Remotely hacking a Jeep, while in motion..

Here’s something I never thought I would say, or see in writing: if you own a late-model Chrysler, it’s time to update your software. A pair of astute hackers have figured out how to use the cellular-connected entertainment dashboard as a way in, and from there take control of the vehicle.

This is especially disturbing since it comes only months after another news story about a commercial aircraft passenger supposedly hacking into the plane’s controls via wifi and altering its flight path.

Via Wired.

I think the bottom line is: don’t connect critical controls to anything that can be reached remotely. In a car that means the infotainment and telematics side should be segmented from the network that carries steering, braking and engine commands, with no path from one to the other. And if a remote path is somehow absolutely necessary (though I can’t find a use case), then don’t expose it to the internet at large. That’s just security 101: protect your assets.

Encrypted email, Snowden style


Curious whether anyone else has used an end-to-end encrypted email service like ProtonMail and, if so, has any thoughts on it. I’ve been doing a lot of reading on the subject, and there’s really no definitive “yes it’s secure” or “no, it’s shit” answer out there.

Given the digital surveillance world we live in today, I think it’s perfectly reasonable to try to protect your personal (and business) correspondence without worrying about big brother listening in. PGP, Entrust and the like were built exactly for this reason: to encrypt the message itself, end to end, so it stays unreadable on every server and network between you and the recipient, not just on the wire.

A little background on ProtonMail if you haven’t heard of it yet, cobbled together from their website:

They are based in Switzerland, claim not to have access to your private key, and use two separate passwords: a login password, which authenticates you to the server, and a mailbox password, which they say is used only in your browser to decrypt the private key. Note that two passwords are two things you know, so this is not two-factor authentication in the usual sense; the point of the split is that the server never sees the password that unlocks your mail.

Emails to non-ProtonMail addresses can be decrypted by the recipient visiting a special URL and entering a message-specific password, which allows them to reply up to three times (I think). That password has to reach the recipient some other way, so the security of those messages is only as good as the channel you share it over.

Overall, it’s a very nice, feature-rich interface. I guess the underlying question is: how secure is your data there? One caveat that applies to any encrypted webmail service: the JavaScript that does the encrypting and decrypting is served to your browser by the provider on every visit, so you are still trusting them (and anyone who can compel them) not to ship you a modified copy. Would you trust it? Send something sensitive to a pal and feel confident that prying eyes can’t get at it?

Cloud Instance + No Services != No Worries — Secure your servers

Spun up a new server on Linode last night. Didn’t do anything with it except power it up: no web server, nothing listening except sshd. I shouldn’t be surprised by this, but in less than 12 hours the new instance had logged 9,445 failed SSH login attempts, nearly all of them against root. All by IP address, too; this server has no forward or reverse DNS entries published.

sshd:
    Authentication Failures:
       root (115.231.222.45): 3739 Time(s) - China
       root (103.41.124.50): 2698 Time(s) - China
       root (103.41.124.47): 494 Time(s) - China
       root (103.41.124.12): 474 Time(s) - China
       root (103.41.124.66): 453 Time(s) - China
       root (103.41.124.64): 435 Time(s) - China
       root (103.41.124.58): 426 Time(s) - China
       root (103.41.124.55): 423 Time(s) - China
       root (115.239.228.9): 90 Time(s) - China
       root (115.231.223.170): 89 Time(s) - China
       root (115.239.228.6): 50 Time(s) - China
       root (61.174.49.103): 27 Time(s) - China
       root (178.162.212.20): 13 Time(s) - Germany
       root (124.95.128.253): 12 Time(s) - China
       unknown (124.95.128.253): 11 Time(s) - China
       unknown (178.162.212.20): 9 Time(s) - Germany
       unknown (213.136.68.234): 2 Time(s) - Germany

Big props to China for weighing in at #1 with 9,421 failed login attempts. Germany needs to step their game up, only 24 times? (Bear in mind that the source address tells you where the scanning box sits, typically a compromised host, not who is driving it.)

It’s game over for them now, thanks to tcpwrappers, fail2ban and CSF. Just a friendly reminder to secure your servers. Had there been production data and a weak password on this instance, things would have been bad. Throw in a database, and who knows. Better still, take the guessing game away entirely: set PermitRootLogin no and PasswordAuthentication no in sshd_config and log in with keys, so a brute-forcer has nothing to brute-force.
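To make the triage concrete, here is a small Python script, added for this post and not code from the original, from fail2ban, CSF or logwatch, that does what those tools do in miniature: it parses sshd’s “Failed password” lines from auth.log, tallies them per user and source IP the way the logwatch report above does, and emits tcpwrappers hosts.deny rules for any source over a threshold. The log lines are constructed for the example; the source addresses are borrowed from the listing above, while the hostname, PIDs, ports and 203.0.113.8 (a documentation address standing in for a legitimate admin) are made up.

```python
import re
from collections import Counter

# Constructed example, not code from the original post, fail2ban, CSF or logwatch.
# Counts failed SSH password attempts per (user, source IP) in auth.log lines
# and emits tcpwrappers hosts.deny rules for the worst offenders.

# sshd writes one of two forms: "Failed password for root from A.B.C.D port N ssh2"
# or, for an account that does not exist, "Failed password for invalid user admin from ..."
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample lines (hostname, PIDs and ports are invented). Source addresses
# come from the logwatch report in the post; 203.0.113.8 is a documentation address
# standing in for a legitimate admin logging in with a key.
SAMPLE_LOG = """\
Jul 21 03:14:07 li123 sshd[2101]: Failed password for root from 115.231.222.45 port 51342 ssh2
Jul 21 03:14:09 li123 sshd[2101]: Failed password for root from 115.231.222.45 port 51342 ssh2
Jul 21 03:14:10 li123 sshd[2104]: Invalid user admin from 124.95.128.253
Jul 21 03:14:11 li123 sshd[2104]: Failed password for invalid user admin from 124.95.128.253 port 40112 ssh2
Jul 21 03:14:12 li123 sshd[2101]: Failed password for root from 115.231.222.45 port 51342 ssh2
Jul 21 03:14:14 li123 sshd[2108]: Accepted publickey for deploy from 203.0.113.8 port 55010 ssh2
Jul 21 03:14:15 li123 sshd[2110]: Failed password for root from 115.231.222.45 port 51350 ssh2
Jul 21 03:14:16 li123 sshd[2110]: Failed password for root from 115.231.222.45 port 51350 ssh2
Jul 21 03:14:18 li123 sshd[2113]: Failed password for invalid user oracle from 124.95.128.253 port 40120 ssh2
Jul 21 03:14:19 li123 sshd[2115]: Failed password for root from 124.95.128.253 port 40131 ssh2
Jul 21 03:14:20 li123 sshd[2110]: Failed password for root from 115.231.222.45 port 51350 ssh2
""".splitlines()


def failed_logins(lines):
    """Yield (user, ip) for each failed password attempt, in log order."""
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        # logwatch reports attempts against non-existent accounts as "unknown"
        user = "unknown" if m.group("invalid") else m.group("user")
        yield user, m.group("ip")


def summarize(lines):
    """Counter keyed by (user, ip), like logwatch's "Authentication Failures" table."""
    return Counter(failed_logins(lines))


def ban_candidates(lines, threshold=5):
    """Source IPs with at least `threshold` failures, whatever user names they tried."""
    per_ip = Counter(ip for _, ip in failed_logins(lines))
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def hosts_deny_rules(ips):
    """Lines to append to /etc/hosts.deny so tcpwrappers refuses those sources."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    for (user, ip), n in summarize(SAMPLE_LOG).most_common():
        print("%-8s %-16s %d" % (user, ip, n))
    for rule in hosts_deny_rules(ban_candidates(SAMPLE_LOG)):
        print(rule)
```

Run it as a file to print the tally and the deny rules. One caveat: hosts.deny only has an effect if sshd was built with libwrap, and upstream OpenSSH dropped tcpwrappers support in 6.7, so on newer systems the same list belongs in a firewall rule instead, which is what fail2ban and CSF do for you.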

The address ranges of on-demand providers like Linode, Amazon, LiquidWeb and the rest are public knowledge (they show up in WHOIS and routing data), so it’s safe to assume those ranges are scanned continuously in the hope of finding a weak password or an unpatched service to exploit.

Thinking of spinning up another instance as a honeypot and running it for a while; it might produce some interesting results.

More on Heartbleed, and a site check tool

Oooh, the scary Heartbleed Bug. Actually, if you’ve been keeping up with the news, you may have heard of this and should know that it’s a pretty serious security issue affecting sites that use OpenSSL. Right now, Google is returning almost two million search results for the term, so it’s being talked about. A lot.

So above I mentioned OpenSSL; what’s that? Simply put, it’s a cryptographic library that many websites and businesses use to secure communications between you and them, so that outsiders can’t read the exchange. Heartbleed turns that private conversation into a whispering gallery: you don’t expect anyone else to be able to overhear you, but they can, should they choose to.

Enter Heartbleed, a nasty bug that sat undiscovered in the wild for about two years (it shipped in OpenSSL 1.0.1 in March 2012 and was disclosed in April 2014). So wait, what the heck is Heartbleed? Glad you asked; this is the technical description from http://heartbleed.com:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

So, in English please?

Basically, this bug existed for two years, completely undetected, in OpenSSL 1.0.1 through 1.0.1f (1.0.1g is the fixed release). During that time, websites running a vulnerable version could have leaked user data without ever knowing it, because a Heartbleed read looks like ordinary TLS traffic and leaves nothing in the server’s logs.

  • Worst case scenario: sensitive information such as credit cards, bank statements, email passwords, etc. could have been stolen.
  • Best case scenario: this bug wasn’t discovered or exploited. Don’t count on this.

How can I tell if a site I use has been exploited?

No way to know: exploitation leaves no trace in normal server logs. If you have concerns, contact the site in question. One practical rule: change your password only after the site confirms it has patched and replaced its certificate, since a new password entered on a still-vulnerable site is just as exposed as the old one.

What sites should I worry about?

Mashable has been compiling a list of popular sites: whether they were vulnerable, what fixes have been applied and whether you need to take action:

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

It should be noted that this is not a completely comprehensive list; smaller sites may or may not have been affected. Contact those sites directly if you have concerns.

What about self-hosted sites, how can I check?

You can test any site for CVE-2014-0160 (Heartbleed) with the checker below. It talks to the live server, so it tells you what is running now, not what was running last week. If the site is yours, remember that patching the library is only step one: every long-running service that loaded the old OpenSSL (web server, mail server, VPN) has to be restarted or the box rebooted, and keys and certificates that may have been read out of memory should be reissued.

http://filippo.io/Heartbleed/
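For a self-hosted box, the first check is local: which OpenSSL build is installed, and was it built before or after the fix? Below is a small Python classifier, added here as an example and not code from the original post or from the OpenSSL project, that reads the output of `openssl version -a` and sorts it into patched, vulnerable, not affected, or “check the package changelog”. That last bucket exists because Debian, Ubuntu, Red Hat and others backported the fix without changing the version letter, so “1.0.1e” on its own proves nothing; the build date printed by the binary is used only as a heuristic hint. The sample outputs are constructed, not captured from real hosts; the vulnerable range (1.0.1 through 1.0.1f plus 1.0.2-beta1, fixed in 1.0.1g) and the 7 April 2014 disclosure date come from the public advisory.

```python
import re
from datetime import date

# Constructed example, not code from the original post or the OpenSSL project.
# Classifies `openssl version -a` output against the Heartbleed (CVE-2014-0160)
# affected range: upstream 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g fixed it.

DISCLOSURE_DATE = date(2014, 4, 7)  # day the advisory and 1.0.1g were published

MONTHS = {name: i for i, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 1.0.1e-fips ..."
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")
# "built on: Mon Apr  7 20:33:29 UTC 2014" (weekday and zone are optional)
BUILT_RE = re.compile(
    r"built on:\s*(?:[A-Z][a-z]{2}\s+)?([A-Z][a-z]{2})\s+(\d{1,2})\s+"
    r"\d{1,2}:\d{2}:\d{2}\s+(?:[A-Z]+\s+)?(\d{4})")


def build_date(version_output):
    """Return the build date printed by `openssl version -a`, or None if absent."""
    m = BUILT_RE.search(version_output)
    if not m or m.group(1) not in MONTHS:
        return None
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))


def assess(version_output):
    """Classify `openssl version -a` output for CVE-2014-0160.

    Returns 'not affected', 'patched', 'vulnerable',
    'check distro changelog' or 'unknown'.
    """
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    triple = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if triple == (1, 0, 2):
        # 1.0.2-beta1 carried the bug; beta2 and the 1.0.2 release did not
        return "vulnerable" if beta == "-beta1" else "not affected"
    if triple != (1, 0, 1):
        return "not affected"  # 0.9.8 and 1.0.0 never had TLS heartbeats
    if letter >= "g":
        return "patched"
    # Upstream string is 1.0.1 .. 1.0.1f. Distros backported the fix without bumping
    # the letter, so a build date on or after the disclosure is a heuristic hint to
    # read the package changelog (e.g. `apt-get changelog openssl`), not proof of a fix.
    built = build_date(version_output)
    if built is not None and built >= DISCLOSURE_DATE:
        return "check distro changelog"
    return "vulnerable"


# Constructed sample outputs (abbreviated), not captured from real hosts.
SAMPLES = {
    "stock 1.0.1e": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Feb 11 15:17:56 UTC 2013\n",
    "upstream 1.0.1g": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Tue Apr  8 08:00:00 UTC 2014\n",
    "distro backport": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Apr  8 10:16:22 UTC 2014\n",
    "old 1.0.0": "OpenSSL 1.0.0k 5 Feb 2013\nbuilt on: Tue Feb  5 18:02:10 UTC 2013\n",
}

if __name__ == "__main__":
    for label, output in SAMPLES.items():
        print("%-16s %s" % (label, assess(output)))
```

On a real host feed it the live output, for example `assess(subprocess.check_output(["openssl", "version", "-a"]).decode())`. A “check distro changelog” verdict means the package may well be fixed, but only the distribution’s changelog or security advisory can confirm it; the binary’s version string cannot.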

Are you some sort of expert on this, can I contact you?

Nope, I’m not an expert on this particular security issue, just a concerned netizen who felt compelled to post about it. There’s a vast wealth of information on the Heartbleed site, http://heartbleed.com/, and I encourage you to review it. And of course if you have questions about a specific entity, you can always contact them directly.