Security Week 04: Lenovo's WiFi Hotspot Conf-Call Backdoor, Amazon Distributes HTTPS for Free

The past week was nothing special: there was a lot of news, but almost everything, except for the latest vulnerability in the Lenovo software, could easily be defined in the “What else happened” category. And after all, the incidents were important: in OpenSSL , new vulnerabilities were closed (but not as terrible as Heartbleed); Critical holes are closed in iOS and Mac OS X; in PayPal, we found and closed a serious bug found in Apache Commons Collections last year through the bug bounty program. Yes, such that theoretically allowed to bypass the protection and get direct access to the servers!

Everything is interesting, but somehow without a twinkle. However, this is not my first attempt to dig into the digest that the landscape of threats is no longer the same. Indeed, over the past six months, with rare exceptions, hacks have occurred every week, vulnerabilities have been discovered very, very serious. But in general, a news digest in a fairly narrow area of ​​information security should be like a boring production runoff! Where work is being done, plans are being fulfilled, holes are being closed, software is being updated, new protection technologies are emerging. Much more often the description of incidents in IT Security looks like a messenger of the apocalypse - fun, spectacular, but not at all cool. And this week, yes, everything was quite positive. There were no epic failures, but a couple of anecdotal stories happened. All issues are here .

In the proprietary software Lenovo SHAREit found stitched password. Guess what.
News Lenovo's security advisory .

Lenovo Shareit is a standard program that can be found on many laptops on Windows and Andoid smartphones manufactured by this company. If you, of course, did not change anything in the system after the purchase. Pursuing this program, in general, a good goal: it makes it possible to exchange files between laptops or between a laptop and a smartphone is relatively simple. If this feature can be implemented in smartphones in other ways, then in Windows everything is more complicated (but Dropbox will help you anyway). The program works simply: it creates a temporary access point to which the second device is connected and transmits the data. True, this apparent simplicity: inside (on Windows) there is both an embedded web server and much more.
')
So, the Windows client created a temporary WiFi network with a password embedded, which the user could not change. In general, this is such a routine vulnerability, which is found in many places - from cheap webcams to industrial routers, but there is a nuance. The password is 12345678. Lenovo’s worst sin (and most likely an independent developer-contractor) turned out to be that the company prepared delicious food for jokes. In the list of the most unsuccessful passwords, which, in principle, you can think up, such a password is always on top places .



I am 100% sure that the system of interaction between the two devices, and especially such a password, did not undergo a security audit at all, and not a single person with at least a remote relationship to security was involved in the work. In fact, everything is somewhat more complicated than they are described in Core Security, which discovered a vulnerability (what a vulnerability, failure!). There is a protected mode in the Windows client, where you can choose your own password for the WiFi network. But the default password is an insecure password, because, I believe, it will be more convenient for users . This is exactly what vendors need to get rid of such an attitude - it is always possible to make it convenient and safe, and this is a problem of the developer, and not of users who, de, are “hard to master technologies”.

What about the Android version? There is another problem - there is no password at all. That is, anyone can connect to the temporarily created network. Moreover, in any case, the data is transmitted via HTTP, that is, intercepting them (knowing the password or connecting to an open network) will have no difficulty. Finally, the access point connected to the created program on Windows can view the list of files on the computer using requests to that very embedded web server. Everything? No, not all. The Windows client can still be attacked by crashing it.

In general, everything is not so bad. Devices become vulnerable only for a relatively short moment of lifting the access point. Download any files from the Windows system will not work. But the interception of transmitted data, fairly easy to organize - this is bad. The password 12345678 is very bad, and the system would not be safer if there was something else there. This is a matter of reputation. I already said that the further, the more important for companies will be their reputation in the field of security?

Built-in backdoor was removed from the secure conference facility
News

Want more passwords? I have them. The company AMX specializes in the development of devices for audio and video conferencing, with an aspect to security - its products are used, among other things, in the military and in US government agencies. Modern conferencing is essentially a specialized computer network, and the vulnerability was discovered in the AMX NX-1200 device, which is, in short, a mixture of a network hub with a converter for various audio and video devices. In this device, SEC Consult found an undocumented account that allows you to connect to it remotely.

Then the joke begins again. First, the hidden account was called the Black Widow.



Secondly, when security experts informed the vendor, they “solved the problem” by removing Widow, but adding another account named Batman. Batman! Well, more precisely, it was about a kind of 1MB @ tMan. That is, on the one hand, we have a network infrastructure that is installed in the White House, at air bases and at the American marines, and on the other, the accounts of “Batman” and “Widows”.



Not OK. However, following the results of the two hidden accounts have been deleted in the next firmware update.

Amazon gives customers HTTPS certificates for free.
News

For a change, news without jokes. A year ago, Amazon decided to become a certification authority, which allowed it to issue its own SSL / TLS certificates. This week it was announced that users of Amazon cloud services will be able to get certificates for free to connect visitors via HTTPS. A similar initiative of Let's Encrypt, which also recently launched the issuance of free certificates, distributes them "for free, for everyone, for nothing, and let no one leave offended," although with restrictions. The process of obtaining a certificate there is really simple and highly automated, which really led to the emergence of malicious sites with HTTPS support. A good idea, however, does not spoil it.

Amazon has certificates that are available for free, but not for everyone. So far, certificates will be distributed to customers using Elastic Load Balancing and Amazon CloudFront services, but not EC2. That is, the rate on small customers is not done, and philanthropy does not smell here. In any case, it’s good that SSL / TLS certificates, which are quite expensive for commercial providers, become a nice bonus and competitive advantage. This means that the share of encrypted traffic will grow.

What else happened:
Samsung was sued , demanding to force the company to update Android more often, not to abandon old devices without support, and so on. Interesting, but I'm not sure that a technical problem can be solved in court in principle.

A vulnerability discovered last week in the Linux kernel has been patched to Android. Google claims there are not so many affected devices, thanks to SELinux policies. Perception Point, which discovered the vulnerability, does not agree and promises in the near future to organize the disruption of covers. We wait!

Antiquities:
"Condom-1581"

Resident non-dangerous virus. It is standardly written to triggered .COM files (except COMMAND.COM). Intercepts int 8 and int 21h. It contains the text: "command". Depending on the value of the system timer, the virus exhibits poetic abilities and displays the following work on the screen:



Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 63.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.