
Tag: Sniffer

Penquin’s Moonlit Maze

Moonlight Maze is the stuff of cyberespionage legend.
In 1996, in the infancy of the Internet, someone was rummaging through military, research, and university networks primarily in the United States, stealing sensitive information on a massive scale.

To say that this historic threat actor is directly related to the modern day Turla would elevate an already formidable modern day attacker to another league altogether.
No, not the fictional energy sword, the machine-learning hacker sniffer
Palo Alto Networks has acquired smaller cyber security firm LightCyber for $105m in cash.…
A study by Rapid7 finds multiple vulnerabilities in Bluetooth tracking technologies, leading to possible security breaches as IoT device use continues to rise. Small tags embedded with Bluetooth Low Energy have become increasingly popular in recent years as a way for consumers to track things such as car keys or other small items.

There is only one small problem: they're also potentially a larger public privacy risk, according to new research released Oct. 25 by security firm Rapid7.

Among the trackers Rapid7 looked at is the TrackR Bravo device, which was found to have four unique vulnerabilities: cleartext password storage (CVE-2016-6538), tracking ID exposure (CVE-2016-6539), unauthenticated access (CVE-2016-6540) and unauthenticated pairing (CVE-2016-6541).

"Originally, I became interested in conducting this research because I continually saw these devices attached to people's key chains," Deral Heiland, research lead at Rapid7, told eWEEK. "I did not have a specific result in mind when I set out to do this research; however, given the state of IoT [internet of things] security, I was curious about the extent of personal information that was being exposed, and what security implications were being created due to that exposure."

Rapid7 conducted its operational analysis of the Bluetooth tracking products by using multiple tools, including Burp Suite to intercept communication between the cloud and mobile applications, Heiland said.

Additionally, the Rapid7 researchers used Nordic Bluetooth Low Energy (BLE) tools on Mac and smartphones combined with the Bluefruit LE sniffer to analyze the BLE communication and pairing process and identify attributes used during operations. A core area of weakness in Bluetooth overall is that it is not encrypted, and as such communications can potentially be intercepted and read.

"When the devices are initially paired, they derive a long-term key using a key-exchange protocol," Heiland explained. "If you eavesdrop during this exchange, you can get in between the pairing process and can decode the communication."

Heiland added that the Bluefruit LE sniffer tools make this simple when analyzing two devices and their communication.

While Rapid7 has found issues with Bluetooth trackers, Heiland noted that the average person may not encounter abuse of these devices related to their privacy.

That said, he noted that someone with a higher profile, such as someone in the government, business or entertainment sector, or someone currently dealing with issues such as harassment or stalkers, may want to avoid the use of these devices because of the elevated risk of abuse.

TrackR said no user data has been compromised, as far as the company is aware.

"As we work in a fast-moving and exciting market, we try to constantly improve our product and satisfy our customers," Chris Herbert, CEO of TrackR, wrote in an email to eWEEK. "Like other IoT companies large and small, we also have to keep pace with the ever-evolving threats which are redefining IT security."

"We were aware of all but one of these issues and have resolutions in place for all the issues identified," Herbert added.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Nation-state attackers probably pwn you anyhow

This one needs the words “Don't Panic” in large friendly letters on the cover: privacy researchers have worked out that Tor's use of the domain name system (DNS) can be exploited to identify users. However, they say, right now an attacker with the resources to drop Tor sniffers at “Internet scale” can already de-anonymise users. Rather, they hope to have Tor and relay operators start hardening their use of DNS against future attacks. So: read on if you're interested in the interaction between Tor and the DNS, but not if you need the sensation of smelling salts after a faint.

The basis of Tor is that your ISP can see you're talking to a Tor node, but nothing else, because your content is encrypted; while a Tor website responds to your requests, it doesn't know your IP address. What Benjamin Greschbach (KTH Royal Institute of Technology) and his collaborators have done is add the DNS to the attack vectors. While the user's traffic is encrypted when it enters the network, what travels from the exit node to a resolver is a standard, unencrypted DNS request. Described at Freedom to Tinker here and written up in full in this Arxiv pre-print, the attack is dubbed DefecTor.

Google's DNS has a special place in the research, the paper states, because 40 per cent of DNS bandwidth from Tor exit nodes, and one-third of all Tor DNS requests, land on The Chocolate Factory's resolvers.

That makes Google uniquely placed to help snoop on users, if it were so minded. There's a second problem, and one The Register is sure has other researchers slapping their foreheads and saying “why didn't I think of that?”: DNS requests often traverse networks (autonomous systems, ASs) that the user's HTTP traffic never touches.

The requests leak further than the Tor traffic that triggers them.

[Figure: DefecTor components: a sniffer on the ingress TCP traffic, and another either on the DNS path or in a malicious DNS server]

Like other attacks, DefecTor needs a network-level sniffer at ingress. While ingress traffic is encrypted, existing research demonstrates that packet length and direction provide a fingerprint that can identify the website that originated the traffic. Egress sniffing is also needed: the attacker might capture traffic on the path between an exit relay and a resolver, or may operate a malicious DNS resolver to capture exit traffic. With the user's encrypted TCP traffic fingerprinted, DNS requests, and time-stamps, DefecTor can mount “perfectly precise” attacks. “Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites,” the paper states.

Mitigations suggested in the paper include:
- Exit relay operators handling DNS resolution themselves, or using their ISP's resolver, rather than Google or OpenDNS;
- Fixing a “clipping bug” in Tor (notified to the operators) that expires DNS caches too soon, sending too many requests out to a resolver (and providing more sniffable material to an attacker);
- Site operators creating .onion services that don't raise DNS requests; and
- Hardening Tor against website fingerprinting.

The researchers have published code, data, and replication instructions here.
As the gent says, 'this shouldn't work'

Security consultant and blogger Rob Fuller has turned a USB SoC-based device into a credential sniffer that works even on locked machines. Fuller's attack works by modifying the dongle; when it's plugged in, it installs itself and becomes the victim's network gateway, DNS server, and WPAD (Web Proxy Auto-Discovery protocol) server. In the process of trying to install what it thinks is an Ethernet adapter, the target machine sends its credentials over the spoofed network. The modded Ethernet adapter also needs to be set up to capture the credentials the target machine offers as it tries to connect to the network through the adapter. While the password it captures carries whatever hash the victim's machine applies in storage, that's also what a server will expect to see.

As Fuller explains here, it's an attack that shouldn't work, but he reckons it does, and he has tested it on Windows up to Windows 10 Enterprise and Home (but not Windows 8). It also worked on OS X El Capitan, but Fuller is unsure whether that is down to quirks in his own setup. As he explains, if a machine can see both a wireless and a wired network, it will try to connect to whichever is faster, and the USB key is providing network responses rather than having to pass requests upstream. He tested two dongles for the attack, the USB Armory and the Hak5 Turtle. While the attack needs physical access to the target, Fuller says his average retrieval time was 13 seconds.
The bad ones send passwords in plaintext, the good ones can't survive a screwdriver

DEF CON Bluetooth-enabled locks are increasingly popular, but an analysis of 16 such devices shows 12 are easily hackable with inexpensive kit, and some can be broken into from 400 metres away. In a presentation to the DEF CON hacking conference in Las Vegas, security researcher Anthony Rose detailed how to hack these supposedly smart locks using the US$100 Ubertooth sniffing device, a $40 Raspberry Pi, a $50 high-gain antenna, and a $15 USB Bluetooth dongle. “Smart locks appear to be made by dumb people,” Rose said. “Lots of manufacturers choose user convenience over security and aren't bothered about fixing their hardware.” Some of the locks he tested were ridiculously easy to crack with this kit.

Four of them, the Quicklock doorlock and padlock, the IBluLock padlock, and the Plantrace Phantomlock, transmit their passwords in plaintext - making it trivially easy for a data sniffer to pick up the code once the lock is used. Five more locks are susceptible to replay attacks whereby a hacker picks up the signal when the lock is used, stores it, then sends it again to unlock the device.

The susceptible systems were the Ceomate Bluetooth Smart Doorlock, the Lagute Sciener Smart Doorlock, the Vians Bluetooth Smart Doorlock, and the Elecycle EL797 and EL797G smart padlocks. Rose said his equipment made it easy to crack the locks, but there are other methods that are less conspicuous.

As we saw in February with the SimpliSafe hack, an attacker could simply hide a sniffer behind some bushes and come back for it later. Some manufacturers are still making basic mistakes that also leave them highly vulnerable. One brand, Quicklock, only allows six-digit passwords, making it trivially easy to brute force, while another manufacturer hardcoded the administrator’s password (ironically the phrase “thisisthesecret”) in the firmware and Rose was able to find it. Fuzzing also proved very effective at finding flaws in the source code for many locks, as did crashing them.

By sending malformed packets at one lock he managed to crash it, causing the lock to automatically open. When Rose contacted the 12 manufacturers about these issues the response was almost universally negative. One Chinese manufacturer shut down its website, but still sells on Amazon.

Ten other companies simply ignored his messages. One firm did come back to him, acknowledging the issue, but said it wasn't going to fix it. Four locks did hold up, however, so if you're in the market for such a device then check out the Noke locks, Masterlock, or the August doorlock.

The Kwikset Kevo lock has a “fantastic” software security system with strong crypto, Rose said, but should be avoided because the lock was so badly made you could open it in seconds with a screwdriver.
Benign messages frogmarched into quarantine

FireEye has admitted that a snafu involving its email filtering technology meant harmless messages were shuffled off to quarantine for no good reason. The glitch persisted for around two hours during Monday morning before the problem was resolved, as a statement by the security vendor supplied to El Reg explains:

At approximately 10am BST Monday 1 August, FireEye became aware of an issue with a newly released version of the Security Content in its Email Security products that caused certain non-malicious emails to be temporarily quarantined. A new version of Security Content was released in under two hours, limiting impact and resolving the issue for customers automatically. FireEye deploys rapid updates to Security Content in order to quickly mitigate emerging campaigns, and we will continue to improve our testing and review prior to release.

El Reg heard of the “computer says no” issue from a reader, who asked to remain anonymous, and who complained that FireEye “crippled email globally for all their customers running email protection”, a comment that doubtless stemmed from understandable personal frustration.
Smart watch, dumb botch: sensor sensitivity equals insecurity, say boffins

Chinese scientists have brewed a way to steal, with 80 percent accuracy, automatic teller machine PINs by infecting wearable devices. Five university boffins demonstrated the trick in a laboratory, finding that even the slight hand movements a person makes while entering PINs can be captured through infected smart watches. The sniffed telemetry data could later be crunched by algorithms to reveal the correct PIN.

Subsequent monitoring increases the PIN-guessing accuracy to upwards of 90 percent. Chen Wang of Birmingham University, together with Xiaonan Guo, Yan Wang, Yingying Chen, and Bo Liu of Stevens Institute of Technology, New Jersey, describe their work in the paper "Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN" [paywalled]. They say they achieved the accuracy rating over 5,000 PIN-entry tests on ATMs and other systems.

Twenty subjects wore various wearable devices during the 11-month study, in which hardware accelerometers, gyroscopes, and other standard smart device componentry allowed millimeter accuracy in reading PINs.

"Wearable devices can be exploited," said Wang. "Attackers can reproduce the trajectories of the user's hand then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers."

An internally developed backward PIN-sequence inference algorithm then turned the data into PINs with between 80 percent and 90 percent accuracy. The team won best paper at the Asia Conference on Computer and Communications Security. Birmingham University says it is the first technique of its kind that does not require contextual data about the machine on which PINs are entered.

"There are two attacking scenarios that are achievable: internal and sniffing attacks," Wang says. "In an internal attack, attackers access embedded sensors in wrist-worn wearable devices through malware.

"An attacker can also place a wireless sniffer close to a key-based security system to eavesdrop sensor data from wearable devices sent via Bluetooth to the victim's associated smartphones."

The team recommends generating noise within devices to confuse attackers. Internet-of-things devices are known security failures, but the tiny size of the devices can make infection challenging. The research was funded, in part, by a grant from the National Science Foundation and the United States Army Research Office.