## Archive for the ‘Security’ Category

### Hacking Fingerprints (Yours, Mine, Theirs)

Thursday, May 25th, 2017

From the post:

Fingerprints are supposed to be unique markers of a person’s identity. Detectives look for fingerprints in crime scenes. Your phone’s fingerprint sensor means only you can unlock the screen. The truth, however, is that fingerprints might not be as secure as you think – at least not in an age of machine learning.

A team of researchers has demonstrated that, with the help of neural networks, a “masterprint” can be used to fool verification systems. A masterprint, like a master key, is a fingerprint that can be open many different doors. In the case of fingerprint identification, it does this by tricking a computer into thinking the print could belong to a number of different people.

“Our method is able to design a MasterPrint that a commercial fingerprint system matches to 22% of all users in a strict security setting, and 75% of all users at a looser security setting,” the researchers ­– Philip Bontrager, Julian Togelius and Nasir Memon – claim in a paper.

The tweet that brought this post to my attention didn’t seem to take this as good news.

But it is, very good news!

Think about it for a moment. Who is most likely to have “strict security settings?”

Your average cubicle dweller/home owner or …, large corporation or government entity?

What is more, if you, as a cubicle dweller are ever accosted for a breach of security, leaking fingerprint protected files, etc., what better defense than known spoofing of fingerprints?

Not that you would be guilty of such an offense but its always nice to have a credible defense in addition to being innocent!

For further details:

Abstract:

We present two related methods for creating MasterPrints, synthetic fingerprints that a fingerprint verification system identifies as many different people. Both methods start with training a Generative Adversarial Network (GAN) on a set of real fingerprint images. The generator network is then used to search for images that can be recognized as multiple individuals. The first method uses evolutionary optimization in the space of latent variables, and the second uses gradient-based search. Our method is able to design a MasterPrint that a commercial fingerprint system matches to 22% of all users in a strict security setting, and 75% of all users at a looser security setting.

Defeating fingerprints as “conclusive proof” of presence is an important step towards freedom for us all.

### Banking Malware Tip: Don’t Kill The Goose

Thursday, May 25th, 2017

From the post:

### Zero-Day versus Tried-n-True Methods

Monday, May 8th, 2017

From the post:

Malware-laden USB sticks were accidentally sent by IBM to a series of enterprise customers that had purchased storage systems developed by the computing giant, according to a company advisory published last week.

An unidentified number of these drives were mailed as an installation tool for users setting up IBM Storewize V3700 and V5000 Gen 1 storage systems. IBM says that all of the infected USBs carried the same serial number: 01AC585.

An IBM spokesperson did not respond to CyberScoop’s inquiry. It remains unclear how the malware originally found its way onto the drives.

One upside of this story is you now know what a USB for the IBM Storewize V3700 and V5000 Gen 1 storage systems looks like.

Not that you would go out and create fake USBs for IBM Storewize V3700 and V5000 Gen 1 storage systems. Heaven forbid!

Another upside is the story acts as a reminder that you can purchase or sweat over find a new zero-day, versus taking the simpler route of getting a victim to infect themselves.

Professional DVD duplication is cheap and widespread. Recipients are unlikely to question the receipt of a “prize” DVD.

Selecting best DVD for a recipient is the real question. Pleading “responsible disclosure,” I have to omit details on ways to make that selection.

😉

The DVD route requires more preparation than phishing but unlike emails, due to sharing, malware DVDs are gifts that keep on giving.

### Guessing Valid GMail Addresses – Not A Bug (Must Be A Feature)

Monday, May 8th, 2017

Abusing Gmail to get previously unlisted e-mail addresses

From the post:

tl;dr: I discovered a glitch that allowed me to guess, in large number, existing Google accounts addresses that could otherwise be unknown. DISCLAIMER: it’s just bruteforce that wasn’t properly rate-limited, nothing too fancy, so if you’re looking for some juicy 0day please pass along 😉
… (emphasis in original)

Cutting to the chase:

This way I was able to guess around 40,000 valid e-mail addresses per day with a stupid unoptimized PoC.
… (emphasis in original)

When advised of the issue, Google responded its not a security bug.

### Hijacking Fleets of PCs

Sunday, May 7th, 2017

From the post:

A vulnerability in Intel chips that went undiscovered for almost a decade allows hackers to remotely gain full control over affected Windows PCs without needing a password.

The “critical”-rated bug, disclosed by Intel last week, lies in a feature of Intel’s Active Management Technology (more commonly known as just AMT), which allows IT administrators to remotely carry out maintenance and other tasks on entire fleets of computers as if they were there in person, like software updates and wiping hard drives. AMT also allows the administrator to remotely control the computer’s keyboard and mouse, even if the PC is powered off.

To make life easier, AMT was also made available through the web browser — accessible even when the remote PC is asleep — that’s protected by a password set by the admin.

The problem is that a hacker can enter a blank password and still get into the web console, according to independent technical rundowns of the flaw by two security research labs.

Embedi researchers, credited with finding the bug, explained in a whitepaper posted Friday that a flaw in how the default “admin” account for the web interface processes the user’s passwords effectively lets anyone log in by entering nothing at the log-on prompt.

Opportunity to stretch your technical chops as fixes are due to roll out May 8th and thereafter.

Of course, as Verizon posted last week:

81% of hacking-related breaches leveraged either stolen and/or weak passwords. (page 3)

### Archive.org (Internet Archive) Security Warning!

Friday, May 5th, 2017

Just in case you forgot, every packet of Internet traffic can disclose your identity.

I have no idea if this was the actual Macron leaker or an account being used to mask their true identity.

But, it’s worth a quick heads up to say:

Presume every packet from your computer is being captured (not necessarily read if encrypted) somewhere by someone.

Plan accordingly.

### Verizon’s Hacking Retrospective For 2016 (2017 Report)

Friday, May 5th, 2017

Instead of running afoul of It’s hard to make predictions, especially about the future, Verizon is looking backwards at hacking in 2016.

The full report runs over seventy pages of hacker success stories but if you lack the time or stomach to read it in full, consider Kelly Sweeney’s Verizon 2017 Data Breach Investigation Report Released, which reads in part:

We follow the Verizon Data Breach Investigation Report each year. It just hit the news stand and as always, is full of insights.

The report collected data from 65 organizations in 84 countries, including 42,068 cybersecurity incidents and 1,935 data breaches.

The major themes of the report are:

• No one thinks it’s going to be them. Until it is.
• Organizations think they’ve got the basics covered.
• People are also still failing to set strong passwords.
• People rely on how they’ve always done things.

The conclusion is that all organizations and industries are at risk of cyber-attacks, and 61 percent of the data breaches experienced by those responding were companies with less than 1,000 employees.

You should not be asking why there is so much cybercrime, but rather, why isn’t there more?

My unscientific explanation is the number of potential targets out number hackers by two or more orders of magnitude.

Yours?

### Hacking Not Limited To Rocket/CS Scientists

Friday, May 5th, 2017

Want be a successful hacker but you’re not a rocket/CS scientist? There’s hope!

Over the past year, a group of attackers has managed to infect hundreds of computers belonging to government agencies with a malware framework stitched together from JavaScript code and publicly available tools.

The attack, analyzed by researchers from antivirus firm Bitdefender, shows that cyberespionage groups don’t necessarily need to invest a lot of money in developing unique and powerful malware programs to achieve their goals. In fact, the use of publicly available tools designed for system administration can increase an attack’s efficiency and makes it harder for security vendors to detect it and link it to a particular threat actor.

The Bitdefender researchers have dubbed the newly discovered attack group Netrepser and traced back some of its attack campaigns to May 2016. The group is still active, but to Bitdefender’s knowledge its attacks have never been publicly documented before, which might be in part because its campaigns are highly targeted.

Some tools were developed at public expense (read CIA) and have gained wider usage.

You may not be Stephen Hawking but the effort you are willing to invest determines your success as a hacker.

The question to ask yourself: What am I going to learn today?

### Hacker Wish Book 2017 (Who Got Left Out?)

Wednesday, May 3rd, 2017

Symantec continues the Sears Wish Book tradition:

for hackers with the 2017 Internet Security Threat Report (Symantec, ISTR 22).

Like the original, the Hacker Wish Book 2017 has:

Flashy graphics:

(Did you make the top ten?)

Exciting textual tidbits:

Our data found that 76 percent of websites scanned contained vulnerabilities—the same percentage as 2014 and just two percent less than the 2015 figure. at page 33)

Holiday tips (best practices):

• Targeted attacks: Espionage, subversion, & sabotage (page 22)
• Email: Malware, spam, & phishing (page 31)
• Web attacks, toolkits, & exploiting vulnerabilities online (page 36)
• Cyber crime & the underground economy (page 54)
• Ransomware: Extorting businesses & consumers (page 62)
• New frontiers: Internet of Things, mobile, & cloud threats (page 67)
• Mobile (page 72)
• Cloud (page 74)

Who Was Left Out?

Before you print a full-color copy of 2017 Internet Security Threat Report (Symantec, ISTR 22) for your “reading” room, ask who was left out?

Hackers are covered by the list of schemes, devices and strategies. Managers are interested in comparative statistics, “see, almost everybody else gets hacked too.” Hmmmm, but a class of people are missing.

Here’s a hint: Use the search function to look for salary (0 hits), hiring (0 hits), training (0 hits), compensation (0 hits).

The cyberdefense community gets no joy from the Hacker Wish Book 2017.

Not one mention of the need to pay competitive compensation for cyberdefense employees (not part-time contractors) with benefits and working conditions suitable for that community.

We have all seen legislatures flail about on cybercrime (CFAA). Not to mention management’s foolish belief that urging present staff “to do better,” is a solution to cyber-insecurity (the best practices mentioned above).

If you credit the Symantec report at all, how would you grade both of those strategies?

If your answer is anything other than “F,” contact me as I have the deed to bridges in New York City. (Apologies to other readers, it’s hard to resist clipping business types with more money than judgment.)

Anyone interested in improved cybersecurity needs to invest in cybersecurity. Including full-time staff and resources.

When I say “full-time” staff, I mean just that. Not sysadmin, DBA, webmaster, and cybersecurity all rolled into one position. Any one of those, with further sub-specialization as necessary, is a full-time job. (Just because you don’t understand a task doesn’t make it easy.)

Of course you can have your data breach figure in the Hacker Wish Book 2018. Or be the first in your industry to get tagged with punitive damages for a data breach. That’s going to happen. The question is: Will it be you?

### One For The Hounds – C & C Servers

Tuesday, May 2nd, 2017

From the post:

Shodan and Recorded Future have launched today a search engine for discovering malware command-and-control (C&C) servers. Named Malware Hunter, this new tool is integrated into Shodan, a search engine for discovering Internet-connected devices.

Malware Hunter works via search bots that crawl the Internet looking for computers configured to function as a botnet C&C server.

In order to trick a C&C server to reveal its location, the search bot uses various predefined requests to pretend to be infected computer that’s reporting back to the C&C server. If the scanned computer responds, Malware Hunter logs the IP and makes it available via the Shodan interface.

Take this news as encouragement to step up your game.

On the upside, perhaps Malware Hunter or some successor will “out” government spy malware.

### Airport WiFi Passwords Map (Frequent Face?)

Monday, May 1st, 2017

From the post:

Finding an open wireless connection in many airports isn’t always easy, or possible, without a password (or local phone number which is stupid). The difficulty of getting online is why I asked you for and created an always-up-to-date list of airport wireless passwords around the world. You’ve been sending me your tips regularly and I post on the foXnoMad Facebook page when there’s a new password or airport added.

Recently, reader Zach made a great suggestion that will make it easier for you to search, add, and keep up with this airport wireless password list.
….

I applaud Polat taking the initiative and investing the effort to make this wonderful resource available. Certainly a benefit to travelers who are quite casual about WiFi security.

I say “travelers who are quite casual about WiFi security” because any false WiFi hotspot is going to set the same password as the pay-to-play airport WiFi.

Being charged for a service is no guarantee of non-abuse. Any cable subscriber knows that already.

The password list makes airports sound like great hacking locations. Free WiFi, cheap food, easy targets, but, not such a great spot after all.

Presume all faces are scanned at airports, processed and stored. Becoming a “frequent face (FF)” doesn’t carry the same benefits as “frequent flyer.? You have been warned.

### How Do Hackers Live on $53.57? (‘Hack the Air Force’) Wednesday, April 26th, 2017 I ask because once you get past the glowing generalities of USAF Launches ‘Hack the Air Force’: Let the friendly hacking fly: The US Air Force will allow vetted white hat hackers and other computer security specialists root out vulnerabilities in some of its main public websites. You find: Reina Staley, chief of staff for the Defense Digital Service, notes that white-hat hacking and crowdsourced security initiatives are often used used by small businesses and large companies to beef up their security. Payouts for Hack the Air Force will be made based on the severity of the exploit discovered, and there will be only one payout per exploit. Staley notes that the DoD’s Hack the Pentagon initiative, which was launched in April 2016 by the Defense Digital Service, was the federal government’s first bug bounty program. More than 1,400 hackers registered to participate, and DoD paid$75,000 in bounties.

“In the past, we contracted to a security research firm and they found less than 20 unique vulnerabilities,” Staley explains. “For Hack the Pentagon, the 1,400 hackers found 138 unique vulnerabilities, most of them previously unknown.”

Kim says Hack the Air Force is all about being more proactive in finding security flaws and fixing them quickly. “While the money is a draw, we’re also finding that people want to participate in the program for patriotic reasons as well. People want to see the Internet and Armed Forces networks become safer,” he says.

Let’s see, $75,000 split between 1,400 hackers, that’s$53.57 per hacker, on average. Some got more than average, some got nothing at all.

‘Hack the Air Force’ damages the defensive cybersecurity labor market by driving down the compensation for cybersecurity skills. Skills that take time, hard work, talent to develop, but the Air Force devalues them with chump change.

I fully agree with anyone who says government, DoD or Air Force cybersecurity sucks.

However, the Air Force chose to spend money on valets, chauffeurs for its generals, fighter jets that randomly burst into flames, etc., just as they chose to neglect cybersecurity.

Not my decision, not my problem.

Want an effective solution?

First step, “…use the free market Luke!” Create an Air Force contact point where hackers can anonymously submit notices of vulnerabilities. Institute a reliable and responsive process that offers compensation (market-based compensation) for those finds. Compensation paid in bitcoins.

Bearing in mind that paying market rate and adhering to market reasonable responsiveness will be critical to success of such a portal. Yes, in a “huffy” voice, “you are the US Air Force,” but hackers will have something you need and cannot supply yourself. Live with it.

Second step, create a very “lite” contracting process when you need short-term cybersecurity audits or services. That means abandoning the layers of reports and graft of primes, sub-primes and sub-sub-primes, with all the feather nesting of contract officers, etc., along the way. Oh, drug tests as well. You want results, not squeaky clean but so-so hackers.

Third step, disclose vulnerabilities in other armed services, both domestic and foreign. Time spent hacking them is time not spent hacking you. Yes?

Until the Air Force stops damaging the defensive cybersecurity labor market, boycott the ‘Hack the Air Force’ at HackerOne and all similar efforts.

### Metron – A Fist Full of Subjects

Monday, April 24th, 2017

Metron – Apache Incubator

From the description:

Metron integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis. Metron provides capabilities for log aggregation, full packet capture indexing, storage, advanced behavioral analytics and data enrichment, while applying the most current threat-intelligence information to security telemetry within a single platform.

Metron can be divided into 4 areas:

1. A mechanism to capture, store, and normalize any type of security telemetry at extremely high rates. Because security telemetry is constantly being generated, it requires a method for ingesting the data at high speeds and pushing it to various processing units for advanced computation and analytics.
2. Real time processing and application of enrichments such as threat intelligence, geolocation, and DNS information to telemetry being collected. The immediate application of this information to incoming telemetry provides the context and situational awareness, as well as the “who” and “where” information that is critical for investigation.
3. Efficient information storage based on how the information will be used:
1. Logs and telemetry are stored such that they can be efficiently mined and analyzed for concise security visibility
2. The ability to extract and reconstruct full packets helps an analyst answer questions such as who the true attacker was, what data was leaked, and where that data was sent
3. Long-term storage not only increases visibility over time, but also enables advanced analytics such as machine learning techniques to be used to create models on the information. Incoming data can then be scored against these stored models for advanced anomaly detection.
4. An interface that gives a security investigator a centralized view of data and alerts passed through the system. Metron’s interface presents alert summaries with threat intelligence and enrichment data specific to that alert on one single page. Furthermore, advanced search capabilities and full packet extraction tools are presented to the analyst for investigation without the need to pivot into additional tools.

Big data is a natural fit for powerful security analytics. The Metron framework integrates a number of elements from the Hadoop ecosystem to provide a scalable platform for security analytics, incorporating such functionality as full-packet capture, stream processing, batch processing, real-time search, and telemetry aggregation. With Metron, our goal is to tie big data into security analytics and drive towards an extensible centralized platform to effectively enable rapid detection and rapid response for advanced security threats.

Metron (website)

Metron wiki

Metron Jira

Metron Git

Security threats aren’t going to assign themselves unique and immutable IDs. Which means they will be identified by characteristics and associated with particular acts (think associations), which are composed of other subjects, such as particular malware, dates, etc.

Being able to robustly share such identifications (unlike the “we’ve seen this before at some unknown time, with unknown characteristics,” typical of Russian attribution reports) would be a real plus.

Looks like a great opportunity for topic maps-like thinking.

Yes?

### Anonymous Domain Registration Service [Update: 24 April 2017]

Sunday, April 23rd, 2017

Pirate Bay Founder Launches Anonymous Domain Registration Service

Does this sound anonymous to you?

With Njalla, customers don’t buy the domain names themselves, they let the company do it for them. This adds an extra layer of protection but also requires some trust.

A separate agreement grants the customer full usage rights to the domain. This also means that people are free to transfer it elsewhere if they want to.

“Think of us as your friendly drunk (but responsibly so) straw person that takes the blame for your expressions,” Njalla notes.

Njalla

Perhaps I’m being overly suspicious but what is the basis for trusting Njalla?

I would feel better if Njalla only possessed a key that would decrypt (read authenticate) messages as arriving from the owner of some.domain.

Other than payment, what other interest do they have in an owner’s actual identity?

Perhaps I should bump them about that idea.

Update: On further inquiry, registration only requires an email or jabber contact point. You can handle being anonymous to Njalla at those points. So, more anonymous than I thought.

### Leak “Threatens Windows Users Around The World?”

Thursday, April 20th, 2017

Really? Shadow Brokers leaking alleged NSA malware “threatens users around the world?”

Hmmm, I would think that the NSA developing Windows malware is what threatens users around the world.

Yes?

Unlike the apparent industry concealment of vulnerabilities, the leaking of NSA malware puts all users on an equal footing with regard to those vulnerabilities.

In a phrase, users are better off for the NSA malware leak than they were before.

They know (or at least it has been alleged) that these leaked vulnerabilities have been patched in supported Microsoft products. By upgrading to those products, they can avoid these particular pieces of NSA malware.

Leaking vulnerabilities enables users to avoid perils themselves, in this case by upgrading, and/or to demand patches from vendors responsible for the vulnerabilities.

Do you see a downside I don’t?

Well, aside from trashing the market for vulnerabilities and gelding security agencies, neither one of which I will lose any sleep over.

### Who Prefers Zero Days over 7 Year Old Bugs? + Legalization of Hacking

Thursday, April 20th, 2017

“Who” is not clear but Dan Goodin reports in Windows bug used to spread Stuxnet remains world’s most exploited that:

One of the Microsoft Windows vulnerabilities used to spread the Stuxnet worm that targeted Iran remained the most widely exploited software bug in 2015 and 2016 even though the bug was patched years earlier, according to a report published by antivirus provider Kaspersky Lab.

In 2015, 27 percent of Kaspersky users who encountered any sort of exploit were exposed to attacks targeting the critical Windows flaw indexed as CVE-2010-2568. In 2016, the figure dipped to 24.7 percent but still ranked the highest. The code-execution vulnerability is triggered by plugging a booby-trapped USB drive into a vulnerable computer. The second most widespread exploit was designed to gain root access rights to Android phones, with 11 percent in 2015 and 15.6 percent last year.

A market share of almost 25%, despite being patched in 2010, marks CVE-2010-2568 as one of the top bugs a hacker should have in their toolkit.

Not to denigrate finding zero day flaws in vibrators and other IoT devices, or more exotic potential exploits in the Linux kernel but if you approach hacking as an investment, the “best” tools aren’t always the most recent ones. (“Best” defined as the highest return for mastery and use.)

Looking forward to the legalization of hacking, unauthorized penetration of information systems, with civil and criminal penalties for owners of those systems who get hacked.

I suggest that because hacking being illegal, has done nothing to stem the tide of hacking. Mostly because threatening people you can’t find or who think they won’t be found, is by definition, ineffectual.

Making hacking legal and penalizing business interests who get hacked, is a threat against people you can find on a regular basis. They pay taxes, register their stocks, market their products.

Speaking of paying taxes, there could be an OS upgrade tax credit. Something to nudge all the Windows XP, Vista, 7 instances out of existence. That alone would be the largest single improvement in cybersecurity since that because a term.

Legalized, hackers would provide a continuing incentive (fines and penalties) for better software and more consistent upgrade practices. Take advantage of that large pool of unpaid but enthusiastic labor (hackers).

### More Leveling – Undetectable Phishing Attack

Monday, April 17th, 2017

From the post:

Browsers such as Chrome, Firefox, and Opera are vulnerable to a new variation of an older attack that allows phishers to register and pass fake domains as the websites of legitimate services, such as Apple, Google, eBay, and others.

Discovered by Chinese security researcher Xudong Zheng, this is a variation of a homograph attack, first identified by Israeli researchers Evgeniy Gabrilovich and Alex Gontmakher, and known since 2001.

This particular hack depends upon variant characters being available within one language set, which avoids characters from different languages (deemed phishing attempts).

To make this work, you will need a domain name written using Punycode (RFC 3492), which enables the writing of Unicode in ASCII.

There’s a task for deep learning, scanning the Unicode Code Charts for characters that are easy to confuse with ASCII characters.

If you have a link to such results, ping me with it.

### Shadow Brokers Level The Playing Field

Monday, April 17th, 2017

The whining and moaning from some security analysts over Shadow Broker dumps is a mystery to me.

Apologies for the pie chart, but the blue area represents the widely vulnerable population pre-Shadow Brokers leak:

I’m sorry, you can’t really see the 0.01% or less, who weren’t vulnerable pre-Shadow Brokers leak. Try this enlargement:

Shadow Brokers, especially if they leak more current tools, are leveling the playing field for the average user/hacker.

Instead of 99.99% of users being in danger from people who buy/sell zero-day exploits, some governments and corporations, now it is closer to 100% of all users who are in danger.

Listen to them howl!

Was was not big deal, since people with power could hack the other 99.99% of us, certainly is now a really big deal.

Maybe we will see incentives for more secure software when everyone and I mean everyone is at equal risk.

Help Shadow Brokers level the security playing field.

A post on discovery policy for vulnerabilities promotes user equality.

Do you favor user equality or some other social regime?

### The Line Between Safety and Peril – (patched) “Supported Products”

Saturday, April 15th, 2017

Friday’s release—which came as much of the computing world was planning a long weekend to observe the Easter holiday—contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks.

Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date.
“It is by far the most powerful cache of exploits ever released,” Matthew Hickey, a security expert and co-founder of Hacker House, told Ars. “It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it. A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective.”

News of the release has been fanned by non-technical outlets, such as CNN Tech, NSA’s powerful Windows hacking tools leaked online by Selena Larson.

Microsoft has responded with: Protecting customers and evaluating risk:

Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.