Research finds security risks prevent consumers from “buying” into mobile banking

According to a recent report, banking customers are hesitant to use mobile features due to fraud and security concerns. The findings showed that of those not using mobile banking at all today (36 percent), more than half of them (74 percent) cited security as the major reason, which could slow the overall adoption of mobile banking services at a time when mobile device usage is exploding. Ryan Wilk, director at NuData Security, offered the following comment to @DFMag:

“We’re not at all surprised to see this reluctance on the part of consumers to adopt mobile banking wholeheartedly. It’s entirely understandable given the onslaught of daily stories about breaches, and the growing awareness about the security vulnerabilities of many mobile apps.

Consumers are gradually being schooled in online security, even if it is by getting their hands burned first. According to the new ACI 2016 Fraud Report, almost one in three UK consumers (29%) has been a victim of card fraud in the last five years, with much of that fraud perpetrated by fraudsters who made online purchases using hacked or stolen card details. Just as chilling is the figure that a full 17% have been victimised multiple times.

Perhaps customers are learning from these negative experiences, or it might be a trust issue. They likely fear that banks really don’t have control of their mobile security, or a combination of both.

What’s concerning to us is the finding that 44% of those surveyed would significantly increase their mobile banking usage with more security. In general, we’d be in favour, provided this security is actual security and not just more “security theatre” as we’ve seen time and time again. By this, we mean that adding more single-modal endpoint security layers is likely to just add more and more friction into the process and have marginal fraud prevention impacts.

Instead of layering on more solutions that will continue to provide limited data, FIs can see this study as an opportunity. It’s clear that customers actually want real security. This means looking at the entire lifecycle of the account and continuously identifying patterns of behaviour that indicate fraud. Understanding how good customers behave will enable them to address these customer fears and concerns.

The good news is that these solutions are readily available on the market and are positioned to help banks provide winning customer experiences, improve their rates of false declines and lower account-based fraud.”


Government surveillance survey statistics from Comparitech report

In the light of the recent news on the approval of the IP Bill by David Anderson, it is crucial to understand the public’s opinion and concerns about government surveillance, data privacy and security. Even if such scrutiny measures only harvest large quantities of data from the Internet and emails (bulk interception), the public needs to be aware of the government’s actions and of their right to privacy.

Earlier this year, Comparitech.com commissioned a survey of 1,000 people across the United Kingdom which questioned respondents on government bulk surveillance and the sale of their personal data to third parties. Part of the survey results unveiled that:

  • 79.3% of respondents say they would not pay a premium for any of the major social networks or Google in exchange for a guarantee that their private information would not be sold to third parties.
  • 47.1% of the UK survey takers said they think the government currently snoops on their data.
  • When asked in what scenarios the government should be legally allowed to intercept any communications, 77.2% of respondents answered “terrorism” and 64.9% replied “criminal activity”.

Richard Patterson, Director of Comparitech.com, said: “The public’s lack of concern for their privacy rights, borne out by these statistics, is worrying and begs the question how much further such rights will be eroded before the realisation dawns on quite what has been sacrificed.”

For more insights and data from Comparitech’s survey, visit their blog: https://www.comparitech.com/blog/vpn-privacy/uk-supports-bulk-interception-spying/


The rise of the information age and what you need to know about cyber defense

In today’s digital age, almost everyone has left a footprint on the World Wide Web. With so much data being shared online daily, there are those who use the relative anonymity of the internet to maliciously steal valuable and private information. The question is: how does a cyber security professional identify potential cyber issues and combat threats to the security landscape?

Find out how in this article: http://bit.ly/2bm4CzR

or simply email enquire@iqpcexchange.com to request a copy.

In November, Cyber Security Exchange Asia will be addressing these issues. If you are interested, you can download the Delegate Information Pack (http://bit.ly/2blGg7Z) or the Sponsorship Information Pack (http://bit.ly/2bbWZeK).


Digital Forensics and Information Security Analyst Certification and Career Path guide

By: David Parker

Cyber security is fast becoming a necessary component of all businesses and agencies. The demand for tech gurus who can solve crimes is growing all the time as hackers from home and abroad seek to crack servers and networks in the United States. Why not work to thwart them with a computer forensics certification? Though this is not an easy credential to add to your resume, it will be worth the hard work and effort when you have the gratification of busting cyber bad guys. You will also qualify for a broad range of jobs, and your salary will likely see a dramatic increase, too.

The Certification Exam

To become eligible for a computer forensics certification, you will need to pass a test. Prior to the test, you will need to study the field and sharpen both your soft and hard skills. You can get prepared either in a purely academic scenario, by taking forensics courses online, or with professional experience. If you have professional experience only, it may be beneficial to read up on areas that you might not cover in your daily work. For instance, you might not work with all the laws that apply to the field, and those might show up on a soft skills test.

Your hard skills might be put to the test in a set of practical scenarios where you will need to demonstrate your knowledge in a simulation. You will often be given a significant amount of time to complete the simulation. Successful candidates will analyze the files they’ve been given and then write up a report that could be entered as evidence in a court of law. Certification programs will seek stellar outcomes in areas that include, but aren’t limited to, the following subjects:

  • Computer ethics and law
  • Investigation procedures
  • Tools of forensic investigators
  • Legal data recovery that follows the rules of evidence
  • Data structure forensics
  • Assessing evidence
  • Recovering evidence from various operating systems, including Windows and Linux
  • Collecting evidence from volatile memory
  • Report writing

Benefits of Certification

Depending upon which professional body provides your certification, you may find that a host of benefits become available to you. Often, certifying bodies allow you to participate in their private listservs, receive group benefits for things like professional liability insurance, and have access to a wide network of other forensics professionals. Other benefits may include access to proprietary professional journals, research and development projects and newsletters.

Once you pass your certification exam, you may find that you are eligible for a wider range of jobs. While your on-the-job experience might have qualified you previously, it is important to gain a respected credential that demonstrates a dedication to the field, as well as providing solid evidence that you have mastered certain areas in the field. Professional designations always help garner immediate respect and qualify you as the professional you are so that you can advance faster without having to prove your worth.

Career Paths

You can then move your career forward along a number of different paths. You can apply to work with law enforcement agencies who are hungry for computer investigators, or you might seek work with a corporation that finds your particular skill set valuable to its information technology department. Some of the job titles that you can consider might include the following:

  • Digital Forensic Analyst
  • Computer Security Incident Response & Recovery
  • Cyber Security Malware Analyst
  • Security Engineer
  • Forensics Cyber Weapons and Tactics Advisor
  • Application Security Analyst
  • Security Auditor
  • Security Manager
  • Penetration Tester

Consultancy Practices

Many computer forensics specialists also pursue careers as business consultants. If you choose this path, you are likely to join a team that might include penetration testers, programmers and other IT professionals with a wide range of specialties. As a consultant, you might work with a firm or on your own. In a firm, you will have a support system that will handle various aspects of work such as benefits, administrative support and a dedicated team. If you work as an independent consultant, you may need to find subcontractors in your field and having a solid network from your certification program could prove invaluable.

Your consultancy practice might take a few different tracks as well. You could work as a legal consultant for law enforcement departments and agencies that don’t keep forensics experts on staff. In that scenario, you might be called to a job at a moment’s notice. Investigators will need your expertise as soon as possible so that you can begin the evidence-collection process.

It may also be that you consult for legal defense teams, helping to exonerate those who have been wrongfully accused. Those cases will often involve you arriving after investigators have amassed evidence. Your job will then be to provide an independent opinion of the evidence and what it really means for the court. Whether you work for the prosecution or the defense, you will probably be asked to write a comprehensive report along with testifying in court.

Homeland Security Jobs

The Department of Homeland Security is also actively seeking professionals who can help thwart and investigate cyber crimes. After you have served a significant tenure helping to protect the national interest, you might find yourself all the more hireable by independent contractors. If you have some of the following skills, you could qualify for a full-time position with federal law enforcement:

  • Cyber Incident Response
  • Cyber Risk and Strategic Analysis
  • Vulnerability Detection
  • Intelligence and Investigation
  • Networks and Systems Engineering
  • Digital Forensics Analysis
  • Software Assurance

Salary and Career Outlook

Salaries for those with a computer forensics certification vary according to the stage of your career, your chosen path and even where you live in the country, as salaries are often calibrated according to the local cost of living. Nonetheless, the U.S. Bureau of Labor Statistics cites the median annual income for Information Security Analysts at $88,890 for 2014. That number is for a professional with a bachelor’s degree and less than five years’ experience. You might find that you earn more with a higher level of education and experience. The BLS projects that the field will grow by 18 percent through 2024, which is much faster than average for all career fields.


Retail chain Eddie Bauer discovers POS malware at stores

Clothing store chain Eddie Bauer said it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of January may have been compromised in the breach.

George Rice, senior director, payments at HPE Security – Data Security, told @DFMag:

“Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale. And unfortunately, POS systems are often the weak link in the chain — they should be considered insecure even after implementing EMV. A POS terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.

Any businesses using POS systems can avoid the impact of these types of advanced attacks. Proven methods, such as Format-Preserving Encryption are available to neutralise data from breaches either at the card reader, at the point of sale, in person or online. Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.2 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organisation handling card payment data.

The good news is that savvy merchants are implementing Format-Preserving Encryption, giving the malware nothing to steal, which also has a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. The attackers get only useless encrypted data.”
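The encrypt-at-the-reader approach described in the comment above, shown as an added example that is not HPE's code or any product's implementation: a simplified Feistel-style format-preserving cipher over decimal digits, keyed with HMAC-SHA256, with the key, the test PAN and the keep-BIN-and-last-four layout as constructed assumptions. The point it demonstrates is that the value handed to the POS application keeps the length and digit-only format of a card number, so existing POS field handling is unchanged while a memory scraper sees only ciphertext.

```python
"""Format-preserving encryption (FPE) of a card number at the card reader.

Added example, not code from the article or from HPE: a simplified Feistel
network over decimal digits with an HMAC-SHA256 round function. It shows what
"format-preserving" means; it is NOT NIST FF1/FF3 and is not suitable for
protecting real card data.
"""
import hashlib
import hmac

ROUNDS = 10  # even, so both halves end at their original widths


def _prf(key: bytes, rnd: int, half: str) -> int:
    """Keyed round function: HMAC over (round index, the other half) as an integer."""
    mac = hmac.new(key, bytes([rnd]) + half.encode("ascii"), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big")


def fpe_encrypt_digits(key: bytes, digits: str) -> str:
    """Encrypt a decimal string to a decimal string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a decimal string of at least 2 digits")
    n = len(digits)
    u, v = n // 2, n - n // 2          # left/right half widths (differ when n is odd)
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v    # width of the half being replaced this round
        c = (int(a) + _prf(key, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)     # Feistel swap; zfill keeps leading zeros
    return a + b


def fpe_decrypt_digits(key: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt_digits: run the same rounds backwards."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, i, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan_at_reader(key: bytes, pan: str) -> str:
    """What the card-reading terminal hands to the POS application.

    Layout is an assumption for this example (a common deployment choice, not
    taken from the article): first six digits (issuer/BIN) and last four stay
    in the clear for routing and receipts; everything in between is encrypted.
    """
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13-19 digits")
    head, middle, tail = pan[:6], pan[6:-4], pan[-4:]
    return head + fpe_encrypt_digits(key, middle) + tail


def recover_pan_at_processor(key: bytes, protected: str) -> str:
    """Only the party holding the key (e.g. the payment processor) can undo it."""
    head, middle, tail = protected[:6], protected[6:-4], protected[-4:]
    return head + fpe_decrypt_digits(key, middle) + tail


# Constructed sample values: a demo key and the widely published Visa test PAN.
SAMPLE_KEY = hashlib.sha256(b"constructed demo key - not a real key").digest()
SAMPLE_PAN = "4111111111111111"


def demo() -> dict:
    """Run the reader -> POS -> processor flow once and report what each side sees."""
    protected = protect_pan_at_reader(SAMPLE_KEY, SAMPLE_PAN)
    return {
        "in_pos_memory": protected,                       # what a scraper would read
        "same_format": protected.isdigit() and len(protected) == len(SAMPLE_PAN),
        "recovered": recover_pan_at_processor(SAMPLE_KEY, protected),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```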


Security issues that could occur within Company Server Rooms

By: Michael Baker

As any business and IT professional will tell you, protecting data within a business is critical, so a company server room has to have optimal physical and technical security. Companies need to be aware of the vulnerability of data to hacking by those who would use it for malicious purposes. Hackers could use data about customers or that relating to the company itself for financial gain. The company may also have sensitive information relating to its own operations and future plans that it does not want to share.

Compliance with data regulation is another issue that needs to be taken into account when developing and maintaining security procedures for company server rooms. Loss of data can also impact the productivity of a company and its staff, with people left for potentially long periods of time trying to resolve customer issues, or even with little to do while awaiting restoration of IT systems following a breach of security. In this day and age, many companies are operating on a round-the-clock basis, and that is certainly the case in respect of IT systems, so any slowdown or halt to productivity can be very damaging indeed.

In terms of physical security, the server room structure itself needs to be secure. Access should be granted to authorised individuals only. This could mean restricting the number of key holders or, if a company’s budget allows it, the installation of a system using fingerprint recognition technology. Another alternative would be to install a proximity card reader system. Alarm and alarm monitoring systems are also essential, not just for protection of a server room but also for an entire business premises. In the case of a server room built separately from the rest of the business premises, security caging and toughened security gates would be highly advisable.

We live in a digital age, of course, so security of data means cyber security as well as physical security of the server room itself. The physical entry system should be aligned with the login systems inside the room so that only those individuals who have physical access can log on to the systems from within the server room. Have a company-wide cyber security policy and ensure everyone knows their responsibilities. Cyber attacks identify and exploit points of vulnerability, and those are often attributable to employees lacking basic knowledge of good cyber security. As for the company itself, it needs to keep abreast of the latest threats and ensure that its systems are up to date. At its most basic, cybersecurity means ensuring that IT systems can proactively identify threats, block access and prevent the loss of data, while having the ability to patch vulnerabilities at the same time.

The security of a server room starts with the server room fit out and a professional installation company will work with you through each step of the design process to ensure your security needs are met and that compliance with security regulations is taken into account. 

A company server room needs to be secure because data regulators expect full compliance with regulations and customers naturally expect their data to be secure. Loss of information can mean loss of reputation as well as a financial loss for a company.  


New Pokemon Go Ransomware discovered, industry experts comment

A new ransomware sample poses as a version of Pokémon Go for Windows. Its features include a backdoor Windows account, spreading the executable to other drives, and creating network shares.

IT security experts from Lieberman Software, ESET and Tripwire discuss the ransomware:

Jonathan Sander, VP of Product Strategy at Lieberman Software:

Is there anything different/interesting about this ransomware?
“This Hidden-Tear ransomware is either the cutting edge or class clown of the malware world. Generally, ransomware is built to extract money and leave no traces. Hidden-Tear behaves like a malware hybrid that encrypts files and asks for ransom, but also attempts to spread in ways normally associated with a virus. Maybe that’s the start of something new and dangerous. But it’s equally likely this is the work of someone who is taking ideas from all over without really understanding their implications. Anyone who has used software has run into features added where they can’t imagine what the developer was thinking. Hidden-Tear may be a malware developer throwing in features just because it’s possible versus because it’s a good idea.”

What can users do to protect themselves?
“One thing Hidden-Tear does well is try to play on people’s desires. Malware always needs an angle to get you to click, and few things capture the spirit of the day like Pokémon Go. With many Arab countries moving to ban or limit the game, a malware that offers people a way to perhaps play despite the government interference is click bait that’s sure to trap some. People need to use what should be common sense here – in this case realizing that a mobile app appearing on their PC is *actually* too good to be true.”

How successful can this ransomware be?
“If we’re going to measure Hidden-Tear as ransomware, then its success should be measured in cash. It’s likely not got the same professional approach as many eastern European ransomware operations, which often boast legitimate call centers and oddly get high marks from victims on customer service. Without this high grade money collection system, it is unlikely it will grab any huge amount of cash unless the creator gets very lucky.”

Mark James, Security Specialist at ESET:

“As with most projects or events that generate so much interest in the IT world, it’s inevitable that malware will soon follow, often tailored to help, mimic or guide you. The whole PokemonGo phenomenon was of course going to be no different; people will want to play it on all platforms: iOS, Android and their desktop systems. This particular piece of malware is a little different though: it not only wants to infect you with ransomware, it appears to have a hidden agenda. Most ransomware deletes itself once the job is done, but this particular piece of malware goes a little further by installing a hidden user account with admin privileges, which could enable someone at a later date to remotely connect back to the infected computer and perform other malicious tasks.

It’s currently targeted at Arabic victims but could easily be adapted for global use, and we could see it modified and spread in other countries. Malware is constantly changing, and having a good multi-layered, regularly updating internet security product is a must these days if you want to keep safe. Keep your operating system and applications updated and on the latest versions, and make sure you have some kind of backup to protect any data you can’t afford to lose. Ransomware these days is a very real threat, and having a good backup solution will enable you to restore your data easily and quickly and not succumb to funding criminal activity by paying the ransom.”

Travis Smith, Senior Security Research Engineer at Tripwire discusses:

“Fans of the Pokemon Go game are eager to catch them all, but must be wary of catching malware. While the malware is not fully production code, it highlights the intent of some malware creators to capitalize on the Pokemon Go craze. Users looking for Pokemon should be wary of any third party applications or services looking to assist your search.

The fact that the malware is creating users is a new ransomware development. It’s unclear if the intent is to maintain persistence or be an indicator to avoid multiple infections of the same box. Either way, it’s clear the ransomware is looking to spread itself to network shares and removable drives to both spread infection and potentially cripple backups, the primary recovery method for ransomware.”


Hackers attack over 20 hotels from various established brands

Following the news that hackers have attacked 20 hotels run by HEI Hotels and Resorts, including Hyatt, Marriott, Starwood and Intercontinental, with targeted malware, Ken Bechtel, malware research analyst at Tenable Network Security, offered @DFMag the following comment:

“The latest string of point-of-sale (POS) malware attacks on retail and hospitality systems is indicative of the evolving threat environment. Mobile devices have become one of the largest growing threats for malware, and storing credit card data in various e-wallets, and in some cases apps, such as those used in fast service coffee shops, provides a lucrative target for profit-driven malware authors.

“However, we often forget that the consumer is at a distinct disadvantage when dealing with POS malware, as this threat is beyond their control. While card holders can help protect their accounts by watching for skimmers, keeping their card within sight while paying bills and checking credit card statements for fraudulent activity, once a POS system is compromised there is nothing the user can do to prevent the activity. It’s the responsibility of the organisation to detect anomalies in credit card transactions and then take ongoing steps to prevent and remediate potential malware threats.

“Unfortunately, many companies struggle to keep up on security due to staff shortages, or a lack of proper tools to look for and identify abnormal network activities that could indicate a new piece of malware on the network. Although one-hundred percent prevention is unrealistic, having complete visibility into the overall security posture will help organisations lessen the risk of exposure to customers and detect vulnerabilities earlier.”


Yahoo data breach, 200 million users’ data allegedly offered for sale on dark web – industry comments

It has been reported that 200 million Yahoo! accounts appear to have been compromised following their appearance on the dark web site TheRealDeal. Usernames, hashed passwords and dates of birth appear to have been compromised. The data sample includes some credentials which correspond with real accounts. Several industry experts offered the following comments:

Stephen Gates, chief research intelligence analyst at NSFOCUS:

“It appears that Peace is at it again. The individual has dumped millions of user credentials from 4-year-old breaches online over the past few months, and has increased his or her income quite significantly – in a relatively short period of time. Too bad that many of the hard working people all over the world who may have had their credentials breached in these cyber-attacks spend years trying to make the same amounts of money Peace has made in a few short months. Happy are those who work for what they earn and don’t take the easy way out by living a life of crime. Maybe Peace will begin to follow their lead and use his or her skills for a more noteworthy purpose. There are lots of problems in the world that need fixing. Filling our pockets will solve none of them.”

Lisa Baergen, director at NuData Security:

“All indications are that this is an old breach (2012), prior to Yahoo changing the method in which they store and protect passwords. This dark web “sale” of old data appears to have been triggered by the sale of Yahoo to Verizon. The “hacker” sent his demand for extortion to the Verizon CISO, who appears to not have taken the bait… and now the data is “for sale”.

This hack illustrates that the software industry, as a whole, needs to stay vigilant because PII data continues to be targeted wherever it may live and that hackers aren’t taking the summer off. We’ve pointed out time and time again that data breaches don’t occur in a vacuum. Hackers are making a living by selling this data on the dark web; they do it because they can pay the bills doing it, and what everyone should be asking themselves is why are folks buying it? Because that data — your data, my data and everyone’s data — gets bought for pennies, bundled up into bigger packages (identity sets) called “fullz”, and used as fuel. Fuel for a much more lucrative project that is making people even more money, and putting their kids through school. These folks don’t give a hoot about you, your privacy and your accounts. They’ll use your stolen credentials and take them over, apply for loans in your name, grab your refund from the IRS, and order that new TV from your favourite online electronics retailer’s account without even thinking about it. Once you’ve fixed that, they’ll do it again because they know your mom’s middle name and your hometown high school. And, most of the time, it goes back to the breach. The infinite feed source.

That’s why behavioural biometrics analysis is so necessary. Using this intelligence, fraud can be stopped at any point where there is an authentication test because the software is so good at determining who’s a real user and who is a fraudster. Companies using these tools have a much more accurate understanding of the user, and a lot more options. Fraudsters logging in with your valid credentials just don’t get through because they don’t behave like you. Period.

Breaches may not be 100% preventable, but it is possible to prevent hackers from being able to use the data they steal in these incidents, effectively making it worthless. At the very least, behavioural biometrics and analysis would prevent fraudsters from taking the Yahoo data and leveraging it elsewhere.”

David Gibson, VP of strategy and market development at Varonis:

“These large-scale data dumps continue to chip away at our privacy. While specifics like account data, passwords and user preferences may have comparatively low value in the short term, over a longer time horizon data dumps will continue to make it easier for hackers to aggregate and establish a clear identity of their victims, especially as the sophistication of the aggregated data dumps advances. This Yahoo breach goes to show how a single significant breach can come back to haunt a business (and its customers) again and again. It also highlights just how in-the-dark companies typically are after a breach. After a breach occurs we usually see a statement claiming that the security team has “isolated the affected systems,” but seasoned security researchers know that far too often the scope and severity of a breach is indeterminable due to a lack of comprehensive monitoring and logging.

Our observations suggest that businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organisations need to address – external and internal. The number of reported breaches will no doubt continue to increase. More companies are keeping more information from consumers and business partners, which increases the value of a potential breach. In order to be productive, company networks can’t be 100% isolated, and no matter how much time and money you spend on security tools, nothing is fool-proof, especially when the weakest links in the chain are the people who need access to data in order to do their jobs. Spear phishing attacks that provide hackers with valid credentials are increasing in frequency and sophistication, so administrators and security practitioners should assume that if their networks aren’t already breached, there’s a good chance they may be some day.

When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time securing what you truly need to protect: data. Make sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organisations identify attackers on their network and hopefully mitigate any damage.

Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly.”

Simon Crosby, CTO and co-founder of Bromium:

“This incident at Yahoo will be a wake-up call for people, but it’s not the first. Certainly it will provide a clear message to chief execs that if something like this happens then they can expect to be paraded in front of a voracious media – and they’d better have some good answers to some tough questions. Businesses have no excuse that they were not aware nor prepared for such attacks. They’ll need to prove that they took all reasonable steps to protect themselves. How they respond may be the difference between a damaging incident, and fatal disaster.

Users need to be vigilant. If you use any services whose data, if stolen and made public, could be used against you, then edit your profile now to include false information and a fake email address, or an alternative, randomised, non-work email address from an online provider. Users should also be on the lookout for strange-looking emails from friends whom you would normally trust – their account might have been compromised. Finally, reset your online service passwords, such as your bank’s, if you think your email may have been compromised, since many SaaS apps use email to confirm password changes.”

Technical Report: Vulnerabilities in Ruckus Internet Routers

By: Craig Young

Wireless routers designed for consumers often do not employ proper security practices. This topic was extensively covered in VERT’s 2014 report, “SOHO Wireless Router (In)security”. Our research revealed that 74% of the 50 top-selling consumer routers on Amazon shipped with security vulnerabilities, including 20 different models where the latest firmware from the vendor was exploitable. Many people I have discussed this research with have expressed the opinion that, for one reason or another, this problem is more or less confined to the consumer sector. My suspicion was that feature wars and low profit margins could be contributing to the epidemic of insecure routers. In an attempt to determine whether this issue was limited to the consumer market, I decided it would be necessary to obtain and evaluate a wireless router designed for enterprise networks.

Naturally the first step of this research project was to pick a target.  Whereas there are many brands of consumer routers and they are cheap enough that I could reasonably buy a variety of devices, enterprise equipment is not cheap, meaning that I would be limited to testing a single product family.  I started by conducting some war walking with the Android Wi-Fi Analyzer app to get an idea of what brands are being installed in real-world environments.  From this I found that Ruckus and Cisco seem to have a strong hold on the market.  A report from Dell’Oro Group stated that Ruckus accounted for 42% of the units shipped in 4Q14 and so, with that, I decided to proceed with Ruckus.

In order to keep my comparison meaningful, I decided it would be best to limit the scope of my testing to the HTTP interface and use the same methodology I used for finding vulnerabilities in the consumer routers.  This was easy because I had already established an effective testing process over the course of a few router security assessments.  At a high-level, I use a combination of manual fuzz testing and partially automated querying based on information extracted from firmware and shell access where available.  Earlier this year, I taught about these techniques at length during an AusCERT tutorial session titled ‘Brainwashing Embedded Systems’.  I am also happy to report that I will again be sharing this knowledge in a DEF CON 24 workshop as well as a SecTor 2016 training session. 

Before investing in an expensive high-end Ruckus model, I decided to start my tests with a second-hand Ruckus ZoneFlex running the latest available firmware as of 10/27/15. Within a few minutes of setting up the device, I found a command injection which is exploitable through a forged request due to a general lack of CSRF tokens. As with many of the consumer routers I had tested, the ZoneFlex offers administrators an option to perform diagnostics including a simple ping test, with apparently no input sanitization. In every case where I’ve found this flaw on a consumer router, it has been pretty devastating. Although lightweight consumer embedded devices commonly have all processes running as uid 0 (root), I thought certainly an enterprise product would use privilege separation. The ping operation requires no special privilege, so it should be running as a user with limited access. I tested this theory by crafting a ping parameter to spawn a telnet daemon and, to my surprise, it worked and I was granted a root shell. This was more than enough confirmation to me that it would be worth the investment in a current model.
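The ping diagnostic described above, as an added example that is not part of the original report and is not Ruckus firmware code: a constructed illustration of the injectable pattern (a form value interpolated into a shell command line) next to a hardened handler that validates the target against an allow-list, passes it to `ping` as a plain argv entry with no shell involved, and requires a POST carrying a session-bound CSRF token so a forged cross-site request cannot trigger it. All function names, form-field names and the session layout are assumptions made for the example.

```python
from __future__ import annotations

import hmac
import ipaddress
import re
import secrets
import subprocess

# ---- Vulnerable pattern (constructed illustration, not vendor firmware code) ----
def build_ping_command_unsafe(target: str) -> str:
    """Interpolates the form value straight into a shell command line.
    Any shell metacharacter in `target` (';', '|', '&', '`', '$(...)') turns
    the ping page into an arbitrary-command runner with the web server's
    privileges, which on many embedded devices is root."""
    return f"ping -c 3 {target}"

# ---- Hardened pattern ----
# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading hyphen,
# at most 253 characters overall. Because a leading '-' is excluded, a value
# can never be parsed by ping as an option.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def validate_ping_target(target: str) -> str:
    """Allow-list validation: accept an IPv4/IPv6 literal or a hostname,
    reject everything else (spaces, metacharacters, option-like prefixes)."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"invalid ping target: {target!r}")

def build_ping_command_safe(target: str) -> list[str]:
    """Returns an argv list. With shell=False no shell parses it, so even a
    metacharacter that slipped past validation would be an inert argument."""
    return ["ping", "-c", "3", validate_ping_target(target)]

def run_ping(argv: list[str], timeout: float = 15.0) -> str:
    """Executes the validated argv without a shell and with a timeout so a
    slow target cannot tie up the management interface."""
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return result.stdout

# ---- CSRF protection for the diagnostics form (assumed session layout) ----
def issue_csrf_token(session: dict) -> str:
    """Stores a fresh random token in the server-side session and returns it
    so the form can embed it as a hidden field."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token

def handle_ping_request(method: str, form: dict, session: dict) -> list[str]:
    """Diagnostics run a process, so treat them as state-changing: require POST
    and a session-bound token compared in constant time. A forged cross-site
    request cannot read the token, so it cannot pass this check."""
    if method != "POST":
        raise PermissionError("ping must be submitted via POST")
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        raise PermissionError("missing or invalid CSRF token")
    return build_ping_command_safe(form.get("target", ""))

if __name__ == "__main__":
    session: dict = {}
    token = issue_csrf_token(session)
    print(handle_ping_request("POST", {"csrf_token": token, "target": "10.0.0.1"}, session))
    for bad in ("10.0.0.1; id", "-f", "10.0.0.1 127.0.0.1"):
        try:
            handle_ping_request("POST", {"csrf_token": token, "target": bad}, session)
        except ValueError as exc:
            print("rejected:", exc)
```

The allow-list plus argv approach is the part that actually closes the injection; escaping for the shell is fragile on BusyBox-style firmware. The CSRF check is independent of it: even a fully sanitized ping page still lets a third-party site drive the device's diagnostics if the request is accepted without a token.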

After some Google searches, I found that I was not the only person aware of this blatant command injection.  My ZoneFlex model was EOL with rather old firmware so naturally I expected that this low-hanging fruit would have been fixed in the new product. My research picked up again 12/3/2015 when I set up a Ruckus H500 access point with the latest firmware (100.1.0.0.432); I was shocked to find that the ping injection still worked!  After obtaining a shell on this fully patched access point, I proceeded by creating a simple list of files contained in the web server’s document root.  This is a trivial process possible from either the shell access or through firmware extraction and can be supplemented by locating possible URIs embedded within the server’s binaries. In this particular case, I limited myself just to the files visible in the firmware update.  I then fed this list into a script I have for crawling an HTTP server and recording which files are accessible without authentication.  As was commonly the case with consumer devices, this rather simple process exposed a few flaws:

Authentication Bypass: All requests containing a particular string received ‘200 OK’ responses. By creatively adding this string to other requests, I was able to get response data intended only for authenticated queries. This is a behavior I have observed in routers from NETGEAR, TRENDnet, and Asus.

Denial of Service: There is a particular page accessible over HTTP without authentication that, when requested over SSL, causes the management interface to become unavailable.  This is a serious issue as the product relies on HTTP when used as a hot spot.

Information Disclosure: The device’s serial number is exposed by the HTTP server.  It is unclear whether this has any direct security impact but it may be useful to an attacker as part of a social engineering ploy.  I have also observed other products where the serial number is used as a means to prove ownership of a device.
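The file-list crawl described above, as an added example that is not Craig Young's script: it takes a list of document-root paths (as extracted from the firmware), requests each one with no cookies or credentials and without following redirects, and buckets the results. The two cases a naive status-code check gets wrong are handled explicitly: a redirect to the login page and a "soft 200" that serves the login form in place of the requested page are both recorded as protected, not as leaks. The sample site map, its paths and its responses are constructed placeholders, not captured from any Ruckus device.

```python
from __future__ import annotations

import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable

@dataclass
class Probe:
    """What one unauthenticated request came back with."""
    status: int
    location: str | None   # Location header of a redirect, if any
    body: str              # first few KB of the body

Fetcher = Callable[[str], Probe]

# A 200 whose body carries a password field is almost always the login form
# served in place of the requested page: a "soft 200", not a leak.
LOGIN_MARKERS = ('type="password"', 'name="password"')
STATIC_SUFFIXES = (".js", ".css", ".png", ".gif", ".jpg", ".ico")

def classify(path: str, probe: Probe) -> str:
    """Buckets one probe: exposed / protected / static / missing / other."""
    if path.lower().endswith(STATIC_SUFFIXES):
        return "static"                      # expected public, review separately
    if probe.status in (401, 403):
        return "protected"
    if probe.status in (301, 302, 303, 307, 308):
        if probe.location and "login" in probe.location.lower():
            return "protected"               # bounced to the login page
        return f"redirect:{probe.location}"
    if probe.status == 200:
        if any(m in probe.body.lower() for m in LOGIN_MARKERS):
            return "protected"               # soft 200
        return "exposed"                     # real content without credentials
    if probe.status == 404:
        return "missing"
    return f"other:{probe.status}"

def crawl(base_url: str, paths: list[str], fetch: Fetcher) -> dict[str, list[str]]:
    """Requests every path from the firmware's document-root listing without
    credentials and groups the paths by verdict."""
    report: dict[str, list[str]] = {}
    for path in paths:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        report.setdefault(classify(path, fetch(url)), []).append(path)
    return report

def http_fetch(url: str, timeout: float = 5.0) -> Probe:
    """Live fetcher: no cookies, no Authorization header, and redirects are not
    followed so a bounce to the login page is recorded as such."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return Probe(resp.status, resp.headers.get("Location"),
                         resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Probe(err.code, err.headers.get("Location"),
                     err.read(4096).decode("utf-8", "replace"))

# Constructed sample site (hypothetical paths and responses, not captured
# from any real device) standing in for a router's document root.
FAKE_SITE = {
    "/index.html": Probe(302, "/login.html", ""),
    "/login.html": Probe(200, None, '<form><input type="password" name="password"></form>'),
    "/status.html": Probe(200, None, '<p>Please log in</p><input type="password">'),
    "/config/backup.txt": Probe(200, None, "wlan0 ssid=guest key=EXAMPLE-ONLY"),
    "/js/app.js": Probe(200, None, "function f(){}"),
    "/admin/serial.xml": Probe(200, None, "<serial>PLACEHOLDER-SERIAL</serial>"),
    "/old.cgi": Probe(404, None, "not found"),
    "/api/reboot": Probe(401, None, ""),
}

def fake_fetch(url: str) -> Probe:
    """Offline fetcher that answers from FAKE_SITE."""
    path = "/" + url.split("/", 3)[3] if url.count("/") >= 3 else "/"
    return FAKE_SITE.get(path, Probe(404, None, ""))

if __name__ == "__main__":
    for verdict, paths in crawl("http://192.0.2.1", list(FAKE_SITE), fake_fetch).items():
        print(f"{verdict:10s} {', '.join(paths)}")
```

Run against a real device by passing `http_fetch` instead of `fake_fetch`; the "exposed" bucket is the list to review by hand, since some files (help pages, captive-portal assets) are legitimately public while others, like a configuration backup or a serial-number page, are exactly the information-disclosure findings the report describes.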

In addition to these three flaws, I also found that authenticated requests for a certain page would trigger excessive memory consumption causing the HTTP server to reload as well as possible disruption to other services.  This vector is exploitable via GET requests and therefore lends itself to CSRF attacks through malicious image tags in HTML documents or emails.  Over the next few weeks, I also confirmed that these vulnerabilities were present and exploitable within other Ruckus models including the Zone Director which allows centralized management of Ruckus APs.

These were not the only vulnerabilities in the Ruckus access point, but at this point I reached out to the vendor. Unlike with some vendors where it takes guesswork to figure out an appropriate security contact, Ruckus has a page listing a PGP key and email address for reporting vulnerabilities. While this is normally a good sign of a responsive organization, repeated attempts to email them my report resulted in bounces. In early January 2016, about a month after I first reached out to Ruckus, I emailed several other posted addresses stating my problem reaching the security contact. A webmaster contact responded letting me know that he would get the account set up, but after resending the report and asking for receipt confirmation, I heard nothing. Later that month, I contacted CERT, who assigned VU#974320 and confirmed that they could not get a response from Ruckus. To date Ruckus has not responded to Tripwire or CERT regarding these vulnerabilities.

The lesson from this research project seems to be that “enterprise-class” hardware does not necessarily mean enterprise quality in terms of security.  My experience auditing Ruckus equipment is very similar to some of the experiences I’ve had auditing the wireless routers you might find in a local computer store.  In fact, the authentication bypass and command injection are essentially the same as problems I have found on SOHO devices in the $100-$200 range. The biggest difference here is that my report to Ruckus appears to have been completely ignored. Organizations using Ruckus devices may be at risk for compromise, particularly when the access points are used to provide customers with Wi-Fi access.  An intruder to one of these systems could potentially become man-in-the-middle to all other users of the wireless network allowing a wide range of exploitation opportunities.  My research was performed against devices with factory default settings and not those configured to be hot spot providers.  Without guidance from Ruckus, it is unclear what configurations or operating modes may mitigate the risks.

A full timeline of this disclosure process is as follows:

10/27/2015 – Initial Discovery of Command Injection on EOL ZoneFlex model

12/03/2015 – New Ruckus hardware received and multiple vulnerabilities discovered on current/supported product

12/07/2015 – Vulnerability report is written and sent (encrypted via PGP) to security@ruckuswireless.com

12/07/2015 – Undeliverable email report received

12/08/2015 – Second attempt to email published security contact security@ruckuswireless.com

12/08/2015 – Second undeliverable email report

01/05/2016 – Encrypted vulnerability report is sent to security@ruckuswireless.com a third time

01/05/2016 – Third undeliverable report forwarded to webmaster@, publicrelations@, and ir@ruckuswireless.com

01/05/2016 – Vendor webmaster responds that they will be “getting to the bottom of this”

01/05/2016 – Vendor webmaster responds that the email address should work now

01/05/2016 – Resend of encrypted report to security@ruckuswireless.com asking for receipt confirmation

01/26/2016 – Report submitted to US-CERT and assigned tracking ID VU#974320

01/28/2016 – Joel Land of CERT/CC forwards the disclosure to the vendor and requests a copy of Tripwire’s disclosure policy

01/29/2016 – Tripwire provides information regarding the disclosure policy

02/01/2016 – CERT/CC acknowledges receipt of information

04/05/2016 – CERT/CC indicates that the vendor did not respond and suggests that Tripwire proceed with disclosure
