Security Week 04: Lenovo WiFi hole, conference-call backdoor, Amazon hands out HTTPS for free

    The past week was not marked by anything special: there was a lot of news, but almost everything except the latest vulnerability in Lenovo software could easily be filed under "What else happened". And yet the incidents were important: new vulnerabilities were closed in OpenSSL (though not as terrible as Heartbleed); critical holes were closed in iOS and Mac OS X; PayPal, through its bug bounty program, found and closed a serious bug, discovered last year in Apache Commons Collections, which theoretically allowed bypassing protection and getting direct access to the servers!

    Everything is interesting, but somehow without a spark. This is not my first attempt, within this digest, to make the point that the threat landscape is no longer what it used to be. Indeed, over the past six months, with rare exceptions, hacks have occurred every week and very, very serious vulnerabilities have been revealed. But in general, a news digest in a fairly narrow area such as information security ought to read like a boring production report: work is being done, plans are being implemented, holes are being closed, software is being updated, new protection technologies are appearing. More often, the description of incidents in IT security reads like a herald of the apocalypse: fun, entertaining, but not cool at all. And this week, yes, everything was quite positive. There were no epic failures, but a couple of anecdotal stories happened. All issues are here.

    A hardcoded password was found in Lenovo's proprietary SHAREit software. Guess which one.
    The news. Lenovo security advisory.

    Lenovo SHAREit is a standard program that can be found on many Windows laptops and Android smartphones made by this company, provided, of course, that you did not change anything in the system after purchase. The program pursues a good goal on the whole: it makes exchanging files between laptops, or between a laptop and a smartphone, relatively simple. On smartphones such a feature can be implemented in other ways, but on Windows everything is more complicated (though Dropbox will help you in any case). The program works simply: it creates a temporary access point, the second device connects to it, and data is transmitted. The simplicity is only apparent, though: inside (on Windows) there is also a built-in web server and much more.

    So, the Windows client created a temporary WiFi network with a hardcoded password that the user could not change. In general, this is a routine vulnerability found all over the place, from cheap webcams to industrial routers, but there is a nuance. The password is 12345678. The most serious sin of Lenovo (and most likely of an independent contractor developer) turned out to be that the company served up delicious food for jokes: in any list of the worst passwords you could possibly think of, this one is always near the top.



    I am 100% sure that the interaction scheme between the two devices, and especially such a password, did not pass any security audit at all, and that not a single person with even a distant relation to security took part in the work. In fact, everything is somewhat more complicated than Core Security, which discovered the vulnerability (yes, it is a vulnerability, a failure!), describes it. The Windows client has a protected mode in which the WiFi network password can be chosen by the user. But by default the insecure password is used because, I believe, it is more convenient for users. This is exactly what vendors need to get rid of: an easy and safe way is always possible, and it is the developer's problem, not that of users who supposedly "find technology hard to master".

    And what about the Android version? There is a different problem: there is no password at all, so anyone can connect to the temporary network. Moreover, in either case the data is transmitted over HTTP, so intercepting it (knowing the password or connecting to the open network) is not difficult. Finally, whoever connects to the access point created by the program on Windows can view the list of files on the computer through requests to that same built-in web server. Is that all? No, not all. The Windows client can also be attacked by crashing it.

    Overall, things are not so bad. Devices are vulnerable only for the relatively short time while the access point is up. Downloading any files from a Windows system will not succeed. But interception of the transmitted data, which is quite easy to arrange, is bad. The password 12345678 is very bad, and the system would not be any safer if it were something else. This is a matter of reputation. Have I already said that, the further we go, the more important a company's reputation in the field of security will become?

    A hardcoded backdoor was removed from a secure conferencing system
    News.

    Want more password protection? I have some. AMX specializes in developing devices for audio and video conferencing with an emphasis on security; its products are also used by the military and government agencies in the United States. A modern conferencing system is essentially a specialized computer network, and the vulnerability was discovered in the AMX NX-1200 device, which, in short, is a mix of a network hub and a converter for various audio and video devices. In this device, SEC Consult found an undocumented account that allows remote connection to it.

    Then the jokes begin again. First, the hidden account was called Black Widow.



    Second, when the security researchers informed the vendor, it "solved the problem" by deleting the "Widow" but adding another account named "Batman". Batman! Well, more precisely, it was a certain 1MB@tMan. So on the one hand we have network infrastructure installed in the White House, at air bases and with the US Marines, and on the other hand Batman and Widow accounts.



    Not OK. However, in the end both hidden accounts were deleted in the next firmware update.
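    The way to catch this kind of thing before it ships (or before it is deployed) is to audit the firmware image for accounts that can log in but are not on the documented list. The script below is an added example and not code from SEC Consult, AMX or this blog; it assumes a Unix-style /etc/passwd and /etc/shadow pair inside the extracted image, and the sample entries (including the "svcuser" account) are constructed, not the real AMX accounts.

```python
# Accounts the vendor documents. Any other account that can log in is a finding.
EXPECTED_ACCOUNTS = {"root", "admin"}
# Constructed sample data standing in for <extracted_firmware>/etc/passwd and
# /etc/shadow. "svcuser" is a made-up undocumented account, not a real AMX one.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:admin:/home/admin:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svcuser:x:1001:1001:service:/:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhash:17000:0:99999:7:::
admin:$6$saltsalt$hashhash:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
svcuser:$1$xyz$abc:17000:0:99999:7:::
"""

def parse_colon_file(text):
    # Map each user name to the colon-separated fields of its line.
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows

def audit(passwd_text, shadow_text, expected=EXPECTED_ACCOUNTS):
    # Return (user, reason) for every account that can log in but should not.
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, fields in passwd.items():
        shell = fields[6] if len(fields) > 6 else ""
        if shell.endswith(("nologin", "false")):
            continue  # entry cannot be used for an interactive login
        secret = fields[1]
        if secret == "x" and user in shadow:
            secret = shadow[user][1]  # the hash is kept in /etc/shadow
        if secret.startswith(("*", "!")):
            continue  # locked account
        if secret == "":
            findings.append((user, "empty password with login shell"))
        elif user not in expected:
            findings.append((user, "undocumented login-capable account"))
    return findings
```

    Running audit(SAMPLE_PASSWD, SAMPLE_SHADOW) flags only "svcuser"; a renamed backdoor (a "Batman" replacing a "Widow") shows up the same way, because the check is against the documented list, not against known bad names.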

    Amazon gives out HTTPS certificates to customers for free
    News.

    For a change, news without jokes. A year ago Amazon decided to become a certification authority, which allows it to issue its own SSL/TLS certificates. This week it was announced that users of Amazon's cloud service will be able to get certificates for free to serve visitors over HTTPS. A similar initiative, Let's Encrypt, also recently launched the issuance of free certificates, distributing them "free, to everyone, for nothing, and let no one leave offended", although with restrictions. The process of obtaining a certificate there is really simple and as automated as possible, which has indeed led to the appearance of malicious sites that support HTTPS. This, however, does not spoil a good idea.

    At Amazon, certificates are free, but not for everyone. So far, certificates will be issued to customers using Elastic Load Balancing and Amazon CloudFront, but not EC2. That is, the bet is not on small customers, and there is no whiff of philanthropy here. In any case, it is good that SSL/TLS certificates, which are quite expensive from commercial providers, are becoming a pleasant bonus and a competitive advantage. This means the share of encrypted traffic will grow.

    What else happened:
    Samsung has been sued, with the plaintiffs demanding that the company be forced to update Android more often, not abandon old devices without support, and so on. Interesting, but I am not sure that a technical problem can be solved in court at all.

    The Linux kernel vulnerability discovered last week has been patched in Android. Google claims that not many devices are affected, thanks to SELinux policies. Perception Point, which discovered the vulnerability, disagrees and promises to arrange a demonstration of the hack in the near future. We wait!

    Antiquities:
    "Condom-1581"

    A resident, non-dangerous virus. In the standard way, it writes itself into .COM files as they are executed (except for COMMAND.COM). It hooks int 8 and int 21h. Contains the text: "command". Depending on the value of the system timer, the virus displays its poetic talent and shows the following work:



    Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992. Page 63.

    Disclaimer: This column reflects only the private opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That's how it goes.
