Tis the #1 reason no insurance company’s gadget is plugging into my OBDII port. Ever.
Ivan Lindenfeld

From: [email protected] [mailto:[email protected]] On Behalf Of Marcum, John
Sent: Tuesday, August 11, 2015 3:34 PM
To: [email protected]
Subject: RE: [mssms] WSUS SSL Man in the middle attack

And today they’ve hacked the brakes on a new Corvette. One simply needs to have plugged a device that was not designed by GM into the Corvette first. ☺

Guess nobody would read the article if it were titled, “Hackers Hack a Cheap, Widely-Available Gadget”

http://www.bing.com/search?q=Hackers+cut+Corvette+brakes&filters=tnTID%3a%2283AC55AA-E796-45e1-8616-3C7510E336DD%22+tnVersion%3a%221021708%22+segment%3a%22popularnow.carousel%22+tnCol%3a%225%22+tnOrder%3a%228f7491ce-d499-425d-8a75-df4d3175c895%22&efirst=3&FORM=HPNN01

From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Jason Wallace
Sent: Tuesday, August 11, 2015 2:02 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] WSUS SSL Man in the middle attack

The main thrust of the article is that if you run WSUS a Windows Update client can download and execute code and run it in an administrative context. They did make the very valid point that while the manifest and the content are digitally signed the command line which is executed on the client is not checked. With the correct access it would be possible to execute commands rather than run the actual update. They particularly called out device drivers as being an area of concern - something which in a CM12 environment you will not be updating in this way.

The fact that WSUS should be configured with SSL and that content is executed in an administrative context and that Microsoft does not warrant what a device driver does on your systems really is not news.

The syncing of the SUP will talk to MS using SSL as at this point. After that it is the SUPs in house which you would potentially want to enable for SSL.
If you are using SCUP then you will have a code signing certificate (quite likely self signed) which you will be using to sign the update as valid. This does not in any material way affect the issue reported at DEFCON.

BTW two security researchers also demonstrated how to hack a Tesla and be able to lock and unlock it at will. First you have to unlock the car with the remote control then dismantle the dashboard and build yourself a custom ethernet cable all the while ensuring that the car does not have Internet connectivity.

Sent from my Windows Phone
________________________________
From: SCCM FUN<mailto:[email protected]>
Sent: 11/08/2015 20:24
To: [email protected]<mailto:[email protected]>
Subject: [mssms] WSUS SSL Man in the middle attack

I'm terrible when it comes to SSL, just never been able to get my brain wrapped around it. When reading this article about how WSUS if it isn't secured with SSL can be hijacked by a man in the middle attack, they state that the WSUS server contacting MS needs to have SSL enabled. What if you have a CAS that contacts MS, does the primary that also has WSUS need SSL enabled, or since it won't contact MS, enabling SSL isn't needed?

https://threatpost.com/manipulating-wsus-to-own-enterprises/114168

What about if you're using SCUP and you need to download the .cab from Adobe, will enabling SSL on the CAS WSUS cause any issues?

How have others remediated this?
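
A client-side check for the in-house leg discussed in this thread, added here as an example and not posted by anyone on the list: it reads the update-server URLs a Windows Update client has been given by policy and reports whether each one uses https. The function names and the wsus.example.internal host are made up for illustration; the registry key and the WUServer / WUStatusServer values are the standard Windows Update policy settings.

```powershell
# Added example: classify the update-server URLs a Windows Update client is configured with.

function Test-WsusUrl {
    # Classify one configured URL by its scheme.
    param([string]$Name, [string]$Url)

    $status = 'NotConfigured'
    if ($Url) {
        $uri = $null
        if ([System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
            # Anything other than https means metadata travels in cleartext on the LAN.
            $status = if ($uri.Scheme -eq 'https') { 'TLS' } else { 'Cleartext' }
        } else {
            $status = 'Unparseable'
        }
    }
    [pscustomobject]@{ Setting = $Name; Url = $Url; Status = $status }
}

function Get-WsusClientTransport {
    # Read the policy values from the local registry; a missing key yields NotConfigured rows.
    param([string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate')

    $policy = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    foreach ($name in 'WUServer', 'WUStatusServer') {
        Test-WsusUrl -Name $name -Url $policy.$name
    }
}

# Constructed sample values (hypothetical host), followed by this machine's real settings.
$results = @(
    Test-WsusUrl -Name 'sample-http'  -Url 'http://wsus.example.internal:8530'
    Test-WsusUrl -Name 'sample-https' -Url 'https://wsus.example.internal:8531'
    Get-WsusClientTransport
)
$results | Format-Table -AutoSize
```

Any row reported as Cleartext is a client talking to its WSUS server or SUP over plain HTTP, which is the leg the thread says to consider enabling for SSL.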
