this because the hits just keep on coming.

“Hackers Breach Goldcorp, Lifeboat, Qatar national Bank”³ 5/4/16 story

“The Future of our City Services? Cyberattackers target Core Water Systems”(4) 3/23/16 story

“Another Hospital Computer System Down to Ransomware”(5) 2/29/16 story

My attempt at explaining the thoughts that may go through management (above picture).

Apparently the difficulties of proper IT administration with security in mind has not been solved yet by most organizations.

What is so difficult to patch all your computers, change default admin passwords, and even to make sure the system administrator and userid are not the same. Single factor authentication might have to do with budget considerations or not having the technical ability to handle switching to 2FA (Two Factor Authentication).

So the effect of a constant change in security, the technical challenges as well as administrative changes is just difficult enough to give many companies problems.

One solution is to have an outside entity test your environment.

I know my solution is somewhat technical – but the point is to have a person test your environment (firewall, software, websites, or wifi device) so that the administration or configuration problems can be reviewed and fixed by the staff themselves.

The answer to the title is there will always be cybersecurity issues with humans running things because stuff happens and nothing is perfect.

Contact Me to discuss

Don’t Trust And Verify

I know the gipper had the famous saying:

But that is only for the soviet union arms control in the 1980’s.

In the 1990’s and early 2000’s we have the following:

“Trust but verify” and always back up your work.

But I think it is not enough in the 2010’s specifically March 10th, 2016.

Now the motto in Cybersecurity should be the following:

DON’T TRUST AND VERIFY ALL PLUGINS!!!

Why ??? Why do we have to verify all plugins?

Sucuri Blog¹ has an interesting post

Have you heard of the Wooranker account at WordPress Directory? Where all the plugins are located?

The WooRanker Developer took over the Custom Content Type Manager (CCTM) plugin. with more than 10,000 installs.

This Wooranker ‘developer’ took over the CCTM plugin and created a hacked version 0.9.8.8 and thus over 10,000 installations unwittingly updated their plugins thus causing the hacked or backdoored version to be installed.

Sucuri found an infected site with CCTM 0.9.8.8

And as SucuriBlog continues to point out that on Feb 18th, 2016 “wooranker” made a change and added auto-update.php with the following message “small tweeks by new owner”

So the new owner made a new plugin update with the backdoor included.

So as a dutiful PCI compliant person you updated the plugin and are now hacked.

This is why we “can’t trust the plugin and verify it”. We need to know about our suppliers and vendors. We need to review patches and plugin updates. On certain plugins we need to go an extra mile and review who is really working on plugins and verify authenticity. Otherwise a hacker will get into your site through the front door with you installing it. It looks like PCI needs another update to it’s standard, because one cannot install a patch that has a backdoor???

Since hackers are human and programmers and administrators are human new attacks will take us to places we did not suspect before.

You know OSI’s (open Source Interconnection) 7 layers network model.

The 8th layer (the human element) will always be a problem.

Even safeguards can fail if humans don’t pay attention.

Having safeguards for the safeguards does not make sense – it is better to have principles that are simple to follow yet easy to remember.

Contact Me to discuss these “simple principles”

If you do have the CCTM plugin and 0.9.8.8 version you are infected – go here betanews.com² to fix (it is not as simple as uninstalling)