The IoT Threat – Infographic

2016 made IoT one of the hottest topics across the cyber security industry as Internet-connected devices became a major tool for DDoS attacks. Researchers expect that the role of IoT will only grow in the coming years. Although very recent, the first signs of this new threat vector were visible over the past two years, with malicious actors exploiting IoT devices and using them in attacks. In fact, IoT botnets are not new. In 2015, Continue reading “The IoT Threat – Infographic”

SenseCy’s Predictions for the Cyber Global Arena in 2017 – Infographic

2016 witnessed an unprecedented volume of cyber events of varying impact and future significance. Following a detailed analysis of those events deemed to have the most strategic future ramifications, we have identified a number of major trends and concerning developments expected to gain momentum in 2017. Check out our new Continue reading “SenseCy’s Predictions for the Cyber Global Arena in 2017 – Infographic”

Anna-senpai – Analysis of the Threat Actor behind the Leak of Mirai

The Mirai IoT Botnet has made a lot of headlines in recent weeks. While the botnet itself was analyzed and discussed by a number of security researchers and companies, none addressed the threat actor behind the recent attacks and the leak of Mirai source code. Such an analysis can provide useful insights into Continue reading “Anna-senpai – Analysis of the Threat Actor behind the Leak of Mirai”

LogJam, Little Sister of FREAK

On May 20, 2015, researchers from the University of Michigan announced a new vulnerability in the Diffie-Hellman key exchange, called LogJam.

The vulnerability resides in the basic design of TLS itself, exposing both clients and servers, including mail servers, to a man-in-the-middle (MitM) attack in which an attacker downgrades TLS/SSL connections to 512-bit export-grade cryptography, thus bypassing the basic security mechanism and allowing the attacker to read and modify any exposed traffic.

According to the official publication at weakdh.org, “The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top one million domains were initially vulnerable.” Note that the flaw lies in the Diffie-Hellman TLS key-exchange protocol, rather than in the RSA key exchange exploited by the FREAK vulnerability.

When a client requests a DHE_EXPORT cipher-suite instead of DHE, the server (if it supports DHE_EXPORT) will pick a small, breakable 512-bit parameter for the secret exchange.

According to a CloudFlare publication, this is the protocol flaw at the heart of the LogJam “downgrade attack”:

  • A MitM attacker intercepts a client connection and replaces all the accepted cipher-suites with only the DHE_EXPORT ones.
  • The server picks weak 512-bit parameters, does its half of the computation, and signs the parameters with the certificate’s private key. Neither the Client Hello, the client cipher-suites, nor the chosen cipher-suite are signed by the server.
  • The client is led to believe that the server picked a DHE Key Exchange and just willingly opted for small parameters. From its point of view, it has no way to know that the server was tricked by the MitM into doing so.
  • The attacker would then break one of the two weak DH shares, recover the connection key, and proceed with the TLS connection with the client.


Moreover, the researchers have speculated that the LogJam vulnerability provides an explanation for how the NSA cracked VPN connections, saying “a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.”

Following the publication of the LogJam vulnerability, SenseCy monitored its popularity among known hacker groups and cyber hacktivists. General interest was noted, along with some questions about the vulnerability.


So how should you approach this vulnerability?

The researchers provided some simple answers to this question:

If you run a server:

If you have a web or mail server, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. Step-by-step instructions can be found here.

If you use a browser:

Make sure you have the most recent version of your browser installed, and check for updates frequently (including smartphones).

If you are a system administrator or developer:

Make sure any TLS libraries you use are up-to-date and that you reject Diffie-Hellman Groups smaller than 1024-bit.
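The following added example (not code from the original post or from the LogJam researchers) shows both halves of this advice in Python: a client-side check that parses the ServerDHParams structure carried in a TLS ServerKeyExchange message and rejects any group whose prime is shorter than 1024 bits, so the 512-bit parameters from the downgrade steps described above are refused even though the server signed them; and a server-side cipher-suite selection that ignores export suites offered in the ClientHello, so a MitM that strips the list down to DHE_EXPORT gets a handshake failure instead of a weak group. The cipher-suite numbers are the real RFC 2246 values; the Diffie-Hellman primes and public values are constructed test numbers (not real groups), and the function names are this example's own.

```python
# Added example: LogJam mitigations on both sides of a TLS handshake.
# Not code from the original post; DH values below are constructed, not real groups.
import struct

# Cipher-suite identifiers from RFC 2246 (real values).
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F

# Every export-grade suite defined in RFC 2246 (RSA_EXPORT, DH*_EXPORT, DHE_*_EXPORT, DH_anon_EXPORT).
EXPORT_SUITES = {0x0003, 0x0006, 0x0008, 0x000B, 0x000E, 0x0011, 0x0014, 0x0017, 0x0019}

# Minimum Diffie-Hellman group size recommended by the LogJam researchers.
MIN_DH_BITS = 1024


def parse_server_dh_params(blob):
    """Parse ServerDHParams: dh_p, dh_g, dh_Ys, each prefixed by a 16-bit length.
    Returns the three values as integers; raises ValueError on truncated input."""
    fields = []
    offset = 0
    for _ in range(3):
        if offset + 2 > len(blob):
            raise ValueError("truncated ServerDHParams")
        (length,) = struct.unpack("!H", blob[offset:offset + 2])
        offset += 2
        value = blob[offset:offset + length]
        if length == 0 or len(value) != length:
            raise ValueError("truncated ServerDHParams")
        fields.append(int.from_bytes(value, "big"))
        offset += length
    p, g, ys = fields
    return p, g, ys


def dh_group_acceptable(blob, min_bits=MIN_DH_BITS):
    """Client-side check: refuse a signed group whose prime is too small, and
    refuse a server public value outside (1, p-1). Returns (accepted, prime_bits)."""
    p, _g, ys = parse_server_dh_params(blob)
    bits = p.bit_length()
    if bits < min_bits:
        return False, bits
    if not 1 < ys < p - 1:
        return False, bits
    return True, bits


def encode_server_dh_params(p, g, ys):
    """Build a ServerDHParams blob (the inverse of parse_server_dh_params)."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def server_select_cipher_suite(client_suites, server_preferences):
    """Server-side selection with export suites disabled: pick the first suite in
    the server's preference order that the client offered, never an export one.
    Returns None (handshake failure) when nothing acceptable remains."""
    offered = [s for s in client_suites if s not in EXPORT_SUITES]
    for suite in server_preferences:
        if suite in offered:
            return suite
    return None


# Constructed test values: bit lengths are what matter here, these are not primes.
WEAK_P_512 = (1 << 511) | 0x2B
STRONG_P_2048 = (1 << 2047) | 0x01
SERVER_PREFERENCES = [TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                      TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                      TLS_RSA_WITH_AES_128_CBC_SHA]

if __name__ == "__main__":
    weak = encode_server_dh_params(WEAK_P_512, 2, 12345)
    strong = encode_server_dh_params(STRONG_P_2048, 2, 12345)
    print("512-bit group accepted by client?", dh_group_acceptable(weak))
    print("2048-bit group accepted by client?", dh_group_acceptable(strong))
    # A ClientHello a MitM has reduced to export suites only: server refuses.
    print("Server choice for export-only hello:",
          server_select_cipher_suite([0x0014, 0x0011], SERVER_PREFERENCES))
    # A normal ClientHello: server picks a non-export DHE suite.
    print("Server choice for normal hello:",
          hex(server_select_cipher_suite([0x0014, 0x0033, 0x002F], SERVER_PREFERENCES)))
```

The two checks are independent: even if a server somewhere still honours DHE_EXPORT, a client applying the 1024-bit floor refuses the weak group; and a server that drops export suites from selection never produces such a group in the first place. On a real deployment the server half corresponds to removing export suites from the TLS library's cipher string and loading a freshly generated 2048-bit group, as the researchers' instructions describe.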

You can check if your browser is vulnerable here.

You can download the complete research document from here.

Will Your Toaster Attack You?

Lately, we have been hearing an awful lot about the Internet of Things (IoT).

What this buzzword describes is a world where every device is connected to the Web and communicates with other devices, and with us humans, usually via a smartphone interface.

And, to a certain extent, this is an everyday reality, even today – smart TVs, printers, thermostats, and other home appliances are connected to the Web via wireless communication and receive orders from their owners who are often miles away. And, sure enough, this trend has not been overlooked by hackers.

Since each such device now has a unique IP address, Internet connectivity and the ability to send and receive packets of information, hackers can (in theory) connect to them, infect them with malware and use them to send traffic – basically anything that can be done with a regular PC. Evidence that such schemes are being planned and implemented is growing rapidly.

Security research firm Proofpoint recently announced that they discovered that hackers broke into more than 100,000 gadgets – including TVs, multimedia centers, routers, and at least one fridge – and used the appliances to send out more than 750,000 malicious emails between December 23, 2013 and January 6, 2014 (I guess asking for a Smart TV for Christmas wasn’t such a good idea after all…).

So, while the (now-growing) popular belief that such appliances can be hacked, tinkered with and turned into malicious machines attacking their human masters is not true, it is very likely that they will be used for all kinds of cyber crime, from sending spam and spreading malicious files to participating in DDoS attacks (these are, after all, robots).

Will these appliances attack you anytime soon?

Even more interesting are the discussions on various communication platforms regarding the possibilities presented by this trend. References to the above incident were found in Arab media and also on the Facebook page of the famous “Alkrsan” hacker forum. The latter may indicate a rising interest among Arab hackers in this method of cyber-attack.

Reference to IoT hacking on the famous hacker forum “Alkrsan”

As for the Russian-speaking Internet, the HabrHabr computer blog published a post entitled “a botnet consisting of ‘smart’ TVs, media centers, PCs and … refrigerators was discovered”.

Generally, news sites refer to this affair as an evolving new threat in the cyber world and lively discussions are being held on closed forums regarding the trend.

Russian computer blog HabrHabr discusses IoT hacking

So, will your toaster turn against you anytime soon? Not likely. But we have every reason to believe that any device that can be hacked is a legitimate target for hackers and will be breached sooner or later, changing the “Internet of Things” into the “Internet of Vulnerabilities”.