September 6, 2018

Thousands of unsecured 3D printers discovered online

By John E Dunn

You’ve installed an exciting new 3D printer in the office and decide you want to access it remotely because – heck – that sounds convenient… now what do you do?

According to an alert put out by the SANS Internet Storm Center (ISC), for 3,759 owners using an open-source monitoring utility called OctoPrint, the answer was to hook up their expensive 3D printer to the internet without bothering with the nuisance of authentication.

This is a bad idea because it’s trivially easy for someone with malicious intentions to spot the unsecured printer using Shodan (a search engine for internet-connected devices). In fact, the ISC was tipped off about the issue by someone who’d done just that.

The great thing about OctoPrint is how easy it makes it for an owner to control their complex 3D printer, but that applies to any other internet user connecting to it when access control is turned off.

In this state a hacker could steal valuable IP by downloading previous print job files in the unencrypted G-code format or, worse, try to damage the printer by uploading specially-crafted print files. Because most 3D printers have a built-in webcam for print monitoring, they could even watch their malicious print handiwork from afar.
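The configuration mistake behind that alert is a printer whose OctoPrint access control has been switched off and which then gets port-forwarded to the internet. The following is an added example (not code from the article or from the OctoPrint project) of the kind of check a defender would run over an OctoPrint config.yaml before exposing an instance. It assumes that `accessControl.enabled` and `server.host` are the config.yaml keys that switch access control on or off and choose the listening address, with defaults of `True` and `0.0.0.0`; the weak and hardened sample configs are constructed for illustration, not taken from any real printer.

```python
"""Defender-side audit of an OctoPrint config.yaml for the exposure above.

Added example, not code from the article or from the OctoPrint project.
Assumptions (labelled): ``accessControl.enabled`` and ``server.host`` are taken
to be the config.yaml keys that switch access control on or off and pick the
listening address, with defaults of True and "0.0.0.0"; the sample configs
below are constructed for illustration, not taken from any real printer.
"""
from typing import Any, List, Tuple

Finding = Tuple[str, str]  # (severity, message)


def _get(cfg: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted key path through nested dicts; return default if any hop is missing."""
    node: Any = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_octoprint_config(cfg: dict) -> List[Finding]:
    """Return the findings a reviewer would raise before exposing this instance.

    An empty list means: access control is on and the server only listens on
    loopback, so anything reaching it from outside must pass through a proxy
    or VPN that the owner controls.
    """
    findings: List[Finding] = []

    # Assumption: a missing accessControl section means the default, enabled.
    if _get(cfg, "accessControl.enabled", True) is False:
        findings.append((
            "high",
            "accessControl.enabled is false: anyone who can reach the web UI can "
            "download G-code, upload print jobs and view the webcam without logging in",
        ))

    # Assumption: server.host defaults to 0.0.0.0 (listen on every interface).
    host = _get(cfg, "server.host", "0.0.0.0")
    if host in ("0.0.0.0", "::"):
        findings.append((
            "info",
            f"server.host is {host}: listening on every interface; acceptable on a "
            "trusted LAN, but an internet-facing printer belongs behind an "
            "authenticating reverse proxy or VPN, not port-forwarded directly",
        ))

    return findings


def load_config(path: str) -> dict:
    """Read a real config.yaml (needs PyYAML; the demo below uses inline dicts instead)."""
    import yaml  # deferred import so the audit itself has no third-party dependency
    with open(path, "r", encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample: the weak setup the article describes (access control off,
# listening on every interface, then exposed to the internet).
WEAK_CONFIG = {
    "accessControl": {"enabled": False},
    "server": {"host": "0.0.0.0", "port": 5000},
}

# Constructed sample: access control on and bound to loopback only, so remote
# access has to go through an authenticating reverse proxy or VPN on the host.
HARDENED_CONFIG = {
    "accessControl": {"enabled": True},
    "server": {"host": "127.0.0.1", "port": 5000},
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_octoprint_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Running the script prints two findings for the weak configuration and none for the hardened one; pointing `load_config` at a real config.yaml turns it into a quick pre-exposure check. The design choice worth noting is that a bind-all address is only reported as informational: on its own it is normal on a home or office LAN, and it is the combination with disabled access control and direct internet exposure that produced the situation in the alert.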

Read more at https://nakedsecurity.sophos.com/2018/09/06/thousands-of-unsecured-3d-printers-discovered-online/

Ungagged Google warns users about FBI accessing their accounts

By Lisa Vaas

Dozens of people say they’ve received an email from Google informing them that the FBI has been sniffing around for information on their accounts. Now that a gag order has been lifted, the company is able to “disclose the receipt of the legal process” to any affected users, Google said.

That’s not entirely surprising: the gag orders that often accompany such requests keep organizations such as Google, Microsoft, Facebook and Apple from disclosing the order for a given period of time. Any email provider worth its salt nowadays issues transparency reports, and the biggest companies have called for increased transparency in government surveillance requests.

But these nondisclosure orders can be lifted, cybercrime lawyer Marcia Hoffman told Motherboard:

It looks to me like the court initially ordered Google not to disclose the existence of the info demand, so Google was legally prohibited from notifying the user. Then the nondisclosure order was lifted, so Google notified the user. There’s nothing unusual about that per se. It’s common when law enforcement is seeking info during an ongoing investigation and doesn’t want to tip off the target(s).

Who are the targets in the FBI’s inquiry – targets who can now be safely tipped off?

The emails lack specific details about whatever the FBI was investigating, though they did contain a case number that corresponded to a sealed case when Motherboard looked it up on PACER.

Read more at https://nakedsecurity.sophos.com/2018/09/06/ungagged-google-warns-users-about-fbi-accessing-their-accounts/

MEGA secure upload service gets its Chrome extension hacked

By Paul Ducklin

Remember MEGA – or, more precisely, Megaupload as it once was?

Sure, you do!

It was a New Zealand cloud storage business masterminded by Kim Dotcom, a larger-than-life digital-era entrepreneur (Dotcom is literally as well as figuratively big, standing more than 2m tall).

Megaupload is no more, having ended up embroiled in piracy allegations that led to a controversial raid on Dotcom’s home, Dotcom’s high-profile arrest, and the demise of the company.

Dotcom himself is still in New Zealand, where he’s been fighting extradition to the US for the past six years.

As far as we know, three Kiwi courts have already pronounced that his extradition can go ahead, so Dotcom is down to his final legal appeal now, assuming he can persuade the Supreme Court to hear his case.

After the bust

After the bust, the Megaupload service noisily reinvented itself, minus the controversial word “upload”, as the capital-lettered MEGA, bullishly and very pointedly launching on the anniversary of Dotcom’s arrest.

Read more at https://nakedsecurity.sophos.com/2018/09/05/mega-secure-upload-service-gets-its-chrome-extension-hacked/

Serious Fraud Office trialling AI for data-heavy cases

By Lisa Vaas

The BBC says it looks like a kids’ digital game: a mass of blue and green rubber balls bounce around the screen like they’re on elastic bands in a galaxy of paddle balls.

It’s no game, however. It is a new artificial intelligence (AI) tool that connects, and then visualizes, the parties and their interactions in a complex fraud inquiry. The UK’s Serious Fraud Office (SFO) recently gave the BBC a look at the system, called OpenText Axcelerate, which staff have been training on Enron: a massive corporate fraud case from 2001 that’s no longer actively being investigated.

The lines between the colored balls represent links between two people involved in the fraud inquiry, including the emails they sent and received, the people they carbon-copied, and the more discreet messages in which nobody was cc’ed.

SFO investigator Edgar Pacevicius told the BBC that a major advantage of the AI is that it can spot connections between individuals far more quickly than humans can. It’s designed to help investigators keep track of all the parties involved in a given, wide-scale fraud, with all their communications, along with individuals’ interactions with each other. The tool also groups documents with similar content, and it can pick out phrases and word forms that might be significant to an investigation.

Pacevicius:

Just click a couple of buttons and it takes me directly to what I’m interested to see, to pursue a line of inquiry or to close that line of inquiry, or something I’d like to put to a suspect.

We normally see a lot of euphemisms; there’s a lot of potential deception about the way people do corrupt activity.

What we’re trying to achieve is to find an intelligent technological solution that will allow us to not only identify those phrases but everyone involved.

In a speech on Monday, newly appointed SFO Director Lisa Osofsky said that she plans to focus on this type of cutting-edge technology. It’s a necessity, she said, given that the SFO is investigating “some of the most complex and data-heavy criminal investigations in any jurisdiction.”

Investigators have to deal with increasingly data-heavy cases. The SFO currently has a case that involves over 65 million files, and there’s an investigation in the pipeline that will involve more than 100 million files, Osofsky said.

Read more at https://nakedsecurity.sophos.com/2018/09/05/serious-fraud-office-trialling-ai-for-data-heavy-cases/

Knock, knock: Digital key flaw unlocks door control systems

By Danny Bradbury

Attackers could unlock doors in office buildings, factories and other corporate buildings at will, thanks to a flaw in a popular door controller discovered by a Google security researcher.

David Tomaschik, who works as senior security engineer and tech lead at Google, uncovered the flaw in devices made by Software House, a Johnson Controls company. Forbes reports that he conducted his research on Google’s own door control system.

Tomaschik, who described his project at a talk in August at DEF CON’s IoT Village, explored two devices. The first was iStar Ultra, a Linux-based door controller that supports hardwired and wireless locks. The second was the IP-ACM Ethernet Door Module, a door controller that communicates with iStar.

When a user presents an RFID badge, the door controller sends the information to the iStar device, which checks to see if the user is authorized. It then returns an instruction to the door controller, telling it to either unlock the door or to deny access.

Software House’s website still promotes the original version of its IP-ACM as a “highly secure option to manage their security”. But judging from Tomaschik’s research, that’s a bit wide of the mark.

The devices were using encryption to protect their network communication – however, digging through their network traffic, Tomaschik found that Software House had apparently been rolling its own crypto rather than relying on tried and tested solutions.

Read more at https://nakedsecurity.sophos.com/2018/09/05/knock-knock-digital-key-flaw-unlocks-door-control-systems/

Can ‘sonar’ sniff out your Android’s lock code?

By John E Dunn

Researchers have demonstrated a novel – if slightly James Bond – technique for clandestinely discovering the unlock pattern used to secure an Android smartphone.

Dubbed ‘SonarSnoop’ by a combined team from Lancaster University in the UK and Linköping University in Sweden, the idea is reminiscent of the way bats locate objects in space by bouncing sound waves off them.

Sound frequencies inaudible to humans, between 18kHz and 20kHz, are emitted from the smartphone’s speaker under the control of a malicious app that has been sneaked onto the target device.

These bounce off the user’s fingers as the pattern lock is entered and are recorded through the microphone. With the application of machine learning algorithms specific to each device (whose speaker and microphone positions vary), an attacker can use this echo to infer finger position and movement.

Technically, this is known as a side-channel attack because it exploits the characteristics of the system without the need to discover a specific weakness or vulnerability in its makeup (the Meltdown and Spectre CPU cache timing attacks from earlier this year are famous examples of this principle).

In the context of acoustic attacks, this method is considered to be active because sound frequencies must be generated to make it work, as opposed to a passive method where naturally-occurring sounds would be captured.

Read more at https://nakedsecurity.sophos.com/2018/09/05/can-sonar-sniff-out-your-androids-lock-code/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation