
Security Week 49: Second-hand certificates, data theft from children's toys, Microsoft blocks unwanted software

Nothing happened this week. Well, the usual flow of IT security news was there: something got hacked, there was a vulnerability, there was a patch, but without any serious revelations. When I was just starting this weekly digest, it seemed to me there would be plenty of such weeks, but so far, since August, only two have turned out that way: this one and one more. And look what this supposed vacuum consists of:

- A toy manufacturer let the data of millions of customers be stolen: a pile of personal information about children who own smart devices with cameras and other things.
- Thousands of modems, routers and similar devices from many manufacturers use the same certificates and keys for SSH access.
- In the US, the FBI's requests of the kind "give us the data and tell nobody about it" are being vigorously discussed; their details have been made public for the first time since 2001, when this practice was introduced.

Some "nothing", right? Although yes, there were no spectacular hacks, nothing collapsed outright, and that is good. But our experts, summing up the year's most high-profile information security events, see no reduction in activity, rather the opposite. So we will not relax; winter is coming. The usual rules: every week the editors of the news site Threatpost pick the three most significant stories, to which I add an extended and merciless commentary. All episodes of the series can be found by tag.

Thousands of modems, routers and other network devices use the same keys and certificates
News. Original study.

OK, in any other story about router hacking you could also write about thousands of devices, even hundreds of thousands or millions. Every serious vulnerability in mass-market devices that are permanently online can be accompanied by detailed response instructions. Here they are:



Because even the most serious vulnerability, the one the largest number of people learns about, will not change the number of patched devices: there will still be plenty of leaky ones. So what Stefan Viehböck of SEC Consult dug up is even more serious. He analyzed the firmware of more than 4 thousand devices from 70 different manufacturers: network gateways, routers, IP cameras, phones and so on. Keys and certificates for remote access, via SSH or the web console, are hard-coded into the firmware of each such device; the researchers specifically looked for SSH keys and X.509 certificates. Across 4000 devices they found only 580 unique keys. Yes, this means that on some devices the keys are not exactly unique.

Using network scanners, the researchers then went over the Internet and found that keys and certificates from that list are in use on 9% of all HTTPS hosts on the Internet (150 certificates, 3.2 million hosts) and on 6% of SSH hosts (80 keys, 900 thousand hosts). How does that happen?

There are examples. A certificate issued in the name of a Broadcom employee is present in an SDK (apparently for that company's SoC), which is then carried over almost automatically into the firmware of various devices from different manufacturers. On the Internet, that certificate was detected on 480,000 hosts. Another certificate, from Texas Instruments, apparently ended up the same way on 300 thousand devices, together with a static SSH key. What all this threatens is also clear: since the private key ships inside the firmware, anyone who extracts it can run man-in-the-middle attacks, steal passwords and intercept other data. In short, we have found another hole about which it is not very clear what to do, and not even entirely clear where else it might surface.
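The check a practitioner would want after reading this is whether the SSH host keys on their own fleet are actually unique. The script below is an added example, not code from the original article or from the SEC Consult study: it takes scan output in `host keytype base64blob` form (the layout of a known_hosts line or of `ssh-keyscan` output), parses each key blob as SSH wire format, computes the OpenSSH-style SHA256 fingerprint, and groups hosts by fingerprint so that a key baked into a vendor SDK stands out. The scan lines, the 192.0.2.x addresses and the keys themselves are constructed for the example; the RSA modulus is a synthetic number, not a real key.

```python
"""Spot SSH host keys shared across many hosts (added example; sample data is constructed)."""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length + payload."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251)."""
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # keep the number positive in two's complement
        raw = b"\x00" + raw
    return ssh_string(raw)


def parse_ssh_blob(blob: bytes) -> list:
    """Split a public-key blob into its wire-format string fields; reject truncated input."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the format printed by `ssh-keygen -l -E sha256`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_info(keytype: str, blob: bytes) -> str:
    """Describe the key (algorithm and size) and check the blob matches the declared type."""
    fields = parse_ssh_blob(blob)
    if not fields or fields[0] != keytype.encode():
        raise ValueError(f"blob does not contain a {keytype} key")
    if keytype == "ssh-rsa":
        modulus = int.from_bytes(fields[2], "big")  # fields: type, e, n
        return f"RSA {modulus.bit_length()}"
    if keytype == "ssh-ed25519":
        return f"ED25519 {len(fields[1]) * 8}"  # fields: type, 32-byte public key
    return keytype


def find_shared_keys(scan_lines, min_hosts=2):
    """Return {fingerprint: (key description, sorted hosts)} for keys seen on >= min_hosts hosts."""
    hosts_by_fp = defaultdict(set)
    info_by_fp = {}
    for line in scan_lines:
        host, keytype, b64 = line.split()[:3]
        blob = base64.b64decode(b64)
        fp = fingerprint(blob)
        hosts_by_fp[fp].add(host)
        info_by_fp[fp] = key_info(keytype, blob)
    return {fp: (info_by_fp[fp], sorted(hosts))
            for fp, hosts in hosts_by_fp.items() if len(hosts) >= min_hosts}


# --- constructed sample data (synthetic keys, NOT usable key material) ---
def synthetic_rsa_blob(label: bytes) -> bytes:
    """A 2048-bit ssh-rsa blob with a made-up modulus."""
    n = int.from_bytes(hashlib.sha512(label).digest() * 4, "big") | (1 << 2047) | 1
    return ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(n)


def synthetic_ed25519_blob(label: bytes) -> bytes:
    """An ssh-ed25519 blob with 32 made-up key bytes."""
    return ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(label).digest())


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


SDK_KEY = synthetic_rsa_blob(b"vendor-sdk-default")      # "baked into the SDK"
CAMERA_KEY = synthetic_ed25519_blob(b"camera-model-x")   # one model, one key
UNIQUE_KEY = synthetic_ed25519_blob(b"generated-on-first-boot")

SCAN_LINES = [  # constructed; 192.0.2.0/24 is a documentation range
    f"192.0.2.10 ssh-rsa {b64(SDK_KEY)}",
    f"192.0.2.11 ssh-rsa {b64(SDK_KEY)}",
    f"192.0.2.12 ssh-rsa {b64(SDK_KEY)}",
    f"192.0.2.20 ssh-ed25519 {b64(UNIQUE_KEY)}",
    f"192.0.2.30 ssh-ed25519 {b64(CAMERA_KEY)}",
    f"192.0.2.31 ssh-ed25519 {b64(CAMERA_KEY)}",
]

if __name__ == "__main__":
    for fp, (desc, hosts) in find_shared_keys(SCAN_LINES).items():
        print(f"{fp}  {desc}  shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against real data, feed it the output of `ssh-keyscan` over your address ranges instead of `SCAN_LINES`; any fingerprint that shows up on more than one device of a given model is a key that was generated at the factory or in the SDK rather than on first boot. The same grouping works for HTTPS if you substitute the SHA256 of each server's DER certificate for the SSH fingerprint.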

The hacking of the manufacturer of smart toys VTech led to a data leak of 5 million users
News. Company statement. FAQ from the manufacturer.

In the modern cyber world there are many places where your personal data is stored, so many that none of us, in fact, knows exactly where and how it is protected. The story of the Chinese manufacturer of "smart" toys VTech confirms this once again: a hack of the company's servers led to a leak of data not only of the "customers" (the parents) but of children as well. At a minimum, children's names and dates of birth leaked; at worst, photos taken with the camera built into some of the toys. The parents lost their passwords, which were badly protected (hashed, but without a salt, so rainbow tables turn them back into plaintext with little effort), contact details, in general everything except payment information, which was processed by a third party. In total, up to five million accounts were affected.
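To make the "no salt" point concrete, here is an added example (not code from the original article or from VTech) that puts the weak scheme beside a hardened one. It simulates a leaked table of unsalted MD5 hashes, cracks it with a precomputed lookup table built once from a wordlist, and then shows that the same table is useless against per-user salted, stretched hashes. The account records, passwords and wordlist are constructed for the demonstration.

```python
"""Unsalted password hashes versus salted, stretched ones (added example; data constructed)."""
import hashlib
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor for the hardened form


def unsalted_hash(password: str) -> str:
    """What the leaked records looked like: one plain MD5 per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """The attacker's precomputed table (a rainbow table in its simplest form).
    Built once, it works against every unsalted database ever leaked."""
    return {unsalted_hash(pw): pw for pw in wordlist}


def crack_with_table(records, table):
    """One dictionary lookup per user; the cost does not grow with the user count."""
    return {user: table[stored] for user, stored in records.items() if stored in table}


def salted_hash(password: str, salt: bytes = None) -> str:
    """Hardened form: random per-user salt plus a slow KDF, stored as salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return secrets.compare_digest(digest.hex(), digest_hex)


# Constructed accounts; two parents picked the same weak password.
USER_PASSWORDS = {
    "parent01": "123456",
    "parent02": "password",
    "parent03": "123456",
    "parent04": "S3cure!Pw-2015",
}
WORDLIST = ["123456", "password", "qwerty", "letmein", "12345678"]  # attacker's wordlist

LEAKED_UNSALTED = {u: unsalted_hash(p) for u, p in USER_PASSWORDS.items()}
LEAKED_SALTED = {u: salted_hash(p) for u, p in USER_PASSWORDS.items()}

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted, cracked:", crack_with_table(LEAKED_UNSALTED, table))
    print("salted, cracked:  ", crack_with_table(LEAKED_SALTED, table))
```

Note what the unsalted table gives away even before cracking: parent01 and parent03 have identical hashes, so the attacker knows they share a password without knowing what it is. With a per-user salt the two entries differ, and each guess has to be run through the KDF separately for every account.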


The "My First Personal Data Leak" series

How did that happen? The company's official statement says: "Unfortunately, our database was not as secure as we would like." Moreover, the hack took place on November 14, and the company only found out about it on the 24th, ten days later, and then only after a journalist asked; by that point the dumped database had already leaked onto the network. Of course, this hack does not claim the title of the most massive breach, but it is somewhat startling in its unexpectedness: 5 million users around the world will now have to think about changing their passwords on every service, and not only that. I am sure the majority of users did not even suspect what the manufacturer of their children's tablet was keeping.

That is, today's parents did not necessarily even have a computer as children. I did, but there was not even a game on it, let alone the Internet: instead of "video chat with mom" I played with bubble sort and assembler. But today's children take all the gadgets around us for granted, almost from birth. Until now, all the talk about protecting children online has been limited to restricting access to content. Perhaps it is time to consider that data about children, their behavior and their activity is kept by third parties rather more than one would assume. This is, in general, normal, but protecting that data clearly should not be done on a leftover basis, on the strategy "well, who would ever think of hacking us." Here, someone did.

Microsoft blocks "misleading software," hinting at the add-ons bundled with popular software
News. Post on the company blog.

Microsoft has introduced a new term: PUA, Potentially Unwanted Application. The definition of a PUA is quite general, but we all understand what the company is hinting at. Applications that inject advertising banners, software that spreads as a "supplement" bundled with ordinary software, and software "aggressively offering to pay for services with signs of fraud" may be subject to blocking. As we all know, the line between more or less legitimate programs that use such tactics and completely illegitimate ones, for example fake antivirus programs, is very thin.


We found something on your computer and deleted it.

That is why the PUA detection and blocking feature is being offered only to corporate users, and not to everyone at once. It is off by default, since any such blocking can produce false positives. Perhaps the feature will help make companies a bit safer, although a system that really works still means banning everything that is not explicitly allowed.

What else happened:
A legal dispute in a US court led to the disclosure of what the FBI calls a National Security Letter, and companies usually call a "gag order": the intelligence services ask for information about a user while forbidding any disclosure of the request. Many companies have consistently opposed this tactic and even came up with a way around the secrecy, the warrant canary: first you publish a statement on your site that you have not secretly handed information to the intelligence services, and if such a case occurs, you remove the statement. There is a lot of discussion of privacy issues here, but not a single gram of technology.

Another APT group has been found in China, exfiltrating victims' data through Dropbox.

Antiquities:
Darth family

Very dangerous resident viruses; they infect .COM files when those are written to (int 21h, ah = 40h). They write themselves to the beginning of the file without preserving its original contents. Embedded in the DOS segment. Replace the address of function 40h in the int 21h function table. Contain the text "Darth Vader".

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 28.


Image credit: Stefano Buttafoco / Shutterstock.com

Some things in this world never change, and that is perhaps even pleasant. May the Force be with you!

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends.

Source: https://habr.com/ru/post/272413/
