Hack Naked News #193
Recorded October 16, 2018 at G-Unit Studios in Rhode Island!
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- Join us for our Webcast with Signal Sciences, "Which Way Should You Shift Testing in the SDLC?", November 8th @3-4pm EST. Go to securityweekly.com/signalsciences to register now!
- Millions of Voter Records Found for Sale on the Dark Web - The seller of the voter registration databases from 19 different states also advertises that weekly updates of the data come from contacts within state governments. "Certain states require the seller to personally travel to locations in-state to receive the updated voter information. This suggests the information disclosure is not necessarily a technical compromise but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum," Anomali said in a detailed report on the sale. Additional Details From Security Affairs Blog
- 5 Ways Attackers Are Targeting the Healthcare Industry - The state of Healthcare security is always an interesting topic. While Healthcare is a generic term, an attacker could target hospitals or health insurance providers and it will get lumped into "healthcare". The article lists common attacks as the ways healthcare is being targeted, including data breaches, ransomware, social engineering, DDoS attacks and insider threats. We must underscore, as many of our listeners already know, that security (or lack thereof) impacts patient care. It's a tricky environment to secure, and many leaders in the security community have made progress applying security to an industry that demands ease of use, fast access to information, along with privacy and security. Not an easy task, but some points to consider that I believe this article was missing.
- Expert disclosed a new passcode bypass to access photos and contacts on a locked iPhone - The bug allows the attacker to select photos and send them to anyone using Apple Messages. The new passcode bypass attack works on all current iPhone models, including iPhone X and XS devices, running the latest version of iOS, 12 through 12.0.1. The attack involves 13 steps, the first of which is calling the phone you are trying to attack (which means you have to know the number!). We are waiting for a patch, however there is a workaround in the meantime, which I believe you should apply anyhow, as the article states: it is possible to mitigate the issue by disabling Siri from the lock screen (go to Settings → Face ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and disable the Siri toggle under "Allow access when locked").
- How Chrome and Firefox could ruin your online business this month - Well, that title is a bit overstated! Chrome 70 has been released today and Firefox 63 will be released next week. Each of the browsers will be updated such that Symantec-issued certificates will be invalid. Why? Digicert to the rescue: Symantec sold off its CA business to Digicert, and Digicert agreed on a timeline for replacing any existing Symantec certificates, thus helping the community get off to a fresh start. Digicert is a proud sponsor of Paul's Security Weekly.
- Google using lock screen passwords to encrypt Android Cloud backups - In the case of Android backups, starting with its ninth operating system – that would be Android Pie, released in August – Android devices can take advantage of the new encryption by way of a decryption key that will be randomly generated on the device. The decryption key is encrypted using the user’s lock screen PIN/pattern/passcode, which Google doesn’t know. That passcode-protected key will then be encrypted to a Titan security chip on a Google server. Google says its Titan chip is configured to only release the decryption key when presented with a “correct claim” coming from a user’s passcode. The Titan chip will keep track of how many attempts are made while inputting a passcode, thus blocking brute-force account attacks.
- Microsoft Zero-Day Patch for JET Bug Incomplete, Claims Firm - Microsoft patched a zero-day in its JET Database Engine this week – but the patch was incomplete, according to researchers at 0patch. The company has developed a micropatch that corrects that hole, it said Friday. The memory corruption vulnerability (CVE-2018-8423) could allow remote code-execution. It was found by Trend Micro’s Zero Day Initiative (ZDI), which subsequently released the flaw as a zero-day 135 days after reporting it to Microsoft. Eighteen days later, Microsoft issued a fix as part of its Patch Tuesday updates this week.
- Fake Adobe update really *does* update Flash (while also installing cryptominer) - Security researchers at Palo Alto Networks published details of how XMRig cryptomining code has been installed under the cover of fake Adobe Flash updates. Fake Flash updates that borrow genuine pop-up notifications from the official Adobe installer do indeed update their victim’s Flash Player installation. Reminds me of a story back at the University where an attacker gained control of a super computer and was discovered by the sysadmin because the attacker was applying patches to keep other attackers out!
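The Android backup item above describes a layered design: a random key generated on the device, wrapped under the lock-screen passcode, and then held by a server-side security chip that releases it only for a correct passcode claim and counts failed attempts. The following Python model is an added example (not Google's code and not from the article) that shows why the layering matters: the chip never holds anything that can unwrap the key on its own, and the attempt counter is what turns a 4-digit PIN into something that cannot be brute-forced. The class name TitanStandIn, the PBKDF2 iteration count, the lockout threshold of ten attempts and the reset-on-success behaviour are all assumptions for illustration; the wrap construction uses only the standard library and is illustrative rather than a production AEAD.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERS = 100_000   # assumption: the real parameters are not on the page
MAX_ATTEMPTS = 10        # assumption: the page only says the chip counts attempts


def _derive(passcode: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive two independent secrets from the lock-screen passcode.

    kek   - wraps the backup key on the device and never leaves the device
    claim - what the device presents to the chip; lets the chip verify the
            passcode without learning anything that can unwrap the key
    """
    root = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERS, dklen=32)
    kek = hmac.new(root, b"kek", "sha256").digest()
    claim = hmac.new(root, b"claim", "sha256").digest()
    return kek, claim


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(backup_key: bytes, kek: bytes) -> bytes:
    """Illustrative wrap: HMAC-derived keystream XOR plus an HMAC tag.
    A real system would use an AEAD such as AES-GCM; this keeps the example stdlib-only."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"stream" + nonce, "sha256").digest()
    ct = _xor(backup_key, stream)                      # backup_key is 32 bytes, stream is 32 bytes
    tag = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap_key(blob: bytes, kek: bytes) -> bytes:
    """Verify the tag before touching the ciphertext, so a tampered blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    stream = hmac.new(kek, b"stream" + nonce, "sha256").digest()
    return _xor(ct, stream)


@dataclass
class _Record:
    salt: bytes
    claim_hash: bytes
    wrapped_key: bytes
    failures: int = 0


class TitanStandIn:
    """Constructed stand-in for the server-side security chip.

    It stores only the passcode-wrapped key and a hash of the claim, so it cannot
    recover the backup key itself, and it refuses to release anything once
    MAX_ATTEMPTS wrong claims have been seen, which is what blocks brute force.
    """

    def __init__(self, max_attempts: int = MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self._records: dict[str, _Record] = {}

    def enroll(self, account: str, salt: bytes, claim: bytes, wrapped_key: bytes) -> None:
        self._records[account] = _Record(salt, hashlib.sha256(claim).digest(), wrapped_key)

    def salt_for(self, account: str) -> bytes:
        return self._records[account].salt          # salt is not secret

    def remaining_attempts(self, account: str) -> int:
        return self.max_attempts - self._records[account].failures

    def release(self, account: str, claim: bytes) -> bytes:
        rec = self._records[account]
        if rec.failures >= self.max_attempts:
            raise PermissionError("account locked: too many wrong passcode claims")
        if not hmac.compare_digest(rec.claim_hash, hashlib.sha256(claim).digest()):
            rec.failures += 1
            raise PermissionError("wrong passcode claim")
        rec.failures = 0                             # assumption: a correct claim resets the counter
        return rec.wrapped_key


def device_enroll(passcode: str, chip: TitanStandIn, account: str) -> bytes:
    """Device side of enrolment: random backup key, wrapped under the passcode, handed to the chip."""
    backup_key = os.urandom(32)
    salt = os.urandom(16)
    kek, claim = _derive(passcode, salt)
    chip.enroll(account, salt, claim, wrap_key(backup_key, kek))
    return backup_key


def device_restore(passcode: str, chip: TitanStandIn, account: str) -> bytes:
    """Device side of restore on a new phone: present the claim, unwrap locally with the kek."""
    salt = chip.salt_for(account)
    kek, claim = _derive(passcode, salt)
    return unwrap_key(chip.release(account, claim), kek)


if __name__ == "__main__":
    chip = TitanStandIn()
    key = device_enroll("1234", chip, "alice")
    print("restore with correct passcode matches:", device_restore("1234", chip, "alice") == key)
    for guess in ("0000", "1111", "2222"):
        try:
            device_restore(guess, chip, "alice")
        except PermissionError as e:
            print(guess, "->", e, "| attempts left:", chip.remaining_attempts("alice"))
```

The point to take from the model is the split between `kek` and `claim`: the server-side component can decide whether a passcode is right, and can count how often it was wrong, but holding the wrapped blob and the claim hash gives it no way to produce the backup key. Whoever compromises the server still has to get past the attempt counter, and a counter enforced in hardware is exactly what the article says the Titan chip is for.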
Expert Commentary: Doug White, RWU
For me this story started with the military. I was asked in this panel focus something about potential threats in the future and I spun up this scenario where a tank which has a lot of screens, especially in a command tank, and the whole tank thing is run from there (not with guys and binoculars circa WWII). The idea was "what if you could just send a simple signal that would be detected by a chip (you do know what's in all these, right?) in a board and could issue an instruction to the CPU that would just brick the thing." Now the tank commander has to climb up out and get out the binoculars like Rommel. I had been thinking about that because of this thing called the orange drop capacitor scandal.
[used in guitar building, unscrupulous manufacturers filled the orange drop shells with really low quality capacitors and then dipped them in resin so they looked fine].
As you might guess this got a lot of "can't happen", "quality control standards, blah blah blah". But a couple of people asked me to talk about that some more. So my idea was that you just put an extra receiver on the motherboard labeled as something else. That's where the signal comes in. Then you need some sort of instruction chip on the board, but there was no reason these tiny things couldn't fit into a capacitor case on the motherboard, or under a heat sink or somewhere.
Fade in: Lonely gas station in West Texas, 2015... Agent Mulder has run out of gas but notices a strange light shining under the door of a shed out back. Inside, it's Amazon's dark server center. As he is poking around, he notices a strange and tiny chip on one of the blades. The blade says superm... but the rest can't be seen. Seconds later, he hears a guard and has to run. When he brings Scully back the next day, there is nothing there but an abandoned outhouse...
So, you probably have or have built a Supermicro server at some point. I built a lot of them. This was the sort of initial point of contact for AWS since they were testing Supermicros years ago for security and guess what, they found a stray chip (they should have used my capacitor approach to hide it but they didn't bother). It wasn't on the design so someone noticed. Turns out the federal govt bought a lot of Supermicro motherboards over the years so all of a sudden, oops. Now, me being me, I wonder how many other motherboard brands for servers are also made in a hostile foreign superpower. Hmmm, maybe all of them. Interestinger and interstinger [sic].
Supposedly, this chip would inject code into the stack that would create a vulnerability when "something" triggered it. Apple had dropped Supermicro as a supplier in 2016 due to security vulnerabilities but Supermicro claimed that it was a bad firmware download not a hardware vulnerability.
The data line says that Zhongguo makes 75% of all mobile phones and 90 percent of all PCs [bloomberg.com]. According to the United States investigation (this also from bloomberg.com) the People's Liberation Army operatives carried out "the most significant supply chain attack in history" against American companies. Oops. I guess when you buy all your parts from your largest superpower enemy, it can get kind of sticky. A plethora of denials began. So, how does this work?
The chips themselves were designed to look like signal conditioning couplers which are really tiny but they were actually microprocessors (really simple ones) (shoulda used a capacitor). The code supposedly accessed the baseboard stack and then pinged some server on the internet to allow access for further mod/exfiltration of data. According to the Bloomberg article, 30 companies were victims of this attack. That makes sense. It could work that way as the BMC can have an IP address and can be accessed by a "management network" for centralized control. So, if you compromised the stack on the BMC, phoned home, and then that remote started talking to the system via that, well...
Now, then the story gets really interesting:
Apple denies that any of this is true. In a separate statement, Apple said, "Despite numerous discussions across multiple teams and organizations, no one at Apple has ever heard of this investigation. Businessweek has refused to provide us with any information to track down the supposed proceedings or findings. Nor have they demonstrated any understanding of the standard procedures which were supposedly circumvented. No one from Apple ever reached out to the FBI about anything like this, and we have never heard from the FBI about an investigation of this kind — much less tried to restrict it."
China also said there was no indication that Apple or AWS had actually found altered equipment. So, all of this came back to a Bloomberg story which was widely picked up and which claimed a lot of things.
In the end, Bloomberg cited three Apple insiders and six US officials. They claim that 17 people confirmed the manipulation of Supermicro's hardware and other elements of the attack but said these were anonymous sources. There were a couple of people named. Joe Fitzpatrick is one of them and claimed that most of the stories seem to have come from him in a conversation with a reporter but that the hack itself "doesn't make sense" and the technical details are "jumbled", but Bloomberg stands by the story and even reported another Supermicro hack on the ethernet connector. Now supchina (guess who publishes that) goes on and says that someone is lying, possibly to damage Zhongguo's reputation, and so forth. But, they do go on to say that "it's possible that well meaning sources confused malware Apple found in the firmware with some sort of Tom Clancyesque espionage campaign."
So someone, Bloomberg? Apple? Zhongguo? is wrong here.
So, all of this, true or not, leads us back to the idea of hardware hacks. All of us have been jailbreaking phones since I bought my first twister box on Temple Street in about 2004 (and yes I had to go all the way to Hong Kong to get one back then). So, the idea of a hack on the hardware seems sound. I think the concept is valid and I could definitely see a delivery vehicle like this being something that could work. But, and here's the big one... where are these chips? No one can seem to produce one. Where is the code? That's where I started. I wanted to get the code for this hack which, since it's on the mobo, I should be able to get, right? Not so. Currently, it's just tumbleweeds.
But let's talk about my original idea of a sleeper cell in your hardware. When I was thinking of this a long time ago, we didn't have flashable chips very often but now, the firmware can be flashed and you could certainly push out malware like that, so is there any real reason to do this? Here's the ultimate logic for me:
1) If you embed illicit hardware, you can't get it back (viz the orange drop capacitor scandal). So, if Supermicro allowed PLA operatives to come in and solder chips onto server boards, that is a pretty nasty paper trail (solder trail?) back to Zhongguo. International incident, loss of sales, end of the world monetarily.
2) If you did this with a truly "long view" you would have to assume these products would end up in the right place, at the right time, and could be accessed and activated consistently long in the future. I love the idea of the "mummy's curse" kind of attack but I don't think it's viable militarily since you just couldn't count on it. I mean, do you want to base a military strategy on the hope that it's not shielded, etc.?
3) So considering 1 and 2, what's the upside?
4) This would assume that your management network was NATed to the outside or PATed to the outside as well. So, if you do that sort of thing, well...
I truly believe in the idea of a supply chain risk when dealing with the global supply chain. But, everyone thinks they are being "bugged", it's a common paranoia. Does Zhongguo spy on the United States? Yes. Does the United States spy on China? Yes. Everyone is spying. But in this case, mostly due to lack of evidence and Occam's razor the story is true. Bloomberg may have sources who think it's true, but if there is a chip, I would really like to see one. Now, maybe like the Ark of the Covenant, the Army has already found them all, taken the boards and put them in wooden crates and stored them at Area 51. But, they sold a lot of these and not just to the Army.
As of last week, the Senate Commerce committee has demanded some answers and not received any from Supermicro. Rob Joyce of the NSA said they have not been able to corroborate the story nor found any evidence. DHS said they had no reason to doubt Apple and Amazon's claims that nothing had been found. But all of them said, hey, if you have this chip or the code from the chip, or even just some guy named Chip, let us know. (I would get a cash advance if I were you).