Killer USB Drive is Designed to Fry Laptops

March 12, 2015 – 5:40 AM

[Dark Purple] recently heard a story about how someone stole a flash drive from a passenger on the subway. The thief plugged the flash drive into his computer and discovered that instead of containing any valuable data, it completely fried his computer. The fake flash drive apparently contained circuitry designed to break whatever computer it was plugged into. Since the concept sounded pretty amazing, [Dark Purple] set out to make his own computer-frying USB drive.

While any electrical port on a computer is a great entry point for potentially hazardous signals, USB is pretty well protected. If you short power and ground together, the port simply shuts off. Pass through a few kV of static electricity and TVS diodes safely shunt the power. Feed in an RF signal and the inline filtering beads dissipate most of the energy.

To get around or break through these protections, [Dark Purple]’s design uses an inverting DC-DC converter. The converter takes power from the USB port to charge a capacitor bank up to -110VDC. After the caps are charged, the converter shuts down and a transistor shunts the capacitor voltage to the data pins of the port. Once the caps are discharged, the supply fires back up and the cycle repeats until the computer is fried (typically as long as bus voltage is present). The combination of high voltage and high current is enough to defeat the small TVS diodes on the bus lines and successfully fry some sensitive components—and often the CPU. USB is typically integrated with the CPU in most modern laptops, which makes this attack very effective.

Source:
http://hackaday.com/2015/03/11/killer-usb-drive-is-designed-to-fry-laptops/

Cutting-edge hack gives super user status by exploiting DRAM weakness

March 9, 2015 – 10:25 PM

In one of more impressive hacks in recent memory, researchers have devised an attack that exploits physical weaknesses in certain types of DDR memory chips to elevate the system rights of untrusted users of Intel-compatible PCs running Linux.

The technique, outlined in a blog post published Monday by Google’s Project Zero security initiative, works by reversing individual bits of data stored in DDR3 chip modules known as DIMMs. Last year, scientists proved that such “bit flipping” could be accomplished by repeatedly accessing small regions of memory, a feat that—like a magician who transforms a horse into a rabbit—allowed them to change the value of contents stored in computer memory. The research unveiled Monday showed how to fold such bit flipping into an actual attack.

“The thing that is really impressive to me in what we see here is in some sense an analog- and manufacturing-related bug that is potentially exploitable in software,” David Kanter, senior editor of the Microprocessor Report, told Ars. “This is reaching down into the underlying physics of the hardware, which from my standpoint is cool to see. In essence, the exploit is jumping several layers of the stack.”

Source:
http://arstechnica.com/security/2015/03/cutting-edge-hack-gives-super-user-status-by-exploiting-dram-weakness/

Tracking the FREAK Attack

March 3, 2015 – 7:09 PM

On Tuesday, March 3, 2015, researchers disclosed a new SSL/TLS vulnerability — the FREAK attack. The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptogrpahy, which can then be decrypted. There are several posts that discuss the attack in detail: Matt Green, The Washington Post, and Ed Felten.

A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.

This site focuses on tracking the impact of the attack.

Source:
https://freakattack.com/

Spam Uses Default Passwords to Hack Routers

February 28, 2015 – 11:22 PM

In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims.

Sunnyvale, Calif. based security firm Proofpoint said it recently detected a four-week spam campaign sent to a small number of organizations and targeting primarily Brazilian Internet users. The emails were made to look like they were sent by Brazil’s largest Internet service provider, alerting recipients about an unpaid bill. In reality, the missives contained a link designed to hack that same ISP’s router equipment.

According to Proofpoint, the link in the spam campaign led to a page that mimicked the telecom provider. The landing page included code that silently attempted to execute what’s known as a cross-site request forgery attack on known vulnerabilities in two types of routers, UT Starcom and TP-Link. The malicious page would then invoke hidden inline frames (also known as “iframes”) that try to log in to the administration page of the victim’s router using a list of known default credentials built into these devices.

If successful, the attacker’s script would modify the domain name system (DNS) settings on the victim’s router, adding the attacker’s own DNS server as the primary server while assigning the secondary DNS server to Google’s public DNS (8.8.8.8). Such a change would allow the attackers to hijack the victim’s traffic to any Web site, redirecting it away from the legitimate site to a look-alike page designed to siphon the victim’s credentials. In the event that the attacker’s DNS server was unresponsive for any reason, the victim’s router would still function normally.

Source:
http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-routers/

Software Privdog worse than Superfish

February 22, 2015 – 9:31 PM

tl;dr There is a software called Privdog. It totally breaks HTTPS security in a similar way as Superfish.

In case you haven’t heard it the past days an Adware called Superfish made headlines. It was preinstalled on Lenovo laptops and it is bad: It totally breaks the security of HTTPS connections. The story became bigger when it became clear that a lot of other software packages were using the same technology Komodia with the same security risk.

What Superfish and other tools do is that it intercepts encrypted HTTPS traffic to insert Advertising on webpages. It does so by breaking the HTTPS encryption with a Man-in-the-Middle-attack, which is possible because it installs its own certificate into the operating system.

A number of people gathered in a chatroom and we noted a thread on Hacker News where someone asked whether a tool called PrivDog is like Superfish. PrivDog’s functionality is to replace advertising in web pages with it’s own advertising “from trusted sources”. That by itself already sounds weird even without any security issues.

A quick analysis shows that it doesn’t have the same flaw as Superfish, but it has another one which arguably is even bigger. While Superfish used the same certificate and key on all hosts PrivDog recreates a key/cert on every installation. However here comes the big flaw: PrivDog will intercept every certificate and replace it with one signed by its root key. And that means also certificates that weren’t valid in the first place. It will turn your Browser into one that just accepts every HTTPS certificate out there, whether it’s been signed by a certificate authority or not. We’re still trying to figure out the details, but it looks pretty bad.

Source:
https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html