
Great if you want to hear someone chew or breathe. Pic: The Lives of Others

Experimental malware has highlighted the possibility that hackers might be able to turn headphones into microphones in order to snoop on computer users.

Research by computer scientists at Ben-Gurion University, Israel, has revealed that both headphones and loudspeakers present a potential bugging risk. The boffins put together proof-of-concept malware, dubbed SPEAKE(a)R, in order to validate the risk.

"Malware can use a computer as an eavesdropping device, even when a microphone is not present, muted, taped or turned off," the researchers warn. In a paper, SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit (PDF), the researchers survey the scope of the risk and assess potential countermeasures. Possible hardware-based defences include using only active one-way speakers or deploying either white noise emitters or an audio jammer.


A speaker converts an electric signal into a sound wave. A microphone converts sound to an electrical signal. "The difference between these two pieces of equipment is that they have been optimised for the direction of conversion," according to Paul Farrington, manager of EMEA solution architects at application security firm Veracode. "However, there is little to prevent the conversion happening in the reverse direction."

This property of consumer audio hardware, coupled with the possibility of malware switching an audio port's role in the PC from output to input, creates a bugging risk.

"The RealTek codec chip vulnerability is apparently allowing malware running on the device to take advantage of the physical properties of the connected equipment to use the ports to accept input when they should be restricted to output only," Farrington continued.

RealTek or operating system developers might be able to deliver a software patch to mitigate this chip vulnerability and help secure IO ports, according to Farrington.



The Register - Security

People who are upset that Hillary Clinton’s personal email server may have been hacked are missing the big picture. Nearly everything that is worth hacking and connected to the internet is already hacked -- and that which is not can be hacked at will.

I don’t want to get into the morass of whether Clinton’s use of personal email while she was Secretary of State was legal or ethical. That’s been debated to death.


Instead, I’m talking about whether it was hacked. Could it have been? I'll say it again: Everything is hackable. Stuxnet took down Iranian centrifuges that were running on an air-gapped private network. The State Department’s email was hacked -- very likely before, during, and after Clinton's tenure there.

Was Clinton's email server hacked?

As for Clinton's personal email server, the fact is we’ll never know whether it was hacked.

Her server ran Microsoft Exchange 2010. Arrested Romanian hacker Marcel Lazăr (aka Guccifer) claimed he had hacked it. But beyond his public claim no evidence has come to light to back up his statement.

The FBI forensic investigation into the server did not corroborate his statement. As far as I can tell, Guccifer socially engineered her aide, Sidney Blumenthal, out of his AOL account password and nothing more. The same hacking technique was used against her senior adviser John Podesta for the thousands of emails now shared via Wikileaks. I’ve yet to hear any evidence that the server itself was exploited.

Could someone have hacked the server without leaving evidence?

Yes, although it seems unlikely. Most hackers leave behind lots of evidence because it doesn't matter if they do. Almost no one gets caught, much less prosecuted. Thus, hackers have become lazy and don’t attempt to clear log files or cover up evidence of their crimes.

For the sake of argument, let's say a Russian superhacker broke into Clinton's server without leaving behind signs of compromise. In that case, wouldn't we see emails other than those coming from two aides? It’s highly unlikely that a hacker would gain complete access, download every email, and fail to leak emails from Hillary and Bill Clinton.

Don't get me wrong -- I think plenty of hackers are capable of hacking her server and not leaving behind evidence. But I seriously doubt those hackers realized the importance of the email server serving up the @clintonemail.com domain. The FBI’s own investigation revealed the server was scanned and a few hacks were attempted, but none seemed to get through.

How would you hack Clinton’s email server?

This is penetration testing 101. First, you canvass your target. It’s Microsoft Exchange 2010 running on Microsoft Windows -- you can get that much by sending a few SMTP query commands to the email service port or running a port scanner like Nmap against the IP address. Using a port scanner and a few fingerprinting apps, you’d likely come away with the Windows version and perhaps even its patch status, along with whatever other services it was running.

We know from reports that it was running Microsoft Outlook Web Access (OWA) and Remote Desktop Protocol (RDP) for remote access. That helps a lot. OWA means it’s also running Microsoft’s Internet Information Services (IIS). Any hacker worth his or her salt already has all the possible exploits that might work against Microsoft Windows, IIS, Exchange, and RDP. Lots of hackers like to use the Metasploit Framework, but I’m partial to custom code for each vulnerability.

RDP and OWA also give you remote logons to try. Even if they have account lockout enabled, you can guess slowly. Better yet, you can guess against the Administrator account. As long as it hasn’t been renamed, you can guess forever as many times as you like and you won’t get locked out. If you have Bill's or Hillary’s email address, the logon account name is likely to be the same as their email address.

One of my favorite penetration tests, when I have the time, is to identify all running software and wait until a new vulnerability appears. Microsoft releases new patches at least once a month, and almost every Windows server needs to be patched each time. All you need to do is wait for the patch announcement and exploit the identified vulnerability before the system administrator can patch it. You usually have a day or so before the admin patches a server, if not longer.

If the exploit gets you on the email server, you can then configure Exchange to forward copies of all new emails. Or you can use a program like ExMerge to suck up every existing email, including deleted ones. Once you're on the server, you can create new accounts, add backdoors, or do pretty much anything else.

A few critics have noted that Clinton’s email server didn’t have SSL protection. The SSL page was available, but the system admin didn’t populate it with an SSL certificate. This means the connections to the server were in plaintext. While not having an SSL cert to protect the server isn’t great, it isn’t necessarily game over. It isn’t easy to pop onto someone else’s network streams simply because you know they are there. You have to get close to the server’s original point and perform a man-in-the-middle attack on the main connection. It’s easy to do if you’re already on the local network, but not so easy if you’re not.

One of the more interesting feats you can perform with a public email server is to try and take over its domain. Perhaps Clinton’s server is bulletproof -- fully patched and unhackable. Email hackers are famous for gaining control over DNS domains (in this case, clintonemail.com and wjcoffice.com) and, if successful, redirecting all email and connections headed to those domains to a fraudulent email server. You wouldn’t be able to see preexisting emails, but you'd be able to capture new inbound emails (and all the long threads of previous emails they probably contain).

What would have stopped the leak?

In the social engineering instances, using a system that required two-factor authentication (2FA) would have helped. Gmail had 2FA available back then, although I’m not sure about AOL. Clinton should have been using the State Department systems for all business email, and her personal email server should have required 2FA (although the system admin would have to know how to set it up and show the Clintons how to use it).

That’s water under the bridge now.

What I’m sure Clinton really wishes she had used, besides the State Department email system, is a mechanism that prevents private email from being easily read by unauthorized parties. There are myriad solutions, including Microsoft’s Rights Management System (RMS).

Information protection software such as RMS is pretty nifty. It encrypts all protected email and requires the user to retrieve an authorized personal digital certificate to view, print, or copy the email. At any time the personal certificate can be revoked. Hence, if a hacker stole the email, as soon as someone noticed, the certificate could be revoked and the email would become unreadable. Try posting that to Wikileaks.

After all the huge corporate hacking incidents, in which embarrassing private emails were leaked, I’m surprised the email information protection market isn’t growing faster. Remember, we are either hacked or the attackers haven't gotten around to it yet. Your confidential emails should be protected in a manner that prevents your emails from being so easy to share.

What happened to Clinton could absolutely happen to any person in any company who fails to use strong information protection for email. That’s the real lesson we all should take away.



InfoWorld Security Adviser

Researcher Dawid Golunski has discovered multiple severe vulnerabilities affecting the popular open source database MySQL and its forks (e.g. MariaDB, Percona).

CVE-2016-6662

One of these – CVE-2016-6662 – can be exploited by attackers to inject malicious settings into MySQL configuration files or create new ones, allowing them to execute arbitrary code with root privileges when the MySQL service is restarted. This could lead to total compromise of the server running the vulnerable MySQL version.

“The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers,” Golunski has explained in an advisory published on Monday.

“Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors.”

So far, Oracle – who acquired the software company that developed MySQL in 2010 – has yet to push out a fix for this and other issues. Golunski reported them to Oracle and the vendors of other affected forks in late July, and Percona and MariaDB vendors have already pushed out new releases that plugged CVE-2016-6662.

As these new releases were accompanied by details about the vulnerability, and Oracle’s next Critical Patch Update is scheduled for 18 October 2016, Golunski has decided to start disclosing the vulnerabilities he found, so that users can do everything in their power to minimize risk of exploitation until patches are made available.

The advisory also contains a limited PoC exploit. A full exploit and details about CVE-2016-6663, the flaw that allows low-privileged attackers to effect the same attack, will be published soon.

“As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use,” Golunski advised, but stressed that applying official vendor patches as soon as they become available will be the ultimate solution for this issue.
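The two interim mitigations quoted above (no config file owned by the service account, root-owned dummies in the slots that are empty) are easy to audit from a shell. The script below is an added example written for this page, not code from Golunski's advisory or from the MySQL project. The candidate path list is an assumption based on the standard my.cnf search order and should be adjusted to the SYSCONFDIR and datadir of the build in use; the service account name defaults to mysql.

```shell
#!/bin/sh
# Added example (not from the advisory or from MySQL): audit the config-file
# locations mysqld consults and flag any that the service account owns, since
# under CVE-2016-6662 a file the mysql user can rewrite becomes root code on
# the next restart. The list below is an assumption drawn from the standard
# my.cnf search order; adjust it to your build's SYSCONFDIR and datadir.
MYSQL_CNF_CANDIDATES="/etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf /var/lib/mysql/my.cnf"
SERVICE_USER="${SERVICE_USER:-mysql}"

# Owner of a path, portable across GNU and BSD userlands (stat -c vs stat -f).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Symbolic mode of a path, e.g. -rw-r--r-- (first ten characters of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Print every existing path from the argument list that is owned by $1.
# Returns 0 when nothing is flagged, 1 when at least one file is flagged.
find_files_owned_by() {
    want="$1"; shift
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if [ "$(owner_of "$f")" = "$want" ]; then
            echo "FLAG: $f is owned by $want"
            rc=1
        fi
    done
    return $rc
}

# An absent config file in a directory the service account can write to is
# the other half of the risk; the advisory's answer is a root-owned dummy.
# Creates $1 as an empty mode-0644 file if it does not exist. The chown to
# root is only attempted when running as root, so the call is safe elsewhere.
make_dummy_conf() {
    path="$1"
    [ -e "$path" ] && return 0
    : > "$path" || return 1
    chmod 0644 "$path"
    if [ "$(id -u)" = "0" ]; then chown root:root "$path"; fi
    return 0
}

# Run the audit against the candidate locations and print what to do next.
# $MYSQL_CNF_CANDIDATES is deliberately unquoted so it splits into paths.
audit_host() {
    if find_files_owned_by "$SERVICE_USER" $MYSQL_CNF_CANDIDATES; then
        echo "OK: no candidate config file is owned by $SERVICE_USER"
    else
        echo "ACTION: chown root:root the flagged files and review their contents"
    fi
    for f in $MYSQL_CNF_CANDIDATES; do
        [ -e "$f" ] || echo "NOTE: $f is absent; consider make_dummy_conf $f (as root)"
    done
}

audit_host
```

Run it as root to get accurate ownership and to let make_dummy_conf create root-owned files; as an unprivileged user it still reports, it just cannot chown. Ownership is the test the advisory names, but the reason the dummy files matter is directory permissions: a config slot that does not yet exist inside a directory the service account can write to (the datadir, for instance) is as exposed as a file it already owns.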


Help Net Security

If you have discovered cryptocurrency mining malware on your system, removed it, and then been compromised again with no idea how it happened, the source of the infection could be the Seagate Central NAS sitting on your network.


The malware

Sophos researchers recently analyzed a newer version of malware that mines Monero (XMR), a newer digital cryptocurrency that is much easier to mine than Bitcoin.

Mal/Miner-C, as they’ve dubbed the threat, does not use the NAS for the mining, but as an “outpost” from which it infects various systems.

Seagate Central comes with a “public” folder, which is accessible to anyone on the same network as the device, and anyone who has a remote access account on it.

“This public folder and account cannot be deleted or deactivated,” threat researcher Attila Marosi pointed out. “The admin user has the ability to enable the device for remote access or turn this feature off entirely. But, if the device is enabled for remote access, all the accounts will be available on the device, including the anonymous user. In this state, your device is open for anyone to write to your public folder.”

The attackers who wield this malware take advantage of this fact, and place into this public folder a malicious script file (Photo.scr), which was made to use the standard Windows folder icon. A curious user that tries to access the “folder” will trigger the installation of the miner on his or her system.

How widespread is it?

The researchers decided to see how widespread the threat is, and have scanned the internet for Seagate Central NAS devices that have been “contaminated” with Mal/Miner-C.

The results are as follows: of the 207,110 active devices that allow anonymous remote access, 7,263 have write access enabled, and of these, 5,137 have the malware planted on them. The affected devices can be found in almost every corner of the world:

Contaminated Seagate Central NAS devices

“More than 70% of the servers where write access was enabled had already been found, visited and ‘borrowed’ by crooks looking for innocent-sounding repositories for their malware,” Marosi noted.

“If you’ve ever assumed that you’re too small and insignificant to be of interest to cybercriminals, and thus that getting security settings right is only really for bigger organizations, this should convince you otherwise.”

He estimates that the crooks behind this scheme earn around 428 euros ($482) per day.


Help Net Security

Researchers at Rapid7 spotted bugs in Fisher-Price and hereO products that could expose data.

Researchers at Rapid7 discovered vulnerabilities in Fisher-Price's Smart Toy and hereO's GPS platforms that could allow an attacker to collect the personal information of a user.

The Smart Toy is a stuffed animal that connects to an online account via Wi-Fi to provide users with a customizable educational and entertainment experience.

The toy's platform contained an improper authentication handling vulnerability that could allow an unauthorized user to obtain a child's name, age, date of birth, gender, spoken language and more, according to a Feb. 2 security blog post.

Many of the platform's web service application program interface (API) calls didn't appropriately verify the “sender” of messages and could allow a would-be attacker to send requests that shouldn't be authorized under ideal operating conditions, according to the post.

In addition to compromising privacy, an attacker could use the bug to launch social engineering campaigns or to force the toy to perform actions that users didn't intend, the researchers wrote.

The platform behind a GPS tracker that allows family members to share their location with each other was also vulnerable to outside manipulation.

The hereO GPS platform contained an authorization bypass vulnerability which could allow an attacker to access every family member's location, according to the post.

Once exploited, an attacker could discreetly add their account to any family's network and manipulate notifications through social engineering to avoid detection.

Researchers gave the example of an attacker adding themselves to a family's network under the “name” 'This is only a test, please ignore,' in an attempt to avoid raising suspicion.

Both vulnerabilities were reported to their respective vendors and have since been rectified. Rapid7's Security Research Manager Tod Beardsley told SCMagazine.com in an email correspondence that these issues didn't require patches or firmware upgrades.

Beardsley said that both vendors acted “reasonably and responsibly” during the disclosure process. It's nearly impossible to ship products without some bugs when dealing with the internet of things (IoT) or software in general, he said.

“The goals of companies dedicated to securing personal information should be twofold,” Beardsley said.

“One, make sure that bugs are found in the design and development phases, and two, once vulnerabilities are identified after launch, they are easily and quickly remediated without too much effort by the end users,” he said.

Other IoT toys have been found to pose risks to users as well.

Last year, researchers identified security concerns in Mattel's Hello Barbie that could allow an attacker to extract internal MAC addresses, Wi-Fi network names, account IDs, and MP3 files from the popular doll.

ToyTalk, the company that operates the doll's speech services, reportedly admitted the doll could be hacked but said the vulnerable information did not identify children, nor did it compromise any audio of a child speaking.


Latest articles from SC Magazine News

Even password manager LastPass can be fooled. A Google security researcher has found a way to remotely hijack the software.

It works by first luring the user to a malicious site. The site will then exploit a flaw in a LastPass add-on for the Firefox browser, giving it control over the password management software.


LastPass wrote about the vulnerability on Wednesday and said that a fix is already out for Firefox users.

Google security researcher Tavis Ormandy first discovered the issue. When examining the password manager, he tweeted on Tuesday, "Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap."

Any vulnerability with LastPass could pose a big risk for users. The popular software is supposed to securely store and autofill all the passwords users have for their different sites.

Ormandy isn't the only security researcher to find flaws with the password manager. On Wednesday, Mathias Karlsson at Detectify Labs said that he had also managed to hack LastPass -- in this case, to steal user passwords.

He did so by exploiting a bug in the password manager's Chrome browser extension, Karlsson
InfoWorld Security