
Tag: Sniffing

Network-sniffing, automation, machine learning: How to get better threat intel

When two 'innocent' events on the network are anything but

IT teams can get away with poor service management, outdated software development methods and outdated apps running on legacy tin, but they might want to think twice before skimping on cybersecurity. If you don't stay on top of this stuff, you might not be found out today or tomorrow, but eventually your customers’ personal details might just turn up on Pastebin.…

New, deadlier trend in the raging opioid epidemic: Elephant tranquilizer

It’s 10,000X stronger than morphine, 100X stronger than fentanyl, and on the rise.

Large UK businesses are getting pwned way more than smaller ones

But are they just better at sniffing out breaches?

Larger businesses in the UK are far more likely to be victims of attacks than smaller ones, according to a survey by the British Chamber of Commerce.…

Akamai buys bot-sniffing startup Cyberfend

Credential-stuffing mitigator snapped up

Akamai Technologies has beefed up its existing bot management and mitigation services with the acquisition of US startup Cyberfend.

Financial terms of the deal, announced Monday, were undisclosed. Credential theft and abuse is a significant problem for online businesses and their customers.

Cyberfend’s tech is designed to mitigate problems caused by compromised user credentials (eg, usernames, passwords, email addresses) that leak and become public following data breaches. Hackers increasingly use these stolen and leaked credentials to log into a wide range of popular web and mobile services.

Credential-stuffing attacks of this type have affected the UK National Lottery and online takeaway firm Deliveroo over recent weeks.

“With the introduction of Bot Manager earlier this year, Akamai helped change the way online businesses deal with the bots and other automated agents that visit their sites,” said Stuart Scholly, senior vice president and general manager, web security at Akamai. “The addition of Cyberfend’s technology is intended to give our customers a better way to spot and stop credential abuse on their sites – benefitting both the online business and its users.”

Through its acquisition of Cyberfend, Akamai plans to extend the capabilities of its Bot Manager product by offering online businesses the technology required to effectively distinguish between real customers and attackers, thus limiting hackers’ ability to skirt detection. ®

Signal security revealed: A triple-Diffie-Hellman with a double ratchet

Secure messaging app invites you to dive in and figure out if it's done anything wrong

Signal developer Open Whisper Systems has quietly posted some important documents for developer consumption: the specifications of its signature verification, key agreement, and secret key protocols. The posts are dated 20 November, although a Tweet from 4 November suggests the documentation was stealth-published earlier. The three specs cover the XEdDSA and VXEdDSA signature schemes; the Extended Triple Diffie-Hellman (X3DH) key agreement protocol; and what the outfit calls the “Double Ratchet” protocol, which Signal uses for message encryption. With the Signal Service API and Signal Protocol API already public, Whisper Systems is giving outsiders a deep view of the operations of the popular privacy-messaging system.

So what's in the box? X3DH kicks things off, providing key agreement between Bob and Alice, even if only one is online at the time. It uses the familiar public key infrastructure approach – Alice retrieves Bob's key from the server he published it to – and they use that information to establish communication and agree on a shared secret key. The document's in-short version of what happens is a three-phase process: Bob publishes his identity key and prekeys to a server; Alice fetches a "prekey bundle" from the server, and uses it to send an initial message to Bob; Bob receives and processes Alice's initial message. X3DH can use the X25519 or X448 elliptic curves, and for hashing it requires SHA-256 or SHA-512; the document notes that the protocol “provides forward secrecy and cryptographic deniability”. The signatures X3DH uses are described in XEdDSA and VXEdDSA Signature Schemes.

The focus of the schemes is twofold: to ensure that the signatures look random to anybody sniffing them (VXEdDSA is a “verifiable random function”); and to make the schemes resistant to timing side-channel attacks. And we still haven't gotten to the users exchanging messages, because this only gets us as far as Bob and Alice setting up their message-passing.

The last part, protecting the messages, is the job of the Double Ratchet Algorithm.

Defeating the snoops

To make Signal resistant to decryption using a bunch of sniffed messages, the algorithm creates new keys for each message, and here Bob and Alice's public Diffie-Hellman values come back into play: “The parties also send Diffie-Hellman public values attached to their messages. The results of Diffie-Hellman calculations are mixed into the derived keys so that later keys cannot be calculated from earlier ones. These properties give some protection to earlier or later encrypted messages in case of a compromise of a party's keys.”

A “KDF chain” (key derivation function) in Double Ratchet protects Bob and Alice's message keys “even if the adversary can control the KDF inputs”, the document says; because a key is never used twice, the messages get forward security; and as long as the system has enough entropy, Double Ratchet is also designed to be resistant to a snoop breaking into a server and recovering user messages. For non-cryptographers, the term “Double Ratchet” comes from how the protocol makes sure each message gets a new key: their Diffie-Hellman keys are “ratcheted” by each new message exchange; and so are the send/receive chains (the “symmetric-key ratchet”). The Register will watch with interest to see if any cryptanalysts can spot any gaps in the specs. ®
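To make the two ratchets concrete, here is an added illustration (not code from Signal or from the specification) of how a KDF chain yields a fresh key per message and why learning a chain key mid-conversation does not expose earlier message keys. The Diffie-Hellman group is a constructed toy (Signal uses X25519 or X448), the "root key from X3DH" is a constructed constant, and the HMAC labels are assumptions; only the chain-step construction (HMAC with constants 0x01 and 0x02) follows the spec's suggested form.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (Signal uses X25519/X448).
P = 2**127 - 1   # a Mersenne prime, so arithmetic stays cheap
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv: int, their_pub: int) -> bytes:
    return pow(their_pub, priv, P).to_bytes(16, "big")


def root_step(root_key: bytes, dh_out: bytes):
    """Diffie-Hellman ratchet: mix a fresh DH output into the root key and
    derive a new root key plus a new sending/receiving chain key."""
    prk = hmac.new(root_key, dh_out, hashlib.sha256).digest()
    new_root = hmac.new(prk, b"root", hashlib.sha256).digest()    # labels are assumptions
    chain_key = hmac.new(prk, b"chain", hashlib.sha256).digest()
    return new_root, chain_key


def chain_step(chain_key: bytes):
    """Symmetric-key ratchet: one-way step producing a message key and the next
    chain key. Because HMAC is one-way, the next chain key cannot be run backwards."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain, message_key


def message_keys(chain_key: bytes, count: int):
    """Advance the chain `count` times; return the final chain key and the message keys."""
    keys = []
    for _ in range(count):
        chain_key, mk = chain_step(chain_key)
        keys.append(mk)
    return chain_key, keys


def simulate(n_messages: int = 4):
    """Alice sends n_messages to Bob under one DH ratchet step and reports
    (a) that both sides derive identical per-message keys, (b) that every key is
    distinct, and (c) what an attacker holding the chain key after message 2 can
    and cannot recompute."""
    # Assumed: both parties already share a root key from X3DH (constructed here).
    root = hashlib.sha256(b"constructed X3DH output").digest()
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()

    # Alice attaches a_pub to her message; both sides mix the same DH result in.
    a_root, a_send = root_step(root, dh_shared(a_priv, b_pub))
    b_root, b_recv = root_step(root, dh_shared(b_priv, a_pub))

    _, alice_keys = message_keys(a_send, n_messages)
    _, bob_keys = message_keys(b_recv, n_messages)

    # Compromise scenario: the chain key as it stands after message 2 leaks.
    chain_after_two, _ = message_keys(b_recv, 2)
    _, later_keys = message_keys(chain_after_two, n_messages - 2)

    return {
        "agree": alice_keys == bob_keys and a_root == b_root,
        "unique": len(set(alice_keys)) == n_messages,
        "later_recoverable": later_keys == alice_keys[2:],        # future keys: yes
        "earlier_recoverable": any(k in later_keys for k in alice_keys[:2]),  # past keys: no
    }


if __name__ == "__main__":
    print(simulate(5))
```

The "later_recoverable" result is exactly why the DH ratchet exists on top of the symmetric one: a leaked chain key does expose the rest of that chain, and only the next Diffie-Hellman step (mixing fresh secrets into the root key) cuts that off.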

Surveillance cameras most dangerous IoT devices in enterprise

Networked security cameras are the most likely to have vulnerabilities when it comes to securing Internet of Things devices in the enterprise, according to a new report by Zscaler. “I would consider the entire video camera category as particularly dangerous,” said Deepen Desai, director of security research at Zscaler. Take, for example, the Flir FX wireless HD monitoring camera. Researchers found that the camera communicated with the parent company in plain text and without authentication tokens. “The firmware that was being updated was not being digitally signed,” said Desai. That means that attackers have the opportunity to introduce their own, malicious firmware instead, he said. Another camera, the Foscam IP surveillance camera, connects to a web server to stream video to users’ desktops or smartphones.

That can be a useful feature, but the user credentials, including the password, are transmitted in plain text, over HTTP, right in the URL. The Axis camera has a remote management console, but it uses basic HTTP authentication, allowing sniffing and man-in-the-middle attacks. Zscaler also found that consumer devices frequently appeared inside enterprises, such as the Chromecast and Roku media players and smart TVs. Zscaler didn’t find any security issues with either the Chromecast or the Roku, but the smart TVs used outdated libraries which could be used to get control of the system. Late last month, a botnet that infected networked devices, cut off access to large areas of the Web.

This isn’t actually the biggest threat that vulnerable IoT devices pose for enterprises, Desai said. When Zscaler analysed the traffic from enterprise devices, and correlated it with DDoS attacks, there were no spikes. “Based on the analysis that we did, none of the devices that were in our customers’ enterprise networks were affected,” Desai said. “My take on that is that enterprises had their IoT devices properly segmented in the network.

The way that the Mirai botnet was propagating, it was preying on weak and default connections.” But just because the most recent round of attacks did not reach these devices, doesn’t mean that companies should get complacent.

And the risks are much higher than simply having a device in a network that acts as a DDoS message relay. An infected device can be an access point into an enterprise network.

And an infected camera can do even more damage. “If an attacker got access to your video camera, they could see what’s going on in the environment,” he said. For example, they could see when particular areas are unguarded, to plan both physical attacks and cyber attacks. Desai suggested that enterprises restrict access to IoT devices as much as possible, by blocking external ports or placing devices on separate, isolated networks, to prevent lateral movement.

They should also change default credentials, and set up a process to apply regular security and firmware updates. This story, "Surveillance cameras most dangerous IoT devices in enterprise" was originally published by CSO.

True man-in-the-middle: Transmitting logins through the human body

Apparently your flesh is the equivalent of a 1950s modem

Computer science researchers at the University of Washington are developing a technology to securely send data through the human body rather than wires or the air. Passwords sent over insecure networks are liable to sniffing. This well-understood problem is most easily mitigated using VPN technology, but now security academics have taken a left-field approach to the same problem which also guards against the risk of vulnerabilities in custom radio protocols for wearables and implantables. The technology would work in conjunction with fingerprint sensors in the latest generation of smartphones. One use cited is opening a door fitted with an electronic smart lock. A user would touch the doorknob and the fingerprint sensor on their smartphone at the same time, with their credentials being transmitted through their body rather than over the air. The technology is not restricted by body type or posture, as a research paper by the researchers (abstract below) explains:

We show for the first time that commodity devices can be used to generate wireless data transmissions that are confined to the human body. Specifically, we show that commodity input devices such as fingerprint sensors and touchpads can be used to transmit information to only wireless receivers that are in contact with the body. We characterize the propagation of the resulting transmissions across the whole body and run experiments with ten subjects to demonstrate that our approach generalizes across different body types and postures. We also evaluate our communication system in the presence of interference from other wearable devices such as smartwatches and nearby metallic surfaces. Finally, by modulating the operations of these input devices, we demonstrate bit rates of up to 50 bits per second over the human body.

The approach works because fingerprint sensors “produce characteristic electromagnetic signals at frequencies below 10 MHz” that propagate well through the human body. The researchers ran tests using iPhone 5s and iPhone 6s fingerprint sensors, the Verifi P5100 USB fingerprint scanner, and both Lenovo T440s and Adafruit touch pads. Interference from wearable or metallic objects a user might have about them (such as watches) wasn’t a problem. The data transmission rate achieved of just 25 bits per second, or “less than a quarter the speed of a 1950s modem”, as security blogger Bill Camarda notes, might well be a limitation though. “It’s a long way from a university research lab to your body, but if this proves out, multiple applications are possible,” Camarda adds in a post on the Sophos Naked Security blog. “Instead of manually typing in a secret serial number or password for wirelessly pairing medical devices such as glucose or blood pressure monitors with smartphones, a smartphone could directly transmit arbitrary secret keys through the human body. Of course, having your body as the transmission medium brings a whole new set of security concerns about man-in-the-middle attacks,” he concludes. ®

Domain name resolution is a Tor attack vector, but don’t worry

Nation-state attackers probably pwn you anyhow

This one needs the words “Don't Panic” in large friendly letters on the cover: privacy researchers have worked out that Tor's use of the domain name system (DNS) can be exploited to identify users. However, they say, right now an attacker with resources to drop Tor sniffers at “Internet scale” can already de-anonymise users. Rather, they hope to have Tor and relay operators start hardening their use of DNS against future attacks. So: read if you're interested in the interaction between Tor and the DNS, but not if you need the sensation of smelling salts after a faint.

The basis of Tor is that your ISP can see you're talking to a Tor node, but nothing else, because your content is encrypted; while a Tor website is responding to your requests, but doesn't know your IP address. What Benjamin Greschbach (KTH Royal Institute of Technology) and his collaborators have done is add the DNS to the attack vectors. While the user's traffic is encrypted when it enters the network, what travels from the exit node to a resolver is a standard – unencrypted – DNS request. Described at Freedom to Tinker here and written up in full in this Arxiv pre-print, the attack is dubbed DefecTor. Google's DNS has a special place in the research, the paper states, because 40 per cent of DNS bandwidth from Tor exit nodes, and one-third of all Tor DNS requests, land on The Chocolate Factory's resolvers.

That makes Google uniquely placed to help snoop on users, if it were so minded. There's a second problem, and one The Register is sure has other researchers slapping their foreheads and saying “why didn't I think of that?”: DNS requests often traverse networks (autonomous systems, ASs) that the user's HTTP traffic never touches.

The requests leak further than the Tor traffic that triggers them.

DefecTor components: a sniffer on the ingress TCP traffic, and another either on the DNS path or in a malicious DNS server

Like other attacks, DefecTor needs a network-level sniffer at ingress. While ingress traffic is encrypted, existing research demonstrates that packet length and direction provide a fingerprint that can identify the website that originated the traffic. Egress sniffing is also needed: the attacker might capture traffic on the path between an exit relay and a resolver; or may operate a malicious DNS resolver to capture exit traffic. With the user's encrypted TCP traffic fingerprinted, DNS requests, and time-stamps, DefecTor can mount “perfectly precise” attacks. “Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites,” the paper states.

Mitigations suggested in the paper include: exit relay operators handling DNS resolution themselves, or using their ISP's resolver, rather than Google or OpenDNS; fixing a “clipping bug” in Tor (notified to the operators) that expires DNS caches too soon, sending too many requests out to a resolver (and providing more sniffable material to an attacker); site operators creating .onion services that don't raise DNS requests; and hardening Tor against website fingerprinting. The researchers have published code, data, and replication instructions here. ®

Expect 'Flood' of DDoS Attacks After Source Code Release

Brian Krebs warns that "the Internet will soon be flooded with attacks from many new botnets." The source code behind the massive distributed denial of service attack against security researcher Brian Krebs's website has been released online. In a bl...

Sniffing your storage could lead to sensitive leaks, warn infosec bods

Electromagnetic fields aren't a miscreant's magic key, though

Data from storage devices leaks through electromagnetic radiation to a much greater extent than previously thought, according to new research. Near-field analysis allowed security researchers at MWR Security to infer (or ‘sniff’) data transferred internally within a device. The finding means that resilient systems are far more vulnerable to attack than was previously thought. Attackers are increasingly gaining access to the sophisticated hardware needed for such an attack, giving them access to (unencrypted) data, according to MWR Security. Piotr Osuch, an information security researcher with MWR, explained: “All cryptographic operations within modern data processing and storage devices are physical processes where data elements must be represented by physical quantities in physical structures such as gates and transmission lines.

These physical quantities and structures must necessarily have a time- and spatial-extent. “As a result, a finite amount of energy must be transmitted during operation, necessarily giving rise to an EM field.

The result is an unavoidable leakage of secret information,” he added.

Hardware required to pull off the attack would cost from a “few thousand dollars to tens of thousands of dollars” depending on the sophistication of an attack – which is easily within the potential budget of cybercriminals, rather than being restricted to the likes of governments or intel agencies. “[One] possible approach is to analyse leaked EM data during a challenge-response authentication protocol, by means of a simple H-field loop sensor (essentially just a looped piece of wire that is placed in the close vicinity of the [device]),” Osuch told El Reg. “This sensor would pick up multiple sources of leaked EM information and so it would be impossible to ‘focus’ on just the source of interest, i.e. where the actual authentication operation happens. Nonetheless from an understanding of the internal operations performed by the crypto-algorithm and from a statistical analysis some information about the internal cryptographic operation could be inferred.”

“There has been a surge in both the sophistication and frequency of EM side-channel attacks, successfully employed to sniff secret information in underlying hardware,” he added. More advanced techniques explored by MWR demonstrate that it is possible to “extract data non-intrusively from individual data lines in modern devices”. “This [MWR Labs] research has formalised our near-field EM analysis methodology, allowing for the non-intrusive sniffing of data at a low abstraction level, and giving security researchers a view of a device’s data transmission under test,” Osuch explained. “At this low level, various security measures are often not yet in place, such as data encryption which is usually done at a later, higher-abstraction stage of the process.
If no provision has been made to sufficiently reduce this leaked EM field, then a near-field EM analysis will uncover, at least partially, any secret information being transmitted, allowing organisations to identify where defensive action needs to be taken,” he added.

Monitors and computers also give out stray electromagnetic radiation, a problem at least partially addressed by TEMPEST shielding. Something similar could be attempted to shield storage devices but this would be far from trivial, according to MWR. “In most cases, TEMPEST shielding is included as an ‘afterthought’ in the design, usually in the form of a simple metal enclosure, which *might* (fingers crossed) reduce leaked signal strength sufficiently,” Osuch explained. “The same could as well be done for storage devices. However, to ensure security, an EM-aware design is necessary which requires skilled professionals (such as RF engineers) – a practice not often employed in industry." More details on the research are due to be published on the MWR Labs’ blog on 13 September 2016. ®

Bloke accused of Linux kernel.org hack nabbed during traffic stop

Possible 40 years in the Big House for 2011 infiltration of open-source world's servers

A man who allegedly hacked the Linux Kernel Organization's kernel.org and the Linux Foundation's servers has been collared by cops. Donald Ryan Austin, 27, of El Portal, Florida, will appear in court in San Francisco later this month, and is accused of intentional transmission causing damage to a protected computer. The four charges were filed in absentia against Austin. His alleged hacking spree led to the Linux groups shutting down completely while a malware infection was cleared up.

Austin was stopped by police in Miami Shores for a traffic offense and then arrested when he identified himself. Court documents [PDF] claim that in 2011, Austin managed to steal the credentials of one of the Linux server admins and used these to install the Phalanx malware, a self-injecting kernel rootkit designed for the Linux 2.6 branch that hides files, processes and sockets and includes tools for sniffing a TTY program. Using Phalanx, he is also accused of installing the Ebury trojan, which is designed for Linux, FreeBSD or Solaris hacking, onto numerous servers run by the groups.

This harvested login credentials of people using the servers and forwarded them to the attacker. Austin's goal, according to the prosecution, was to get early access to Linux builds. He is also accused of leaving messages on the system for others to find, and of hacking the personal email server of one member of the Linux Foundation. Some of the Linux servers were offline for almost a month, while administrators picked over files to make sure that the attacker hadn't left any more nasty surprises in there.
It took over five years of sleuthing to find out who could have been responsible, and now the Feds think they have their man. Austin was released from jail on payment of $50,000 in bail money, and will have to appear in court in San Francisco at 0930 on September 21 before the Honorable Sallie Kim.
If found guilty, he faces a possible sentence of 40 years in prison and $2m in fines. ®

If you use ‘smart’ Bluetooth locks, you’re asking to be burgled

The bad ones send passwords in plaintext, the good ones can't survive a screwdriver

DEF CON Bluetooth-enabled locks are increasingly popular, but an analysis of 16 such devices shows 12 are easily hackable with inexpensive kit and some can be broken into from 400 metres away. In a presentation to the DEF CON hacking conference in Las Vegas, security researcher Anthony Rose detailed how to hack these supposedly smart locks using the US$100 Ubertooth sniffing device, a $40 Raspberry Pi, a $50 high-gain antenna, and a $15 USB Bluetooth dongle. “Smart locks appear to be made by dumb people,” Rose said. “Lots of manufacturers choose user convenience over security and aren’t bothered about fixing their hardware.” Some of the locks he tested were ridiculously easy to crack with this kit.

Four of them, the Quicklock doorlock and padlock, the IBluLock padlock, and the Plantrace Phantomlock, transmit their passwords in plaintext - making it trivially easy for a data sniffer to pick up the code once the lock is used. Five more locks are susceptible to replay attacks whereby a hacker picks up the signal when the lock is used, stores it, then sends it again to unlock the device.

The susceptible systems were the Ceomate Bluetooth Smart Doorlock, the Lagute Sciener Smart Doorlock, the Vians Bluetooth Smart Doorlock, and the Elecycle EL797 and EL797G smart padlocks. Rose said his equipment made it easy to crack the locks, but there are other methods that are less conspicuous.

As we saw in February with the SimpliSafe hack, an attacker could simply hide a sniffer behind some bushes and come back for it later. Some manufacturers are still making basic mistakes that also leave them highly vulnerable. One brand, Quicklock, only allows six-digit passwords, making it trivially easy to brute force, while another manufacturer hardcoded the administrator’s password (ironically the phrase “thisisthesecret”) in the firmware and Rose was able to find it. Fuzzing also proved very effective at finding flaws in the source code for many locks, as did crashing them.

By sending malformed packets at one lock he managed to crash it, causing the lock to automatically open. When Rose contacted the 12 manufacturers about these issues the response was almost universally negative. One Chinese manufacturer shut down its website, but still sells on Amazon.

Ten other companies simply ignored his messages. One firm did come back to him, acknowledging the issue, but said it wasn’t going to fix it. Four locks did hold up however, so if you’re in the market for such a device then check out the Noke locks, Masterlock, and the August doorlock.

The Kwickset Kevo lock has a “fantastic” software security system with strong crypto, Rose said, but should be avoided because the lock was so badly made you could open it in seconds with a screwdriver. ®
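The two failure classes in Rose's findings, plaintext passwords and replayable unlock frames, both come down to the lock accepting a value that is the same every time. This added example (constructed for this page, not code from any of the lock vendors or from Rose's talk) models a weak lock beside a nonce-based challenge-response design and runs the same eavesdrop-then-replay scenario against both. The password, pairing key and message framing are constructed assumptions; the point is that the hardened design rejects a recorded response because each challenge is fresh and single-use.

```python
import hashlib
import hmac
import secrets


class PlaintextLock:
    """Models the weak design: the phone transmits the password itself and the
    lock compares it. Anyone who recorded one unlock frame can send it again."""

    def __init__(self, password: bytes):
        self._password = password

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._password)


class ChallengeResponseLock:
    """Replay-resistant design: the lock issues a fresh random nonce for every
    attempt and accepts only an HMAC over that nonce under the pairing key."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None   # a nonce is good for one attempt
        if nonce is None:
            return False
        expected = hmac.new(self._key, b"unlock" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def phone_response(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate phone app computes for a given challenge (assumed framing)."""
    return hmac.new(key, b"unlock" + nonce, hashlib.sha256).digest()


def compare_designs():
    """Eavesdrop on one legitimate unlock, then replay what was captured, against
    both designs. Returns (weak_results, strong_results) as dicts of booleans."""
    # Weak lock: constructed six-digit password, as the article describes.
    password = b"123456"
    weak = PlaintextLock(password)
    captured_frame = password                     # seen in plaintext over the air
    weak_results = {
        "legit": weak.unlock(password),
        "replay": weak.unlock(captured_frame),    # the lock cannot tell the difference
    }

    # Hardened lock: constructed 256-bit pairing key shared with the phone.
    key = secrets.token_bytes(32)
    strong = ChallengeResponseLock(key)
    nonce = strong.challenge()
    response = phone_response(key, nonce)
    captured_response = response                  # eavesdropper records it
    legit = strong.unlock(response)

    strong.challenge()                            # next attempt gets a new nonce
    replay = strong.unlock(captured_response)     # recorded response no longer matches

    nonce2 = strong.challenge()
    wrong_key = strong.unlock(phone_response(b"guess", nonce2))  # no pairing key, no entry

    strong_results = {"legit": legit, "replay": replay, "wrong_key": wrong_key}
    return weak_results, strong_results


if __name__ == "__main__":
    print(compare_designs())
```

Two design details carry the security here: the nonce comes from the lock's own CSPRNG (so the phone cannot choose it), and it is consumed on the first response, so a recorded exchange is useless even against the same lock a moment later. Constant-time comparison (`hmac.compare_digest`) is used in both models to keep timing from leaking anything about the expected value.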