More stories


    Bob had a bad night: IoT mischief in a capsule hotel takes neighborly revenge to the next level

    BLACK HAT USA: Researchers have revealed how security vulnerabilities could be exploited to compromise hotel Internet of Things (IoT) devices — and take revenge on loud neighbors.

    IoT devices are now commonplace both in businesses and in the home. These internet- and often Bluetooth-connected products range from security cameras to smart lighting; fridges that monitor your foodstuffs, pet trackers, intelligent thermostats — and in the hospitality space, IoT is also employed to give guests more control over their stay. These services are sometimes offered through dedicated apps and tablets, allowing the management of lights, heaters, air conditioning, televisions, and more.

    However, the moment you network IoT and hand over control to third parties, you may also give individuals the keys to a digital kingdom — and the ability to cause mischief, or worse. Vulnerabilities in IoT devices vary. They range from hardcoded, weak credentials to bugs that allow local attackers to hijack devices, remote code execution (RCE) flaws, information-leaking interfaces, and a lack of security and firmware updates — the latter of which is a frequent problem in legacy and early IoT products.

    Speaking at Black Hat USA, Las Vegas, security consultant Kya Supa from LEXFO explained how a chain of security weaknesses was combined and exploited to gain control of rooms at a capsule hotel, a budget-friendly type of hotel offering extremely small — and, therefore, cozy — spaces to guests, who are stacked side-by-side.

    Supa was traveling and checked in to a capsule hotel abroad. When guests arrived, they were issued an iPod Touch. The capsules contained a bed and curtain for privacy, as well as a ventilation fan. The technology in use included NFC cards for each floor, the option to mirror a device screen on the curtain, and an app on the iPod Touch through which guests could control the lights and ventilation fan and change the position of the adjustable bed.

    The app was connected via either Bluetooth or Wi-Fi. A neighbor, “Bob,” kept waking Supa up by making loud phone calls in the early hours of the morning. While Bob had agreed to keep it down, he did not keep his promise — and the researcher set to work, since he needed his sleep, especially during his vacation.

    The first thing Supa did was to explore his room, finding an emergency light installed for safety reasons; a Nasnos automaton center for use in controlling products in case the iPod Touch was lost; an electric motor used to manage the incline of the capsule’s bed; and a Nasnos router, hidden in the wall. If you connected to the router via a smartphone, it was then possible to control other devices on the network, and this was the setup the hotel chose to use.

    It was not possible to exit the app or turn off the iPod Touch, and Apple’s Gateway software was in use to stop the device from being tampered with, so a passcode was required for any other action. To circumvent these protections, Supa was able to drain the battery and then explore the iPod Touch’s settings. He found that two networks were connected — the hotel Wi-Fi and the router. To retrieve the router key, Supa targeted WEP, a protocol that has been known to be weak for years. Access points, each being one of the bedrooms, were found. Supa inspected the traffic and found weak credentials in place — “123” — and you can guess the rest.

    By using an Android smartphone, the iPod Touch, and a laptop, the researcher created a Man-in-the-Middle (MitM) architecture and inspected the network traffic. No encryption was found, and he created a simple program to tamper with these connections, allowing the researcher to seize control of his bedroom through his laptop. Now, it was to be determined whether the key would be applicable to the other bedrooms.

    Supa downloaded a Nasnos router app and reverse-engineered the software to see how the Wi-Fi key was generated. While this investigation failed, he was able to find that packets were sent via UDP port 968, and a lack of authentication meant he was still able to secure Wi-Fi keys. Only four digits in each key appeared to be generated differently, confirmed via a dictionary attack, and so a quick exploit program later, Supa had control of each bedroom’s smart features.

    Now that he could “control every bedroom,” and Bob was still there, Supa tampered with the lights of different bedrooms until he found the right one. He created a script that, every two hours, would change the bed into a sofa and turn the lights on and off. The script was launched at midnight. We can probably assume Bob did not enjoy his stay.

    “I hope he will be more respectful in the future,” Supa commented.

    While this case is amusing — although not for Bob — it also highlights how a single access point can be used to tamper with and hijack IoT devices: and this goes for the home, too. While intelligent technology can be convenient, we need to be aware of the potential security ramifications, too. The hotel and Nasnos were both contacted afterward, and the hotel has since improved its security posture.


    The Graph Foundation launches bug bounty program

    The Graph Foundation has launched a bug bounty program promising rewards of up to $2.5 million for smart contract vulnerabilities. 

    The Graph Foundation is the overseer of an indexing protocol, created by the community, for querying blockchains and networks including the Ethereum, Celo, and IPFS ecosystems. Blockchain data is indexed by the decentralized protocol, based on the “subgraph manifest,” a system that defines smart contracts and network events, and participants are able to publish their own subgraph open APIs.

    On Wednesday, the project said a new bug bounty program has been launched on Immunefi, a DeFi-based bug bounty platform that has paid out over $3 million in rewards to date.

    The bug bounty program will focus on some of the most common threats to blockchain systems — the potential loss of user funds, data leaks, and severe security issues leading to remote code execution (RCE), service degradation, network tampering, and more. Rewards are based on Immunefi’s five-level scale, ranging in severity from “critical” to “none.” The most severe issues, deemed critical, are eligible for rewards of up to $2.5 million, made in The Graph tokens (GRT). According to the team, the reward is based on the potential economic damage — such as the loss of user funds.

    “For instance, if the bug were to be exploited and we knew that a total of 1000 GRT could be drained, that is considered critical because it involves loss of funds, but the reward would only be 100 GRT,” the team explained. “As there are over three billion GRT staked in the network at the moment, and assuming that would be the considered economic damage (worst case scenario), the actual maximum amount for that particular bug would be 300 million GRT.”

    Severity payouts range from roughly $5,000 to $200,000 for low and high-risk vulnerability discoveries.

    “Last year more than $200 million were stolen by hackers through DeFi exploits and hacks that indeed question the effectiveness of traditional security methods,” commented Mitchell Amador, Immunefi CEO. “We at Immunefi strive to protect projects against smart contract hacks by helping create, run, and promote best practice bug bounty programs, and we’re excited to move forward with The Graph.”


    Security researchers warn of TCP/IP stack flaws in operational technology devices

    Security vulnerabilities in the communications protocols used by industrial control systems could allow cyber attackers to tamper with or disrupt services, as well as access data on the network. Dubbed INFRA:HALT, the set of 14 security vulnerabilities has been detailed by cybersecurity researchers at Forescout Research Labs and JFrog Security Research, who warn that if left unchecked, the flaws could allow remote code execution, denial of service or even information leaks.

    All the vulnerabilities relate to TCP/IP stacks – communications protocols commonly used in connected devices – in NicheStack, used throughout operational technology (OT) and industrial infrastructure. Some of the newly uncovered vulnerabilities are more than 20 years old, a common problem in operational technology, which still often runs on protocols developed and produced years ago. Over 200 vendors, including Siemens, use the NicheStack libraries, and users are advised to apply the security patches.

    Forescout has detailed each of the vulnerabilities in a blog post – they relate to malformed packet processing, which allows an attacker to send instructions to read or write parts of memory it shouldn’t. That can crash the device and disrupt networks, as well as allowing attackers to craft shellcode to perform malicious actions, including taking control of the device. The disclosure of the newly discovered vulnerabilities is the continuation of Project Memoria, Forescout’s research initiative examining vulnerabilities in TCP/IP stacks and how to mitigate them. The INFRA:HALT vulnerabilities were uncovered because of this ongoing research.

    All versions of NicheStack before version 4.3, including NicheLite, are affected by the vulnerabilities, which have been disclosed to HCC Embedded, which acquired NicheStack in 2016.

    The full extent of vulnerable OT devices is uncertain, but researchers were able to identify over 6,400 vulnerable devices by using Shodan, the Internet of Things search engine.

    “When you’re dealing with operational technology, crashing devices and crashing systems is something that can have various serious consequences. There are also remote code execution possibilities in these vulnerabilities, which would allow the attacker to take control of a device, and not just crash it but make it behave in a way that it’s not intended to, or use it to pivot within the network,” Daniel dos Santos, research manager at Forescout Research Labs, told ZDNet.

    For remote code execution, attackers would need to have detailed knowledge of the systems, but crashing the device is a blunt instrument that’s easier to use and that could have significant consequences, especially if the devices help control or monitor critical infrastructure.

    Forescout and JFrog Security Research contacted HCC Embedded to disclose the vulnerabilities, as well as contacting CERT as part of the coordinated vulnerability disclosure process. HCC Embedded confirmed that Forescout contacted them about the vulnerabilities and that patches have been released to mitigate them.

    “We have been fixing these vulnerabilities over the last six months or so and we have released fixes for every customer who maintains their software,” Dave Hughes, CEO of HCC Embedded, told ZDNet, adding that if environments are properly configured, it’s unlikely that attackers could plant code or take control of devices. “These are real vulnerabilities, they are weaknesses in the stack. However, most of them are extremely dependent on how you use the software and how you integrate it as to whether you can experience these things.

    “If they’ve got a security department that understands DNS poisoning and things like that then they will not be vulnerable at all because they’ve configured things in a safe way,” Hughes said.

    Researchers also contacted coordination agencies including the CERT Coordination Center, BSI (the German Federal Cyber Security Authority), and ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team) about the vulnerabilities. Siemens has also issued an advisory about the vulnerabilities – although only four of the vulnerabilities affect Siemens products.

    To help protect operational technology from any kind of cyber attack, researchers at Forescout recommend that network segmentation is put in place, so operational technology which doesn’t need to be exposed to the internet can’t be remotely discovered – and technology which doesn’t need to be connected to the internet at all is on a separate, air-gapped network. Forescout has released an open-source script to detect devices running NicheStack to help provide visibility into networks – and help protect them.


    Qualys partners with Red Hat to improve Linux and Kubernetes security

    Everyone in the Linux and cloud world knows Red Hat. Everyone who pays attention to security knows Qualys. Now, the two are joining forces to bring Qualys’s Cloud Agent to Red Hat Enterprise Linux (RHEL) CoreOS and Red Hat OpenShift to better secure both systems.

    Qualys Cloud Agent is a lightweight software agent. Typically it uses about 2% of CPU resources, with bursts of up to 5%. Once in place, it takes a full configuration assessment of its host while running in the background and uploads that snapshot to the Qualys Cloud Platform. The agent itself is self-updating and self-healing, so you need never reinstall or reboot it to keep the latest version up and running.

    OpenShift is, as most of you know, Red Hat’s Kubernetes distribution. CoreOS is Red Hat’s specialized version of RHEL for OpenShift. Besides being its base operating system, CoreOS also underpins OpenShift’s control plane. In this case, the CoreOS Cloud Agent for OpenShift works with Qualys’s Container Security Runtime. This provides continuous discovery of packages and vulnerabilities for the complete OpenShift stack. It does this by placing a lightweight snippet of Qualys code into the container image. Once there, it enables policy-driven monitoring, detection, and blocking of unwanted container behavior at runtime. This eliminates the need for host-based sidecar management and privileged containers. Once instrumented in the image, it will work within each container irrespective of where the container is instantiated, and it doesn’t need any additional administration containers.

    Specifically, the Qualys Cloud Agent for CoreOS on OpenShift brings the following features to OpenShift managers:

    • See the Full Inventory – Continuous visibility of installed software, open ports, and Red Hat Security Advisories (RHSA) for all Red Hat Enterprise Linux CoreOS nodes with comprehensive reporting.
    • Manage Host Hygiene – Fully integrated on the Qualys Cloud Platform to automatically detect and manage host status related to patches and compliance adherence for known vulnerabilities.
    • Easily Deploy to the Host – Simplified deployment via the Qualys Cloud Agent to secure the host operating system. This approach eliminates the need to modify the host, open ports, or manage credentials.
    • Get Complete Coverage – Full coverage of Red Hat OpenShift and Qualys Container Security delivers comprehensive visibility from the host operating system through to images and containers running on OpenShift.

    Aaron Levey, Red Hat’s Head of Security Partner Ecosystem, said in a statement that, “Qualys’ Cloud Platform and Cloud Agent helps administrators gain deeper visibility into known vulnerabilities that may be present on their Red Hat Enterprise Linux CoreOS nodes with pointers to associated Red Hat Security Advisories, leaning on the expertise of Red Hat as well as Qualys’ own skills in driving cloud-native security.”

    Sumedh Thakar, Qualys’s president and CEO, added, “By collaborating with Red Hat, we have built a unique approach to secure Red Hat Enterprise Linux CoreOS that provides complete control over containerized workloads enhancing Qualys’ ability to help customers discover, track, and continuously secure containers.”



    Google's One Tap lets you sign into websites and apps without a password

    Google has unveiled Google Identity Services, a set of standard interfaces that lets developers integrate Google’s One Tap for faster user sign-ups and simpler sign-in. Google Identity Services aims to make it easier for businesses to gain new users and for users to sign in. It’s available as a software development kit containing its Identity APIs, including the Sign in with Google button as well as the new One Tap prompt.

    “Sign in with Google and One Tap use secure tokens, rather than passwords, to sign users into partner websites and apps,” says Filip Verley, a product manager on the Google Identity team.

    The easier sign-up and sign-in processes are meant to help end users avoid the pressure of picking convenience over security when deciding on yet another password for an app or website. The One Tap prompt brings the login to the user on the page they’re on at a given website. So, instead of being interrupted by a redirect to a landing page, the user sees the One Tap prompt slide down from the top right of a website, or up from the bottom on a mobile device. “Users can sign in to or sign up using just one tap, without having to remember their credentials or to create a password,” explains Verley.

    Google has also improved the Sign in with Google button – the button users see that shows which Google Account they’re signing in to a website with – so that it displays more personalized user details when returning to a site. Reddit has implemented the new Sign in with Google button and the One Tap prompt. Pinterest has also implemented the Google Identity Services APIs. According to Google, Reddit has almost doubled new user sign-ups and returning user conversion.

    Key to One Tap sign-ups are ID tokens that are generated for users with Google Accounts on a device. The ID token is shared with the website operator.

    “When you display the One Tap UI, users are prompted to create a new account with your app using one of the Google Accounts on their device,” Google explains in its developer pages. “If the user chooses to continue, you get an ID token with basic profile information—their name, profile photo, and their verified email address—which you can use to create the new account.”

    Currently, Google One Tap works with Chrome on Android, macOS, Linux and Windows 10. No mobile browser is supported on iOS. Edge on macOS and Windows 10 is supported, while Firefox is supported on Android, macOS, Linux and Windows. Google notes that One Tap is not supported on Safari for iOS and macOS because of Apple’s Intelligent Tracking Prevention.


    Hackers target Kubernetes to steal data and processing power. Now the NSA has tips to protect yourself

    The National Security Agency (NSA) has released its first Kubernetes hardening guidance to help organizations deploy the open-source platform for managing containerized applications. The guidance was co-authored by the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to make users aware of key threats and of the configurations that minimize risk.

    “Kubernetes is commonly targeted for three reasons: data theft, computational power theft, or denial of service,” the agencies note in a joint announcement. “Data theft is traditionally the primary motivation; however, cyber actors may attempt to use Kubernetes to harness a network’s underlying infrastructure for computational power for purposes such as cryptocurrency mining.”

    Researchers recently warned that attackers were using misconfigured Kubernetes deployments to drop crypto-miners on enterprise hardware.

    The key hardening guidance isn’t unusual, but the report also offers an in-depth look at applying standard security mitigations in the context of complex environments that are often deployed in the cloud. At a high level, the guidance includes: scanning containers and pods for vulnerabilities or misconfigurations, running containers and pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing.

    Of course, standard cyber hygiene is key too, including applying patches, updates, and upgrades to minimize risk. The agencies also recommend vulnerability scans to check that patches are applied. The advice covers Kubernetes clusters, the control plane, worker nodes (for running containerized apps for the cluster), and pods for containers that are hosted upon these nodes.

    The NSA and CISA make a special point about supply chain risks, including software and hardware dependencies that could be compromised at any point in the supply chain before deployment. “The security of applications running in Kubernetes and their third-party dependencies relies on the trustworthiness of the developers and the defense of the development infrastructure. A malicious container or application from a third party could provide cyber actors with a foothold in the cluster,” the agencies note.

    The report also warns that remote attackers do target control plane components lacking appropriate access controls, as well as worker nodes that live outside of the locked-down control plane. Insider threats include admins with high privileges and physical access to systems or hypervisors. Pods in particular need to be hardened against exploitation because they’re often an attacker’s initial execution environment after exploiting a container. The report also recommends running non-root containers and rootless container engines to prevent root execution, as many container services, by default, run as the privileged root user.
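One way to check a Pod manifest against the hardening points the report lists (least privilege, non-root containers, network separation, and pinned third-party images for the supply chain point), as an added example that is not code from the NSA/CISA report: the rule set, both sample manifests and the digest placeholder are constructed here, and the manifests are plain dicts of the shape yaml.safe_load() returns.

```python
"""Audit a Kubernetes Pod manifest against the NSA/CISA hardening points above.
Added example, not the report's code; the rules and both sample manifests are
constructed here, as the dicts yaml.safe_load() would return for a manifest."""
from typing import Dict, List


def _containers(spec: Dict) -> List[Dict]:
    # Init containers run on the node too, so they get the same checks.
    return list(spec.get("containers", [])) + list(spec.get("initContainers", []))


def audit_pod(pod: Dict) -> List[str]:
    """Return 'where: problem' findings for one Pod; an empty list means clean."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Network separation: hostNetwork puts the pod on the node's interfaces,
    # outside the cluster network and the NetworkPolicies that segment it.
    if spec.get("hostNetwork"):
        findings.append("pod: hostNetwork=true bypasses network separation")

    for c in _containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})

        # Non-root execution: the container-level setting overrides the
        # pod-level one; an unset runAsUser means the image default (often root).
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and uid in (None, 0):
            findings.append(f"{name}: may run as root (set runAsNonRoot: true)")

        # Least privilege: no privileged mode, no escalation, no ambient
        # capabilities, no writable root filesystem.
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true gives full node access")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")

        # Supply chain: a tag can be re-pointed at another image after it was
        # scanned; a digest pins exactly the image that was reviewed.
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image not pinned by digest")
    return findings


# Constructed sample: the kind of deployment the crypto-mining warning is about.
WEAK_POD = {
    "kind": "Pod", "metadata": {"name": "constructed-weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "example.invalid/app:latest",
                        "securityContext": {"privileged": True}}],
    },
}

# Constructed sample applying the guidance; the digest is a placeholder value.
HARDENED_POD = {
    "kind": "Pod", "metadata": {"name": "constructed-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app",
            "image": "example.invalid/app@sha256:" + "0" * 64,
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]},
                                "readOnlyRootFilesystem": True},
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["clean"])
```

Running the file prints seven findings for the weak manifest and "clean" for the hardened one; the same function can be pointed at manifests pulled from a cluster with kubectl get pod -o yaml and parsed with a YAML library.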


    Facebook brings Snapchat-like view once photo and video feature to WhatsApp

    Facebook has announced it is rolling out a new view once feature that it says will give users “more control over their privacy”.

    When photos and videos are shared on WhatsApp, they are automatically saved to a recipient’s camera roll. The view once feature allows users to send photos and videos that disappear from a WhatsApp chat after a recipient has opened it once. Users will be unable to forward, save, star, or share the media that was sent as view once media. When the media has been viewed, the message will appear as “opened”, which Facebook said will “help avoid any confusion about what was happening in the chat at the time”. Users, however, will only be able to see if a recipient has opened a view once photo or video if they have read receipts turned on. Media that is shared using the view once feature will be marked with a “one-time” icon.

    If a view once photo or video is not opened within 14 days of being sent, the media will expire from that chat. However, it can be restored from backup if the message is unopened at the time of backup. If the photo or video has already been opened, Facebook said the media will not be included in the backup and cannot be restored.

    The company assured that, like all personal messages sent on WhatsApp, view once media is “protected by the platform’s end-to-end encryption”. But like all encrypted media on WhatsApp, it “may be stored for a few weeks on WhatsApp’s servers” after it’s been sent.

    “While taking photos or videos on our phones has become such a big part of our lives, not everything we share needs to become a permanent digital record. On many phones, simply taking a photo means it will take up space in your camera roll forever,” the company said in a blog post.

    “That’s why today we’re rolling out new View Once photos and videos that disappear from the chat after they’ve been opened, giving users even more control over their privacy.

    “For example, you might send a View Once photo of some new clothes you’re trying on at a store, a quick reaction to a moment in time, or something sensitive like a Wi-Fi password.”

    Facebook introduced a similar feature it called Vanish Mode to Messenger and Instagram at the end of last year.


    Akamai reports Q2 revenue, EPS above expectations, shares slip

    Bandwidth provider Akamai Technologies this afternoon reported Q2 revenue and profit that both topped expectations, driven by a 25% rise in security revenue. The company’s forecast for the current quarter and for the full year was also above Wall Street’s expectations.

    Despite the upbeat results and outlook, the report sent Akamai shares down 4% in late trading.

    CEO Tom Leighton called the results “excellent,” remarking that the “performance was highlighted by continued strong growth across our security solutions globally.” Added Leighton, “As the internet has become increasingly critical to consumers and businesses, our customers have turned to us more than ever to power and protect exceptional online experiences.”

    Revenue in the three months ended in June rose 7%, year over year, to $853 million, yielding a net profit of $1.42 a share. Analysts had been modeling $846 million and $1.38 per share. Revenue from Akamai’s security business rose by 25%, year over year, to $325 million, while its “edge technology” revenue declined by 1% to $528 million.

    International revenue was up 15% in the quarter, while Akamai’s U.S. revenue rose 1%. The report follows issues last month with Akamai’s DNS servers that led to outages at major customers of Akamai, including Amazon Web Services, Microsoft, Delta Airlines, Oracle, Capital One, and AT&T.

    For the current quarter, the company sees revenue of $845 million to $860 million, and EPS in a range of $1.37 to $1.41. That compares to consensus for $845 million and a $1.35 profit per share.

    For the full year, the company sees revenue in a range of $3.42 billion to $3.45 billion, and EPS of $5.45 to $5.65. That compares to consensus of $3.43 billion and a $5.53 profit per share.
