This Week In Security: Ubiquiti, Nissan, Zyxel, And Dovecot

You may have been one of the many of us who received an email from Ubiquiti this week, recommending a password change. The email stated that there was an unauthorized access of Ubiquiti systems, and while there wasn’t evidence of user data being accessed, there was also not enough evidence to say emphatically that user data was not accessed. Ubiquiti has mentioned that the database that may have been accessed contains a user’s name, email address, hashed password, and optionally the mailing address and phone number.

Depending on how the Ubiquiti authentication system is designed, that hashed password may be enough to log in to someone’s account. In any case, updating your password would invalidate the potentially compromised hash. This event underscores a complaint voiced by Ubiquiti users: Ubiquiti has been making it difficult to administrate hardware without a cloud-enabled account. Continue reading “This Week In Security: Ubiquiti, Nissan, Zyxel, And Dovecot”

This Week In Security: Android Bluetooth RCE, Windows VMs, And HTTPS Everywhere

Android has released it’s monthly round of security updates, and there is one patched bug in particular that’s very serious: CVE-2021-0316. Few further details are available, but a bit of sleuthing finds the code change that fixes this bug.

Fix potential OOB write in libbluetooth
Check event id if of register notification command from remote to avoid OOB write.

It’s another Bluetooth issue, quite reminiscent of BleedingTooth on Linux. In fact, in researching this bug, I realized that Google never released their promised deep-dive into Bleedingtooth. Why? This would usually mean that not all the fixes have been rolled out, or that a significant number of installations are unpatched. Either way, the details are withheld until the ramifications of releasing them are minimal. This similar Bluetooth bug in Android *might* be why the BleedingTooth details haven’t yet been released. Regardless, there are some serious vulnerabilities patched this in this Android update, so make sure to watch for the eventual rollout for your device. Continue reading “This Week In Security: Android Bluetooth RCE, Windows VMs, And HTTPS Everywhere”

This Week In Security: Deeper Dive Into SolarWinds, Bouncy Castle, And Docker Images

Merry Christmas and happy holidays! I took Christmas day off from writing the security roundup, coming in a day early with this week’s installment, dodging New year’s day. The SolarWinds story has continued to dominate the news, so lets dive into it a bit deeper.

Microsoft has published their analysis of Solorigate, and the details are interesting. The added code was carefully written to blend in with the rest of the code, using the name OrionImprovementBusinessLayer.Initialize, which sounds like a perfectly boring-yet-legitimate function. The actual backdoor is obfuscated using zip compression and base64 encoding.

Once this bootstrap code begins, it runs a series of checks before actually doing anything malicious. It waits 2 weeks after installation to do anything, and then checks the system domain name for any indication it’s running in a test environment. It then checks for certain security applications, like Wireshark, and refuses to run if they are detected. This series of checks all seem to be an effort to avoid detection, and to only run in a deployed environment. Even the Command and Control URL that the backdoor uses is constructed to appear benign. Beyond this, it seems that the malware simply waited for instructions, and didn’t take any automated actions. All the attacks were performed manually.

Continue reading “This Week In Security: Deeper Dive Into SolarWinds, Bouncy Castle, And Docker Images”

Netscape Communicator And SHA-1 Written Into Brexit Agreement

We pity the civil servants involved in the negotiations between the European Union and the United Kingdom, because after tense meetings until almost the Eleventh Hour, they’ve had to cobble together the text of a post-Brexit trade agreement in next-to-no time. In the usual manner of such international agreements both sides are claiming some kind of victory over fish, but the really interesting parts of the document lie in the small print. In particular it was left to eagle-eyed security researchers to spot that Netscape Communicator 4, SHA-1, and RSA encryption with a 1024-bit key length are recommended to secure the transfer of DNA data between states. The paragraphs in question can be found on page 932 of the 1256-page agreement.

It’s likely that some readers under 30 years old will never have used a Netscape product even though they will be familiar with Firefox, the descendant Mozilla software. Netscape were a pioneer of early web browsers, and  Communicator 4 was the company’s all-in-one browser and email offering from the late 1990s. It and its successors steadily lost ground against Microsoft’s Internet Explorer, and ultimately faded away along with the company under AOL ownership in the late 2000s. Meanwhile the SHA-1 hashing algorithm has been demonstrated to be vulnerable to collision attacks, and computing power has advanced such that 1024-bit RSA encryption can be broken in a sensible time frame by anyone with sufficient GPU power to give it a try. It’s clear that something is amiss in the drafting of this treaty, and we’d go so far as to venture the opinion that a tired civil servant simply cut-and-pasted from a late-1990s security document.

So will the lawmakers of Europe now have to dig for ancient software as mandated by treaty? We hope not, as from our reading they are given as examples rather than as directives. We worry however that their agencies might turn out to be as clueless on digital security as evidently the civil servants are, so maybe Verizon Communications, current owners of the Netscape brand, could be in for a few support calls.

Better Security, Harry Potter Style

We all know we shouldn’t use 1234 as our password. But we often don’t do the absolute best practice when it comes to passwords. After all, you should have some obscure strange password that is unique for every site. But we all have lots of passwords, so most of us use $pock2020 or something like that. If you know I’m a Star Trek fan, that wouldn’t be super hard to guess. [Phani] writes about a technique called Horcruxing — a term taken from the literary realm of Harry Potter that allowed Voldemort to preserve life by splitting it into multiple parts, all of which were required to bring an end to his villany. [Phani’s] process promises to offer better security than using a single password, without the problems associated with having hundreds of random passwords.

Most people these days use some form of password manager. That’s great because the manager can create 48 character passwords of random words or symbols and even you don’t know the password. Of course, you do know the master password or, at least, you better. So if anyone ever compromised that password, they’d have all your passwords at their fingers. Horcruxing makes sure that the password manager doesn’t know the entire password, just the hard parts of it.

Continue reading “Better Security, Harry Potter Style”

This Week In Security: SolarWinds And FireEye, WordPress DDoS, And Enhance!

The big story this week is Solarwinds. This IT management company supplies network monitoring and other security equipment, and it seems that malicious code was included in a product update as early as last spring. Their equipment is present in a multitude of high-profile networks, like Fireeye, many branches of the US government, and pretty much any other large company you can think of. To say that this supply chain attack is a big deal is an understatement. The blame has initially been placed on APT42, AKA, the Russian hacking pros.

The attack hasn’t been without some positive effects, as Fireeye has released some of their internal tooling as open source as a result. Microsoft has led the official response to the attack, managing to win control of the C&C domain in court, and black-holing it.

The last wrinkle to this story is the interesting timing of the sale of some Solarwinds stock by a pair of investment firms. If those firms were aware of the breech, and sold their shares before the news was made public, this would be a classic case of illegal insider trading. Continue reading “This Week In Security: SolarWinds And FireEye, WordPress DDoS, And Enhance!”

Remoticon Video: Breaking Encrypted Firmware Workshop

If only you could get your hands on the code to fix the broken features on your beloved electronic widget. But wait, hardware hackers have the skills to write their own firmware… as long as we can get the compiled binary into a format the hardware needs.

Luckily, we have Uri Shaked to walk us through that process. This workshop from the 2020 Hackaday Remoticon demonstrates how to decipher the encryption scheme used on the firmware binary of a 3D printer. Along the way, we learn about the tools and techniques that are useful for many encrypted binary deciphering adventures.

Continue reading “Remoticon Video: Breaking Encrypted Firmware Workshop”