Category Archives: Security

AVIATION-RELATED PHISHING PASSWORDS

Facebooktwittergoogle_plusredditpinterestlinkedinmail

A wave of email-based phishing campaigns is targeting airline consumers with messages that contain malware that infects systems or links to spoofed airline websites that are personalized to trick victims into handing over personal or business credentials.

“Over the past several weeks, we have seen a combination of attack techniques. One, where an attacker impersonates a travel agency or someone inside a company. Recipients are told an email contains an airline ticket or e-ticket,” said Asaf Cidon, vice president, content security services at Barracuda Networks. Attachments, he said, are documents rigged with malware or are designed to download it from a command and control server.

Cidon said other aviation-themed phishing attacks contain links to spoofed airline sites. In these types of attacks, adversaries go to great lengths to spoof the airline’s site. In addition, attackers personalize the landing page with the target’s personal information in hopes of coaxing them to log in with either their company or airline username and password.

“It’s clear there is some degree of advanced reconnaissance that takes place before targeting individuals within these companies,” Cidon said.

Recent phishing campaigns, he said, are targeting logistic, shipping and manufacturing industries.

Barracuda’s warning comes a week after the U.S. Computer Emergency Readiness Team issued an alert of similar attacks targeting airline consumers. It warned email-based phishing campaigns were attempting to obtain credentials as well.

“Systems infected through phishing campaigns act as an entry point for attackers to gain access to sensitive business or personal information,” according to the US-CERT warning.

The US-CERT warning was based on concerns Delta Air Lines had over a rash of fake websites designed to confuse consumers.

“Delta has received reports of attempts by parties not affiliated with us to fraudulently gather customer information in a number of ways including: fraudulent emails, social media sites, postcards, Gift Card promotional websites claiming to be from Delta Air Lines and letters or prize notifications promising free travel,” according to the Delta Air Lines warning.

Delta said some victims were sent emails that claimed to contain invoices or receipts inside attached documents. Attachments contained either dangerous viruses or links to websites that downloaded malware onto a victim’s computer.

When asked about the warning, Delta declined to comment.

More troubling to Barracuda researchers was the success rate adversaries are having with phishing campaigns it is tracking.

“Our analysis shows that for the airline phishing attack, attackers are successful over 90 percent of the time in getting employees to open airline impersonation emails,” Cidon wrote in a research note posted Thursday. “This is one of the highest success rates for phishing attacks.”

In June, Microsoft Malware Protection Center reported a resurgence in the use of Office document macro attacks. Researchers say crooks attempting to install malware and perpetrate credential-harvesting attacks are more likely to use social engineering to trick people into installing malware than to exploit vulnerabilities with tools such as exploit kits.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Serious Bug Exposes Sensitive Data From Millions Sites Sitting Behind CloudFlare

Facebooktwittergoogle_plusredditpinterestlinkedinmail

A severe security vulnerability has been discovered in the CloudFlare content delivery network that has caused big-name websites to expose private session keys and other sensitive data.

CloudFlare, a content delivery network (CDN) and web security provider that helps optimize safety and performance of over 5.5 Million websites on the Internet, is warning its customers of the critical bug that could have exposed a range of sensitive information, including passwords, and cookies and tokens used to authenticate users.

Dubbed Cloudbleed, the nasty flaw is named after the Heartbleed bug that was discovered in 2014, but believed to be worse than Heartbleed.

The vulnerability is so severe that it not only affects websites on the CloudFlare network but affects mobile apps as well.

What is Cloudbleed?

Discovered by Google Project Zero security researcher Tavis Ormandy over a week ago, Cloudbleed is a major flaw in the Cloudflare Internet infrastructure service that causes the leakage of private session keys and other sensitive information across websites hosted behind Cloudflare.

CloudFlare acts as a proxy between the user and web server, which caches content for websites that sits behind its global network and lowers the number of requests to the original host server by parsing content through Cloudflare’s edge servers for optimization and security.

Almost a week ago, Ormandy discovered a buffer overflow issue with Cloudflare’s edge servers that were running past the end of a buffer and were returning memory containing private data like HTTP cookies, authentication tokens, and HTTP POST bodies, with some of the leaked data already cached by search engines.

“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” Ormandy wrote in a blog post that was also published Thursday. “We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

According to Ormandy, Cloudflare had code in its “ScrapeShield” feature that did something similar to this:

int Length = ObfuscateEmailAddressesInHtml(&OutputBuffer, CachedPage);
write(fd, OutputBuffer, Length);

But the company was not checking if the obfuscation parsers returned a negative value because of malicious HTML.

The Cloudflare’s “ScrapeShield” feature parses and obfuscates HTML, but since reverse proxies are shared among customers, it would affect all CloudFlare customers.

Ormandy contacted Cloudflare and reported it about his findings. The company identified the cause of the issue, and immediately disabled 3 minor Cloudflare features — Email obfuscation, Server-side Excludes, as well as Automatic HTTPS Rewrites — that were using the same HTML parser chain, which was causing the leakage.

Ormandy observed encryption keys, passwords, cookies, chunks of POST data, and HTTPS requests for the other leading Cloudflare-hosted websites from other users and immediately contacted Cloudflare.

Since CloudFlare patched the issue but did not notify customers by Wednesday of the data leak issue, Ormandy made public his findings on Thursday, following Project Zero’s seven-day policy for actively exploited attacks.

Following Ormandy’s public disclosure of the vulnerability on Thursday, CloudFlare confirmed the flaw, ensuring its customers that their SSL private keys were not leaked.

“Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug,” Cloudflare CTO John Graham-Cumming wrote in a blog post. “The bug was serious because the leaked memory could contain private information and because it had been cached by search engines.”

“We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information,” he added. “We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

 

The Root Cause of Cloudbleed:

The root cause of the Cloudbleed vulnerability was that “reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer.” 

“Had the check been done using >= instead of == jumping over the buffer end would have been caught,” said Cumming.

Cloudflare has also confirmed that the greatest period of impact was between February 13 and February 18 with almost one in every 3,300,000 HTTP requests via Cloudflare potentially resulting in memory leakage, which is about 0.00003% of requests.

However, the researcher argued that the DNS provider was double-dealing, claiming that the Cloudbleed vulnerability had existed for months, based on Google’s cached data.

How Does Cloudbleed Affect You?

There are a large number of Cloudflare’s services and websites that use parsing HTML pages and modify them through the Cloudflare’s edge servers.

Even if you do not use CloudFlare directly, that does not mean that you are spared. There is always a chance that websites you visit and web services you use may have been affected, leaking your data as well.

Of course, if you are using Cloudflare services in front of your site, the flaw could impact you, exposing sensitive information that flowed between your servers and end-users through CloudFlare’s proxies.

While CloudFlare’s service was rapidly patched the bug and has said the actual impact is relatively minor, data was leaking constantly before this — for months.

Some of this leaked data were publicly cached in search engines such as Google, Bing, Yahoo, who now removed it, but some engines like DuckDuckGo still host those data.

Also, other leaked data might exist in other services and caches throughout the Web, which is impossible to delete across all of these locations.

Cloudbleed Also Affects Mobile Apps

Cloudbleed also affects mobile apps, because, in many cases, the apps are designed to make use of the same backends as browsers for content delivery and HTTPS (SSL/TLS) termination.

Users on YCombinator have confirmed the presence of HTTP header data for apps like Discord, FitBit, and Uber by searching through DuckDuckGo caches with targeted search terms.

In an analysis conducted by NowSecure, the researchers have discovered some 200 iOS apps that identified as using Cloudflare services from a sampling of some 3,500 of the most popular apps on the app store.

There is always a possibility of someone discovering this vulnerability before Tavis, and may have been actively exploiting it, although there is no evidence to support this theory.

Some of the Cloudflare’s major customers affected by the vulnerability included Uber, 1Password, FitBit, and OKCupid. However, in a blog post published by 1Password, the company assured its users that no sensitive data was exposed because the service was encrypted in transit.

However, a list of websites that have potentially been impacted by this bug has been published by a user, who go by the name of ‘pirate,’ on GitHub, which also included CoinBase, 4Chan, BitPay, DigitalOcean, Medium, ProductHunt, Transferwise, The Pirate Bay, Extra Torrent, BitDefender, Pastebin, Zoho, Feedly, Ashley Madison, Bleeping Computer, The Register, and many more.

Since CloudFlare does not yet provide the list of affected services, bear in mind that this is not a comprehensive list.

What should You do about the Cloudbleed bug?

Online users are strongly recommended to reset their passwords for all accounts in case you have reused the same passwords on every site, as well as monitor account activity closely as cleanup is underway.

Moreover, customers who are using Cloudflare for their websites are advised to force a password change for all of their users.

Update: Uber representative reached out to me via an email and said their investigation revealed that the CloudBleed bug exposed no passwords of their customers. Here’s the statement provided by Uber:

“Very little Uber traffic actually goes through Cloudflare, so only a handful of tokens were involved and have since been changed. Passwords were not exposed.”

Facebooktwittergoogle_plusredditpinterestlinkedinmail

11-Year Old Linux Kernel Local Privilege Escalation Flaw Discovered

Facebooktwittergoogle_plusredditpinterestlinkedinmail
Another privilege-escalation vulnerability has been discovered in Linux kernel that dates back to 2005 and affects major distro of the Linux operating system, including Redhat, Debian, OpenSUSE, and Ubuntu.

Over a decade old Linux Kernel bug (CVE-2017-6074) has been discovered by security researcher Andrey Konovalov in the DCCP (Datagram Congestion Control Protocol) implementation using Syzkaller, a kernel fuzzing tool released by Google.

The vulnerability is a use-after-free flaw in the way the Linux kernel’s “DCCP protocol implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket.”

The DCCP double-free vulnerability could allow a local unprivileged user to alter the Linux kernel memory, enabling them to cause a denial of service (system crash) or escalate privileges to gain administrative access on a system.

“An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel,” full disclosure mailing list about the vulnerability reads.

DCCP is a message-oriented transport layer protocol that minimizes the overhead of packet header size or end-node processing as much as possible and provides the establishment, maintenance and teardown of an unreliable packet flow, and the congestion control of that packet flow.

This vulnerability does not provide any way for an outsider to break into your system in the first place, as it is not a remote code execution (RCE) flaw and require an attacker to have a local account access on the system to exploit the flaw.

Almost two months ago, a similar privilege-escalation vulnerability (CVE-2016-8655) was uncovered in Linux kernel that dated back to 2011 and allowed an unprivileged local user to gain root privileges by exploiting a race condition in the af_packet implementation in the Linux kernel.

The vulnerability has already been patched in the mainline kernel. So, if you are an advanced Linux user, apply the patch and rebuild kernel yourself.

OR, you can wait for the next kernel update from your distro provider and apply it as soon as possible.

Source: http://thehackernews.com/2017/02/linux-kernel-local-root.html
Facebooktwittergoogle_plusredditpinterestlinkedinmail

OPENSSL UPDATE FIXES HIGH-SEVERITY DOS VULNERABILITY

Facebooktwittergoogle_plusredditpinterestlinkedinmail

The OpenSSL Software Foundation released an update to the OpenSSL crypto library that patches a vulnerability rated high severity that could allow a remote attacker to cause a denial-of-service condition.

OpenSSL released the version 1.1.0e update that fixes flaws found in OpenSSL 1.1.0, according to the OpenSSL Security Advisory issued last week. The United States Computer Emergency Response Team also alerted system admins of the issue last week.

According to OpenSSL, the vulnerability occurs during a renegotiation handshake procedure. “If the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected,” according to the advisory.

OpenSSL is ubiquitous, in tens of thousands of commercial and homespun software projects. The open source project provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The technology is credited for keeping communications secure between endpoints by ensuring the identity of both parties.

According OpenSSL, the issue does not impact OpenSSL version 1.0.2. However, additional versions of OpenSSL, such as version 1.0.0 and 0.9.8, which are no longer supported, will also need updates. The bug, CVE-2017-3733, was reported by Red Hat’s Joe Orton on Jan. 31. The fix was developed by the OpenSSL team’s Matt Caswell.

OpenSSL deployments continue to be plagued by the Heartbleed vulnerability. The flaw persists today and can be found on almost 200,000 servers and devices, according to a recent report by the operators of Shodan search engine.

Earlier this month Ubuntu users were urged to update their operating system to address a handful of patched OpenSSL vulnerabilities (CVE-2016-7056 and CVE-2016-7055) which affect Ubuntu and its derivatives.

The OpenSSL toolkit is licensed under an Apache-style license and has the financial backing of firms such as The Linux Foundation, Microsoft, Facebook, Amazon, Dell and Google.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

President Donald Trump’s Website Hacked; Defaced By Iraqi Hacker

Facebooktwittergoogle_plusredditpinterestlinkedinmail
During the 2016 presidential election campaign, we reported about how insecure was the mail servers operated by the Trump organization that anyone with little knowledge of computers can expose almost everything about Trump and his campaign.

Now, some unknown hackers calling themselves “Pro_Mast3r” managed to deface an official website associated with President Donald Trump’s presidential campaign fundraising on Sunday.

The hacker, claiming to be from Iraq, reportedly defaced the server, secure2.donaldjtrump.com, which is behind CloudFlare’s content management system and security platform.

The server appears to be an official Trump campaign server, reported Ars, as the certificate of the server is legitimate, “but a reference to an image on another site is insecure, prompting a warning on Chrome and Firefox that the connection is not secure.

The defaced website displayed an image of a black hat man and included a text message, which reads:

Hacked by Pro_Mast3r ~
Attacker Gov
Nothing Is Impossible
Peace From Iraq

At the time of writing, the server is now offline, and there is no official statement from Trump-Pence campaign team yet.

According to a blog post published by Italian IT journalist Paolo Attivissimo, the source code of the defaced server does not contain any malicious script.

Instead, the server includes a link to javascript on a now-nonexistent Google Code account, ‘masterendi,’ which was linked to cyber attacks on three other sites in the past.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Your LinkedIn Profile Might Be The Source of Hacker Attacks

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Why is LinkedIn So Attractive to Hackers?
Here’s a look at LinkedIn through a hacker’s eyes. Conducting a search for a specific organization on LinkedIn will turn up any number of professionals’ profiles, some of which will include the person’s business e-mail address. Once a hacker has seen a few e-mail addresses for the same company, he’s learned the company’s e-mail address structure ([email protected] ) and can build an e-mail list of employees to target. In fact, hackers can successfully guess 50 to 60 percent of all employee email addresses using this method.

Next, the hacker will formulate a phishing or social engineering plan. Using his knowledge of your firm’s IT platforms, his scheme could take the form of an e-mail that directs his unsuspecting victims to a webpage requiring them to enter their username and password credentials, for example.

The hacker will avoid including IT staffers on his distribution list, as that’s too likely to raise red flags. But customer service, accounting, marketing, and human resources personnel make much more attractive targets. The hacker will create urgency and emotion with his request. And, finally, he’ll send out his bait, hook his targets and voilá: he’s gained a foothold, the first step to getting the access he needs to breach the network and steal valuable credit-card, social-security or other data stores. A company’s worst nightmare has just begun.

As a penetration tester, my best efforts result in me finding a vulnerability like this, and helping companies close this security gap before real hackers find their way through. The scariest part of this scenario is that any company with more than 100 employees is at risk for this kind of stealth attack from an ill-intentioned hacker who has made LinkedIn his or her best friend.

What’s a Business to Do?
So, now that you know why LinkedIn has unwittingly become a hacker’s BFF, what’s a business to do? Companies have competing priorities when it comes to social media and LinkedIn in particular. They want their employees out there promoting the company, recruiting new customers and talent and driving up online visibility. But they also have a driving need to protect their data—especially in regulated industries where a data breach could cost them not only reputation points and customer loyalty, but also countless dollars in fines.

As far as anyone can tell, however. LinkedIn is here to stay. Smart companies will accept this fact, and quickly and effectively find the balance between freedom and security. Employees will continue to post personal data on LinkedIn, but their companies in turn will need to prevent that superficial information from becoming a hacker’s key to their business-critical data stores.

Here are three things your firm can do to protect your business-critical data:

1. Invest in good, frequent social engineering training.
Just because hackers can guess your employees’ e-mail addresses doesn’t mean your people should fall for their schemes and provide their login or other information. A strong social engineering training program can help your employees learn to recognize and resist a phishing scam. And one-and-done is not the way to go here; frequent reminders and follow-up training can help keep employees vigilant.

2. Develop a statement that clearly tells employees how your company will handle network security information.
For example, “We will never ask for your username and password,” or “All network-related communications will come only from this specific e-mail address.” This statement should be well known to all of your people and can prevent employees from sharing usernames and passwords with parties who have malicious intent.

3. Have a clear reporting process for suspicious activity.
Make sure employees know how to report social engineering schemes and suspicious e-mails. Keep it simple, maybe with a catch phrase, for example, like “See something? Say something.” Wallet cards or another physical reference might be a good idea here—anything that makes it easy to recognize a potential hacker and report suspicious activity before it becomes a full-blown network attack.

In today’s social media environment, it’s unrealistic to think that a business can avoid all exposure to hackers who are putting LinkedIn to work for their own purposes. However, educating and equipping your people can go a long way toward keeping your business-critical data safe and sound.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

HACKED: PUB CHAIN JD WETHERSPOON; 500,000+ CUSTOMERS’ RECORDS BREACHED

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Pub company JD Wetherspoon has confirmed that its database was the target of a cyberattack. The data breach could potentially affect over half a million customer records from the database.

A database of over 650,000 customers of UK pub chain JD Wetherspoon has been breached by unknown malicious hackers. According to a statement put out by the company, a “very limited” number of customers have had their credit and debit card details stolen, although they are unlikely to be used for fraudulent transactions.

While the card data was not encrypted, only the last four digits of payment card details were stored in the database to begin with, according to CEO John Hutson.

The statement read:

These credit or debit card details cannot be used on their own for fraudulent purposes, because the first 12 digits and the security number on the reverse of the card were not stored on the database.

In a BBC report, it is revealed that the database also held details of 656,723 customers such as:

  • Names
  • Dates of birth
  • Email addresses
  • Phone numbers

The breach is significant, despite the lack of financial information stolen as it is entirely within the realm of possibility that expert malicious hackers could potentially use the breached personal data to engage in identity theft of phishing campaigns.

In a letter to customers, Hutson stressed there was no evidence to show any fraudulent activity from the breached data. Customers are also recommended to stay vigilant against any emails or messages that request them to click or download any files or request any financial and personal data.

An excerpt from the statement read:

We apologize wholeheartedly to customers and staff who have been affected. Unfortunately, hacking is becoming more and more sophisticated and widespread.

The cyberattack struck the company’s old website between June 15 and June 17. The website has since been replaced. Wetherspoon was only made aware of the possible breach on December 1 while confirming it soon after.

The United Kingdom has weathered a blitz of cyberattacks lately with the TalkTalk hack proving to be the most prominent data breach in recent times. Over 4 million users’ personal details may have been compromised with the telecom and broadband provider noting that it might cost the company upwards of $50 million as a one-time financial hit.

Featured image The Flying Standard pub from Shutterstock.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Hacking Drones

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leaked emails between Italian spyware vendor Hacking Team and Boeing subsidiary Insitu revealed that drones carrying malware to infect targeted computers via Wi-Fi by flying over their proximity is close to becoming a reality.

Spyware-carrying drones were being discussed by Insitu, a division of Boeing and now-disgraced malware firm Hacking Team, according to leaked emails from the recent breach of the Italian company which have been posted on WikiLeaks, Engadget reported.

It was only the failure to come to terms over a non-disclosure agreement that kept Insitu and Hacking Team ‘teaming up’ together in order to create the malware infesting drone.

Early conversations took place regarding the inception and the possibility of a spy drone created by Boeing’s aircraft expertise, carrying malware that Hacking Team is notorious for. The concept was designing a drone capable of intercepting communications and hacking on-the-fly, via Wi-Fi. Discussions didn’t get far, however, when lawyers representing both companies couldn’t see eye-to-eye on a viable non-disclosure agreement.

The Talks Behind the Flying, Hacking Drone

Initial discussions kicked off when Giuseppe Venneri, a mechanical engineering graduate from UC and internee at Insitu took notice of Hacking Team’s “Galileo”, a piece of hardware otherwise known as the Tactical Network Injector. This is essentially designed to infiltrate networks and insert the malicious code via Wi-Fi networks to launch man-in-the-middle attacks and other exploits.

Venneri wrote to Emad Shehata, Hacking Team’s key account manager, stating:

We see potential in integrating your Wi-Fi hacking capability into an airborne system and would be interested in starting a conversation with one of your engineers to go over, in more depth, the payload capabilities including the detailed size, weight, and power specs of your Galileo System.

Shehata replied by sending in the standard Hacking Team NDA, to which Venneri responded with Boeing’s own PIA (Proprietary Information Agreement) which the intern noted “must be signed before we engage with potential partners.”

“Signing our PIA (attached) will dramatically shorten the authorization process at our end,” Venneri added. “Let me know if you are willing to sign our document to engage in conversations with us.”

It was at this point when Hacking Team’s Chief Operating Office Giancarlo Russo stepped into the conversation, taking the authority and stating: “I saw your document and it will require additional legal verification from our side regarding the applicability of ITAR and other U.S. Law,” he said. “In my opinion, for a preliminary discussion our non-disclosure agreement should be sufficient to protect both companies and as you will see it is including mutual provision for both parties and it will make things easier and faster for us.”

Venneri’s response was short and succinct: “If you are unable to review/sign our form, know it will take some time on our side to seek approval from our Boeing parent. Are you willing to consider our form?”

Communications went quiet for about a month after this exchange and Venneri sent in another email on 11 May 2015: “We corresponded with you about a month ago and were unsure about the progress going forward with preliminary discussions regarding any future collaborations. If you could please reconsider our mutual PIA, know that the questionnaire at the beginning of the document is just for gathering information and has no impact on the PIA itself. We have lots of Non-US companies under our PIA. If you or your legal team have any requested changes to our PIA please don’t hesitate to add them in the attached document.”

This was the last known correspondence taken from the leaks which came from the data breach two months later in July 2015. All NDAs are have been rendered obsolete and ineffective due to the Hacking Team hack.

Images from Wikimedia Commons and Shutterstock.

Original Source

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Critical Infrastructure at risk

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Critical infrastructure at risk from remotely exploitable NTP flaws

Remotely exploitable Network Time Protocol (NTP) vulnerabilities are leaving critical infrastructure firms open to attack, according to the Industrial Control Systems Computer Emergency Response Team (ICS-CERT).

ICS-CERT issued an advisory on the flaws, confirming it is working with over 20 vendors, including Google, to create fixes.

“As NTP is widely used within operational industrial control systems deployments, ICS-CERT is providing this information for US critical infrastructure asset owners and operators for awareness and to identify mitigations for affected devices,” read the advisory.

“These vulnerabilities could be exploited remotely.”

The multitude of flaws exist in all NTP Version 4 releases prior to Version 4.2.8p1 and are the result of “insufficient entropy”, the use of a cryptographically weak pseudorandom number generator (PRNG), a section of code without a return command and weak stack buffer, according to the ICS.

The emergency response team said it is yet to see any evidence any of the flaws are being exploited, but warned:

“An attacker with a low skill and an exploit script would be able to exploit these vulnerabilities. However, a higher-level of skill would be necessary to craft usable exploit scripts.”

It added that assessing the full scale of the flaws’ impact is difficult as it will depend on the individual company’s wider system.

“Impact to individual organisations depends on many factors that are unique to each organisation,” read the advisory.

“ICS-CERT recommends that organisations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”

ICS-CERT recommends firms update to new unaffected NTP versions and take a variety of other protective measures.

“Minimise network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet,” read the advisory.

“Locate control system networks and remote devices behind firewalls, and isolate them from the business network.

“[Finally] when remote access is required, use secure methods, such as virtual private networks (VPNs).”

The ICS-CERT advisory follows widespread warnings that firms involved in critical infrastructure are dangerously vulnerable to cyber attacks.

US president Barack Obama pledged to bolster the nation’s cyber security and intelligence-gathering powers in a bid to protect critical infrastructure and industry from terrorists during his State of the Union speech in January.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Asterisk and Vicidial Hacking

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Securing SIP Asterisk installations effectively is a “must” today and by taking a few easy steps you can go a long way towards a more secure phone system. 

There are a few easy preventative steps that you can take which will make malicious intruders have a much harder time in abusing your SIP phone system.  Unfortunately, there are some easily obtainable SIP scanners widely available that make it much easier today for hacking into a ]system.  It was not long ago when these attempts were fairly prevalent and some systems were compromised allowing culprits to make thousands of toll calls at the owners expense.  Since that time awareness of potential SIP  vulnerabilities has increased and many installations of Asterisk have been “hardened”, but many others may not have been.   For those we recommend the following easy steps that will make any attempts to exploit an easy target much more difficult, and in most cases not worth the effort.

5 Steps to securing Asterisk

  • Change default passwords.  Certain default passwords that come with Linux, such as root and password need to be changed to one that is unique and follows good password rules.  Others that are part of the [email protected] such as the maint login should be changed right away as well.  Additionally, disable the Alt+F9 access which bypasses directly to the administration console.
  • Do not use the extension number as the SIP name.   While convenience plays a part in making the extension number the same as the SIP entry, this will be the first guess of an attacker.
  • Use strong passwords.  Brute force attacks, where large numbers of word or number sequences are tried have become easier and quicker to launch now that processors are more robust.  Make your systems more secure by using long passwords with a combination of letters, numbers, and other symbols using both upper and lower case.
  • Limit access to SIP authentication.   By restricting which IP addresses can access each user in the sip.conf file you can limit allowable requests to a reasonable set of IP addresses.  This can be done by using permit= and deny=in the sip.conf file.
  • Set your system to reject bad authentication requests. An option that will reject non-rusticated requests to valid usernames is alwaysauthreject=yes in the sip.conf file. This option will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.
  • Disable International Calling.  Most attempts at using a hacked phone system (not only Asterisk) is to make International calls.  An easy way to limit liability from fraudulent charges is to have your Phone or SIP provider disable International calling on your account.
Facebooktwittergoogle_plusredditpinterestlinkedinmail