Posts

Nest security camera hacked to broadcast warning of North Korea missile attack

  • A family in California experienced a broadcast warning coming from their Nest security camera.
  • The surveillance system was compromised by a stolen password which was exposed online.

A family in Orinda, California experienced a broadcast warning coming from their Nest security camera. Attackers managed to hack their Nest surveillance system and broadcast a warning of an incoming nuclear missile attack from North Korea.

The family experienced a loud alarm before the start of the broadcast warning. The sound was followed by an alert which claimed that three intercontinental ballistic missiles targeting Los Angeles, Chicago, and Ohio had been launched from North Korea.

Third-party hack

The family panicked and eventually checked news channels for coverage of the aforementioned attack, but found nothing. The family also called Nest customer service to investigate the warning. Later, they realized that credentials exposed in a third-party breach had allowed the attackers to access their security camera.

A spokesperson for Nest confirmed that Nest was not breached. “These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of security risk,” the spokesperson said, CNET reported.

The spokesperson further said that Nest is working on features that will reject compromised passwords, allow customers to monitor access to their accounts, and track third-party entities that abuse passwords.

Security experts say that companies should educate their customers on how to securely use devices in order to prevent attackers from using stolen credentials to log into security cameras and connected devices.

“Consumers can choose to use a stronger password and enable extra security features like two-factor authentication, but they aren’t required to do so. Device makers should flip that around,” Betsy Cooper, founding director of the Aspen Policy Hub said.

Enterprises must be prepared for mega cyber attacks: Check Point CEO

BANGKOK: The world is on the brink of facing mega cyber attacks and enterprises need to be prepared more than ever before, a top executive of Israel-based cybersecurity solution provider Check Point Software Technologies said here on Tuesday.

“Large-scale and fast-moving across mobile, Cloud and on premise networks, 5th Generation cyber attacks have increased over the past year, impacting more companies than ever before,” Gil Shwed, Check Point Founder and CEO, said in his keynote address during the company’s annual event here.

Cyber attacks and data fraud or theft were listed in the top five of the World Economic Forum’s 14th edition of “Global Risks Report 2019”.

“This is indicative of how much cyber risks have intensified, particularly in 2017 — both in their prevalence and disruptive potential,” noted Shwed.

Most companies focus on detecting fraud. By the time a cyber attack is detected, which, according to the industry standard, takes 5-6 months, the damage is already done.

Effective malware can breach critical data in a matter of minutes and shut down networks in seconds. The need is to be future-ready and to protect before such an event occurs, Shwed emphasised.

Most enterprises today are generally protected against only Gen 2 and Gen 3 viruses.

“They need to close the security ‘generation gap’ by deploying infrastructures which combine real-time threat prevention, shared intelligence and the most-advanced security across all enterprise environments.”

Shwed also unveiled “Maestro”, an industry-first hyperscale network security solution.

“Maestro” is a new architecture that enables businesses of any size to enjoy the power of flexible Cloud-level security platforms and seamlessly expand their existing security gateways to hyperscale capacity.

Shwed also introduced “Nano Security” — Gen VI of cyber security which can be embedded on every device, web or Cloud service, applications and network, to protect the hyper-connected, hyperscale world.

The three-day “CPX360” event is aimed at addressing the most pressing cyber security challenges and helping organisations of all sizes develop strategies to prevent cyber threats and sophisticated hackers from impacting their business.

How ASLR protects Linux systems from buffer overflow attacks

ASLR (Address Space Layout Randomization) is a memory exploitation mitigation technique used on both Linux and Windows systems. Learn how to tell if it’s running, enable/disable it, and get a view of how it works.

Address Space Layout Randomization (ASLR) is a memory-protection process for operating systems that guards against buffer-overflow attacks. It helps to ensure that the memory addresses associated with running processes are not predictable, so that flaws or vulnerabilities in those processes are more difficult to exploit.

ASLR is used today on Linux, Windows, and MacOS systems. It was first implemented on Linux in 2005. In 2007, the technique was deployed on Microsoft Windows and MacOS. While ASLR provides the same function on each of these operating systems, it is implemented differently on each one.

The effectiveness of ASLR depends on the entirety of the address space layout remaining unknown to the attacker. In addition, only executables compiled as Position Independent Executable (PIE) programs can claim the maximum protection from the ASLR technique, because only then are all sections of the code loaded at random locations. PIE machine code executes properly regardless of its absolute address.

ASLR limitations

In spite of ASLR making exploitation of system vulnerabilities more difficult, its role in protecting systems is limited. It’s important to understand that ASLR:

  • Doesn’t resolve vulnerabilities, but makes exploiting them more of a challenge
  • Doesn’t track or report vulnerabilities
  • Doesn’t offer any protection for binaries that are not built with ASLR support
  • Isn’t immune to circumvention

How ASLR works

ASLR strengthens the control-flow integrity of a system by randomizing the offsets at which a process's memory regions are laid out, which makes it more difficult for an attacker to execute a successful buffer-overflow attack that depends on known addresses.

ASLR works considerably better on 64-bit systems, as these systems provide much greater entropy (randomization potential).

Is ASLR working on your Linux system?

Either of the two commands shown below will tell you whether ASLR is enabled on your system.

$ cat /proc/sys/kernel/randomize_va_space
2
$ sysctl -a --pattern randomize
kernel.randomize_va_space = 2

The value (2) shown in the commands above indicates that ASLR is working in full randomization mode. The value shown will be one of the following:

0 = Disabled
1 = Conservative Randomization
2 = Full Randomization

If you disable ASLR and then run ldd twice, as shown below, you should notice that the addresses in the two ldd outputs are identical. The ldd command works by loading the shared objects and showing where they end up in memory.

$ sudo sysctl -w kernel.randomize_va_space=0	<== disable
[sudo] password for shs:
kernel.randomize_va_space = 0
$ ldd /bin/bash
        linux-vdso.so.1 (0x00007ffff7fd1000) <== same addresses
        libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007ffff7c69000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ffff7c63000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7a79000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ffff7fd3000)
$ ldd /bin/bash
        linux-vdso.so.1 (0x00007ffff7fd1000) <== same addresses
        libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007ffff7c69000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ffff7c63000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7a79000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ffff7fd3000)

If the value is set back to 2 to enable ASLR, you will see that the addresses change each time you run the command.

$ sudo sysctl -w kernel.randomize_va_space=2	<== enable
[sudo] password for shs:
kernel.randomize_va_space = 2
$ ldd /bin/bash
        linux-vdso.so.1 (0x00007fff47d0e000) <== first set of addresses
        libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f1cb7ce0000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1cb7cda000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1cb7af0000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f1cb8045000)
$ ldd /bin/bash
        linux-vdso.so.1 (0x00007ffe1cbd7000) <== second set of addresses
        libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007fed59742000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fed5973c000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fed59552000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fed59aa7000)
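
The following C program is an added example, not code from the original article. It does from inside a process what the sysctl and ldd commands above do from outside: it reads and interprets kernel.randomize_va_space, prints one address from each region that ASLR can randomize (program text, data, heap, stack and libc), and provides a helper that counts how many distinct load addresses a series of runs produced. The two sample address arrays are the libc load addresses copied from the ldd output above (the disabled pair and the enabled pair); everything else is assumed for the demonstration. Build it as a PIE (the default on current gcc and clang distributions; otherwise add -fPIE -pie) so that the text and data addresses take part in the randomization.

```c
/* Added example: observe ASLR from inside a process and interpret the
 * kernel's randomize_va_space setting. Build as a PIE and run it several
 * times: with kernel.randomize_va_space=2 every address printed changes
 * between runs; with 0 they all stay fixed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Map the sysctl value to the labels used in the article. */
const char *aslr_mode_name(int mode)
{
    switch (mode) {
    case 0:  return "Disabled";
    case 1:  return "Conservative Randomization";
    case 2:  return "Full Randomization";
    default: return "Unknown";
    }
}

/* Parse the text of /proc/sys/kernel/randomize_va_space (e.g. "2\n").
 * Returns 0, 1 or 2, or -1 if the text is not one of those values. */
int parse_aslr_mode(const char *text)
{
    if (text == NULL) return -1;
    char *end;
    long v = strtol(text, &end, 10);
    if (end == text) return -1;                 /* no digits at all */
    while (*end == '\n' || *end == ' ') end++;  /* tolerate trailing newline */
    if (*end != '\0') return -1;                /* trailing junk */
    return (v >= 0 && v <= 2) ? (int)v : -1;
}

/* Read the live setting; -1 if /proc is unavailable (e.g. non-Linux). */
int read_aslr_mode(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f == NULL) return -1;
    char buf[16];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_aslr_mode(buf);
}

/* Count distinct values among load addresses collected from repeated runs:
 * 1 means the layout never moved, n means it moved on every run. */
size_t count_distinct_addrs(const unsigned long long *addrs, size_t n)
{
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j;
        for (j = 0; j < i; j++)
            if (addrs[j] == addrs[i]) break;
        if (j == i) distinct++;
    }
    return distinct;
}

/* libc load addresses copied from the article's ldd output: two runs with
 * ASLR disabled, then two runs with ASLR enabled. */
const unsigned long long ldd_libc_disabled[2] = { 0x7ffff7a79000ULL, 0x7ffff7a79000ULL };
const unsigned long long ldd_libc_enabled[2]  = { 0x7f1cb7af0000ULL, 0x7fed59552000ULL };

static int global_counter = 0;                  /* lives in the .data segment */

/* Print one address from each region the kernel randomizes independently. */
void print_layout(void)
{
    int local = 0;                               /* stack */
    void *heap = malloc(64);                     /* heap (brk or mmap) */
    printf("text  (this program's code) : %p\n", (void *)print_layout);
    printf("data  (global variable)     : %p\n", (void *)&global_counter);
    printf("heap  (malloc result)       : %p\n", heap);
    printf("stack (local variable)      : %p\n", (void *)&local);
    printf("libc  (printf)              : %p\n", (void *)printf);
    free(heap);
}

int main(void)
{
    int mode = read_aslr_mode();
    printf("kernel.randomize_va_space = %d (%s)\n", mode, aslr_mode_name(mode));
    print_layout();
    printf("distinct libc addresses, ASLR off: %zu, ASLR on: %zu\n",
           count_distinct_addrs(ldd_libc_disabled, 2),
           count_distinct_addrs(ldd_libc_enabled, 2));
    return 0;
}
```

Compile with `gcc -fPIE -pie -o aslr_probe aslr_probe.c` and run it twice at each setting. With the value at 2 every printed address differs between runs; with the value at 1 the stack, libc and mmap regions still move but the brk-based heap does not; with 0 nothing moves. Comparing a non-PIE build is instructive too: the text and data lines then stay fixed regardless of the kernel setting, which is the limitation the article describes for binaries not built with ASLR support.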

Attempting to bypass ASLR

In spite of its advantages, attempts to bypass ASLR are not uncommon and seem to fall into several categories:

  • Using address leaks
  • Gaining access to data relative to particular addresses
  • Exploiting implementation weaknesses that allow attackers to guess addresses when entropy is low or when the ASLR implementation is faulty
  • Using side channels of hardware operation

Wrap-up

ASLR is of great value, especially when run on 64-bit systems and implemented properly. While not immune from circumvention attempts, it does make exploitation of system vulnerabilities considerably more difficult. Here is a reference that can provide a lot more detail on the Effectiveness of Full-ASLR on 64-bit Linux, and here is a paper on one circumvention effort to bypass ASLR using branch predictors.