Obscurity is not Security | TechSNAP 55

Rugged OS contains backdoor maintenance account with insufficent security

• Rugged OS makes devices for controlling SCADA systems, including enabling management of non-networked SCADA devices via an IP-to-Serial interface
• Rugged OS devices are used to manage traffic control systems, railroad communications systems, power plants, electrical substations, and even US military sites
• The issue is that all Rugged OS devices contain an account with the username ‘factory’, that cannot be disabled
• This account is obviously meant to allow the manufacturer to service the device, however it is insufficiently secured
• Instead of using strong cryptography or SSL/SSH keys or something like that, the Factory Account uses a password derived from the MAC address of the device (so, the password is unique per device)
• However, this password is simple the MAC address run through a short perl script that reverses the octets and takes the modulus of a static constant
• This means that all of the factory user passwords are at most 9 digits in length and always contain only numeric values
• The RuggedCom devices appear to use plain Telnet, rather than SSH, so all communications to and from the device are in the clear, meaning the password to the device could be sniffed by another with access to the network segment
• The MAC address of the device is presented automatically as part of the login banner, making the compromise of these devices extremely trivial
• Researchers notified the manufacturer more than a year ago, but rarely got a response
• The researchers forced the issue via US-CERT in February of this year, and in the beginning of April CERT set a disclosure date due to a lack of response
• This vulnerability was discovered by analyzing the firmware of a used Rugged OS device bought on eBay by the researchers
• RuggedCom was acquired by the Canadian subsidiary of Siemens last month
• Full Disclosure Mailing List Post

Cryptic Studios Customer Database Stolen, in Dec 2010

• The database that was compromised contained user login names, game handles, and ‘encrypted’ passwords
• The official notice is sparse on details and does not explain what type of ‘encryption’ was used for the passwords
• “Even though the passwords were encrypted, it is apparent that the intruder has been able to crack some portion of the passwords in this database”
• Given the fact that it has been more than a year since the database was compromised before a string of accounts started being compromised suggests that the passwords may have been properly hashed
• The delay suggests that the attackers had to brute force the password database, and that this took significant time, however the time factor is relative, if the attacker only used a single machine to crack the passwords, or was unaware of Rainbow Tables, plain MD5 sums could easily take this long
• Cryptographically hashed MD5 (meaning, with a salt) or better yet SHA256 would take significantly longer to crack and would be immune to rainbow tables
• Salted passwords mean that even if two users have the same password, you have to brute force each hash separately (if you use plain MD5 sums, then all users with the same password can be cracked in one attempt)
• It is also very likely that the attacker saved up the passwords they were able to crack in order to compromise all of the accounts at once, to avoid Cryptic taking the step they have taken now, and forcing a password reset on all affected accounts
• The risk in waiting is that users will change their passwords over time, and the cracked passwords will then be rendered useless
• Even cryptographic hashes can be cracked eventually, that is why it is important to change your passwords periodically

Arcadyan Wifi Routers have accidental backdoor in WPS

• The flaw, which was likely originally in place as a debugging tool, allows any user to authenticate to your network using the WPS pin 12345670
• This attack is worse than the previous WPS attach that reduced the keyspace, because it does not require someone to press the WPS button on the device
• Worse, this override pin still works even if the WPS feature is disabled in the settings on the router
• Arcadyan makes routers specifically for ISPs, and there are more than 100,000 of these $275 routers deployed in Germany alone, all of which are vulnerable
• Both the stock shipped 1.08 and the latest downloadable version 1.16 of the firmware are vulnerable
• The only available workaround is to disable wireless entirely
• Since the routers are often white labeled to the name of your ISP, Arcadyan devices will have MAC addresses that start with one of the following:
• 00–12-BF
• 00–1A–2A
• 00–1D–19
• 00–23–08
• 00–26–4D
• 1C-C6–3C
• 74–31–70
• 7C–4F-B5
• 88–25–2C

Feedback:

Q: The entire Internet writes….

Why can’t I download JB shows? My world is ending!

A: Blip.tv (our video CDN) has made changes, that are stupid. We are moving off blip.tv and will keep you updated. If you want to grab something that is still hosted on blip.tv and are having issues downloading the files, here are some example work arounds:

• BeyondPond Blip.tv workaround
• DoggCatcher blip.tv Workaround

Round-Up:

• Cispa cybersecurity bill opposed by Obama administration
  • Obama Authorizes Sanctions Against Surveillance Tech in Syria, Iran
• Company accidently fires all employees instead of just one
• Iran: Oil Industry Hit By Malware Attack
• Security researcher discovered flaw in Samsung SmartTVs while trying to play a trick on his brother
• Microsoft research shows that all conficker infections were the result of weak passwords or vulnerabilities for which Microsoft had already released patches
• Microsoft asks bloggers to try hotmail again after years of gmail, hotmail account promptly hacked. Compromises Bloggers Xbox and other MS Live identities
• FBI DNS Shutdown debunking – Allan’s long explaination
• Check your IP against the FBI DNS database
• HALL OF SHAME: Cryptic Studios Hacked Dec 2010. Figure out Apirl 25, 2012
  • FYI – Your Cryptic Account was hacked in 2010