This week, 60,000 GPS trackers for people and pets are using the same password, YouTube fined $170m for covertly tracking kids online, a free working exploit for BlueKeep, WordPress 5.2.3 fixes new clutch of security vulnerabilities, critical Exim flaw opens millions of servers to Takeover, cyberattack Disrupted Firewalls at U.S. Power Utility, a Million-plus IoT Radios Open to Hijack via Telnet Backdoor, Vulnerabilities in D-Link, Comba Routers Can Leak Credentials, and vulnerabilities exposed 2 million Verizon customer contracts. In the expert commentary, Matt Alderman talks about the slew of ransomware attacks, and pay-offs, targeted at cities and municipalities earlier this year, is the tide starting to turn?
Visit https://www.securityweekly.com/hnn for all the latest episodes!
To learn more about our sponsors visit: The Security Weekly Sponsor’s Page
September 10, 2019
- 600,000 GPS trackers for people and pets are using the same password – ‘Researchers at Avast Threat Labs found that ID numbers assigned to each device were based on its International Mobile Equipment Identity, or IMEI. Even worse, during manufacturing, devices were assigned precisely the same default password of 123456. The design allowed the researchers to find more than 600,000 devices actively being used in the wild with that password. As if that wasn’t bad enough, the devices transmitted all data in plaintext using commands that were easy to reverse engineer. The result: people who are on the same network as the smartphone or Web-based app can monitor or modify sensitive traffic.
- YouTube fined $170m for covertly tracking kids online – The penalty follows a complaint filed by the FTC and the New York Attorney General that YouTube had violated the Children’s Online Privacy Protection Act (COPPA) Rule. Passed in 1998, the legislation advanced new rights for children under 13. It forced service providers to tell children what information they’re collecting and how they will use it, and get parental consent to do so. They must also enable parents to review the information collected and to prevent its further use. YouTube failed at this. It used cookies to follow kids around the internet without getting consent from their parents to do so. This only happened with the regular YouTube service and not with YouTube Kids, the exclusively child-targeted service it launched in 2015.
- Heads up: A free, working exploit for BlueKeep just hit – By default, Metasploit’s BlueKeep exploit only identifies the target operating system version and whether the target is likely to be vulnerable. The exploit does not currently support automatic targeting; it requires the user to manually specify target details before it will attempt further exploitation. If the module is interrupted during exploitation, or if the incorrect target is specified, the target will crash with a bluescreen. Users should also note that some elements of the exploit require knowledge of how Windows kernel memory is laid out, which varies depending on both OS version and the underlying host platform (virtual or physical); the user currently needs to specify this correctly to run the exploit successfully. Server versions of Windows also require a non-default configuration for successful exploitation—namely, changing a registry setting to enable audio sharing. This limitation may be removed in the future.
- WordPress 5.2.3 fixes new clutch of security vulnerabilities – This makes it difficult to do a risk analysis: WordPress version 5.2.3 has just appeared on the download pipe featuring half a dozen security fixes and software enhancements. It doesn’t look as though any of the flaws have been publicly disclosed or identified with CVEs, but admins who are confident about compatibility will still want to apply it.
- Critical Exim Flaw Opens Millions of Servers to Takeover – All versions of Exim servers up to and including 4.92.1 have a serious flaw (CVE-2019-15846) that could allow a local or remote attacker to execute arbitrary code with root privileges, which means that they could take full control of the impacted server. The vulnerability ranks 9.8 out of 10 on the CVSS scale, making it critical in severity.. The Exim vulnerability rouses fears after a similar vulnerability in June was exploited in a widespread campaign to gain remote command-execution on victims’ Linux systems. Researchers said that currently, more than 3.5 million servers were at risk from the attacks, which used a wormable exploit.
- Cyberattack Disrupted Firewalls at U.S. Power Utility | SecurityWeek.Com – A quarterly report published last spring by the National Energy Technology Laboratory revealed that a cyber event caused “interruptions of electrical system operations” at an unnamed utility in the western part of the United States. The incident, which occurred on March 5, impacted California, Utah and Wyoming, but it did not result in any power outages. US power utility’s firewalls disrupted by DoS attackE&E News, which provides news for energy and environment professionals, learned at the time that the disruption involved a DoS attack that exploited a known vulnerability, but no other details were made available. E&E now noticed that a “lesson learned” report from the North American Electric Reliability Corporation (NERC) revealed that the incident involved a vulnerability in the web interface of firewalls used by the impacted organization.
- Million+ IoT Radios Open to Hijack via Telnet Backdoor –Imperial Dabman IoT radios have a weak password vulnerability that could allow a remote attacker to achieve root access to the gadgets’ embedded Linux BusyBox operating system, gaining control over the device. Adversaries can deliver malware, add a compromised radio to a botnet, send custom audio streams to the device, listen to all station messages as well as uncover the Wi-Fi password for any network the radio is connected to. The issue (CVE-2019-13473) exists in an always-on, undocumented Telnet service (Telnetd) that connects to Port 23 of the radio. The Telnetd service uses weak passwords with hardcoded credentials, which can be cracked using simple brute-forcing tactics. From there, an attacker can gain unauthorized access to the radio and its OS.
- Vulnerabilities in D-Link, Comba Routers Can Leak Credentials – Specifically, the two D-Link vulnerabilities affect the D-Link DSL-2875AL and the DSL-2875AL and also the DSL-2877AL, respectively. The first Coomba vulnerability discovered affects the AC2400 Wi-Fi Access Controller, and the other two affect the Comba AP2600-I WiFi Access Point (version A02,0202N00PD2), according to Trustwave. Trustwave’s disclosure team said it made “multiple attempts” to notify both companies of the vulnerabilities after their discovery. Their response—or lack thereof–points to a persistent problem with device makers neglecting to take outside security recommendations seriously, the company said.
- Vulnerabilities Exposed 2 Million Verizon Customer Contracts | SecurityWeek.Com – UK-based researcher Daley Bee was analyzing Verizon Wireless systems when he came across a subdomain that appeared to be used by the company’s employees to access internal point-of-sale tools and view customer information. Further analysis led to the discovery of a URL pointing to PDF format contracts for Verizon Wireless customers who used the company’s monthly installment program to pay for their devices. While authentication was needed to access the files, the expert initially managed to access one contract, linked to a specific phone number and contract number, after brute-forcing the URL’s GET parameters.
Expert Commentary: Matt Alderman
After a slew of ransomware attacks, and pay-offs, targeted at cities and municipalities earlier this year, is the tide starting to turn?
The use of ransomware to hold cities hostage has continued to grow. But, as those affected pay the ransom, either through their insurance policies or other means, the more likely the price of future attacks will increase. However, most citizens are against local governments paying ransomware attackers. A recent study by Morning Consult on behalf of IBM found that nearly 2 in 3 respondents would prefer to pay higher repair costs and not pay a ransom rather than using taxpayer dollars to pay for a ransom. Taxpayers would rather see ransomware play out than pay up, which is exactly what cities in Texas and Massachusetts just did.
After a ransomware attack slapped a hefty payout demand of $5.3 million on New Bedford, Mass., the city announced that it is instead opting to pick up the pieces and restore what it can from backups itself. According to Mayor Jon Mitchell, only 158 computers, or 4 per cent of the more than 3,500 machines used by city employees were compromised. Unwilling to pay the $5.3M, which would have been the largest known ransom payout for an attack yet, Mitchell said he made a counter-offer of $400,000, based on cyber-insurance proceeds available to the city. When the counter-offer was rejected, the city took it’s own steps by shoring up defenses, restoring from backups, and rebuilding systems.
New Bedford is not alone. The state of Texas is refusing to comply with the demands of a ransomware attack that affected 22 local governments, according to Texas Department of Information Resources (DIR) reports. Hackers managed to infiltrate the 22 local government organizations via a third-party services provider, planting ransomware that encrypted data and disrupted business-critical services. The ransom, $2.5M. But instead of paying the ransom, DIR implemented their response plan within hours of receiving notice of the event. By day four, response teams had visited all impacted sites and completed the response work at more than 25% of those sites. One week after the attack began, all sites were cleared for remediation and recovery.
Is this the new trend? Not every city or municipality will make the same decision, but with ample planning, they can have a choice. Here’s a few tips for being prepared:
- Keep your systems up to date with the latest patches.
- Backup your systems, test restores from backups, and keep critical backups offsite/offline.
- Have a business continuity/disaster recovery plan, including incident response, and test it!
- Periodically test your defenses, either internally or externally via reputable testing firms
- We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will be receiving 1 CPE credit per webcast! Register for one of our upcoming webcast with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand
- Security Weekly will be at Hacker Halted in Atlanta, GA this October 10th-11th! EC-Council is offering our listeners a $100 discount to attend the two day conference. Use discount code HH19SW when you register or go to securityweekly.com/hackerhalted and register there! Make sure you checkout the keynote (Paul Asadoorian) and Mr. Jeff Man’s talk as well!