Obscurity is not Security | TechSNAP 55

Cryptic Studios suffered a database breach, but we’ve got more questions than answers, more vulnerabilities have been found in critical infrastructure hardware, and a WiFi hack so easy it’s fun!

Plus why you might have had trouble downloading Jupiter Broadcasting shows, and so much more!

All that and more on this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offer: $5.99 .coms, up to 5 domains! Just use our code 599com7

Want to save money on your entire order? Use our code spring7 and save 15%!


Show Notes:

Rugged OS contains backdoor maintenance account with insufficient security

  • Rugged OS makes devices for controlling SCADA systems, including enabling management of non-networked SCADA devices via an IP-to-Serial interface
  • Rugged OS devices are used to manage traffic control systems, railroad communications systems, power plants, electrical substations, and even US military sites
  • The issue is that all Rugged OS devices contain an account with the username ‘factory’, that cannot be disabled
  • This account is obviously meant to allow the manufacturer to service the device, however it is insufficiently secured
  • Instead of using strong cryptography or SSL/SSH keys or something like that, the Factory Account uses a password derived from the MAC address of the device (so, the password is unique per device)
  • However, this password is simply the MAC address run through a short Perl script that reverses the octets and takes the modulus of a static constant
  • This means that all of the factory user passwords are at most 9 digits in length and always contain only numeric values
  • The RuggedCom devices appear to use plain Telnet rather than SSH, so all communications to and from the device are in the clear, meaning the password to the device could be sniffed by anyone with access to the network segment
  • The MAC address of the device is presented automatically as part of the login banner, making the compromise of these devices extremely trivial
  • Researchers notified the manufacturer more than a year ago, but rarely got a response
  • The researchers forced the issue via US-CERT in February of this year, and in the beginning of April CERT set a disclosure date due to a lack of response
  • This vulnerability was discovered by analyzing the firmware of a used Rugged OS device bought on eBay by the researchers
  • RuggedCom was acquired by the Canadian subsidiary of Siemens last month
  • Full Disclosure Mailing List Post

Cryptic Studios Customer Database Stolen, in Dec 2010

  • The database that was compromised contained user login names, game handles, and ‘encrypted’ passwords
  • The official notice is sparse on details and does not explain what type of ‘encryption’ was used for the passwords
  • “Even though the passwords were encrypted, it is apparent that the intruder has been able to crack some portion of the passwords in this database”
  • The fact that more than a year passed between the database compromise and the string of account compromises suggests that the passwords may have been properly hashed
  • The delay suggests that the attackers had to brute force the password database and that this took significant time; however, the time factor is relative: if the attacker used only a single machine to crack the passwords, or was unaware of rainbow tables, even plain MD5 sums could easily take this long
  • Salted MD5 (what the notice would call “cryptographically hashed”), or better yet salted SHA256, would take significantly longer to crack and, because of the salt, is immune to rainbow tables
  • Salted passwords mean that even if two users have the same password, you have to brute force each hash separately (if you use plain MD5 sums, then all users with the same password can be cracked in one attempt)
  • It is also very likely that the attacker saved up the passwords they were able to crack in order to compromise all of the accounts at once, to avoid Cryptic taking the step they have now taken: forcing a password reset on all affected accounts
  • The risk in waiting is that users will change their passwords over time, and the cracked passwords will then be rendered useless
  • Even cryptographic hashes can be cracked eventually, which is why it is important to change your passwords periodically
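The salt point above, as an added example that is not from the show or from Cryptic Studios: with unsalted MD5, two users sharing a password get the same digest, so one precomputed-table lookup cracks both; with a per-user salt the digests differ, the precomputed table finds nothing, and each user costs a separate pass over the wordlist. The user records and wordlist are constructed for the demonstration.

```python
import hashlib
import os

# Constructed sample records: alice and bob share a password.
USERS = {
    "alice": "dragon42",
    "bob": "dragon42",
    "carol": "correct horse",
}

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "dragon42", "letmein"]


def md5_store(users):
    """Unsalted MD5: identical passwords produce identical digests."""
    return {u: hashlib.md5(pw.encode()).hexdigest() for u, pw in users.items()}


def salted_store(users, salt_bytes=16):
    """Per-user random salt; stored value is (salt_hex, sha256(salt || password))."""
    store = {}
    for u, pw in users.items():
        salt = os.urandom(salt_bytes)
        store[u] = (salt.hex(), hashlib.sha256(salt + pw.encode()).hexdigest())
    return store


def precomputed_table(wordlist):
    """Stand-in for a rainbow table: digest -> plaintext, built once, reused forever."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def crack_unsalted(store, table):
    """One lookup per hash; every user sharing a password falls in the same lookup."""
    return {u: table[d] for u, d in store.items() if d in table}


def crack_salted(store, wordlist):
    """The table is useless; return (cracked users, number of hashes computed)."""
    found, work = {}, 0
    for u, (salt_hex, digest) in store.items():
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:  # a fresh pass over the wordlist for every user
            work += 1
            if hashlib.sha256(salt + w.encode()).hexdigest() == digest:
                found[u] = w
                break
    return found, work
```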

Arcadyan Wifi Routers have accidental backdoor in WPS

  • The flaw, which was likely originally in place as a debugging tool, allows any user to authenticate to your network using the WPS pin 12345670
  • This attack is worse than the previous WPS attack that reduced the keyspace, because it does not require someone to press the WPS button on the device
  • Worse, this override pin still works even if the WPS feature is disabled in the settings on the router
  • Arcadyan makes routers specifically for ISPs, and there are more than 100,000 of these $275 routers deployed in Germany alone, all of which are vulnerable
  • Both the stock shipped 1.08 and the latest downloadable version 1.16 of the firmware are vulnerable
  • The only available workaround is to disable wireless entirely
  • Since the routers are often white labeled under the name of your ISP, the way to identify an Arcadyan device is by its MAC address, which will start with one of the following OUIs:
      • 00-12-BF
      • 00-1A-2A
      • 00-1D-19
      • 00-23-08
      • 00-26-4D
      • 1C-C6-3C
      • 74-31-70
      • 7C-4F-B5
      • 88-25-2C

Feedback:

Q: The entire Internet writes….

Why can’t I download JB shows? My world is ending!

A: Blip.tv (our video CDN) has made changes that are stupid. We are moving off blip.tv and will keep you updated. If you want to grab something that is still hosted on blip.tv and are having issues downloading the files, here are some example workarounds:

Round-Up:

8 Responses to “Obscurity is not Security | TechSNAP 55”

  1. Garegin16 Says:

    Obscurity is not security. Hear that, Linux? Windows has better security but is the most attacked, because Linux has an unstable API/ABI and a 1% market share.

  2. Cameron Heard Says:

    Is there a download for the “Patch Your Shit” photo? I like it xD

  3. ChrisLAS Says:

    There are some folks who have it in the chatroom, they dropped it in there during the show.. But I forgot to save it!

    -Chris

  4. clem11388 Says:

    Hey Chris, the Keepvid thing is no longer working on my machine, so I can’t get the shows in WebM anymore. I know currently the hardware limitations prevent you guys from producing a WebM version in a timely fashion. But eventually, as transcoders are updated, and maybe you guys get up enough income to purchase a new rig, could you start encoding into WebM again?

    Or perhaps have a small fund raiser where people can donate a little bit to go towards a new rig that would be dedicated to us WebM fanatics?? That would be super Awesome. :-)

  5. clem11388 Says:

    Security on Windows has gotten better. Even Bryan and Chris have said that before. But as many, many, many security professionals say, the #1 problem is not the software. It’s the input from between the chair and the keyboard.

    If you just go around downloading anything you get your hands on, then eventually you WILL get some kind of virus or malware. To an operating system, it can’t tell the difference between a normal program and a malicious process that was installed by an ignorant user. Anti-viruses can only do so much, and are not by any means a substitute for common sense.

    I use GNU/Linux operating systems, not because they are secure, but because they are Open Source and “Freedom Based” software. You are almost 100% guaranteed to not have any malicious things in them from the programmers or original developers (meaning Canonical or RedHat), because you have people all over the world looking at the code. And if a malicious bit is caught, it’s exposed and the company’s reputation is destroyed. THAT is what makes GNU/Linux, and other Freedom Based operating systems and software, so great.

    Please, don’t just go talking about things you don’t know about.

  6. PromykZamojski Says:

    Use BitTorrent DNA… use a CDN but load balance with a torrent.

  7. Daniel Sandman Says:

    Live Bittorrent might be your answer.. http://download.cnet.com/8301-2007_4-57370120-12/bittorrent-live-attracts-steady-stream-of-interest/

  8. Terry Says:

    Blip.TV no longer being used is very disappointing news, as it’s how I watch Jupiter Broadcasting on the ROKU.
