Digital Carelessness – a disease without a chance of cure

12 August 2018

Two messages this week showed that there is no cure in sight for the fatal disease called digital carelessness.

ONE: Two remote code execution (RCE) vulnerabilities found in certain HP Inkjet printers (1).

CVE-2018-5924: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2018-5925: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This sort of vulnerabilities is particularly popular in the cyber crime scene because they are network exploitable (Attack Vector AV:Network), attack complexity is low (AC:L), no privileges required (PR:None) and no user interaction is required (Ui:None).

Under normal conditions, Inkjet printers are operated inside the company network. Thus there is no need to enter into panic mode because the vulnerability can not be exploited from the internet.

Unfortunately, some HP Inkjet printers are, for whatever reason, accessible from the internet. A Shodan search reveals that 539 HP DesignJet printers are directly connected to the internet. One of the vulnerable printer models is the HP DesignJet T520 24-in ePrinter, Product number CQ890A, Firmware version 1829B. For a complete list of the affected printers please see the HP Security Bulletin HPSBHF03589 (2).

HP DesignJet T520 Map

HP DesignJet T520 Map. Click to enlarge.

As of today, 79 printers of this type are directly attached to the internet. Some of them are ready for printing and with this prone to CVE-2018-5924 or CVE-2018-5925 because the HP JetDirect Line Printer Daemon port 515 is open.

But why should an attacker exploit these RCE vulnerabilities if he can hijack the printer because basic security is not configured?

HP advised its customers to update the firmware of the affected printers as soon as possible. This is the best opportunity

  • to configure basis security,
  • to eliminate the http protocol, and
  • to close unnecessary open ports.

TWO: TSMC Chip Maker Blames WannaCry Malware for Production Halt

Taiwan Semiconductor Manufacturing Company (TSMC), the world’s largest makers of semiconductors and processors, was hit by a variant of the WannaCry ransomware last week. According to TSMC, its computer systems were not directly attacked, but instead, were exposed to the malware when a supplier installed corrupted software without a virus scan.

“We are surprised and shocked,” TSMC CEO C.C. Wei said, “We have installed tens of thousands of tools before, and this is the first time this happened. (3)

It doesn’t matter how often installations went well in the past. It’s always the next installation that counts.

Have a good week.


  1. Zorz Z. HP plugs critical RCE flaws in InkJet printers [Internet]. Help Net Security. 2018 [cited 2018 Aug 6]. Available from: https://www.helpnetsecurity.com/2018/08/06/hp-inkjet-printer-vulnerabilities/
  2. HP Customer Support. HPSBHF03589 rev. 2 – HP Ink Printers Remote Code Execution. 2018 [cited 2018 Aug 6]. Available from: https://support.hp.com/us-en/document/c06097712
  3. Wu D. iPhone Chipmaker Blames WannaCry Variant for Plant Closures. Bloomberg.com [Internet]. 2018 Aug 6 [cited 2018 Aug 12]; Available from: https://www.bloomberg.com/news/articles/2018-08-06/iphone-chipmaker-blames-wannacry-variant-for-plant-closures
Advertisements

Chrome’s new Site Isolation feature protects users from the Spectre vulnerability

14 July 2018

Spectre

Spectre

A new variant Spectre V1.1 (1) was published on July, 10 2018 by Vladimir Kiriansky and Carl Waldspurger. The vulnerability is tracked in CVE-2018-3693 (2). The good news is that the CVSS V3 score is 5.6 (Medium) with attack vector Local.

As with the original Spectre vulnerability CVE-2017-5753 (3) published in January 2018 the greatest risk for business users and consumers bears in malicious websites weaponized with drive-by downloads or viruses (4) using the Spectre POC code.

The virus issue is easy to mitigate. The inbuilt auto-update feature of anti-malware solutions ensures that the latest pattern updates are available within few hours after a virus shows up in the wild.

But the internet issue is much harder to solve, in particular for consumers and SME. Fortunately, Goggle announced on July 11, 2018 a new feature Site Isolation for the Chrome browser that mitigates the risk borne from the Spectre vulnerability.

Chrome is based on a multi-process architecture. Different tabs are rendered by different renderer processes. With site isolation enabled, cross-site iframes are rendered in different processes than the parent frame and data exchange between the parent and the iframe processes is blocked. For a technical overview see Charlie Reis’s post ‘Mitigating Spectre with Site Isolation in Chrome’ (5). Further details are available from the Chromium Projects (6).

Site Isolation is available since Chrome 67. Input chrome://flags/#enable-site-per-process to check if the feature is enabled:

Chromium Strict Site Isolation Feature

Chromium Strict Site Isolation Feature

If you use an older version of Chrome Site Isolation is the best opportunity to update to the latest version.

Have a great weekend.


  1. Beltov M. CVE-2018-3693: New Spectre 1.1 Vulnerability Emerges [Internet]. SensorsTechForum. 2018 [cited 2018 Jul 14]. Available from: https://sensorstechforum.com/cve-2018-3693-new-spectre-1-1-vulnerability-emerges/
  2. CVE-2018-3693 Detail [Internet]. NIST NVD. 2018 [cited 2018 Jul 14]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-3693
  3. CVE-2017-5753 Detail [Internet]. NIST NVD. 2018 [cited 2018 Jul 14]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2017-5753
  4. FortiGuard SE Team. Meltdown/Spectre Update [Internet]. Fortinet Blog. 2018 [cited 2018 Jul 14]. Available from: https://www.fortinet.com/blog/threat-research/the-exponential-growth-of-detected-malware-targeted-at-meltdown-and-spectre.html
  5. Reis C. Mitigating Spectre with Site Isolation in Chrome [Internet]. Google Online Security Blog. 2018 [cited 2018 Jul 14]. Available from: https://security.googleblog.com/2018/07/mitigating-spectre-with-site-isolation.html
  6. The Chromium Projects. Site Isolation – The Chromium Projects [Internet]. [cited 2018 Jul 14]. Available from: https://www.chromium.org/Home/chromium-security/site-isolation

Windows 2008 Server End of Life: The best chance to move to the cloud

30 June 2018

Windows 2008 Server End of Life is near. Within the next months many companies are busy with the replacement of Windows 2008 based infrastructure and application servers to avoid the next Wannacry or NotPetya.

It appears to me that this is the best opportunity to migrate at least application servers to the cloud. And, in the best case, to get rid of the servers at all by transforming the application to SAAS. If technical or the organizational limitations do not allow this at least the transformation to PAAS and IAAS should be considered.

What stops us from doing this? Very often it is the fear of loss of access to critical business data or the fear of loss of the data at all. At least in the latter case technical protection measures can be applied to mitigate this issue.

Transparent database encryption

Transparent database encryption (TDE) is often the matter of choice. All encryption is performed transparently by the database service, with no impact on the application and the users because only the database files or critical attributes in tables are encrypted. User interaction is required only during database startup to activate the encryption engine.

Unfortunately, TDE provides only encryption at rest. Thus TDE stops infrastructure admins from using unauthorized copies of a database or a virtual database server because they cannot activate the encryption engine. Once the database is started all users and database administrators have access.

Application level encryption

With Application level encryption (ALE) all encryption is performed by the application. Data is encrypted when entered in or retrieved through the application. Thus data is encrypted during transfer and at rest.

As long as the access is not routed through the application server the data are accessible for no one. Even infrastructure or database admins are barred unless they have access to the encryption key.

The security problem is shifted towards that of operational security of the application server. A solution to this problem could be to encrypt the data in the database with a key that is encrypted against the users access keys. This ensures that the encrypted data cannot be decrypted without access to at least one users key.

The remaining risk is that an attacker reads the keys or the plain text data from the process memory of the application service.

The effort to implement application level encryption is high because the application has to be changed. In addition, a key infrastructure must be set up to avoid data loss in the case a user key is e.g. inaccessible. But the gain in information and operational security is high.

The pros and cons of the encryption concepts in summary.

Table 1: Database Encryption Concepts Summary

Table 1: Database Encryption Concepts Summary

With Application Level Encryption, outsourcing or cloud adoption is made easy.

Have a good weekend.

What can we learn from the latest hack on an U.S. Navy contractor?

17 June 2018

Report “China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare” (1) published on 8 June 2018 in the Washington Post is really worth reading.

Attacks on the supply chain have become more common in recent years. Contractors are e.g. used as gateways to the customer network or customer information is exfiltrated from the contractors network.

The latter is the case here. The product development is outsourced. The information required for product development is available only in the contractors network and, in the worst case, remains there after handover to the customer.

Under normal conditions this is not critical. But when it comes to national security matters, e.g. in product development for defense agencies or for critical infrastructures, this may end in a catastrophe.

Picture credits: Wikimedia

In such cases proper classification of the information handed over to and created by the contractor is of crucial need. Since many contractors run an information security management system, the selection of protective measures is based upon the proper classification.

At least 614 GB of data were obviously not properly classified since “highly sensitive data related to undersea warfare” was stolen from the contractor’s unclassified network.

It is always good to remember Aristotle’s proverb “The whole is greater than the sum of its parts” when it comes to classification of information.

Have a great week.


1. Nakashima E, Sonne P. China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare. Washington Post [Internet]. 2018 Jun 8 [cited 2018 Jun 16]; Available from: https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html

Blockchain unchained?

3 June 2018

Blockchain technology is a digital platform for applications where seamless traceability and full transparency is required.

For example, in pharmaceutical industry blockchain could give full traceability of drugs across the entire supply chain up to the patients.

Another interesting application is mobile voting. From the Brookings publication “How blockchain could improve election transparency” (1) on the use of blockchain for internet voting in the West Virginia primaries in May this year we learn that “all data of the election process can be recorded on a publicly verifiable ledger while maintaining the anonymity of voters, with results available instantly”.

This sounds very promising.

Blockchain Grid

Picture By Davidstankiewicz, for details see below (5)

Unfortunately, every software has bugs. On May 28th, 2018 Swati Khandelwal reported in “The Hacker News” about a remote code execution (RCE) vulnerability in the blockchain-based EOS smart contract system (2).

If an attacker exploits this RCE he could destroy the integrity of the entire system:

“Since the super node system can be controlled, the researchers said the attackers can “do whatever they want,” including, controlling the virtual currency transactions, and acquiring other financial and privacy data in the EOS network participating node systems, such as an exchange Digital currency, the user’s key stored in the wallet, key user profiles, privacy data, and much more.”

Although it is not clear whether the voting system used in West Virginia is based on the Blockchain 3.0 platform there is urgent need for action. EOSIO set up a bug bounty program (3) to improve their code. But should we rely on bug bounty programs for such important issues like elections or patient safety?

From the Qihoo 360 security researchers report (4) we learn that the vulnerability is created by “a buffer out-of-bounds write” error. This means that this vulnerability could have been avoided by performing a static code analysis prior to release.

The big question is: How many errors of this type are still included in the blockchain infrastructure? A bug bounty program is a good approach to improve security, a static code analysis is indispensable in my view. In particular when the outcome of an election can be influenced or patient safety is endangered.

Have a great week.


References

1. Desouza KC, Somvanshi KK. How blockchain could improve election transparency [Internet]. Brookings. 2018 [cited 2018 Jun 1]. Available from: https://www.brookings.edu/blog/techtank/2018/05/30/how-blockchain-could-improve-election-transparency/

2. Khandelwal S. Critical RCE Flaw Discovered in Blockchain-Based EOS Smart Contract System [Internet]. The Hacker News. 2018 [cited 2018 Jun 1]. Available from: https://thehackernews.com/2018/05/eos-blockchain-smart-contract.html

3. eosio. Calling all Devs: The EOSIO Bug Bounty Program is Live [Internet]. Medium. 2018 [cited 2018 Jun 3]. Available from: https://medium.com/eosio/calling-all-devs-the-eosio-bug-bounty-program-is-live-7219c625a444

4. Chen Y, Peng Z. EOS Node Remote Code Execution Vulnerability — EOS WASM Contract Function Table Array Out of Bounds – 奇虎360技术博客 [Internet]. 2018 [cited 2018 Jun 1]. Available from: http://blogs.360.cn/blog/eos-node-remote-code-execution-vulnerability/

Picture Credits

5. By Davidstankiewicz [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)%5D, from Wikimedia Commons

Some thoughts on “Protecting against ransomware using PCI DSS and other hardening standards”

20 May 2018

Post “Protecting against ransomware using PCI DSS and other hardening standards” (1) published this week by Paul Norris in SC Media UK is really worth reading. Hardening is a proven method to reduce the attack surface of a computer network. If well done, the spreading of ransomware and thus the impact on an organization can be limited.

Hardening, patching, etc. serve a common goal in cyber war: Describing the limits of conflict. Everett Dolman writes in chapter 5 of “Pure Strategy: Power and Principle in the Space and Information Age” (2):

“Tactical thinkers seek to define and describe situations. Decision-making in real-time tactical mode requires it. The more knowledge of the limits to conflict, the more creatively the tactical genius can deploy, maneuver, and engage forces. Knowing completely what cannot be done allows for an investigation what can be done.”

Hardening, patching, etc. decrease the number of options / attack vectors an attacker can use for getting on and exploring a network. IT security groups can then focus on the remaining attack vectors, and prepare for the unknown.

Let me give two examples to illustrate this.

  1. If all external storage devices are technically blocked in your organization an attacker cannot use them for delivery of weaponized documents. Furthermore, if users have no chance to change this your IT security group can focus on investigating other attack vectors.

  2. If you implemented the measures for mitigation of high and medium risk findings described in the DoD “Windows 7 Security Technical Implementation Guide” (3) you can be sure that attacks based on bypassing UAC to get elevated privileges are no longer possible.

But be aware that the attacker also knows what cannot be done after a standard is implemented…

Have a great week.


  1. Norris P. Protecting against ransomware using PCI DSS and other hardening standards [Internet]. SC Media UK. 2018 [cited 2018 May 20]. Available from: https://www.scmagazineuk.com/opinion/protecting-against-ransomware-using-pci-dss-and-other-hardening-standards/article/761956/

  2. Dolman EC. Pure Strategy: Power and Principle in the Space and Information Age [Internet]. Taylor & Francis; 2004. (Strategy and History)

  3. Department of Defense. Windows 7 Security Technical Implementation Guide [Internet]. STIG Viewer | Unified Compliance Framework®. 2017 [cited 2018 May 20]. Available from: https://www.stigviewer.com/stig/windows_7/

Two-factor authentication hackable?

13 May 2018

Report “Two-factor authentication hackable” (1) published by Doug Olenick’ on May 10, 2018 at SC Media US is really frightening.

Two-factor authentication (TFA) is a great means to secure users of web services against phishing attacks. I’m aware that TFA with SMS or authenticator apps is not 100% secure because the login is not bound to the service, which means that TFA is prone to Man-in-the-Middle attacks. But the title of the report suggests that TFA is no longer secure at all.

A closer look at the report shows that Doug Olenick describes a Man-in-the-Middle attack initiated by a fake URL in an e-mail. The URL points to a web services which acts as a proxy for LinkedIn in this case. The proxy collects the users account details and the session cookie. Since the session cookie contains all details required to login to LinkedIn the attacker can hijack the users account without being requested of the password and the second factor.

For details about the attack see Kuba Gretzky’s post “Evilginx – Advanced Phishing with Two-factor Authentication Bypass” (2).

What can we learn from these reports?

TFA is vulnerable against phishing and Man-in-the-Middle attacks. User awareness and anti-phishing training become not obsolete once TFA with authenticator app or SMS is rolled out in an organization.

Although TFA is vulnerable this should not stop you from implementing TFA.

FIDO U2F Key (6)

FIDO U2F Key (6)

If you want to get it right the first time implement TFA with hardware keys, e.g. FIDO U2F keys. With hardware keys the user login is bound to the original service, which means that only the real site can authenticate with the service. For details see the FIDO alliance (3) homepage or the Yubico (4) homepage. For a great user story see report “Google Eliminates Account Takeover with the YubiKey” (5).

Have a great week.


  1. Olenick D. Two-factor authentication hackable [Internet]. SC Media US. 2018 [cited 2018 May 13]. Available from: https://www.scmagazine.com/network-security/two-factor-authentication-hackable/article/765135/

  2. Gretzky K. Evilginx – Advanced Phishing with Two-factor Authentication Bypass [Internet]. BREAKDEV. 2017 [cited 2018 May 13]. Available from: http://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass

  3. FIDO Alliance. https://fidoalliance.org/ [Internet]. FIDO Alliance. [cited 2018 May 13]. Available from: https://fidoalliance.org/

  4. U2F – FIDO Universal 2nd Factor Authentication [Internet]. Yubico. [cited 2018 May 13]. Available from: https://www.yubico.com/solutions/fido-u2f/

  5. Yubico.com. Google Eliminates Account Takeover with the YubiKey [Internet]. Yubico. [cited 2018 May 13]. Available from: https://www.yubico.com/about/reference-customers/google/

  6. Picture Credits: Amazon.de. [cited 2018 May 13]. Available from: https://www.amazon.de/Yubico-Y-123-FIDO-U2F-Security/dp/B00NLKA0D8