2016 made IoT one of the hottest topics across the cyber security industry as Internet-connected devices became a major tool for DDoS attacks. Researchers expect that the role of IoT will only grow in the coming years. Although very recent, the first signs for this new threat vector were visible over the past two years, with malicious actors engaging in IoT exploitability and attacks utilizing these devices. In fact, IoT botnets are not new. In 2015, Continue reading “The IoT Threat – Infographic”
2016 witnessed an unprecedented volume of cyber events of varying impact and future significance. Following a detailed analysis of those events deemed to have the most strategic future ramifications, we have identified a number of major trends and concerning developments expected to gain momentum in 2017. Check out our new Continue reading “SenseCy’s Predictions for the Cyber Global Arena in 2017 – Infographic”
The following is an excerpt from the report. To receive a copy, please send a request to: email@example.com
2016 has been replete with an unprecedented volume of cyber events of varying impact and future significance. From our perspective, on account of our persistent presence and active participation in discussions Continue reading “SenseCy 2016 Annual CTI Report”
The Mirai IoT Botnet has made a lot of headlines in recent weeks. While the botnet itself was analyzed and discussed by a number of security researchers and companies, none addressed the threat actor behind the recent attacks and the leak of Mirai source code. Such an analysis can provide useful insights into Continue reading “Anna-senpai – Analysis of the Threat Actor behind the Leak of Mirai”
On May 20, 2015, researchers from the University of Michigan announced a new vulnerability in the Diffie-Hellman key exchange, called LogJam.
The vulnerability resides in the basic design of TLS itself, exposing both clients and servers, including mail servers, to a MitM attack, in which a malicious attacker can downgrade SSL-based connections to 512-bit export-grade cryptography, thus bypassing the basic security mechanism and allowing the attacker to read and modify any exposed traffic.
According to the official publication in weakdh.org, “The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top one million domains were initially vulnerable.” Moreover, the flaw exploits a vulnerability in the Diffie-Hellman TLS key-exchange protocol, rather than the RSA key exchange exploited by the FREAK vulnerability.
When a client requests a DHE_EXPORT cipher-suite instead of DHE, the server (if it supports DHE_EXPORT) will pick a small, breakable 512-bit parameter for the secret exchange.
According to a CloudFlare publication, this is the protocol flaw at the heart of LogJam “downgrade attack”:
- A MitM attacker intercepts a client connection and replaces all the accepted cipher-suites with only the DHE_EXPORT ones.
- The server picks weak 512-bits parameters, does its half of the computation, and signs the parameters with the certificate’s private key. Neither the Client Hello, the client cipher-suites, nor the chosen cipher-suite are signed by the server.
- The client is led to believe that the server picked a DHE Key Exchange and just willingly opted for small parameters. From its point of view, it has have no way to know that the server was tricked by the MitM into doing so.
- The attacker would then break one of the two weak DH shares, recover the connection key, and proceed with the TLS connection with the client.
Moreover, the researchers have speculated that the LogJam vulnerability provides an explanation for how the NSA cracked VPN connections, saying “a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.”
Further to the publication of the LogJam vulnerability, SenseCy monitored its popularity among known hacker groups and cyber hacktivist. A general interest was noted, with some questions on the vulnerability.
So how should you approach this vulnerability?
The researchers provided some simple answers to this question:
If you run a server:
If you have a web or mail server, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. Step-by-step instructions can be found here.
If you use a browser:
Make sure you have the most recent version of your browser installed, and check for updates frequently (including smartphones).
If you are a system administrator or developer:
Make sure any TLS libraries you use are up-to-date and that you reject Diffie-Hellman Groups smaller than 1024-bit.
You can check if your browser is vulnerable here.
You can download the complete research document from here.
Lately, we have been hearing an awful lot about the Internet of Things (IoT).
What this buzzword describes is a world where every device is connected to the Web and communicates with other devices, and us humans, usually via Smartphone interface.
And, to a certain extent, this is an everyday reality, even today – smart TVs, printers, thermostats, and other home appliances are connected to the Web via wireless communication and receive orders from their owners who are often miles away. And, sure enough, this trend has not been overlooked by hackers.
Since each such device now has a unique IP address, Internet connectivity and the ability to send and receive packets of information, hackers can (in theory) connect them, infect them with malware and use them to send traffic – basically anything that can be performed with a regular PC. An evidence that such schemes are being planned and implemented is growing rapidly.
Security research firm Proofpoint recently announced that they discovered that hackers broke into more than 100,000 gadgets – including TVs, multimedia centers, routers, and at least one fridge – and used the appliances to send out more than 750,000 malicious emails between December 23, 2013 and January 6, 2014 (I guess asking for a Smart TV for Christmas wasn’t such a good idea after all…).
So, while the (now-growing) popular belief is that such appliances can be hacked, tinkered with and turned into malicious machines attacking their human masters is not true, it is very likely that they will be used for all kinds of cyber crime, from sending SPAM, spreading malicious files or participating in DDoS attacks (these are, after all, robots).
Even more interesting are the discussions on various communication platforms regarding the possibilities presented by this trend. References to the above incident were found in Arab media and also on the Facebook page of the famous “Alkrsan” hacker forum. The latter may indicate a rising interest among Arab hackers for this method of cyber-attack.
As for the Russian-speaking Internet, the HabrHabr computer blog published a post entitled “a botnet consisting of ‘smart’ TVs, media centers, PCs and … refrigerators was discovered”.
Generally, news sites refer to this affair as an evolving new threat in the cyber world and lively discussions are being held on closed forums regarding the trend.
So, will your toaster turn against you anytime soon? Not likely. But we have every reason to believe that any device that can be hacked is a legitimate target for hackers and will be breached sooner or later, changing the “Internet of Things” into the “Internet of Vulnerabilities”.