10 times ethical hackers spotted a software vulnerability and averted a crisis
A rise in multiple cyber-attacks and the lack of knowledge and defenses to tackle them has made it extremely important for companies to use ethical hacking to combat hackers. While Black Hat hackers use their skills for malicious purposes to defraud high-profile companies or personalities, Ethical Hackers or White Hat hackers use the same techniques ( penetration testing, different password cracking methods or social engineering) to break into a company’s cyber defense but to help companies fix these vulnerabilities or loose ends to strengthen their systems.
Ethical hackers are employed directly by the company’s CTO or the management with a certain level of secrecy without the knowledge of the staff or other cybersecurity teams. Ethical hacking can also be crowdsourced through bug bounty programs (BBP) and via responsible disclosure (RP).
There are multiple examples in just the past couple of years where ethical hackers have come to the rescue of software firms to avert a crisis that would have potentially incurred the organizations huge losses and put their product users in harm’s way.
10 instances where ethical hackers saved the day for companies with software vulnerabilities
1. An ethical hacker accessed Homebrew’s GitHub repo in under 30 minutes
On 31st July 2018, Eric Holmes, a security researcher reported that he could easily gain access to Homebrew’s GitHub repo. Homebrew is a popular, free and open-source software package management system with well-known packages like node, git, and many more, and also simplifies the installation of software on macOS.
Under 30 minutes, Holmes gained access to an exposed GitHub API token that opened commit access to the core Homebrew repo; thus, exposing the entire Homebrew supply chain.
On July 31, Holmes first reported this vulnerability to Homebrew’s developer, Mike McQuaid. Following which, McQuaid publicly disclosed the issue on Homebrew blog on August 5, 2018. After receiving the report, within a few hours the credentials had been revoked, replaced and sanitized within Jenkins so they would not be revealed in the future.
In a detailed post about the attack invasion on Medium, Eric mentioned that if he were a malicious actor, he could easily make a small unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it.
2. Zimperium zLabs security researcher disclosed a critical vulnerability in multiple high-privileged Android services to Google
In mid-2018, Tamir Zahavi-Brunner, Security Researcher at Zimperium zLabs, informed Google of a critical vulnerability affecting multiple privileged Android services. This vulnerability was found in a library, hidl_memory, introduced specifically as part of Project Treble and does not exist in a previous library which does pretty much the same thing. The vulnerability was in a commonly used library affecting many high-privileged services.
The hidl_memory comprises of: mHandle (HIDL object which holds file descriptors, mSize (size of the memory to be shared), mName (represents the type of memory). These structures are transferred through Binder in HIDL, where complex objects (like hidl_handle or hidl_string) have their own custom code for writing and reading the data.
Transferring structures via 64-bit processes cause no issues, however, this size gets truncated to 32 bit in 32-bit processes, so only the lower 32 bits are used. So if a 32-bit process receives a hidl_memory whose size is bigger than UINT32_MAX (0xFFFFFFFF), the actually mapped memory region will be much smaller.
Google designated this vulnerability as CVE-2018-9411 and patched it in the July security update (2018-07-01 patch level), including additional patches in the September security update (2018-09-01 patch level). Brunner later published a detailed post explaining technical details of the vulnerability and the exploit, in October 2018.
3. A security researcher revealed a vulnerability in a WordPress plugin that leaked the Twitter account information of users
Early this year, on January 17, a French security researcher, Baptiste Robert, popularly known by his online handle, Elliot Alderson found a vulnerability in a WordPress plugin called Social Network Tabs. This vulnerability was assigned with the vulnerability ID- CVE-2018-20555 by MITRE.
The plugin leaked a user’s Twitter account info thus exposing the personal details to be compromised. The plugin allowed websites to help users share content on social media sites. Elliot informed Twitter of this vulnerability on December 1, 2018, prompting Twitter to revoke the keys, rendering the accounts safe again. Twitter also emailed the affected users of the security lapse of the WordPress plugin but did not comment on the record when reached.
4. A Google vulnerability researcher revealed an unpatched bug in Windows’ cryptographic library that could take down an entire Windows fleet
On June 11, 2019, Tavis Ormandy, a vulnerability researcher at Google, revealed a security issue in SymCrypt, the core cryptographic library for Windows. The vulnerability could take down an entire Windows fleet relatively easily, Ormandy said. He reported the vulnerability on March 13 on Google’s Project Zero site and got a response from Microsoft saying that it would issue a security bulletin and fix for this in the June 11 Patch Tuesday run.
Further on June 11, he received a message from Microsoft Security Response Center (MSRC) saying “that the patch won’t ship today and wouldn’t be ready until the July release due to issues found in testing”.
Ormandy disclosed the vulnerability a day after the 90-day deadline elapsed. This was in line with Google’s 90 days deadline for fixing or publicly disclosing bugs that its researchers find.
5. Oracle’s critical vulnerability in its WebLogic servers
On June 17, this year, Oracle published an out-of-band security update that had a patch to a critical code-execution vulnerability in its WebLogic server. The vulnerability was brought to light when it was reported by the security firm, KnownSec404.
The vulnerability tracked as CVE-2019-2729, has received a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability was a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default—wls9_async_response and wls-wsat.war.
6. Security flaws in Boeing 787 Crew Information System/Maintenance System (CIS/MS) code can be misused by hackers
At the Black Hat 2019, Ruben Santamarta, an IOActive Principal Security Consultant in his presentation said that there were vulnerabilities in the Boeing 787 Dreamliner’s components, which could be misused by hackers. The security flaws were in the code for a component known as a Crew Information Service/Maintenance System. Santamarta identified three networks in the 787, the Open Data Network (ODN), the Isolated Data Network (IDN), and the Common Data Network (CDN).
Boeing, however, strongly disagreed with Santamarta’s findings saying that such an attack is not possible and rejected Santamarta’s “claim of having discovered a potential path to pull it off.”
He further highlighted a white paper released in September 2018 that mentioned that a publicly accessible Boeing server was identified using a simple Google search, exposing multiple files. On further analysis, the exposed files contained parts of the firmware running on the Crew Information System/Maintenance System (CIS/MS) and Onboard Networking System (ONS) for the Boeing 787 and 737 models respectively. These included documents, binaries, and configuration files. Also, a Linux-based Virtual Machine used to allow engineers to access part of the Boeing’s network access was also available.
A reader on Bruce Schneier’s (public-interest technologist) blog post argued that Boeing should allow SantaMarta’s team to conduct a test, for the betterment of the passengers, “I really wish Boeing would just let them test against an actual 787 instead of immediately dismissing it. In the long run, it would work out way better for them, and even the short term PR would probably be a better look.”
Boeing in a statement said, “Although we do not provide details about our cybersecurity measures and protections for security reasons, Boeing is confident that its airplanes are safe from cyberattack.”
Boeing says it also consulted with the Federal Aviation Administration and the Department of Homeland Security about Santamarta’s attack. While the DHS didn’t respond to a request for comment, an FAA spokesperson wrote in a statement to WIRED that it’s “satisfied with the manufacturer’s assessment of the issue.”
Santamarta’s research, despite Boeing’s denials and assurances, should be a reminder that aircraft security is far from a solved area of cybersecurity research. Stefan Savage, a computer science professor at the University of California at San Diego said, “This is a reminder that planes, like cars, depend on increasingly complex networked computer systems. They don’t get to escape the vulnerabilities that come with this.”
Some companies still find it difficult to embrace unknown researchers finding flaws in their networks. Companies might be wary of ethical hackers given these people work as freelancers under no contract, potentially causing issues around confidentiality and whether the company’s security flaws will remain a secret. As hackers do not have a positive impression, the company fails to understand it is for their own betterment.
7. Vulnerability in contactless Visa card that can bypass payment limits
On July 29 this year, two security researchers from Positive Technologies, Leigh-Anne Galloway, Cyber Security Resilience Lead and Tim Yunusov, Head of banking security, discovered flaws in Visa contactless cards, that can allow hackers to bypass the payment limits.
The researchers added that the attack was tested with “five major UK banks where it successfully bypassed the UK contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal”. They also warned that this contactless Visa card vulnerability can be possible on cards outside the UK as well.
When Forbes asked Visa about this vulnerability, they weren’t alarmed by the situation and said they weren’t planning on updating their systems anytime soon.
“One key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer. Likewise, the transaction must pass issuer validations and detection protocols. It is not a scalable fraud approach that we typically see criminals employ in the real world,” a Visa spokesperson told Forbes.
8. Mac Zoom Client vulnerability allowed ethical hackers to enable users’ camera
On July 9, this year, a security researcher, Jonathan Leitschuh, publicly disclosed a vulnerability in Mac’s Zoom Client that could allow any malicious website to initiate users’ camera and forcibly join a Zoom call without their authority. Around 750,000 companies around the world who use the video conferencing app on their Macs, to conduct day-to-day business activities, were vulnerable.
Leitschuh disclosed the issue on March 26 on Google’s Project Zero blog, with a 90-day disclosure policy. He also suggested a ‘quick fix’ which Zoom could have implemented by simply changing their server logic. Zoom took 10 days to confirm the vulnerability and held a meeting about how the vulnerability would be patched only 18 days before the end of the 90-day public disclosure deadline, i.e. June 11th, 2019. A day before the public disclosure, Zoom had only implemented the quick-fix solution.
Apple quickly patched the vulnerable component on the same day when Leitschuh disclosed the vulnerability via Twitter (July 9).
9. Vulnerabilities in the PTP protocol of Canon’s EOS 80D DSLR camera allows injection of ransomware
At the DefCon27 held this year, Eyal Itkin, a vulnerability researcher at Check Point Software Technologies, revealed vulnerabilities in the Canon EOS 80D DSLR. He demonstrated how vulnerabilities in the Picture Transfer Protocol (PTP) allowed him to infect the DSLR model with ransomware over a rogue WiFi connection.
Itkin highlighted six vulnerabilities in the PTP that could easily allow a hacker to infiltrate the DSLRs and inject ransomware and lock the device. This could lead the users to pay ransom to free up their camera and picture files.
Itkin’s team informed Canon about the vulnerabilities in their DSLR on March 31, 2019. On August 6, Canon published a security advisory informing users that, “at this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm” and asking them to take advised measures to ensure safety.
10. Security researcher at DefCon 27 revealed an old Webmin backdoor that allowed unauthenticated attackers to execute commands with root privileges on servers
At the DefCon27, a Turkish security researcher, Özkan Mustafa Akkuş presented a zero-day remote code execution vulnerability in Webmin, a web-based system configuration system for Unix-like systems.
This vulnerability, tracked as CVE-2019-15107, was found in the Webmin security feature and was present in the password reset page. It allowed an administrator to enforce a password expiration policy for other users’ accounts. It also allowed a remote, unauthenticated attacker to execute arbitrary commands with root privileges on affected servers by simply adding a pipe command (“|”) in the old password field through POST requests.
The Webmin team was informed of the vulnerability on August 17th 2019. In response, the exploit code was removed and Webmin version 1.930 created and released to all users.
Jamie Cameron, the author of Webmin, in a blog post talked about how and when this backdoor was injected. He revealed that this backdoor was no accident, and was in fact, injected deliberately in the code by a malicious actor. He wrote, “Neither of these were accidental bugs – rather, the Webmin source code had been maliciously modified to add a non-obvious vulnerability,” he wrote.
TD;LR: Companies should welcome ethical hackers for their own good
Ethical hackers are an important addition to our cybersecurity ecosystem. They help organizations examine security systems and analyze minor gaps that lead to compromising the entire organization. One way companies can seek their help is by arranging Bug bounty programs that allow ethical hackers to participate and report vulnerabilities to companies in exchange for rewards that can consist of money or, just recognition. Most of the other times, a white hat hacker may report of the vulnerability as a part of their research, which can be misunderstood by organizations as an attempt to break into their system or simply that they are confident of their internal security systems. Organizations should keep their software security upto date by welcoming additional support from these white hat hackers in finding undetected vulnerabilities.
Read Next
How has ethical hacking benefited the software industry
5 pen testing rules of engagement: What to consider while performing Penetration testing
Social engineering attacks – things to watch out for while online
*** This is a Security Bloggers Network syndicated blog from Security News – Packt Hub authored by Savia Lobo. Read the original post at: https://hub.packtpub.com/10-times-ethical-hackers-spotted-a-software-vulnerability-and-averted-a-crisis/
