
Security measure against hacking implantable medical device

Posted by Tahir 22 August, 2008 (0) Comment

Scientists have finally worked out a “cloaking” device, or shield, for existing Implantable Cardioverter Defibrillator (ICD) devices, following a report detailing weaknesses in their communications mechanism that can lead to leakage of patient information and risk to life. ICDs are similar to pacemakers and are used by heart patients to slow down the heart.

Earlier this year, in May, a team of researchers was able to exploit a weakness in the wireless communications protocol used by ICDs operating in the 175kHz frequency range. The research team intercepted the wireless signals used to communicate with the ICD, reprogrammed them, and even retrieved patient information. The complete research can be found here (pdf).

Figure: Communications between an ICD and ICD Programmer (computer)

The cloaking device, invented by Dr Tamara Denning, a computer scientist at the University of Washington in Seattle, is designed to resist any instructions that do not come from the doctor. The device itself is wearable like a wristwatch; technical details of how it works have not been released.

Is this really a practical solution? Not everyone thinks so:

However, Dr William Maisel of Harvard University, who led the pacemaker hacking experiment earlier this year, said the cloaker was unrealistic.

In an emergency, a cloaker could be hidden in clothing and be hard for doctors to find.

‘You’re asking hundreds of thousands or millions of people to wear something every day for a theoretical risk,’ he said.


Categories: general, news

Justice for largest hacking case ever

Posted by Tahir 6 August, 2008 (0) Comment

CNN is reporting that 11 people were charged yesterday with allegedly stealing more than 40 million credit and debit card numbers. The hacking incidents attributed to the accused took place at various major retail outlets in the USA over the past three years.

The defendants come from the U.S., Estonia, Belarus and China, with one individual whose country of origin still remains unknown.

From the report:

Under the indictments, three Miami, Florida, men — Albert “Segvec” Gonzalez, Christopher Scott and Damon Patrick Toey — are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall’s and T.J. Maxx, BJ’s Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.

The three men installed “sniffer” programs designed to capture credit card numbers, passwords and account information as they moved through the retailers’ card processing networks, said Michael Sullivan, the U.S. attorney in Boston.



Categories: news, opinions

New tool simplifies DNS exploitation further

Posted by Tahir 1 August, 2008 (1) Comment

DNS Multiple Race Exploiter simplifies exploitation of the latest DNS vulnerability and even attempts to poison patched servers. According to the author:

Patched DNS servers randomize the UDP source port number; however, that will not eliminate the flaw, it will only increase the time required to poison the cache. Poisoning unpatched systems would take a period of seconds, whereas poisoning patched systems would take a period of hours.

Unlike the previously released tools, which work by poisoning uncached “NS” and “A” records, this tool can overwrite any A record by using a CNAME response.

The tool uses a static TTL of 0x7BEDABED in all spoofed replies, which should be sufficient to create an IDS/IPS signature to protect against the script kiddies out there.

/* CNAME resource record placed directly after the header, the question name and the query RR */
cname_rr = (struct cname_RR *) (payload + sizeof(struct dns_hdr) + hostname->size + sizeof(struct query_RR));
cname_rr->name = htons(0xC00C);        /* compression pointer to the question name at offset 12 */
cname_rr->type = htons(0x0005);        /* CNAME */
cname_rr->clss = htons(0x0001);        /* IN */
cname_rr->ttl = htonl(0x7BEDABED);     /* fixed TTL, the value usable as an IDS/IPS signature */
cname_rr->length = htons(entryname->size);
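A detection-side counterpart to the snippet above, added here as an illustration (it is not code from the tool or from this post): a small Python parser that walks the resource records of a DNS response, following name compression pointers such as the 0xC00C above, and flags any record whose TTL equals the fixed 0x7BEDABED value the post proposes as a signature. The sample packets are constructed inline with example.com/example.net names; the function and constant names are mine.

```python
import struct

# TTL value the tool described above hard-codes in every spoofed reply;
# the post suggests it as the basis for an IDS/IPS signature.
SPOOFED_TTL = 0x7BEDABED
TYPE_A, TYPE_CNAME, CLASS_IN = 1, 5, 1


def _read_name(msg, offset, max_hops=16):
    """Decode a DNS name at offset, following compression pointers.

    Returns (dotted_name, offset_after_the_name_field). Pointer chains are
    capped so a malformed packet cannot loop forever.
    """
    labels = []
    end = None           # position right after the name as written in the packet
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # 2-byte compression pointer
            if end is None:
                end = offset + 2
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:                            # root label terminates the name
            if end is None:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_records(msg):
    """Parse a DNS message; return (name, type, class, ttl, rdata) for every
    resource record in the answer, authority and additional sections."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):                       # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    records = []
    for _ in range(ancount + nscount + arcount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return records


def flag_spoof_signature(msg):
    """Return the owner names of records carrying the tool's fixed TTL."""
    return [name for name, _t, _c, ttl, _r in parse_records(msg) if ttl == SPOOFED_TTL]


# --- constructed sample packets (not captures of real traffic) ---

def _encode_name(name):
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"


def build_cname_response(qname, target, ttl, txid=0x1234):
    """Build a minimal response: one A question, one CNAME answer whose owner
    name is the pointer 0xC00C, i.e. the same layout as the C snippet above."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = _encode_name(target)
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_CNAME, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


SAMPLE_SPOOFED = build_cname_response("www.example.com", "alias.example.net", SPOOFED_TTL)
SAMPLE_BENIGN = build_cname_response("www.example.com", "alias.example.net", 300)

if __name__ == "__main__":
    print("spoofed sample flags:", flag_spoof_signature(SAMPLE_SPOOFED))
    print("benign sample flags: ", flag_spoof_signature(SAMPLE_BENIGN))
```

The same walk over `parse_records` is where a real sensor would add the other checks worth having against this class of tool: a response whose CNAME owner is a name the resolver never asked for, or an unusual volume of replies for one transaction ID.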


Categories: general, news

Vietnam’s No.2 webhost restores services after security breach

Posted by Tahir 31 July, 2008 (0) Comment

PA Vietnam, a Vietnam Government affiliate and the second largest hosting company in the country, saw over 10,000 websites crippled after the provider’s .COM and .NET Top Level Domain (TLD) names were hijacked by attackers on Sunday, 27th of July. The crippled websites used the provider’s domain name servers (DNS), which were registered under the hijacked domains.

According to VNCERT, the country’s National Computer Emergency Response Team:

“It’s believed the hackers broke in through a hole in DNS to control the administration,”
– Do Ngoc Duy Trac, VNCERT Technical Branch Chief


Categories: general, news

RF Barrier Helps Deter Wardrivers

Posted by Tahir 28 July, 2008 (1) Comment

Meru Networks has introduced RF Barrier, a solution to the wardriving threat that uses wireless technology itself to produce a barrier protecting corporate wireless networks.

The RF Barrier system involves mounting a specialized wireless access point on the inside of the wireless perimeter, with an advanced antenna extending to the outside of the perimeter. The system inspects the traffic in real time to differentiate “sensitive” (internal) traffic from outside traffic. Sensitive traffic is protected by simultaneously transmitting harmless but stronger RF waves through the external antenna. The stronger RF waves degrade the sensitive traffic outside the internal wireless perimeter, leaving wardrivers with very weak or no signals to work with.

The official press release states:

RF Barrier is the first solution using exclusively 802.11 technology to offer wireless perimeter protection for organizations with regulatory requirements or policies regarding data privacy, such as retailers, financial and government institutions, manufacturers and health-care organizations. RF Barrier protects clients with legacy security mechanisms, such as handhelds and scanners equipped only with WEP or WPA/TKIP, as well as modern WPA2- and EAP-based networks, where it helps prevent the exposure of potentially exploitable information such as user identities. Furthermore, it provides physical wireless security in remote branch offices where no IT personnel are present to detect or stop an attack from outside the site’s physical boundaries.



Categories: general, news, opinions

Emirates Skywards accounts leaked on the net

Posted by Tahir 26 July, 2008 (4) Comment

It is not unusual to come across stolen identities on the web and this one is no exception. I came across a post in an underground forum listing a bunch of Emirates Skywards accounts. I picked a random account to verify the claims and the rest is pictured below:

Figure 1: Skywards/Emirates account main page

Figure 2: Saved credit card information

Figure 3: Skywards member personal information

After going through the list, I reckon the accounts were compromised as a result of brute force attacks given the relative serial order of the listed accounts, and the inadequate authentication controls available on emirates.com.

Skywards members: update your passwords now!


Categories: general, news

Metasploit: DNS exploit code now available

Posted by Tahir 25 July, 2008 (1) Comment

The Metasploit team has published two modules that exploit the recently announced DNS flaw. These are named “DNS BailiWicked Host Attack”, for injecting individual uncached host records into the target nameserver’s cache, and “DNS BailiWicked Domain Attack”, for replacing a target domain’s nameserver records in a target nameserver’s cache.

The above two modules require that you run Metasploit Framework from the “trunk” development branch, which is currently only supported on the Linux platform.

Here’s more from the official blog:

The first flaw is that since DNS (over UDP) is connectionless, it can easily be spoofed. The original primary mitigation against this was to make use of a 16-bit transaction ID which is used to correlate requests and replies, and that the attacker would have to guess in order to correctly spoof a reply packet. This makes spoofing harder, but not an insurmountable task; you just need to be able to send a whole lot of packets to eventually get one right and match the transaction ID chosen for the request packet.

The second flaw was that additional records would be inserted into the cache which were included in replies from another nameserver. This is core protocol functionality, however the original problem was somewhat mitigated by creating the in-bailiwick constraints that essentially limits the domain space for additional records that could be sent in the replies to hostnames from a given domain. Sounds reasonable; this prevents nameservers from doing malicious things to records in domains that they weren’t queried for or aren’t authoritative for, while still allowing nameservers who are authoritative for a domain to update the records they need to.

When you combine the attacks for these two flaws however, and introduce nameserver query recursion, an attacker can essentially cause the target nameserver to make as many queries as the attacker wants while also pretending to be the authoritative nameserver and spoofing the responses, achieving the birthday attack against the transaction ID and successfully updating the nameserver record for a domain to point to a malicious nameserver address. You can also use this trick to inject cache entries for individual hostname records as long as those hostnames are both not already cached, and also in-bailiwick.
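To make the two mitigations in the quoted explanation concrete from the resolver's side, here is an added Python illustration (not Metasploit's code, and not any real resolver's implementation): a reply is accepted only if it matches an outstanding query by transaction ID and destination port and repeats the same question, and only in-bailiwick records from it are kept. The `Query`/`Reply` classes, `accept_reply`, `in_bailiwick` and the constructed scenario are my own assumptions. It also shows why the first check has to carry the weight: with a fixed source port the lookup key has only the 16 bits of the transaction ID, and an in-bailiwick nameserver record still passes the bailiwick check, which is exactly the combination the explanation above describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    """An outstanding recursive query as the resolver remembers it."""
    txid: int        # 16-bit transaction ID
    src_port: int    # UDP source port the query left from
    qname: str
    qtype: int


@dataclass(frozen=True)
class Reply:
    """A reply as seen on the wire (already parsed)."""
    txid: int
    dst_port: int
    qname: str
    qtype: int
    records: tuple   # (owner_name, rtype, rdata) from answer/authority/additional


def in_bailiwick(zone, name):
    """True when name is zone itself or lies below it (label-wise, case-insensitive)."""
    z = zone.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def accept_reply(pending, reply, zone):
    """Decide whether a reply may update the cache.

    pending maps (txid, port) to the Query that was sent; modelling the port
    as part of the key is what source-port randomization adds to the 16-bit
    transaction ID. zone is the zone the queried server is authoritative for,
    which bounds the records we accept from it.
    Returns (accepted, reason, records_to_cache).
    """
    query = pending.get((reply.txid, reply.dst_port))
    if query is None:
        return False, "no outstanding query with this transaction ID and port", ()
    if (query.qname.lower(), query.qtype) != (reply.qname.lower(), reply.qtype):
        return False, "question section does not match the query", ()
    kept = tuple(r for r in reply.records if in_bailiwick(zone, r[0]))
    dropped = len(reply.records) - len(kept)
    return True, f"accepted, {dropped} out-of-bailiwick record(s) dropped", kept


# Constructed scenario (not real traffic): one query in flight for www.example.com (A).
PENDING = {(0x1A2B, 54321): Query(0x1A2B, 54321, "www.example.com", 1)}

GENUINE = Reply(0x1A2B, 54321, "www.example.com", 1, (
    ("www.example.com", 1, "192.0.2.10"),       # answer, in bailiwick
    ("ns.example.com", 1, "192.0.2.53"),        # glue, in bailiwick: cached
    ("www.example.net", 1, "192.0.2.99"),       # unrelated zone: must not be cached
))
WRONG_TXID = Reply(0x1A2C, 54321, "www.example.com", 1, GENUINE.records)
WRONG_PORT = Reply(0x1A2B, 1025, "www.example.com", 1, GENUINE.records)

if __name__ == "__main__":
    for label, r in (("genuine", GENUINE), ("wrong txid", WRONG_TXID), ("wrong port", WRONG_PORT)):
        print(label, accept_reply(PENDING, r, "example.com"))
```

Note that `ns.example.com` is kept: a nameserver record for the zone itself is in bailiwick by definition, so the bailiwick rule cannot stop a reply that carries the right transaction ID and port, which is why randomizing the port (and limiting how many guesses a spoofer gets per query) is the effective fix.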



Categories: compliance, general, news

IT Assurance Framework introduced

Posted by Tahir 24 July, 2008 (0) Comment

ISACA today introduced ITAF: A Professional Practices Framework for IT Assurance, targeting IT auditing and assurance professionals. The official release states:

ITAF™ consists of compliance and good-practice-setting guidance that:

  • Provides guidance on the design, conduct and reporting of IT audit and assurance assignments
  • Defines terms and concepts specific to IT assurance
  • Establishes standards that address IT audit and assurance professional roles and responsibilities, knowledge, skills and diligence, conduct, and reporting requirements

Figure 1: The ITAF Structure

More info here


Categories: compliance, general, news

The biggest security patch release in Internet history

Posted by Tahir 9 July, 2008 (3) Comment

Security concerns truly bind us all together, and this is very much applicable in the electronic world. Yesterday saw the release of software patches from almost every major operating system and network device vendor that fix a critical vulnerability in the Domain Name System (DNS). This was a well-coordinated release for a vulnerability first discovered almost six months ago by Dan Kaminsky of IOActive.

The specifics of the vulnerability are not being disclosed; however, it is being described as an inherent design flaw which allows DNS poisoning (false DNS information being cached by a DNS server and served to clients requesting it) by using predictable transaction IDs and source port numbers. This could potentially lead visitors trying to access their everyday websites to be redirected to phishing or malicious websites.

The patch deployment process itself is going to take a while for bigger DNS installations; expect some phishing attacks to target end-users within days. As of this writing, my ISP in Dubai is vulnerable according to Dan Kaminsky’s script that checks for the flaw in DNS servers.

For now, a good workaround is to use a third-party DNS service such as OpenDNS, which is not vulnerable to the discovered flaw.

NIST CVE-2008-1447 has more details and links to vendor patches.


Categories: general, news

iPhone “exploit development” support toolkit released

Posted by Tahir 17 June, 2008 (0) Comment

Core Security Technologies has launched an iPhone debugger for native iPhone processes and libraries. Here’s the email sent out to the SecurityFocus mailing lists:

———- Forwarded message ———-
From: Nicolas A. Economou <lists@corest.com>
Date: Tue, Jun 17, 2008 at 6:09 PM
Subject: iPhoneDbg Toolkit
To: pen-test@securityfocus.com, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, focus-apple@securityfocus.com

Hello!

We are proud to announce the release of the iPhoneDbg Toolkit, an effort towards iPhone exploit development.

You can find it here:
http://oss.coresecurity.com/projects/iphonedbg.html.

- What is the iPhoneDbg Toolkit?

This set of tools will enable you to delve into iPhone Binary Reversing.

* The iPhone Debugger allows you to debug running or newly-created native processes inside iPhone (iphonedbg).
* The Library Loader Patcher will allow to debug iPhone libraries (dyld_patcher).
* You can also build a tunnel from your PC to your iPhone through USB (iphone_tunnel.exe).

Thanks!
Nicolas (*)

Open Source Software
Core Security Technologies

—–
(*) I am a semi-senior exploit writer at Core Security Technologies. I’ve been working in computer security for 3 years and I specialize mostly in Windows exploits and the development of exploit writing tools. I have also developed some exploits for Linux and MacOS X.


Categories: general, news