Why Is Your TV & NAS On The Internet? – PSW #824

This reminds me of Joel's backdoor. Joel's backdoor and this recent vulnerability seem to share the same design mistake, at least that's my guess. Judging by the username "messagebus" it would seem that backend processes need to access the web interface or API, therefore the developers just build in a backdoor, complete with the ability to run commands. I'm not even sure how to fix this ongoing problem, lessons are not learned and vendors just keep cranking out firmware that is vulnerable to the same things. We are losing the battle.

EV charging stations represent even more vulnerable devices (IoT?) that contain vulnerabilities. The attack surface, and impact, is interesting: "Charging stations face significant cybersecurity risks. "Issues include unprotected Internet connectivity, insufficient authentication and encryption, absence of network segmentation, unmanaged energy assets, and more," wrote researchers from Check Point Software and SaiFlow, the latter a cybersecurity specialist in distributed energy solutions. Compromised stations could damage the power grid, for example, or result in stolen customer data. “Chargers have personal and payment information and run a variety of protocols that aren't typically recognized by traditional firewalls," says Check Point Software's Aaron Rose, who works in the office of the CTO." - Despite all of the issues and MANY myths, charging stations are becoming critical infrastructure and should be treated as such, with minimum standards for security and integrity.

The authentication bypass is interesting: "We can request the creation of an account with no permissions, which will be automatically granted. Then we request another account with elevated permissions, but we specify the companion-client-key variable to match the key we got when we created the first account. The server will confirm that this key exists but will not verify if it belongs to the correct account. Thus, the skipPrompt variable will be true and the account will be created without requesting a PIN confirmation on the TV." And then two command injection vulnerabilities (authenticated) are present as well. Why are there so many of these TVs exposed to the Internet? Also, now I want to look at the firmware, some quick poking around, I found this: https://github.com/openlgtv/epk2extract - Adding to my long list of projects!

Let's move to Rust! Except, like all software, it has flaws too: "The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping." - While this has been fixed, applications could still be vulnerable if not updated. More supply chain fun!

Also, I really want a dumb TV. The problem is TV manufacturers make money on advertising and including apps such as YouTube and Netflix on the TVs OS. This means smart TVs are cheaper, as they are taking a loss on the hardware and making it back in other ways. This article has more details and links to purchase dumb TVs: https://www.tomsguide.com/features/dumb-tvs-heres-why-you-cant-find-them-anymore

Great article, and I love this quote: "Do you mean a bunch of nerds who don’t really know each other in real life but work like clocks to build the most sophisticated software in the world through the internet and make it free for people to use?"

I am failing to see how this is new: "Typically, once a device gets compromised by malware, this malware beacons to attacker-controlled C2 domains for instructions. Threat actors can instruct the malware to perform scanning attacks. Then, the malware on the compromised device initiates scanning requests to various target domains." - This is something we can easily detect. Have we lost site of basic network monitoring that can detect activity such as port scanning and vulnerability scanning? I used to detect this behavior all the time when monitoring the network, in fact, I remember one case where a host was compromised and port scanning. My detections at the time flagged this behavior right away. Why? Because it's not "normal". You can monitor host logs and network traffic and pickup on this pretty easily. Are attackers doing more of it now because we've slacked on monitoring network traffic?

Interesting scenario: "The email your manager received and forwarded to you was something completely innocent, such as a potential customer asking a few questions. All that email was supposed to achieve was being forwarded to you. However, the moment the email appeared in your inbox, it changed. The innocent pretext disappeared and the real phishing email became visible. A phishing email you had to trust because you knew the sender and they even confirmed that they had forwarded it to you." Made possible because an attacker can control the CSS in HTML emails, meaning, the forwarded message will display something different than the original email. Neat trick!

Interesting project, I did a similar one. I still believe that looking for default creds is something that is not done thoroughly enough in most organizations.

This is pretty hot: "In early 2023 an awesome colleague (Andreas) spoke about an incident response case featuring thugs plugging a media keyboard into an ATM, and breaking out of its ATM kiosk software to install malware causing it to dispense $$$. This prompted me to spend some time during spring and summer of 2023 looking into Consumer Control, a subset of USB functionality, which is what allows media keyboards to launch and control various applications over USB with the press of single buttons; so called Consumer Control Buttons (CCBs)."

Worth a read if you are interested in cryptography and how cryptanalysis is actually done.

I met one of the hosts of "The Team House", David Parke, at Shmoocon earlier this year. After chatting a bit he invited me to be interviewed on his podcast at some point in the future. That happened last week, and this is the result.

(I took the lead from Paul and spoke for over 3 hours!)

It's like déjà vu all over again!

But not really. Technically this was not a breach but an invadvertent disclosure attributed to a third party SaaS provider.

If you recall, Home Depot suffered a payment card breach ten years ago that was caused by a breach of a third-party HVAC provider. Which only makes this recent breach that much more embarassing.

Speaking of déjà vu, Omni Hotels suffered an outage this past week that they attributed to a cyberattack (reportedly a ransomware attack) that impacted operations including credit card payments. Omni also was victim to an attack in 2016 that targeted Point-of-Sale (POS) systems.

Panera Bread's recent week-long outage was caused by a ransomware attack, according to people familiar with the matter.

Not a new breach disclosure, but rather a report on how 7 million current customers are still impacted - I'm guessing because they never changed their passwors/authentication data.

Reading this article a week after having my toothpasted confiscated (ironically at TF Green Airport in Providence) I'm even more flummoxed by airport security. PRV has the newer baggage check machines that take about 250 times longer to get your bags through and a really cool automated system that moves questionable bags to a separate queue for inspection. This is what happened to me, and after about 8 minutes of waiting for someone to inpsect my bag they finally took a very detailed look and ulitmately held up my toothpast and said "this is too big!" All I could think at the time was, "thank you for making air travel more secure". Of course, I could have successfully carried on 10 tubes of regulation sized toothpaste that easily exceed the volume of my offending tube, but that wasn't the point. The machine worked and the TSA agents did their job! Of course, I'd been carrying the same tube of toothpaste on probably a dozen other flights over the previous six months...I'll stop now.

Aren't all security failures preventable????

The offender and his identity theft victim worked together at a hotdog cart in Albuquerque, New Mexico, in the late 1980s. He assumed the victim’s identity and, for the next three decades, used that identity in every aspect of his life.

Jonathan Haidt is telling a scary story about children’s development: that children are being harmed by smartphones and social media. The evidence is unconvincing. This reviewer recommends hiring more school psychologists to help troubled children rather than seeking a single magic-pill solution like age-gating social media.

Amazon is removing Just Walk Out tech from all of its Fresh grocery stores in the US. The system uses a host of cameras, and over 1,000 real people in India scanning the camera feeds to ensure accurate checkouts.

As “P4x,” Alejandro Caceres single-handedly disrupted the internet of an entire country. Then he tried to show the US military how it can—and should—adopt his methods.

HTTP/2 accounts for around 60% of all human HTTP traffic. The protocol has a design flaw: a HEADERS frame can be sent without the END_HEADERS bit set, followed by an endless stream of CONTINUATION frames, consuming resources on the server, creating a DoS condition.

This is total nonsense. The hack of government email on Microsoft servers last year used a stolen signing key, and Microsoft proposed dozens of theories about how it was stolen. Apparently one theory is the China has a super quantum computer and the US Sun ran with that idea as if it were supported by any evidence.

Change Healthcare is allegedly being extorted by a second ransomware gang, mere weeks after recovering from an ALPHV attack. The details are murky, but it may be the affiliate gang who performed the original attack, but never got paid.

The attack targets hardware-based trusted execution environments, which isolate servers running in the cloud. By using malicious hypervisors and interrupts, the researchers could bypass authentication and gain root access to the targeted Confidential VM. Azure is not affected, but Amazon Linux is.

The Biden administration is preparing to take the unusual step of issuing an order that would  prevent US companies and citizens from using Kaspersky software. The move, which is being finalized and could happen as soon as this month, would use relatively new Commerce Department authorities built on executive orders signed by Presidents Joe Biden and Donald Trump to prohibit Kaspersky Lab from providing certain products and services in the US, the sources said.