VoIP cameras, DVRs, and other devices running the Web Services Dynamic Discovery (WSDD) protocol are being used in a new type of DDoS attack. This isn’t the first time a zeroconf service has been hijacked as part of a DDoS, as UPnP has also been abused in similar ways.
Feel like alphabet soup yet? A Denial of Service (DoS) attack is one where the target is simply made unavailable, rather than actually compromised. The classic example of this is the SYN flood, where an attacker would open hundreds of connections to a web server at once, exhausting the server’s resources and interrupting legitimate use of that server. As mitigations for these attacks were developed (SYN Cookies, for example), DoS attacks were replaced by Distributed Denial of Service (DDoS) attacks. Rather than attack a weakness on the target machine, like available RAM or CPU cycles, a DDoS generally targets available network bandwidth by hitting the target website from many, many locations at once. No clever software tricks can help when your Internet connection is fully saturated with junk traffic.
And one way to get many, many computers to send traffic to the same IP is to run a botnet. Your five megabit upload bandwidth might not seem like much, but if a thousand computers are each saturating their 5 megabits, the resulting 5 gigabit attack is nothing to sneeze at. DDoS amplification is when a third party service is used as a part of an attack. Imagine sending a DNS request with a spoofed source IP address. UDP has no equivalent of the TCP three-way handshake, so detecting a spoof of this sort is much more difficult. You send a relatively small DNS request, and a DNS server responds by sending a larger reply — not to your IP, but to the target IP that you spoofed. This sort of amplification is usually done as part of a botnet DDoS attack, resulting in even more attack bandwidth. The largest confirmed DDoS attack on record is a staggering 1.3 Terabytes per second, was aimed at Github, and used Memcached as the amplification vector.
Now back to Zeroconf. Zero-configuration networking is the idea that things should “just work” when plugged into a network together. When you have the option to send video to your Chromecast, or Windows shows you the list of all the other devices on your network, you’re seeing zeroconf in action. Zeroconf protocols like UPnP and WSDD are intended to run only over the local network, but vendors are notorious for mis-implementing standards, and this is no exception. WSDD as defined should only respond to multicast requests on UDP port 3702. Many vendors have built their WSDD support in such a way that devices will respond to WSDD requests from any IP address, multicast or not. The last key to this amplification technique is the actual amplification: how small a packet can an attacker send, and how big a response can it trigger? Researchers at Akamai identified an eighteen byte message that triggers a much larger response. They managed a 153x amplification factor, which is terrifying. Thankfully, active attacks are running something more like 10x amplification factors.
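To make the detection side concrete, here is an added example (not from the article or from Akamai) that walks flow records looking for the two tell-tale signs described above: a unicast probe to UDP 3702 arriving from outside the local network, and the oversized reply a mis-implemented device sends back to that (spoofed) address. The flow records, the local prefixes and the external address 203.0.113.7 are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

WSDD_PORT = 3702
WSDD_MCAST = ipaddress.ip_address("239.255.255.250")  # WS-Discovery IPv4 multicast group

# Assumption: the defender knows their own address space (constructed prefixes).
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def is_external(ip: str) -> bool:
    """True for a unicast address that is not in any of our local prefixes."""
    addr = ipaddress.ip_address(ip)
    return not addr.is_multicast and not any(addr in net for net in LOCAL_NETS)


def find_reflection(flows):
    """Flag unicast WSDD probes from outside the LAN (a compliant device only
    answers multicast), pair each with the replies our device sent to that
    address, and compute the resulting amplification factor."""
    findings = []
    for probe in flows:
        if probe.dport != WSDD_PORT or ipaddress.ip_address(probe.dst) == WSDD_MCAST:
            continue  # multicast discovery is normal; only unicast probes matter
        if not is_external(probe.src):
            continue  # LAN-internal unicast traffic is not a reflection attempt
        reply_bytes = sum(f.nbytes for f in flows
                          if f.src == probe.dst and f.sport == WSDD_PORT and f.dst == probe.src)
        factor = reply_bytes / probe.nbytes if probe.nbytes else 0.0
        findings.append({"reflector": probe.dst, "victim": probe.src,
                         "probe_bytes": probe.nbytes, "reply_bytes": reply_bytes,
                         "amplification": round(factor, 1)})
    return findings


# Constructed sample flows: normal LAN discovery followed by an abused device.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", 49152, "239.255.255.250", 3702, 700),  # multicast probe
    Flow("192.168.1.50", 3702, "192.168.1.20", 49152, 2400),    # reply to LAN host
    Flow("192.168.1.20", 49152, "192.168.1.50", 3702, 700),     # LAN unicast probe
    Flow("203.0.113.7", 3702, "192.168.1.50", 3702, 18),        # spoofed 18-byte probe
    Flow("192.168.1.50", 3702, "203.0.113.7", 3702, 2754),      # reply aimed at the victim
]

if __name__ == "__main__":
    for finding in find_reflection(SAMPLE_FLOWS):
        print(finding)
```

In a real deployment the same logic runs over NetFlow or firewall logs; the practical mitigation is to drop inbound UDP/3702 at the edge, since WS-Discovery has no business crossing the Internet.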
Lastpass Reveals Your Last Pass
Sometimes software names and the bugs that affect them are downright uncanny. The Lastpass plugin had an issue where a website could run some clever Javascript and retrieve the last password that Lastpass auto-filled. This worked because the Lastpass plugin uses Javascript on the web pages you visit, watching for password prompts to fill. It was discovered that the JS code of a malicious website could interact with the plugin’s code in unintended ways. Because the Lastpass pop-up could be referenced without calling an initialization function, data was still present from the last time that pop-up was shown. Lastpass fixed the problem in release 4.33.0.
More Data Breaches
This week there were two separate stories about very large data breaches. Though technically, neither is a breach so much as passwordless databases carelessly exposed to the internet. First is the more than 100 medical databases being served on the internet without proper security. So far there seems to be plenty of finger-pointing, but with that many security fails, there is plenty of blame to go around. It’s worth noting that each of those exposed databases is a HIPAA violation, and each carries the potential for a sizable fine.
The second is the records of essentially every citizen of Ecuador. An Elasticsearch instance was misconfigured and publicly accessible. While at first glance, this seemed to be yet another government database exposed to the Internet, there was something strange about this database. There was data from multiple sources. About half of the database was consistent with the idea of a government database, but the rest seemed to come from private entities. The researchers working on this story determined an Ecuadorian company named Novaestrat was hosting the vulnerable database.
The database was secured, and Novaestrat’s website has disappeared. There are still more questions than answers concerning this story. Was this database the combined storage for other data breaches? Regardless, the personal data of millions of Ecuadorians was exposed. Interestingly, Julian Assange was among the people with entries in this Database, as a result of his Ecuadorian asylum.
Both of these databases contained personal information, which is of course unchangeable. Millions of people have been doxxed by carelessness, and short of witness-protection-plan level measures, there is no undo button.
Windows Defender
Using Windows Defender? You might be in for a surprise next time you manually run a scan. Since the update this Tuesday, Windows Defender only scans a handful of files when manually running a quick or full scan. As is often the case, this bug was introduced when another problem was being fixed. If you use Windows Defender and want to run a manual scan, the custom scan does still work correctly.
Between this Windows Defender bug and the recent string of Windows fixes breaking Windows fixes, I’m guessing some Microsoft beancounter decided they didn’t need a QA department.
“Regression tests? What are we wasting money on those for?!”
It’s hard to tell from the content and tone of this message whether or not you’re joking about Microsoft firing their QA department, because they did actually do that.
Let me go way out on a limb here.
I’m guessing that the last password in a person’s LastPass file, is completely different than all the other passwords in the file.
So, a hacker gaining the last entry is only gaining that login and password.
Yeah, it’s literally just the last password that LastPass autofilled.
Not sure if people missed the point here…
You visit a site, said site recently started offering advertising space which includes running javascript. You logged in using lastpass. The javascript of the advert runs, whoops, lastpass just autofilled that password in again, this time for the advert, giving said site’s password to $bad_actor.
Aye, if anything, the specificity of the last used password can be leveraged as described above.
What seems innocuous, would have actually been quite targeted.
Like basically redirect to pay on PayPal / login to google and come back to site, thanks we have one of your most important passwords.
No, they weren’t gaining access to the last password in the file, they were gaining access to the last password the Lastpass plugin actually used.
So you’re suggesting changing the name of the software from Lastpass to Mostrecentpass?
Everyone should be using a password store. Folks who value security should use one that’s _not_ integrated into their browser. Folks who value convenience, well, okay.
From post: “Lastpass fixed the problem in release 4.33.0”
From Lastpass: “Tavis Ormandy, a security researcher from Google’s Project Zero, responsibly disclosed the issue to us. His report revealed a limited set of circumstances on specific browser extensions that could potentially allow an attacker to create a clickjacking scenario.”
“Additionally, while any potential exposure due to the bug was limited to specific browsers (Chrome and Opera), as a precaution, we’ve deployed the update to all browsers.”
Good thing I don’t use Google and use their Chrome data collection machine!
Congrats Tavis for finding the bug and collecting Lastpass’s reward $$ so we all can be more secure.
“Data” is plural of “datum”, so the title should read: “All your data ARE belong to US!”
And the plural of “data”, is “daters”.
That would match the meme better, too. This is what I get for not spending hours perusing know your meme instead of writing my column. :P
I’ve never used a password manager that uses a plugin or server. I never understood why password managers with huge attack surfaces were so popular compared to something like PasswordSafe, which is just an audited crypto lib and uses the input API for the top-level window or a timed-out clipboard.
It’s crazy how niche marketing is all people need to be sold on a security solution
C’mon HAD, why do you have to dirty the name of Zeroconf, which is its OWN protocol, with the misdeeds of Microsoft’s crappy WSDD? Zeroconf has NOTHING to do with this. It’s not mentioned once in the linked article, because it’s not involved.
You should remove any mention of Zeroconf, before it becomes sentient, and sues you for libel.
I’m not aware of a hard definition of which zero-configuration-network stack is *the* zeroconf. Has that been nailed down in an RFC or similar document?
The propublica story about the medical information accessible on the Internet, is old news; or am i missing something?
Not sure how you ended up here, but this is all news from 2019. The most recent iteration of this column is at https://hackaday.com/2021/01/29/this-week-in-security-sudo-database-breaches-and-ransomware/. Or just keep an eye on the main hackaday.com page on Friday mornings (US Time) for each week’s column.