Technology

TWiT 716: A Very Attractive Container of Nope

This week in tech - Sun, 04/28/2019 - 17:42

Top Stories This Week

  • Galaxy Fold Recalled After Screen Failures
  • Inside the Fake World of Influencers
  • Apple vs Apps vs iPhone Addiction
  • Growing Up Online: The Always-Connected Generation
  • Don't Forget to Cancel Apple News+!
  • Amazon Prime to Offer One-Day Delivery
  • Amazon Invests in Electric Vehicles
  • Amazon Doubles its Profits
  • Microsoft hits $1 Trillion
  • Which Tech Company has the Best Reputation?
  • Facebook Stole Your Email Contacts, Ready for Massive Fines
  • Hertz Sues Accenture for Terrible, Horrible Website
  • Netflix Wins Right to be in the Oscars
  • AI Writes the Best Country Song About Doors Ever
  • $16K Laundry Folding Robot Goes Bankrupt
  • Podcasts vs Luminary
  • Thanos Easter Egg Snaps Your Google Search

Host: Leo Laporte

Guests: Fr. Robert Ballecer, SJ, Paris Martineau, and Mikah Sargent

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Sponsors:

Categories: Podcasts, Technology

P2P Weakness Exposes Millions of IoT Devices

Krebs on Security - Fri, 04/26/2019 - 07:17

A peer-to-peer (P2P) communications technology built into millions of security cameras and other consumer electronics includes several critical security flaws that expose the devices to eavesdropping, credential theft and remote compromise, new research has found.

A map showing the distribution of some 2 million iLinkP2P-enabled devices that are vulnerable to eavesdropping, password theft and possibly remote compromise, according to new research.

The security flaws involve iLnkP2P, software developed by China-based Shenzhen Yunni Technology. iLnkP2p is bundled with millions of Internet of Things (IoT) devices, including security cameras and Webcams, baby monitors, smart doorbells, and digital video recorders.

iLnkP2P is designed to allow users of these devices to quickly and easily access them remotely from anywhere in the world, without having to tinker with one’s firewall: Users simply download a mobile app, scan a barcode or enter the six-digit ID stamped onto the bottom of the device, and the P2P software handles the rest.

A Webcam made by HiChip that includes the iLnkP2P software.

But according to an in-depth analysis shared with KrebsOnSecurity by security researcher Paul Marrapese, iLnkP2P devices offer no authentication or encryption and can be easily enumerated, allowing potential attackers to establish a direct connection to these devices while bypassing any firewall restrictions.

Marrapese said a proof-of-concept script he built identified more than two million vulnerable devices around the globe (see map above). He found that 39 percent of the vulnerable IoT things were in China; another 19 percent are located in Europe; seven percent of them are in use in the United States.

Although it may seem impossible to enumerate more than a million devices with just a six-digit ID, Marrapese notes that each ID begins with a unique alphabetic prefix that identifies which manufacturer produced the device, and there are dozens of companies that white-label the iLnkP2P software.

For example, HiChip — a Chinese IoT vendor that Marrapese said accounts for nearly half of the vulnerable devices — uses the prefixes FFFF, GGGG, HHHH, IIII, MMMM, ZZZZ.

These prefixes identify different product lines and vendors that use iLnkP2P. If the code stamped on your IoT device begins with one of these, it is vulnerable.

“In theory, this allows them to support nearly 6 million devices for these prefixes alone,” Marrapese said. “In reality, enumeration of these prefixes has shown that the number of online devices was ~1,517,260 in March 2019. By enumerating all of the other vendor prefixes, that pushes the number toward 2 million.”

Marrapese said he also built a proof-of-concept attack that can steal passwords from devices by abusing their built-in “heartbeat” feature. Upon being connected to a network, iLnkP2P devices will regularly send a heartbeat or “here I am” message to their preconfigured P2P servers and await further instructions.

“A P2P server will direct connection requests to the origin of the most recently-received heartbeat message,” Marrapese said. “Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device.”

To make matters worse, even if an attacker doesn’t want to bother intercepting device passwords, a great many of them will be running in their factory-default state with the factory-default password. The IoT malware Mirai proved this conclusively, as it rapidly spread to millions of devices using nothing more than the default credentials for IoT devices made by dozens of manufacturers.

What’s more, as we saw with Mirai the firmware and software built into these IoT devices is often based on computer code that is many years old and replete with security vulnerabilities, meaning that anyone able to communicate directly with them is also likely to be able to remotely compromise them with malicious software.

Marrapese said despite attempts to notify China’s CERT, iLnk and a half dozen major vendors whose products make up the bulk of the affected devices, none of them have responded to his reports — even though he first started reaching out to them more than four months ago. Neither HiChip nor iLnk responded to requests for comment sent by KrebsOnSecurity.

Interestingly, iLnk’s Web site (p1.i-lnk[.]com) currently appears to be non-functional, and a review of its HTML source code indicates the site is currently compromised by an obfuscated script that tries to redirect visitors to a Chinese gaming Web site.

Despite the widespread impact of these vulnerabilities, Marrapese’s research suggests that remediation from vendors is unlikely – and in fact, infeasible.

“The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons,” Marrapese wrote. “Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process. Furthermore, even if software patches were issued, the likelihood of most users updating their device firmware is low. Physical device recalls are unlikely as well because of considerable logistical challenges. Shenzhen Yunni Technology is an upstream vendor with inestimable sub-vendors due to the practice of white-labeling and reselling.”

Marrapese said there is no practical way to turn off the P2P functionality on the affected devices. Many IoT devices can punch holes in firewalls using a feature built into hardware-based routers called Universal Plug and Play (UPnP). But simply turning off UPnP on one’s router won’t prevent the devices from establishing a P2P connection as they rely on a different communications technique called “UDP hole punching.”

Marrapese said it should be possible to block vulnerable devices from communicating with any P2P servers by setting up firewall rules that block traffic destined for UDP port 32100.

However, a much safer idea would be to simply avoid purchasing or using IoT devices that advertise any P2P capabilities. Previous research has unearthed similar vulnerabilities in the P2P functionality built into other IoT systems. For examples of this, see This is Why People Fear the Internet of Things, and Researchers Find Fresh Fodder for IoT Attack Cannons.

Marrapese documented his findings in more detail here. The enumeration vulnerability has been assigned CVE-2019-11219, and the man-in-the-middle vulnerability has been assigned CVE-2019-11220.

Additional reading: Some Basic Rules for Securing your IoT Stuff.

Categories: Technology, Virus Info

The Linux Link Tech Show Episode 806

The Linux Link Tech Show - Wed, 04/24/2019 - 08:30
ubuntu woes, jenkins, docker, continuous integration, 3d priting, odroid-n2
Categories: Podcasts, Technology

SN 711: DNSpionage

Security Now - Tue, 04/23/2019 - 20:26

Top Security Stories this Week:
• Google uses its "SensorVault" to help catch the bad guys.
• Time to update Drupal again.
• Facebook steals users' email contact lists, logs plaintext Instagram passwords
• Russia moves closer to adopting "Internet Master Cutoff Switch" legislation.
• A reminder that "USB Killers" are a real thing.
• Marcus Hutchins' plea deal
• A new(ish) actively exploited Windows 0-day
• A bunch of Microsoft Edge news
• Windows 7 end-of-life notices
• Something from the "I did say this was bound to happen" department
• Detailed threat research from Cisco's Talos group about the leveraging of DNS epionage.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

Categories: Podcasts, Technology

Who’s Behind the RevCode WebMonitor RAT?

Krebs on Security - Mon, 04/22/2019 - 13:43

The owner of a Swedish company behind a popular remote administration tool (RAT) implicated in thousands of malware attacks shares the same name as a Swedish man who pleaded guilty in 2015 to co-creating the Blackshades RAT, a similar product that was used to infect more than half a million computers with malware, KrebsOnSecurity has learned.

An advertisement for RevCode WebMonitor.

At issue is a program called “WebMonitor,” which was designed to allow users to remotely control a computer (or multiple machines) via a Web browser. The makers of WebMonitor, a company in Sweden called “RevCode,” say their product is legal and legitimate software “that helps firms and personal users handle the security of owned devices.”

But critics say WebMonitor is far more likely to be deployed on “pwned” devices, or those that are surreptitiously hacked. The software is broadly classified as malware by most antivirus companies, likely thanks to an advertised feature list that includes dumping the remote computer’s temporary memory; retrieving passwords from dozens of email programs; snarfing the target’s Wi-Fi credentials; and viewing the target’s Webcam.

In a writeup on WebMonitor published in April 2018, researchers from security firm Palo Alto Networks noted that the product has been primarily advertised on underground hacking forums, and that its developers promoted several qualities of the software likely to appeal to cybercriminals looking to secretly compromise PCs.

For example, RevCode’s website touted the software’s compatibility with all “crypters,” software that can encrypt, obfuscate and manipulate malware to make it harder to detect by antivirus programs. Palo Alto also noted WebMonitor includes the option to suppress any notification boxes that may pop up when the RAT is being installed on a computer.

A screenshot of the WebMonitor builder panel.

RevCode maintains it is a legitimate company officially registered in Sweden that obeys all applicable Swedish laws. A few hours of searching online turned up an interesting record at Ratsit AB, a credit information service based in Sweden. That record indicates RevCode is owned by 28-year-old Swedish resident Alex Yücel.

In February 2015, a then 24-year-old Alex Yücel pleaded guilty in a U.S. court to computer hacking and to creating, marketing and selling Blackshades, a RAT that was used to compromise and spy on hundreds of thousands of computers. Arrested in Moldova in 2013 as part of a large-scale, international takedown against Blackshades and hundreds of customers, Yücel became the first person ever to be extradited from Moldova to the United States.

Yücel was sentenced to 57 months in prison, but according to a record for Yücel at the U.S. Federal Bureau of Prisons, he was released on Nov. 1, 2016. The first advertisements in hacker forums for the sale of WebMonitor began in mid-2017. RevCode was registered as an official Swedish company in 2018, according to Ratsit.

Until recently, RevCode published on its Web site a value added tax (VAT) number, an identifier used in many European countries for value added tax purposes. That VAT number — first noted by the blog Krabsonsecurity.com (which borrows heavily from this site’s design and banner but otherwise bears no relation to KrebsOnSecurity.com) — has since been removed from the RevCode Web site and from historic records at The Internet Archive. The VAT number cited in that report is registered to Alex Yücel, and matches the number listed for RevCode by Ratsit AB.

Yücel could not be immediately reached for comment. But an unnamed person responded to an email sent to the customer support address listed at RevCode’s site. Presented with the information and links referenced above, the person responding wrote, “nobody working for/with RevCode is in any way related to BlackShades. Anything else suggesting otherwise is nothing but rumors and attempts to degrade our company by means of defamation.”

The person responding from the RevCode support email address contended that the Alex Yücel listed as owner of the company was not the same Alex Yücel convicted of co-authoring Blackshades. However, unless the Ratsit record is completely wrong, this seems unlikely to be true.

According to the Ratsit listing, the Alex Yücel who heads RevCode currently lives in a suburb of Stockholm, Sweden with his parents Can and Rita Yücel. Both Can and Rita Yücel co-signed a letter (PDF) in June 2015 testifying to a New York federal court regarding their son’s upstanding moral character prior to Yücel the younger’s sentencing for the Blackshades conviction, according to court records.

A letter from Alex Yücel’s parents to the court in June 2016.

Categories: Technology, Virus Info

TWiT 715: 8K + 5G

This week in tech - Sun, 04/21/2019 - 21:09

Top Stories This Week:

  • Samsung's Folding Phone Fail
  • Apple vs Qualcomm: It's Over! Qualcomm wins!
  • What Is Intel's Future After Apple?
  • iMac Pro vs MacBook Pro: Which One Wins?
  • iOS 13 Has Everything You Want, But Not the One Thing You Need
  • Brexit, Muller, and US Voting Machines: What's the Connection?
  • Ransomware Attacks: Is This an Act of War?
  • The Mental Health App that Secretly Shares Your Data
  • MalwareTech (Marcus Hutchins) Pleads Guilty
  • Facebook's Bad Day Week 15 Months
  • Summit Learning: Everything You Hate About Facebook, Now in the Classroom!
  • Apple Shuts Down Texture, Android Users S.O.L.
  • The Browser Ballot Part II: Electric Boogaloo
  • YouTube: Notre Dame was Terrorism
  • Sri Lanka vs Social Media, India vs Tik Tok, the UK vs Porn
  • Utah Bans Warrantless Phone Searches
  • Google and Amazon Make Nice
  • Assassin's Creed Helps Fix Notre Dame
  • Playstation 5 Revealed!
  • TWiT's Official Super Smash Bros Ultimate Level

Host: Leo Laporte

Guests: Devindra Hardawar, Nate Lanxon, and Dylan Tweney

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Sponsors:

Categories: Podcasts, Technology

Pages

Subscribe to Some Place in Ohio aggregator - Technology