175,000 iDoorbell Chinese Internet Connected security cameras can be easily hacked

An estimated 175,000 Internet of Things (IoT) connected security cameras manufactured by Shenzhen Neo Electronics are vulnerable to cyber attacks, according to a new report from security provider Bitdefender.

The vulnerable cameras are manufactured by the Chinese company Shenzhen Neo Electronics that offers surveillance and security solutions, including IP cameras, sensors and alarms.

The experts discovered several buffer overflow vulnerabilities in two models of cameras manufactured by the company, the iDoorbell and the NIP-22 models.

The researchers believe that other models commercialized by the Chinese company are vulnerable because they use the same firmware.

“Several buffer overflow vulnerabilities (some before authentication) are present in the two cameras studied, the iDoorbell model and NIP-22 model, but we suspect that all cameras sold by the company use the same software and are thus vulnerable,” reads the report published by Bitdefender. “These vulnerabilities could allow, under certain conditions, remote code execution on the device. This type of vulnerabilities is also present on the gateway which controls the sensors and alarms.”

The security cameras use UPnP (Universal Plug and Play) to automatically open ports in the router’s firewall to allow access from the Internet. Querying the Shodan search engine for vulnerable devices, the researchers discovered between 100,000 and 140,000 vulnerable devices worldwide.

“We found between 100,000 and 140,000 devices when searching for the HTTP web server, and a similar number when searching for the RTSP server (both vulnerable). These are not necessarily the same devices, as some have only one service forwarded. We estimate that the real number of unique devices is around 175,000,” continues the report.

The experts noticed that both security camera models are vulnerable to two different cyber attacks, one that affects the web server service running on the cameras and another that affects the RTSP (Real Time Streaming Protocol) server.

Researchers demonstrated that it was quite easy to exploit the flaws in the security cameras: anyone can access the livestream by simply logging in with default credentials (i.e. “user,” “user,” and “guest,” “guest”).

The researchers also discovered a buffer overflow vulnerability that could be exploited to take control of the cameras remotely.

Shenzhen Neo did not comment on the discovery.

July 2017 CERT Cyber Vulnerabilities

Each month, Nebula Consulting posts vulnerability notes from CERT’s vulnerability database. Check back often for updates!

18 Jul 2017 - VU#547255 - Dahua IP cameras Sonia web interface is vulnerable to stack buffer overflow

Dahua IP camera products include an application known as Sonia (/usr/bin/sonia) that provides the web interface and other services for controlling the IP camera remotely.

Versions of Sonia included in firmware versions prior to DH_IPC-Consumer-Zi-Themis_Eng_P_V2.408.0000.11.R.20170621 do not validate input data length for the 'password' field of the web interface. A remote, unauthenticated attacker may submit a crafted POST request to the IP camera's Sonia web interface that may lead to out-of-bounds memory operations and loss of availability or remote code execution.

Solution: Apply Update. Dahua has released firmware version DH_IPC-ACK-Themis_Eng_P_V2.400.0000.14.R.20170713.bin to address this issue. All affected users should update their firmware as soon as possible. If you have any questions, you may contact cybersecurity@dahuatech.com.

20 Jul 2017 - VU#586501 - Inmarsat AmosConnect8 Mail Client Vulnerable to SQL Injection and Backdoor Account

Inmarsat Solutions offers a shipboard email client service, AmosConnect 8 (AC8), which was designed to be utilized over satellite networks in a highly optimized manner. A third-party security research firm has identified two security vulnerabilities in the client software: On-board ship network access could provide visibility of user names and passwords configured on the client device. A backdoor account has been identified in the client that provides full system privileges. This vulnerability could be exploited remotely. An attacker with high skill would be able to exploit this vulnerability. AmosConnect 8 has been deemed end of life and is no longer supported. Inmarsat customers must contact Inmarsat Customer Service to obtain the replacement mail client software.

Unauthenticated attackers having network access to the AmosConnect Server can exploit a Blind SQL Injection vulnerability in the login form to gain access to credentials stored in its internal database, containing user names and passwords.

Successful exploitation of this vulnerability may allow a remote attacker to access or influence AmosConnect 8 email databases on computers that are installed onboard ships.

Solution: Delete Software. As of July 2017, support for the Inmarsat AmosConnect8 service has been decommissioned and clients will no longer be able to download the software from the software distribution website. Customers can contact Inmarsat Customer Service to obtain further information/updates for the replacement email client.

25 Jul 2017 - VU#838200 - Telerik Web UI contains cryptographic weakness

The Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys.

The Telerik.Web.UI.dll is vulnerable to a cryptographic weakness which allows the attacker to extract the Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey. Versions R2 2017 (2017.2.503) and prior are vulnerable.

A remote, unauthenticated attacker could perform arbitrary file upload and downloads, cross-site scripting attacks, leak the MachineKey, or compromise the ASP.NET ViewState. Software vendors who use Telerik web components may also be impacted.

Solution: Apply an update. Please see Telerik's support article for update information for specific versions.

27 Jul 2017 - VU#793496 - Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency

Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to poison routing tables within the domain.

Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency with MaxSequenceNumber. According to RFC 2328 section 13.1, for two instances of the same LSA, recency is determined by first comparing sequence numbers, then checksums, and finally MaxAge. In a case where the sequence numbers are the same, the LSA with the larger checksum is considered more recent, and will not be flushed from the Link State Database (LSDB). Since the RFC does not explicitly state that the values of links carried by a LSA must be the same when prematurely aging a self-originating LSA with MaxSequenceNumber, it is possible in vulnerable OSPF implementations for an attacker to craft a LSA with MaxSequenceNumber and invalid links that will result in a larger checksum and thus a 'newer' LSA that will not be flushed from the LSDB. Propagation of the crafted LSA can result in the erasure or alteration of the routing tables of routers within the routing domain, creating a denial of service condition or the re-routing of traffic on the network.
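The recency rules summarized above from RFC 2328 section 13.1, written out as an added example (not code from the CERT note or from any vendor implementation). It shows why an instance carrying MaxSequenceNumber and a larger checksum outranks the premature-aging flush instance; the sample headers, the `max_seq_conflict` alert heuristic and all names are assumptions of this example.

```python
# Added example: RFC 2328 section 13.1 LSA recency comparison and an alert check.
from dataclasses import dataclass

MAX_AGE = 3600                    # RFC 2328 MaxAge, seconds
MAX_AGE_DIFF = 900                # RFC 2328 MaxAgeDiff, seconds
MAX_SEQUENCE_NUMBER = 0x7FFFFFFF  # largest signed 32-bit sequence number


def seq_from_wire(raw: int) -> int:
    """LS sequence numbers are signed 32-bit; 0x80000001 is the oldest."""
    return raw - (1 << 32) if raw & 0x80000000 else raw


@dataclass(frozen=True)
class LsaHeader:
    ls_type: int
    ls_id: str
    adv_router: str
    seq: int       # signed value, see seq_from_wire()
    checksum: int  # unsigned 16-bit checksum as carried in the LSA header
    age: int       # LS age in seconds

    @property
    def key(self):
        return (self.ls_type, self.ls_id, self.adv_router)


def compare_recency(a: LsaHeader, b: LsaHeader) -> int:
    """Return 1 if a is more recent, -1 if b is, 0 if considered identical."""
    if a.key != b.key:
        raise ValueError("not instances of the same LSA")
    if a.seq != b.seq:                            # step 1: sequence number
        return 1 if a.seq > b.seq else -1
    if a.checksum != b.checksum:                  # step 2: checksum
        return 1 if a.checksum > b.checksum else -1
    if (a.age == MAX_AGE) != (b.age == MAX_AGE):  # step 3: MaxAge
        return 1 if a.age == MAX_AGE else -1
    if abs(a.age - b.age) > MAX_AGE_DIFF:         # step 4: large age gap
        return 1 if a.age < b.age else -1
    return 0


def max_seq_conflict(installed: LsaHeader, received: LsaHeader) -> bool:
    """Heuristic (assumption of this example): two instances of one LSA that
    both carry MaxSequenceNumber but differ in checksum deserve an alert,
    because step 2 decides between them before MaxAge is ever consulted."""
    return (installed.key == received.key
            and installed.seq == received.seq == MAX_SEQUENCE_NUMBER
            and installed.checksum != received.checksum)


# Constructed sample headers (documentation addresses, made-up checksums).
FLUSH = LsaHeader(1, "192.0.2.1", "192.0.2.1", MAX_SEQUENCE_NUMBER, 0x1A2B, MAX_AGE)
OTHER = LsaHeader(1, "192.0.2.1", "192.0.2.1", MAX_SEQUENCE_NUMBER, 0xF00D, 1)

if __name__ == "__main__":
    print("flush instance vs. other instance:", compare_recency(FLUSH, OTHER))
    print("raise alert:", max_seq_conflict(FLUSH, OTHER))
```

A monitoring tool that records LSA headers from the LSDB or from captured Link State Updates can run `max_seq_conflict` on each replacement event.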

Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to erase or alter the routing tables of routers within the domain, resulting in denial of service or the re-routing of traffic on the network.

Solution: Install updates. The OSPF protocol is a popular interior routing protocol that is used by many devices and manufacturers. This vulnerability is implementation-specific, so some vendors may not be affected. The Vendor Information section below contains known affected or non-affected vendors. Please consult your network equipment vendor to confirm how they are affected by this vulnerability.

Tor-Based Briar Messenger App For Snoop Proof Communication

Tor network based messaging app Briar Enters Beta Stage

With the concerns about privacy and data protection at an all time high, the one thing users crave for the most is a messaging app that is encrypted and completely safe. Quite a few apps have risen to meet this demand by offering end-to-end encryption but as every avid internet user knows, there is nothing quite like the Tor network when it comes to security on the internet.

Briar clears security hurdle

Briar is the name of this messaging service that has been developed to run over the Tor network. The app is currently available for Android and is in its beta stage today. As with much free-to-use software, the developers of Briar are in no hurry to give WhatsApp a run for its money, so expect a longer development time but a much better end product.

The team has revealed that they had an independent security audit done on their project by Cure53 – the same organization that has reviewed services such as SecureDrop, Cryptocat, and Dovecot in the past. The security report concluded that Briar for Android provides “an overall good handling of matters linked to security and privacy.” The main aspect of the project – the code that deals with the cryptography – “was found to be exceptionally clear and sound, with no vulnerabilities spotted,” Cure53 said. On a side note, there were bugs detected during the audit but they are said to have been fixed in the version that has been made available.

Cannot be taken down

The major advantage of using the Tor network is that the network cannot be taken down completely by any entity or government, and Briar sticks to that notion, thus making this a haven for journalists and activists for whom secrecy is key. Under the hood, Briar uses a peer-to-peer network to relay information rather than central servers. In addition, all messages use forward secrecy and do not contain any metadata. These very things also make it censorship resistant. By default, the app will use the Tor network to communicate, but in case the network is not accessible, the app can also work on WiFi or Bluetooth networks.

“Like with many Free Software projects, it will be done when it is done,” said Torsten Grote, one of the app’s developers. “Briar is built as modular as possible. There are two libraries that can be used to build apps on top of them. We definitely want to do a desktop app.”

“An iOS app is trickier because iOS is more closed than Android,” Grote added. “There are heavier restrictions on background services for example that are required for P2P apps. We are currently collecting issues to address for a second beta release. Our private beta testers were mostly worried about two things: battery usage and the ability to add contacts remotely.”

He also noted that the app is designed to be agnostic to the data transport that is used, which means that the developers can switch from the Tor network to something else if a better medium emerges in the future. The Tor Project, meanwhile, has its own messenger app but that is restricted to Linux, Windows and Mac. Though Briar is a direct competitor to Tor, the developers are said to be on cordial terms. “Our developers know many of the Tor developers and they know us,” Grote said. “We discuss issues like battery usage of Tor on mobile devices and work together to improve that.”

Source: BleepingComputer

How to Protect Your Small Business From Cyber Attacks

When the team at HOUSEsports LLC decided to expand its offerings to sports fans from podcasts to an online platform for sports fans to talk and connect, the co-founders knew cybersecurity was going to be a key metric on which they would have to focus.

“After we had proof of concept and a clean design, our first concern was to protect the entity and the website platform,” Devin Emory, one of the co-founders of HOUSEsports, said.

They decided to go with Meteor, a JavaScript web framework, to build their platform. Not only does the framework work across mobile and web platforms, but they were also sold on some of the security features built into the code.

“Meteor’s page rendering engine takes care of escaping special symbols when dealing with data bindings which saves us from very basic XSS attacks,” Emory said.

Cross-site scripting attacks, otherwise known as XSS attacks, inject malicious scripts into otherwise benign or trusted websites, according to Excess XSS. This is one of the most common methods hackers employ to gain access to a server.

Another common form of attack, cross-site request forgery, allows an attacker to force a user who is logged in to perform an important action without their consent or knowledge, as defined by Tinfoil Security. These attacks are also not possible in Meteor as the framework itself is much harder to spoof, Emory said.

The problem is that not all small businesses have the knowledge required to bake in such protections. And while firms in the finance and technology-related industries tend to have a higher awareness of cybersecurity, overall preparedness is still low, experts say.

Small businesses are also at risk

Half of all small and medium businesses have experienced a data breach in the past 12 months, with 55 percent having experienced a cyberattack, according to data from Ponemon Institute’s survey of 598 companies in 2016.

According to the study, these companies spent an average of $879,582 because of damage or theft of IT assets. In addition, disruption to normal operations cost an average of $955,429, said the institute, which conducts independent research on privacy, data protection and information security policy.

Kristin Judge, director of special projects and government relations for the National Cyber Security Alliance, said small businesses are not yet sufficiently prepared, but they are listening for the first time.

“Over the past year, I feel like when we are out talking to audiences, the small and medium businesses that didn’t come out before are actually engaging now. They understand that they are under-prepared and are actually paying attention,” she said.

Recent cybersecurity threats, including the U.S. intelligence community’s conclusion that Russia attempted to influence the 2016 U.S. presidential election, and the WannaCry ransomware attack have further raised awareness of the importance of cybersecurity among businesses and individuals.

“As a small business owner and operator, there are so many other things they are managing on a daily basis that it can be easy to overlook and forget that cyber threat is almost a day-to-day, hour-to-hour presence that they have to keep an eye on,” Kaili Harding, president of the Schaumburg Business Association, said.

Businesses cite their top five challenges for growth and survival as growing revenue, increasing profit, managing cash flow, and attracting and retaining qualified employees, according to a study of more than 1,500 businesses in the U.S. and Canada conducted by the Better Business Bureau in September 2016.

Even with a trend of increasing digitalization and cyber incidents, seven out of 10 considered it unlikely that their business will suffer a cyber attack in the next 24 months, according to the report.

“It's definitely adding to an expense that a lot of businesses have not had to deal with in the past 20 or 30 years,” Harding said.

But, she stresses, businesses must be prepared. “The expense on the front end is well worth the time and effort because it gets a lot more expensive once you've been targeted. Not only that, but you could lose your customers' confidence in the company if they feel the company didn't do the most it could to protect the information that they have,” Harding said.

What small businesses can do

At the minimum, companies need to patch their systems, browsers, and plugins on a regular basis, have a firewall in place, ensure that users are using strong passwords, and are doing vulnerability scanning and remediating the findings, however low-level the vulnerabilities seem, Joshua Crumbaugh, founder and CEO of PeopleSec, a cybersecurity firm that offers security awareness training and penetration testing, said.

A vulnerability scanner identifies devices on a network that are open to known vulnerabilities and alerts the user to the weaknesses before they are attacked.

“The biggest thing is if you really have zero information technology expertise and zero information security expertise, which most companies do, you should probably just look at a managed service provider,” Crumbaugh said.

Indeed, this is the most common method employed by small businesses, Judge said.

“I’m very comfortable in suggesting that small and medium businesses use outside vendors that are reputable to handle their cybersecurity because I don’t have any confidence that small and medium businesses are going to be able to afford staff to handle cybersecurity. And there are wonderful companies that can do it at scale to make it more affordable for smaller companies,” Judge said.

The aftermath of a breach

Having a good setup in place is also instrumental to protecting the organization legally.

“If I'm a customer for a retailer and my private information was stolen from their system, it's harder for me to win as an individual in a case against the company if they can show ‘Hey listen we had routine meetings, we have up-to-date insurance, our board always talks to us about these things, we did everything that we could, we maintained our systems and had a plan,’” said Richik Sarkar, litigator and business strategist at McGlinchey Stafford PLLC.

The customer may still have a claim against the business if they can prove actual damages but business owners can fall back on these defenses to protect themselves against individual liability, Sarkar said.

Sarkar also recommended talking with an attorney when reviewing cyber-liability insurance.

“The devil is in the details, when you are looking at all these policies, there may be all sorts of exclusions or riders you need to get. So you need to work with either a really experienced insurance professional or get an attorney to have a look at these policies for you,” Sarkar said.

The benefit of discussing your options with an attorney is that the discussion is privileged.

“If you’re only having that conversation with your insurance company and something happened later on and somebody wanted to attack what you did and how reasonable it was, there’s no privilege between a small business and their insurance company. There is privilege between a small business firm and their attorney,” Sarkar said.

Source: Mindy Tan

Who has Access to Our Connected Car Data & How is it Used?

Today’s cars are complex machines comprised of tens of thousands of interconnected parts. Among those parts are microprocessors, broadband chips and sensors, designed to collect valuable information about the way a connected car operates and how its driver behaves.

All of this information is used to help connected cars function, but is the data utilized for anything else? And who has access to it? Those are important questions to answer, since many drivers are wary about sharing in the first place. A recent CARFAX study revealed that drivers are hesitant to share specific types of info, depending upon who is seeing it. Let’s explore the who, what and why of car data sharing.

What Data Is Collected?

Connected cars have a range of technology features designed to make driving safer and more convenient. Most of these are not standard offerings (buyers must opt for driver-assist packages); however, demand for these features is growing. The CARFAX study showed that while a small percentage of drivers considered driver assist as “must-have” features in their current car, when they go to buy their next car that demand will grow by 80 percent. Driver override features, such as automatic braking, will see the “must-have” demand increase by 70 percent. The study showed a general overall positive view of technology, which means more connected cars on the road – and more collected data – in the future.

Depending on the car technology features you have, the data your car collects is used to help you avoid heavy traffic, stay in your lane, maintain a safe distance between vehicles, increase fuel economy and quickly notify 911 if you’re in an accident. However, that might not be all.

In 2015, the Fédération Internationale de l'Automobile (FiA), which represents auto and motoring clubs across the globe, conducted independent research to gauge how much information new vehicles are able to collect and share. Researchers found that the information gathered included driver profiles, vehicle location, maintenance details and trip length. Moreover, synced smartphones (think Bluetooth) also supplied manufacturers with personal information, such as contact details.

Who Sees The Data?

At present, all that data stays with the automakers and is not disclosed to third parties. This is good news, since drivers are hesitant to share with specific groups due to privacy concerns. According to the CARFAX study, 56 percent of respondents are not willing to share any data with app companies and 72 percent want to protect their data from advertisers. On the other hand, respondents were more amenable to other third parties: three out of four drivers were willing to disclose some level of data with insurance companies, vehicle manufacturers or law enforcement.

How Is the Data Protected?

Car manufacturers are sensitive to these consumer concerns. In fact, the Alliance of Automobile Manufacturers (Auto Alliance), which represents 12 car manufacturers, has issued automotive privacy principles enacted to reassure car owners about collecting data. The Auto Alliance bases its three hallmarks on such sources as the White House Consumer Privacy Bill of Rights and the Federal Trade Commission.

The three principles are:

  • Transparency: Automakers have pledged to be candid about data collection and promulgation. In particular, owner’s manuals and company websites are two sources where consumers may find policy information.
  • Sensitivity: Utmost care for collecting information is of critical concern to consumers. Indeed, manufacturers say more sensitive information receives heightened protection. Information gathered is for legitimate business purposes only and retained only for as long as it’s needed.
  • Limitations: Only under limited circumstances is information shared with government authorities; however, what those circumstances are and precisely what data gets shared isn’t clear. Consequently, ongoing consumer vigilance is recommended to ensure privacy policies get the job done.

Looking Ahead

Ultimately, connected car technologies serve as a harbinger of what is to come – namely autonomous vehicles. Driverless cars will add a layer of connectivity not employed today, specifically vehicle-to-vehicle (V2V) technology. Truly, V2V will save lives as it keeps autonomous cars from crashing into each other, perhaps overriding whatever public concerns may persist over data sharing.

Source: CARFAX