I’m more in #ShellShock about the speed of the attackers !

If you haven’t caught up with it yet, there is a vulnerability out there which is quite a serious one.

What’s gone wrong now ?

If you have Linux, Unix or Mac OS X then you need to keep your eyes out for updates … and then learn how to test them for vulnerabilities !

 

So this is the issue … Bash. It’s in all the languages above and this is the problem with it :

I’ve given you a couple of links so you can get some breadth on the issue …

  1. Troy Hunt (LINK)
  2. Threatpost (LINK)
  3. CVE-2014-6271 (LINK)
  4. Akamai (LINK)

Well, am I affected ?

So yeah – that’s a biggie hey ?

Plenty of vendors have jumped on the scanner side of things to see if you are vulnerable :

  1. Errata Security (LINK)
  2. WebSecurify (LINK)
  3. Nessus (LINK)

Please note – you should use any tools you find on the internet with caution … only choose those you know or have been recommended by a competent security professional.

 

OK, you’ve probably ran that and found you are vulnerable. Yep, bad times ahead, I’m afraid. For those with multiple systems, it’s going to be a long night in the office.

Woah, so how do I fix it ?

Well it looks as simple as running update manager

  1. Update Manager (LINK)
  2. Ubuntu (LINK)
  3. Command line : apt-get update; apt-get upgrade; (Thanks to Matthew Pettitt for that ! LINK)

But … you said !

Disclaimer – this may fix this bug but could break everything that you were running, there may be a reboot and you never see your system again … backups please ladies and gents …. backups and test restores please.

OK, I’m still alive – now what ?

Test again … yes that’s right, check it’s been applied properly. (see section above !)

Phew, no problems here then !

Well not quite …

There is this bypass to look at :

bypass #shellshock patch: X='() { (a)=>\’ bash -c “echo date” creates ./echo with contents of `date` output

 

Oh and also – keep an eye out for the bots that have been trying to gain access for the last 24 hours !

  • What ?!! there’s already an active bot for this ?!! (LINK)
  • Yeah – there’s also this reverse shell too (LINK)
  • Oh and this daemon that reboots machines (LINK)

And is that it ?

Well essentially yes for now but keep a lookout on Twitter as there is sure going to be some big problems ahead which may be coming as a result of this. If you aren’t sure then go get some help … it’ll be on the news shortly so your boss will be OK by then to talk to you about it and will understand it. If you need a quick analogy … tell him we’re screwed and you’re going to resign. It’s easier than trying to fight the management team to try to get it fixed !!

 

The take away :

As technology becomes more pervasive and integrated into our lives and as some systems come to the fore, so the patching of those technologies has to be thought about. In this situation there are going to be some systems which simply cannot be patched. There will be some embedded systems, legacy Unix boxes etc which simply will not be able to be updated. The criminals were able to create an exploitive bot within hours while we were still warming up the PR departments to draft a catchy logo and first blog. The attackers yet again beat us. Add in to the mix the TVs, routers, medical equipment, SCADA systems and other devices yet to be discovered, we’re in for a bumpy ride – make sure you do your bit to keep the internet safe.

Advertisements

Underground, overground, travelling free !

So the Tube – the London Underground is going NFC for payment transactions then … [LINK] … can you see the weakness here ?

We’ve had Oyster cards for some time now in London as a means to pay at the turnstiles to travel on the London networks – bus, Underground etc. I assume some contractual issues came in to play and the scheme was moved to a new contactless system. I noted that the tech at the turnstiles appeared to not change which indicated that the readers stayed the same but perhaps the software behind the system did change.

 

So we have a NFC reader and a piece of software to read those NFC chips to authenticate that the code being presented indeed is for a valid card.

I also noted a conversation with First Group commercial director in Manchester during 2013 when they were talking about trialling contactless payment systems.

This is definitely pointing to a payment on the device environment coming up for the UK. I kind of support it as it is rare I don’t go out without my device .. but often that I forget to take my travel card !

 

I have a Samsung i9100P specifically for its NFC chip – I see NFC in several devices and with the announcement of the iPhone 6 – I see it also features NFC. The good news is that it can allow micro-payments not only from your bank but also against your phone provider which means you can use a variety of accounts. Massive benefits to the consumer – I can see its adoption.

I also see the criminals rubbing their hands in glee. How many bus drivers will be checking that the app you pay for the journey with is the genuine one ?

 

In the London Underground with good connectivity, they could probably spot the fake NFC payment coming in and block you going through the turnstiles but on a vehicle such as a bus or unmanned station – I can see fake apps springing up to allow you to reset your “payment card” to get free journeys.

I found this link some time ago [LINK] and yes indeed San Francisco has had this problem with a weakness in the NFC cards allowing them to be tinkered with.

 

But this is now 2 years later – with a rooted Android phone I can see NFC becoming an interesting new vector for attack … I wonder if anyone is :

  1. looking at it (vendor, supplier and corporate)
  2. thinking about it at a coding level at the vendor
  3. working out the legals of what is involved – is it illegal ? What are the laws around this ?

 

An interesting subject that I think could grow especially with iPay from Apple also.

 

*UPDATE

And as if by magic comes news that Subway restaurants are going NFC also (LINK). Interestingly here is that iPay won’t be accepted yet … I guess they’re waiting for trusted security to be proven.

 

What do you think ?

 

I’m seeking new opportunities

After nearly 3 1/2 years in my previous role, I have decided to move on to find to pastures new.

Security is a personal passion of mine as you may have seen from my Twitter account (@SPCoulson) and I want to now bring security to the doorstep of organisations and help highlight and repair weaknesses, but also demonstrate how they can effectively prevent themselves becoming a victim of crime.

So many organisations spend vast amounts of time, money and resources to create powerful brands and great products but because security is often seen as a barrier to innovation, it only gets added on afterwards, usually in a reactionary way, and rarely implemented well.

Having seen and heard the pain that organisations go through during breaches and compromises, I want to reach out and use my knowledge and expertise to guide organisations to safer and securer times so their people, physical and data assets, and intellectual property are appropriately protected.

If you think you might be able to use my services, or have a position I may be relevant for – please get in touch. I am actively hunting so there is a chance you are on my radar !

As I have a broad set of skills, you may find this list of some guidance :

* Commercial –

Business Development, Business Process Management, Project Management, Process Re-Organisation, Project Build, Market Research, Sector Analysis, Competitor Research,

* Educational –

Training, Coaching & Mentoring, Side-by-Side Coaching, Researcher, Speaker.

* Compliance –

Quality Management, ISO 9001, ISO27001, ISO14001, PAS 2060, Basic PCI

* Security –

Ethical Security Testing, Social Engineering, Penetration Testing, Vulnerability Scanning, Security Professional, Physical Security Design,

* Datacentres –

Datacentre Design, Operation and Security.

[LINK] – Reduced CV for download, full CV available on request

[LINK] – Link to my LinkedIn Profile

 

Get in touch if you think I can help you !

Undersea data – the evidence of the snoop ?

It’s been a while since I put out a blog, but this caught my eye.

This [LINK] interactive graphic shows the undersea cable maps of the world. It’s a really good graphic and is very useful in giving us some intelligence. We’ve seen other graphics of the undersea cable maps [LINK] but this new interactive one can show the cable routes per year.

So how come this important ?

Well, if we look at the Snowden leak info of the NSA PowerPoint screenshots, we can see that most of the dates quoted on these documents are from 2004 onwards. [LINK]

If we also add this intelligence with the time to lay a cable – which is around 100-150km per day [LINK] we can start making projections backwards as to which cables are being used for which projects and where the boosts in investment may have come from. If you fancy having a go and putting projects to cables, feel free to get in touch and I’ll add an update to this blog.

More info about undersea cables [LINK]

 

@SPCoulson

When a bug goes viral.

It was 3pm GMT when a 19-year-old Austrian nicknamed Firo was sending a tweet. There were millions of us tweeting too and his actions were not unusual. As he typed his tweet, he inserted a heart character and noticed that two appeared. Curiosity got the better of him and he started playing with his tweet. His discovery was that he could insert code into his tweet and yet it was only showing his love heart.

 

The thing about Twitter is that it attracts like-minded individuals together. When Firo’s followers received his tweet in Tweetdeck, they got a pop-up box with some text in it. When they re-tweeted it, so did their followers and so we see an initial growth. Firo knows computing, his friends know computing too and their circles are all in the same areas. After 30 minutes, the UK was receiving these curious messages and word was out…

 

XSS in Tweetdeck

 

When the tinkerers saw what they could do with simple script, they had a field day sending funny messages over Twitter. As the Tweets grew, so did the curiosity, Firo was past playing with the bug and the message was spreading. Within 2 hours, Tweetdeck was almost becoming a ghost town as the message sank in…

 

There is an XSS in Tweetdeck

– this is serious.

 

We shut it down, un-linked our Twitter accounts. Two hours after the initial finding of the bug, the users were savvy enough to understand its severity and was protecting itself.

 

Shortly after this was where we saw the self a propagating tweet. Using the same framework, it gave you the pop-up message but you automatically re-tweeted it. When this variant hit the BBC breaking site, 10.1 million followers received that tweet. Any using Tweetdeck automatically re-tweeted it. This was now a dangerous game and Tweetdeck pulled the plug.

A wise move by all accounts, had it been allowed to proliferate, Twitter could have fast become overrun and more harmful code code have been injected into a Tweet. Fingers were pointed to bad programming, the Twitter takeover and yes, I dare say the Governments probably got a finger pointed or two.

Bugs exist in code because we write code. Humans write code. We are not perfect. Bugs are found every day, some are low impact and some critical. A bug is simple to introduce by accident and can lay in some cases for over a decade (OpenSSL).

 

Firo did no wrong, he is a good definition of a hacker, he got curious and worked out what it could do. The media should not demonify him for his actions, in the same way Codenomicon should not be demonified for finding HeartBleed. Firo is a hacker. The media should learn that this is a good thing. He is not a criminal. Someone who finds bugs and has the intent to cause harm is a criminal. We need to separate these terms and this is a perfect opportunity.

 

Well done to the hacker Firo for finding this bug even if it was by accident (as most great discoveries are!).

We must also applaud Tweetdeck for such a fantastic and speedy resolution to the bug fix. I have no idea how many thousand lines of code they had to go through, but they did and they fix it.

I wonder what the next bug will be that is found today ?

I wonder if it will be in an 90s game that if you press IDDQD, IDKFA, IDCLIP ……..

 

Associated articles :
Original article identifying Firo
Doom

XSS and Tweetdeck and the person behind the discovery

So XSS appears to be back in Tweetdeck.

 

I was first alerted when I got this pop-up :

Capture22

My initial reaction was to ask out on Twitter – then I noticed it … every time there was a love heart in someone’s tweet I got a pop-up telling me there was an XSS in Tweetdeck.

 

I did a quick search to try and find the first reference of XSS and Tweetdeck and found https://twitter.com/pixeldesu/status/476744509783822337

After a quick dialogue and a few names .. there it was :

Capture 33

I had a brief chat with @firoxl and it appears that the bug was discovered by accident.

It actually was some sort of accident. ^^

https://twitter.com/firoxl/status/476738843841159168

Capture 44

I was using TweetDeck, suddenly there were 2 hearts.

I made some experiments and discovered that TweetDeck doesn’t escape HTML-chars if there is that Heart in the tweet.

As with all great discoveries – they were done by accident.

At the time of writing, Tweetdeck has now fixed the issue :

https://twitter.com/TweetDeck/status/476763638695743489

Capture55

Where could it have gone to ?

Well – Firo speculates “someone could load some external js-code and build a computer-worm which takes over the accounts of many people… there are many ways this issue can be used to harm someone…”

And there you have it 3:52pm to 5:31pm – bug identified, replicated, proven, fixed and rolled out – not a bad issue fix in the grand scheme of things !

 

Many thanks to everyone who was involved in the making of this blog – especially Firo XI, kudos for helping out.

 

 The FIX :

Log out of Tweetdeck – log back in again !

 

 

 

Digital Freedom – the manifesto is launched

Mikko Hypponen and David Hasselhoff have appeared on stage at re:publica 14 and launched the new Digital Freedom manifesto.

The manifesto is based on 4 points :

  1. Freedom from mass surveillance (target / blanket)
  2. Freedom from digital persecution (privacy in the future)
  3. Freedom from digital colonisation
  4. Freedom of digital access, movement and speech

 

I watched the keynote with interest and have the following thoughts :

Freedom from mass surveillance (target / blanket)

I appreciate that there is a time and place for surveillance. CCTV watches our every move and our internet traffic is scanned for key words. To remove this I believe would be a mistake – but instead, they should be more transparent instead. Go ahead, watch me and scan me … but only if you do something useful with this data to keep me safer. Sure I have secrets and sure, I am aware of what I post … but can you imagine a world where facial recognition does not pick up the criminals ? I think that there is a specific use case for mass surveillance, but it is currently not being handled well and certainly not following the same standard of disclosure globally.

Freedom from digital persecution (privacy in the future)

This I understand and totally support. Right now, May 2014, it is OK to have certain views, prejudices etc, but in 2020, will those standards still hold. Will my old opinion still be the same ? I once thought I was going to be an electrical engineer – that didn’t work out, so why should the opinions I have still hold ANY weight in the future ? We need to isolate a case, sure, look back in history to see if it a long-held opinion, but certainly not to use it to persecute in the future.

Freedom from digital colonisation

The lines between technology and our existence are more blurred than ever. With the Internet of Things, mobile tech etc … we see more intrusion of technology into our lives. And it is just that .. an intrusion. We need to learn to adopt the divide between tech and life. Just because technology exists doesn’t mean we have to shoe-horn it into every day lives – especially if it is to the detriment of our privacy. We all need to learn to have down-days. Non-tech days … and if you don’t know the answer to a problem, instead of Googling it … use this method:

  • Brain – think about it, work out the options and the theory.
  • Book – read it in a book, they are more than paperweights !
  • Buddy – ask a friend, a colleague … the meat space !
  • Boss – ask a person in authority, your boss, a department head, a lecturer, they generally got there by knowing something !

Freedom of digital access, movement and speech

Should I be allowed to write what I want ? What about offending someone or prejudice ? Should I be restricted in what I can/can’t say ? I think this comes down to an old skill that we seem to have forgotten with the advent of technology – the art of common sense. So I would like to introduce you to Gran’s law. Think about an elderly relative (a Grand-parent for example). Now go ahead and type your real feelings about something you feel passionate about. If your Gran were to read it, would she be offended, clip you round the ear, would she be horrified about it … if the answer is yes, then it is probably best to keep it off the internet ! Common sense can save you a lot of conversations later. You should not be thinking about your intended audience but that the internet sees all.

 

What are your thoughts ? Have you posted on the Digital Freedom site ?