
Category: Hackerterrorcybercyber

TR069 meets Brickerbot and friends

Bleeping Computer has a report on the Californian ISP Sierra Tel, who apparently has visitors (JPG of letter) over at their customers' TR069 interfaces.

TR069 is the configuration interface of home DSL equipment; if it is insufficiently secured, it can be used to own each and every home DSL router of an ISP.

Which happened to Sierra, twice, simultaneously. Which did not improve the results at all.

“BrickerBot was active on the Sierra Tel network at the time their customers reported issues,” Janit0r told Bleeping Computer in an email, “but their modems had also just been mass-infected with malware, so it’s possible some of the network problems were caused by this concomitant activity.”

Janit0r suggested the other culprit was Mirai, a malware also known to cause similar issues.

Mirai is also the malware that disabled a bunch of German and British Telekom modems earlier this year.


Handling Mail, correctly.

Somebody sent me a mail with
Content-Type: multipart-mixed;
  boundary="X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
Thank you for that. This is precisely my kind of humor.

Bose Connect App creates illegal listening profiles

A class action lawsuit has been filed against Bose by Kyle Zak, on the grounds that the Bose Connect App for their wireless headphones creates illegal listening profiles and shares the data with data miners.

1. Defendant Bose manufactures and sells high-end wireless headphones and speakers. To fully operate its wireless products, customers must download Defendant’s “Bose Connect” mobile application from the Apple App or Google Play stores and install it on their smartphones. With Bose Connect, customers can “pair” their smartphones with their Bose wireless products, which allows them to access and control their settings and features.

2. Unbeknownst to its customers, however, Defendant designed Bose Connect to (i) collect and record the titles of the music and audio files its customers choose to play through their Bose wireless products and (ii) transmit such data along with other personal identifiers to third-parties—including a data miner—without its customers’ knowledge or consent.

Affected are all users of the Bose Connect App, that is, at a minimum users of the QuietComfort 35, SoundSport Wireless, SoundSport Pulse Wireless, QuietControl 30, SoundLink Around-Ear Wireless Headphones II, and SoundLink Color II (“Bose Wireless Products”), but possibly more.

Fun Fact: The German adjective meaning “evil” is “böse”.


Shadowbrokers released NSA exploits, most not 0days any more

The Shadowbrokers released a number of Windows exploits that have been leaked from the NSA's exploit cache.

A lot of blogs and tech opinion pieces appeared, most of them up in arms about the NSA not only sitting on these exploits, but also not being in communication with Microsoft about them during the 90+ days in which these exploits have been known to be compromised.

Turns out, all of these exploits are actually fixed already (or do not appear to work on current platforms in the first place), and though neither MS nor the NSA comment, both parties apparently have been in communication about this.

So the situation is not nearly as dire as those opinion pieces make it look.

So the main question is: have you been patching all your systems up to MS17-010 (March 14th, 2017) already? And what about your Windows XP habit?

Right. Thought as much.


Tumblr of the Day: Roots of Design

I have just finished reading the Project Zero blog entries about the Broadcom WiFi SoC used in cellphones, and how to utilise that SoC to take over the main CPU of a phone.

While this is awesome reading, it reminded me about my interest in taking up a career in landscape gardening.

So here is my Tumblr of the Day recommendation for today: Roots of Design, a podcast about… Landscape Gardening.

It’s awesome, exploit free and about design, so it’s everything that IT isn’t.

It’s also defunct, the last episode is from almost 2 years ago, so it has at least something in common with the patch level of your phone.


Signed pointers

So those real hackers keep telling me that back then in the times of the LISP machine they had tagged pointers and stuff.

Those pesky mobile whizkids at Qualcomm could not let that stand, so they created signed pointers for ARMv8.3. Two families of new instructions have been added, one for signing pointers, the other for checking the signature. How does that work? The PDF at Qualcomm describes the details.

Basically, when pushing a return address onto the stack on subroutine call, that pointer is signed with a PAC* instruction; on return that pointer is checked with an AUT* instruction. The actual RET will fail with an address violation if the pointer has been messed with. PAC* and AUT* are encoded in the NOP (hint) space, so older CPUs simply execute them as NOPs.

PAC* signs the return address, AUT* checks it. On pre-8.3 CPUs, they decode as NOP instructions. RETing to an address that does not AUT is an illegal address exception.

A 64-bit pointer on a cellphone processor with a 40-bit address space leaves 24 bits for the signature, but other partitions are possible depending on address space layout and size.
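To make that partition concrete, here is an added simulation of the PAC*/AUT* idea (my own illustration, not code from the post, ARM or Qualcomm): a 64-bit pointer, an assumed 40-bit address space, and a 24-bit signature in the spare upper bits. The keyed hash, key, addresses and stack pointer values are constructed stand-ins for the hardware cipher and its key register.

```python
import hashlib
import hmac

VA_BITS = 40                      # assumed 40-bit address space, as in the post
SIG_BITS = 64 - VA_BITS           # leaves 24 bits for the signature
ADDR_MASK = (1 << VA_BITS) - 1
SIG_MASK = (1 << SIG_BITS) - 1
KEY = b"constructed demo key"     # real CPUs keep the key in a privileged register

def signature(addr, modifier, key=KEY):
    # Toy keyed hash standing in for the hardware cipher. The modifier is
    # typically the stack pointer, which binds a return address to its frame.
    msg = addr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "little") & SIG_MASK

def pac(addr, modifier):
    """PAC*: store the signature in the unused upper bits of the pointer."""
    if addr & ~ADDR_MASK:
        raise ValueError("address does not fit the 40-bit address space")
    return (signature(addr, modifier) << VA_BITS) | addr

def aut(signed_ptr, modifier):
    """AUT*: return the bare pointer if the signature matches, else None.

    The real instruction hands back a pointer that faults when RET uses it,
    which is the illegal address exception the post mentions."""
    addr = signed_ptr & ADDR_MASK
    if ((signed_ptr >> VA_BITS) & SIG_MASK) != signature(addr, modifier):
        return None
    return addr

def simulate_return(saved_ptr, frame_sp):
    """Function epilogue: AUT the saved return address, then RET to it."""
    target = aut(saved_ptr, frame_sp)
    return "fault" if target is None else "ret to %#x" % target

if __name__ == "__main__":
    ret_addr, sp = 0x401234, 0x7FFFFFE000       # constructed values
    saved = pac(ret_addr, sp)                   # prologue signs the return address
    print(simulate_return(saved, sp))           # ret to 0x401234
    print(simulate_return(saved ^ 0x40, sp))    # fault: low bits overwritten
    print(simulate_return(saved, sp - 0x100))   # fault: replayed in another frame
```

The third case shows why the modifier matters: a correctly signed return address copied into a different stack frame still fails AUT*.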


CVE-2016-10229: Remote UDP Exploit or why did your Nexus want a new kernel this morning?

CVE-2016-10229: Almost perfect score.

CVSS v3 Base Score 9.8 (Critical)

»udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.«

Affects your Linux, and hence all the unupdateable Android you own. Or “why did your Nexus need a reboot this morning?”


Let’s Encrypt and Comodo targeted by Phishers for TLS certs

A Netcraft report highlights that both Let’s Encrypt and Comodo have been issuing certificates for thousands of domains that in one form or another contain the words “apple”, “paypal” or “ebay”, and that virtually all of these domains are being used for phishing or other fraudulent activities.

Netcraft provides a metric called “Deceptive Domain Score”, and uses the opportunity to promote this service of theirs, requesting that certificate authorities implement a similar service.

In each of these examples above — and in the other statistics referenced above — the certificate authority had sight of the whole hostname that was blocked. These examples did not rely on wildcard certificates to carry out their deception. In particular, some of these examples (such as update.wellsfargo.com.casaecologica.cl) demonstrate that the certificate authority was better placed to prevent misuse than the domain registrar (who would have seen casaecologica.cl upon registration).

The two services are attractive to phishers because they offer TLS certificates for free and through an API, with a very limited screening process. Both services use the Safe Browsing API to check whether the domain being certified contains malware, but because it usually does not yet at the time the cert is issued, this check is pointless. Netcraft would rather have the CAs buy their Deceptive Domain Scoring service instead.
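The quoted argument is that the CA sees the whole hostname while the registrar only ever saw the registrable domain. This added example (not Netcraft's code, nor anything from the post) separates brand terms by who could have seen them; the two-label rule for the registrable domain is an assumption, and all sample hostnames except the post's own are constructed.

```python
BRANDS = ("apple", "paypal", "ebay", "wellsfargo")   # terms named in the post

def split_hostname(hostname):
    """Return (registrable_domain, subdomain_labels).

    Assumption: the registrable domain is the last two labels. A real check
    would consult the Public Suffix List (co.uk and friends)."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]

def deceptive_domain_report(hostname):
    """Which brand terms the registrar could see, and which only the CA sees.

    Plain substring matching, so 'pineapple.example' counts as a hit; a
    production check would score rather than flag."""
    registrable, subs = split_hostname(hostname)
    at_registrar = sorted(b for b in BRANDS if b in registrable)
    at_ca_only = sorted(b for b in BRANDS
                        if b not in at_registrar and any(b in s for s in subs))
    return {
        "hostname": hostname,
        "registrable": registrable,
        "seen_by_registrar": at_registrar,
        "seen_only_by_ca": at_ca_only,
        "deceptive": bool(at_registrar or at_ca_only),
    }

def ca_only_catches(hostnames):
    """Hostnames a CA could have flagged that the registrar never saw."""
    return [h for h in hostnames if deceptive_domain_report(h)["seen_only_by_ca"]]

if __name__ == "__main__":
    SAMPLE = [                                      # constructed, except the first
        "update.wellsfargo.com.casaecologica.cl",   # the post's own example
        "paypal-secure-login.example",
        "www.example.org",
    ]
    for h in SAMPLE:
        print(deceptive_domain_report(h))
    print(ca_only_catches(SAMPLE))
```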
