Interesting Traffic Analysis Related to Google Network Issues

Hello All. Just came across a recent post by Ameet Naik from ThousandEyes. It covers a recent Google outage and the traffic data they analyzed from their endpoint product.

“ThousandEyes noticed issues connecting to G Suite, a critical application for our organization. Reviewing ThousandEyes Endpoint Agent stats, we noticed this was impacting all users at the ThousandEyes office. The outage not only affected G Suite, but also Google Search as well as Google Analytics. What caught our attention was that traffic to Google was getting dropped at China Telecom. Why would traffic from a San Francisco office traversing to Google go all the way to China? We also noticed a Russian ISP in the traffic path, which definitely sparked some concerns.”

The full post is available on ThousandEyes’ blog site – https://blog.thousandeyes.com/internet-vulnerability-takes-down-google/

Public Power Magazine

I want to send a huge thanks to the American Public Power Association for allowing me to contribute with others on a recent article called Drones, AI, IoT, and the brave new world of cybersecurity talking about the various cyber disruptors affecting everyday life, especially the electric utilities and their use of next generation smart meters and other IoT devices. The APPA have a fabulous editorial and content staff and they were a blast to work with. I will also be keynoting at their Cybersecurity Summit on November 13-14, 2018 in Austin, TX. #PublicPower

HP iLO4 Vulnerable to Simple Authentication Bypass

Hello All. HP iLO devices are widely used by organizations looking to manage their servers in a lights-out scenario. iLO cards can be embedded in regular computers. They have a separate Ethernet network connection and run a proprietary embedded server management technology that provides out-of-band management features.

In 2017, security researchers from Synacktiv (https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html) discovered a vulnerability that could be exploited remotely over an Internet connection, putting every iLO server exposed online at risk.

The vulnerability is an authentication bypass that gives attackers access to HP iLO consoles. That access can then be used to extract cleartext passwords, execute malicious code, and even replace the iLO firmware.

Besides being remotely exploitable, this vulnerability is incredibly simple to exploit, requiring only a cURL request with 29 letter “A” characters, as below:

curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Because of its simplicity and remote exploitability, the vulnerability, tracked as CVE-2017-12542, has received a severity score of 9.8 out of 10. Rapid7 published a Metasploit module for it (https://www.rapid7.com/db/modules/auxiliary/admin/hp/hp_ilo_create_admin_account) and it is also downloadable from Exploit-DB (https://www.exploit-db.com/exploits/44005/).

HP released patches for CVE-2017-12542 in August last year, in iLO 4 firmware version 2.54. So what is the issue? Well, researchers are presenting their PoCs at conferences and publishing all kinds of great info on the subject. Unless your organization is diligent about patching servers beyond the operating system, there are most likely a ton of affected servers still out there. Many administrators I have spoken to are not overly worried about their internal servers. But think of the attacker who wants to pivot within a network: they now have a valid method of doing so.

Of course, the first place my brain wandered to was Shodan.

https://www.shodan.io/search?query=HP-iLO-4 – nice initial 3,600 hits.

As you can see, it is not hard to find pre-2.5.3 versions ripe for the taking.

So all I can say, boys and girls, is: have a look at your HP servers, check your iLO version and make sure you patch ASAP.
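A defender-side version audit, added here as an example and not code from the original post or from HPE: it parses iLO firmware version strings and flags iLO 4 controllers still below the fix version the post names (2.54). The sample inventory is constructed, the hostnames are placeholders, and the assumption that each controller's Redfish Manager resource reports its version in a FirmwareVersion field of the form "iLO 4 v2.55" is exactly that, an assumption to confirm against your own hardware.

```python
import re

# Fix version as stated in the post (iLO 4 firmware 2.54). Treat this as a
# parameter and confirm it against HPE's advisory for your firmware line.
MIN_FIXED = (2, 54)

# Matches strings such as "iLO 4 v2.55". The field name and format are
# assumptions about what the Redfish Manager resource returns.
VERSION_RE = re.compile(r"iLO\s*(\d+)\s*v?(\d+)\.(\d+)")

def parse_ilo_version(text):
    """Return (generation, major, minor) as ints, or None if unrecognised."""
    m = VERSION_RE.search(text or "")
    if not m:
        return None
    return tuple(int(g) for g in m.groups())

def is_patched(version):
    """True/False for iLO 4; None for other generations (CVE-2017-12542 is iLO 4 only)."""
    gen, major, minor = version
    if gen != 4:
        return None
    # Integer comparison, not string comparison: "2.55" < "2.9" lexically
    return (major, minor) >= MIN_FIXED

def audit(inventory):
    """inventory: host -> dict standing in for the Redfish Manager JSON.
    Returns host -> one of 'patched', 'VULNERABLE', 'not-ilo4', 'unknown'."""
    report = {}
    for host, manager in inventory.items():
        version = parse_ilo_version(manager.get("FirmwareVersion"))
        if version is None:
            report[host] = "unknown"      # could not parse; inspect by hand
            continue
        patched = is_patched(version)
        if patched is None:
            report[host] = "not-ilo4"
        else:
            report[host] = "patched" if patched else "VULNERABLE"
    return report

# Constructed sample data; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = {
    "ilo-db01.example.internal": {"FirmwareVersion": "iLO 4 v2.40"},
    "ilo-web02.example.internal": {"FirmwareVersion": "iLO 4 v2.55"},
    "ilo-old03.example.internal": {"FirmwareVersion": "iLO 3 v1.88"},
    "ilo-odd04.example.internal": {"FirmwareVersion": "n/a"},
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```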

Latest Retailer to Get Hit…

Hello All. Looks like Macy’s is the latest retailer to get hit by cyber criminals. Macy’s mentioned last week that attackers had obtained the names and passwords of some customers and may even have gained access to their credit card numbers and expiration dates, though not the CVV2 codes, which it does not store. Macy’s claims that the breach was small in scale, affecting only approx. 0.5% of customers registered on macys.com or bloomingdales.com. The breach apparently occurred between April 26 and June 10. On June 11, Macy’s detected the suspicious activity and soon after blocked the profiles in question. Macy’s said it has contacted the affected customers and will provide consumer protection services free of charge.

There has been a string of retail breaches since Target and Home Depot years ago: Adidas a few weeks ago, HBC (Saks Fifth Avenue, Saks Off Fifth, and Lord & Taylor stores), and, in the last year, Sears and Kmart, Whole Foods, and Under Armour. It doesn’t look like there is any end to the breaches, and organizations clearly aren’t implementing strong enough controls to protect the valuable customer data they are custodians of.

Intel in trouble?

Hello All. As you may have heard, Intel CEO Brian Krzanich is out after being appointed to lead the company only 5 years ago. It was a shocking announcement given that Krzanich was an Intel lifer who first joined Intel more than 35 years ago and spent most of his time at the company on the operations side. Intel has been hard at work trying to make its way out of the security deluge it has been in over the past 6 months with the speculative execution vulnerabilities Spectre and Meltdown. Krzanich has played a central role in the response, authoring a set of corporate principles known as the “Security-First Pledge.” He said in March that the company would ship new, more secure chips in the second half of 2018.

Krzanich quit or was forced out on Thursday after disclosure of a “consensual relationship with an Intel employee,” and has also left the board. “An ongoing investigation by internal and external counsel has confirmed a violation of Intel’s non-fraternization policy, which applies to all managers,” Intel said in a statement. “Given the expectation that all employees will respect Intel’s values and adhere to the company’s code of conduct, the Board has accepted Mr. Krzanich’s resignation.”

Krzanich violated a policy that said managers cannot have relationships with people who report to them either directly or indirectly. Krzanich’s total compensation topped $21 million last year, and the company paid for his transportation and residential security, according to company filings.