The Shadowbrokers Dump of the month update and UNITEDRAKE

So in the midst of the Equifax hack we seem to have missed the latest update from The Shadowbrokers. On Sept. 5th, 2017 they posted a new update on steemit.com with changes to their dump of the month club. Starting this month they will only take Zcash and will no longer accept Monero, because the Monero memo field, where you give them your delivery email address, isn’t encrypted. They will sell previous, and it appears future, dumps at set prices ranging from 100 ZEC to 16000 ZEC (at the time of this writing that is anywhere from 20,567 USD to 3,290,720 USD).

They will deliver the dumps by email in clear text only and recommend using tutanota or protonmail. The September dump is all exploits. The last thing is that there are now 2 dumps a month.

They also released their megafolder, which contains the manual for UNITEDRAKE, a fully extensible remote collection system designed for Windows targets. The interesting thing about this tool is that it is either old and retired, or it itself runs on old and insecure systems (Windows Server 2003 and SQL Server 2008), though the manual says it can compromise everything up to Windows 8 and Windows Server 2012. The UNITEDRAKE malware’s modules can capture keystrokes, impersonate the user, listen in on and view the webcam and mic, steal diagnostic info, and self-destruct when finished. Interesting stuff as always from this group. Still looking forward to what comes public next.

How secure is your credit data with consumer credit reporting agencies?

First let’s get all the facts. On Sept 7th, 2017 Equifax launched the site https://www.equifaxsecurity2017.com/ and announced that they had encountered a “cybersecurity incident” that potentially impacts 143,000,000 U.S. consumers. “Criminals” exploited a website application vulnerability to gain access to certain files. Based on an internal investigation the unauthorized access took place from mid-May to June 29th.

The information accessed in this attack included:

  • Names
  • Social Security Numbers
  • Birth dates
  • Addresses
  • Some driver’s license numbers
  • Credit card numbers for approx. 209,000 consumers
  • Dispute documents with personally identifying information (PII) for approx. 182,000 consumers
  • Limited PII for some UK and Canadian residents

Once Equifax discovered the unauthorized access they closed the vulnerability in their web application. They then called in a “…leading, independent cybersecurity firm” that has been doing a forensic review to determine what data was compromised and how much of it the “criminals” actually got. Equifax has also called in law enforcement and is still working with authorities.

Equifax has taken steps to help consumers find out whether they could have been impacted by the attack and to sign up for free credit monitoring and identity theft protection through TrustedID Premier, Equifax’s own product. The monitoring includes:

  • 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports
  • Copies of Equifax credit reports
  • The ability to lock and unlock Equifax credit reports
  • Identity theft insurance of 1 million dollars
  • Internet scanning for Social Security numbers

Equifax recommends that anyone with additional questions visit www.equifaxsecurity2017.com or call their call center at 866-447-7559, which is open from 7:00 a.m. to 1:00 a.m. Eastern Time. They are also going to send mail notices to anyone whose dispute documents with PII or credit card numbers were impacted. They have started to reach out to state and federal regulators and have sent written notices to all state attorneys general that include Equifax contact information for regulator inquiries.

“Equifax has engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.”

The quote above is the last statement Equifax makes about the incident on their site; the rest is an About Equifax section, Forward-Looking Statements, and a contact for Ines Gutzmer in Corporate Communications.

This points out that they didn’t see enough need to protect their company and other people’s PII to pay someone to double-check their cybersecurity work before the breach. It also raises the question of why it took them so long to notice a breach affecting nearly HALF of all American citizens. We depend heavily on the credit reporting agencies to protect our data, since good credit is so vital in today’s society.

It is true that the scope of this pales in comparison to the Yahoo breach of 2014, but the major difference is that the Yahoo breach, while inconvenient, didn’t necessarily give away PII for all 1 billion accounts, or for that matter most of them.

This attack is going to put nearly 44% of the US population at a higher risk of fraud and identity theft. It could very well ruin people’s lives and livelihoods, since some jobs do credit checks, getting a loan or a mortgage requires a credit check, and sometimes even renting a car can require one. This is the sort of leak we never want to happen.

Then let’s look at the overall response to the attack. It took nearly five weeks to let consumers know that their PII could have been leaked. The site www.equifaxsecurity2017.com uses a stock WordPress install, which is a problem because to sign up for Equifax’s ID theft protection on that site you must enter most of your Social Security number (everything but the first 3 digits) and your last name. A stock WordPress install doesn’t provide the level of site security that sort of information needs. The site wasn’t initially registered to Equifax, and Cisco OpenDNS was blocking it and warning that it was a suspected phishing site. Meanwhile the main Equifax site was displaying debug output after the disclosure, which for many reasons should never happen on a production server.

So, with the lackluster start, middle and finish to Equifax’s security, the question comes to mind: what should be done, and what could be done now, to fix these issues not only at Equifax but at the other credit reporting agencies, which by my best guess have the same level of cybersecurity Equifax did. I say did in the hope that they take the advice of the cybersecurity firm they hired, which they probably won’t, and have a much higher level of cybersecurity going forward.

Sources:

  1. https://www.equifaxsecurity2017.com/
  2. https://twitter.com/kennwhite/status/905988701670531072
  3. https://whois.domaintools.com/equifaxsecurity2017.com
  4. https://twitter.com/SwiftOnSecurity/status/906005134529966080
  5. https://www.equifax.com/cs7/faces/jspx/login.jspx

Ultrasonic attacks on Speech recognition systems

Researchers at Zhejiang University have run ultrasound experiments against speech recognition systems such as Siri, Google Now, Amazon’s Alexa and others to see whether voice commands modulated onto carriers of 20 kHz or higher would still be recognized. They named the method DolphinAttack.

The activation commands they tried were things like “OK Google”, “Alexa” and “Hey Siri”. The commands given after activation were things like “Open dolphinattack.com” and “Call 1234567890”. The experiment was run against 7 speech recognition systems on 16 different devices. The attack was successful on every system and every device, from various distances.

Some of the things that affected the attack were the command itself (“Call 1234567890” had much better results than “Open dolphinattack.com”), the distance from the device being attacked, and background noise. The longest-range attacks were on Siri on the iPhone 4 and on Alexa on the Amazon Echo; those two devices registered commands from over 6 feet away. For background noise, on the street the command “turn on airplane mode” succeeded only about 30% of the time, in a cafe it worked about 80% of the time, and in a quiet office it worked 100% of the time. The one thing that didn’t seem to affect the attack was the language the command was spoken in.

The proposed defenses are both hardware- and software-based. The researchers suggest that phone microphones be enhanced to suppress acoustic signals in the ultrasound range, so that the inaudible carrier never reaches the nonlinear stage of the microphone that demodulates it back into an audible command. The software-based defense they propose is a classifier that looks at the acoustic features of real voice commands versus modulated commands, which are distinct enough to tell apart.
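To make the mechanism concrete, here is an added simulation (my own example, not code from the Zhejiang paper or from any vendor) of why the hardware defense works. It amplitude-modulates a 500 Hz stand-in for a voice component onto a 24 kHz carrier, passes it through a microphone model with an assumed small quadratic nonlinearity (the term that demodulates the sidebands back to baseband), and band-limits the result the way a mic’s ADC path does. With the ultrasound-suppressing filter in front of the nonlinear stage the recovered 500 Hz component vanishes. Every constant (sample rate, carrier, modulation depth, nonlinearity coefficient, filter shape) is an assumed illustrative value, not a figure from the paper.

```python
import math
import cmath

# All constants below are assumed, illustrative values (not from the paper).
FS = 192_000          # "analog domain" sample rate so a 24 kHz carrier is representable
N = 3840              # analysis window: 20 ms = 10 cycles of 500 Hz, 480 cycles of 24 kHz
WARMUP = 64           # extra leading samples so filter start-up transients are not analysed
F_VOICE = 500.0       # stand-in for a voice component the recognizer listens for
F_CARRIER = 24_000.0  # ultrasonic carrier: above hearing, inside the mic's analog bandwidth
MOD_INDEX = 0.5       # amplitude-modulation depth
MIC_ALPHA = 0.1       # assumed quadratic (second-order) nonlinearity of mic + pre-amp


def modulated_attack_signal():
    """The DolphinAttack-style waveform: baseband 'voice' AM-modulated onto an
    ultrasonic carrier. There is no energy below 20 kHz in this signal at all."""
    out = []
    for n in range(N + WARMUP):
        t = n / FS
        baseband = math.cos(2 * math.pi * F_VOICE * t)
        carrier = math.cos(2 * math.pi * F_CARRIER * t)
        out.append((1.0 + MOD_INDEX * baseband) * carrier)
    return out


def boxcar_lowpass(x, length=8, stages=2):
    """Cascaded moving-average low-pass. At 192 kHz a length-8 boxcar nulls 24 kHz
    and 48 kHz exactly, attenuates the 23.5/24.5 kHz sidebands by ~33 dB per stage,
    and passes 500 Hz with <0.1% loss. It stands in for any band-limiting filter."""
    y = list(x)
    for _ in range(stages):
        window = [0.0] * length   # circular buffer of the last `length` inputs
        acc = 0.0
        out = []
        for i, v in enumerate(y):
            acc += v - window[i % length]
            window[i % length] = v
            out.append(acc / length)
        y = out
    return y


def microphone(x, alpha=MIC_ALPHA):
    """Mic/pre-amp model: linear term plus a small quadratic term. Squaring the AM
    signal yields (1 + 2*m*b + ...)/2 at baseband, i.e. the hidden voice signal."""
    return [v + alpha * v * v for v in x]


def tone_amplitude(x, freq):
    """Amplitude at one DFT bin of the last N samples (freq is an integer number of
    cycles in N, so the components we care about do not leak into each other)."""
    k = round(freq * N / FS)
    seg = x[-N:]
    acc = 0j
    for n, v in enumerate(seg):
        acc += v * cmath.exp(-2j * math.pi * k * n / N)
    return 2.0 * abs(acc) / N


def recovered_voice_amplitude(suppress_ultrasound_first):
    """Amplitude at F_VOICE that the recognizer ends up seeing.
    suppress_ultrasound_first=True models the proposed hardware defense: remove
    ultrasound BEFORE the nonlinear stage. The trailing low-pass models the
    anti-alias/band-limit that every mic-to-ADC path has anyway."""
    x = modulated_attack_signal()
    if suppress_ultrasound_first:
        x = boxcar_lowpass(x)
    y = boxcar_lowpass(microphone(x))
    return tone_amplitude(y, F_VOICE)


if __name__ == "__main__":
    raw = modulated_attack_signal()
    print("raw attack waveform, 500 Hz :", tone_amplitude(raw, F_VOICE))
    print("raw attack waveform, 24 kHz :", tone_amplitude(raw, F_CARRIER))
    print("after mic, no defense       :", recovered_voice_amplitude(False))
    print("after mic, ultrasound cut   :", recovered_voice_amplitude(True))
```

Run it and compare the two “after mic” numbers. The raw attack waveform has no energy at 500 Hz, so there is nothing in the audible band to filter out after the fact; the command only appears once the quadratic term has mixed the sidebands down, which is why the suppression has to sit in front of that stage rather than in the audio pipeline behind it.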

Sources:

  1. https://endchan.xyz/.media/50cf379143925a3926298f881d3c19ab-applicationpdf.pdf
  2. http://www.securityweek.com/siri-alexa-google-now-vulnerable-ultrasound-attacks

Pacemaker firmware update needed

Pacemaker firmware update needed on almost half a million pacemakers.

On Aug. 23rd, 2017 the FDA issued a recall of 465,000 pacemakers over the risk that they could be hacked. All the pacemakers in the recall are made by Abbott (formerly St. Jude Medical); the affected devices are listed below1:

  • Accent
  • Anthem
  • Accent MRI
  • Accent ST
  • Assurity
  • Allure

The fix is simply to go to your physician or cardiologist and have a firmware update applied to the device over radio frequency. The update takes about 3 minutes, and the pacemaker operates in backup mode while it runs. The new firmware is currently available for pacemakers already implanted and is pre-loaded on devices manufactured after August 28, 2017.

The vulnerability this firmware update fixes allowed an unauthorized user with commercially available equipment to access a patient’s implanted pacemaker. That access could be used to modify the device’s programming, which could result in rapid battery depletion or incorrect pacing and harm the patient. At the time of this writing there are no known reports of patient harm related to these vulnerabilities.

Source:

  1. https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm

Did you download Sarahah?

Did you download Sarahah? Well they might have all your contacts.

Sarahah means honesty in Arabic; well, they may not be being so honest with you. When you installed the app it could silently upload all your contact info to the company’s servers for no apparent reason. This was first spotted by security analyst Zachary Julian in late August 2017. On Android it initially didn’t prompt or ask for permission to do this; it just did it when you logged on. On newer Android versions it does ask for permission to access contacts. On iOS devices it always had a prompt to access contacts.

When The Intercept reached out to the app’s creator, Zain al-Abidin Tawfiq, he didn’t respond. After they first posted their story, he responded via Twitter saying that the functionality would be removed and that it was originally part of a find-your-friends feature. He also stated that the feature was stymied by “technical issues” and that a partner he no longer works with was supposed to remove it but must have “missed that”. He also claims that the server no longer has that functionality, but there is no way to verify that.

We will see over the coming days whether Mr. Tawfiq is true to his word and removes the functionality from the app, or whether it remains.

Sources:

  1. https://theintercept.com/2017/08/27/hit-app-sarahah-quietly-uploads-your-address-book/

Home Routers and Data collection.

Earlier this year Netgear put out a notice that the new firmware for their Nighthawk routers would start collecting analytics data about the router and the traffic going through it. This data includes1:

  • information regarding the router’s running status,
  • number of devices connected to the router,
  • types of connections,
  • LAN/WAN status,
  • WiFi bands and channels,
  • IP address, MAC address, serial number,
  • similar technical data about the functioning and use of the router and its WiFi network.

Netgear says it collects this data only to:

  • isolate and debug general technical issues,
  • improve router features and functionality,
  • improve the performance and usability of NETGEAR routers.

For example, such data may help NETGEAR get any early notification of Internet or WiFi disconnects in a firmware and help identify root causes in order to fix them quickly.1

This isn’t too much of a problem if it is true, but for the security-cautious I recommend disabling this functionality, because there is no reason for them to have all that data for the issues they say they are looking into. Why would they need the IP address, MAC address or serial number of a connected device?

To opt out, you can check the opt-out option right after installing the new firmware. If you have already installed the firmware and didn’t opt out, you can still do so by following the steps below2.

  1. Launch a web browser from a computer or mobile device that is connected to the network.
  2. Enter http://www.routerlogin.net. A login window opens.
  3. Enter the router user name and password. The user name is admin and the default password is password; both are case-sensitive. The BASIC Home page displays.
  4. Select ADVANCED > Administration > Router Update. The Router Update page displays.
  5. Scroll down to the Router Analytics Data Collection section.
  6. To disable router analytics data collection, select the Disable radio button (to enable it, select Enable). To view the type of data that might be collected, click the router analytics data link.
  7. Click the Apply button. Your settings are saved.

If admin/password still gets you in at step 3, change that password while you are in there; the default credentials are well known and are the first thing anyone poking at your router will try.

The other router company we are going to look at is ASUS and their router firmware, ASUSWRT. They have a really neat function for prioritizing devices in your house using QoS to make sure that streaming devices get network priority. This is nice for making sure all of your video and TV content comes through smoothly, but there is a huge catch. They collect and transmit data about websites you visit to Trend Micro if you use any of the features listed below that are part of ASUSWRT3:

  • Apps/traffic Analysis
  • Bandwidth Monitor
  • Network Analyzer
  • Network Protection (AiProtection), blocks known malware domains
  • Parental Controls, including time scheduling
  • Quality-of-Service
  • Web History

When you use any of the above functions you are presented with an EULA from Trend Micro to read and agree to. At the end of the EULA you find the “Privacy” section. Below are some snippets from that EULA3:

“[…] certain information (“Forwarded Data”) to be sent to Trend Micro-owned or -controlled servers for security scanning and other purposes as described in this paragraph. This Forwarded Data may include information on potential security risks as well as URLs of websites visited that the Software deem potentially fraudulent and/or executable files or content that are identified as potential malware. Forwarded Data may also include email messages identified as spam or malware that contains personally identifiable information or other sensitive data stored in files on Your router. […]”

[…] “Trend Micro reserves the title, ownership and all rights and interests to any intellectual property or work product resulting from its use and analysis of Forwarded Data.”

The EULA also holds the device’s owner responsible for notifying anyone else using the router that their network data may be recorded and shared with Trend Micro.

So for the two facts above I would recommend NOT even buying an ASUS router, and if you already have one I recommend that you very quickly flash the firmware over to DD-WRT if your model is compatible; you can check compatibility here: https://www.dd-wrt.com/wiki/index.php/Supported_Devices. If it is not compatible, I recommend you go buy something else if you can.

Sources:

  1. https://kb.netgear.com/000038663/What-router-analytics-data-is-collected-and-how-is-the-data-being-used-by-NETGEAR
  2. https://kb.netgear.com/000038661/How-do-I-Enable-Disable-Router-Analytics-Data-Collection
  3. https://ctrl.blog/entry/review-asuswrt

TheShadowBrokers Data Dump of the Month club

Welcome to the TheShadowBrokers Data Dump of the Month

On May 15th TheShadowBrokers group announced in a blog post that they were going to introduce a hack of the month club, which they compared to a wine of the month club: they sell you a membership and you get an unknown number and unknown type of exploits. It could be anything from web browser, router and handset exploits and tools to compromised network data from North Korean nuke and missile programs.

On May 29th the group tweeted out a PGP-signed message that tells you how to subscribe, how to pay, and their price. They will be using ZEC (Zcash) for the transaction, a newer cryptocurrency derived from Bitcoin that adds shielded (private) transactions, though they admit they don’t necessarily trust it. The instructions are:

#1 – Between 06/01/2017 and 06/30/2017 send 100 ZEC (Zcash) to this z_address: zcaWeZ9j4DdBfZXQgHpBkyauHBtYKF7LnZvaYc4p86G7jGnVUq14KSxsnGmUp7Kh1Pgivcew1qZ64iEeG6vobt8wV2siJiq

#2 – Include a “delivery email address” in the “encrypted memo field” when sending Zcash payment

#3 – If #1 and #2 then a confirmation email will be sent to the “delivery email address” provided

#4 – Between 07/01/2017 and 07/17/2017 a “mass email” will be sent to the “delivery email address” of all “confirmed subscribers” (#1, #2, #3)

#5 – The “mass email” will contain a link and a password for the June 2017 dump

ZEC to USD was approximately 1 ZEC to US $235.71 on CoinGecko.com at the time of writing, so joining the club costs approximately US $23,571 for something you don’t know the contents of. This will obviously limit who gets first access to the tools, since the average person doesn’t have that sort of money lying around, and even TheShadowBrokers admit this. They say in the PGP message that it’s for high rollers, hackers, security companies, OEMs, and governments.

So what’s in it? Who knows, but it will be interesting for sure when “thepeople” see what they have to lay bare to the world for such a steep price.

Sources:

  1. https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition
  2. https://twitter.com/shadowbrokerss/status/869436313057075200
  3. https://steemit.com/shadowbrokers/@theshadowbrokers/theshadowbrokers-monthly-dump-service-june-2017
  4. https://www.coingecko.com/en/price_charts/zcash/usd