(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Dystopian corporate surveillance threats today come at us from all directions. Companies offer “always-on” devices that listen for our voice commands, and marketers follow us around the web to create personalized user profiles so they can (maybe) show us ads we’ll actually click. Now marketers have been experimenting with combining those web-based and audio approaches to track consumers in another disturbingly science fictional way: with audio signals your phone can hear, but you can’t. And though you probably have no idea that dog whistle marketing is going on, researchers are already offering ways to protect yourself.

The technology, called ultrasonic cross-device tracking, embeds high-frequency tones that are inaudible to humans in advertisements, web pages, and even physical locations like retail stores. These ultrasound “beacons” emit their audio sequences with speakers, and almost any device microphone—like those accessed by an app on a smartphone or tablet—can detect the signal and start to put together a picture of what ads you’ve seen, what sites you’ve perused, and even where you’ve been. Now that you’re sufficiently concerned, the good news is that at the Black Hat Europe security conference on Thursday, a group based at University of California, Santa Barbara will present an Android patch and a Chrome extension that give consumers more control over the transmission and receipt of ultrasonic pitches on their devices.

Beyond the abstract creep factor of ultrasonic tracking, the larger worry about the technology is that it requires giving an app the ability to listen to everything around you, says Vasilios Mavroudis, a privacy and security researcher at University College London who worked on the research being presented at Black Hat. “The bad thing is that if you’re a company that wants to provide ultrasound tracking there is no other way to do it currently, you have to use the microphone,” says Mavroudis. “So you will be what we call ‘over-privileged,’ because you don’t need access to audible sounds but you have to get them.”

One characteristic of many of the telnet exploits we have seen over the last few years has been the transmission of malware using echo commands. Even the recent versions of Mirai used this trick. Reconstructing the malware from packet captures can be a bit tricky, in particular if you are trying to automate the process. So here is what I have been doing for my honeypot DVR:

First of all, the DVR is connected to a remote controlled power outlet, to make it easy to reboot it as needed. I do use a shell script to reboot the DVR after it gets infected.

Next, I run snort to alert me that the honeypot got infected again. I don't trigger on the initial compromise, but on the outbound telnet scans, which usually start once the exploit completes. The signature I am using ($HONEYPOTIP is a variable holding the DVR's address, defined in snort.conf):

alert tcp $HONEYPOTIP any -> any 23 (msg:"MIRAI";)

I just run snort like this:

snort -c ./snort.conf -A console -N -q -i eth0

Once it starts flooding the terminal with alerts, it is time to reboot (I haven't automated that part yet... soon). In addition, I run a full packet capture of all traffic going to/from the DVR.

Once the honeypot is compromised (usually every 15 minutes or less), I take the packet capture and run it through tcpflow.

tcpflow extracts all TCP sessions and reassembles the payloads. The only step left is to extract the transmitted files. To do this, I wrote a little perl script: just pipe the telnet session files to it, and it will extract the malware. You can find it, along with other tools and samples, here: https://github.com/jullrich/dvrxploits

The current script is in a "works for me" state. It will not work if multiple files are transmitted at the same time. For example:

echo -en "\x...." >> file1
echo -en "\x..." >> file2
echo -en "\x..." >> file1

Interleaving of echo statements like this is something I haven't seen so far, but it wouldn't be hard to adjust the script to deal with it.
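As an added illustration of the reconstruction step (this is not the dvrxploits perl script, but example code written for this page), here is a Python version that reads the client-to-server side of a tcpflow-reassembled telnet session and rebuilds every file written with echo. It keeps one buffer per target name, so the interleaved case described above is handled; the embedded session text is constructed for the example, not taken from a real capture.

```python
#!/usr/bin/env python3
"""Rebuild files pushed over telnet via `echo -en "\\x.." >> file` (added example)."""
import re
import sys
from collections import defaultdict

# Constructed sample of a tcpflow client->server telnet flow; not a real capture.
SAMPLE_SESSION = (
    b"cd /tmp\r\n"
    b'echo -en "\\x7f\\x45\\x4c\\x46" > upnp\r\n'          # first file, truncating redirect
    b'echo -en "\\x01\\x01\\x01" > dvrHelper\r\n'           # second file starts, interleaved
    b'echo -en "\\x01\\x01\\x00\\x00" >> upnp\r\n'          # back to the first file
    b"echo -en '\\x02\\x00\\x28\\x00' >> dvrHelper; chmod 777 dvrHelper\r\n"
)

# echo <flags> <quoted or bare payload> > or >> <target>; target stops at ; | & or whitespace
ECHO_RE = re.compile(
    rb'echo\s+-(?P<flags>[a-zA-Z]+)\s+(?P<q>["\']?)(?P<payload>.*?)(?P=q)'
    rb'\s*(?P<redir>>>?)\s*(?P<target>[^\s;|&]+)'
)


def decode_echo_payload(payload: bytes) -> bytes:
    """Expand the escapes `echo -e` would expand: \\xHH and \\\\; everything else passes through."""
    out, i = bytearray(), 0
    while i < len(payload):
        if payload[i:i + 2] == b"\\x" and re.fullmatch(rb"[0-9a-fA-F]{2}", payload[i + 2:i + 4]):
            out.append(int(payload[i + 2:i + 4], 16))
            i += 4
        elif payload[i:i + 2] == b"\\\\":
            out.append(0x5C)
            i += 2
        else:
            out.append(payload[i])
            i += 1
    return bytes(out)


def extract_files(session: bytes) -> dict:
    """Return {target name: reconstructed bytes}. `>` truncates the buffer, `>>` appends."""
    files = defaultdict(bytearray)
    for m in ECHO_RE.finditer(session):
        data = m.group("payload")
        if b"e" in m.group("flags"):          # without -e the \x text is written literally
            data = decode_echo_payload(data)
        if m.group("redir") == b">":
            files[m.group("target")] = bytearray()
        files[m.group("target")].extend(data)
    return {name: bytes(buf) for name, buf in files.items()}


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SESSION
    for name, data in extract_files(raw).items():
        out = "extracted_" + name.decode("ascii", "replace").replace("/", "_")
        with open(out, "wb") as fh:
            fh.write(data)
        print(out, len(data), "bytes, ELF header:", data.startswith(b"\x7fELF"))
```

Run it with the path of a tcpflow output file as the only argument; with no argument it processes the constructed sample and writes extracted_upnp and extracted_dvrHelper to the current directory.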

Johannes B. Ullrich, Ph.D.

Julian Oliver has for years harbored a strange obsession with spotting poorly disguised cellphone towers, those massive roadside antennae draped in fake palm fronds to impersonate a tree, or even hidden as spoofed lamp posts and flag poles. The incognito base stations gave him another, more mischievous idea. What about a far better-disguised cell tower that could sit anonymously in an office, invisibly hijacking cellphone conversations and texts?

Earlier this week, the Berlin-based hacker-artist unveiled the result: An entirely boring-looking Hewlett Packard printer that also secretly functions as a rogue GSM cell base station, tricking your phone into connecting to it rather than your phone carrier’s tower, effectively intercepting your calls and text messages.

“For quite some time I’ve had an interest in this bizarre uncanny design practice of disguising cell towers as other things like trees,” says Oliver. “So I decided to build one into a printer, the most ubiquitous of indoor flora, and have it actually antagonize people’s implicit trust in these technologies.”
