cybersecurity

28 Articles

Shut The Backdoor! More IoT Cybersecurity Problems

March 22, 2017 by 30 Comments

We all know that what we mean by hacker around here and what the world at large thinks of as a hacker are often two different things. But as our systems get more and more connected to each other and the public Internet, you can’t afford to ignore the other hackers — the black-hats and the criminals. Even if you think your data isn’t valuable, sometimes your computing resources are, as evidenced by the recent attack launched from unprotected cameras connected to the Internet.

As [Elliot Williams] reported earlier, Trustwave (a cybersecurity company) recently announced they had found a backdoor in some Chinese voice over IP gateways. Apparently, they left themselves an undocumented root password on the device and — to make things worse — they use a proprietary challenge/response system for passwords that is insufficiently secure. Our point isn’t really about this particular device, but if you are interested in the details of the algorithm, there is a tool on GitHub, created by [JacobMisirian] using the Trustwave data. Our interest is in the practice of leaving intentional backdoors in products. A backdoor like this — once discovered — could be used by anyone else, not just the company that put it there.

Continue reading “Shut The Backdoor! More IoT Cybersecurity Problems”

Better Linux Through Coloring

March 7, 2017 by 6 Comments

Cyber security is on everyone’s minds these days. Embedded devices like cameras have been used by bad guys to launch attacks on the Internet. People worry about data leaking from voice command devices or home automation systems. And this goes for the roll-your-own systems we build and deploy.

Many network-aware systems use Linux somewhere — one big example is pretty much every Raspberry Pi based project. How much do you think about security when you deploy a Pi? There is a superior security system available for Linux (including most versions you’d use on the Pi) called SELinux. The added letters on the front are for “Security-Enhanced” and this project was originally started by the NSA and RedHat. RedHat actually has — no kidding — a coloring book that helps explain some of the basic concepts.

We aren’t so sure the coloring book format is really the right approach here, but it is a light and informative read (we didn’t stay in the lines very well, though). Our one complaint is that it doesn’t really show you anything in practice, it just explains the ideas behind the different kind of protections available in SELinux. If you want to actually set it up on Pi, there’s a page on the Pi site that will help. If you have an hour, you can get a good overview of using SELinux in the video below.

Continue reading “Better Linux Through Coloring”

Do You Trust Your Hard Drive Indication Light?

February 25, 2017 by 48 Comments

Researchers in the past have exfiltrated information through air gaps by blinking all sorts of lights from LEDs in keyboards to the main display itself. However, all of these methods all have one problem in common: they are extremely noticeable. If you worked in a high-security lab and your computer screen started to blink at a rapid pace, you might be a little concerned. But fret not, a group of researchers has found a new light to blink (PDF warning). Conveniently, this light blinks “randomly” even without the help of a virus: it’s the hard drive activity indication light.

All jokes aside, this is a massive improvement over previous methods in more ways than one. Since the hard drive light can be activated without kernel access, this exploit can be enacted without root access. Moreover, the group’s experiments show that “sensitive data can be successfully leaked from air-gapped computers via the HDD LED at a maximum bit rate of 4000 bit/s (bits per second), depending on the type of receiver and its distance from the transmitter.” Notably, this speed is “10 times faster than the existing optical covert channels for air-gapped computers.”

We weren’t born last night, and this is not the first time we’ve seen information transmission over air gaps. From cooling fans to practical uses, we’ve seen air gaps overcome. However, there are also plenty of “air gaps” that contain more copper than air, and require correspondingly less effort.

Continue reading “Do You Trust Your Hard Drive Indication Light?”

Hacking A Device That Lives Inside The Matrix

December 5, 2016 by 15 Comments

[Gerardo Iglesias Galván] decided he wanted to try his hand at bug-bounty hunting — where companies offer to pay hackers for finding vulnerabilities. Usually, this involves getting a device or accessing a device on the network, attacking it as a black box, and finding a way in. [Gerrado] realized that some vendors now supply virtual images of their appliances for testing, so instead of attacking a device on the network, he put the software in a virtual machine and attempted to gain access to the device. Understanding the steps he took can help you shore up your defenses against criminals, who might be after more than just a manufacturer’s debugging bounty.

Continue reading “Hacking A Device That Lives Inside The Matrix”

Lock Up Your Raspberry Pi With Google Authenticator

September 30, 2016 by 14 Comments

Raspberry Pi boards (or any of the many similar boards) are handy to leave at odd places to talk to the network and collect data, control things, or do whatever other tasks you need a tiny fanless computer to do. Of course, any time you have a computer on a network, you are inviting hackers (and not our kind of hackers) to break in.

We recently looked at how to tunnel ssh using a reverse proxy via Pagekite so you can connect to a Pi even through firewalls and at dynamic IP addresses. How do you stop a bad guy from trying to log in repeatedly until they have access? This can work on any Linux machine, but for this tutorial I’ll use Raspberry Pi as the example device. In all cases, knowing how to set up adequate ssh security is paramount for anything you drop onto a network.

Continue reading “Lock Up Your Raspberry Pi With Google Authenticator”

Bridging The Air Gap; Data Transfer Via Fan Noise

July 1, 2016 by 45 Comments

When you want to protect a computer connected to the Internet against attackers, you usually put it behind a firewall. The firewall controls access to the protected computer. However, you can defeat any lock and there are ways a dedicated attacker can compromise a firewall. Really critical data is often placed on a computer that is “air gapped.” That is, the computer isn’t connected at all to an insecure network.

An air gap turns a network security problem into a physical security problem. Even if you can infect the target system and collect data, you don’t have an easy way to get the data out of the secure facility unless you are physically present and doing something obvious (like reading from the screen into a phone). Right? Maybe not.

Researchers in Isreal have been devising various ways to transmit data from air walled computers. Their latest approach? Transmit data via changing the speed of cooling fans in the target computer. Software running on a cellphone (or other computer, obviously) can decode the data and exfiltrate it. You can see a video on the process below.

Continue reading “Bridging The Air Gap; Data Transfer Via Fan Noise”

Apple Aftermath: Senate Entertains A New Encryption Bill

April 11, 2016 by 62 Comments

If you recall, there was a recent standoff between Apple and the U. S. Government regarding unlocking an iPhone. Senators Richard Burr and Dianne Feinstein have a “discussion draft” of a bill that appears to require companies to allow the government to court order decryption.

Here at Hackaday, we aren’t lawyers, so maybe we aren’t the best source of legislative commentary. However, on the face of it, this seems a bit overreaching. The first part of the proposed bill is simple enough: any “covered entity” that receives a court order for information must provide it in intelligible form or provide the technical assistance necessary to get the information in intelligible form. The problem, of course, is what if you can’t? A covered entity, by the way, is anyone from a manufacturer, to a software developer, a communications service, or a provider of remote computing or storage.

There are dozens of services (backup comes to mind) where only you have the decryption keys and there is nothing reasonable the provider can do to get your data if you lose your keys. That’s actually a selling point for their service. You might not be anxious to backup your hard drive if you knew the vendor could browse your data when they wanted to do so.

The proposed bill has some other issues, too. One section states that nothing in the document is meant to require or prohibit a specific design or operating system. However, another clause requires that covered entities provide products and services that are capable of complying with the rule.

A broad reading of this is troubling. If this were law, entire systems that don’t allow the provider or vendor to decrypt your data could be illegal in the U. S. Whole classes of cybersecurity techniques could become illegal, too. For example, many cryptography systems use the property of forward secrecy by generating unrecorded session keys. For example, consider an SSH session. If someone learns your SSH key, they can listen in or interfere with your SSH sessions. However, they can’t take recordings of your previous sessions and decode them. The mechanism is a little different between SSHv1 (which you shouldn’t be using) and SSHv2. If you are interested in the gory details for SSHv2, have a look at section 9.3.7 of RFC 4251.

In all fairness, this isn’t a bill yet. It is a draft and given some of the definitions in section 4, perhaps they plan to expand it so that it makes more sense, or – at least – is more practical. If not, then it seems to be an indication that we need legislators that understand our increasingly technical world and have some understanding of how the new economy works. After all, we’ve seen this before, right? Many countries are all too happy to enact and enforce tight banking privacy laws to encourage deposits from people who want to hide their money. What makes you think that if the U. S. weakens the ability of domestic companies to make data private, that the business of concealing data won’t just move offshore, too?

If you were living under a rock and missed the whole Apple and FBI controversy, [Elliot] can catch you up. Or, you can see what [Brian] thought about Apple’s response to the FBI’s demand.