Roundup This week we had an NSA reverse-engineering toolkit released at the RSA Conference, a buffer bashed aboard British Airways, big trouble brewing for Citrix, plus much more.
Along the way, a few other things happened:
Alarms raised over IP cameras
A new Internet of Things botnet could be in the works, as security outfit GreyNoise says it has seen a major uptick in machines scanning the public internet for a specific debug port used by surveillance cameras. Presumably the boxes are looking for devices to hijack via this debugging interface:
GreyNoise has observed an ~875% spike in Internet-wide scan traffic on 9527/TCP, an undocumented debug interface for various models of IP camera. GreyNoise has also identified ~2,000 devices likely probing for vulnerable devices, starting four days ago. Tags available now.
— GreyNoise Intelligence (@GreyNoiseIO) March 8, 2019
If true, this would suggest a fresh attempt to infect net-connected cameras for use in an IoT botnet – like Mirai, the massive collection of infected IoT equipment that has menaced the internet in various forms for years.
If you do run an IP-enabled camera, you would be wise to check for and install any available firmware updates, or firewall off TCP port 9527 just to be on the safe side.
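The GreyNoise observation above is a spike in scan traffic against one port. As an added illustration (not from GreyNoise or The Register), the following script runs the same kind of check over your own firewall drop logs: it counts connection attempts to 9527/TCP per day, compares one day against a baseline of earlier days, and lists the distinct scanning sources. The log format and all addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log lines (not from any real device).
# Assumed format: "<date> <time> DROP <src_ip> -> <dst_ip>:<dst_port>/<proto>"
SAMPLE_LOG = """\
2019-03-04 10:00:01 DROP 203.0.113.5 -> 198.51.100.10:9527/TCP
2019-03-04 11:12:44 DROP 203.0.113.9 -> 198.51.100.10:9527/TCP
2019-03-05 09:30:12 DROP 203.0.113.5 -> 198.51.100.10:9527/TCP
2019-03-08 00:10:03 DROP 192.0.2.11 -> 198.51.100.10:9527/TCP
2019-03-08 00:10:05 DROP 192.0.2.12 -> 198.51.100.10:9527/TCP
2019-03-08 00:10:09 DROP 192.0.2.13 -> 198.51.100.10:9527/TCP
2019-03-08 00:11:20 DROP 192.0.2.14 -> 198.51.100.10:9527/TCP
2019-03-08 00:12:41 DROP 192.0.2.11 -> 198.51.100.10:9527/TCP
2019-03-08 00:13:02 DROP 192.0.2.15 -> 198.51.100.10:9527/TCP
2019-03-08 00:13:55 DROP 192.0.2.16 -> 198.51.100.10:9527/TCP
2019-03-08 01:00:00 DROP 192.0.2.17 -> 198.51.100.10:22/TCP
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ DROP (?P<src>\S+) -> \S+:(?P<port>\d+)/(?P<proto>\w+)$"
)


def hits_per_day(log_text, port=9527, proto="TCP"):
    """Count dropped connection attempts per day to port/proto, and collect distinct sources."""
    per_day = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["port"]) != port or m["proto"] != proto:
            continue
        per_day[m["date"]] += 1
        sources[m["date"]].add(m["src"])
    return per_day, sources


def spike_report(log_text, day, baseline_days, port=9527):
    """Percentage increase of `day` over the mean of `baseline_days`, plus sorted sources seen that day."""
    per_day, sources = hits_per_day(log_text, port)
    baseline = sum(per_day[d] for d in baseline_days) / len(baseline_days)
    today = per_day[day]
    pct = (today - baseline) / baseline * 100 if baseline else float("inf")
    return pct, sorted(sources[day])


if __name__ == "__main__":
    pct, srcs = spike_report(SAMPLE_LOG, "2019-03-08", ["2019-03-04", "2019-03-05", "2019-03-06"])
    print(f"9527/TCP hits up {pct:.0f}% vs baseline; {len(srcs)} distinct sources: {srcs}")
```

Days with no hits count as zero in the baseline, so a quiet week followed by a burst shows up as a large percentage; a baseline of zero is reported as infinite rather than raising a division error.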
FBI warns of SIM-swapping outbreak
Holding a substantial amount of crypto-currency? You may want to take a close look at your multi-factor authentication settings on your online accounts, particularly your email, and protections on your cellphone plan.
The FBI is warning of what it says is an uptick in SIM-swapping fraud incidents. Criminals call a target’s phone carrier’s customer support, and, through blagging and social engineering, request that their mark’s mobile phone number be switched to a SIM card in a device belonging to the crooks.
Should the transfer work, the thieves then attempt to reset the password on the victim’s email account, using the two-factor authentication code sent to the mark’s phone number, which is directed to the crim’s handset. From there, the miscreants can reset the password on the victim’s cloud-based crypto-coin wallets, and drain it of digital dosh.
Ideally, switch to physical hardware tokens to protect your accounts, or failing that to authenticator apps, and/or call your carrier and put SIM transfer protections on your plan.
“The FBI has seen an increase in the use of SIM swapping by criminals to steal digital currency using information found on social media,” said Special Agent John Bennett from the FBI San Francisco Division.
“This includes personally identifying information or details about the victim’s digital currency accounts.
“The FBI wants to help individuals make themselves harder targets and, if they are victimized, to quickly regain control of their accounts to mitigate any potential harm.”
In brief… If you’re wondering how some iOS jailbreakers and other infosec researchers crack certain parts of Apple’s iPhone security so fast when a new device comes out, it’s probably because they obtain prototypes of the hardware that have security measures disabled, allowing them to poke around the firmware for vulnerabilities…
Chelsea Manning was jailed on Friday for refusing to testify before a US grand jury probing WikiLeaks and its document dumps. The military whistleblower, or diplomatic cables leaker, depending on where you stand, will remain behind bars until she changes her mind, or the jury completes its investigation…
Finally, vulnerability hunter Victor Gevers detailed 18 MongoDB databases he found facing the public internet that appear to be part of China’s social-media-monitoring system that’s not terribly unlike the NSA’s PRISM program, processing 364 million online profiles and their chats and file transfers daily.
Security MadLibs! Hackers can steal your medical records by exploiting your ultrasound scan
Thanks to the terrible state of IT security in various medical facilities, here’s yet another example of patient records being put at risk by obsolete devices.
Researchers at Check Point stumbled upon an ultrasound machine that could be compromised to steal patient medical data. See the vid below for more…
In this case, Check Point says, the ultrasound machines use Windows 2000, an OS that is so outdated as to be trivial for an attacker who has infiltrated a hospital IT network to crack open. As the bug-hunters note, this is not just a privacy risk for the patients, but also a legal liability for the hospitals, who could be on the hook for heavy fines and lawsuits should they allow patient records to fall into the wrong hands.
Reportedly, the unnamed young woman linked to the script on a message board, causing anyone who followed the link to see an alert dialog box that, on some browsers, automatically respawned itself every time the user clicked the “OK” button.
Hardly the Stuxnet worm, but apparently it was serious enough for the police in Kariya to charge the teen with distributing malicious computer code.
IBM says hospitality kiosks are being lousy hosts when it comes to security
Researchers with IBM are warning that some of the automatic desktop reception systems used to process building guests are rife with bugs.
Big Blue’s Red Team found that a number of popular visitor management systems (things like automated guest registration for offices) contain some basic security holes: default admin credentials, enabled breakout keys that open the Windows desktop, and data leakage bugs that would expose employee information.
This, says IBM, is particularly bad because these systems are, by design, left open to world + dog.
“Considering that these systems are intentionally physically exposed to outsiders and have a role in the security of an organization, they should be developed with security in mind throughout the product life cycle and should include physically present attackers in their threat model,” IBM says.
“However, our team has identified vulnerabilities in a number of visitor management system products that could prevent them from achieving that goal.”
Kittens and puppies put the “Awww!” in RSA Conference
Let’s face it, RSA Conference isn’t always a lot of fun. It’s crowded, the bathroom lines are long, the marketing bullshit is often turned up to 11, and this year the weather in its host city San Francisco was awful.
If you were lucky enough to wander over to one particular corner of the show, however, there were two booths that were sure to make your day a bit better, thanks to some furry friends in search of a home.
Two companies opted to supplement the usual crew of bored execs and chipper marketing folks with some shelter pets, or floof babes as we like to call them.
Tinfoil Security, a company specializing in security and vulnerability scanning tools for developer APIs, teamed up with the Humane Society of Silicon Valley to let convention-goers meet Grace and Hopper, a pair of foster-kittens picked because their easy-going and friendly nature left them unfazed by the hustle and bustle of the show floor.
Hopper, reflecting the mood of every RSA attendee by day 3
ThreatQuotient, a vulnerability management and intelligence platform, meanwhile brought in a handful of puppies from Finding a Best Friend Rescue to brighten everyone’s day. Those willing to use hand sanitizer and disinfecting spray were even able to get some quality snuggle time with the junior doggos.
Cuddles with Bruce the pup: better than any booth swag
Playing with puppies and kittens was a nice respite from the expo floor and a great way for two of the smaller companies at RSA Conference to make themselves stand out, but more importantly, the two booths served as a reminder that there are many great cats and dogs looking for a home.
Hopefully a few attendees upon returning home will consider going over to their local shelter or rescue group and taking in a furry friend of their own. ®