Security News – wk4 Jan 2016

Backdoors seem to be the order of the day: SEC Consult in Austria have found what they term a “deliberately hidden backdoor account” in NX-1200, a network controller appliance for conference rooms manufactured by AMX, which is used by governmental and military bodies (even the US White House), educational and healthcare institutions, hotels and conference centers all over the US. 30+ other products from AMX also contain the same backdoor, a function which sets up an account in the internal database, one which includes features ( not even available to the sysadmin ) like packet capturing on network interfaces. After they contacted AMX and shared their finding, the company shipped a fix for the backdoor after seven months. Unfortunately, as the researchers found, the fix removed the BlackWidow backdoor account and created another one named “1MB@tMaN,” with the exact same capabilities. All your data is ours!

Web-based password managers are fantastic for keeping track of passwords and automating the login function to websites and apps. But consider that all your passwords are now in one place, online and subject to the security abilities of the website maintainers. Sean Cassidy from Praesidio has demonstrated how easy it is to steal a user’s email, password and 2-factor authentication code via a simple phishing attack. The attack, called LostPass, takes advantage of notifications in the browser viewport area and XSS and CSRF issues, resulting in the exploitation of the user’s details. I also use a password manager as it’s pretty much indispensable if you need to maintain large amounts of passwords, but rather than an online app that is subject to a lot of potential attacks, I use a local application that limits the opportunity for exploits. Not foolproof but a lot better than keeping your valuables online.

If you’ve seen Craig Heffner’s fantastic ( what I call seminal ) Defcon talk in 2012 on hacking millions of routers, you’ll have some idea of how bad these consumer devices are at security. I’ve written myself on a few occasions about the inherent issues with these devices. A new variant of the TheMoon worm is taking advantage of weaknesses in HNAP ( Home Network Administration Protocol ) and is delivered via one of five dating sites apparently controlled by the same person. There’s no C&C server at the moment but that’s not to say it won’t change. Craig touched on HNAP in his talk and that was already 4 years ago. The fact that we’re still having problems in this area is testament to how little consideration router vendors give to security. Many of these router attacks rely on default IP addresses and username/password combinations, so this is something that needs changing immediately after you purchase and install one of these. Beyond that, HNAP and UPnP should be switched off.

Oracle have released their Critical Patch Update ( CPU ) for Jan 2016 and it includes 248 fixes for vulns. This covers a range of applications from Java, to JDE, WebLogic and MySQL. I’ve always been critical of Oracle’s patch procedure – they only provide updates quarterly, leading to long periods of time where applications could be exploited. It’s important to look at WAFs and DB security systems to tide you through the lean times.

The Magento CMS has 2 pretty serious XSS bugs that can lead to compromise of the ecommerce store and server-side execution of JavaScript. Update now.

Finally, FACC, which produces components and systems for aircraft manufacturers, is about 50 million Euro poorer after hackers managed to attack it. It’s suspected, based on information gained so far, that the company may have been a victim of BEC ( business email compromise ) – BEC is a sophisticated scam performed by members of organized crime groups from Africa, Eastern Europe, and the Middle East. They usually target businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scammers impersonate a supplier, a high-level executive with the firm, or a firm’s employee by hacking or spoofing their email accounts. From those accounts, they send requests to the firm’s employee(s) in charge of making payments to wire a payment to a bank account belonging to the scammers, usually set up with a Chinese bank.

That’s all folks!