June 21, 2017

SigPloit framework published: telecom vulnerability testing of SS7, GTP, Diameter, and SIP made easy

Code for the open-source SigPloit framework has been published on GitHub by security researcher Loay Abdelrazek. SigPloit is a convenient framework for testing for vulnerabilities in telecommunication protocols. We cannot say that this project will have a big effect on the security situation, but this is definitely one of the alarm bells that should be noted by the telecom industry.

June 16, 2017

Practical ways to misuse a router

Wi-Fi and 3G routers are all around us. Yet in just one recent month, approximately 10 root shell and administrator account vulnerabilities in home internet devices came to light. And access to tens of millions of IoT devices—routers, webcams, and other gadgets—is available to anyone willing to pay $50 for a shodan.io paid account.

At the same time, developers and vendors of these devices tend to have other priorities than "testing" and "security." Many serious vulnerabilities remain unpatched, and even when patches are released, users are slow to install them. What does this leave us with? Legions of vulnerable devices, lying low until hacked and pressed into service as part of a DDoS botnet.

June 2, 2017

WAF Bypass at PHDays VII: Results and Answers

Continuing the tradition of past years, the WAF Bypass contest was held at last month's PHDays. Participants tried to bypass PT Application Firewall protection mechanisms in order to find special flags accessible through vulnerabilities specially left in web applications. In a series of challenges, the organizers disabled different features of PT Application Firewall, leaving a "way in" for participants to take advantage of. The focus of attention this time was a prototype database firewall (DBFW), which analyzed SQL traffic from applications to databases.

May 26, 2017

Positive Technologies expert helps to fix vulnerability in Viber for Windows

Viber has fixed a vulnerability in the company's Windows client found by a group of security experts, which included a Positive Technologies researcher. This security bug enabled attackers to steal data needed for user authentication in Windows. Users are urged to update to Viber version 6.7.2.

May 18, 2017

A closer look at the CVE-2017-0263 privilege escalation vulnerability in Windows

May has been a busy month for vulnerabilities in the world's most popular desktop operating system. Hackers have made headlines with massive infections by WannaCry ransomware, which exploits an SMB security flaw and the ETERNALBLUE tool. Shortly prior, on May 9, Microsoft fixed CVE-2017-0263, which had made it possible for attackers to gain maximum system privileges on PCs running Windows 10, Windows 8.1, Windows 7, Windows Server 2008, Windows Server 2012, and Windows Server 2016.

Vulnerability CVE-2017-0263 had been used already in phishing messages. The emails contained an exploit that first entered the system by taking advantage of incorrect handling of EPS files by Microsoft Office (CVE-2017-0262) and then, once on the inside, leveraged CVE-2017-0263 to get full administrator rights. Two years ago we looked at a similar vulnerability in Windows, and here we will see how the new CVE-2017-0263 opens the way to "pwning" remote workstations and servers.

In a word, this is a use-after-free vulnerability (CWE-416)—when context menu windows were closed and the memory occupied by the menu was freed up, the pointer to the freed-up memory was not zeroed out. As a result, the pointer could be reused.

The below discussion covers the process of window handling in the win32k.sys driver and how this process makes it possible to exploit the vulnerability.

April 24, 2017

Intel ME: The Way of Static Analysis

Image: Clive Darra, Flickr

Intel Management Engine (ME) has been known for over 10 years (since 2005), but official Internet sources about ME are few and far between. Fortunately, excellent works on the topic have been published in recent years. However, all of them deal with ME 10 and earlier, while modern computers implement ME 11, which was introduced in 2015 for the Skylake microarchitecture.

If you have never heard about ME, this is a good time to check out great slides from Igor Skochinsky about previous versions of ME.

In short, ME is a separate processor embedded in the chipset of any modern computer with an Intel CPU. ME runs even when the computer is sleeping or powered off (as long as it is plugged in to a power outlet). ME can access any part of RAM, but the RAM region used by ME is not accessible from the OS. What’s more, ME is capable of out-of-band access to the network adapter.

April 19, 2017

Bank employees using social networks at work: danger or mere distraction?

Banks always have been a lure for attackers, and while new technologies help to improve client service, they also create additional information security risks.

Cyberattacks on banks frequently start with criminals persuading employees of a financial institution to open specially crafted malware. Positive Technologies expert Timur Yunusov explains below whether it makes sense for banks to ban workplace use of social networks to reduce the risk of such attacks.

April 13, 2017

Intel and Lenovo have restricted access to debugging interface of CPUs after Positive Technologies' revelations

Intel and Lenovo have released recommendations that help restrict access to the JTAG debugging interface of processors, which can be used by attackers. The insecurity was first discovered by Positive Technologies’ experts in December 2016.

At that time, Positive Technologies’ experts Maxim Goryachy and Mark Ermolov presented their findings during a session at the Chaos Communication Congress (33C3) in Hamburg, explaining that modern Intel processors allow usage of the debugging interface via a USB 3.0 port available on many platforms to gain full control over the system. Modern security systems cannot detect such attacks.

April 7, 2017

Our new R&D center in Brno

We are pleased to announce the opening of our brand new R&D center in Brno, Czech Republic, which will focus on developing products to secure mobile telecommunications systems.

March 31, 2017

CVE-2017-2636: exploit the race condition in the n_hdlc Linux kernel driver bypassing SMEP

This article discloses the exploitation of CVE-2017-2636, which is a race condition in the n_hdlc Linux kernel driver (drivers/tty/n_hdlc.c). The described exploit gains root privileges while bypassing Supervisor Mode Execution Protection (SMEP).

March 6, 2017

Security reflections from Mobile World Congress

Michael Downs, Director of Telecoms Security, EMEA

Mobile World Congress is not just a name, it is perfectly descriptive. The entire mobile world squeezes into a few square kilometres of Barcelona for four days. Given this concentration of senior execs, it’s a good place to form an opinion on industry trends and try to understand the place security has in the future of mobile.

Transport was a massive theme this year. Someone mentioned there were more car companies here than at a recent major motor show, and everything from chip-set manufacturers to infrastructure providers were touting their connected mobility play. It seems to be the most obvious large scale early application for the Internet of Things as companies see problems that can be solved with data connections, namely accidents, congestion and general resource waste. The promise is great.

However, from a security point of view, I got the impression the priorities for many of these propositions were traditional elements such as speed to market, efficiency of UI, prioritizing functionality, hardware power, connection speeds etc. Not many of the people on the booths I questioned could truly answer the question of what they were doing to keep connected cars, trucks and buses secure from abuse. Maybe it was an unfair question, but given the scale of what is being proposed, this raised a few eyebrows amongst our experts. The consequences of attacks on a fleet of trucks, or the targeting of a car’s systems, don’t bear thinking about. Theoretically, such attacks are possible in the same way an attacker would abuse existing Diameter or SS7 networks. Everything is assigned a number in the network the same way a phone is, providing a marker from which to develop an attack profile.

This theme grows further when you look at the underlying narrative for the show as a whole, that of attaching a data connection to everything. Lots of marketing dollars were spent on tiny models of everything from stadiums, to entire cities. This is being enabled by the hope the industry has for emerging protocols such as 5G and LTE-M. More capacity and higher speeds, means more things can now talk to the Internet.

This is good for the mobile industry, but also for attackers, as more connected things simply mean a larger attack surface on which to work. As was demonstrated at our expert dinner, we believe too many vulnerabilities are still present, both in the underlying infrastructure that carries data and also in the radio delivery from base station to user. This will only be compounded as more things become connected on an application level, driven by increased digitization and usage of emerging web technologies.

From a signalling (SS7 and Diameter) point of view, the underlying infrastructure to support this brave new world is vulnerable, and becoming easier and cheaper to access by an attacker. For dollars per day, bad actors can now buy access to core telecoms networks on the black market and exploit either existing flaws, or new ones. Once inside, all that is needed is a phone number (MSISDN) of your target or targets, be it a person or a fleet of connected cars, to manipulate the commands accordingly. The move towards new protocols will only present new opportunities for bad actors, who are notoriously creative and persistent.

There are also weaknesses from a radio frequency point of view, as vulnerabilities exist in the vast majority of communication protocols and their implementation. Again, as we saw at our expert dinner, armed with just a Raspberry Pi, a chipboard bought for a few dollars and some Python script, data can be sniffed, intercepted, even decrypted on the fly and altered to carry out the whim of the attacker. Whilst we demonstrated some of this on a toy drone, it is important to note that the same protocols are used in the delivery of the entire gamut of ‘things’ connected by mobile networks. This means everything from industrial control systems to cars.

This is not intended to be a doomsday rant. These are points we believe, as a research-based security company, are important to be on the mind of the mobile industry. Many believe we are on the edge of a new industrial revolution. If this is true, then the old mantra that security needs to be built into the heart of things is never truer than right now. We look forward to spending time making sure the brave new world the mobile industry is creating is kept safe and can flourish for everyone’s benefit.

February 8, 2017

Web application attack trends: government, e-commerce, and finance in the spotlight

Positive Technologies has revealed how hackers attacked web applications throughout 2016. The aim of our research was two-fold: to determine which attacks are most commonly used by hackers in the wild, and to find out which industries are being targeted and how. With this data, organizations can be more aware of digital threats and protect themselves accordingly.

January 17, 2017

Intel debugger interface open to hacking via USB

New Intel processors contain a debugging interface accessible via USB 3.0 ports that can be used to obtain full control over a system and perform attacks that are undetectable by current security tools.

A talk on the mechanisms needed for such attacks and ways to protect against them was given by Positive Technologies experts Maxim Goryachy and Mark Ermolov at the 33rd Chaos Communication Congress (33C3) in Hamburg, Germany.