Month: July 2018


Bluetooth: King Harald’s Revenge

From avoiding awkward bus conversations to tether-less keyboards, Bluetooth is the magic sauce that frees us from the draconian bondage of wired peripherals. Who among us has not been enjoying some gnarly tunes and experienced the moment the music died when your headphone cord caught on a doorknob? That irrational split-second of rage followed by overwhelming concern that your beloved cans have been irreparably damaged (quality cans are user-serviceable, come at me audiophiles) is quickly becoming an experience of the past. Bluetooth, having come of age, has shown us the way of the future. It is good and wire-free. Unfortunately, as with many protocols that have grown up along with maturing cryptographic schemes and increasingly-sophisticated attacks (looking at you, DNS), a fundamental weakness in the protocol’s design has been uncovered – and published.

Professor Eli Biham and graduate Student Lior Neumann, at Technion’s Hiroshi Fujuwara Cyber Security Research Center & Computer Science Department at the Israel Institute of Technology, published their paper detailing an attack on the Bluetooth protocol last week. The Fixed Coordinate Invalid Curve attack targets the key exchange process when two devices are paired, giving attackers a privileged position in the chain of communication.

“The technology we developed reveals the encryption key shared by the devices and allows us, or a third device, to join the conversation. We can eavesdrop on or sabotage a conversation. As long as we do not actively participate, the user has no way of knowing that there is a third party listening in.”
– Prof. Biham, quoted in the paper’s press release.

A little history:

Bluetooth was developed as a wireless alternative to RS-232 in 1994 by Jaap Haartsen, an electrical engineer working for Ericsson. The standard uses the 2.4-2.485ghz wireless spectrum range for communication and can form peer-to-peer connections, piconets and personal area networks (PANs). Today, the Bluetooth Special Interest Group (SIG) manages development of the protocol and defines the standards manufacturers must meet to sell products as a “Bluetooth” device. What began as a low-bandwidth, limited protocol has blossomed into a well-rounded and indispensable technology.

Did I mention encryption? Bluetooth supports two security modes and four security levels. These can be mixed-and-matched by manufacturers to achieve a desired level of security. Check out Duo Security’s excellent article, “Understanding Bluetooth Security”, which takes a deep dive into the structure and implications of these options.

Fun fact: Bluetooth was named after 10th century Scandinavian king Harald Bluetooth, famed for uniting the Danish tribes under one banner. The Bluetooth logo is a combination of the Younger Futhark runes Hagall and Bjarkan (the famed king’s initials). Pretty metal, right?

Wait, didn’t I read about a serious Bluetooth vulnerability a while ago?

Yes, yes you did. In April 2017 security firm Armis discovered BlueBorne, a collection of vulnerabilities in the Bluetooth implementation in Windows, Linux, iOS and Android. This attack was serious business – just about every device with Bluetooth was vulnerable (estimated at 8.2 billion devices by Armis). Exploiting these vulnerabilities allowed attackers to connect to devices and systems without authentication, even if the target device was not already paired with the attacker’s or in a discoverable state. This bypass of security measures gave attackers to have full control over compromised devices.

Armis worked with affected companies to produce patches before publishing their research, as did Biham and Neumann. Responsible disclosure practices help keep users safe while allowing security researchers to receive credit where it’s due. Discovering and documenting vulnerabilities often represents a massive investment in time, resources and passion. Researchers deserve to be recognized for their contributions – by finding and responsibly disclosing vulnerabilities they greatly reduce the potential for damage.

A number of Bluetooth vulnerabilities have been discovered over the years. Some have been addressed with OS patches, others with improvements to the protocol. Consider this: if you have a device that’s unsupported or hasn’t been updated since mid-2017, you’re vulnerable to BlueBorne attack as well as the new Fixed Coordinate Invalid Curve attack.


Skwisgaar Skwigelf isn’t a a fan of Bluetooth, vulnerabilities or mediocre playing of the guitars.

How the Fixed Coordinate Invalid Curve works:

When devices are paired they use elliptic curve cryptography (Diffie-Hellman protocol) to secure the exchange of Bluetooth’s encryption keys. Each device generates a public DH key pair. These public keys are exchanged and used to generate the session key, which is used protect the Bluetooth traffic. This initial DH key exchange where the attacker must intervene.

The FCIC attack exploits a flaw in the way that devices validate solutions for the elliptic curve mathematical equation. Unpatched Bluetooth implementations don’t do a great job with this and allow an attacker to set a solution for the math problem that falls outside the curve. This attack has a success rate of 50% for pairing attempts.

With this vulnerability, the attacker is able to force devices to use a pre-determined key rather than one that was randomly-generated. Since the attacker knows the encryption key in use they can eavesdrop on data in a passive attack or issue commands and manipulate information in an active attack.

“In both cases, our attack recovers the session encryption key on success, while on failure our attack causes a denial of service.”
– Section 1.4  of Biham and Neumann’s research paper

In a successful attack, the attacker’s presence is undetectable as long as they’re only listening in on the conversation. In an unsuccessful attack the user would see the standard behavior presented by their device when pairing fails. This behavior is dependent on the software implementation in use. Android and iOS, for example, will have similar but distinct UI responses. We’ve all had this happen as users – you grumble about technology and move through the prompts to restart the pairing process. This presents the attacker with another opportunity to manipulate the conversation.

The fix for this vulnerability requires that the device verify the elliptic curve key being used is a valid solution (that it falls on the curve). If the key doesn’t fit, the devices will use a different key that does. The attacker won’t know the key being used and can’t eavesdrop on the conversation.

What you can do:

Fortunately, the mitigation for this attack is very straightforward: only one of the paired devices must be patched. For example, updating your smartphone protects the connection between it and a speaker or headset.

 Take inventory of devices and software. Knowing what you have is the first step in mitigating the threat this vulnerability poses. This process isn’t limited to enterprise environments – take a look around and think about the devices paired with your phone, tablet, computer… it’s likely a longer list than you thought and you’ll probably find a few surprises.

Update your software. For consumers, there is NO REASON to postpone updating your devices for more than a week. Bugs in patches will be found and fixed quickly. If you’re a company, being more cautious is prudent as IT services support the departments generating revenue. No computers, no money. No matter who you are, always ensure that your critical data is backed up before applying patches.

Leave computing devices that can’t be updated in the dust. The key here is to make sure at least one of the paired devices is patched. There’s no need to dump your beloved old Bluetooth speaker as long as the device it’s connected to is up to date. But if that Android tablet is stuck on KitKat and will never see an update, it’s time to:



Amok IoT

Armis Security, the firm that discovered the BlueBorne vulnerabilities in the Bluetooth protocol in 2017, released a blog analyzing IoT device susceptibility to DNS rebinding attacks. The bad news: nearly half a billion devices are vulnerable. Worse: Patches are unlikely to be developed. Worse still: Most of these IoT devices are treated like appliances and aren’t touched until they fail.

What is a DNS rebinding attack?

A DNS rebinding attack occurs when an attacker manipulates the DNS trust model to their advantage. When a user visits a website under the attacker’s control (usually through phishing emails or instant messages), the user’s browser is fed malicious code. This code issues HTTP requests that, manipulated through DNS rebinding, direct queries to addresses on the user’s local network. The attacker can use the victim’s browser as a proxy to communicate with the private network, enumerate devices and send commands.

IoT devices see commands coming from the victim’s computer on the local network and will allow access to management pages. The attacker gains access to these devices by using default passwords and exploiting vulnerabilities in software. Once the attacker has control of the device they can initiate connections outside the network, bypassing NAT and common firewall security measures. These compromised devices can be used to attack laterally on the network.

Armis has a great, short video on YouTube explaining the flow of the attack:

An attacker got into my IP camera… so what?

With a foothold on the network and persistence established in multiple locations, the attacker can do just about anything they want on the network. IoT devices are treated like appliances but are actually low-power Linux boxes attached to cameras, microphones, door locks, kitchen appliances… and your network. The same network your file server with your engineering files and financial data.

A short list of possibilities:

  1. Add members to a botnet. Your dozens of IoT devices may have low power but can still push packets out and amplification attacks help them punch above their weight as part of a DDoS attack.
  2. Hijack devices to perform reconnaissance. Security cameras and smart locks are designed to make you more secure but can only so when under your control. An attacker could hijack security feeds to establish employee patterns and support more damaging attacks. For example, consider this: when does your company take deposits to the bank? When does the IT staff knock off for a long weekend? Can your PTZ camera zoom close enough to see access codes entered into a keypad?
  3. Pivot to other network devices. A compromised device on the network can be used to attack servers that are protected from internet traffic. Yes, access to that crusty Accounting Department box running Server 2003 is forbidden from the internet but what about the SMB shares for reports?

That’s bad but I would literally die without my IoT. What do I do?

There are a few relatively simple steps that can be taken to vastly improve the state of IoT security on your network. We know that these devices aren’t updated regularly (if ever) and we know they often aren’t actively managed or monitored.

  1. Monitor egress traffic and apply rules to prevent unintended outbound communication. If an IoT device is compromised through a DNS rebinding attack but outbound communication is blocked at the network edge you’ve prevented your device from being a productive botnet member. By monitoring egress logs you would see connection attempts and be able to respond to the compromised device.
  1. Isolate IoT devices on their own network segment, virtually or physically. By implementing VLANs and restricting access between networks you can limit the damage a compromised IoT device can do. Blocking lateral movement will help protect assets that may be vulnerable to attacks from the local network. For anyone who played the “I’m not touching you” game in the back of the family minivan the answer is clear: Captain’s Chairs for your network.
  1. Monitor IoT devices, keep them up to date and don’t buy the cheapest solution. In IoT, you get what you pay for. Those no-name cameras offer a low entry cost but don’t include the support you receive from established, market-leading companies. Your upfront savings will be obliterated in the face of lost IP, stolen PII, bandwidth consumed and IT staff hours spent remediating the problem. You must also keep tabs on your IoT devices: is anyone reviewing the camera footage? Is one camera angling for a better shot of the back office housing the safe? What about the server room?


IoT promises so much – convenience, security, intelligent devices. Unfortunately, they can’t – and shouldn’t – be trusted on the same network as the servers that house your critical files or the workstations your users depend on to get work done. Think about the smartphone revolution… it’s 2018 and most mobile devices are supported for a few years at best. What’s the refresh cycle on your security cameras?

Taking a few simple architectural steps at the network level, monitoring network egress traffic, locking down outbound communication and checking in on IoT devices regularly can vastly improve the security posture of your network and limit damage caused by compromised devices. The IoT industry will mature over time and standards for patching and security will emerge. Until then, Trust No One.


BlogsRemote Access

RDP? Yeah, you know me.

A recent McAfee Advanced Threat Research team blog post discusses the world of dark web RDP shops – sites specializing in the sale of access to machines via Microsoft’s Remote Desktop Protocol. There are many things for sale on the dark web, from novelty MDMA pills to stolen drone documents. While illegal products and classified information are concerning, sites selling remote access to systems poses an exigent threat to public safety.


Image source: IBTimes

What is RDP?

Remote Desktop Protocol is a proprietary protocol developed by Microsoft to allow users to connect to a remote machine through a GUI. The connection supports transfer of video, audio, clipboard data, printer data and keyboard & mouse traffic. RDP can be configured to encrypt traffic with RSA’s RC4 cipher with a 56 or 128-bit key. Remote Desktop is an invaluable tool for administrators and remote workers but presents a serious security risk when configured with weak credentials and left exposed to the internet.

So, what’s the appeal for threat actors?

Imagine that you’re trying to break into a bank vault. You spent months carefully digging a tunnel from the basement of the dilapidated theater across the street. You’ve assembled a highly-skilled crew: femme-fatale safe cracker, Vegas-native security system specialist, the best conman in the tri-state area and some muscle in case things go south. Months of planning and thousands of dollars have been spent pulling off this heist and acquiring specialized tools. Your tunnel finally intersects the bank’s vault room. Heart pounding, you carefully cut your way through the reinforced concrete and, at long last, face your ultimate challenge – the grey, implacable face of the best vault money can buy.

The elevator dings behind you. Your crew spins around in unison, now-sweaty palms gripping the stippled texture of their weapons. You shout, “Who’s there?” with an adrenaline-fueled voice over the barrel of your pistol.

“Hey guys, chill. It’s me, Donnie, the getaway driver. Remember me?” Donnie steps out of the elevator, arms raised, a set of keys in one hand and a Post-It note in the other. “I was sitting in the car and saw the manager taking off. He left his keys in the door and there’s this thing on the keyring that turns the alarm off.”

“Like a car alarm, right? Then I checked out his office and found this.” Donnie hands the note over. It reads, “Vault Code – 3389”.

You punch the code in, the vault opens like you own the place. Everyone gets paid, but you can’t help but think about the money you could have saved with an easy way in. And next time you’ll try Donnie’s approach.

That’s what having RDP secured with weak credentials and exposed to the internet is like. Someone with a low level of technical skill can breach your security totally with minimal effort.

Malicious hackers benefit from using RDP as it avoids needing to employ specialized tools. Why bother with creating a spear phishing campaign, hoping you get some poor soul to open an attachment and waiting for that malware payload to successfully connect to your C&C when you can easily (and cheaply) purchase direct access to a system?


Does that sound bad? It is.

McAfee researchers examined a fresh Windows Server 2008 R2 entry on sale for $10 at one of the larger remote access shops. For that princely sum, an attacker would gain administrative access to machines controlling security and building automation systems at an international airport in the USA. The team was able to determine the target machine’s full IP address (the last two octets are redacted on the shop site until you’ve paid) by using the Shodan search engine and narrowing results by the city and default RDP port number (3389).

The query returned three results. WHOIS queries on those results determined that they belong to a major international airport. Exploring further, three accounts were available on the Server 2008 R2 machine for RDP connections. The Administrator account was obvious. The other two usernames were determined to be related to two companies that specialize in airport security – one in building automation and the other in video surveillance and analytics. Researchers were also able to determine that the computer was joined to a domain likely related to an inter-terminal passenger transport system. This machine and the available accounts are in a great position on the network to cause major damage and support lateral movement.


RDP is a great administrative tool and enables remote workers to chill in their adult jammies while cranking out a pivot table. It makes life easy for all, including cyber criminals. Fortunately for you, Defender of the Network, there are a few basic security steps you can take to harden RDP.

Use complex passwords + multi-factor authentication to defend against brute-force attacks. Strong passwords greatly increase the time needed to guess a password and multi-factor authentication provides an additional layer of security for accounts.

Enforce user & IP lockout policies when too many failed connection attempts. This prevents an account from being compromised and maintains the system’s integrity. If a specific account is attacked several times it may give insight into the attack.

Log connection attempts (successes and failures). Logging is important to identifying attacks, identifying the source of attacks and mitigating attacks in progress.

Use a VPN to wrap RDP up in a more secure shell. Don’t expose any machines directly to the internet that don’t have to be. Using a VPN provides stronger encryption as well as an excellent audit trail and nonrepudiation.

Remember: your security doesn’t have to (and can’t) be perfect. In many cases it just has to be better than the next guy down the IP block. Taking simple steps to harden your systems, applying the principle of least privilege to user access and looking at your network’s profile from the WAN side of the firewall are the first steps down the road of remote access security.

Accidental Disclosures

Quit Doxing Yourself, Tips to Sanitize Your Media

“Two-Thirds of Second-Hand Memory Cards Contain Data From Previous Owners”, by Catalin Cimpanu at drops some unsettling news: two-thirds of used media cards contain personal data – from personal information to nudes.  Researchers from the University of Hertfordshire purchased 100 used memory cards and examined them to see what data was left behind. Of those cards, only a third had been wiped using a tool that overwrote the storage. Another third had been erased but not wiped – data was easy to recover using free utilities. Worst of all, previous owners of the final third had made no attempt to delete their data.

This isn’t the first time a study has shown that data destruction is an often-overlooked detail:
Photocopiers – that’s right, they have hard drives
Arkansas Democratic Party – Official’s friend sold a “dead” drive on eBay

You and I might use dd or the Sysinternals SDelete utility to sanitize our media before disposing of it. Simple – open a terminal window, carefully select (and double, triple-check) that useless 2gb memory card and let the erasing begin. But what can the average user do to prevent accidental disclosure of their sensitive information to Strangers on the Internet?

Data Confidentiality Tips:

Use Full Disk Encryption (FDE) whenever possible.
Modern operating systems have brought FDE to the masses with streamlined, GUI-driven processes and background operation. The performance hit from using encryption has been largely mitigated by AES instructions baked into chipsets and the proliferation of Solid State Drives. One of the biggest benefits to FDE is that it’s largely set-and-forget. If you’re on a train and leave your laptop behind or you put your laptop on eBay, you can rest easy knowing that your data is protected from prying eyes by a strong password (no Password01 or Monkey123 here, folks) and AES encryption. These utilities can also encrypt removable media like USB flash and hard drives.

Windows: Bitlocker
OS X: FileVault
iOS: Filesystem Encryption
Linux: Linux Unified Key Setup (LUKS)
Android: Filesystem Encryption

Securely Wipe Media.
While FDE will protect you in many scenarios, it also relies on the integrity of the encryption algorithm and the strength of your password. Technology and research advance relentlessly and today’s state-of-the-art becomes tomorrow’s 3DES and MD5. Take advantage of these free, user-friendly tools to sleep easy:

Windows: BleachBit
OS X: Disk Utility
iOS: Erase Your Device
Linux: BleachBit
Android: Wipe Your Device

Don’t Sell Your Media – Destroy it.
As a frequent eBay-er, I bargain-hunt new hardware and try to get every penny out of decommissioned parts. But consider this: non-volatile storage media is cheaper than ever before and, more importantly, new parts come with a warranty. Is it worth recouping a few bucks, knowing that your Compact Flash card is out there in someone else’s hands? This Cambridge study on data remanence will make you think twice. The truth is: no matter what you do, there is always a chance that sensitive data remains on storage media. The only solution? Nuke it from orbit, just to be sure. Use your creativity here but stay safe. The goal is to physically destroy the media, like drilling holes through a hard drive or smashing a USB drive with a sledgehammer.

In Summary:

Every computer user can take a few simple steps to protect their data from theft, and accidental disclosure by taking three simple steps:

Step 1: Encrypt your data
Step 2: Sanitize media before disposal
Step 3: Give your media a Viking funeral

8 July 2018 - Media Sanitization and Doxxing YourselfWorth it.