This Week in Security: Backdoors in Cisco Switches, PGP Spoofing in Emails, Git Ransomware

Some switches in Cisco’s Nexus 9000 series, running in ACI mode, are susceptible to a remote vulnerability, numbered CVE-2019-1804. It’s a bit odd to call it a vulnerability, actually, because the software is operating as intended: Cisco shipped these switches with the same SSH key pair baked into the software on every unit, and that key is accepted for root logins. Anyone who extracts the private key from one device can log in as root on any of them.

Cisco makes a strange claim in their advisory: the flaw is only exploitable over IPv6. This seems very odd, as nothing about SSH or public key authentication is IPv6 specific. It suggests a second blunder, perhaps that the SSH service listens to the world on IPv6 while IPv4 is filtered. Another possibility is that Cisco assumes all of these switches sit behind NAT routers and are therefore unreachable over IPv4. One of the advantages (and disadvantages) of IPv6 is that there is no NAT, so every network device is reachable from the outside network, in the sense that a route exists. Firewalling is still possible, of course, and a NAT was never a substitute for one.

It’s staggering how many devices, even high end commercial ones, ship with unintentional yet effective backdoors just like this one.
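The check a fleet owner would want for this class of problem, as an added example (not code from the article or from Cisco): fingerprint every public key in each device’s authorized_keys and flag any key that more than one device accepts, or that matches a known-bad fingerprint. The host names and keys below are constructed sample data; the OpenSSH authorized_keys line format and the SHA256 fingerprint format are the only real things about them.

```python
import base64
import hashlib
from collections import defaultdict

# key-type tokens OpenSSH uses: ssh-rsa, ssh-ed25519, ecdsa-sha2-*, sk-* (FIDO)
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def ssh_fingerprint(authorized_keys_line: str) -> str:
    """OpenSSH-style 'SHA256:...' fingerprint of one authorized_keys line.

    Lines may carry leading options (e.g. 'from="10.0.0.1",no-pty ssh-ed25519 ...'),
    so scan for the key-type token instead of assuming it comes first.
    (Options containing spaces inside quotes are not handled by the simple split.)
    """
    tokens = authorized_keys_line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            blob = base64.b64decode(tokens[i + 1])
            digest = hashlib.sha256(blob).digest()
            # ssh-keygen -lf prints the base64 digest without '=' padding
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found in line")


def shared_keys(per_host_keys: dict, blocklist=frozenset()) -> dict:
    """Map each fingerprint that is accepted by more than one host, or that is on
    the blocklist of known-compromised keys, to the sorted hosts accepting it."""
    seen = defaultdict(set)
    for host, lines in per_host_keys.items():
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            seen[ssh_fingerprint(line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items()
            if len(hosts) > 1 or fp in blocklist}


# --- constructed sample data (not real keys, not Cisco's key) ---
def _fake_ed25519(seed: int) -> str:
    """Syntactically valid ssh-ed25519 public key blob built from a seed byte.
    A real key is 32 random bytes; this is deterministic filler in wire format."""
    body = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(body).decode()


VENDOR_KEY = _fake_ed25519(0x42) + " root@vendor-build"   # the key every unit shares

SAMPLE_FLEET = {
    "switch-a": [VENDOR_KEY, _fake_ed25519(1) + " admin@a"],
    "switch-b": [VENDOR_KEY, 'from="10.0.0.5" ' + _fake_ed25519(2) + " admin@b"],
    "switch-c": [VENDOR_KEY, "# comment line", ""],
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_FLEET).items():
        print(f"{fp} accepted on {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against real devices, feed `shared_keys` the contents of each box’s authorized_keys (and, for appliances, whatever the vendor’s equivalent is); any key that shows up on every unit with a vendor-looking comment deserves the same suspicion as this Cisco key.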

This Week in Security: Facebook Hacked your Email, Cyber on the Power Grid, and a Nasty Zero-day

Ah, Facebook. Only you could mess up email verification this badly, and still get a million people to hand over their email address passwords. Yes, you read that right, Facebook’s email verification scheme was to ask users for their email address and email account password. During the verification, Facebook automatically downloaded the account’s contact list, with no warning and no way to opt out.

The amount of terrible here is mind-boggling, but perhaps we need a new security rule of thumb for these kinds of situations: never give an online service the password to a different service. To make use of such a password, the receiving service has to handle it in plain text. It’s not certain how long Facebook stored these passwords, but Facebook also recently disclosed that it had been storing millions of Facebook and Instagram passwords in plain text internally.

This isn’t the first time Facebook has been called out for serious privacy shenanigans, either: In early 2018 it was revealed that the Facebook Android app had been uploading phone call records without informing users. Mark Zuckerberg has recently outlined his plan to give Facebook a new focus on privacy. Time will tell whether any real change will occur.

Cyber Can Mean Anything

Have you noticed that “cyber” has become a meaningless buzz-word, particularly when used by the usual suspects? The Department of Energy released a report that contained a vague but interesting sounding description of an event: “Cyber event that causes interruptions of electrical system operations.” This was noticed by news outlets, and people have been speculating ever since. What is frustrating about this is the wide range of meaning covered by the term “cyber event”. Was it an actual attack? Was Trinity shutting down the power stations, or did an intern trip over a power cord?

SNES Mode 7 Gets An HD Upgrade

Emulating SNES games hits us right in the nostalgic feels, but playing SNES games on a 1920×1080 monitor is a painful reminder of the limitations of SNES hardware. [DerKoun] felt the same consternation, and decided to do something about it. He realized that some SNES games have much higher resolution artwork than ever reaches the screen. The SNES had a revolutionary video mode, mode 7, that allowed a game to set a relatively high resolution background, and then rotate and scale that background during gameplay.

This pseudo-3D effect was amazing for its time, but taking a high resolution image and squashing it into a 256 by 224 pixel viewport makes for some painful artifacts. This is where [DerKoun]’s hack comes in. He wrote a modification to the bsnes emulator that performs those rotations and scalings at full output resolution, vastly improving the visuals of mode 7 games.
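To make the resolution argument concrete, an added example (not [DerKoun]’s code and not bsnes code): the mode 7 address calculation maps each screen coordinate through an affine matrix into the 1024×1024 texel background. Evaluating it only at integer screen pixels discards texels whenever the matrix zooms out; evaluating it at k sub-pixel steps per pixel, which is what an HD renderer does, recovers them. The float matrix below stands in for the SNES’s 8.8 fixed-point registers, and the centre and scanline values are chosen for the example.

```python
import math


def mode7_texel(sx, sy, a, b, c, d, x0, y0):
    """Screen coordinate -> texel in the 1024x1024 mode 7 background.
    [a b; c d] is the affine matrix and (x0, y0) the rotation/scaling centre;
    the SNES holds these as 8.8 fixed-point registers, floats stand in here.
    Coordinates wrap because the background is 128x128 tiles of 8 pixels."""
    dx, dy = sx - x0, sy - y0
    tx = int(math.floor(a * dx + b * dy)) + x0
    ty = int(math.floor(c * dx + d * dy)) + y0
    return tx & 1023, ty & 1023


def rotation_matrix(degrees, zoom):
    """Matrix that rotates the background by `degrees` and zooms out by `zoom`
    (zoom > 1 squeezes more texels into each screen pixel)."""
    r = math.radians(degrees)
    return (zoom * math.cos(r), -zoom * math.sin(r),
            zoom * math.sin(r), zoom * math.cos(r))


def texels_on_scanline(sy, matrix, x0, y0, width=256, upscale=1):
    """Distinct texels one scanline touches when the transform is evaluated at
    `upscale` sub-pixel positions per screen pixel (upscale=1 is the real hardware;
    an HD renderer uses the output ratio, e.g. 4 for a 1024-pixel-wide frame)."""
    a, b, c, d = matrix
    hits = set()
    for i in range(width * upscale):
        hits.add(mode7_texel(i / upscale, sy, a, b, c, d, x0, y0))
    return hits


def texel_coverage(zoom, degrees=0.0, upscale=1, width=256):
    """How many distinct texels a scanline samples, i.e. how much of the
    background's detail actually reaches the screen. Centre (128, 112) is the
    middle of the 256x224 viewport; scanline 112 is chosen for the example."""
    matrix = rotation_matrix(degrees, zoom)
    return len(texels_on_scanline(112, matrix, 128, 112, width, upscale))


if __name__ == "__main__":
    # zooming out 4x: a 1024-texel-wide strip of background shown in 256 pixels
    for k in (1, 2, 4):
        print(f"upscale {k}: {texel_coverage(4.0, upscale=k)} texels sampled per line")
```

The last assertion in the usage is the honest caveat: when the game is not zoomed out, the extra samples land on the same texels, so the HD renderer only recovers detail that the game actually put in the background.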

The latest teaser for what’s to come is shown above, mapping the mode 7 backgrounds onto a widescreen viewport, as well as HD.

Come back after the break for some mind-blowing SNES HD Pilotwings action!

Update: Development discussion has continued in a new thread. Start with the link above for the origin story and continue to the new dev thread for recent updates.

Hack my House: UL Certification and Turning the lights on with an ESP8266

It’s hard to imagine a smart house without smart lighting. Maybe it’s laziness, but the ability to turn a light on or off without walking over to the switch is a must-have, particularly once the lap is occupied by a sleeping infant. It’s tempting to just stuff a relay in the electrical boxes and control them with a Raspberry Pi or microcontroller GPIO. While tempting, get it wrong and you have a real fire hazard. A better option is one of the integrated WiFi switches. Sonoff is probably the most well known brand, producing a whole line of devices based on the ESP8266. These devices are powered from mains power and connect to your network via WiFi. One disadvantage of Sonoff devices is that, with the stock firmware, they only work when connected to Sonoff’s cloud.

Light switches locked in to a cloud provider are simply not acceptable. Enter Tasmota, which we’ve covered before. Tasmota is an open source firmware, designed specifically for Sonoff switches, but supporting a wide range of ESP8266 based devices. Tasmota doesn’t connect to any cloud providers unless you tell it to, and can be completely controlled from within a local network.

Certifications, Liability, and More

We’re well acquainted with some of the pitfalls of imported electronics, but one of the lesser known problems is the lack of certification. In the United States, there are several nationally recognized testing laboratories: Underwriters Laboratories (UL) and Intertek (ETL) are the most prominent. Many imported electronic devices, including Sonoff devices, do not have either of these certifications. The problem with this is liability, should the worst ever happen and an electrical fire break out. The Internet abounds with various opinions on the importance of the certification: a missing certification mark is somewhere between meaningless and a total hazard. The most common claim is that a house fire combined with non-certified equipment installed would result in an insurance company refusing to pay.

Rather than just repeat this surely sage advice from the Internet, I asked my insurance agent about uncertified equipment in the case of a fire. I discovered that insurance agencies avoid giving definite answers about claim payments. The response that came back was “it depends”: homeowner’s insurance covers events that are accidental and sudden. If a homeowner was aware that they were using uncertified equipment, then it could be categorized as “not an accident”. So far, the myth seems plausible. The final answer from the insurance agency: it’s possible that a non UL-certified device could result in denial of payment on a claim, but it depends on the policy and other details, so why take the risk? Certification marks make insurance companies happier.

I also talked to my city’s electrical inspector about the issue. He commented that non-certified equipment is a violation of electrical code when it is hard-wired into a house. He echoed the warning that an insurance company could refuse to pay, but added that in the case of injury, there could be even further liability issues. I’ve opted to use certified equipment in my house. You’ll have to make your own decision about what equipment you’re willing to use.

There are some devices on Amazon that claim to have certification, but searching the certification database leads me to believe that not all of those claims are valid. If in doubt, there is a searchable UL database, as well as a searchable Intertek database.

Shadowhammer, WPA3, and Alexa is Listening: This Week in Computer Security

Let’s get caught up on computer security news! The big news is Shadowhammer — the Asus Live Update Utility prompted users to download an update that lacked any description or changelog. People thought it was odd, but the update was properly signed by Asus, and antivirus scans reported it as safe.

Nearly a year later, Kaspersky Lab announced they had confirmed this strange update was indeed a supply chain attack — one that reaches a target by way of another vendor. Another recent example is the backdoor added to CCleaner, when an unknown actor compromised the build system for CCleaner and used that backdoor to target other companies who were using CCleaner. Interestingly, the backdoor in CCleaner has some similarities to the backdoor in the Asus updater. Combined with the knowledge that Asus was one of the companies targeted by this earlier breach, the researchers at Kaspersky Lab suggest that the CCleaner attack might have been the avenue by which Asus was compromised.

Shadowhammer sits quietly on the vast majority of machines it infects. It’s specifically targeted at a pool of about 600 machines, identified by their network card’s MAC address. We’ve not seen any reporting yet on who was on the target list, but Kaspersky is hosting a service to check whether your MAC is on the list.
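As an added illustration (not Kaspersky’s checker and not the malware’s code): a targeted implant of this kind carries a list of hashed MAC addresses and compares the local adapters against it, which is also all a lookup service needs to do. The hash and string format used below (hex MD5 of the upper-case, colon-separated MAC) are assumptions for the example, not taken from the reporting, and the target MACs are constructed. The last function makes the practitioner’s point: a hashed MAC hides little, because once the OUI is known only 24 bits remain to search.

```python
import hashlib
import re

_SEPARATORS = re.compile(r"[:\-.]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case 12-hex-digit form for the notations seen in the wild:
    aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, AABBCCDDEEFF."""
    raw = _SEPARATORS.sub("", mac.strip()).lower()
    if not _HEX12.match(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return raw


def mac_digest(mac: str) -> str:
    """Digest a MAC the way the target list is (assumed to be) built: hex MD5 of the
    upper-case, colon-separated text form. Only the shape of the check (hash the
    local MAC, look it up) comes from the reporting; the format and hash are this
    example's assumption and would be swapped for whatever the real list uses."""
    raw = normalize_mac(mac)
    text = ":".join(raw[i:i + 2] for i in range(0, 12, 2)).upper()
    return hashlib.md5(text.encode()).hexdigest()


def matches_target_list(local_macs, target_digests) -> list:
    """Local adapters whose digest appears in the list, in canonical form."""
    targets = {d.lower() for d in target_digests}
    return sorted({normalize_mac(m) for m in local_macs if mac_digest(m) in targets})


def brute_force_mac(digest: str, known_prefix: str):
    """Recover the MAC behind a digest from its leading bytes, e.g. the 3-byte OUI.
    With only the OUI known that is 2**24 digests, minutes in Python, so a hashed
    MAC list does not keep its targets secret from anyone who obtains it."""
    prefix = _SEPARATORS.sub("", known_prefix.strip()).lower()
    missing = 12 - len(prefix)
    wanted = digest.lower()
    for n in range(16 ** missing):
        candidate = prefix + format(n, f"0{missing}x")
        if mac_digest(candidate) == wanted:
            return candidate
    return None


# constructed sample target list: these MACs are made up for the example
SAMPLE_TARGET_MACS = ["00:1A:2B:3C:4D:5E", "F0-E1-D2-C3-B4-A5"]
SAMPLE_TARGET_LIST = {mac_digest(m) for m in SAMPLE_TARGET_MACS}

if __name__ == "__main__":
    local = ["00-1a-2b-3c-4d-5e", "aabb.ccdd.eeff"]   # constructed local adapters
    print("targeted adapters:", matches_target_list(local, SAMPLE_TARGET_LIST))
    print("recovered:", brute_force_mac(mac_digest("00:1A:2B:3C:4D:5E"), "00:1A:2B:3C"))
```

The normalisation step matters in practice: the implant reads the MAC from the OS in one notation, the target list was built from another, and a checker that compares raw strings will miss.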

While we’re still waiting for the full technical paper, researchers gave a nearly 30 minute presentation about Shadowhammer, embedded below the break along with news about Dragonblood, Amazon listening to your conversations, and the NSA delivering on Ghidra source code. See you after the jump!

What to Do When the Botnet Comes Knocking

“It was a cold and windy night, but the breeze of ill omen blowing across the ‘net was colder. The regular trickle of login attempts suddenly became a torrent of IP addresses, all trying to break into the back-end of the Joomla site I host. I poured another cup of joe, it was gonna be a long night.”

Tech noir aside, there was something odd going on. I get an email from that website each time there is a failed login. The occasional login attempt isn’t surprising, but this was multiple attempts per minute, all from different IP addresses. Looking at the logs, I got the feeling they were pulling usernames and passwords from one of the various database dumps, probably also randomly seeding information from the Whois record on my domain.
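What the log tells you, as an added example that is not part of the original post: a sliding window over failed logins that fires only when the attempts come from many distinct addresses, which is the signature of a botnet rather than one noisy host, and that reports which usernames are being tried so credential-stuffing and guessed names stand out. The record format and the addresses (documentation ranges) are constructed for the example; Joomla’s real log lines differ and the regex would need adjusting.

```python
import re
from collections import Counter, deque
from datetime import datetime, timezone

# constructed record format for the example; a real Joomla or web-server log
# needs its own regex with the same three named groups
LINE_RE = re.compile(r"^(?P<ts>\S+) FAILED_LOGIN user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line: str):
    """(timestamp, username, ip) for a failed-login record, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["ip"]


def detect_bursts(lines, window_s=60, min_failures=10, min_sources=5):
    """Sliding time window over failed logins. An alert opens when the window holds
    at least min_failures attempts from at least min_sources distinct IPs, keeps
    updating while that holds, and closes when either condition lapses, so one
    sustained burst yields one alert.
    A single noisy host never reaches min_sources: that is fail2ban territory.
    A distributed source set points at a botnet and needs a different response
    (per-account lockout, a WAF rule, an IP-reputation feed), because banning
    addresses one at a time cannot keep up."""
    window = deque()
    alerts = []
    open_alert = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # unparsable lines are skipped, not fatal
        ts = rec[0]
        window.append(rec)
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        sources = {r[2] for r in window}
        if len(window) >= min_failures and len(sources) >= min_sources:
            if open_alert is None:
                open_alert = {"start": window[0][0].isoformat()}
                alerts.append(open_alert)
            open_alert.update(
                end=ts.isoformat(),
                attempts=len(window),
                sources=len(sources),
                top_users=Counter(r[1] for r in window).most_common(3),
            )
        else:
            open_alert = None
    return alerts


# constructed sample log: a normal trickle from one host, then a distributed burst
SAMPLE_LOG = """\
2019-04-02T02:00:11Z FAILED_LOGIN user=admin ip=198.51.100.7
2019-04-02T02:31:40Z FAILED_LOGIN user=admin ip=198.51.100.7
2019-04-02T03:14:02Z FAILED_LOGIN user=admin ip=203.0.113.4
2019-04-02T03:14:05Z FAILED_LOGIN user=administrator ip=203.0.113.19
2019-04-02T03:14:09Z FAILED_LOGIN user=admin ip=198.51.100.23
2019-04-02T03:14:14Z FAILED_LOGIN user=jonathan ip=203.0.113.77
2019-04-02T03:14:18Z FAILED_LOGIN user=admin ip=192.0.2.8
2019-04-02T03:14:21Z FAILED_LOGIN user=joomla ip=203.0.113.4
2019-04-02T03:14:27Z FAILED_LOGIN user=admin ip=192.0.2.41
2019-04-02T03:14:33Z FAILED_LOGIN user=jonathan ip=198.51.100.99
2019-04-02T03:14:40Z FAILED_LOGIN user=admin ip=203.0.113.120
2019-04-02T03:14:46Z FAILED_LOGIN user=administrator ip=192.0.2.200
this line is not a login record
"""

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The `top_users` field is what suggests the dump-plus-Whois theory: default names like `admin` alongside a personal name that only appears in the domain registration.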


Spoiler, Use-After-Free, and Ghidra: This Week in Computer Security

The past few days have been busy if you’re trying to keep up with the pace of computer security news. Between a serious Chromium bug that’s actively being exploited on Windows 7 systems, the NSA releasing one of their tools as an open source project, and a new Spectre-like speculative execution flaw in Intel processors, there’s a lot to digest.