Categories
Links Writing

Your TV as a Beachhead

The Internet of Things is moving apace and consumers are increasingly purchasing Internet-connected devices for their homes. In the case of SmartTVs it appears that manufacturers’ poor security design(s) could pose a direct threat to the network the TV is integrated with:

Since the well-known Javascript object XmlHttpRequest is available within the DAE, not only the TV is the target of possible attacks but also other networked devices in the user’s home network.

Using a timing-based approach, attackers are able to scan the user’s home network from the TV for other devices that are behind the user’s firewall and would not directly be visible from the internet. This could be used for user profiling and for finding further attack targets.

The next step for the attackers could be the reconfiguration of components in the local area network in order to facilitate further attacks via different vectors. For example the home router – which in many cases has no password protection when accessed from the LAN – could be reconfigured by the attacker to have no protection against attacks from the internet.

In order to gain personal information, attackers could access well-known services like UPnP or http in the user’s network via the connected TV. For example IP cameras or printers could be compromised using this technique.

Also using the XmlHttpRequest object, attackers can transfer all of the gained information to arbitrary Internet drop-zones, which would also expose the victim’s IP address.

As a lot of these attacks have been publicized in the context of browser hacking, there is a lot of available code on the Internet that might be used for also compromising Smart TVs.

While the researcher who’s done this work is presently posing SmartTVs as potential – rather than necessary, or actual – threats, now that the cat’s out of the bag it’s almost guaranteed that more people will be working on weaponizing your TV. Isn’t the pervasive connection of equipment to the Internet just great?

Categories
Aside

Promotional video of the FinFisher surveillance malware

This promotional video of the FinFisher surveillance malware has some interesting components:

  1. they are talking about older Blackberry devices – I’m curious to know if they already have a ‘solution’ for more contemporary devices;
  2. the video speaks of infecting websites, which seems to suggest that an element of the FinFisher process is attacking unrelated websites to then hunt targets. Crazy illegal in most jurisdictions I’m familiar with;
  3. the company focuses on TrueCrypt, which confirms the position that TC is a pretty awesome way of securing things you want to remain confidential… so long as you’re not infected with surveillance malware.
Categories
Quotations

2013.3.3

Being crass should not be a crime, but that’s essentially what Andrew Auernheimer was convicted of. This was the case where AT&T accidentally published the emails and device ideas of the first iPad customers. Andrew downloaded them and published proof of the problem to Gawker. His “coconspirator” pled guilty, testified against Andrew, and provided private emails to prosecutors that “proved” Andrew’s bad intentions. These emails disclose things like Andrew talking about stealing the information and wanting to profit from the event. That made his simple actions look very nefarious.

But that’s how we in the cybersec community always talk. When we find cybersec problems, we dream of the worst ways we can be horrible people and exploit them. If you listened to any of our private conversations, you’d be convinced that we were all secretly one step away from triggering World War III.

I’m pretty sure had I been in Andrew’s place, the prosecutors would’ve found much worse to hang me by. Indeed, you’ll find much in my public Twitter feed and blog posts to convict me of. When the Mars Curiosity Rover landed last August, and the first pictures arrived from the planet, I was about to tweet the URL to view those pictures. But the site was already failing under the load of all the nerds worldwide getting those pictures. Therefore, I changed my tweet to comment on the fact that this was essentially a DDoS attack – the sort of attack that activists do against large corporations they don’t like. I therefore made the humorous tweet “Join our DDoS against NASA and click” on their website.

Of course, I’m not against NASA, nor do I think anybody else is. I can’t imagine why anybody would want to DDoS them. It should be obvious that my tweet is humor. But, prosecutors taking this out of context might use it to try to convict me, to prove to jurors of my evil intent.

Robert Graham, “Context matters: we only appear to be blackhats”
Categories
Aside Links

If You Can’t Breach the OS, Target Developer Watering Holes

F-Secure has a good, quick overview of the recent attacks against Facebook, Twitter, and (presumably) other mobile developers. Significantly, we’re seeing an uptick in attacks against developers rather than just against platform manufacturers. The significance? Even though the phone OS may be ‘secure’, the applications you’re loading onto those devices may have been compromised at inception.

Smartphones: the source of anxiety and worry for IT managers that keeps on going.

Categories
Quotations

2013.2.10

It saddens me that America’s so-called government for the people, by the people, and of the people has less compassion and enlightenment toward their fellow man than a corporation. Having been a party myself to subsequent legal bullying by other entities, I am all too familiar with how ugly and gut-wrenching a high-stakes lawsuit can be. Fortunately, the stakes in my cases were not as high, nor my adversaries as formidable as Aaron’s, otherwise I too might have succumbed to hopelessness and fear. A few years ago, I started rebuilding my life overseas, and I find a quantum of solace in the thought that my residence abroad makes it a little more difficult to be served.

Bunnie Huang, “A Moment of Silence for Aaron Swartz”
Categories
Humour Links

Cat Found With Malware Strapped to Collar

No, really, no joke: a Japanese hacker is playing with the authorities. The latest gambit involved attaching an SD card with malware code to a cat’s collar. Authorities still have no clue who designed the software or who the individual(s) is/are.

Categories
Quotations

2013.1.19

It’s not good to be on Power’s bad side, however. When you are on that side, Power piles on charges rather than shrugging off felonies as simple mistakes. Especially if what you do falls into the gray area of enforcing the letter as opposed to the principles of the law.

You can file all the petitions you like with the powers that be. You can try to make Power – whether in the form of wiretapping without warrants or violating international conventions against torture – follow its own laws. But Power is, as you might suspect, on the side of Power. Which is to say, Power never pleads guilty.

Ryan Singel, “Aaron Swartz and the Two Faces of Power”
Categories
Quotations

2013.1.17

The same vulnerabilities that enable crime in the first place also give law enforcement a way to wiretap — when they have a narrowly targeted warrant and can’t get what they’re after some other way. The very reasons why we have Patch Tuesday followed by Exploit Wednesday, why opening e-mail attachments feels like Russian roulette, and why anti-virus software and firewalls aren’t enough to keep us safe online provide the very backdoors the FBI wants.

Matt Blaze and Susan Landau, “The FBI Needs Hackers, Not Backdoors”
Categories
Quotations

2012.10.30

It’s very complicated. It’s very cumbersome. There’s a lot of numbers involved with it.

Gov. Nikki Haley’s reason for why social security numbers stolen by a hacker weren’t encrypted
Categories
Links

Vulnerabilities in Huawei Routers Discovered

While it is not exactly news that home and small enterprise routers tend to be insecure, the magnitude of the problems with Huawei’s devices was revealed at DefCon this year. Given the failure of the company’s engineers to recognize and navigate around longstanding security issues, a public accounting of Huawei’s enterprise and ISP-focused routing products seems particularly prudent.