#backdoor – @tuckfheman on Tumblr

Tuck Fheman : Decentralized Blockchain Technology & Doom Updates

@tuckfheman / tuckfheman.tumblr.com

A cadre of autodidactic multi diverse personalities decentralizing teh world.
At a New America Foundation conference on cybersecurity Monday, NSA Director Mike Rogers gave an interview that—despite his best efforts to deal exclusively in uninformative platitudes—did produce a few lively moments. The most interesting of these came when techies in the audience—security guru Bruce Schneier and Yahoo's chief information security officer Alex Stamos—challenged Rogers' endorsement of a...
  • Overview of a number of undocumented high-value forensic services running on every iOS device
  • How they’ve evolved 
  • What kind of data they provide 
  • Examples of forensic artifacts acquired that should never come off the device without user consent 
  • Surveillance mechanisms to bypass personal security (intended for enterprises), but make potential targets 
  • Suspicious design omissions in iOS that make collection easier 

Vulnerability Note VU#281284 Samsung Printer firmware contains a hardcoded SNMP community string

Overview
Samsung printers contain a hardcoded SNMP community string that could allow a remote attacker to take control of an affected device.

Description
Samsung printers (as well as some Dell printers manufactured by Samsung) contain a hardcoded SNMP full read-write community string that remains active even when SNMP is disabled in the printer management utility.

This hard-coded admin account in firmware could enable attackers to change their configuration, read their network information or stored credentials and access sensitive information passed to them by users.
Even if SNMP is disabled, this "backdoor administrator account" is still active and could be used by an attacker to access the printer. SNMP is an Internet protocol commonly used to monitor and read statistics from network-attached devices.
US-CERT did not provide a list with the exact printer models affected by the issue, but said that, according to Samsung, models released after Oct. 31, 2012, are not vulnerable. As for the Dell model, Samsung builds Dell printers such as the B1160w modeled after Samsung's ML-2165W compact all-in-one printer. It's unclear what other Dell branded printers may be affected.
- Mohit Kumar, The Hacker News

Impact
A remote, unauthenticated attacker could access an affected device with administrative read/write privileges. Secondary impacts include: the ability to make changes to the device configuration, access to sensitive information (e.g., device and network information, credentials, and information passed to the printer), and possibly the ability to leverage further attacks through arbitrary code execution.

Solution
Samsung and Dell have stated that models released after October 31, 2012 are not affected by this vulnerability. Samsung and Dell have also indicated that they will be releasing a patch tool later this year to address vulnerable devices.

Block Port 1118/udp
The reporter has stated that blocking the custom SNMP trap port of 1118/udp will help mitigate the risks.

Restrict Access
As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from accessing an SNMP interface using the affected credentials from a blocked network location (e.g., using IP filtering and MAC address filtering).

Disable SNMP protocol
Samsung is advising end users to disable SNMPv1 and SNMPv2, or use the secure SNMPv3 mode, until the firmware updates are released. Note that the vulnerability reporter has stated that the community string remains active even when SNMP is disabled in the printer management utility.

Source: kb.cert.org
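Because the note warns that disabling SNMP in the management utility does not deactivate the community string, the only reliable interim controls are at the network layer. The following added example (not part of the CERT note or of any Samsung/Dell tooling) audits constructed flow records against those two controls: any traffic to a printer on the custom trap port 1118/udp is flagged, and SNMP (161/udp) to a printer is flagged unless it comes from an assumed management subnet. Printer addresses, the trusted subnet and the flow lines are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample flow records: "src dst proto dport" (not real traffic).
SAMPLE_FLOWS = """\
10.0.1.5 10.0.9.20 udp 161
10.0.1.5 10.0.9.20 udp 1118
192.168.77.9 10.0.9.20 udp 161
203.0.113.4 10.0.9.21 udp 1118
10.0.1.7 10.0.9.20 tcp 9100
"""

PRINTERS = {"10.0.9.20", "10.0.9.21"}                 # assumed printer addresses
TRUSTED_NETS = [ipaddress.ip_network("10.0.1.0/24")]  # assumed management subnet
SNMP_PORT = 161          # standard SNMP agent port
CUSTOM_TRAP_PORT = 1118  # custom trap port named in the CERT note


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    reason: str


def is_trusted(src: str) -> bool:
    """True if the source address lies inside an allowed management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def audit_flows(text: str) -> List[Finding]:
    """Flag printer-bound UDP flows that violate the advisory's network controls."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port_str = line.split()
        port = int(port_str)
        if dst not in PRINTERS or proto != "udp":
            continue  # only UDP traffic to known printers is in scope
        if port == CUSTOM_TRAP_PORT:
            # Advisory: block 1118/udp outright, whatever the source.
            findings.append(Finding(src, dst, port, "custom SNMP trap port reachable"))
        elif port == SNMP_PORT and not is_trusted(src):
            # Advisory: allow SNMP only from trusted hosts and networks.
            findings.append(Finding(src, dst, port, "SNMP from untrusted host"))
    return findings
```

Running `audit_flows(SAMPLE_FLOWS)` on the constructed data yields three findings: the two 1118/udp flows and the SNMP flow from 192.168.77.9; the trusted-host SNMP flow and the TCP print job are left alone.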

Latest news on my Hardware Security Research by Sergei Skorobogatov

Hardware Assurance and its importance to National Security

Current issues.
UK officials are fearful that China has the capability to shut down businesses, military and critical infrastructure through cyber attacks and spy equipment embedded in computer and telecommunications equipment. The Stuxnet worm is the most famous and best-known example of a cyber attack on a network which wreaked devastation, having easily compromised conventional software defensive systems. There have been many cases of computer hardware having backdoors, Trojans or other programs to allow an attacker to gain access or transmit confidential data to a third party. Considerable focus and expense have been invested in software computer networks and system defences to detect and eradicate such threats.
However, similar technology with antivirus or anti-Trojan capability for hardware (silicon chips) is not available. The computer or network hardware underpins and runs all the software defence systems. If the hardware has a vulnerability then all the energy in defending at the software level is redundant. An effort must be made to defend and detect at the hardware level for a more comprehensive strategy.
Our findings.
Claims were made by the intelligence agencies around the world, from MI5, NSA and IARPA, that silicon chips could be infected. We developed breakthrough silicon chip scanning technology to investigate these claims.
We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.
Key features of our technology:
  - scans silicon/hardware for backdoors, Trojans and unexpected behaviour
  - low cost
  - very fast result turnaround time
  - high portability
  - adaptable: scales up to include many types of chip
Further funding is needed for us to progress to testing further silicon chips and to develop better search algorithms which would allow us to detect possible spy systems or vulnerabilities in a greater range of systems.
Currently there is no economical or timely way of ascertaining if a manufacturer's specifications have been altered during the manufacturing process (99% of chips are manufactured in China), or indeed if the specifications themselves contain a deliberately inserted potential threat.
Conclusions.
It is clear that cyber attacks will increasingly be of this nature, having most impact; it is imperative that this issue is addressed as a matter of urgency. We would suggest making hardware assurance (HWA) & hardware defence (HWD), the testing of silicon chips for backdoors and Trojans, and their defence, a greater priority within the National Cyber Strategy. Until now it was not possible to perform such analysis in a timely or cost-effective manner. Our technology provides a solution. A variation of this technology could be used as a backstop defence on a computer or network system, where it can monitor instructions and possible reprogramming or activation of a buried spy system in a real-time environment, thereby preventing Stuxnet-type attacks.

FBI: We need wiretap-ready Web sites -- now

by Declan McCullagh May 4, 2012

CNET learns the FBI is quietly pushing its plan to force surveillance backdoors on social networks, VoIP, and Web e-mail providers, and is asking Internet companies not to oppose a law making those backdoors mandatory.

The FBI is asking Internet companies not to oppose a controversial proposal that would require firms, including Microsoft, Facebook, Yahoo, and Google, to build in backdoors for government surveillance.

In meetings with industry representatives, the White House, and U.S. senators, senior FBI officials argue the dramatic shift in communication from the telephone system to the Internet has made it far more difficult for agents to wiretap Americans suspected of illegal activities, CNET has learned.

The FBI general counsel's office has drafted a proposed law that the bureau claims is the best solution: requiring that social-networking Web sites and providers of VoIP, instant messaging, and Web e-mail alter their code to ensure their products are wiretap-friendly.

"If you create a service, product, or app that allows a user to communicate, you get the privilege of adding that extra coding," an industry representative who has reviewed the FBI's draft legislation told CNET. The requirements apply only if a threshold of a certain number of users is exceeded, according to a second industry representative briefed on it.

The FBI's proposal would amend a 1994 law, called the Communications Assistance for Law Enforcement Act, or CALEA, that currently applies only to telecommunications providers, not Web companies. The Federal Communications Commission extended CALEA in 2004 to apply to broadband networks.
