Category Archives: Security

EternalRocks: New attack after WannaCry

Several security researchers have discovered a new “SMB worm” that exploits 7 of the NSA exploits published by the ShadowBrokers at once (WannaCry used only 2). In this respect the new worm is far more dangerous; on the other hand it (at least so far) apparently contains no crypto-locker.

No kill switch

According to one analysis, after infecting a machine the worm contacts a C&C server in the Tor network. It only receives a reply after 24 hours. It then downloads an archive and installs it on the local PC. This new software contacts random IPs and attempts a further installation on them.

No all-clear

The fact that EternalRocks does not appear to contain any malicious payload so far does not mean that it is a harmless worm. After all, there is a connection to a C&C server from which malware can be distributed at any time.

It is also possible that EternalRocks is merely a test run for a new ransomware. The attackers could use such a trial run to identify any problems and then distribute the “real malware” afterwards.

BGH: Data retention (not) permitted after all?

Legislation providing for general and indiscriminate data retention […] therefore exceeds the limits of what is strictly necessary and cannot be considered justified within a democratic society, as required by the directive read in the light of the Charter of Fundamental Rights.

This is an excerpt from the press release of the European Court of Justice concerning several cases on data retention in individual European states.

https://curia.europa.eu/jcms/upload/docs/application/pdf/2016-12/cp160145de.pdf

Following this ruling, member states are prohibited from retaining any personal data in bulk as a precaution, unless a specific threat is to be averted. The German legislator has currently limited data retention to 7 days (after the previous law had already been overturned by the BGH); complaints have been filed against this as well.

It is all the stranger that the BGH today, in a case against the website operators of the federal government and the states, did not set such narrow limits.

Website operators may store the IP addresses of their visitors if this is necessary to defend against cyberattacks. According to a ruling by the BGH, the user's right to privacy must then take second place.
(Source: tagesschau.de)

By this logic, data may now be retained after all, since a “cyberattack” can theoretically originate from any IP at any time.

Massive Cyberattack hits UK Health System, Deutsche Bahn

A massive cyberattack that seems to have its source in Russia is currently spreading around the world. After initial analysis, Kaspersky and Avast believe it is a new version of the crypto-locker WannaCry. The software demands a payment of $300 in bitcoins to release the encryption key and threatens the owners that the key will be deleted in a few days if the ransom is not paid.

According to the latest updates, the ransomware has meanwhile successfully attacked more than 75,000 PCs in 100 countries worldwide. While analysing the ransomware, a way to stop it spreading appears to have been found. According to some press reports, a security expert noticed a domain being accessed by the ransomware and registered it. Once that domain was active, the ransomware stopped spreading. It seems some routine halts its work when the domain can be contacted.

In general, this new attack became possible after some NSA documents were leaked. The NSA had known about this security issue for some time but did not inform the software vendor, leaving millions of PCs unsafe. After the documents were leaked, the vendor released a patch for the issue very shortly afterwards; it has been available since March. Judging by the current situation, many PCs have still not installed that update.

Before you say “the user's fault – why not install the update?”, keep in mind that according to current information big companies and public organisations are affected. Given the usual “update mess” of some vendors (fix one issue but create two others at the same time), it is absolutely normal for today's administrators NOT to install a patch as soon as it is available.
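Both EternalRocks (above) and WannaCry spread by reaching out to large numbers of SMB hosts, so a single source fanning out on 445/tcp within a short window is one of the simplest early indicators a defender can watch for in connection logs. The following is an added example, not code from this post or from any analysis cited here; the log format, the window of 60 seconds, the threshold of 8 distinct peers and the log lines themselves are constructed assumptions.

```python
"""Flag hosts that open SMB (445/tcp) connections to many distinct peers in a short window."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format (not any vendor's): "<ISO timestamp> <src> <dst> <dport> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Constructed sample (not real telemetry): 10.0.0.5 reaches ten distinct peers on 445
# within ten seconds, 10.0.0.7 talks to one file server repeatedly, 10.0.0.8 does HTTPS.
SAMPLE_LOG = """\
2017-05-12T10:00:00 10.0.0.5 10.0.0.20 445 tcp
2017-05-12T10:00:01 10.0.0.5 10.0.0.21 445 tcp
2017-05-12T10:00:02 10.0.0.5 10.0.0.22 445 tcp
2017-05-12T10:00:03 10.0.0.5 10.0.0.23 445 tcp
2017-05-12T10:00:04 10.0.0.5 10.0.0.24 445 tcp
2017-05-12T10:00:05 10.0.0.5 198.51.100.7 445 tcp
2017-05-12T10:00:06 10.0.0.5 198.51.100.91 445 tcp
2017-05-12T10:00:07 10.0.0.5 203.0.113.14 445 tcp
2017-05-12T10:00:08 10.0.0.5 203.0.113.200 445 tcp
2017-05-12T10:00:09 10.0.0.5 10.0.0.29 445 tcp
2017-05-12T10:00:10 10.0.0.7 10.0.0.20 445 tcp
2017-05-12T10:00:11 10.0.0.7 10.0.0.20 445 tcp
2017-05-12T10:00:12 10.0.0.8 198.51.100.10 443 tcp
not a log line
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def find_smb_fanout(lines, window=timedelta(seconds=60), threshold=8):
    """Return {src: peak distinct 445/tcp destinations within any window} for sources
    whose peak reaches the threshold. Unparseable lines are skipped."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] == 445 and ev["proto"] == "tcp":
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = {}
    for src, events in per_src.items():
        events.sort()  # sliding window needs time order
        counts = Counter()  # distinct destinations currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            counts[dst] += 1
            # drop events that fell out of the window on the left
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                left += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in find_smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {peak} distinct SMB peers within 60s")
```

The threshold should be tuned to the environment: a backup server or vulnerability scanner legitimately touches many SMB hosts, so an allow-list of known scanners belongs in front of the alert in practice.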

SHA-1 broken

It seems a team around Google has managed to produce the first SHA-1 collision, creating two identical SHA-1 checksums for two completely different documents.

At present it took them nearly 7000 years of single-CPU and GPU computation (12 million GPU years), but we saw similarly high figures for the first attack on PPTP. As we all know, by 2012 attacking PPTP took only 23 hours thanks to faster computing power. Within a few more years of development, a SHA-1 attack might work in similar timeframes.

http://shattered.io/

https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
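The practical consequence of a collision is that a verifier which still accepts SHA-1 would also accept a colliding substitute file, so the check a practitioner wants is a policy that refuses the weak algorithm outright rather than merely comparing digests. The following is an added example, not code from this post or from the SHAttered team; the manifest format, the file contents and the status names are constructed assumptions.

```python
"""Integrity manifest verifier that refuses collision-prone digest algorithms."""
import hashlib
import hmac

# Policy: algorithms with practical collision attacks are rejected outright,
# even when the digest would match (a colliding substitute file would match too).
WEAK_ALGORITHMS = {"md5", "sha1"}

# Constructed sample artifacts (inline bytes, not real release files).
FILES = {
    "notes.txt": b"Two different documents, one SHA-1 checksum.\n",
    "tool.bin": bytes(range(256)) * 4,
    "legacy.txt": b"old artifact whose manifest entry still uses sha1\n",
}


def digest(algorithm, data):
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def check_manifest(manifest, files):
    """Verify each (algorithm, expected_hex, name) entry against the given files.

    Returns {name: status}, where status is 'ok', 'mismatch', 'missing'
    or 'weak-algorithm'. Weak entries are rejected before any digest is computed.
    """
    report = {}
    for algorithm, expected, name in manifest:
        if algorithm.lower() in WEAK_ALGORITHMS:
            report[name] = "weak-algorithm"
            continue
        if name not in files:
            report[name] = "missing"
            continue
        actual = digest(algorithm, files[name])
        # constant-time comparison so the verifier does not leak how many
        # leading hex characters matched
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return report


# Constructed manifest: a correct SHA-256 entry, a SHA-256 entry computed over
# tampered content, a SHA-1 entry whose digest is correct but whose algorithm
# is rejected by policy, and an entry for a file that is not present.
MANIFEST = [
    ("sha256", digest("sha256", FILES["notes.txt"]), "notes.txt"),
    ("sha256", digest("sha256", FILES["tool.bin"] + b"x"), "tool.bin"),
    ("sha1", digest("sha1", FILES["legacy.txt"]), "legacy.txt"),
    ("sha256", "00" * 32, "absent.bin"),
]

if __name__ == "__main__":
    for name, status in check_manifest(MANIFEST, FILES).items():
        print(f"{name}: {status}")
```

Note that the `legacy.txt` entry is rejected even though its SHA-1 digest is correct: the point of the policy is that a matching SHA-1 no longer proves the file is the one that was signed.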

Flaw in Intel C2000 Chipset series

OK, we have all heard or read that there is a flaw in a series of Intel's Avoton CPUs. Currently, it seems the only “official” statement is the following quote from The Register:

The well-placed insider, who spoke to The Register on condition of anonymity, said the problem – which results in bricked systems – became apparent to engineers at product makers when the return rate on gear spiked about 18 months ago.

We have a “well-placed insider” who wants to remain anonymous, and based on this everyone starts to blame the hardware vendors that have this chip installed? It seems the only official statement at this time from Intel, the company that produces the CPU itself, is the following:

“AVR54: System May Experience Inability to Boot or May Cease Operation” … “The SoC LPC_CLKOUT0 and/or LPC_CLKOUT1 signals (Low Pin Count bus clock outputs) may stop functioning.”

http://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/atom-c2000-family-spec-update.pdf

In my experience, ANY computer-related product may stop functioning without any further warning. According to Intel, the C2000 series seems to have a slightly higher probability of doing so.

Let's face the truth: those devices out there have been running for more than 18 months. Most of them did not fail; otherwise we would already have read “All units of series xxx from company yyy are dying after a short time of use” in the usual news.

Moving from HMA to IPVanish

Like some of you out there, I use VPN software from time to time to hide my original identity when browsing the net. One of the main reasons is the heavy censorship here in Germany, and the lawyers waiting to sue you after you accidentally visit a “wrong” site.

Previously I used HMA (“Hide My Ass”) for my privacy. They offer a simple UI, an Android client, lots of servers worldwide, and they also provide a manual on how to set up your Synology NAS to work with HMA.

Also, when just searching for “good VPN provider”, they are in the top list. So that was my previous reason.

I guess I took this the easy way, and I must admit that I did not check any details when I started using them. After some time I read some bad news.

https://vpn.hidemyass.com/vpncontrol/privacy.html

Your IP address is logged by us so that we can prevent any spam, fraud or abuse of our Site and our services. We may store this data for up to two years, unless we are required, for legal reasons or under exceptional circumstances, to retain this data for an extended period.

And yes, HMA is able to track down the IP address of any connection to any user (found on Reddit):

(embedded imgur post)

After this, I cancelled my account immediately and searched for another VPN provider. My current favourite is IPVanish, which offers similar services but no trackable logging. They do not offer a detailed setup guide, but it was easy to configure my Synology NAS to use IPVanish as well.