<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>B&#039;Cognizance &#187; IT Vulnerability</title>
	<atom:link href="http://bcognizance.iiita.ac.in/archive/oct-apr13/?cat=9&#038;feed=rss2" rel="self" type="application/rss+xml" />
	<link>https://bcognizance.iiita.ac.in/archive/oct-apr13</link>
	<description></description>
	<lastBuildDate>Sat, 12 Apr 2014 08:31:39 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>CRITICAL FLAWS IN VIDEO SURVEILLANCE</title>
		<link>https://bcognizance.iiita.ac.in/archive/oct-apr13/?p=219</link>
		<comments>https://bcognizance.iiita.ac.in/archive/oct-apr13/?p=219#comments</comments>
		<pubDate>Fri, 29 Nov 2013 11:34:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[IT Vulnerability]]></category>

		<guid isPermaLink="false">http://bcognizance.iiita.ac.in/archive/oct-apr13/?p=219</guid>
		<description><![CDATA[Have you ever had the feeling someone is watching you? Well, if you have an Internet-connected surveillance camera in your home or office, it’s quite possible someone is. A security researcher discovered it’s not that hard to hack a video surveillance system or, more specifically, the network video recorder it is attached to. Inspired by one<p class="readmore"> <a href="https://bcognizance.iiita.ac.in/archive/oct-apr13/?p=219" title="Read CRITICAL FLAWS IN VIDEO SURVEILLANCE">  CONTINUE READING ...</a> </p>]]></description>
			<content:encoded><![CDATA[<p>Have you ever had the feeling someone is watching you? Well, if you have an Internet-connected surveillance camera in your home or office, it’s quite possible someone is. A security researcher discovered it’s not that hard to hack a video surveillance system or, more specifically, the network video recorder (NVR) it is attached to.<br />
Inspired by one of the videos by Bharat Jogi, I decided to try it out and it worked well! Interesting!</p>
<p>In it, he explored how and why these systems are insecure, and demonstrated the ability to hack into certain models of D-Link NVRs.<br />
Who’s Watching You?<br />
The session left me wondering about the relative security of my own home video surveillance system. It’s nice that I’m able to view my living room from virtually anywhere in the world using an iPhone app, but how many hackers are watching my living room as well?<br />
That’s essentially the crux of the issue. These Internet-connected surveillance cameras are marketed as a security tool. They are used by businesses and homeowners to monitor the premises, or by parents to keep an eye on a child’s bedroom. Some companies focus them on sensitive areas or items of value as a means of protecting them or monitoring for suspicious activity.<br />
Research uncovered flaws in D-Link DNR-322L and DNR-326 NVR devices that expose the surveillance system to denial-of-service, information disclosure, and other critical flaws all without requiring authentication. The cameras and NVRs are typically connected to the Internet by design, and these critical vulnerabilities enable an attacker to hack into the system remotely from anywhere in the world.<br />
Critical Flaws<br />
There are a number of attacks possible against such surveillance cams. An attacker can add a new user to the device with a simple, unauthenticated request, or even reset the password for the device’s administrator account.<br />
The ability to add a new user allows the attacker to view the live stream of video from the cameras, or access recorded video on the NVR without having to crack or reset the passwords of any existing accounts. It enables the attacker to stay hidden longer, since resetting a password would be a red flag when the legitimate user discovers he or she is no longer able to log in.<br />
I also found ways to get the NVR to spill sensitive information like the IP addresses associated with individual cameras, and the credentials to access them, as well as the login credentials for any attached FTP servers. As if that’s not enough, I discovered you can also remotely upload a new shell script to the device, enabling an attacker to upload malicious programs.<br />
Finally, attackers can create a denial-of-service that takes the system offline temporarily by forcing it to reboot. To take it offline even longer, an attacker could even reset the device to its factory default settings.<br />
 <a href="http://bcognizance.iiita.ac.in/archive/oct-apr13/wp-content/uploads/2013/11/1.png"><img src="http://bcognizance.iiita.ac.in/archive/oct-apr13/archive/oct-apr13/wp-content/uploads/2013/11/1.png" alt="" title="1" width="602" height="360" class="aligncenter size-full wp-image-221" /></a></p>
<a href="http://bcognizance.iiita.ac.in/archive/oct-apr13/wp-content/uploads/2013/11/2.png"><img src="http://bcognizance.iiita.ac.in/archive/oct-apr13/archive/oct-apr13/wp-content/uploads/2013/11/2.png" alt="" title="2" width="601" height="321" class="aligncenter size-full wp-image-222" /></a>
<p><a href="http://bcognizance.iiita.ac.in/archive/oct-apr13/wp-content/uploads/2013/11/3.png"><img src="http://bcognizance.iiita.ac.in/archive/oct-apr13/archive/oct-apr13/wp-content/uploads/2013/11/3.png" alt="" title="3" width="602" height="440" class="aligncenter size-full wp-image-223" /></a><br />
What Does It All Mean?<br />
Aside from the “creepy factor” of knowing that a stranger could have hacked into your video surveillance system and be watching you or your family right now, there are some potentially more serious concerns.<br />
A thief could hack into the NVR at a home or office and use it to scope out the premises, and figure out where valuable items are located without even stepping foot in the building. The thief could then use these vulnerabilities to hack into the system and disable cameras or reboot the system so it is offline and does not capture any activity while he or she infiltrates the premises to rob you.<br />
For a business, it might be possible for an attacker to conduct cyber espionage and steal intellectual property. If the cameras have a view of ongoing research and development or intellectual property, it could be viewable by an attacker with access to the NVR.<br />
Probably Not Limited to D-Link<br />
D-Link NAS devices might have similar flaws, but he had not yet done the research to confirm that. Regardless of whether or not the D-Link NAS is affected, it’s safe to assume that these two specific models of NVR from D-Link are not the only ones at risk.<br />
Regardless of which video surveillance or NVR system you choose, you should be conscious of the fact that if you can access the video feed over the Internet from anywhere in the world on your mobile device, an attacker may very well be able to do the same.</p>
<p>Reference:  http://www.irongeek.com/i.php?page=videos/bsideslasvegas2013/4-1-1-you-are-being-watched-bharat-jogi</p>
<blockquote><p><strong><i><br />
Vaibhav Deshmukh<br />
MSCLIS<br />
IIIT Allahabad<br />
<a href="http://cybrexpert.blogspot.com">CyberExpert Blogger</a>
</i></strong></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>https://bcognizance.iiita.ac.in/archive/oct-apr13/?feed=rss2&#038;p=219</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CYBER-ATTACK STRATEGY – WATERING HOLE</title>
		<link>https://bcognizance.iiita.ac.in/archive/oct-apr13/?p=211</link>
		<comments>https://bcognizance.iiita.ac.in/archive/oct-apr13/?p=211#comments</comments>
		<pubDate>Fri, 29 Nov 2013 11:30:21 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[IT Vulnerability]]></category>

		<guid isPermaLink="false">http://bcognizance.iiita.ac.in/archive/oct-apr13/?p=211</guid>
		<description><![CDATA[Cyber criminals have developed a new cyber-attack strategy known as the “watering hole”, proving once again that they are a step ahead and that no security measure or procedure can stop them from gaining access to the information or details they want. In a watering hole attack, hackers leverage cloud services to help gain<p class="readmore"> <a href="https://bcognizance.iiita.ac.in/archive/oct-apr13/?p=211" title="Read CYBER-ATTACK STRATEGY – WATERING HOLE">  CONTINUE READING ...</a> </p>]]></description>
			<content:encoded><![CDATA[<p>Cyber criminals have developed a new cyber-attack strategy known as the “watering hole”, proving once again that they are a step ahead and that no security measure or procedure can stop them from gaining access to the information or details they want.<br />
In a watering hole attack, hackers leverage cloud services to help gain access to the most secure government agencies and private enterprise protected networks.</p>
<p><strong>Talking about the PAST:</strong><br />
Earlier, these attackers used emails with fancy or surprising names, attachments or subject lines such as “I LOVE U” or “You have Won Lottery”. Attackers target individuals belonging to a specific organization through phishing attacks so that they can gain access to its critical information. These specifically targeted individuals help in navigating the organization&#8217;s employee hierarchy or in identifying digital certificate compromises that lead the attackers to gain illegal access and give them control over the organization&#8217;s IT infrastructure.</p>
<p><strong>NOWADAYS:</strong><br />
With the increasing awareness of employees, these traditional methods have become much more challenging for attackers. The most sophisticated type of attack now hitting the enterprise is the “Watering Hole Attack”. In this attack, the attacker injects malicious code into a website that the company trusts. To do this, they stalk an employee or group in order to spread malicious code inside the organization.</p>
<p><strong>How to find TRUSTED sites:</strong><br />
Inserting malicious code into the most frequently visited sites such as Yahoo, espn.com or cnn.com is very tough because they are less vulnerable. So, to insert the code into a less secure site that is frequently visited by employees of the targeted company, the attacker finds the most frequently visited sites using the automated tracking methods that marketing and ad tracking services apply when employees surf the Internet from their company&#8217;s network. This method helps them identify the traffic patterns. These tracking services map the web pattern or behavior of the organization, which indicates which sites employees visit frequently. This information helps the attacker deduce the organization&#8217;s browsing history and cloud services access policies. In other words, it tells an attacker which watering hole you let your employees visit.<br />
WAIT!!</p>
<a href="http://bcognizance.iiita.ac.in/archive/oct-apr13/wp-content/uploads/2013/11/Untitled1.png"><img class="aligncenter size-full wp-image-217" title="Untitled" src="http://bcognizance.iiita.ac.in/archive/oct-apr13/archive/oct-apr13/wp-content/uploads/2013/11/Untitled1.png" alt="" width="307" height="453" /></a>
<p>The attacker plants the malicious code in the watering hole site. They also insert the code in less secure blogs and the most vulnerable sites. They then wait for users to visit the sites they have frequently visited in the past. When a user visits those sites, the malicious code redirects the user’s browser to malicious sites, where the user’s machine can be assessed to uncover vulnerabilities. The probability of success is usually high because the attacker uses the tracking services data to confirm that traffic to the sites is allowed and frequent.</p>
<p><strong>Once the TRAP is laid &#8212; Ready for the real attack:</strong><br />
When the user falls into the trap, the attacker starts assessing the victim’s system for vulnerabilities and exploits. When the user visits the watering hole, a small piece of code is downloaded automatically in the background, and there is no need to click or download any code or file. This is made possible by “drive-by downloading techniques”. Once the code is run, it searches for recently discovered exploits and zero-day vulnerabilities, because there is a chance that those users have not patched these exploits in Java, Internet Explorer, Flash or Adobe Reader. If the attacker succeeds in finding the vulnerabilities / exploits, then, depending on the user&#8217;s access rights, he can access sensitive and critical information of the organization. The sensitive information means Internet protocol, customer information, employee data or financial data.</p>
<blockquote><p><strong><em><br />
RAVINDER VERMA<br />
MSCLIS<br />
IIIT Allahabad </em></strong></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>https://bcognizance.iiita.ac.in/archive/oct-apr13/?feed=rss2&#038;p=211</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BURNING OF DATA BY “FLAME” ATTACK…..</title>
		<link>https://bcognizance.iiita.ac.in/archive/oct-apr13/?p=210</link>
		<comments>https://bcognizance.iiita.ac.in/archive/oct-apr13/?p=210#comments</comments>
		<pubDate>Fri, 29 Nov 2013 11:27:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[IT Vulnerability]]></category>

		<guid isPermaLink="false">http://bcognizance.iiita.ac.in/archive/oct-apr13/?p=210</guid>
		<description><![CDATA[Introduction Flame, a piece of computer malware discovered in 2012, is a kind of data mining virus. It targets computers running the Microsoft Windows operating system and was intended for cyber espionage in Middle Eastern countries. This attack was uncovered on May 28, 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team, Kaspersky Lab and the CrySyS<p class="readmore"> <a href="https://bcognizance.iiita.ac.in/archive/oct-apr13/?p=210" title="Read BURNING OF DATA BY “FLAME” ATTACK…..">  CONTINUE READING ...</a> </p>]]></description>
			<content:encoded><![CDATA[<p><strong>Introduction</strong><br />
Flame, a piece of computer malware discovered in 2012, is a kind of data mining virus. It targets computers running the Microsoft Windows operating system and was intended for cyber espionage in Middle Eastern countries.<br />
This attack was uncovered on May 28, 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team, Kaspersky Lab and the CrySyS Lab of the Budapest University of Technology and Economics.<br />
Flame can spread to other systems via a USB / flash drive. It is capable of recording audio streams, screenshots, Skype conversations and keyboard activity, and even of monitoring networks. It can also turn the infected computer into a Bluetooth beacon that attempts to download contact information from neighboring Bluetooth-enabled devices.<br />
According to Kaspersky estimates from May 2012, the Flame malware had infected approximately 1,000 machines. While most of the victim machines belonged to government organizations, private and individual systems were also significantly infected at the same time.<br />
Flame was detected by Iranian computer experts. The major areas of infection were Israel, Iran, Sudan, Saudi Arabia and Egypt, with Iran the focus of the attack.</p>
<a href="http://bcognizance.iiita.ac.in/archive/oct-apr13/wp-content/uploads/2013/11/Untitled.png"><img class="aligncenter size-full wp-image-212" title="Untitled" src="http://bcognizance.iiita.ac.in/archive/oct-apr13/archive/oct-apr13/wp-content/uploads/2013/11/Untitled.png" alt="" width="580" height="158" /></a>
<p><strong>Structure of Flame:</strong><br />
The Flame program was written in the Lua scripting language with compiled C++ code linked in, and at 20 megabytes it is an exceptionally large program for malware. It allows other attack modules to be loaded after the initial action has been performed. This malware uses five types of encryption methods and an SQLite database to store structured information. It uses a stealthy method to inject code into various processes, such that the attack modules do not appear in the list of modules loaded into a process, and the malware memory pages are protected with READ, WRITE and EXECUTE permissions that make them inaccessible to user-mode applications. The malware collects details about which anti-virus software is installed so that it can customize its own behavior, which is why it is not easily detected. It can, however, be identified by some mutex and registry activity, such as the installation of a fake audio driver that it uses to persist on the compromised system.</p>
<p>Flame includes a “kill” function that eliminates all traces of its files and operation from a system whenever it receives the corresponding module from its controller.<br />
Flame was signed with a fraudulent certificate purportedly from the Microsoft Enforced Licensing Intermediate PCA certificate authority. The malware authors identified a Microsoft Terminal Server Licensing Service certificate that had inadvertently been enabled for code signing and still used the weak MD5 hashing algorithm, then produced a counterfeit copy of the certificate, which they used to sign some components of the malware to make them appear to have originated from Microsoft.<br />
Flame is designed only for espionage rather than for targeting any particular industry. This malware uses a technique known as sink-holing. The report presented by Kaspersky showed that a huge majority of this attack’s targets were in Iran, where the attackers were mostly looking for PDFs, text files and AutoCAD drawings. Computer experts also mention that this malware seeks secret technical diagrams for intelligence purposes.<br />
Flame has around 80 servers across Asia, Europe and North America, which provide remote access to the victims’ machines.</p>
<p><strong>Evidence about Flame Attacks:</strong><br />
Flame came to light when Iran detected a spate of cyber-attacks on its oil industry. The attacks have been attributed to Israel, in a unilateral operation that caught its American partners off guard, according to several U.S. and Western officials who spoke on condition of anonymity. There has been speculation that Washington was also involved in the development of Flame, but collaboration between the U.S. and Israel in the development of Flame has not been confirmed yet.<br />
According to researchers, “Flame” is designed to replicate across even highly secure networks and to send secret information and activity back to its creators. The malware is designed to masquerade as a routine Microsoft software update, and it uses a sophisticated program to crack an encryption algorithm, which has helped it evade detection many times.<br />
“This is not something that most security researchers have the skills or resources to do,” said Tom Parker, chief technology officer for Fusion X, a firm that specializes in simulating state-sponsored cyber-attacks. He said he does not know who was behind the virus. “You’d expect that only the most advanced crypto mathematicians, such as those working at NSA.”</p>
<p><strong>History of Flame:</strong><br />
Flame was developed about five years ago as part of a classified effort code-named Olympic Games, according to officials familiar with U.S. cyber-operations and experts who have scrutinized its code. The motive behind the U.S.-Israel collaboration was to break down Iran’s nuclear program so that it could reduce the pressure for military activity.</p>
<p>The best-known cyber weapon used against Iran was Stuxnet, discovered two years ago, which infected a specific type of industrial controller at Iran’s uranium-enrichment plant in Natanz and caused almost 1,000 centrifuges to spin out of control. Due to a lack of knowledge and awareness, Iranian officials thought it was the result of incompetence.<br />
The scale of the espionage and sabotage effort “is directly proportional to the problem being resolved,” said a former intelligence official, referring to the Iranian nuclear program.<br />
Many key players are accused of indirect involvement in developing these tools, including two of the USA’s elite spy agencies. The first is the NSA, known mainly for its electronic eavesdropping and code-breaking capabilities, and the second is the CIA, which lacks the NSA’s sophistication in building malware but is deeply involved in the cyber-campaign.</p>
<p>References:</p>
<p>http://en.wikipedia.org/</p>
<p>http://articles.washingtonpost.com/</p>
<p>Image Source:<br />
telegraph.co.uk<br />
news.com.au</p>
<blockquote><p><strong><em><br />
ABHISHEK RAI<br />
MSCLIS<br />
IIIT Allahabad </em></strong></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>https://bcognizance.iiita.ac.in/archive/oct-apr13/?feed=rss2&#038;p=210</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
