UPnP leaves millions of devices vulnerable

Some implementations of Universal Plug and Play (UPnP) have vulnerabilities that allow remote exploitation. An excerpt from the ZDNet story:

According to the security team at Rapid7, technology used worldwide in both routers and standard networking equipment is making it possible for hackers to potentially infiltrate approximately 40 million to 50 million devices worldwide.

The vulnerability lies in the standard known as Universal Plug and Play (UPnP). This standard set of networking protocols allows devices, such as PCs, printers, and Wi-Fi access points, to communicate and discover each other's presence. After discovery, devices can be connected through a network in order to share files, printing capability, and the Internet.

In a white paper released today, researchers from the security software maker said that while UPnP might make network setup cheaper and more efficient, it harbours a severe security risk.

The paper focuses on programming flaws in common UPnP discovery protocol (SSDP) implementations, which can be exploited to crash the service and execute arbitrary code, the exposure of the UPnP control interface (SOAP) on private networks, and programming flaws in both UPnP HTTP and SOAP overall.

Over 80 million unique IPs were identified that responded to UPnP discovery requests from the Internet due to the "misconfiguration" of the UPnP SSDP discovery service across thousands of products. Over 73 percent of all UPnP instances discovered through SSDP were derived from only four software-development kits (SDKs).

In addition, the UPnP SOAP service was found to provide access to device functions that should not be allowed from distrusted networks, such as opening holes in a firewall.

Rapid7 also said that the two most commonly used UPnP software libraries both contain remotely exploitable vulnerabilities. For example, in the case of the Portable UPnP SDK, "over 23 million IPs are vulnerable to remote code execution through a single UDP packet." A patch has been released, but it will take a long time before this patch is included in vendor products, according to the firm.

Full story at ZDNet. Another ZDNet story on the subject: Homeland Security took the alert seriously.
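The discovery protocol and the SOAP control interface the excerpt describes, as an added example (this is not code from Rapid7 or from the ZDNet article): `build_msearch` assembles the SSDP M-SEARCH datagram that elicits answers from UPnP devices, `parse_ssdp_response` and `server_products` pull the SERVER product tokens out of a reply so the results of an external scan can be triaged by SDK, and `build_add_port_mapping` shows the WANIPConnection AddPortMapping request that "opening holes in a firewall" refers to. The sample response is constructed, and the product string used to recognise the Portable UPnP SDK is an assumption about how that library identifies itself.

```python
"""SSDP discovery probe, response triage and a UPnP IGD SOAP request.

Added illustration for the UPnP story above, not code from Rapid7 or ZDNet.
SAMPLE_RESPONSE is constructed; PORTABLE_SDK_TOKEN is an assumption.
"""
import re

SSDP_MCAST_ADDR = "239.255.255.250"
SSDP_PORT = 1900

# Assumption: libupnp (the Portable UPnP SDK) announces itself with this
# product token in the SSDP SERVER header.
PORTABLE_SDK_TOKEN = "Portable SDK for UPnP devices"


def build_msearch(search_target="ssdp:all", mx=2):
    """Return the bytes of an SSDP M-SEARCH request.

    This HTTP-over-UDP (HTTPU) datagram is multicast to 239.255.255.250:1900;
    a device that answers it from a public address is exactly the kind of
    Internet-exposed SSDP responder the article counts.
    """
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MCAST_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw):
    """Parse an HTTPU response into (status_code, headers).

    Header names are lower-cased; a repeated header keeps its last value.
    Anything without an HTTP/1.x status line raises ValueError, so stray UDP
    noise is never mistaken for a UPnP device.
    """
    text = raw.decode("latin-1")
    head = text.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    m = re.match(r"^HTTP/1\.[01] (\d{3})\b", status_line)
    if m is None:
        raise ValueError(f"not an HTTPU response: {status_line[:40]!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def server_products(headers):
    """Split the SERVER header into (product, version) pairs.

    Devices list product tokens separated by commas, for example
    "Linux/2.6.30, UPnP/1.0, Portable SDK for UPnP devices/1.6.6".
    """
    products = []
    for token in re.split(r",\s*", headers.get("server", "")):
        token = token.strip()
        if not token:
            continue
        name, slash, version = token.rpartition("/")
        products.append((name.strip(), version.strip()) if slash else (token, ""))
    return products


def uses_portable_sdk(headers):
    """True when the responder identifies itself as the Portable UPnP SDK."""
    return any(name == PORTABLE_SDK_TOKEN for name, _ in server_products(headers))


def build_add_port_mapping(ext_port, int_port, int_client, proto="TCP"):
    """Return (SOAPAction header value, XML body) for WANIPConnection:1 AddPortMapping.

    When the SOAP control URL is reachable from an untrusted network, this one
    request forwards ext_port on the WAN side to int_client:int_port, which is
    what the article means by opening holes in a firewall.
    """
    service = "urn:schemas-upnp-org:service:WANIPConnection:1"
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{service}">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{int(ext_port)}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int(int_port)}</NewInternalPort>"
        f"<NewInternalClient>{int_client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        "<NewPortMappingDescription>example</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )
    return f'"{service}#AddPortMapping"', body


# Constructed sample: what a router answering M-SEARCH from the Internet might send.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6.30, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:11111111-2222-3333-4444-555555555555::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_msearch().decode())
    status, hdrs = parse_ssdp_response(SAMPLE_RESPONSE)
    print(status, hdrs.get("location"), server_products(hdrs), uses_portable_sdk(hdrs))
    print(*build_add_port_mapping(8080, 80, "192.168.1.10"), sep="\n")
```

Run on its own, the script prints the probe, the triage of the sample response and the SOAP request. Against a live network you would send `build_msearch()` over UDP to 239.255.255.250:1900 (or unicast to a single host) and feed each returned datagram to `parse_ssdp_response`; a device whose public address answers the probe at all already belongs to the population the article counts, whatever SDK it reports.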

Dismantling the Gozi botnet

An interesting story about the shutdown of the botnet associated with the Gozi virus.

How the feds put a bullet in a “bulletproof” Web host

"Gozi was coded back in 2005 and deployed in 2007. Back then, it largely targeted Europeans. When installed on a computer, the virus waited until the user visited an online banking site and then grabbed account names and passwords—anything that might be needed for a criminal to transfer money out of the user's account. This information was then sent silently to the Gozi command and control servers, from which it was harvested on a regular basis.

By 2010, the malware innovated in two important ways. First, it had gained the capability to do sophisticated Web injection. When an infected computer was pointed at a banking website, the virus wouldn't simply steal account login information; it could be configured to inject additional data requests right into the bank's webpage. This made it almost impossible to tell the requests were not being made by the bank itself. In this way, the malware could be tweaked to ask for Social Security numbers, driver's license information, a mother's maiden name, PIN codes—anything a client wanted."

Full story

Phishing and Google Docs

I have been receiving several phishing emails ("Your password is about to expire, blah blah") asking me to open a page on Google Docs. Two explanations:

Spammers Now Phishing via Google Docs

"In a new SecureList blog post, Kaspersky Lab researcher Vicente Diaz has described a new frontier in a relatively old online scam. Phishers, tired of building fake websites to lure victims into unintentionally giving away email addresses, passwords or even financial information are beginning to use Google Docs to siphon data from the unwary.

This approach makes it easy for spammers to bypass filters, as emails with links to a shared Google document don’t get flagged, giving the recipient the illusion that the message is legit.

Mr. Diaz writes that tricking someone into entering personal data into a sketchy Google Doc is only “the tip of the iceberg”:

Google Docs allows hosting other contents such as executable files in different formats, resulting in a very convenient and free hosting service for malicious content. As a bonus the connection is HTTPS by default, making the use of this service even more convenient for cybercriminals.

Source: NakedSecurity

Malware in power plants

Critical control systems inside two US power generation facilities were found infected with computer malware, according to the US Industrial Control Systems Cyber Emergency Response Team.

Both infections were spread by USB drives that were plugged into critical systems used to control power generation equipment, according to the organization's newsletter for October, November, and December of 2012. The authors didn't identify the owners of the facilities and there's no indication the infections resulted in injuries or equipment failures.

The incidents were reported earlier by Threat Post, and they are the latest to underscore the vulnerabilities posed by so-called supervisory control and data acquisition systems that aren't properly secured. SCADA and industrial control systems use computers to flip switches, turn dials, and manipulate other controls inside dams, power-generation plants, and other critical infrastructure. Computer malware that infects those systems can pose a threat by giving remote attackers the ability to sabotage sensitive equipment. Last year, a backdoor in a widely used piece of industrial software allowed hackers to illegally access a New Jersey company's internal heating and air-conditioning system.

The other infection affected 10 computers in a turbine control system. It was also spread by a USB drive and "resulted in downtime for the impacted systems and delayed the plant restart by approximately three weeks," the article stated. It went on to encourage owners and operators of critical infrastructure to "develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media."

Full article at Ars Technica
ICS-CERT Monitor newsletter, Oct-Dec 2012

Operation "Red October"

An advanced and well-orchestrated computer spy operation that targeted diplomats, governments and research institutions for at least five years has been uncovered by security researchers in Russia.
The highly targeted campaign, which focuses primarily on victims in Eastern Europe and Central Asia based on existing data, is still live, harvesting documents and data from computers, smartphones and removable storage devices, such as USB sticks, according to Kaspersky Lab, the Moscow-based antivirus firm that uncovered the campaign. Kaspersky has dubbed the operation “Red October.”
While most of the victims documented are in Eastern Europe or Central Asia, targets have been hit in 69 countries in total, including the U.S., Australia, Ireland, Switzerland, Belgium, Brazil, Spain, South Africa, Japan and the United Arab Emirates. Kaspersky calls the victims “high profile,” but declined to identify them other than to note that they’re government agencies and embassies, institutions involved in nuclear and energy research and companies in the oil and gas and aerospace industries.
“The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information-gathering scope is quite wide,” Kaspersky notes in a report released Monday. “During the past five years, the attackers collected information from hundreds of high-profile victims, although it’s unknown how the information was used.”
The attackers, believed to be native Russian-speakers, have set up an extensive and complex infrastructure consisting of a chain of at least 60 command-and-control servers that Kaspersky says rivals the massive infrastructure used by the nation-state hackers behind the Flame malware that Kaspersky discovered last year.

So far, so close - attacks on telephones

Internet phones sold by Cisco Systems are vulnerable to stealthy hacks that turn them into remote bugging devices that eavesdrop on private calls and nearby conversations.

The networking giant warned of the vulnerability on Wednesday, almost two weeks after a security expert demonstrated how people with physical access to the phones could cause them to execute malicious code. Cisco plans to release a stop-gap software patch later this month for the weakness, which affects several models in the Cisco Unified IP Phone 7900 series. The vulnerability can also be exploited remotely over corporate networks, although Cisco has issued workarounds to make those hacks more difficult.

Full article at Ars Technica

SCADA (in)Security

Poor SCADA security will keep attackers and researchers busy in 2013

IDG News Service - An increasing number of vulnerability researchers will focus their attention on industrial control systems (ICS) in the year to come, but so will cyberattackers, security experts believe.

Control systems are made up of supervisory software running on dedicated workstations or servers and computer-like programmable hardware devices that are connected to and control electromechanical processes. These systems are used to monitor and control a variety of operations in industrial facilities, military installations, power grids, water distribution systems and even public and private buildings.


Some are used in critical infrastructure -- the systems that large populations depend on for electricity, clean water, transport, etc. -- so their potential sabotage could have far-reaching consequences. Others, however, are relevant only to their owners' businesses and their malfunction would not have widespread impact.

The security of SCADA (supervisory control and data acquisition) and other types of industrial control systems has been a topic of much debate in the IT security industry since the Stuxnet malware was discovered in 2010.

Full article at Network World