This is Gonna Get Ugly

So my focus is shifting largely due to focus on my professional career, limited time, and frankly the political scene is something that has me so damn angry I need shit to take my mind off of it. For instance I’ve spent my past three weekend moving servers around for a bunch of gun bloggers I take care of hosting for.

For those who don’t know I’m a host, who’s having random sabbaticals, over at The Gunblog Variety Cast.  And well if you know me or have been lucky enough to friend me on Facebook, sorry I don’t just accept anyone, overall I have a solid bead on the tech security space.

The Problem

So incase you’ve been under a rock there have been some major events recently about computer security. First up was “WannaCry“.

WannaCry propagates using EternalBlue, an exploit of Windows’ Server Message Block (SMB) protocol. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) had discovered the vulnerability in the past, but used it to create an exploit for its own offensive work, rather than report it to Microsoft.[22][23] It was only when the existence of this vulnerability was revealed by The Shadow Brokers that Microsoft became aware of the issue,[24] and issued a “critical” security patch on 14 March 2017 to remove the underlying vulnerability on supported versions of Windows, though many organizations had not yet applied it.[25]

The thing is, there’s way more that was in the Shadow Brokers dump and the hits keep coming. CVE-2017-7494 came out May 30th, 2017. This affects “SAMBA”, which is the implementation of the Windows Server Message Block protocol for Linux. I expect a decent chunk of my readership, at least of what’s left since I haven’t written in a year, just went “What!?” It’s at this point I’m going to try to break it down Barney style, ask questions in the comments.

The Windows SMB protocol is how Windows does file sharing.  So when you type something like \mymachinename\ and you see a list of folders available, it’s making use of that protocol. This protocol is also  implemented for Linux that allows you to have a Linux server serving files for Windows machines.

So before I get too much further lets talk about these exploits.  Including a very recent CVE-2017-8543 that was patched Tuesday June 13th. All of them through various methods allowed for whats called “Unauthenticated Remote Code Execution.” The scary thing about 8543 is that it is a zero day, which means that it was found being actively exploited in the wild before the release of the patch.

Logo via Softpedia.

What does that mean, someone, anyone, could cause the end point service to execute arbitrary code sent to it. This wasn’t intentional, that is what makes this an exploit. Someone found a bug that causes the service to behave in this way.  What does that really mean though? It means anyone can send a carefully crafted message to your computer that will make it does whatever they want, including encrypting your data to deny you access.

What does this mean?

So, I hear many of you saying, “Well I have Windows not Linux so I’m good just applying the Microsoft patches right?” This is where I scare the crap out of everyone.

Embedded Linux is used almost everywhere, from cell phones, to ATMs, Network Attached Storage, to the common home wireless router. The good news is really old routers didn’t really offer this as a feature, the bad news is starting around 2013 routers started shipping with USB and eSATA ports so one could connect an external hard drive and share it across the network. It basically was a feature that allowed people to quickly deploy a NAS.

Image via Bob McKay

These embedded devices are all using the SAMBA service as they’re running embedded Linux. It’s worth noting the vulnerability exists going all the way back to March 1st of 2010. So basically any and every router with these features is affected. Going a step further every NAS (Network Attached Storage) device on the market is likewise affected.

So the devices have a software bug, which allows arbitrary code execution which can result in the following:

  • Denial of access to data. It’s encrypted and only decrypted, if they feel like it, after you pay them a ransom.
    • Do NOT pay the ransom. There is no escrow and thus no guarantee you will actually recover your data.
  • Exfiltration of data. Someone searches through your data, saves what they can make money from. Could be IP theft or blackmail.

But it’s a software bug, we just need to get the patch from the manufacturer and life is going to be good right?

The Rub

Image from PCWorld.com

Most of these devices aren’t being updated anymore. That is to say, manufacturers will most likely not be releasing an update to patch this issue if the device is more than a year old.

I’ve got a very nice WRT-1900AC.  The last firmware update was in the middle of 2015. It has features that fall under this and tools show it is vulnerable to the exploit. Let me put this another way. My 300 dollar router, yes that’s what it cost when I bought it, got updates for a year and was then out of service and now critical bugs are being found and left unfixed by the vendor.

Unlike Windows and WannaCry, manufacturers of these devices will leave users vulnerable. Worse, removing them from the network will remove one of the more beneficial features, Network Attached Storage. In the case of routers, these devices are often placed on the border between a users private network and the internet so they are exposed to malicious traffic.

Ideally the router does not present the SMB interface to the internet, however this isn’t to say malicious packets will not find their way into the interior network from the internet if other issues are found with the router. At which point the router will fall victim.

It gets worse…

While working on this post an article came out over at SearchSecurity, discussing CherryBlossom. This was a project by the CIA to attack router security issues including a lack of firmware validation.

“On the enterprise side, the big router manufacturers have offered validation of signed firmware for quite some time. The problem is that it’s not enabled by default for the most part, and it requires that a network admin actually go and do something,” Kuzma told SearchSecurity. “Both the Cisco and Juniper tools rely on MD5 hashes. MD5 is broken as a hashing algorithm, with several known and feasible techniques for generating identical hashes from wildly different binary content.”

Image from Fossbytes.

So this isn’t event just a commercial issue but even an enterprise level issue. Firmware can be updated remotely, over wireless in many cases and has no validation of the code being installed as being from the vendor. Additionally the router provides a fantastic vantage point for an attacker. He can sit in the middle and analyze all your traffic undetected.

It’s like climbing to the top of a peak overlooking a valley. You can see everything from the vantage point.  Not only see in this case, because the router can redirect and alter your traffic to do even more.

So What Do We Do?

First, maintain an offline backup of all your data. Grab a hard drive, copy your important files on to it, and update it periodically.  Do NOT leave it connected to your computer or network. Doing so will leave you vulnerable if something does get in. Plan on when, not if, someone gets in and locks up your data.

Part of this also stems from a “Jack of All Trades” view of equipment in the consumer space and improper defaults in the enterprise space. Really, who wants to buy multiple pieces of equipment and who wants to take the extra steps in configuration?

The problem is in the consumer space ongoing maintenance and support of products is nonexistent.  In the enterprise IT space there are products that are undergoing long-term use and support. Hardware that is often used is basically a mini computer and the router software and firewall is like installing an operating system.

This is where I say something I hate. Because honestly I prefer the easy route for anyone and everyone. It needs to be trivial for a user to do. The problem is this route is leading us down a horrible path because manufacturers are not maintaining their equipment for that path to work.

What’s that mean? You need to actually build a proper firewall appliance and use if for your network. I’m going to write-up a multi part series how-to with instructions. There are a bunch of hardware options, which in itself can lead to the paralysis of analysis. My goal through this is to give a guide of hardware and software to put you in a position you can easily succeed.

The thing is, that’s just bare hardware. It’s dumb, doesn’t do anything, and still needs software and a configuration to run.  So what should you use to protect your network.  Currently the desired guard dog is pFsense.  This takes some work to set up and configure, but in the end will last longer, will be better maintained, and protect your data more reliably.

Over the next couple weeks I will be writing up a how-to on deployment and  looking at creating a default deployment image for that hardware if possible. My hardware choice is slightly different, not because that hardware isn’t good, it’s because I’m doing some advanced deployment for my network.

OpenWRT/DD-WRT are both options as well but there’s a few issues. One they don’t solve the secure update problem seen in Cheery Blossom.  You will still need to disable and remove the mass storage features of the router. While one could look at this you’re also going to no longer use the router as a router but merely an access point.

Depending however on the capabilities of the router, you can do advanced things within your network which still will leverage those capabilities. Ideally though you would still update your router software to OpenWRT/DD-WRT to deal with the exploit, but there can still be a lag or lack of support for your router by either of these solutions. Not to mention the process can be unforgiving and leave you with a brick.

Conclusion:

If you know a friend who’s into IT and computers, now is a good time to buy a case of beer and invite him over to see if he can help. These issues are only going to get worse, especially since the Shadow Brokers are now charging for exploit dumps. Meaning Blackhat hackers will be buying the exploits and unless some whitehats also buy them, which is funding criminal enterprise, we will not know what exploits are in the wild until the malware hits.

Putting multiple eggs into the same basket is becoming more and more risky and we need to start diversifying and looking at using the best tools to protect critical assets. The last thing we want to do is combine the defensive position with the material we’re trying to defend.

This is going to get worse, defense is going to get harder, and the time to start building your earthworks and redoubts is now.

Update on Simplisafe….

A couple of years ago I wrote this piece warning about snake oil in sales pitches.  I wasn’t able to get my hands on the hardware to do my test but I knew there were most likely going to be serious flaws. I had stated I was more than willing to do an analysis for free if sent a sample product. Honestly I kind of wish I had bought one, because this shit is gold:

It appears SimpliSafe’s systems send messages unencrypted in the clear over the air. That means it’s trivial to send spoofed sensor readings – such as back-door closed – to fool alarm control boxes into thinking no break-in is happening, and replay PIN codes from keypads to activate or deactivate security systems.

blink This shit’s a joke right? An honest to god joke. This is so blatantly bad it is obvious someone made a proof of concept and then shipped it as a product.

The only thing that is worse is their canned response to the problem:

Thanks for writing in.
Please read this information below there hasn’t been any cases or situations.

Good freaking god, that’s as bad as the incident I had with Dreamhost.

If you have Simplisafe, ditch it. You’re keys are being broadcast to the world.

 

Quote of the Day – Tim Cook (2/17/2016)

While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.

Tim Cook – A Message to Our Customers

February 16, 2016


[First, go read the whole thing; all of it. There are different things that can be used for quotes, but that final line says it all.

If you’re having trouble understanding why they wouldn’t help the government there’s a couple different things going on here. If you read their security document for iOS there is little that can actually be done. While no one on this side of the fence is supporting the actions of those asshats that shot up a Christmas party the most common argument I’ve seen has been appeal to emotion to catch those that supported them.

Yes, I want to catch them. Then break into their phone!!! Apple is aiding and abetting by not helping. No they’re not because there’s a lot more at stake than just one phone despite the claims by the government. Anything they build can be used against any other iPhone. Not only that, if it falls into the wrong hands it can be used for criminal enterprise.

Tim used the following line as well:

Criminals and bad actors will still encrypt, using tools that are readily available to them.

This is most definitely true. As pointed out to me by Ashley, if you replace the words and shift the subject this reads like letter from the President of the NRA.

I came to the following realization which cements just how important and how right this stance is. What the FBI wants fails the Jews in the Attic test. To think that this will only be used in this one case is naïve and without forethought.  There is no way you will keep a genie like this in the bottle. At some point it’s going to get out and it’s not going be pretty.

Say what you will about Apple, but at least they have the balls to stand up and not just play dead due to an “Appeal to Emotion.” -B ]

 

I’d say I told you so…

But what’s the point? The people who realize that using Javascript for everything is a bad idea don’t need me lecturing them. The people who want to use Javascript for everything couldn’t create a secure system, much less understand the realities of a hostile environment if their life depended on it. Their fandom precedes the ability for critical thinking.

This is why when I read this, this morning;

This impacts Node at the Buffer to UTF8 String conversion and can cause a process to crash. The security concern comes from the fact that a lot of data from outside of an application is delivered to Node via this mechanism which means that users can potentially deliver specially crafted input data that can cause an application to crash when it goes through this path.

I said, “And nothing will change.” At least, as a minor saving grace, HTTP(S) headers do not fall vulnerable to this particular bug, but that’s mainly the headers there is question to the remainder of the processing.

The fact is, nothing is perfect, nothing is fool-proof, and frankly my hate for Javascript is largely due to the people I find who fall over themselves defending it. Does it serve a purpose? Yup, you bet. Is is a hammer that should be used while seeing every problem as a nail? Absolutely NOT.