This Week In Security: Ubiquity Update, PHP Backdoor, And Netmask

April 2, 2021 by Jonathan Bennett 11 Comments

Back in January, we covered the news that Ubiquiti had a breach of undisclosed severity. One reader pointed out the compromise of a handful of devices as potentially related. With no similar reports out there, I didn’t think too much of it at the time. Now, however, a whistleblower from Ubiquiti has given Krebs the juicy details.

The “third party cloud provider” the original disclosure referred to was Amazon Web Services (AWS). According to the whistleblower, just about everything was accessible, including the keys to log in to any Ubiquiti device on the internet, so long as it was cloud enabled. The attackers installed a couple of backdoors in Ubiquiti’s infrastructure, and sent a 50 bitcoin blackmail threat. To their credit, Ubiquiti ignored the blackmail and cleaned up the mess.

To the claim that there was no evidence attackers had accessed user accounts, it seems that the database in question simply has no logging enabled. There was no evidence, because nothing was watching. So far, I’ve only seen the one report of device compromise that was potentially a result of the attack. If you had a Ubiquiti device go rogue around December 2020 – January 2021, be sure to let us know. Continue reading “This Week In Security: Ubiquity Update, PHP Backdoor, And Netmask” →

This Week In Security: XcodeSpy, Insecure SMS, And Partial Redactions

March 26, 2021 by Jonathan Bennett 25 Comments

There seems to be a new trend in malware, targeting developers and their development and build processes. The appeal is obvious: rather than working to build and market a malicious application, an attacker just needs to infect a development machine. The hapless infected developers can now do the hard work to spread the malicious payload.

The newest example is XcodeSpy, discovered by a researcher who chose to remain anonymous. It works by using the Xcode IDE’s Run Script function to, well, run a script that completely backdoors your computer. The instance was found in a repackaged open source project, TabBarInteraction, but they’re just innocent victims. It was simple enough for someone to insert a script in the build process, and distribute the new, doped package. It’s probably not the only one out there, so watch out for Run Scripts with obfuscated payloads.

Continue reading “This Week In Security: XcodeSpy, Insecure SMS, And Partial Redactions” →

To Kill A Blockchain, Add Naughty Stuff To It?

March 25, 2021 by Jenny List 65 Comments

Even if not all of us are blockchain savants, we mostly have a pretty good idea of how they function as a distributed database whose integrity is maintained by an unbroken chain of conputational hashes. For cyryptocurrencies a blockchain ledger stores transaction records, but there is no reason why the same ledger can not contain almost any other form of digital content. [Bruce Schneier] writes on the potential consequences of content that is illegal or censored being written to a blockchain, and about how it might eventually form a fatal weakness for popular cryptocurrencies.

It’s prompted by the news that some botnet operators have been spotted using the Bitcoin ledger to embed command and control messages to hide the address of their control server. There have already been cases of illegal pornography being placed within blockchain ledgers, as well as leaked government data.

[Schneier] uses these two content cases to pose the question as to whether this might prove to be a vulnerability for the whole system. If a government such as China objects to a block containing censored material or a notoriously litigious commercial entity such as Disney objects to a piece of copyrighted content, they could take steps to suppress copies of the blockchain that contain those blocks. Being forced by hostile governments or litigious corporations to in effect remove a block from the chain by returning to the previous block would fork the blockchain, and as multiple forks would inevitably be made in this way it would become a threat to the whole. It’s an interesting possible scenario, and one that should certainly be ready by anyone with an interest in blockchain technologies.

Only a few weeks ago we looked at another threat to blockchain technologies – that they might be legislated out of existence by environmental rules.

This Week In Security: Spectre In The Browser, Be Careful What You Clone, And Hackintosh

March 19, 2021 by Jonathan Bennett 12 Comments

Google has been working on mitigations for the Spectre attack, and has made available a Proof of Concept that you can run in your browser right now. Spectre is one of the issues that kicked off the entire series of speculative execution vulnerabilities and fixes. What Google has demonstrated is that the Spectre attack can actually be pulled off in Javascript, right in the browser. Spectre is limited to reading memory allocated to the same process, and modern browsers have implemented measures like site isolation, which puts each site in a separate, sandboxed process.

These security features don’t mean that there is no practical dangers from Spectre. There are a handful of ways an attacker can run Javascript on another site, from something as simple as an interactive advertisement, to a cross-site scripting injection. Google has produced features and guidance to mitigate those dangers.

Via Bleeping Computer. Continue reading “This Week In Security: Spectre In The Browser, Be Careful What You Clone, And Hackintosh” →

Injecting Bugs With An Electric Flyswatter

March 15, 2021 by Stephen Ogier 9 Comments

Hardware fault injection uses electrical manipulation of a digital circuit to intentionally introduce errors, which can be used to cause processors to behave in unpredictable ways. This unintentional behavior can be used to test for reliability, or it can be used for more nefarious purposes such as accessing code and data that was intended to be inaccessible. There are a few ways to accomplish this, and electromagnetic fault injection uses a localized electromagnetic pulse to flip bits inside a processor. The pulse induces a voltage in the processor’s circuits, causing bits to flip and often leading to unintentional behavior. The hardware to do this is very specialized, but [Pedro Javier] managed to hack a $4 electric flyswatter into an electromagnetic fault injection tool. (Page may be dead, try the Internet Archive version.)

[Pedro] accomplishes this by turning an electric flyswatter into a spark-gap triggered EMP generator. He removes the business end of the flyswatter and replaces it with a hand-wound inductor in series with a small spark gap. Pressing the power button on the modified flyswatter charges up the output capacitor until the developed voltage is enough to ionize the air in the spark gap, at which point the capacitor discharges through the inductor. The size of the spark gap determines the charge that is built up—a larger gap results in a larger charge, which produces a larger pulse, which induces a larger voltage in the chip.

[Pedro] demonstrates how this can be used to produce arithmetic glitches and even induce an Arduino to dump its memory. Others have used electromagnetic fault injection to corrupt SRAM, and intentionally glitching the power supply pins can also be used to access otherwise protected data.

An Anti-Tamper Mesh Plugin For KiCad

March 14, 2021 by Mike Szczys 31 Comments

Physical access to electronics generally means all bets are off when it comes to information security. But in special cases this is just unacceptable and a better solution must be found. Consider the encryption keys used by point of sale machines. To protect them, the devices incorporate anti-tamper mechanisms that will wipe the keys from memory if the device is opened. One such technique is to use a mesh of traces on a circuit board that are monitored for any changes in resistance or capacitance. [Sebastian Götte] has been researching in this area and wrote a KiCad plugin to automatically generate tamper-detection mesh.

The idea is pretty simple, place traces very close to one another and it makes it impossible to drill into the case of a device without upsetting the apple cart. There are other uses as well, such as embedding them in adhesives that destroy the traces when pried apart. For [Sebastian’s] experiments he’s sticking with PCBs because of the ease of manufacture. His plugin lays down a footprint that has four pads to begin and end two loops in the mesh. The plugin looks for an outline to fence in the area, then uses a space filling curve to generate the path. This proof of concept works, but it sounds like there are some quirks that can crash KiCad. Consider taking a look at the code if you have the expertise to help make it more stable.

We’ve seen these anti-tamper meshes in practice in the VeriFone payment terminal that [Tom Nardi] tore down a couple of years ago. The approach that [Sabastian] took with the plugin actually produces a more complex mesh than was in use there as it only really used vertical lines for the traces.

This Week In Security: APT Targeting Researchers, And Someone Watching All The Cameras

March 12, 2021 by Jonathan Bennett 16 Comments

Microsoft’s Patch Tuesday just passed, and it’s a humdinger. To add the cherry on top, two seperate BSOD inducing issues led to Microsoft temporarily pulling the update.

Among the security vulnerabilities fixed is CVE-2021-26897, another remote code exploit in the Windows DNS server. It’s considered a low-complexity attack, but does require local network access to pull off. CVE-2021-26867 is another of the patched vulnerabilities that sounds very serious, allowing an attacker on a Hyper-V virtual machine to pierce the barrier and run code on the hypervisor. The catch here is that the vulnerability is only present when using the Plan 9 filesystem, which surely limits the scope of the problem to a small handful of machines.

The most interesting fixed flaw was CVE-2021-26411 a vulnerability that allowed remote code execution when loading a malicious web page in either IE or pre-chromium Edge. That flaw was actively being exploited in a unique APT campaign, which we’ll cover right after the break.

Continue reading “This Week In Security: APT Targeting Researchers, And Someone Watching All The Cameras” →