* Posts by cybergibbons

53 publicly visible posts • joined 24 Sep 2014

Pentester says he broke into datacenter via hidden route running behind toilets

cybergibbons

Re: The Security Was Possibly Via a Screwdriver

Yep - it was just a square key! Very easy.

Schools email marketing company told us to go away when we told them of exposed database creds, say infoseccers

cybergibbons

There was no way to tell if the email had been received and acted on. Given the issue hadn't been fixed, it was chased.

I've personally disclosed over 50 issues so far, never accepted payment to not disclose them.

There is no hacking gang.

cybergibbons

I don't accept rewards unless the bug is submitted via an already established bug bounty.

cybergibbons

I sent one email chasing the original report to make sure it had been received.

They don't have a means to report security issues, so there is a significant chance that the email doesn't reach the person responsible for the security of these systems, and the issue remains unfixed, leaving them at risk.

This is not "pestering".

cybergibbons

I'm not a freelance penetration tester, but not sure I have seen any operate under that model either. It's not exactly going to be lucrative working like that.

As you can see, the way we report issues, we ensure that we aren't offering any services:

https://twitter.com/cybergibbons/status/1446022192928595973

Nurserycam horror show: 'Secure' daycare video monitoring product beamed DVR admin creds to all users

cybergibbons

Re: obvious words

I'm confused - are you referring to generic DVRs or the NurseryCam system here?

cybergibbons

Re: obvious words

Why did I hide the password?

Because it isn't admin888.

The DVRs used don't have the default password of admin888, they enforce a change on setup. They aren't bargain basement DVRs.

cybergibbons

By that analogy, if there were cameras in your dining room, that would be fine, because there are public restaurants.

It hurts the people being watched because of their reasonable expectation of privacy in a private place. Everyone has been told that the system is secure, and it isn't.

You've also missed that this is the place of work for the staff, who can be viewed out of hours.

And that the cameras are installed in receptions and offices as well.

And that some cameras have audio.

Your ship comms app is 'secured' with a Flash interface, doesn't sanitise SQL inputs and leaks user data, you say?

cybergibbons

Re: Credit where it's due

As it was MD5, we exhausted any password lists we used in less than a few seconds. We'd moved onto a plain exhaustive search using alphanumeric.

We've paused Sigfox roof aerial payments, says WND-UK, but we'll make you whole after COVID

cybergibbons

Re: Yagi?

Ah, OK. I think what was meant to be communicated is that they are installed by TV aerial installers. There are no yagis directly involved.

cybergibbons

Re: right thing to do

I mean, if WND are having cashflow problems such that they can't pay people, it's not unreasonable to assume that other people are also having cashflow problems. Many people are coming close to the line due to COVID, and there is a massive lack of respect in not asking or even notifying people that you can't pay.

It sounds like the network is currently supported by investors rather than subscribers. At £2/device/year, they need over 250k devices subscribed to pay the rent. There's a chance that investment doesn't materialise, and they can't pay. People are paying for electricity to support these nodes - by the time 6 months is up, that could be £30 in bills.

cybergibbons

Re: Yagi?

What's the relevance of a yagi here?

Xiaomi emits phone browser updates after almighty row over web activity harvested even in incognito mode

cybergibbons

Re: What's the difference between Mi Browser and Google Chrome?

Chrome doesn't take the URLs you visit and send them to Google whilst in Incognito mode.

This seems like a fairly clear difference to me.

Shipping is so insecure we could have driven off in an oil rig, says Pen Test Partners

cybergibbons

Re: And yet...

I don't think we do though - you are under the notion that the crew are infallible. That they will notice, that it will be obvious.

https://www.gov.uk/maib-reports/collision-between-ro-ro-passenger-ferry-red-falcon-and-moored-yacht-greylag

"the master became fixated upon the information displayed on his electronic chart and operating engine controls, ignored information displayed on other electronic equipment, and became cognitively overloaded due to high stress"

It's a downplaying of the risks because you are not accounting for human factors.

cybergibbons

Re: "bridging designed gaps between...engineering control systems and human interface"

Which flag? What type of vessel?

cybergibbons

Re: "bridging designed gaps between...engineering control systems and human interface"

Well, since you need to obey the law of the flag state of the vessel, which is pretty obvious, you need to obey their rules:

https://www.ics-shipping.org/docs/default-source/Piracy-Docs/comparison-of-flag-state-laws-on-armed-guards-and-arms-on-board-2017.pdf?sfvrsn=0

I've been on plenty of voyages passing dangerous parts of the world. No guns. It's a rarity.

cybergibbons

Re: "bridging designed gaps between...engineering control systems and human interface"

Yes, given that I was one of the crew who would be supposedly trained to use them...

cybergibbons

Re: "bridging designed gaps between...engineering control systems and human interface"

More to the point, that would require the crew are licensed to use firearms.

What type of ship have you seen this on? What area of the world?

cybergibbons

Re: "bridging designed gaps between...engineering control systems and human interface"

I've been on 15+ ships in the two years, none have carried weapons.

cybergibbons

Re: A few comments

Totally agree.

A big challenge with implementing a system with cards or similar is that there are so many different systems on board, and they aren't all controlled by the same people. Really hard to implement a common authentication token.

cybergibbons

Re: And yet...

Ah, the good old "topic drift" thing. I'm here too, and it drifted back to what the article is about.

We've had access to common-rail engine PLCs from the corporate network before. So, they can be attacked.

You've picked clear weather, with an alert crew, not taken into account human factors.

I will just leave this here.

https://features.propublica.org/navy-uss-mccain-crash/navy-installed-touch-screen-steering-ten-sailors-paid-with-their-lives/

cybergibbons

Re: A few points

Yep - the most probable and highest impact risk we could see was unconstrained spread of malware across the network. If virtually every PC stopped working on a rig, it would be virtually impossible to work.

cybergibbons

Re: And yet...

That's nice and all, but the article is about an oil rig.

You know that many of the new common-rail engines simply don't have manual controls? How would you handle those if every PLC had been disabled?

cybergibbons

Re: A few points

I'd love to come up with a solution for 3.

There are certain systems - like the ECDIS - where it's just not possible to set passwords that are long, complex, per-user, and confidential.

But it is possible to set the password on your switches and PLCs to not be the same across all 150 rigs with the same drilling package.

Same with HMI consoles - it may need a basic level of access with simple creds, but the Windows box doesn't need to have local admin password of 00000000.

cybergibbons

Re: And yet...

You've got a totally broken threat model.

The article describes an oil rig using dynamic positioning. The generators are running pretty much all the time, as the thrusters are continuously working to keep the rig on station.

If there is significant mechanical failure, and the position cannot be held, then a big red button is pressed. This triggers the BOP, cutting the drill chain at the seabed, and drops the drill chain from the top.

The operator of the rig performed a risk analysis and found that even under normal mechanical failure, manual control was simply not quick enough to stop this happening. The generators, if you cannot control them from the bridge, are around 3-4 minutes away from the bridge. The thruster controls are in the legs, two of which are 1-2 minutes away, the other 3-4 minutes away, then a slow lift ride (unless the weather is rough - then it's a ladder climb). You now have 6+ people (1 for each of the four legs, 1 for each of the two generators needed) communicating via phone with the bridge to keep things working. They cannot fully practice this with every crew, unlike on a ship, as it would cause too much risk. When it has been practiced, the control required to use 4 separate thrusters to keep it on station is incredibly hard without the control systems in place.

Now, an attacker comes along. We found you could disable the phone system, causing them to fall back to radios - which even with leaky feeders, were found to be unreliable in the legs. You now don't have comms. We found that it was possible to wipe the configuration of the breakers in the main switchboard, preventing automatic synchronisation. This highlighted the problem that although the generators had synchroscopes, the bus ties did not. This made operation much more awkward. At the same time, total control over the drilling control network had been obtained. We could brick every switch and PLC, stopping that working entirely. That's just the start of the systems we took control of.

So now you've got the potential for a drive-off incident, which costs millions of dollars. Even if you don't, you have the potential to cost the company huge sums whilst they restore the config of over 400 PLCs, many of which don't have up-to-date backups.

And no, you won't wake up with the sound of small changes on a rig, unless you never sleep.

So remember kiddo, if you paint the only risk as the most severe one and in limited situations, yes, you can ignore it.

cybergibbons

Re: "bridging designed gaps between...engineering control systems and human interface"

Urban myth. Virtually no merchant ships carry guns, and on those that do, it's not the crew using them.

cybergibbons

Re: And yet...

It's normally 10MB/s and above, and always on.

cybergibbons

Re: Bad design

Ships do need better design, from a human factors perspective. They ignore human costs, and push crews to their limits.

cybergibbons

Re: "bridging designed gaps between...engineering control systems and human interface"

Honestly, this isn't the big risk.

It's either bricking hundreds of ships at a time, or disabling the BOP and causing a rig to drive off station and cause an ecological disaster.

cybergibbons

Re: So, the ship is 300M long...and you don't want to walk

This attitude is why there are problems.

Last time I checked, I didn't need to put on a boiler suit, hard hat, safety boots, and gloves to go out to a PC in an air-conditioned space to fix a user's PC.

Then there's the weather. People die on vessels going out 300m.

https://www.londonpandi.com/knowledge/news-alerts/maib-report-on-fatal-accident-on-board-maersk-kithira/

There are no IT crew. Outside of cruise ships, there is no one with training in this. It's down to the person who knows the most IT.

Honestly, your comment is glib and pretty offensive, and totally lacking in understanding that not everyone is a desk jockey.

Infosec boffins pour cold water on claims Home Office Brexit app can be easily hacked

cybergibbons

Re: *sigh*

Why is a rooted phone more secure?

Unbreakable smart lock devastated to discover screwdrivers exist

cybergibbons

The three we bought to find issues cannot be opened in this way. The one of those I opened has the pin in place.

Container ship loading plans are 'easily hackable'

cybergibbons

Eh?

SOLAS VGM pretty much says that you can't estimate weight anymore. It doesn't stipulate using load cells on cranes, and that hasn't been what is implemented in most ports.

Evil pixels: Researcher demos data-theft over screen-share protocols

cybergibbons

Re: Bizarre security

Yes - you can type an executable base64 encoded onto the remote host and run it. Without admin privilege, you can then get data back with this method.

Half-baked security: Hackers can hijack your smart Aga oven 'with a text message'

cybergibbons

Re: Nothing new here really..

I doubt your village hall has a website allowing its number to be enumerated though?

cybergibbons

Re: OK, daft question

Specifically, in this instance, the user interface of the Aga web application allows enumeration of registered numbers.

With most M2M products, the numbers are allocated from groups. I have often seen numbers sequentially allocated in similar products.

cybergibbons

Re: Contact

An attempt? At least 10 attempts were made.

It's very much Aga's responsibility to deal with service providers and hardware vendors involved with their products.

cybergibbons

That's actually a lot of money for most IoT devices, where the entire cost of the device will typically be less than £5. It's got a lot more power than you would ever need, as well.

That said, there have been Pi-based commercial products, such as the early revisions of this:

https://www.geniushub.co.uk

cybergibbons

Re: Security

This really isn't the case though.

The PIC18F - which currently only supports SSLv3 and below with weak ciphers - is ~£1.75 in bulk. An ARM Cortex-M3 that costs the same has more functionality and more flash, and can support TLSv1.2 with good ciphers.

Time and time again I see people saying "but the hardware can't do it". It's perfectly possible to design your hardware to the same cost and have the functionality required.

cybergibbons

Re: Security

There was no reason, in 2012, to put a device in that was so limiting.

Hackers actively stealing Wi-Fi keys from vulnerable routers

cybergibbons

Re: Simples, buy your own better router and secure it properly.

Using a directional antenna outside of someone's house falls firmly into the territory of "tough time" and covers the typical threat model of a home user.

cybergibbons

If you are using the provided HomeHub or any of the common BT VDSL modems, we haven't seen any particular issues with TR-064 being exposed publicly. I don't think anyone has got your key via the same route.

IoT worm can hack Philips Hue lightbulbs, spread across cities

cybergibbons

Re: ANY i.o.t

This isn't enough to isolate you from risk though. If this device is on the same network as your PC or phone, they can attack the device, and the device can attack them.

Boffin's anti-worm bot could silence epic Mirai DDoS attack army

cybergibbons

Re: "prompt the user to reboot"

Why would the user be logging in via telnet? They don't even know the device is running telnet.

cybergibbons

It's worth noting that the worm doesn't actually have the ability to change the passwords. It's not a trivial task on many of them - it needs a firmware update.

Comcast's Xfinity home alarms can be disabled by wireless jammers

cybergibbons

Re: Wireless Alarms are toys

People really seem to be losing perspective of what an alarm is protecting you from...

You don't expect your front door to withstand a hydraulic breach tool, or your lock to withstand a drill for 30 minutes. That's because they have been designed to protect a normal domestic property, with a small value of goods inside. The attacker is a normal burglar.

The basic wireless alarms are designed to add a layer to that protection from those attackers. It isn't meant to protect you from advanced, knowledgeable criminals. If you want that protection, you buy a graded, wired, professionally installed alarm.

Researcher criticises 'weak' crypto in Internet of Things alarm system

cybergibbons

Re: Optional

The device only has Ethernet - not sure where all the WiFi stuff has come from.

cybergibbons

Re: Checklist

Or:

1. Find an unoccupied house

2. Break into it

3. Steal everything you can in under 5 minutes

4. Leave

Whilst the system isn't secure, the attacks being proposed are pure fantasy.

cybergibbons

Re: Huh?

I can build a device that will disable a significant number of wireless alarms on the market in the UK. It costs about £12 to make. It took very little research (relatively) to work it out.

Never seen anyone else sell them - I've even tried asking on some of the forums that are used for trading ATM skimmers, fake chip&pin terminals etc. They just aren't made - criminals aren't currently interested in bypassing alarms on domestic properties.

cybergibbons

Re: Huh?

Which would probably be why they said "it would be beyond the capability of most would-be burglars with access to no more than basic electronic tools like wire strippers, a multi-meter, and crocodile clips".

Are you arguing that most burglars would be capable of this? That would strongly go against the available evidence.

Burglary and car theft have very different risks and rewards, which you seem to have ignored in your analogy/comparison.

You can almost entirely work out the security system on a car just by the model and year. There is very little variation. Not possible with a home alarm. It's easy for criminals to identify and target cars like this.

Once you have bypassed the security system on most modern cars, that's it. You can open the door and start the engine. Not so with a house - bypass the alarm, and you still need to deal with physical security.

Most burglaries don't result in a good reward of a known value. You might get £500, you might get £5k. Lift a high-end car, and you will be looking at a lot more.