Yet Another IoT Botnet

[TrendMicro] are reporting that yet another IoT botnet is emerging. This new botnet had been dubbed Persirai and targets IP cameras. Most of the victims don’t even realize their camera has access to the Internet 24/7 in the first place.

Trend Micro, have found 1,000 IP cameras of different models that have been exploited by Persirai so far. There are at least another 120,000 IP cameras that the botnet could attack using the same method. The problem starts with the IP cameras exposing themselves by default on TCP Port 81 as a web server — never a great idea.

Most IP cameras use Universal Plug and Play, which allows them to open ports from inside the router and start a web server without much in the way of security checks. This paints a giant target in cyber space complete with signs asking to be exploited. After logging into a vulnerable device the attacker can perform a command injection attack which in turn points gets the camera to download further malware.

The exploit runs in memory only, so once it has been rebooted it should all be fine again until your next drive by malware download. Check your devices, because even big named companies make mistakes. IoT is turning into a battlefield. We just hope that with all these attacks, botnets, and hacks the promise of the IoT idea isn’t destroyed because of lazy coders.

Part of feature image from Wikipedia, Creative Commons license.

Patents on MP3 Format Due to Expire

MP3 took off in the late 90s as the digital music format. It then proceeded to slaughter the CD, and launch the file sharing revolution as well. It’s a proud format that has roots stretching all the way back to the early 1980s, when the possibility of sending music over ISDN lines was first considered. Now the patents on it are beginning to expire and its licencing program has been terminated.

The MP3 standard was the property of Fraunhofer IIS, and the original licencing model was intended such that encoders would be expensive, and decoders relatively inexpensive. This would allow people to buy software to listen to MP3s cheaply, but the creation of MP3s would be expensive, and thus handled by studios and music labels. This all changed when a high-quality MP3 encoder was leaked to the public, and suddenly it became possible to readily convert your CDs at home into the MP3 format.

One hangover of this ownership of the MP3 standard was that when you installed certain FOSS software, such as Audacity or a Linux distro, you would find that you had to go and do some legwork to find an MP3 codec. That was because it wasn’t worth the legal trouble for the FOSS authors to arrange a workaround, and trading in proprietary software is the antithesis to everything they stand for.

However, now that more of the relevant patents are expiring, you can now expect MP3 support to be baked into more software. It may be more than a little late, with more advanced audio formats beginning to take over, but it’s great to know that Fedora, for one, is starting to include MP3 support with their releases.

If you’d like to read more about the history of the MP3, check out this great article from NPR. Fraunhofer have their own great history site, too. If all this talk of advanced audio formats has gotten you excited, check out this MP3 decoder written for the ESP8266.

[Thanks to Tim Trzepacz for the tip!]

Global Cyber Attack Halted: Autopsy Time

Friday saw what looked like the most dangerous ransomware infection to date. The infection known as WannaCry was closing down vital hospital IT systems across the UK canceling major operations and putting lives at risk.

Spread Halted?

It spread further around the world and almost became a global pandemic. Although machines are still encrypted demanding Bitcoin, one security blogger [MalwareTech] halted the ransomware by accident. As he was analyzing the code he noticed that the malware kept trying to connect to an unregistered domain name “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com”. So he decided to register the domain to see if he could get some analytics or any information the worm was trying to send home. Instead much to his surprise, this halted the spread of the ransomware. Originally he thought this was some kind of kill switch but after further analysis, it became clear that this was a test hard-coded into the malware which was supposed to detect if it was running in a virtual machine. So by registering the domain name, the ransomware has stopped spreading as it thinks the internet is a giant virtual machine.

Why was the UK’s NHS Hit So Badly?

According to the [BBC] Information obtained by software firm Citrix under Freedom of Information laws in December suggest up to 90% of NHS trusts were still using Windows XP, However NHS Digital says it is a “much smaller number”. Microsoft has rolled out a free security update to Windows XP, Windows 8, and Windows Server 2003 “to protect their customers”. There was much warning about XP no longer receiving updates etc, the 2001 operating system just needs to die however so many programs especially embedded devices rely upon the fact that the OS running is Windows XP, This is a problem that needs sorted sooner rather than later. There is still obvious problems facing the NHS as all outpatients appointment’s have been canceled at London’s Barts Health NHS Trust which happens to be the largest in the country. However [Amber Rudd], Home Secretary, said 97% of NHS trusts were “working as normal” and there was no evidence patient data was affected. Let’s just hope they update their systems and get back to fixing people as soon as they can.

Where Else Was Hit?

There was quite a few other places hit as well as the UK’s NHS including The Sunderland Nissan Plant also in the UK, Spanish telecoms giant Telefonica along with some gas companies in Spain. In the US FedEx was affected, France has seen production in some of it’s Renault factories halted. Finally, Russia reported 1000 governmental computer systems has been hit.

So is this the end for ransomware?

No, this infection was stopped by accident the infected are either still infected or have paid up, had they not included the sloppy code in the first place then who knows what would have happened. Microsoft had rolled out patches but some people/organizations/Governments are lazy and don’t bother to apply them. Keep your computers up to date, Good luck because we think we will be seeing a lot more ransomware malware in the coming years.

[Update WannaCry v. 2.0 has been released without the “kill switch”, We wonder what will happen now. Probably not a lot as the media attention has been quite intense so it may not be that big an infection however there is always a few who live in the land where news doesn’t exist and will go a long their day until BAM! Ransom Ware installed and pockets emptied.]

Massive Cyber Attack Cripples UK Hospitals, Spreads Globally

A massive ransomware attack is currently under way. It was first widely reported having crippled the UK hospital system, but has since spread to numerous other systems throughout the world including FedEx in the US, the Russian Interior Ministry, and telecommunications firms in Spain and Russia.

The virus is known by names WannaCrypt, WannaCry, and a few other variants. It spreads using the ExternalBlue exploit in unpatched Windows machines older than version 10. The tools used to pull off this attack were likely from an NSA toolset leaked by the Shadow Brokers.

So far the strongest resource for technical information that we’ve found is this factsheet hosted on GitHub.

NHS Services at a Standstill in the UK

NHS services across England and Scotland have been hit by the ransomware attack, crippling multiple hospitals and doctor’s practices. The UK has universal healthcare — the National Health Service  — covering Doctors, Hospitals and generally everything medical related is free at the point of service. but today they have had to turn away patients and cancel consultations.

NHS is unable to access medical records of patients unless they pay £230 ($300) in bitcoin for infected machines. There is no evidence patient data has been compromised, NHS Digital has said. The BBC has stated that up to 39 NHS organisations and some GP practices have been affected.

The National Cyber Security Centre (NCSC) was “working closely” with the NHS and that they will protect patient safety. We are aware that a number of NHS organisations have reported that they have suffered from a ransomware attack.

-Prime Minister Theresa May

Infected Systems Throughout the World

Computers in regions across the globe have been under attack today, including Telefonica (O2 in the UK), with at least 45,000 computers compromised in Russia, Ukraine, India, and Taiwan alone. There’s no indication of who is behind the attack yet.

The ransomware’s code takes advantage of an exploit called EternalBlue, made public in April by Shadow Brokers which was patched by Microsoft in March, It comes as a shock that an organisation the size of the NHS seem not to have kept their computers updated. This is perhaps just a taster of what is to come in the future as cyber crime and warfare become more and more commonplace.

[Ransomware screenshots via @UID_]

Automate the Freight: Medical Deliveries by Drone

Being a cop’s kid leaves you with a lot of vivid memories. My dad was a Connecticut State Trooper for over twenty years, and because of the small size of the state, he was essentially on duty at all times. His cruiser was very much the family vehicle, and like all police vehicles, it was loaded with the tools of the trade. Chief among them was the VHF two-way radio, which I’d listen to during long car rides, hearing troopers dispatched to this accident or calling in that traffic stop.

One very common call was the blood relay — Greenwich Hospital might have had an urgent need for Type B+ blood, but the nearest supply was perhaps at Yale-New Haven Hospital. The State Police would be called, a trooper would pick up the blood in a cooler, drive like hell down I-95, and hand deliver the blood to waiting OR personnel. On a good day, a sufficiently motivated and skilled trooper could cover that 45-mile stretch in about half an hour. On a bad day, the trooper might end up in an accident and in need of blood himself.

Continue reading “Automate the Freight: Medical Deliveries by Drone”

HP Laptops Turn Up Keylogger Where You Wouldn’t Expect It

Keyloggers are nasty little things that have the potential to steal the credit card numbers of you and everyone you care about. Usernames and passwords can be easily stolen this way, so they’re a useful tool for the black hats out there. One would generally expect to find a keylogger in a dodgy movie torrent or perhaps a keygen for pirated software, but this week a keylogger was found in an audio driver for an HP laptop.

The logger was found by Swiss security researchers modzero. The Conexant HD Audio Driver Package version 1.0.0.46 and earlier apparently logs keystrokes in order to monitor things like the laptop’s volume up and down keys. The real killer here is that it feels the need to log all keystrokes detected to a readily accessible file, for reasons we can’t possibly fathom. It’s a huge security risk, but it doesn’t stop there – the driver also exposes the keystrokes through an API as well, creating an even wider attack surface for malicious actors. One can in principle access the keystroke log remotely.

There’s no word from the company yet, but we really want to know – why save the keystrokes to a file at all? Code left over from debugging, perhaps? Speculate in the comments.

Templates Speed Up Arduino I/O

It is easy to forget, but the Arduino does use C++. Typically, the C++ part is in the libraries and the framework and most people just tend to code their main programs using a C-style just using the library objects like C-language extensions. [Fredllll] recently created a template library to speed up Arduino I/O and he shared it on GitHub.

If you’ve ever done anything serious with the Arduino, you probably know that while digitalWrite is handy, it does a lot of work behind the scenes to make sure the pin is setup and this adds overhead to every call. [Fredllll’s] template versions can switch a pin’s state in two cycles. You can cut that in half if you don’t mind bothering the state of other pins on the same port.

Continue reading “Templates Speed Up Arduino I/O”