Article 43

Broadband Privacy

Monday, March 09, 2020

DNS Tunneling

image: cybercrime

How Hackers Use DNS Tunneling to Own Your Network

By Ron Lifinski, Cyber Security Researcher
Cynet
October 22, 2018

DNS Tunneling

Most organizations have a firewall that acts as a filter between their sensitive internal networks and the threatening global Internet. DNS tunneling has been around for a while, but it continues to cost companies and has seen hackers invest more time and effort developing tools. A recent study[1] found that DNS attacks in the UK alone have risen 105% in the past year. DNS tunneling is attractive: hackers can get any data in and out of your internal network while bypassing most firewalls. Whether it's used to command and control (C&C) compromised systems, leak sensitive data outside, or to tunnel inside your closed network, DNS tunneling poses a substantial risk to your organization. Here's everything you need to know about the attack, the tools and how to stop it.

Introduction

DNS tunneling has been around since the early 2000s, when NSTX[2], an easy-to-use tool, was published to the masses. Since then there has been a clear trend: tighter firewall security led to more widespread DNS tunneling. By 2011 it had already been used by malware such as Morto[3] and Feederbot[4] for C&C, and by FrameworkPOS[5], a popular malicious payload for point-of-sale systems, for credit card exfiltration.

Why It’s a Problem

DNS was originally made for name resolution and not for data transfer, so it's often not seen as a threat for malicious communications and data exfiltration. Because DNS is a well-established and trusted protocol, hackers know that organizations rarely analyze DNS packets for malicious activity. DNS gets less attention, and most organizations focus resources on analyzing web or email traffic, where they believe attacks most often take place. In reality, diligent endpoint monitoring is required to find and prevent DNS tunneling.

Furthermore, tunneling toolkits have become an industry and are widely available on the Internet, so hackers don't really need technical sophistication to implement DNS tunneling attacks.

Common Abuse Cases (and the tools that make them possible)

Malware command and control (C&C) - Malware can use DNS tunneling to receive commands from its control servers, and upload data to the Internet without opening a single TCP/UDP connection to an external server. Tools like DNSCAT2 are made specifically for C&C purposes.

Create a "firewall bypassing tunnel" - DNS tunneling allows an attacker to place himself into the internal network by creating a complete tunnel. Tools like IODINE allow you to create a common network between devices by creating a full IPv4 tunnel.

Bypass captive portals for paid Wi-Fi - A lot of captive portal systems allow all DNS traffic out, so it's possible to tunnel IP traffic without paying a fee. Some commercial services even provide a server-side tunnel as a service. Tools like YOUR-FREEDOM are made specifically for escaping captive portals.

How It Works

image: dns tunnel

The attacker acquires a domain, for example, evilsite.com.

The attacker configures the domain's name servers to point to his own DNS server.

The attacker delegates a subdomain, such as "tun.evilsite.com", and configures his machine as the subdomain's authoritative DNS server.

Any DNS request made by the victim for "{data}.tun.evilsite.com" will end up reaching the attacker's machine, carrying the encoded data in the leftmost label.

The attacker's machine encodes its reply in the DNS response, which is routed back to the victim's machine through the normal resolver chain.

A bidirectional data transfer channel is achieved using a DNS tunneling tool.
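The steps above are also what a defender can look for: tunnelled traffic shows up as long, high-entropy leftmost labels, each one unique, usually under a single delegated domain and often using record types (TXT, NULL) that ordinary hosts rarely query. The following heuristic detector is an added example written for this page, not code from the original article or from any tunnelling tool; the log format, thresholds and the "last two labels" domain simplification are assumptions, and the log lines are constructed.

```python
"""Heuristic DNS tunnelling detector over resolver query logs (added example)."""
import math
from collections import defaultdict

# Constructed sample of resolver query logs; not data from the original article.
# Assumed line format: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2020-03-09T10:00:01 10.0.0.5 A www.example.com
2020-03-09T10:00:02 10.0.0.5 A mail.example.com
2020-03-09T10:00:02 10.0.0.5 A api.example.com
2020-03-09T10:00:03 10.0.0.7 TXT 7a3f9c2e1b8d4a6f0c5e2b9d7a1f3c8e.tun.evilsite.com
2020-03-09T10:00:03 10.0.0.7 TXT 4d2c8b1a9e7f3c5d0a6b2e8f1c9d3a7b.tun.evilsite.com
2020-03-09T10:00:04 10.0.0.7 TXT e9b1d7c3a5f2e8b4d0c6a2f9e1b7d3c5.tun.evilsite.com
2020-03-09T10:00:04 10.0.0.7 TXT 2f8e4c1a7b9d3e5f0c2a8b6d4e1f9c3a.tun.evilsite.com
2020-03-09T10:00:05 10.0.0.9 A cdn.example.net
"""

# Thresholds are illustrative assumptions; tune them against your own baseline.
MIN_QUERIES = 3          # ignore domains a client touched only once or twice
MIN_AVG_LABEL_LEN = 20   # ordinary hostnames are short; encoded payloads are long
MIN_AVG_ENTROPY = 3.0    # bits per character; hex/base32 payloads sit near 3.5-4
MIN_UNIQUE_RATIO = 0.9   # tunnel payload labels almost never repeat
RARE_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client, qtype, qname) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return client, qtype.upper(), qname.rstrip(".").lower()


def registered_domain(qname: str) -> str:
    # Simplification: last two labels. A real deployment should use the Public
    # Suffix List so that e.g. "example.co.uk" is handled correctly.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def payload_label(qname: str) -> str:
    # Tunnelling tools place the encoded data in the leftmost label
    # ({data}.tun.evilsite.com), so that is the label we score.
    return qname.split(".")[0]


def find_tunnel_candidates(log_text: str):
    """Group queries by (client, registered domain) and score each group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qtype, qname = rec
        groups[(client, registered_domain(qname))].append((qtype, qname))

    findings = []
    for (client, domain), recs in groups.items():
        if len(recs) < MIN_QUERIES:
            continue
        labels = [payload_label(q) for _, q in recs]
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        unique_ratio = len(set(labels)) / len(labels)
        rare_ratio = sum(1 for t, _ in recs if t in RARE_QTYPES) / len(recs)
        if (avg_len >= MIN_AVG_LABEL_LEN and avg_ent >= MIN_AVG_ENTROPY
                and unique_ratio >= MIN_UNIQUE_RATIO):
            findings.append({
                "client": client, "domain": domain, "queries": len(recs),
                "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                "rare_qtype_ratio": round(rare_ratio, 2),
            })
    return findings


if __name__ == "__main__":
    for f in find_tunnel_candidates(SAMPLE_LOG):
        print("possible DNS tunnel:", f)
```

The rare record type ratio is reported rather than used as a hard rule, because some tunnels use plain A records and some legitimate software (mail, SPF checks) issues TXT queries.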

References

[1] www.infosecurity-magazine.com/news/dns-attack-costs-soar-105-in-uk

[2] thomer.com/howtos/nstx.html

[3] www.symantec.com/connect/blogs/morto-worm-sets-dns-record

[4] chrisdietri.ch/post/feederbot-botnet-using-dns-command-and-control/

[5] www.gdatasoftware.com/blog/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests

[6] github.com/iagox86/dnscat

[7] github.com/yarrick/iodine

[8] heyoka.sourceforge.net/

SOURCE

Posted by Elvis on 03/09/20 •
Section Privacy And Rights • Section Broadband Privacy
View (0) comment(s) or add a new one
Printable viewLink to this article
Home

Tuesday, November 12, 2019

Project Nightingale

image: google

Google’s “Project Nightingale” analyzes medical records to create “Patient Search” for health providers

By Abner Li
9to5Google
Nov 2019

Beyond the ACQUISITION OF FITBIT earlier this month, Google's health ambitions are multi-faceted and extend into services for hospitals and health providers. Such an effort, named Project Nightingale, was detailed today, along with the end product: Patient Search.

The Wall Street Journal today REPORTED on Project Nightingale, with Forbes providing more details on the effort, including screenshots.  Ascension - one of the country’s largest healthcare systems - is moving its patient records to Google Cloud. This complete health history includes lab results, doctor diagnoses, and hospitalization records.

In turn, Google is analyzing and compiling that data into a Patient Search tool that allows doctors and other health professionals to conveniently see all patient data on an overview page.

The page includes notes about patient medical issues, test results and medications, including information from scanned documents, according to presentations viewed by Forbes.

The interface is quite straightforward and not too different from hospitals that offer results directly to patients today.

Internally, the project is being developed within Google Cloud, and 150 Googlers reportedly have access to the data. This includes Google Brain, the company's internal AI research division. The WSJ describes another tool in development that uses machine learning to suggest possible patient treatment changes to doctors.

Google in this case is using the data, in part, to design new software, underpinned by advanced artificial intelligence and machine learning, that zeroes in on individual patients to suggest changes to their care.

That appears to be further off in the distance compared to "Patient Search", which is already deployed to Ascension facilities in Florida and Texas, with more locations planned this year. Google is apparently not charging Ascension for the work and could offer the tool to other health systems in the future.

When asked for comment, Google said Project Nightingale abides by all federal laws and that privacy protections are in place. Experts that spoke to the WSJ believe that this initiative is allowed under the Health Insurance Portability and Accountability Act (HIPAA).

SOURCE

Posted by Elvis on 11/12/19

Wednesday, June 12, 2019

AC Phone Home

snooping on your pc

I got a new HONEYWELL THERMOSTAT for the air conditioner that has internet connectivity for remote access, and pulls a weather report.

Like everything IOT - it INSISTS ON A MIDDLEMAN (pretty much anyone after looking at their EULA) possibly peeking at the things connected to my network, and who knows WHAT ELSE:

The Internet has been around for around 20 years now, and its security is far from perfect. Hacker groups still ruthlessly take advantage of these flaws, despite spending billions on tech security. The IoT, on the other hand, is primitive. And so is its security.

Once everything we do, say, think, and eat, is tracked, the big data that's available about each of us is immensely valuable. When companies know our lives inside and out, they can use that data to make us buy even more stuff. Once they control your data, they control you.

Why can’t I just VPN into the house and connect to it that way?

Because then they can’t SNOOP.

Their EULA SAYS:

We may use your Contact Information to market Honeywell and third-party products and services to you via various methods

We also use third parties to help with certain aspects of our operations, which may require disclosure of your Consumer Information to them.

Honeywell uses industry standard web ANALYTICS to track web visits, Google Analytics and Adobe Analytics.

GOOGLE and Adobe may also TRANSFER this INFORMATION to third parties where required to do so by law, or where such third parties process the information on Google’s or Adobe’s behalf.

You acknowledge and agree that Honeywell and its affiliates, service providers, suppliers, and dealers are permitted at any time and without prior notice to remotely push software

collection and use of certain information as described in this Privacy Statement, including the transfer of this information to the United States and/or other countries for storage

Wonderful.

I connected it to the LAN without asking it to get the weather - or signing up for anything at HONEYWELL’S SITE.

As fast as I can turn my head to peek at the firewall - it was chatting on the internet, and crapped out with some SSL error:

‘SSL_PROTO_REJECT: 48: 192.168.0.226:61492 -> 199.62.84.151:443’
‘SSL_PROTO_REJECT: 48: 192.168.0.226:65035 -> 199.62.84.152:443’
‘SSL_PROTO_REJECT: 48: 192.168.0.226:55666 -> 199.62.84.153:443’

Maybe the website has a problem:

# curl -sslv2 199.62.84.151:443
* About to connect() to 199.62.84.151 port 443 (#0)
* Trying 199.62.84.151… connected
* Connected to 199.62.84.151 (199.62.84.151) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 199.62.84.151:443
> Accept: */*
>
* Closing connection #0
* Failure when receiving data from the peer

# curl -sslv3 199.62.84.151:443
* About to connect() to 199.62.84.151 port 443 (#0)
* Trying 199.62.84.151… connected
* Connected to 199.62.84.151 (199.62.84.151) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 199.62.84.151:443
> Accept: */*
>
* Closing connection #0
* Failure when receiving data from the peer

# curl -tlsv1 199.62.84.151:443
curl: (56) Failure when receiving data from the peer

# curl -tlsv1.0 199.62.84.151:443
curl: (56) Failure when receiving data from the peer

# curl -tlsv1.1 199.62.84.151:443
curl: (56) Failure when receiving data from the peer

# curl -tlsv1.2 199.62.84.151:443
curl: (56) Failure when receiving data from the peer

# curl 199.62.84.151:80
curl: (56) Failure when receiving data from the peer

Then I pulled the plug. Even if Honeywell's website is broken - I still fear this thermostat will find a way to download software, and maybe START SPYING ON MY HOME NETWORK:

The US intelligence chief has acknowledged for the first time that agencies might use a new generation of smart household devices to increase their surveillance capabilities.

Maybe, someday I’ll firewall off HONEYWELL’S NETBLOCKS, connect it again, see where it goes.

For now - I’m too AFRAID:

When the cybersecurity industry warns about the nightmare of hackers causing blackouts, the scenario they describe typically entails an elite team of hackers breaking into the inner sanctum of a power utility to start flipping switches. But one group of researchers has imagined how an entire power grid could be taken down by hacking a less centralized and protected class of targets: home air conditioners and water heaters.

---

Think that's bad? Check this out:

Don't Toss That Bulb, It Knows Your Password

By Tom Nardi
Hackaday
January 28, 2019

Whether it was here on Hackaday or elsewhere on the Internet, you've surely heard more than a few cautionary tales about the "Internet of Things" by now. As it turns out, giving every gadget you own access to your personal information and Internet connection can lead to unintended consequences. Who knew, right? But if you need yet another example of why trusting your home appliances with your secrets is potentially a bad idea, [Limited Results] is here to make sure you spend the next few hours doubting your recent tech purchases.

In a series of POSTS on the [Limited Results] blog, low-cost smart bulbs are cracked open and investigated to see what kind of knowledge they've managed to collect about their owners. Not only was it discovered that bulbs manufactured by Xiaomi, LIFX, and Tuya stored the WiFi SSID and encryption key in plain text, but that recovering said information from the bulbs was actually quite simple. So next time one of those cheapo smart bulbs starts flickering, you might want to take a hammer to it before tossing it in the trash can; you never know where it, and the knowledge it has of your network, might end up.

Regardless of the manufacturer of the bulb, the process to get one of these devices on your network is more or less the same. An application on your smartphone connects to the bulb and provides it with the network SSID and encryption key. The bulb then disconnects from the phone and reconnects to your home network with the new information. It's a process that at this point we're all probably familiar with, and there's nothing inherently wrong with it.

The trouble comes when the bulb needs to store the connection information it was provided. Rather than obfuscating it in some way, the SSID and encryption key are simply stored in plain text on the bulb's WiFi module. Recovering that information is just a process of finding the correct traces on the bulb's PCB (often there are test points which make this very easy), and dumping the chip's contents to the computer for analysis.

It's not uncommon for smart bulbs like these to use the ESP8266 or ESP32, and [Limited Results] found that to be the case here. With the wealth of information and software available for these very popular WiFi modules, dumping the firmware binary was no problem. Once the binary was in hand, a little snooping around with a hex editor was all it took to identify the network login information. The firmware dumps also contained information such as the unique hardware IDs used by the "cloud" platforms the bulbs connect to, and in at least one case, the root certificate and RSA private key were found.

On the plus side, being able to buy cheap smart devices that are running easily hackable modules like the ESP makes it easier for us to create custom firmware for them. Hopefully the community can come up with slightly less suspect software, but really just keeping the things from connecting to anything outside the local network would be a step in the right direction.

(Some days later)

[Limited Results] had hinted to us that he had previously disclosed some vulnerabilities to the bulb's maker, but that until they fixed them, he didn't want to make them public. They're fixed now, and it appears that the bulbs were sending everything over the network unencrypted: your data, OTA firmware upgrades, everything. They're using TLS now, so good job [Limited Results]! If you're running an old version of their lightbulbs, you might have a look.

On WiFi credentials, we were told: “In the case where sensitive information in the flash memory wasn’t encrypted, the new version will include encrypted storage processing, and the customer will be able to select this version of the security chips, which can effectively avoid future security problems.” Argue about what that actually means in the comments.

SOURCE

Posted by Elvis on 06/12/19

Wednesday, October 17, 2018

The Clouded Cloud

image: amazon honor system

AmazonAtlas

Wikileaks
October 11, 2018

Today, WikiLeaks publishes a "Highly Confidential" internal document from the cloud computing provider Amazon. The document, from late 2015, lists the addresses and some operational details of over one hundred data centers spread across fifteen cities in nine countries. To accompany this document, WikiLeaks also created a map showing where Amazon's data centers are LOCATED.

Amazon, which is the largest cloud provider, is notoriously secretive about the precise locations of its data centers. While a few are publicly tied to Amazon, this is the exception rather than the norm. More often, Amazon operates out of data centers owned by other companies with little indication that Amazon itself is based there too, or runs its own data centers under less-identifiable subsidiaries such as VaData, Inc. In some cases, Amazon uses pseudonyms to obscure its presence. For example, at its IAD77 data center, the document states that Amazon is known as "Vandala Industries" on badges and all correspondence with the building manager.

Amazon is the leading cloud provider for the United States intelligence community. In 2013, Amazon entered into a $600 million contract with the CIA to build a cloud for use by intelligence agencies working with information classified as Top Secret. Then, in 2017, Amazon announced the AWS Secret Region, which allows storage of data classified up to the Secret level by a broader range of agencies and companies. Amazon also operates a special GovCloud region for US Government agencies hosting unclassified information.

Currently, Amazon is one of the leading contenders for an up to $10 billion contract to build a private cloud for the Department of Defense. Amazon is one of the only companies with the certifications required to host classified data in the cloud. The Defense Department is looking for a single provider and other companies, including Oracle and IBM, have complained that the requirements unfairly favor Amazon. Bids on this contract are due tomorrow.

While one of the benefits of the cloud is the potential to increase reliability through geographic distribution of computing resources, cloud infrastructure is remarkably centralised in terms of legal control. Just a few companies and their subsidiaries run the majority of cloud computing infrastructure around the world. Of these, Amazon is the largest by far, with recent market research showing that Amazon accounts for 34% of the cloud infrastructure services market.

Until now, this cloud infrastructure controlled by Amazon was largely hidden, with only the general geographic regions of the data centers publicised. While Amazon's cloud is comprised of physical locations, indications of the existence of these places are primarily buried in government records or made visible only when cloud infrastructure fails due to natural disasters or other problems in the physical world.

In the process of dispelling the mystery around the locations of Amazon's data centers, WikiLeaks also turned this document into a puzzle game, the Quest of Random Clues. The goal of this game was to encourage people to research these data centers in a fun and intriguing way, while highlighting related issues such as contracts with the intelligence community, Amazon's complex corporate structures, and the physicality of the cloud.

SOURCE

Posted by Elvis on 10/17/18

Thursday, August 09, 2018

Legalized Hacking

snooping on your pc

If I were to PORT SCAN any IP - I can be IN BIG TROUBLE.

Shouldn’t BIG BAD BANKS - and everyone else - be bound by the same rules?

Check this out:

Halifax Bank scans the machines of surfers that land on its login page whether or not they are customers

---

Bank on it: It’s either legal to port-scan someone without consent or it’s not, fumes researcher
One rule for banks, another for us, says white hat

By John Leyden
The Register
August 7, 2018

Security researcher Paul Moore has made his objection to this practice - in which the British bank is not alone - clear, even though it is done for good reasons. The researcher claimed that performing port scans on visitors without permission is a violation of the UK's COMPUTER MISUSE ACT (CMA).

Halifax has disputed this, arguing that the port scans help it pick up evidence of malware infections on customers’ systems. The scans are legal, Halifax told Moore in response to a complaint he made on the topic last month.

When you visit the Halifax login page, even before you've logged in, JavaScript on the site, running in the browser, attempts to scan for open ports on your local computer to see if remote desktop or VNC services are running, and looks for some general remote access trojans (RATs) - backdoors, in other words. Crooks are known to abuse these remote services to snoop on victims' banking sessions.

Moore said he wouldn't have an issue if Halifax carried out the security checks on people's computers after they had logged on. It's the lack of consent and the scanning of any visitor that bothers him. "If they ran the script after you've logged in… they'd end up with the same end result, but they wouldn't be scanning visitors, only customers," Moore said.

According to Moore, when he called Halifax to complain, a representative told him: “We have to port scan your machine for security reasons.”

Having failed to either persuade Halifax Bank to change its practices or Action Fraud to act (thus far [1]), Moore last week launched a fundraising effort to privately prosecute Halifax Bank for allegedly breaching the Computer Misuse Act. This crowdfunding effort on GoFundMe aims to gather 15,000 (so far just 50 has been raised).

Halifax Bank's "unauthorised" port scans are a clear violation of the CMA - and amount to an action that security researchers are frequently criticised and/or convicted for, Moore argued. The CISO and part-time security researcher hopes his efforts in this matter might result in a clarification of the law.

“Ultimately, we can’t have it both ways,” Moore told El Reg. “It’s either legal to port scan someone without consent, or with consent but no malicious intent, or it’s illegal and Halifax need to change their deployment to only check customers, not visitors.”

The whole effort might smack of tilting at windmills, but Moore said he was acting on a point of principle.

“If security researchers operate in a similar fashion, we almost always run into the CMA, even if their intent isn’t malicious. The CMA should be applied fairly to both parties.”

Moore announced his findings, his crowdfunded litigation push and the reasons behind it on Twitter, sparking a lively debate. Security researchers are split on whether the effort is worthwhile.

The arguments for and against

The scanning happens on the customer login page and not the main Halifax Bank site, others were quick to point out. Moore acknowledged this but said it was beside the point.

Infosec pro Lee Burgess disagreed: “If they had added to the non-customer page then the issue would be different. They are only checking for open ports, nothing else, so [I] cannot really see the issue.”

Surely there needs to be intent to cause harm or recklessness for any criminal violation, neither of which is present in the case of Halifax, argued another.

UK security pro Kevin Beaumont added: “I’d question if [it was] truly illegal if [there was] not malicious intent. Half the infosec services would be illegal (Shodan, Censys etc). IRC networks check on connect, Xbox does, PlayStation does etc.”

Moore responded that two solicitors he’d spoken to agreed Halifax’s practice appeared to contravene the CMA. An IT solicitor contact of The Register, who said he’d rather not be quoted on the topic, agreed with this position. Halifax’s lawyers undoubtedly disagree.

Moore concluded: “Halifax explicitly says they’ll run software to detect malware… but that’s if you’re a customer. Halifax currently scan everyone, as soon as you land on their site.”

Enter the ThreatMetrix

Halifax Bank is part of Lloyds Banking Group, and a reference customer for ThreatMetrix, the firm whose technology is used to carry out the port scanning, via client-side JavaScripts.

The scripts run within the visitor’s browser, and are required to check if a machine is infected with malware. They test for this by trying to connect to a local port, but this is illegal without consent, according to Moore.

“Whilst their intentions are clear and understandable, the simple act of scanning and actively trying to connect to several ports, without consent, is a clear violation of the CMA,” Moore argued.

Beaumont countered: “It only connects to the port, it doesn’t send or receive any data (you can see from the code, it just checks if port is listening).”

Moore responded that even passively listening would break the CMA. “That’s sufficient to breach CMA. If I port-sweep Halifax to see what’s listening, I’d be breaching CMA too,” he said.

The same ThreatMetrix tech is used by multiple UK high street banks, according to Beaumont. “If one is forced to change, they all will,” Moore replied.

Moore went on to say that this testing - however well-intentioned - might have undesirable consequences.

“Halifax/Lloyds Banking Group are not trying to gain remote access to your device; they are merely testing to see if such a connection is possible and if the port responds. There is no immediate threat to your security or money,” he explained.

“The results of their unauthorised scan are sent back to Halifax and processed in a manner which is unclear. If you happen to allow remote desktop connections or VNC, someone (other than you) will be notified as such. If those applications have vulnerabilities of which you are unaware, you are potentially at greater risk.”

Moore expressed that his arguably quixotic actions may have beneficial effects. “Either Halifax [is] forced to correct it and pays researchers from the proceeds, or the CMA is revised to clarify that if [its] true intent isn’t malicious, [it’s] safe to continue,” he said.

We have asked ThreatMetrix for comment.

Updated at 1200 UTC to add

Halifax Bank has been in touch to say: "Keeping our customers safe is of paramount importance to the Group and we have a range of robust processes in place to protect online banking customers."

Bootnote

[1] Action Fraud is the UK's cyber security reporting centre. Moore has reported the issue to it. AF's response left Moore pessimistic about finding any relief from that quarter.

SOURCE

Posted by Elvis on 08/09/18