This week, how a politicians’ kids accessed his laptop through facial recognition, critical flaws in WordPress and Qualcomm chips, how 2 million IoT security cameras and baby monitors are vulnerable to takeover, and how a new Emotet variant uses connected devices as proxy C2 servers! In the expert commentary, the return of Jason Wood from Paladin Security, joins us to talk about how Microsoft is telling IT admins to nix ‘obsolete’ password reset practices!
- Facial recognition fail allows politician’s kids to access his laptop – With new elections for Europe just around the corner, Matt Carthy can’t be the only politician liberally distributing photographs of his smiling face through the letterboxes of potential voters. But in Carthy’s case it wasn’t a stranger that was able to subvert the facial recognition on his HP laptop, but instead his kids. So, I was wondering why the battery on my laptop was running down every time I left it at home. Turns out the kids have been using my election leaflets to get through the facial recognition lock… I’m not sure whether to be proud by the wit or concerned by the sneakiness?
- Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension – The vulnerability in question is an “arbitrary file upload” issue that can be exploited by unauthenticated, remote attackers if the vulnerable sites have “Categorize Uploaded Files” option enabled within WooCommerce Checkout Manager plugin settings. “From the more technical aspect, vulnerability occurs inside ‘includes/admin.php’ file at line 2084 on which application is moving given files to a directory using ‘move_uploaded_file’ without prior proper check for allowed files,” explains a blog post published Thursday by web application security platform WebARX, who warned their users after Plugin Vulnerabilities made the flaw public.
- Critical flaw in Qualcomm chips exposes sensitive data for Android Devices – Researchers have uncovered a new side-channel attack that could be exploited by attackers to extract sensitive data from Qualcomm secure keystore, including private keys, and passwords. The attack potentially impacts most of the modern Android devices that use Qualcomm chips, including popular Snapdragon models 820, 835, 845 and 855 The attack leverages a flaw in the Qualcomm Secure Execution Environment (QSEE), designed to securely store cryptographic keys on devices. “A side-channel attack can extract private keys from certain versions of Qualcomm’s secure keystore. Recent Android devices include a hardware-backed keystore, which developers can use to protect their cryptographic keys with secure hardware.” reads a blog post published by NCC Group. “On some devices, Qualcomm’s TrustZone-based keystore leaks sensitive information through the branch predictor and memory caches, enabling recovery of 224 and 256-bit ECDSA keys. “
- New Emotet variant uses connected devices as proxy C2 servers – “Recently, an analysis of Emotet traffic has revealed that new samples use a different POST-infection traffic than previous versions. ” reads the analysis published by Trend Micro. “It is also attempting to use compromised connected devices as proxy command and control (C&C) servers that redirect to the real Emotet C&Cs. These changes may seem trivial at first, but the added complexity in command and control traffic is an attempt by Emotet authors to evade detection. “ The experts also noticed that threat actors behind the latest Emotet campaign are actively attempting to compromise IoT devices, including routers, IP cameras, webcams, and recruit them in a first layer of the C2 infrastructure.
- ISC patches three vulnerabilities in BIND | SC Media – The first issue, the high-severity CVE-2018-5743, addresses a flaw that does not limit the number of TCP clients that can be connected at any given time. The scenario can be created because the number of TCP connections is changeable and, if unset, is designed to default to the conservative value for the server. However, the code which was intended to limit the number of simultaneous connections contains an error which can be exploited to grow the number of simultaneous connections beyond this limit, creating a DoS condition.
- 2 Million IoT Security Cameras and Baby Monitors Vulnerable to Takeover – “Over 2 million vulnerable devices have been identified on the internet, including those distributed by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight and HVCAM,” said Paul Marrapese, a security engineer who discovered the flaws, in a post last week. “Affected devices use a component called iLnkP2P. Unfortunately, iLnkP2P is used by hundreds of other brands as well, making identification of vulnerable devices difficult.” The first iLnkP2P bug is an enumeration vulnerability (CVE-2019-11219), which enables attackers to discover exploitable devices that are online. The second is an authentication vulnerability (CVE-2019-11220) that allows remote attackers to intercept user-to-device traffic in cleartext, including video streams and device credentials.
- Researchers Explore Remote Code Injection in macOS – The core of Weinberg’s report digs into three sparsely documented tactics to hook functions on a remote process, as well as the new custom loader designed by the Deep Instinct research team, to achieve code execution. The three tactics outlined in the paper exploit the Mach-O format to do this, says Oren. There is no vulnerability in Mach-O, he adds; these methods abuse the way it’s built to work. Weinberg uses “Hook-Inj” as a term to group these tactics, which are based on remote process hooking but were used to achieve code execution in remote processes. The first he describes was initially published in a Facebook project called fishhook, where it was only used for hooking functions in a local process. Researchers found a way to modify the method for code execution.
- Oh dear. Huawei enterprise router ‘backdoor’ was Telnet, sighs Vodafone – The Bloomberg financial newswire reported this morning that Vodafone had found “vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier’s Italian business”. “Europe’s biggest phone company identified hidden backdoors in the software that could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy,” wailed the newswire. Unfortunately for Bloomberg, Vodafone had a far less alarming explanation for the “backdoor”. “The ‘backdoor’ that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet,” said the telco in a statement to The Register, adding: “Bloomberg is incorrect in saying that this ‘could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy’.”
If our co-workers read the latest changes to Microsoft’s security baseline for Windows 10, we would hear a loud roar of rejoicing about Microsoft’s advice around passwords. This would be followed by a hoard of people at our desk demanding changes be made now. Microsoft has removed recommendations to change passwords on a regular schedule from their baseline!
Microsoft isn’t the first organization to bring this idea up. In 2017, NIST made changes to SP 800-63 that state, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).” They went on to recommend using “memorized secrets” instead of “passwords” in policies. NIST’s reasoning is that the old requirements had the not so surprising effect of passwords not being replaced and only adjusted. Password1 becomes Password2. Or Winter2018! becomes Spring2019! Penetration testers around the world can tell you stories of getting into scores of accounts using password spraying with these passwords.
Aaron Margosis, a principal consultant for Microsoft, wrote a blog post to explain their reasoning for the change. I’d recommend reading it, as someone is bound to bring it up to you to justify removing password expiration. One line of interest is where Margosis states, “If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.” In principle this makes sense. One of the justifications that I heard for password expiration policies is that they would remove an attacker’s access to valid credentials if they had them. Microsoft is turning that around and saying that passwords should be changed when they are compromised instead. This would imply that an organization would quickly have knowledge of when credentials were compromised.
Margosis also recommends that organizations implement multi-factor authentication and banned password lists. So they have not just tossed a requirement out. Microsoft also recommends making some change to make stupid passwords unusable and adding randomness to every authentication attempt.
I have a few thoughts on this change, as I’m sure you do. First, I’m not a huge fan of scheduled password changes. I don’t think anyone out there really is a fan of this. It’s annoying. It takes a couple of weeks before muscle memory comes back when typing in credentials. I’ve also experienced how much political capital we have to spend on password requirements and rotation in our organizations. People start grabbing the pitchforks and torches in a hurry when a change gets made here.
There are a few reality checks to this change in the recommendation. First, the things that Microsoft is recommending aren’t supported in a vanilla Active Directory deployment. Sure, we can go purchase something like Azure AD Password Protection and add it into your environment, but we’re going to have to go ask for more money. That is never easy or fun. Though who knows, the execs might buy into this idea very quickly.
Second, this is going to take YEARS to start making organizations change their policies. Large organizations will resist making changes because they are slow to make any change. Requirements in audit frameworks will need to be changed. Auditors will need to be trained. Years of hearing “password expiration” need to be overcome and get us to think in a different direction. Even if we want to make the change today, we’ll have to deal with the audit requirements beating us up.
In the end, I don’t mind this recommendation being changed. I have my doubts as to its real effectiveness. What I am concerned about is that people are becoming aware that the old requirements are changing, but don’t have a clear idea of what those changes are. There may be some pushing to toss out other unpopular requirements as well. I do feel that we should be using things like multi-factor authentication instead of depending on just passwords. I’d recommend taking some time to read the articles linked here in the show notes. And then perhaps take a look at how your organization is handing credentials to see what improvements can be made.
Paul Asadorian – CTO, Security Weekly.