Top Stories for the Week of March 1, 2017

  • Episode 493
  • March 1, 2017

Here are the stories we're following for the week of Wednesday, March 1, 2017:

Air-gapped computers can have data stolen by a nearby drone.

Air-gapped computers aren't physically connected to any network and so should be protected from remote hackers. However, Stuxnet showed air-gaps can be breached. Besides that, an insider could always insert a USB drive into an air-gapped computer.

Now, security researchers from Israel's Ben Gurion University have demonstrated that if an attacker did manage to infect an air-gapped computer, they could steal data semi-remotely at their leisure by using a camera to capture signals from the LED lights of its hard drive.

The LEDs normally flicker when the drive is undergoing read and write operations, but can be made to transmit data visually.

The malware that the researchers devised can force the hard drive LED to blink 6,000 times per second. If those lights are visible from a window, a camera-equipped drone or telescopic lens can capture the signals at a distance.

The researchers explain that data can be leaked via the LED at a rate of 4 kilobits per second. That speed is incredibly slow by today's standards, but it's more than enough to steal encryption keys or text and binary files. According to the researchers, it's an impressive 10 times faster than previous optical covert channels for leaking data from air-gapped computers.

The beauty of the attack is that the hard drive's LED blinks anyway, making it easy to conceal that the infected machine is actually transmitting data.


Sent to us by: The Albuquerque Turque

Cloudflare had a bad data leak.

Cloudflare, a service that helps optimize the security and performance of more than 5 1/2 million websites, warned customers late last week that a recently fixed software bug exposed sensitive information that could have included passwords and cookies and tokens used to authenticate users on the sites they visited.

A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was from February 13 to February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, hackers had the ability to access the data in real-time by making Web requests to affected websites and to access some of the leaked data by querying the search engines.

The leakage was the result of a bug in an HTML parser they use to modify webpages as they pass through the service. The parser performs a variety of tasks, such as inserting Google Analytics tags, converting HTTP links to the more secure HTTPS variety, obfuscating e-mail addresses, and excluding parts of a page from malicious Web bots.

When the parser was used in combination with three Cloudflare features—e-mail obfuscation, server-side excludes, and Automatic HTTPS Rewrites—it caused Cloudflare edge servers to leak some of the content from memory and expose it on other web sites.

Graham-Cumming, the Cloudflare CTO, has ruled out the possibility that secret keys for customers' transport layer security certificates were exposed in the leaks. Still, he said end-user passwords, authentication cookies, OAuth tokens used to log into multiple website accounts, and encryption keys Cloudflare uses to protect server-to-server traffic were all at risk of being exposed.

They're warning that Cloudflare customers should at a minimum strongly consider changing passwords.


Sent to us by: Roy W. Nash

We might as well get used to it; yet another web-connected children's toy has leaked a ton of data.

Internet-connected teddy bears dubbed CloudPets leaked personal information. This put voice recordings, email addresses, and other sensitive data pertaining to children and their parents at risk of compromise by who-knows-how-many people.

CloudPets are billed as "a message you can hug." They read stories, play lullabies, feature interactive games, and let parents record messages for their children. The problem: The devices stored user data in an easily accessed database without any form of password protection.

Troy Hunt from "Have I Been Pwned" says the CloudPets database was indexed by a search engine for Internet of Things products, and has been accessed by "many people."

Hunt said information from roughly 821,000 people was compromised in this way. Within the databases, he said, "are references to almost 2.2 million voice recordings of parents and their children exposed by databases that should never have contained production data." That would be enough of a problem on its own, but upon further examination of the CloudPets mobile app, Hunt discovered even more easily-exploited security problems.

CloudPets apparently stored user information in an Amazon S3 bucket that also doesn't require any form of authentication to access. The only thing needed to view someone's profile picture, the name of a child, and the name of the relatives with whom they can communicate via their futuristic teddy bears is the proper file path. Voice recordings from children and their family members can be found in the same way.

Hold on: it gets even worse.

Hunt discovered that CloudPets has no strength requirements for user passwords. Someone could just type "L" as their password--and CloudPets explicitly advises parents to use "qwe" as a password in a "getting started" YouTube video. Neither option is secure in any way, and Hunt explained that even though CloudPets stored passwords as a bcrypt hash, cracking those simple passwords would be trivial for any hacker.
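
An added example, not code from CloudPets or from Hunt's write-up: a registration-time check that rejects the "L" and "qwe" passwords mentioned above, with an estimate of why a bcrypt hash alone does not protect them. The guess rate, thresholds and denylist are assumptions chosen for illustration.

```python
import math

# Assumptions for illustration only (none of these values come from the page).
ASSUMED_GUESSES_PER_SECOND = 1_000   # constructed offline bcrypt guess rate
MIN_LENGTH = 12                      # hypothetical policy minimum
MIN_KEYSPACE_BITS = 50               # hypothetical brute-force floor
# Constructed denylist; a real deployment would load a breached-password list.
DENYLIST = {"qwe", "qwerty", "password", "123456", "letmein"}


def alphabet_size(password: str) -> int:
    """Size of the smallest character pool an attacker must search."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols plus space
    return size or 26  # caseless letters: fall back to a conservative pool


def keyspace_bits(password: str) -> float:
    """Upper bound on brute-force work, in bits, for this length and pool."""
    return len(password) * math.log2(alphabet_size(password)) if password else 0.0


def seconds_to_exhaust(password: str) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    bits = keyspace_bits(password)
    return math.inf if bits > 1000 else 2 ** bits / ASSUMED_GUESSES_PER_SECOND


def check_password(password: str) -> list:
    """Return the reasons a registration form should reject this password."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.lower() in DENYLIST:
        reasons.append("on denylist")
    if keyspace_bits(password) < MIN_KEYSPACE_BITS:
        reasons.append("keyspace too small")
    return reasons


if __name__ == "__main__":
    for pw in ("L", "qwe", "plum-Orbit7-candle-river"):  # first two are from the page
        print(repr(pw), check_password(pw), f"{seconds_to_exhaust(pw):.3g}s")
```

The brute-force figure is an upper bound for a random password of that length; the denylist check covers common choices that fall much faster than the bound suggests.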

As it turns out, the products' creators were warned about these issues at least four times but never responded to any of those emails.

Let's recap: a bunch of internet-connected teddy bears collected and then stored information in public-facing databases without password protection, served data via Amazon S3 buckets without safeguards, actively encouraged people to use weak passwords, and ignored several warnings.

CloudPets aren't the only internet-connected toys with privacy issues, as we've heard in almost weekly news stories about data leaks. Right now the message seems clear: Don't buy internet-connected toys for your kids.


Sent to us by: The Albuquerque Turque

The NextGEN Gallery plugin for WordPress is our next big exploit. Time to upgrade!

More than 1 million websites running the WordPress content management system may be vulnerable to hacks that allow visitors to snatch password data and secret keys out of databases.

The vulnerability stems from a "severe" SQL injection bug in NextGEN Gallery, a WordPress plugin with more than 1 million installations. Until the flaw was recently fixed, NextGEN Gallery allowed input from untrusted visitors to be included in WordPress-prepared SQL queries. Under certain conditions, attackers can exploit the weakness to pipe powerful commands to a Web server's backend database.

For the attack to work, a website would have to be set up to allow users to submit posts to be reviewed. An attacker could create an account on the site and submit a post that contains malformed NextGEN Gallery shortcodes.

Web security firm Sucuri has assigned a severity rating of 9 out of a possible 10 points to the vulnerability, which was fixed in version 2.1.79 of the plugin. Website administrators who rely on NextGEN Gallery should install the update immediately.


Sent to us by: Roy W. Nash

