Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

July 19, 2018

8 Big Processor Vulnerabilities in 2018

Filed under: Cybersecurity — Patrick Durusau @ 10:16 am

8 Big Processor Vulnerabilities in 2018 by Ericka Chickowski

Since the Spectre and Meltdown vulnerabilities knocked the glow off of the new year, 2018 has been the year of the CPU bug. Security researchers have been working in overdrive examining processors for design flaws, firmware bugs, and other vulnerabilities that put an entire computing architecture at risk.

They haven’t come up empty-handed.

Here’s what we’ve had to contend with this year on the CPU vulnerability front — and what we can expect in a couple of weeks when new research hits the stage at Black Hat.

Among those Chickowski dicusses:

BranchScope, Spectre Variants 3a and 4 (breaching barrier between cloud instances on the same CPU, think the IC’s planned cloud), not to leave AMD Ryzen chips unnoticed: Ryzenfall, Masterkey, Fallout, and Chimera, and others.

And the year is a little more than half over!

Enjoy!

July 18, 2018

Self-Help Transparency – Smoke Loader

Filed under: Cybersecurity,Malware,Transparency — Patrick Durusau @ 8:18 pm

Dissecting Smoke Loader by Michał Praszmo.

From the post:

Smoke Loader (also known as Dofoil) is a relatively small, modular bot that is mainly used to drop various malware families.

Even though it’s designed to drop other malware, it has some pretty hefty malware-like capabilities on its own.

Despite being quite old, it’s still going strong, recently being dropped from RigEK and MalSpam campaigns.

In this article we’ll see how Smoke Loader unpacks itself and interacts with the C2 server.

You can go the Freedom of Information Act (FOIA) route to become an “informed citizen,” provided you don’t mind:

  • Indeterminate exchanges to clarify your request
  • Delays and fees by agencies
  • Exemptions
  • Review and editing of documents by those most interested in non-disclosure

If you had access to the agency’s files:

  • No need to clarify your request
  • No delays or fees by the agency
  • No exemptions from disclosure
  • No review and editing of requested documents to prevent disclosure

Not to mention that self-help transparency saves the agency staff time and other resources in answering your request.

The other advantage of self-help transparency is that it works with political PACs, foreign governments, corporations and a host of other groups and institutions with no FOIA traditions.

All of those are incentives for closely attending to this blog post on the Smoke Loader.

Enjoy!

Is the GRU Running Windows 10?

Filed under: Cybersecurity,Microsoft,Security — Patrick Durusau @ 7:44 pm

I ask if the GRU is running Windows 10 in part because of the fanciful indictment of twelve Russians that presumes key logging on GRU computers.

That and I saw: Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018), today.

From the post:

My contribution to the above result was a flag for the “Searchme” task authored by Eat, Sleep, Pwn, Repeat. It involved the exploitation of an off-by-one buffer overflow of a PagedPool allocation made by a vulnerable kernel driver loaded in Windows 10 64-bit. Shortly after the CTF, the original author (@_niklasb) published the source code of the driver and the corresponding exploit (see niklasb/elgoog on GitHub and discussion on Twitter), which revealed that my solution was partially unintended. Niklas used the off-by-one to corrupt allocation metadata and performed some pool feng-shui to get overlapping pool chunks. On the other hand, I achieved a similar outcome through a data-only attack without touching any pool metadata, which made the overall exploitation process somewhat simpler. I encourage you to closely analyze Niklas’ exploit, and if you’re interested in my approach, follow along.

If you want to jump straight to the exploit code, find it on GitHub.

Beyond my current skill level but a good example to follow for improving the same.

Aside to the GRU: Software compiled by others is untrustworthy. All cases, no exceptions. Consider Linux.

June 23, 2018

Got Bots? Canadians to Monitor Online Chatter for Threats

Filed under: Bots,Cybersecurity,Government — Patrick Durusau @ 7:58 pm

NEB seeks contractor to monitor ‘vast amounts’ of online chatter for potential security threats.

From the post:

The federal regulator responsible for pipelines is seeking an outside company to monitor online chatter en masse and aggregate the data in an effort to detect security risks ahead of time.

The National Energy Board has issued a request for information (RFI) from companies qualified to provide “real-time capability to algorithmically process vast amounts of traditional media, open source and public social media data.”

It is asking applicants to provide a “short demo session” of their security threat monitoring services in early July.

“This RFI is part of our processes to ensure we are getting the services we require to proactively manage security threats, risks and incidents to help protect its personnel, critical assets, information and services,” NEB communications officer Karen Ryhorchuk said in an email.

“It is not specific to any project, application or issue.”

The National Energy Board website is loaded with details on human mistakes (read pipelines) in varying degrees of detail. First stop if you are looking to oppose, interfere with, or degrade a pipeline located in Canada.

It’s interesting to note that despite the RFI being reported, you won’t find it on the News Releases page for the National Energy Board. It’s not on their Twitter feed, NEBCanada as well.

Someone in Canada should know the Yogi Berra line:

“It’s tough to make predictions, especially about the future.”

Well, perhaps not.

Still, if the Canadians are going to spend money on it, whoever they hire needs to earn their pay.

It’s would be trivial to create bots that randomly compose “alert” level posts, but the challenge would be to create an interlocking network of bots that “appear” to be interacting and responding to each others posts.

Thoughts on models of observed network communities that would be useful in training such a system?

There’s nothing guaranteed to stop governments from monitoring social media (if you believe government avowals of non-collection, well, that’s your bad), so the smart money is on generating too many credible signals for them to separate wheat from the chaff.

June 11, 2018

Speaking of Being Vulnerable: Tor Browser 7.5.5 and 8.0a8 released!

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 10:03 am

Tor Browser 7.5.5 is released (stable)

Tor Browser 8.0a8 is released (experimental)

BTW, if you want to use Tor in more than name only, follow these instructions (no exceptions):

Want Tor to really work?

You need to change some of your habits, as some things won’t work exactly as you are used to.

  1. Use Tor Browser

    Tor does not protect all of your computer’s Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser. It is pre-configured to protect your privacy and anonymity on the web as long as you’re browsing with Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.

  2. Don’t torrent over Tor

    Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that’s how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else.

  3. Don’t enable or install browser plugins

    Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into Tor Browser, as these may bypass Tor or otherwise harm your anonymity andprivacy.

  4. Use HTTPS versions of websites

    Tor will encrypt your traffic to and within the Tor network, but the encryption of your traffic to the final destination website depends upon on that website. To help ensure private
    encryption to websites, Tor Browser includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website. Also see EFF’s interactive page explaining how Tor and HTTPS relate.

  5. Don’t open documents downloaded through Tor while online

    Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files, unless you use the PDF viewer that’s built into Tor Browser) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.

  6. Use bridges and/or find company

    Tor tries to prevent attackers from learning what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you’re using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a Tor bridge relay rather than connecting directly to the public Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less
    dangerous it will be that you are one of them. Convince other people to use Tor, too!

Be smart and learn more. Understand what Tor does and does not offer. This list of pitfalls isn’t complete, and we need your help identifying and documenting all the issues.

Volunteer, donate, spread the word about the Tor project! The privacy you protect, could well be your own!

Zip Slip – Universal Government Vulnerability?

Filed under: Cybersecurity,Security — Patrick Durusau @ 9:25 am

Zip Slip vulnerability affects thousands of projects by Zeljka Zorz.

From the post:


The vulnerability, dubbed Zip Slip by the researchers, has been seen in the past before, but was never this widely spread, Snyk CEO Guy Podjarny told Help Net Security.

“Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside,” the company explained.

“The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking.”

There is a list of vulnerable libraries/apps, good for checking versions to discover failures to update. For the technical details, see: Zip Slip Vulnerability.

A large number of libraries have been updated but effectiveness of those updates depends upon projects in the wild updating the libraries they use.

Considering the sluggishness of government IT operations, Zip Slip may be a universal government vulnerability even in the face of updated libraries.

Nothing ventured, nothing gained. The worse case scenario for attackers is the attack fails.

June 7, 2018

Not Quite Being A Pirate, But Close (Hacking Ships)

Filed under: Cybersecurity — Patrick Durusau @ 12:40 pm

Ship hack ‘risks chaos in English Channel’ by Leo Kelion.

From the post:


A French researcher, who goes by the nickname x0rz, had earlier demonstrated that many ships never changed their satellite communications equipment’s default username and password, and that it was relatively easy to find cases via an app to gain remote access.

Mr Munro has shown that it is possible to take advantage of this to reconfigure a ship’s Ecdis software in order to mis-identify the location of its GPS (global positioning system) receiver.

The receiver’s location can be moved by only about 300m (984ft), but he said that was enough to force an accident.

“That doesn’t sound like much, but in poor visibility it’s the difference between crashing and not crashing,” he said.

He added that it was also possible to make the software identify the boat as being much bigger than its true size – up to 1km sq.
… (emphasis in original)

Kelion’s non-specifics on hacking ships were posted within the last hour. One report, with actionable details, on hackable ships, appeared on July 17, 2017, Welp, even ships are hackable now by Matthew Hughes.

If you are interested in timely news on cyber-security weaknesses, follow @x0rz.

Great pirate pic from x0rz’s post in July of 2017:

The unimaginative use of the hack to “block the English channel” was suggested by the Pen Test Partners report, Hacking, tracking, stealing and sinking ships by Ken Munro.

The report imagines numerous ships in the English Channel being frightened into immobility due to false collision alarms.

American warships appear to lack collision alarms (or they don’t turn them on) so false ship locations may lead to more than simple confusion.

I haven’t seen this reported but one assumes that military gear comes with default user names and passwords as well. Not unlike the rumored nuclear missile launch codes being 00000000 for 20 years. User name and password defaults for military systems have definite potential.

May 21, 2018

Cyber Bullies and Script Kiddie Hacking

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 4:55 pm

I saw a tweet about: AutoSQLi, the new way script-kiddies hack websites saying:

Oh joy, a new tool for script kiddies

With all the initiatives to address cyber-bullying do you find it strange that no one speaks up for “script kiddies?” (It’s not a term of endearment.)

Learning a new skill, whether SQL injection, phishing, making biscuits or hand loading ammunition, you follow detailed instructions of others. A “script,” “recipe,” etc.

We have been at the “script kiddie” level for one or more skills in our lives.

What do we gain by trashing tools that introduce new skills and hopefully capture the interest of new users?

Nothing. Shaming tools or users is an attempt to gain status by downgrading others.

It doesn’t work for me.

Does it work for you?

May 9, 2018

Increasing Your Security (As Opposed to Thinking You Are Secure)

Filed under: Cybersecurity,Security,Tails,Tor — Patrick Durusau @ 8:36 pm

You can increase your security, against known hazards/bugs, by installing and using:

along with other appropriate practices and cautions.

Bear in mind that no software or encryption scheme is a defense against a $5 wrench.

May 5, 2018

Weekend Readings: Qubes (‘Reasonably Secure OS’)

Filed under: Cybersecurity,Linux OS,Security — Patrick Durusau @ 3:00 pm

Weekend Readings: Qubes by Carlie Fairchild.

From the post:

Qubes OS is a security-focused operating system that, as tech editor Kyle Rankin puts it, “is fundamentally different from any other Linux desktop I’ve used”. Join us this weekend in reading Kyle’s multi-part series on all things Qubes.

In order:

  1. Secure Desktops with Qubes: Introduction
  2. Secure Desktops with Qubes: Installation
  3. Secure Desktops with Qubes: Compartmentalization
  4. Secure Desktops with Qubes: Extra Protection
  5. Qubes Desktop Tips
  6. What’s New in Qubes 4

From the Qubes homepage: Motherboard: “Finally, a ‘Reasonably-Secure’ Operating System: Qubes R3” by J.M. Porup.

After reading Rankin’s posts, Qubes is high on my list of things to try.

May 3, 2018

One Protocol, 125+ Million Targets

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 3:55 pm

Disclosure: The Call of Duty protocol has been patched against the vulnerability discussed by momo5502. Take heart, it is software and therefore has multiple vulnerabilities. The post remains an instructive one.

Game hacking reinvented? – A cod exploit

From the post:

A few years ago, I became aware of a security issue in most Call of Duty games.

Although I did not discover it myself, I thought it might be interesting to see what it could be used for.

Without going into detail, this security issue allows users playing a Call of Duty match to cause a buffer overflow on the host’s system inside a stack-allocated buffer within the game’s network handling.

In consquence, this allows full remote code execution!

To use this vulnerability to exploit the game, a few things have to be taken into consideration.

To exploit this vulnerability (or actually any vulnerability), you need to replicate the network protocol of the game.

This turns out to be somewhat complex, so I decided not to rewrite this myself but to actually use the game as a base and to simply force it into sending malicious hand-crafted packets that exploit it.

And indeed, this method seems to work, but the problem is that you need to modify the game in order to send the packets.

As Call of Duty has, just like any modern game these days, a not-so-bad anticheat mechanism (namely VAC), modifying it could result in myself getting banned from the game.

After a few other failed attempts of exploiting this vulnerability, I came up with something completely different: Why shouldn’t I use the game, without actually using the game?

The idea is still to take the game as base, but instead of hooking it, the underlying network transactions are analyzed to recreate the state of the game and to inject custom packets into the system’s network stack that look as if they were sent by the game.

So you don’t modify the game itself, but rather control all the data it sends and receives.

As this method doesn’t touch the game at all, it is not possible for current anti-cheat systems to detect this (it actually is possible, but I don’t think there is any anti-cheat that tries to detect that, yet).

Catalin Cimpanu tweeted a link to this post, along with links for a YouTube video: https://www.youtube.com/watch?v=j2N3_pDEsnE and GitHub PoC: https://github.com/momo5502/cod-exploit.

An elegant attack that relies on networked software, well, using a network for communication. However heavily protected the software, communication over a network can be captured and analyzed. Encryption may poses issues, but only if done well, which isn’t all that common.

Enjoy!

April 24, 2018

United Arab Emirates Imitates EU

Filed under: Bugs,Contest,Cybersecurity — Patrick Durusau @ 7:22 pm

Approach the webpage: Crowdfense Vulnerability Research Hub with caution! By posting:

Crowdfense budget for its first public Bug Bounty Program, launched April 2018, is $10 million USD.

Payouts for full-chain, previously unreported, exclusive capabilities range from $500,000 USD to $3 million USD per successful submission. Partial chains will be evaluated on a case-by-case basis and priced proportionally.

Within this program, Crowdfense evaluates only fully functional, top-quality 0-day exploits affecting the following platforms and products:

I have violated website restrictions, https://www.crowdfense.com/terms.html, clauses 1 and 4:

Subjecting me to:


Governing Law & Jurisdiction

These Terms will be governed by and interpreted in accordance with the laws of the United Arab Emirates, and you submit to the non-exclusive jurisdiction of the State and Federal Courts located in the Emirate of Abu Dhabi for the resolution of any disputes.

Sound absurd? It certainly is but no more absurd than the EU attempting to be the tail that wags the dog on issues of being forgotten or privacy.

The United Arab Emirates has as deep and storied a legal tradition as the EU but neither should be applied to actors outside their geographic borders.

If I am hosting content in the EU or United Arab Emirates, I am rightly subject to their laws. On other hand, if I am hosting content or consuming content outside their geographic boundaries, it’s absurd to apply their laws to me.

If the EU or United Arab Emirates wish to regulate (read censor) Internet traffic within their borders, it’s wrong-headed but their choice. But they should not be allowed to make decisions about Internet traffic for other countries.

April 4, 2018

192 Search Strings for Never To Be Patched Intel CPUs

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:42 pm

Mohit Kumar in Intel Admits It Won’t Be Possible to Fix Spectre (V2) Flaw in Some Processors points to a microcode revision guide from Intel, PDF), which points to CPUs which won’t be patched for Spectre (variant 2) flaws.

Kumar lists the product families, Bloomfield, Clarksfield, Gulftown, Harpertown Xeon, Jasper Forest, Penryn, SoFIA 3GR, Wolfdale, and Yorkfield, but those are Intel names, not product names.

To simplify your searching for never-to-be-patched Intel chips, I created a list of the public chips names, some 192 of them.

Good hunting!

March 11, 2018

Phishing, The 43% Option

Filed under: Cybersecurity,Politics,Security — Patrick Durusau @ 2:54 pm

How’s that for a motivational poster?

You can, and some do, spend hours plumbing in the depths of code or chip design for vulnerabilities.

Or, you can look behind door #2, the phishing door, and find 43% of data breaches start with phishing.

Phishing doesn’t have the glamor or prestige of finding a Meltdown or Spectre bug.

But, on the other hand, do you want to breach a congressional email account for the 2018 mid-term election, or for the 2038 election?

Just so you know, no rumors of breached congressional email accounts have surfaced, at least not yet.

Ping me if you see any such news.

PS: The tweet points to: https://qz.com/998949/can-you-outwit-a-hacker/, an ad for AT&T.

March 1, 2018

MSDAT: Microsoft SQL Database Attacking Tool

Filed under: Cybersecurity,Database,Security — Patrick Durusau @ 9:30 am

MSDAT: Microsoft SQL Database Attacking Tool

From the webpage:

MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.

Usage examples of MSDAT:

  • You have a Microsoft database listening remotely and you want to find valid credentials in order to connect to the database
  • You have a valid Microsoft SQL account on a database and you want to escalate your privileges
  • You have a valid Microsoft SQL account and you want to execute commands on the operating system hosting this DB (xp_cmdshell)

Tested on Microsoft SQL database 2005, 2008 and 2012.

As I mentioned yesterday, you may have to wait a few years until the Office of Personnel Management (OMP) upgrades to a supported version of Microsoft SQL database, but think of the experience you will have gained with MSDAT by that time.

And by the time the OPM upgrades, new critical security flaws will emerge in Microsoft SQL database 2005, 2008 and 2012. Under current management, the OPM is becoming less and less secure over time.

Would it help if I posed a street/aerial view of OPM headquarters in DC? Would that help focus your efforts at dropping infected USB sticks, malware loaded DVDs and insecure sex toys for OPM management to find?

OPM headquarters is not marked on the standard tourist map for DC. The map does suggest a number of other fertile places for your wares.

February 27, 2018

Kiddie Hack – OPM

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 9:24 pm

Is it fair to point out the Office of Personnel Management (OMP) continues to fail to plan upgrades to its security?

That’s right, not OPM security upgrades are failing, but OPM is failing to plan for security upgrades. Three years after 21.5 million current and former fed data records were stolen from the OPM.

The inspector general report reads in part:


While we believe that the Plan is a step in the right direction toward modernizing OPM’s IT environment, it falls short of the requirements outlined in the Appropriations Act. The Plan identifies several modernization-related initiatives and allocates the $11 million amongst these areas, but the Plan does not
identify the full scope of OPM’s modernization effort or contain cost estimates for the individual initiatives or the effort as a whole. All of the other capital budgeting, project planning, and IT security requirements are similarly missing.

At this rate, hackers are stockpiling gear slow enough to work with OPM systems.

Be careful on eBay and other online sources. No doubt the FBI is monitoring purchases of older computer gear.

February 26, 2018

Governments Are Secure, But Only By Your Forbearance (happens-before (HB) graphs)

Filed under: Cybersecurity,Security — Patrick Durusau @ 3:05 pm

MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols by Caroline Trippel, Daniel Lustig, Margaret Martonosi.

Abstract:

The recent Meltdown and Spectre attacks highlight the importance of automated verification techniques for identifying hardware security vulnerabilities. We have developed a tool for synthesizing microarchitecture-specific programs capable of producing any user-specified hardware execution pattern of interest. Our tool takes two inputs: a formal description of (i) a microarchitecture in a domain-specific language, and (ii) a microarchitectural execution pattern of interest, e.g. a threat pattern. All programs synthesized by our tool are capable of producing the specified execution pattern on the supplied microarchitecture.

We used our tool to specify a hardware execution pattern common to Flush+Reload attacks and automatically synthesized security litmus tests representative of those that have been publicly disclosed for conducting Meltdown and Spectre attacks. We also formulated a Prime+Probe threat pattern, enabling our tool to synthesize a new variant of each—MeltdownPrime and SpectrePrime. Both of these new exploits use Prime+Probe approaches to conduct the timing attack. They are both also novel in that they are 2-core attacks which leverage the cache line invalidation mechanism in modern cache coherence protocols. These are the first proposed Prime+Probe variants of Meltdown and Spectre. But more importantly, both Prime attacks exploit invalidation-based coherence protocols to achieve the same level of precision as a Flush+Reload attack. While mitigation techniques in software (e.g., barriers that prevent speculation) will likely be the same for our Prime variants as for original Spectre and Meltdown, we believe that hardware protection against them will be distinct. As a proof of concept, we implemented SpectrePrime as a C program and ran it on an Intel x86 processor, averaging about the same accuracy as Spectre over 100 runs—97.9% for Spectre and 99.95% for SpectrePrime.

A separate paper is under review for the “tool” used in this article so more joy is on your way!

As a bonus, “happens-before (HB) graphs” are used, enabling exercise of those graph skills you built making cluttered Twitter graphs.

Good hunting!

February 22, 2018

Deep Voice – The Empire Grows Steadily Less Secure

Filed under: Artificial Intelligence,Cybersecurity — Patrick Durusau @ 5:17 pm

Baidu AI Can Clone Your Voice in Seconds

From the post:

Baidu’s research arm announced yesterday that its 2017 text-to-speech (TTS) system Deep Voice has learned how to imitate a person’s voice using a mere three seconds of voice sample data.

The technique, known as voice cloning, could be used to personalize virtual assistants such as Apple’s Siri, Google Assistant, Amazon Alexa; and Baidu’s Mandarin virtual assistant platform DuerOS, which supports 50 million devices in China with human-machine conversational interfaces.

In healthcare, voice cloning has helped patients who lost their voices by building a duplicate. Voice cloning may even find traction in the entertainment industry and in social media as a tool for satirists.

Baidu researchers implemented two approaches: speaker adaption and speaker encoding. Both deliver good performance with minimal audio input data, and can be integrated into a multi-speaker generative model in the Deep Voice system with speaker embeddings without degrading quality.

See the post for links to three-second voice clips and other details.

Concerns?


The recent breakthroughs in synthesizing human voices have also raised concerns. AI could potentially downgrade voice identity in real life or with security systems. For example voice technology could be used maliciously against a public figure by creating false statements in their voice. A BBC reporter’s test with his twin brother also demonstrated the capacity for voice mimicking to fool voiceprint security systems.

That’s a concern? 😉

I think cloned voices of battlefield military commanders, cloned politician voices with sex partners, or “known” voices badgering help desk staff into giving up utility plant or other access, those are “concerns.” Or “encouragements,” depending on your interests in such systems.

February 21, 2018

Self-Inflicted Insecurity in the Cloud – Selling Legal Firm Data

Filed under: Cloud Computing,Cybersecurity — Patrick Durusau @ 11:54 am

The self-inflicted insecurity phrase being “…behind your own firewall….”

You can see the rest of the Oracle huffing and puffing here.

The odds of breaching law firm security are increased by:

  • Changing to an unfamiliar computing environment (the cloud), or
  • Changing to unfamiliar security software (cloud firewalls).

Either one is sufficient but together, security breaching errors are nearly certain.

Even with an increase in vulnerability, hackers still face the question of how to monetize law firm data?

The economics and markets for stolen credit card and personal data are fairly well known. The Underground Economy of Data Breaches by Wade Williamson, and Once Stolen, What Do Hackers Do With Your Data?.

Dumping law firm data, such as the Panama Papers, generates a lot of PR but doesn’t add anything to your bank account.

Extracting value from law firm data is a variation on e-discovery, a non-trivial process, briefly described in: the Basics of E-Discovery.

However embarrassing law firm data may be, to its former possessors or their clients, market mechanisms akin to those for credit/personal data have yet to develop.

Pointers to the contrary?

February 20, 2018

The EFF, Privilege, Revolution

Filed under: Cybersecurity,Politics,Privacy — Patrick Durusau @ 8:57 pm

The Revolution and Slack by Gennie Gebhart and Cindy Cohn.

From the post:

The revolution will not be televised, but it may be hosted on Slack. Community groups, activists, and workers in the United States are increasingly gravitating toward the popular collaboration tool to communicate and coordinate efforts. But many of the people using Slack for political organizing and activism are not fully aware of the ways Slack falls short in serving their security needs. Slack has yet to support this community in its default settings or in its ongoing design.

We urge Slack to recognize the community organizers and activists using its platform and take more steps to protect them. In the meantime, this post provides context and things to consider when choosing a platform for political organizing, as well as some tips about how to set Slack up to best protect your community.

Great security advice for organizers and activists who choose to use Slack.

But let’s be realistic about “revolution.” The EFF, community organizers and activists who would use Slack, are by definition, not revolutionaries.

How else would you explain the pantheon of legal cases pursued by the EFF? When the EFF lost, did it seek remedies by other means? Did it take illegal action to protect/avenge injured innocents?

Privilege is what enables people to say, “I’m using the law to oppose to X,” while other people are suffering the consequences of X.

Privilege holders != revolutionaries.

FYI any potential revolutionaries: If “on the Internet, no one knows your a dog,” it’s also true “no one knows you are a government agent.”

February 14, 2018

Evolving a Decompiler

Filed under: C/C++,Compilers,Cybersecurity,Programming,Subject Identity — Patrick Durusau @ 8:36 am

Evolving a Decompiler by Matt Noonan.

From the post:

Back in 2016, Eric Schulte, Jason Ruchti, myself, Alexey Loginov, and David Ciarletta (all of the research arm of GrammaTech) spent some time diving into a new approach to decompilation. We made some progress but were eventually all pulled away to other projects, leaving a very interesting work-in-progress prototype behind.

Being a promising but incomplete research prototype, it was quite difficult to find a venue to publish our research. But I am very excited to announce that I will be presenting this work at the NDSS binary analysis research (BAR) workshop next week in San Diego, CA! BAR is a workshop on the state-of-the-art in binary analysis research, including talks about working systems as well as novel prototypes and works-in-progress; I’m really happy that the program committee decided to include discussion of these prototypes, because there are a lot of cool ideas out there that aren’t production-ready, but may flourish once the community gets a chance to start tinkering with them.

How wickedly cool!

Did I mention all the major components are open-source?


GrammaTech recently open-sourced all of the major components of BED, including:

  • SEL, the Software Evolution Library. This is a Common Lisp library for program synthesis and repair, and is quite nice to work with interactively. All of the C-specific mutations used in BED are available as part of SEL; the only missing component is the big code database; just bring your own!
  • clang-mutate, a command-line tool for performing low-level mutations on C and C++ code. All of the actual edits are performed using clang-mutate; it also includes a REPL-like interface for interactively manipulating C and C++ code to quickly produce variants.

The building of the “big code database” sounds like an exercise in subject identity doesn’t it?

Topic maps anyone?

February 13, 2018

Responsible Disclosure: You Lost 5 Months of Pwning Corporate/Government Computers

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:34 pm

Skype can’t fix a nasty security bug without a massive code rewrite by Zack Whittaker.

From the post:

A security flaw in Skype’s updater process can allow an attacker to gain system-level privileges to a vulnerable computer.

The bug, if exploited, can escalate a local unprivileged user to the full “system” level rights — granting them access to every corner of the operating system.

But Microsoft, which owns the voice- and video-calling service, said it won’t immediately fix the flaw, because the bug would require too much work.

Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs.

Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking.

Impact of responsible disclosure?

Microsoft sat on its ass for over five months, five months you could have been pwning corporate and government computers, only to say (paraphrase): “It’s too hard.”

It wasn’t too hard for them to completely break Skype for Ubuntu and possibly other flavors of Linux. But fixing a large bug? No, let us introduce some new ones and then we’ll think about the existing ones.

Most corporations and governments maintain secrets only by lack of effort on the part of the public.

Give that some thought when deciding how to spend your leisure time.

February 12, 2018

Improving Your Phishing Game

Filed under: Cybersecurity,Ethics,Phishing for Leaks,Security — Patrick Durusau @ 7:52 pm

Did you know that KnowBe4 publishes quarterly phishing test analysis? Ranks the top lines that get links in phishing emails followed.

The entire site of KnowBe4 is a reference source if you don’t want to fall for or look like a Nigerian spammer when it comes to phishing emails.

Their definition of phishing:

Phishing is the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters.

Emails claiming to be from popular social web sites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering.

I think:

It’s a form of criminally fraudulent social engineering.

sounds a bit harsh and not nuanced at all.

For example, these aren’t criminally fraudulent cases of phishing:

  • CIA sends phishing emails to foreign diplomats
  • FBI sends phishing emails to anti-war and social reform groups
  • NSA sends phishing emails to government officials (ours, theirs, etc.)

Phishing is an amoral weapon, just like any other weapon.

If you use phishing to uncover child sex traffickers, is that a criminally fraudulent use of phishing? Not to me.

If you hear a different conclusion in a windy discussion of ethics, don’t bother to write. I’ll just treat it as spam.

Don’t let other people make broad ethical pronouncements on your behalf. They have an agenda and it’s not likely to be one in your interest.

Meanwhile, improve your phishing game!

February 9, 2018

Fear Keeps People in Line (And Ignorant of Apple Source Code)

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 11:05 am

Apple’s top-secret iBoot firmware source code spills onto GitHub for some insane reason by Chris Williams.

From the post:

The confidential source code to Apple’s iBoot firmware in iPhones, iPads and other iOS devices has leaked into a public GitHub repo.

The closed-source code is top-secret, proprietary, copyright Apple, and yet has been quietly doing the rounds between security researchers and device jailbreakers on Reddit for four or so months, if not longer.

We’re not going to link to it. Also, downloading it is not recommended. Just remember what happened when people shared or sold copies of the stolen Microsoft Windows 2000 source code back in the day.

Notice that Williams cites scary language about the prior Windows source code but not a single example of an actual prosecution for downloading or sharing that source code. I have strong suspicions why no examples were cited.*

You?

The other thing to notice is “security researchers” have been sharing it for months, but if the great unwashed public gets to see it, well, that’s a five alarm fire.

Williams has sided with access only for the privileged, although I would be hard pressed to say why?

BTW, if you want to search Github for source code that claims to originate from Apple, use the search term iBoot.

No direct link because in the DCMA cat and mouse game, any link will be quickly broken and I have no way to verify whether a repository is or isn’t Apple source code.

Don’t let fear keep you ignorant.

*My suspicions are that anyone reading Microsoft Windows 2000 source code became a poorer programmer and that was viewed as penalty enough.

February 8, 2018

Introducing HacSpec (“specification language for cryptographic primitives”)

Filed under: Cryptography,Cybersecurity,Security — Patrick Durusau @ 2:58 pm

Introducing HacSpec by Franziskus Kiefer.

From the post:

HacSpec is a proposal for a new specification language for cryptographic primitives that is succinct, that is easy to read and implement, and that lends itself to formal verification. It aims to formalise the pseudocode used in cryptographic standards by proposing a formal syntax that can be checked for simple errors. HacSpec specifications are further executable to test against test vectors specified in a common syntax.

The main focus of HacSpec is to allow specifications to be compiled to formal languages such as cryptol, coq, F*, and easycrypt and thus make it easier to formally verify implementations. This allows a specification using HacSpec to be the basis not only for implementations but also for formal proofs of functional correctness, cryptographic security, and side-channel resistance.

The idea of having a language like HacSpec stems from discussions at the recent HACS workshop in Zurich. The High-Assurance-Cryptographic-Software workshop (HACS) is an invite-only workshop co-located with the Real World Crypto symposium.

Anyone interested in moving this project forward should subscribe to the mailing list or file issues and pull requests against the Github repository.

Cryptography projects should be monitored like the NSA does NIST cryptography standards. If you see an error or weakness, you’re under no obligation to help. The NSA won’t.

Given security fails from software, users, etc., end-to-end encryption resembles transporting people from one homeless camp to another in an armored car.

Secure in transit but not secure at either end.

February 7, 2018

Kali Linux 2018.1 Release

Filed under: Cybersecurity,Security — Patrick Durusau @ 9:52 pm

Kali Linux 2018.1 Release

From the post:

Welcome to our first release of 2018, Kali Linux 2018.1. This fine release contains all updated packages and bug fixes since our 2017.3 release last November. This release wasn’t without its challenges–from the Meltdown and Spectre excitement (patches will be in the 4.15 kernel) to a couple of other nasty bugs, we had our work cut out for us but we prevailed in time to deliver this latest and greatest version for your installation pleasure.

Churn, especially in security practices and software, is the best state imaginable for generating vulnerabilities.

New software means new bugs, unfamiliar setup requirements, newbie user mistakes, in addition to the 33% or more of users who accept phishing emails.

2018 looks like a great year for security churn.

How stable is your security? (Don’t answer over a clear channel.)

February 6, 2018

Dive into BPF: a list of reading material

Filed under: Cybersecurity,Networks — Patrick Durusau @ 8:22 pm

Dive into BPF: a list of reading material by Quentin Monnet.

From the post:

BPF, as in Berkeley Packet Filter, was initially conceived in 1992 so as to provide a way to filter packets and to avoid useless packet copies from kernel to userspace. It initially consisted in a simple bytecode that is injected from userspace into the kernel, where it is checked by a verifier—to prevent kernel crashes or security issues—and attached to a socket, then run on each received packet. It was ported to Linux a couple of years later, and used for a small number of applications (tcpdump for example). The simplicity of the language as well as the existence of an in-kernel Just-In-Time (JIT) compiling machine for BPF were factors for the excellent performances of this tool.

Then in 2013, Alexei Starovoitov completely reshaped it, started to add new functionalities and to improve the performances of BPF. This new version is designated as eBPF (for “extended BPF”), while the former becomes cBPF (“classic” BPF). New features such as maps and tail calls appeared. The JIT machines were rewritten. The new language is even closer to native machine language than cBPF was. And also, new attach points in the kernel have been created.

Thanks to those new hooks, eBPF programs can be designed for a variety of use cases, that divide into two fields of applications. One of them is the domain of kernel tracing and event monitoring. BPF programs can be attached to kprobes and they compare with other tracing methods, with many advantages (and sometimes some drawbacks).

The other application domain remains network programming. In addition to socket filter, eBPF programs can be attached to tc (Linux traffic control tool) ingress or egress interfaces and perform a variety of packet processing tasks, in an efficient way. This opens new perspectives in the domain.

And eBPF performances are further leveraged through the technologies developed for the IO Visor project: new hooks have also been added for XDP (“eXpress Data Path”), a new fast path recently added to the kernel. XDP works in conjunction with the Linux stack, and relies on BPF to perform very fast packet processing.

Even some projects such as P4, Open vSwitch, consider or started to approach BPF. Some others, such as CETH, Cilium, are entirely based on it. BPF is buzzing, so we can expect a lot of tools and projects to orbit around it soon…

I haven’t even thought about the Berkeley Packet Filter in more than a decade.

But such a wonderful reading list merits mention in its own right. What a great model for reading lists on other topics!

And one or more members of your team may want to get closer to the metal on packet traffic.

PS: I don’t subscribe to the only governments can build nation state level tooling for hacks. Loose confederations of people built the Internet. Something to keep in mind while sharing code and hacks.

February 3, 2018

IDA v7.0 Released as Freeware – Comparison to The IDA Pro Book?

Filed under: Cybersecurity,Hacking,Programming — Patrick Durusau @ 9:04 am

IDA v7.0 Released as Freeware

From the download page:

The freeware version of IDA v7.0 has the following limitations:

  • no commercial use is allowed
  • lacks all features introduced in IDA > v7.0
  • lacks support for many processors, file formats, debugging etc…
  • comes without technical support

Copious amounts of documentation are online.

I haven’t seen The IDA Pro Book by Chris Eagle, but it was published in 2011. Do you know anyone who has compared The IDA Pro Book to version 7.0?

Two promising pages: IDA Support Overview and IDA Support: Links (external).

February 2, 2018

How To Secure Sex Toys – End to End (so to speak)

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 1:40 pm

Thursday began innocently enough and then I encountered:

The tumult of articles started (I think) with: Internet of Dildos: A Long Way to a Vibrant Future – From IoT to IoD, covering security flaws in Vibratissimo PantyBuster, MagicMotion Flamingo, and Realov Lydia, reads in part:


The results are the foundations for a Master thesis written by Werner Schober in cooperation with SEC Consult and the University of Applied Sciences St. Pölten. The first available results can be found in the following chapters of this blog post.

The sex toys of the “Vibratissimo” product line and their cloud platform, both manufactured and operated by the German company Amor Gummiwaren GmbH, were affected by severe security vulnerabilities. The information we present is not only relevant from a technological perspective, but also from a data protection and privacy perspective. The database containing all the customer data (explicit images, chat logs, sexual orientation, email addresses, passwords in clear text, etc.) was basically readable for everyone on the internet. Moreover, an attacker was able to remotely pleasure individuals without their consent. This could be possible if an attacker is nearby a victim (within Bluetooth range), or even over the internet. Furthermore, the enumeration of explicit images of all users is possible because of predictable numbers and missing authorization checks.

Other coverage of the vulnerability includes:

Vibratissimo product line (includes the PantyBuster).

The cited coverage doesn’t answer how to incentivize end-to-end encrypted sex toys?

Here’s one suggestion: Buy the PantyBuster or other “smart” sex toys in bulk. Re-ship these sex toys, after duly noting their serial numbers and other access information, to your government representatives, sports or TV figures, judges, military officers, etc. People whose privacy matters to the government.

If someone were to post a list of such devices, well, you can imagine the speed with sex toys will be required to be encrypted in your market.

Some people see vulnerabilities and see problems.

I see the same vulnerabilities and see endless possibilities.

Weird Machines, exploitability, and proven unexploitability – Video

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 10:32 am

Thomas Dullien/Halvar Flake’s presentation Weird Machines, exploitability, and proven unexploitability won’t embed but you can watch it on Vimeo.

Great presentation of the paper I mentioned at: Weird machines, exploitability, and provable unexploitability.

Includes this image of a “MitiGator:”

Views “software as an emulator for the finite state machine I would like to have.” (rough paraphrase)

Another gem, attackers don’t distinguish between data and programming:

OK, one more gem and you have to go watch the video:

Proof of unexploitability:

Mostly rote exhaustion of the possible weird state transitions.

The example used is “several orders of magnitude” less complicated than most software. Possible to prove but difficult even with simple examples.

Definitely a “watch this space” field of computer science.

Appendices with code: http://www.dullien.net/thomas/weird-machines-exploitability.pdf

« Newer PostsOlder Posts »

Powered by WordPress