Suramya's Blog : Welcome to my crazy life…

April 15, 2022

Life found a way a lot earlier than when we thought it had

Filed under: Interesting Sites,Science Related — Suramya @ 2:57 AM

According to the current scientific understanding, Earth formed about 4.54 billion years ago, and until now the theory was that life evolved on Earth about 3.7bn years ago. This was based primarily on the fact that the oldest reported micro-fossils dated to 3.46bn and 3.7bn years ago. However, recent discoveries in Canada have changed the calculus: researchers found evidence of microbes thriving near hydrothermal vents on Earth’s surface just 300m years after the planet formed, making them between 3.75bn and 4.28bn years old, which makes these by far the oldest micro-fossils ever found.

If confirmed, it would suggest the conditions necessary for the emergence of life are relatively basic. “If life is relatively quick to emerge, given the right conditions, this increases the chance that life exists on other planets,” said Dominic Papineau, of University College London, who led the research. Five years ago, Papineau and colleagues announced they had found microfossils in iron-rich sedimentary rocks from the Nuvvuagittuq supracrustal belt in Quebec, Canada. The team suggested that these tiny filaments, knobs and tubes of an iron oxide called haematite could have been made by bacteria living around hydrothermal vents that used iron-based chemical reactions to obtain their energy.

Scientific dating of the rocks has suggested they are at least 3.75bn years old, and possibly as old as 4.28bn years, the age of the volcanic rocks they are embedded in. Before this, the oldest reported microfossils dated to 3.46bn and 3.7bn years ago, potentially making the Canadian specimens the oldest direct evidence of life on Earth. Now, further analysis of the rock has revealed a much larger and more complex structure — a stem with parallel branches on one side that is nearly a centimetre long — as well as hundreds of distorted spheres, or ellipsoids, alongside the tubes and filaments.

It is a fascinating find because it gives us an idea of how quickly life evolved on Earth, which in turn helps us search for it on other planets, both in our own solar system and the ones we have found around other stars (once we can get to them). Whether that life would have evolved into something akin to humans or still be at the micro-organism stage is up in the air. My feeling is that we will find evidence of something in between the two extremes, but the longer we search, the better the odds of finding intelligent life become.

Source: Microfossils may be evidence life began very quickly after Earth formed

– Suramya

April 14, 2022

Ensure your BCP plan accounts for the Cloud services you depend on going down

Filed under: Computer Software,My Thoughts,Tech Related — Suramya @ 1:53 AM

Long-time readers of the blog and folks who know me know that I am not a huge fan of putting everything on the cloud, and I have written about this in the past (“Cloud haters: You too will be assimilated” – Yeah Right…). Don’t get me wrong, the cloud does have its uses and advantages (some of them significant), but it is not something you want to get into without significant planning and thought about the risks. You need to ensure that the ROI of the move outweighs the increased risk to your company/data.

One of the major misconceptions about the cloud is that when we put something on there we don’t need to worry about backups/uptimes etc because the service provider takes care of it. This is obviously not true. You need to ensure you have local backups and you need to ensure that your BCP (Business Continuity Plan) accounts for what you would do if the provider itself went down and the data on the cloud is not available.

You think this is not something that could happen? The 9-day-and-counting outage over at Atlassian begs to differ. On Monday, April 4th, 20:12 UTC, approximately 400 Atlassian Cloud customers experienced a full outage across their Atlassian products. This is just the latest instance of a cloud provider going down and leaving its users in a bit of a pickle, and as per information sent to some of the clients, it might take another 2 weeks to restore the services for all users.

One of our standalone apps for Jira Service Management and Jira Software, called “Insight – Asset Management,” was fully integrated into our products as native functionality. Because of this, we needed to deactivate the standalone legacy app on customer sites that had it installed. Our engineering teams planned to use an existing script to deactivate instances of this standalone application. However, two critical problems ensued:

Communication gap. First, there was a communication gap between the team that requested the deactivation and the team that ran the deactivation. Instead of providing the IDs of the intended app being marked for deactivation, the team provided the IDs of the entire cloud site where the apps were to be deactivated.
Faulty script. Second, the script we used provided both the “mark for deletion” capability used in normal day-to-day operations (where recoverability is desirable), and the “permanently delete” capability that is required to permanently remove data when required for compliance reasons. The script was executed with the wrong execution mode and the wrong list of IDs. The result was that sites for approximately 400 customers were improperly deleted.

To recover from this incident, our global engineering team has implemented a methodical process for restoring our impacted customers.

To give you an idea of how serious this outage is, I will use my personal experience with their products and how they were used at one of my previous companies. Without Jira & Crucible/Fisheye no one would be able to commit code into the repositories or review existing commits. Users would not be able to do production/dev releases of any product. With Confluence down, users/teams can’t access the guides, instructions, SOPs or other documentation for any of their systems. Folks who use Bitbucket/SourceTree would not be able to commit code. This is the minimal-impact scenario. It gets worse for organizations whose CI/CD pipelines and SDLC processes/lifecycles depend on their products.

If the outage was on the on-premises servers then the teams could fail over to the backup servers and continue, but unfortunately for them the issue is on the Atlassian side and now everyone just has to wait for it to be fixed.

Commit blocks (pre-commit/post-commit hooks etc.) can be disabled, but unless you have local copies of the documentation stored in Confluence you are SOL. We actually faced this issue once with our on-prem install, where the instructions on how to do the failover were stored on the Confluence server that had gone down. We managed to get it back up through a lot of trial and error, but after that all teams were notified that their BCP/failover documentation needed to be kept in multiple locations, including hard copy.

If the companies using their services didn’t prepare for a scenario where Atlassian went down then there are a lot of people scrambling to keep their businesses and processes running.

To prevent issues, we should look at setting up systems that take automatic backups of the online systems and store them on a different system (this can be in the cloud, but with a different provider, or locally). All documentation should have local copies, and for really critical documents we should ensure hard-copy versions are available. Similarly, we need to ensure that any online repositories are backed up locally or with other providers.
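As an added example (not from the post), here is a small Python backup job along the lines of the recommendation above: it pulls an export from a cloud service through a caller-supplied fetch function, stores a timestamped copy on separate storage with a SHA-256 manifest, verifies the stored copies, and flags when the newest intact copy is older than the recovery point objective. The `fetch_export` callable, the directory layout and the 24-hour RPO are assumptions.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Callable, Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def store_export(dest_dir: str, service: str, fetch_export: Callable[[], bytes],
                 now: Optional[float] = None) -> dict:
    """Fetch one export of a cloud service and keep it on separate storage.

    dest_dir is the second location (a local path here; it could equally be a mount
    from a different provider). fetch_export is whatever pulls the export, e.g. a
    Confluence space export or a repository bundle; it is a caller-supplied assumption.
    """
    now = time.time() if now is None else now
    dest = Path(dest_dir) / service
    dest.mkdir(parents=True, exist_ok=True)
    data = fetch_export()
    if not data:
        # A failing provider may hand back an empty body; never record that as a backup.
        raise ValueError(f"{service}: empty export, refusing to store")
    digest = sha256_hex(data)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    path = dest / f"{service}-{stamp}.export"
    path.write_bytes(data)
    # Read back what landed on disk: a backup nobody verified is a hope, not a backup.
    if sha256_hex(path.read_bytes()) != digest:
        path.unlink()
        raise IOError(f"{path.name}: stored copy does not match fetched data")
    entry = {"service": service, "file": path.name, "sha256": digest,
             "taken_at": now, "bytes": len(data)}
    with open(dest / "manifest.jsonl", "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def load_manifest(dest_dir: str, service: str) -> List[dict]:
    path = Path(dest_dir) / service / "manifest.jsonl"
    if not path.exists():
        return []
    lines = path.read_text(encoding="utf-8").splitlines()
    return [json.loads(line) for line in lines if line.strip()]


def verify_backups(dest_dir: str, service: str) -> List[str]:
    """Names of manifest entries whose file is missing or no longer matches its hash."""
    bad = []
    for entry in load_manifest(dest_dir, service):
        path = Path(dest_dir) / service / entry["file"]
        if not path.exists() or sha256_hex(path.read_bytes()) != entry["sha256"]:
            bad.append(entry["file"])
    return bad


def rpo_status(dest_dir: str, service: str, rpo_seconds: float = 24 * 3600,
               now: Optional[float] = None) -> dict:
    """Is the newest intact backup younger than the recovery point objective (assumed 24h)?"""
    now = time.time() if now is None else now
    bad = set(verify_backups(dest_dir, service))
    good = [e for e in load_manifest(dest_dir, service) if e["file"] not in bad]
    if not good:
        return {"ok": False, "age_seconds": None, "reason": "no intact backup"}
    newest = max(good, key=lambda e: e["taken_at"])
    age = now - newest["taken_at"]
    return {"ok": age <= rpo_seconds, "age_seconds": age, "newest": newest["file"]}


def demo() -> Dict[str, object]:
    """Constructed run: two daily exports, freshness checks, then a corrupted copy."""
    root = tempfile.mkdtemp()
    t0 = 1_700_000_000.0  # constructed timestamp
    store_export(root, "confluence", lambda: b"constructed export v1", now=t0)
    second = store_export(root, "confluence", lambda: b"constructed export v2", now=t0 + 86_400)
    fresh = rpo_status(root, "confluence", now=t0 + 86_400 + 3_600)   # newest copy is one hour old
    stale = rpo_status(root, "confluence", now=t0 + 3 * 86_400)       # newest copy is two days old
    # Simulate bit rot or tampering of the newest copy; the older intact copy is now the newest good one.
    (Path(root) / "confluence" / second["file"]).write_bytes(b"corrupted")
    return {"fresh_ok": fresh["ok"], "stale_ok": stale["ok"],
            "tampered": verify_backups(root, "confluence"),
            "after_tamper_ok": rpo_status(root, "confluence", now=t0 + 86_400 + 3_600)["ok"]}


if __name__ == "__main__":
    print(demo())
```

Running the same job for each service (Jira, Confluence, Bitbucket) and alerting on `ok: False` is what turns "we have backups" into something the BCP can actually rely on.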

This is a bad situation to be in and I sympathize with all the IT staff and teams trying to ensure that their company’s business keeps running uninterrupted during this time. The person who ran the script on the Atlassian side, on the other hand, should seriously consider getting some sort of evil-eye charm to protect themselves against all the curses flying their way (I am joking… mostly.)

Well this is all for now. Will write more later.

April 13, 2022

Internet of Things (IoT) Forensics: Challenges and Approaches

The Internet of Things, or IoT, consists of interconnected devices with sensors and software that are connected to automated systems to gather information; depending on the information collected, various actions can be performed. It is one of the fastest growing markets, with enterprise IoT spending expected to grow by 24% in 2021 from $128.9 billion (IoT Analytics, 2021).

This massive growth brings new challenges to the table: administrators need to secure the IoT devices in their network to prevent them from becoming security threats to the network, and attackers have found multiple ways to gain unauthorized access to systems by compromising IoT devices.

IoT forensics is a subset of the digital forensics field and is the new kid on the block. It deals with forensic data collected from IoT devices and follows the same procedure as regular computer forensics, i.e., identification, preservation, analysis, presentation, and report writing. The challenges of IoT come into play when we realize that in addition to the IoT sensor or device we also need to collect forensic data from the internal network or the cloud when performing a forensic investigation. This is why IoT forensics can be divided into three categories: device-level forensics, network forensics and cloud forensics. The distinction matters because IoT forensics depends heavily on cloud forensics (as a lot of the data is stored in the cloud) and on analyzing the communication between devices, in addition to the data gathered from the physical device or sensor.

Why IoT Forensics is needed

The proliferation of Internet-connected devices and sensors has made life a lot easier for users and has a lot of benefits associated with it. However, it also creates a larger attack surface that is vulnerable to cyberattacks. In the past, IoT devices have been involved in incidents that include identity theft, data leakage, accessing and using Internet-connected printers, commandeering of cloud-based CCTV units, SQL injections, phishing, ransomware and malware targeting specific appliances such as VoIP devices and smart vehicles.

With attackers targeting IoT devices and then using them to compromise enterprise systems, we need the ability to extract and review data from the IoT devices in a forensically sound way to find out how the device was compromised, what other systems were accessed from the device etc.

In addition, the forensic data from these devices can be used to reconstruct crime scenes and to prove or disprove hypotheses. For example, data from an IoT-connected alarm can be used to determine where and when the alarm was disabled and a door was opened. If a suspect wears a smartwatch, then the data from the watch can be used to identify the person or infer what the person was doing at the time. In a recent arson case, the data from the suspect’s smartwatch was used to implicate him in the arson (Reardon, 2018).

The data from IoT devices can be crucial in identifying how a breach occurred and what should be done to mitigate the risk. This makes IoT forensics a critical part of the Digital Forensics program.

Current Forensic Challenges Within the IoT

The IoT forensics field has a lot of challenges that need to be addressed, and unfortunately none of them have a simple solution. As shown in the research done by M. Harbawi and A. Varol (Harbawi, 2017), we can divide the challenges into six major groups: identification, collection, preservation, analysis and correlation, attack attribution, and evidence presentation. We will cover the challenges each of these presents in this paper.

A. Evidence Identification

One of the most important steps in a forensic examination is to identify where the evidence is stored and collect it. This is usually quite simple in traditional digital forensics, but in IoT forensics it can be a challenge, as the data required could be stored in a multitude of places, such as in the cloud or in proprietary local storage.

Another problem is that since IoT fundamentally means the nodes are in real-time, autonomous interaction with each other, it is extremely difficult to reconstruct the crime scene and to identify the scope of the damage.

A report by the International Data Corporation (IDC) estimates that the data generated by IoT devices between 2005 and 2020 will be more than 40,000 exabytes (Yakubu et al., 2016), making it very difficult for investigators to identify the data that is relevant to the investigation while discarding the irrelevant data.

B. Evidence Acquisition

Once the evidence required for the case has been identified, the investigative team still has to collect the information in a forensically sound manner that will allow them to analyze the evidence and present it in court for prosecution.

Due to the lack of a common framework or forensic model for IoT investigations, this can be a challenge, since the method used to collect evidence can be challenged in court over omissions in the way it was collected.

C. Evidence Preservation and Protection

After the data is collected it is essential that the chain of custody is maintained, and the integrity of the data needs to be validated and verifiable. In the case of IoT forensics, evidence is collected from multiple remote servers, which makes maintaining a proper chain of custody a lot more complicated. Another complication is that since these devices usually have limited storage capacity and the system is continuously running, there is a possibility of the evidence being overwritten. We can transfer the data to a local storage device, but then ensuring the chain of custody is unbroken and verifiable becomes more difficult.

D. Evidence Analysis and Correlation

Because IoT nodes are continuously operating, they produce an extremely high volume of data, making it difficult to analyze and process all the data collected. Also, since in IoT forensics there is less certainty about the source of the data and who created or modified it, it is difficult to extract information about the ownership and modification history of the data in question.

With most IoT devices not storing metadata such as timestamps or location information, along with the issues created by different time zones and clock skew/drift, it is difficult for investigators to create causal links from the data collected and perform analysis that is sound, not subject to interpretation bias and can be defended in court.

E. Attack and Deficit Attribution

IoT forensics requires a lot of additional work to ensure that the device’s physical and digital identities are in sync and that the device was not being used by another person at the time. For example, if a command was given to Alexa by a user and that is evidence in the case against them, then the examiner needs to confirm that the person giving the command was physically near the device at the time and that the command was not given remotely over the phone.

F. Evidence Presentation

Due to the highly complex nature of IoT forensics and of how the evidence was collected, it is difficult to present the data in court in an easy-to-understand way. This makes it easier for the defense to challenge the evidence and its interpretation by the prosecution.

Opportunities of IoT Forensics

IoT devices bring new sources of information into play that can provide evidence that is hard to delete and is most of the time collected without the suspect’s knowledge. This makes it hard for them to account for that evidence in their testimony and can be used to trip them up. This information is also harder to destroy because it is stored in the cloud.

New frameworks and tools such as Zetta, Kaa and M2mLabs Mainspring are now becoming available in the market, which make it easier to collect forensic information from IoT devices in a forensically sound way.

Another group is pushing to include blockchain-based evidence chains in the digital and IoT forensics field, to ensure that the data collected can be stored in a forensically verifiable way that can’t be tampered with.
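To make the preservation challenge (section C) and the tamper-evident evidence chain mentioned just above concrete, here is an added Python example (not part of the paper): a hash-chained chain-of-custody log in which each record carries the SHA-256 of the evidence and of the previous record, plus a verifier that reports a removed or edited record and evidence whose content no longer matches its last custody entry. The evidence ids, actors and timestamps are constructed.

```python
import hashlib
import json
import time
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first record


def evidence_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_hash(record: dict) -> str:
    """Hash of the record with canonical JSON so that any field change is detectable."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()


def append_custody_record(chain: List[dict], evidence_id: str, action: str, actor: str,
                          evidence: bytes, when: Optional[float] = None) -> dict:
    """Append one custody event. The timestamp should come from the examiner's
    synchronized clock, not from the IoT device, because of the skew problems above."""
    record = {
        "seq": len(chain),
        "evidence_id": evidence_id,
        "action": action,          # e.g. acquired, transferred, analyzed
        "actor": actor,
        "evidence_sha256": evidence_digest(evidence),
        "timestamp": time.time() if when is None else when,
        "prev_hash": chain[-1]["record_hash"] if chain else GENESIS_HASH,
    }
    record["record_hash"] = record_hash(record)
    chain.append(record)
    return record


def verify_custody_chain(chain: List[dict], current_evidence: Dict[str, bytes]) -> List[str]:
    """Return a list of problems; an empty list means the log is intact and every
    piece of evidence still hashes to what its latest record says."""
    problems = []
    prev = GENESIS_HASH
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            problems.append(f"record {i}: sequence number is {rec['seq']} (record removed or reordered)")
        if rec["prev_hash"] != prev:
            problems.append(f"record {i}: prev_hash does not link to record {i - 1}")
        if record_hash(rec) != rec["record_hash"]:
            problems.append(f"record {i}: contents changed after it was written")
        prev = rec["record_hash"]
    latest = {rec["evidence_id"]: rec["evidence_sha256"] for rec in chain}
    for evidence_id, data in current_evidence.items():
        if evidence_id not in latest:
            problems.append(f"{evidence_id}: no custody record at all")
        elif evidence_digest(data) != latest[evidence_id]:
            problems.append(f"{evidence_id}: content differs from last custody record")
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a flash dump from a sensor and a cloud export for the same case."""
    flash_dump = b"constructed sensor flash image"
    cloud_log = b"constructed cloud-side event export"
    chain: List[dict] = []
    t = 1_650_000_000.0  # constructed examiner clock
    append_custody_record(chain, "sensor-01-flash", "acquired", "examiner A", flash_dump, t)
    append_custody_record(chain, "cloud-export-01", "acquired", "examiner A", cloud_log, t + 600)
    append_custody_record(chain, "sensor-01-flash", "transferred", "examiner B", flash_dump, t + 3600)
    intact = verify_custody_chain(chain, {"sensor-01-flash": flash_dump, "cloud-export-01": cloud_log})
    # 1) the log is edited after the fact (who handled the transfer is changed)
    edited = json.loads(json.dumps(chain))
    edited[2]["actor"] = "examiner C"
    log_edited = verify_custody_chain(edited, {"sensor-01-flash": flash_dump})
    # 2) the stored evidence itself is altered (or overwritten by the still-running device)
    evidence_changed = verify_custody_chain(chain, {"sensor-01-flash": flash_dump + b"\x00"})
    return {"intact": intact, "log_edited": log_edited, "evidence_changed": evidence_changed}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "OK")
```

Anchoring the latest record hash somewhere outside the examiner's control (a signed timestamp, a notary, or the blockchain the paper mentions) is what stops someone from simply rewriting the whole chain.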

Conclusion

IoT forensics is becoming a vital field of investigation and a major subcategory of digital forensics. With more and more devices getting connected to each other and increasing the attack surface of the target, it is very important that these devices are secured and that there is a sound way of investigating if and when a breach happens.

Tools using artificial intelligence and machine learning are being created that will allow us to investigate breaches, attacks etc. faster and more accurately.

References

Reardon, M. (2018, April 5). Your Alexa and Fitbit can testify against you in court. Retrieved from https://www.cnet.com/tech/mobile/alexa-fitbit-apple-watch-pacemaker-can-testify-against-you-in-court/.

M. Harbawi and A. Varol, “An improved digital evidence acquisition model for the Internet of Things forensic I: A theoretical framework”, Proc. 5th Int. Symp. Digit. Forensics Security (ISDFS), pp. 1-6, 2017.

Yakubu, O., Adjei, O., & Babu, N. (2016). A review of prospects and challenges of internet of things. International Journal of Computer Applications, 139(10), 33–39. https://doi.org/10.5120/ijca2016909390


Note: This was originally written as a paper for one of my classes at EC-Council University in Q4 2021, which is why the tone is a lot more formal than my regular posts.

– Suramya

April 12, 2022

How not to ask for help on Online Forums

Filed under: Linux/Unix Related,My Thoughts — Suramya @ 1:12 AM

It is quite normal to get stuck while exploring a new operating system, a new programming language or, to be honest, anything new, and one of the great advantages we have now is the ability to go online and search for answers on the Internet; if you are unable to find a fix, you can ask for help on forums. There are forums specific to all sorts of niche areas and some of them are quite active. I doubt it will be a surprise to many that I am part of multiple Linux forums, and in this post I am going to talk about a specific post on one of them that is a masterclass on how not to ask questions/how not to ask for help/how to ensure your questions are never answered.

Let’s start with the post, then we can dig into each line of this gem (The first line is the subject of the post and the rest are the contents).

Linux is bad
Dear Linux users,

Here is the top 3 reasons, I think Linux is bad:
1- Hard.
2- NVIDIA drivers.
3- I don't know how to write shell scripts.

My friend told me that I don't need to, the community is very helpful.
So I thought I should test them and see if they can help me finish my simple shell homework.

Sorry for the bait. I will switch to Linux if I get help, but you probably don't care.
Hopefully there is a weirdo who will think this is fun.

I have a hard time believing this is not some troll posting crap just to get a rise out of people, but if that is not the case then this post goes out of its way to ensure people react badly to the request, so without further ado let’s dig in.

Here is the top 3 reasons, I think Linux is bad:
1- Hard.
2- NVIDIA drivers.
3- I don't know how to write shell scripts.

Ok, not a great start. You are posting on a Linux forum stating that it is bad because you find it hard and don’t know how to write shell scripts. (I will partially give them the point about NVIDIA drivers because historically they have been a pain.) How is it Linux’s fault that you don’t know how to write shell scripts? Did you honestly believe that the creator of the OS should have come to your house to teach you shell scripting so that you don’t find it ‘hard’? There are multiple resources online that teach shell scripting, including some great courses on Udemy, YouTube, Coursera etc. All you have to do is be willing to put in the effort.

To the other point about Linux being hard: it is not. It is different from Windows and does things differently; that doesn’t make it hard. It’s just what you are used to. I use Linux as my primary OS, and when I have to troubleshoot my wife’s Windows 11 laptop there is usually a lot of cursing involved. When I started with Linux it was the other way round; for the longest time I kept trying to do things the ‘Windows way’ and it didn’t always work. However, once you take the time to explore the system, the flexibility it gives you is fantastic. Don’t like the desktop UI? Change to a different one. Don’t like the file manager? Use a different one, etc.

My friend told me that I don't need to, the community is very helpful.
So I thought I should test them and see if they can help me finish my simple shell homework.

Umm, who do you think you are that you need to test the community? Plus, ‘testing’ by having them do your homework is not testing. This is called negging, where you give backhanded compliments and generally make comments that express indifference toward another person (in this case an operating system) in an attempt to get them to go out of their way to impress you/do things for you. It is a tactic used by pickup artists to get women by putting them down so that they will go out with them/sleep with them to gain their approval. Sorry, that only works on emotionally distressed folks and not on folks on a technical forum. We have no need to gain your approval.

Someone on the forum had the perfect answer for this: “The community is helpful, but you seem to have put more effort into trying to get someone else to do your homework for you, than into actually doing it yourself. We aren’t going to do your homework for you (and if you bothered to check the LQ Rules and “Question Guidelines” you’d see that), but we will help you if you’re stuck.”

Sorry for the bait. I will switch to Linux if I get help, but you probably don't care.

Yes, we don’t care, and why should we care whether you switch to Linux? Do you think you are someone important? This person needs to realize that they are not the center of the universe and that it is irrelevant to others whether they decide to switch to Linux or not. Honestly speaking, I don’t care if you use Linux or not. Linux users (for the most part) are no longer the anti-Microsoft zealots who will try to force you to use Linux. In my opinion you should use it if you like it; if you feel Windows or Mac works better for you, use that.

Hopefully there is a weirdo who will think this is fun.

What a way to encourage people to help you! As calling people names is sure to make them want to help you… Right? No? How is that possible??? I thought I was the center of the universe and all the lesser people would fall over themselves to help me as they should feel honored that I am allowing them to help me.

Nope, it doesn’t work that way. It only works like that in movies (and maybe in some of the schools/colleges) where the Jocks/popular kids are treated like divine beings and others fall over themselves to help them so that they can bask in the glory of having interacted with the cool kids. Real life doesn’t work like that and most places you will be laughed out if you try to do this nonsense at work.

If you want help it helps to be humble, talk about what you have already tried, what specific portion is giving you problems and stow the attitude.

Interestingly enough people on the forum still gave hints on how they could approach the problem and pointed them to resources that can help if they put in the effort.

What do you think? Is it ok to post for help like this? Would you answer this person if you came across the post?

Original forum post in all its glory: linux is bad for reference.

– Suramya

April 11, 2022

I am now a Certified SOC Analyst (CSA)

Filed under: Computer Security,My Life,Tech Related — Suramya @ 5:08 AM

Over the weekend I gave my first Cybersecurity Certification exam and I am now a Certified SOC Analyst (CSA). 🙂 This is the first of five certifications I will be completing this year as part of my Degree in Cybersecurity.


Certificate No: ECC2945876310

The exam was interesting, and for me the hardest part was remembering all the Windows event codes, as I have a hard time remembering numbers. I feel that they should allow candidates access to a Windows system (registry/event logs), as in a real-life scenario we would always have access to the system and the internet. Testing without the ability to search the internet doesn’t make much sense, as it is not realistic.

That being said, I am looking forward to the next certification exam which I am planning to take end of the month/early next month.

Well this is all for now. Will write more later.

– Suramya

January 29, 2022

Getting random values from the quantum fluctuations of vacuum using an API

Filed under: Computer Security,Interesting Sites,Tech Related — Suramya @ 10:35 PM

Generating truly random numbers programmatically sounds like it should be simple but is in fact quite hard. Most algorithms that generate numbers actually produce pseudo-random numbers, which means they look random but can at times be predicted. So the ability to generate/get truly random numbers is a big deal. Cloudflare uses a wall-to-wall setup of lava lamps to generate random numbers that are used to encrypt the traffic on their servers. Other organizations have other methods, where they measure atmospheric radiation, sound etc.

The ANU QRNG website, managed by the Australian National University, offers true random numbers to anyone on the internet. The random numbers are generated in real time in the lab by measuring the quantum fluctuations of the vacuum.

They have API access enabled for accessing the numbers and users can download blocks of random numbers as well as a .zip file which is updated periodically.

The vacuum is described very differently in the quantum physics and classical physics. In classical physics, a vacuum is considered as a space that is empty of matter or photons. Quantum physics however says that that same space resembles a sea of virtual particles appearing and disappearing all the time. This is because the vacuum still possesses a zero-point energy. Consequently, the electromagnetic field of the vacuum exhibits random fluctuations in phase and amplitude at all frequencies. By carefully measuring these fluctuations, we are able to generate ultra-high bandwidth random numbers.

This website allows everybody to see, listen or download our quantum random numbers, assess in real time the quality of the numbers generated and learn more about the physics behind it. The technical details on how the random numbers are generated can be found in Appl. Phys. Lett. 98, 231103 (2011) and Phys. Rev. Applied 3, 054004 (2015).

I think this is a cool application, and a lot of reputable sites/users are using this for their setup, so it seems like a reputable source of random numbers. I would still take these numbers, use them as the seed for a pseudo-random generator, and use that result in the application instead of using the numbers directly.
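Here is an added Python example (my own, not from ANU or the post) of the "seed a generator rather than use the numbers directly" approach: a liveness screen that rejects a dead or stuck feed, a seed derivation that mixes the downloaded block with local OS entropy so that neither source alone decides the seed, and a deterministic HMAC-counter generator over that seed. The downloaded block is stood in for by `os.urandom` bytes, and the label string is an assumption.

```python
import hashlib
import hmac
import math
import os
from collections import Counter


def looks_alive(block: bytes, fraction_of_max: float = 0.8) -> bool:
    """Cheap screen for a dead or stuck feed: refuse short, constant or very low-entropy
    blocks. Passing this says nothing about true randomness; it only catches an API
    that started returning zeros, a repeating value or a truncated response."""
    n = len(block)
    if n < 32:
        return False
    counts = Counter(block)
    shannon = -sum((c / n) * math.log2(c / n) for c in counts.values())
    max_possible = min(8.0, math.log2(n))  # n bytes can show at most log2(n) bits per byte
    return shannon >= fraction_of_max * max_possible


def derive_seed(external: bytes, label: bytes = b"qrng-seed-v1") -> bytes:
    """Mix the downloaded block with local OS entropy. HMAC-SHA256 keyed with os.urandom
    means a bad or observed external block cannot by itself determine the seed, and a
    weak local pool still benefits from the external source."""
    if not looks_alive(external):
        raise ValueError("external random block failed the liveness screen")
    local = os.urandom(32)
    return hmac.new(local, label + external, hashlib.sha256).digest()


class HmacCounterGenerator:
    """Deterministic generator over the mixed seed: out_i = HMAC(key, i). This is the
    'seed a generator instead of using the numbers directly' step; it is a plain
    illustration, not a NIST SP 800-90A DRBG, and Python's random module must not be
    used in its place for anything security relevant."""

    def __init__(self, seed: bytes):
        self._key = hashlib.sha256(b"generator-init" + seed).digest()
        self._counter = 0

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += hmac.new(self._key, self._counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self._counter += 1
        return bytes(out[:n])

    def random_below(self, bound: int) -> int:
        """Uniform integer in [0, bound) by rejection sampling, avoiding modulo bias."""
        nbytes = (bound.bit_length() + 7) // 8
        limit = (256 ** nbytes // bound) * bound
        while True:
            candidate = int.from_bytes(self.random_bytes(nbytes), "big")
            if candidate < limit:
                return candidate % bound


def sample_external_block(n: int = 1024) -> bytes:
    """Constructed stand-in for a block downloaded from the QRNG API."""
    return os.urandom(n)


if __name__ == "__main__":
    gen = HmacCounterGenerator(derive_seed(sample_external_block()))
    print(gen.random_bytes(16).hex(), gen.random_below(6))
```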

– Suramya

January 28, 2022

IoT Devices and Reducing their Impact on Enterprise Security

IoT devices are becoming more and more prevalent in the corporate world, as they allow us to automate tasks and activities without manual intervention, but this increases the risk to the organization by increasing the attack surface available to attackers. This is because IoT devices can act as entry points to the organization’s internal network. In order to reduce the security impact of these devices, the attack channels and threats from the devices need to be mitigated. This can be done by implementing the suggestions in this paper.

IoT or Internet of Things is a collection of devices that are connected to the internet and can be controlled over a network or provide data over the internet. It is one of the fastest growing markets, with enterprise IoT spending growing by 24% in 2021 from $128.9 billion. (IoT Analytics, 2021). This massive growth brings new challenges to the table as administrators need to secure IoT devices in their network to prevent them from being security threats to the network.

IoT devices allow us to manage, monitor and control devices and sensors remotely, which in turn allows us to automate tasks and activities without manual intervention. But this capability comes with an increased risk, due to the massive increase in the attack surface available. They are becoming more and more prevalent in enterprise settings, especially in the office automation and operational technology areas. This increases the risk to the organization by introducing the possibility of threats in areas that traditionally don’t pose cyber security risks.

IoT devices can act as entry points to an organization’s internal network and be used to exfiltrate data from the network without raising flags. In 2018, attackers used a compromised IoT thermometer in the lobby aquarium of a casino to breach its systems and exfiltrate its high-roller database (~10GB of data) out of the corporate network, via the thermostat, to servers they controlled (Williams-Grut, 2018).

In this paper we will review some of the major threats and attack channels targeting IoT devices and look at how we can reduce the impact of these threats on the enterprise security.

IoT Threats and Attack Channels

IoT devices have multiple attack surfaces due to their design and usage. We will cover the major vulnerabilities in this section along with mitigation steps for each threat and attack channel.

A. Physical Vulnerabilities

Since these devices are usually deployed physically in the field, in addition to the typical software and communication vulnerabilities they are also vulnerable to physical attacks, where the device itself is modified to gain access. Some examples of physical attacks are as follows:

  • Attackers physically remove the device’s memory or flash chips to read and analyze the data and software on the chip.
  • Attackers tamper with the microcontroller to gain access to or identify sensitive information.
  • Attackers physically modify the device to return incorrect data or telemetry. For example, cameras or motion sensors overseeing sensitive locations could be modified to ignore breaches.
  • Attackers use the device’s connectivity as a bridge to gain access to the corporate network.
  • Attackers authenticate locally to the device using its debug interface to gain access to the device internals.

The best way to protect against such attacks is to ensure the following preventive measures are taken for all devices on the network:

  • Ensure that the device or sensor is not easily accessible physically.
  • All sensors and devices should have tamper proof seals installed on them with regular checks to verify that they are not tampered with.
  • Unused ports, connections, diagnostic connectors etc should be physically disabled when possible.
  • If possible, ensure the devices have hardware-based security checks.

B. Outdated Firmware

Many of the IoT devices and sensors run older versions of Linux with no easy way to update the firmware, installed software or applications to the latest versions. This creates a major security risk as the device is running software with known security vulnerabilities which allows attackers to easily compromise a device.

There is no easy way to resolve this problem and protect the devices as a lot of these sensors and devices are not designed with security in mind. The best way to approach this problem is to ensure you are working with reputable device manufacturers who will ensure that appropriate support and updates are going to be available for the device/sensor.

The organization should review the recommendations of the IoT working group of the Cloud Security Alliance on how to perform IoT firmware updates securely and regularly (Khemissa et al., 2018). They should also include the IoT sensors and devices in the organization's update cycles, which will allow them to ensure that patches and updates are installed on them in a timely manner.

Another option is to explore installing open source firmware and software on the IoT device/sensor, if this option is available. Open source firmware is usually updated more frequently and can be customized to better secure the device.

C. Hard Coded Passwords/Accounts

Some IoT devices have hard-coded account passwords that cannot be changed, and this gives an attacker backdoor access to the device that is difficult to protect against. Hard-coded passwords are particularly dangerous because they are easy targets for password-guessing exploits, allowing attackers to hijack firmware, devices, systems, software etc. A famous case was found in 2017, when researchers found default hard-coded passwords in IoT cameras manufactured by Foscam that gave admin access to anyone who used them (Heller, 2017). These passwords allow an attacker to gain access to the device and use it as a launch point for attacks on the network.

Another famous attack exploiting this was by the Mirai malware in 2016. It scanned for and exploited Linux-based IoT boxes running BusyBox (such as DVRs and web IP cameras) using hard-coded usernames and passwords. Once it gained access, these devices were enrolled in a botnet containing over 400,000 connected devices, which were then used to perform DDoS attacks on major companies across the world (Fruhlinger, 2018).

To protect against these attacks, we should ensure the default passwords on all devices are changed frequently. An active pentest against the device should be conducted to uncover any hidden or hard-coded accounts. If any are found, the manufacturer should be contacted to provide an update that disables these accounts.
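The Mirai-style activity described above leaves a recognisable trace in a device's login log: many failed logins across several factory account names from one source, followed by a success. The following detection logic is an added example written for this post, not code from the paper or from any product; the log format, the management subnet 192.168.50.0/24, the factory account list and the threshold of three failures are all assumptions, and the log lines are constructed.

```python
"""Flag credential-guessing against an IoT device from its login log.

Added example. The syslog-like line format, the management subnet and the
list of factory account names are assumptions; the sample log is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Account names that commonly ship as factory accounts on IoT devices (assumption).
FACTORY_ACCOUNTS = {"root", "admin", "support", "user"}

# Constructed sample log lines in an assumed syslog-like format.
SAMPLE_LOG = """\
Jan 25 10:00:01 cam-01 login[412]: FAILED LOGIN for root from 203.0.113.10 via telnet
Jan 25 10:00:02 cam-01 login[412]: FAILED LOGIN for root from 203.0.113.10 via telnet
Jan 25 10:00:02 cam-01 login[412]: FAILED LOGIN for admin from 203.0.113.10 via telnet
Jan 25 10:00:03 cam-01 login[412]: FAILED LOGIN for admin from 203.0.113.10 via telnet
Jan 25 10:00:03 cam-01 login[412]: FAILED LOGIN for support from 203.0.113.10 via telnet
Jan 25 10:00:04 cam-01 login[412]: LOGIN on pts/0 by root from 203.0.113.10 via telnet
Jan 25 10:30:00 cam-01 login[455]: LOGIN on pts/1 by admin from 192.168.50.5 via ssh
Jan 25 10:31:00 cam-01 login[456]: FAILED LOGIN for admin from 192.168.50.5 via ssh
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) login\[\d+\]: "
    r"(?P<event>FAILED LOGIN for|LOGIN on \S+ by) (?P<user>\S+) "
    r"from (?P<src>\S+) via (?P<proto>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised login event, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["success"] = ev.pop("event").startswith("LOGIN on")
    return ev


def analyze(log_text, mgmt_net="192.168.50.0/24", fail_threshold=3):
    """Walk the log in order and emit alerts.

    credential_guessing   : a source reaches fail_threshold failures spanning
                            at least two different usernames
    guessed_login         : a source that was already flagged for guessing
                            then logs in successfully
    external_factory_login: a factory account logs in from outside the
                            management subnet (regardless of prior failures)
    """
    mgmt = ipaddress.ip_network(mgmt_net)
    failures = defaultdict(list)  # source IP -> usernames that failed, in order
    flagged = set()               # sources already reported for guessing
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src = ev["src"]
        if not ev["success"]:
            failures[src].append(ev["user"])
            tried = set(failures[src])
            if (len(failures[src]) >= fail_threshold and len(tried) >= 2
                    and src not in flagged):
                flagged.add(src)
                alerts.append({"kind": "credential_guessing", "src": src,
                               "host": ev["host"], "users": sorted(tried)})
            continue
        if src in flagged:
            alerts.append({"kind": "guessed_login", "src": src, "host": ev["host"],
                           "user": ev["user"], "proto": ev["proto"]})
        if ev["user"] in FACTORY_ACCOUNTS and ipaddress.ip_address(src) not in mgmt:
            alerts.append({"kind": "external_factory_login", "src": src,
                           "host": ev["host"], "user": ev["user"], "proto": ev["proto"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed log the analysis raises three alerts, all for 203.0.113.10: the guessing burst, the root login that followed it, and a factory account logging in over telnet from outside the management subnet. The ssh login from 192.168.50.5 raises nothing because it is a single failure from the management network. In practice the failure counter would be bounded by a time window and the alerts forwarded to the IDS or SIEM discussed later in the paper.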

D. Poor IoT device management

A study published in July 2020 found that almost 15% of IoT devices on an enterprise network were unknown or unauthorized, and between 5 and 19% of these devices were using unsupported legacy operating systems (Help Net Security, 2020). These devices make up what is known as a shadow IoT network, which is implemented without the knowledge of the organization's IT team and can be a major weak point in the organization's security perimeter.

The best way to protect against this scenario is to ensure regular scans are done on the network to identify any unknown or new devices connected to it. The pentest will enable us to identify these unauthorized devices, which can then be incorporated into the official network and update cycle, or disconnected, depending on the requirements. Another way to find these unauthorized devices is to monitor and analyze network connections and traffic. New devices change the network data flow, and this can be used to identify or locate new devices or sensors connected to the network.
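A regular scan only helps if its results are compared against an authoritative inventory. The following audit is an added example written for this post, not code from the paper: it reads a dnsmasq-style lease file, diffs the MAC addresses against an authorized inventory, flags devices whose fingerprinted OS is end-of-life, and flags known IoT devices that have turned up outside the IoT segment (which the later section on network segregation calls for). The inventory, the OS fingerprints, the EOL patterns and the IoT subnet 192.168.20.0/24 are assumptions, and the lease lines are constructed.

```python
"""Audit DHCP leases against an authorized IoT inventory.

Added example. Inventory, OS fingerprints, the IoT subnet and the EOL
patterns are assumptions; the lease file content is constructed.
"""
import ipaddress
import re

# Constructed authorized inventory maintained by the IT team: MAC -> metadata.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "cam-01", "owner": "facilities"},
    "aa:bb:cc:00:00:02": {"name": "dvr-01", "owner": "facilities"},
    "aa:bb:cc:00:00:03": {"name": "hvac-ctl", "owner": "building-ops"},
}

# Constructed OS fingerprints, as a scanner or agent would report them: MAC -> OS.
FINGERPRINTS = {
    "aa:bb:cc:00:00:01": "Linux 4.19",
    "aa:bb:cc:00:00:02": "Linux 2.6.32",
    "de:ad:be:ef:00:01": "Linux 3.10 (embedded)",
    "aa:bb:cc:00:00:03": "Windows CE 6.0",
}

# OS families treated as unsupported / end-of-life (assumption for this example).
EOL_PATTERNS = [re.compile(p) for p in (r"^Linux 2\.", r"^Windows (CE|XP|7)\b")]

# Constructed lease file in dnsmasq's format: expiry MAC IP hostname client-id.
SAMPLE_LEASES = """\
1643100000 aa:bb:cc:00:00:01 192.168.20.11 cam-01 *
1643100100 aa:bb:cc:00:00:02 192.168.20.12 dvr-01 *
1643100200 de:ad:be:ef:00:01 192.168.20.40 * *
1643100300 aa:bb:cc:00:00:03 10.0.5.77 hvac-ctl *
"""


def parse_leases(text):
    """Parse lease lines into dicts; '*' means dnsmasq had no hostname."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append({"mac": parts[1].lower(), "ip": parts[2],
                       "hostname": None if parts[3] == "*" else parts[3]})
    return leases


def is_eol(os_name):
    """True when the fingerprinted OS matches one of the EOL patterns."""
    return any(p.search(os_name) for p in EOL_PATTERNS)


def audit(leases, inventory=INVENTORY, fingerprints=FINGERPRINTS,
          iot_net="192.168.20.0/24"):
    """Return unknown devices, known devices on EOL OSes, and known devices
    that hold an address outside the IoT segment."""
    net = ipaddress.ip_network(iot_net)
    report = {"unknown": [], "legacy_os": [], "wrong_segment": []}
    for lease in leases:
        mac = lease["mac"]
        ip = ipaddress.ip_address(lease["ip"])
        os_name = fingerprints.get(mac, "unknown")
        if mac not in inventory:
            # Shadow IoT candidate: investigate, then enroll or disconnect.
            report["unknown"].append({"mac": mac, "ip": str(ip),
                                      "hostname": lease["hostname"], "os": os_name})
            continue
        name = inventory[mac]["name"]
        if is_eol(os_name):
            report["legacy_os"].append({"mac": mac, "name": name, "os": os_name})
        if ip not in net:
            report["wrong_segment"].append({"mac": mac, "name": name, "ip": str(ip)})
    return report


if __name__ == "__main__":
    for category, items in audit(parse_leases(SAMPLE_LEASES)).items():
        print(category, items)
```

On the constructed data the audit reports de:ad:be:ef:00:01 as unknown, dvr-01 (Linux 2.6) and hvac-ctl (Windows CE) as running unsupported operating systems, and hvac-ctl as having obtained an address on 10.0.5.0/24 rather than the IoT segment. Running the same comparison against switch MAC tables or ARP caches, rather than only DHCP leases, also catches devices with static addresses.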

E. Man-in-the-Middle Attacks

Communication channels in IoT devices are usually only trivially protected, and an attacker can compromise the channel to intercept the messages between devices and modify them. This allows the attacker to cause malfunctions or show incorrect data, which can potentially cause serious harm if the targeted IoT devices are connected to or managing industrial or medical equipment. It can also allow attackers to hide their tracks and the physical evidence of their work.

F. Industrial Espionage & Eavesdropping

IoT devices such as cameras, microphones etc. are used to monitor sensitive areas or devices for problems remotely. If an attacker compromises these devices, they can visually and aurally monitor their target, compromising their privacy and potentially gaining access to sensitive data or video. For example, IoT cameras deployed in bedrooms have been used to record and leak intimate videos of the residents without their knowledge, and compromised security cameras have been used to record ATM PINs entered by unsuspecting users.

Other steps that should be taken to reduce risk from IoT devices on your network:

  • Segregate your networks: IoT devices should be on a separate segment of the network, isolated from the production and user network with a firewall sitting between the two. This allows you to block access to the production network from the IoT network, which prevents an attacker from gaining full access to the enterprise network if they breach the IoT network.
  • Enable HTTPS/encrypted connectivity for IoT devices: All connections to and from the IoT devices should be encrypted to protect against man-in-the-middle attacks.
  • Deploy an IDS: Deploying an Intrusion Detection System (IDS) on the network can alert us to attack attempts. All alerts from the IDS should be investigated and verified.

These are just some of the attack surfaces available to attackers targeting IoT devices. In fact, with the increase in computing power available to these devices they are almost mini computers, and most of the attacks that impact traditional systems such as servers or desktops can target IoT devices as well with minimal modifications. So it is essential that security training is conducted for all employees in the organization to make them aware of the risks posed by IoT devices, and that the security team is trained in methods to secure these devices from attackers.


Note: This was originally written as a paper for one of my classes at EC-Council University in Q3 2021, which is why the tone is a lot more formal than my regular posts.

– Suramya

January 27, 2022

New MoonBounce UEFI Bootkit that can’t be removed by replacing the Hard Disk

Filed under: Computer Security,Computer Software,My Thoughts,Tech Related — Suramya @ 1:05 AM

Viruses and malware have evolved a lot in the past 2-2.5 decades. I remember the first virus that infected my computer back in 1998: it corrupted the boot sector and the partition table to the point where I couldn’t even format the drive, as it wasn’t detected by the OS. I tried booting via a floppy and running scandisk on it (this is on DOS 6.1/Windows 3.1) but it wouldn’t detect the disk; same issue with Norton Disk Doctor (NDD). I was scared to tell the parents that I had broken the new computer, but after a whole night of trying various things based on conversations with friends, suggestions in books etc. I managed to get NDD to detect the disk and repair the partition table. After that it was a relatively simple task to format the disk and reinstall DOS. Similarly, all the other viruses I encountered could be erased by formatting the disk or replacing it.

There were a few that tried using the BIOS for storing info, but not many. I did create a prank program that would throw insults at you when you typed the wrong command every 5th boot. The counter for the boot was kept in the BIOS. But this didn’t have any propagation logic in the code and had to be manually run on each machine, plus it had to be customized manually for every new BIOS type/version, so it wasn’t something that could spread on its own.

With the new malware/viruses that have come out in the past few decades we are seeing more advanced capabilities of propagation and persistence, but till now you could still replace the drive infected with a virus and be able to start with a clean slate. However, that has now changed with the new MoonBounce UEFI bootkit, which can’t be removed by replacing the hard drive as it stores itself in the SPI flash memory found on the motherboard. This means that the bootkit will remain on the device till the SPI memory is re-flashed or the whole motherboard is replaced, which makes it very difficult and expensive to recover from the infection.

Securelist has a very detailed breakdown of the bootkit which you should check out. The scary part is that this is not the only bootkit that uses this method; there are a few others, such as ESPecter and FinSpy’s UEFI bootkit, that prove the capability is becoming more mainstream and that we should expect to see more such bootkits in the near future.

Source: Slashdot: New MoonBounce UEFI Bootkit Can’t Be Removed by Replacing the Hard Drive

– Suramya

January 26, 2022

Got a new Biometric lock installed

Filed under: My Life — Suramya @ 3:39 AM

Yesterday I finally replaced the old biometric lock that I have been using for the past 8 years with a newer model. The old one was still working fine for the most part, but it gave me a fright a few weeks ago when its batteries died (I think that is what happened) and I couldn’t unlock the door. We did have a manual override key for the lock, but I guess I don’t know my own strength, because I broke off the key (in the lock) when I tried to unlock using the key. It looked like I would have to break the lock to get in, but thankfully I remembered at the last minute that the lock had the option of providing power externally and was able to unlock it using a 9 volt battery. Due to this and other small issues that were cropping up in the lock, we decided to replace it with a newer version.

Searching online I found a lot of locks available but decided against most of them because I didn’t want the lock to be internet connected. There are enough security issues with the apps, and I don’t like the idea of random folks being able to connect to my lock remotely for fun and profit. I finally narrowed it down to two options: the first was a Godrej model and the other was the one we got. The Godrej one looked good, but as per their support team it required a door with a minimum thickness of 42mm and our door is only 35mm. We could have gotten extra plywood put in to thicken the door, but since the other option was 10k cheaper, had more functionality and didn’t require modification, we decided to go with that one instead.

I ordered the lock online and it was delivered in ~3 days. Installation took a while because they took a while to assign a technician for some reason, but after yelling at them for a bit (and offering to return the lock) it was finally installed yesterday. The installation person was pretty good and the whole thing took about 40 mins to complete.

Now with the new lock I can unlock the door with fingerprints, a PIN, an RFID card and a manual override key. In case the power goes off, it has the option of using a powerbank as external power, so that is a relief. Plus it doesn’t require dismantling the handle to get access to the override key, so that is a big advantage.

The new lock’s sensor is a lot more sensitive and processes faster than my old one. Thinking about what to do with the old one: one option is to send it to my parents’ place in Delhi, another is to use it for secure storage here in Bangalore itself, but that would require work and I honestly don’t have that many valuables that would require a biometric storage locker. In any case, for now it is going into storage.

Well this is all for now, will post more later.

– Suramya

PS: I didn’t specify the lock model / make in the post specifically because I don’t think I want to make that public. But if you are interested in discussing more or are planning to buy you can reach out offline and we can talk in more detail.

January 25, 2022

Intentionally breaking popular opensource projects for… something

Filed under: Computer Software,My Thoughts,Tech Related — Suramya @ 10:23 AM

Recently Marak Squires, the developer of the extremely popular npm modules Colors and Faker, decided to intentionally commit changes into the code that broke the modules and brought down thousands of apps worldwide. Initially it was thought that the modules were hacked, as others have been in the past, but looking at the commit history it was obvious that the changes were committed by the developer themselves. Which brings us to the question of why on earth someone would do something like this. Marak didn’t explicitly state why the changes were made, but considering their past comments it does seem like this was done intentionally:

In November 2020, Marak had warned that he would no longer be supporting the big corporations with his “free work” and that commercial entities should consider either forking the projects or compensating the dev with a yearly “six figure” salary.

“Respectfully, I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work. There isn’t much else to say,” the developer previously wrote.

“Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.”

The aftermath of the changes is that npm has revoked the developer’s rights to commit code, their GitHub account has been suspended and the modules in question have been forked. Now Marak is pleading for his accounts to be reinstated because the issue was caused by a ‘programming mistake’, which seems like a far-fetched excuse, especially given how they made fun of the problem right after people reported it. That doesn’t seem like the reaction we would see if this was a legitimate mistake.

My guess is that they thought this would play out differently, with companies falling over themselves to give them money/contracts etc., but didn’t anticipate how it would blow back on them. I mean, if I was hiring right now and their resume came up I would think twice about hiring them because of this stunt. They have shown that they can’t be trusted, and what is to stop them from making changes to my company’s software and bringing it to a screeching halt because they felt that they were not being paid their dues? I mean, they have already done it once; what is to stop them from doing it again? This looks like a textbook example of what not to do in order to get people to work with you/hire you.

One of the things that I have heard from detractors of open source software, when I was pushing for it in my previous companies, is the question of how we can be sure the software will still be there a year from now and who we blame if the software is broken and we need help. Stunts like this don’t help improve the image of open source software, and this person is now reaping their just deserts.

The positive side is that because the code is open source, it has already been forked and others have taken over the codebase to ensure we don’t hit similar issues going forward.

– Suramya
