Stryker not fit for combat?

A recent report released by the US Department of Defense Office of the Director of Test and Evaluation (DOT&E) details vulnerabilities in the Stryker Dragoon war-fighting platform. The DOT&E's recommendation is to ‘Correct or mitigate cyber vulnerabilities for the platform and government-furnished equipment.’

My Recommendation: Immediately pull all affected rolling stock from active utility until any contemplated investigation is completed along with full remediation and/or mitigation. Thoroughly investigate all systems, with or without connectivity, and test for any form of vulnerability, from standalone sabotage to suspected electronic warfare perspectives (including ‘cyberattacks’, network attacks, radio-telephony and coherent light attacks, or stand-alone one-off opportunistic aggressor-delivered attacks), utilizing both automated and non-automated code review, network packet analysis, operating system examination, etcetera. All of this should be accomplished with the full rigor that can be brought to bear on this problematic deployment by the most powerful defense organization on Earth. Time to get this platform squared away before letting our most valuable assets (our warfighters) loose on these lethal machines.

Apparently, the platform, which includes the much-anticipated 30mm cannon, was hacked during a recent NATO exercise. It is most likely that the hack was directed at the Stryker’s data-sharing, navigation, or digital communications capabilities. Affecting any of these systems, or injecting false or confusing information into the networks, could greatly affect US forces in combat. These vehicles use GPS, as well as GPS-enabled systems referred to as Blue Force Trackers, which provide their position relative to hostile forces but, more importantly, show when they are in proximity to friendly forces, which can help prevent blue-on-blue or friendly fire incidents.

Interesting Traffic Analysis Related to Google Network Issues

Hello All. Just came across a recent post by Ameet Naik from ThousandEyes. It covers a recent Google outage and the traffic information they analyzed from their endpoint product.

“ThousandEyes noticed issues connecting to G Suite, a critical application for our organization. Reviewing ThousandEyes Endpoint Agent stats, we noticed this was impacting all users at the ThousandEyes office. The outage not only affected G Suite, but also Google Search as well as Google Analytics. What caught our attention was that traffic to Google was getting dropped at China Telecom. Why would traffic from a San Francisco office traversing to Google go all the way to China? We also noticed a Russian ISP in the traffic path, which definitely sparked some concerns.”

The full post is available on ThousandEyes’ blog site – https://blog.thousandeyes.com/internet-vulnerability-takes-down-google/

Public Power Magazine

I want to send a huge thanks to the American Public Power Association for allowing me to contribute with others on a recent article called Drones, AI, IoT, and the brave new world of cybersecurity, which talks about the various cyber disruptors affecting everyday life, especially the electric utilities and their use of next-generation smart meters and other IoT devices. The APPA has a fabulous editorial and content staff and they were a blast to work with. I will also be keynoting at their Cybersecurity Summit on November 13-14, 2018 in Austin, TX. #PublicPower

HP iLO4 Vulnerable to Simple Authentication Bypass

Hello All. HP iLO devices are widely used by organizations looking to manage their servers in a lights-out scenario. iLO cards can be embedded in regular computers. They have a separate Ethernet network connection and run a proprietary embedded server management technology that provides out-of-band management features.

In 2017, security researchers from Synacktiv (https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html) discovered a vulnerability that could be exploited remotely over the Internet, putting all iLO servers exposed online at risk.

The vulnerability is an authentication bypass that allows attackers access to HP iLO consoles. This access can later be used to extract cleartext passwords, execute malicious code, and even replace the iLO firmware.

Besides being a remotely exploitable flaw, this vulnerability is incredibly simple to exploit, requiring only a cURL request and 29 letter “A” characters, as below:

curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Because of its simplicity and remote exploitability, the vulnerability —tracked as CVE-2017-12542— has received a severity score of 9.8 out of 10. Rapid7 published a Metasploit module for it (https://www.rapid7.com/db/modules/auxiliary/admin/hp/hp_ilo_create_admin_account) and it’s also downloadable on Exploit-DB (https://www.exploit-db.com/exploits/44005/).

HP released patches for CVE-2017-12542 in August last year, in iLO 4 firmware version 2.54. So what is the issue? Well, researchers are presenting their PoCs at conferences and publishing all kinds of great info on the subject. Unless your organization is diligent at patching servers beyond the operating system, there are most likely a tonne of servers out there that are still affected. Many administrators I have spoken to are not overly worried about their internal servers. But think of the attacker who wants to pivot within a network: they now have a valid method of doing so.

Of course, where is the first place my brain wandered to... Shodan.

https://www.shodan.io/search?query=HP-iLO-4 – a nice initial 3,600 hits.

As you can see, it is not hard to find pre-2.5.3 versions ripe for the taking.

So all I can say, boys and girls, is: have a look at your HP servers, check your iLO version, and ensure you patch ASAP.
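To turn that advice into something you can run against an inventory, here is an added example (my own code, not from HP, Synacktiv or Rapid7) that parses the firmware revision an iLO reports on its unauthenticated /xmldata?item=all page and flags iLO 4 devices below the 2.54 fix version named above; it also flags an oversized, non-standard Connection header value of the kind the post describes, for anyone whose reverse proxy records request headers. The <MP><PN> and <FWRI> element names and the sample responses are assumptions, not captured from real devices.

```python
import re
import xml.etree.ElementTree as ET

# Firmware version in which HP shipped the fix, per the post above.
FIXED_VERSION = (2, 54)

def parse_version(text):
    """Turn an iLO firmware string such as '2.53' or '2.5' into a comparable tuple.
    iLO prints minor versions with two digits ('2.50'), so a bare '2.5' is padded
    to '2.50' rather than misread as 2.05."""
    major, _, minor = text.strip().partition(".")
    minor = (minor or "0").ljust(2, "0")
    return (int(major), int(minor))

def ilo_status(xmldata):
    """Report product name, firmware revision and whether an iLO 4 predates the fix.
    Element names (RIMP/MP/PN, RIMP/MP/FWRI) are assumed from the xmldata format."""
    root = ET.fromstring(xmldata)
    product = root.findtext("./MP/PN", default="")
    fw = root.findtext("./MP/FWRI", default="0.0")
    vulnerable = "iLO 4" in product and parse_version(fw) < FIXED_VERSION
    return {"product": product, "firmware": fw, "vulnerable": vulnerable}

# Constructed sample responses keyed by management IP (not real devices).
SAMPLES = {
    "10.0.0.10": "<RIMP><MP><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>2.50</FWRI></MP></RIMP>",
    "10.0.0.11": "<RIMP><MP><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>2.55</FWRI></MP></RIMP>",
    "10.0.0.12": "<RIMP><MP><PN>Integrated Lights-Out 3 (iLO 3)</PN><FWRI>1.88</FWRI></MP></RIMP>",
}

def unpatched_hosts(samples):
    """Return the management IPs whose xmldata marks them as unpatched iLO 4."""
    return sorted(ip for ip, xml in samples.items() if ilo_status(xml)["vulnerable"])

# Legitimate Connection values are short tokens (keep-alive, close, upgrade, ...).
# The post's trigger is a 29-character value, so a long value that is not a
# normal token list is worth an alert if your proxy logs request headers.
NORMAL_CONNECTION = re.compile(r"^(keep-alive|close|upgrade)(,\s*[\w-]+)*$", re.I)

def suspicious_connection_header(value):
    """True when the header value is 29+ characters and not a standard token list."""
    value = value.strip()
    return len(value) >= 29 and not NORMAL_CONNECTION.match(value)

if __name__ == "__main__":
    print("unpatched iLO 4 hosts:", unpatched_hosts(SAMPLES))
    print("odd Connection header:", suspicious_connection_header("A" * 29))
```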

Latest Retailer to Get Hit…

Hello All. Looks like Macy’s is the latest retailer to get hit by cyber criminals. Macy’s mentioned last week that attackers had obtained the names and passwords of some customers and may even have gained access to their credit card numbers and expiration dates, though not the CVV2 codes, which it does not store. Macy’s claims that the breach was small in scale, only affecting approx. 0.5% of customers registered on macys.com or bloomingdales.com. The breach apparently occurred between April 26 and June 10. On June 11, Macy’s detected the suspicious activity and soon after blocked the profiles in question. Macy’s said it has contacted the affected customers and will provide consumer protection services free of charge.

With a string of retail breaches since Target and Home Depot years ago, such as Adidas a few weeks ago and HBC (Saks Fifth Avenue, Saks Off Fifth, and Lord & Taylor stores), as well as companies hit by breaches in the last year such as Sears and Kmart, Whole Foods, and Under Armour, it doesn’t look like there is any end to the breaches, and it appears organizations aren’t implementing strong enough controls to protect the valuable customer data they are custodians of.