Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

November 15, 2017

Going Among Capitalists? Don’t Forget Your S8 USB Cable!

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 5:45 pm

Teardown of a consumer voice/location cellular spying device that fits in the tip of a USB cable by Cory Doctorow.

From the post:

Mich from ha.cking bought a $25 “S8 data line locator” device — a cellular spying tool, disguised as a USB cable and marketed to the general public — and did a teardown of the gadget, offering a glimpse into the world of “trickle down surveillance” where the kinds of surveillance tools used by the NSA are turned into products and sold to randos over the internet for $25.

The S8 makes use of the GSM cellular network and takes a regular micro-SIM, and can use any of the international GSM bands. You communicate with it by sending it SMSes or by using a web front-end, which causes it to switch on a hidden mic so you can listen in on its surroundings; it can also give a coarse approximation of its location (based on GSM towers, not GPS, and accurate to within about 1.57km).

For all the technical details see: Inside a low budget consumer hardware espionage implant by mich (@0x6d696368).

In some legal jurisdictions use of this cable may be construed as a crime. But, as US torture of prisoners, NSA surveillance, and numerous other crimes by US operatives demonstrate, prosecution of crimes is at the whim and caprice of prosecutors.

Calling something a “crime” is pejorative labeling for media purposes, unless you are a prosecutor deciding on prosecution. Otherwise, it’s just labeling.

From Forever Vulnerable (aka Microsoft) – Seventeen Years of Vulnerability

Filed under: Cybersecurity,Microsoft,Security — Patrick Durusau @ 4:15 pm

A seventeen-year-old vulnerability was patched in the Microsoft Equation Editor yesterday.

For a semi-technical overview, see Office Equation Editor Security Bug Runs Malicious Code Without User Interaction by Catalin Cimpanu.

For all the details and a back story useful for finding vulnerabilities, see: Skeleton in the closet. MS Office vulnerability you didn’t know about by Embedi.

Walking through the steps in the post to “re-discover” this vulnerability is a good exercise.

It’s not the fault of Microsoft that its users fail to patch/upgrade Microsoft products. That being said, CVE-2017-11882, with a seventeen year range, should be added to your evergreen list of Microsoft vulnerabilities.

Call For Cyber Weapons (Arsenal at Black Hat Asia 2018)

Filed under: Conferences,Cybersecurity,Security — Patrick Durusau @ 11:46 am

Welcome to Arsenal at Black Hat Asia 2018 – Call for Tools Open

Deadline: January 10 at 23:59 Pacific

From the webpage:

The Black Hat Arsenal team will be back in Singapore with the very same goal: give hackers & security researchers the opportunity to demo their newest and latest code.

The Arsenal tool demo area is dedicated to researchers and the open source community. The concept is quite simple: we provide the space and you bring your machine to showcase your work and answer questions from delegates attending Black Hat.

Once again, the ToolsWatch (@toolswatch) team will work in conjunction with Black Hat for the special event Black Hat Arsenal Asia 2018.

The 16th session will be held at the Marina Bay Sands in Singapore from March 22-March 23, 2018.

The same rules to consider before applying to Arsenal:

  • Bring your computer (with VGA output), adapter, your tool, your stickers
  • Avoid stodgy presentations. Folks are expecting action, so give’em action.
  • No vendor pitches or gear!
  • Be yourself, be cool, and wear a smile.
  • Hug the folks at Arsenal :)
  • Above all, have tremendous fun!!

For any questions, contact blackhatarsenal@ubm.com.

*Please note: You may use the plain text “Upload File” section if you wish to include whitepapers or research; however, this field is optional and not required.

Not as much advance notice as you have for Balisage 2018 but surely you are building new tools on a regular basis!

As you have learned from tools written by others, come to Arsenal at Black Hat Asia 2018 and enable others to learn from you.

Terminology: I say “weapons” instead of “tools” to highlight the lack of any “us” when it comes to cybersecurity.

Governments and corporations have an interest in personal privacy and security only when it furthers their agendas and none when it doesn’t.

Making governments and corporations more secure isn’t in my interest. Is it in yours? (Governments have declared their lack of interest in your privacy and security by their actions. Nothing more need be said.)

November 14, 2017

Hackers! 90% of Federal IT Managers Aiming for Their Own Feet!

Filed under: Artificial Intelligence,Cybersecurity,Government,Machine Learning,Security — Patrick Durusau @ 2:58 pm

The Federal Cyber AI IQ Test (November 14, 2017) reports:

Most Powerful Applications:

  • 90% of Feds say AI could help prepare agencies for real-world cyber attack scenarios and 87% say it would improve the efficiency of the Federal cyber security workforce
  • 91% say their agency could utilize AI to monitor human activity and deter insider threats, including detecting suspicious elements and large amounts of data being downloaded, and analyzing risky user behavior

(emphasis in original)

One sure conclusion from this report: 90% of Feds don’t know that AIs mistake turtles for rifles 90% of the time. The adversarial example literature is full of such cases and getting more robust by the day.

The trap federal IT managers have fallen into is a familiar one. To solve an entirely human problem, a shortage of qualified labor, they want to mechanize the required task, even if it means a lower quality end result. Human problems are solved poorly, if at all, by mechanized solutions.

Opposed by lowest common denominator AI systems, hackers will be all but running the mints as cybersecurity AI systems spread across the federal government. “Ghost” federal installations will appear on agency records for confirmation of FedEx/UPS shipments. The possibilities are endless.

If you are a state or local government or even a federal IT manager, letting hackers run wild isn’t a foregone conclusion.

You could pattern your compensation packages after West Coast start-ups, along with similar perks. Expensive, but do you want an OMB-type data leak on your record?

November 12, 2017

Azeria-Labs VM – Naked Ubuntu VM w/ emulated ARMv6l

Filed under: ARM,Cybersecurity,Security — Patrick Durusau @ 8:44 pm

Azeria-Labs VM – Naked Ubuntu VM w/ emulated ARMv6l by Azeria.

From the webpage:

Let me guess, you don’t want to bother with any of this and just want a ready-made Ubuntu VM with all QEMU stuff setup and ready-to-play. Very well. The first Azeria-Labs VM is ready. It’s a naked Ubuntu VM containing an emulated ARMv6l.

This VM is also for those of you who tried emulating ARM with QEMU but got stuck for inexplicable linux reasons. I understand the struggle, trust me.

It’s Sunday evening here and I have conference calls tomorrow. 🙁

Still, I wanted to pass on the news about the Azeria-Labs VM and Azeria’s pointer to “ARM” challenges at Root Me.

Enjoy!

Beginner’s Guide to Exploitation on ARM

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:25 pm

Beginner’s Guide to Exploitation on ARM by Billy Ellis.

From the website:

‘Beginner’s Guide to Exploitation on ARM’ is a beginner-friendly book aimed at individuals who are interested in learning the core concepts behind software vulnerability analysis & exploit development.

It explains everything from the basics of the ARM architecture to the various methods of exploitation used to take advantage of memory corruption vulnerabilities within modern systems today, using diagrams and example applications along the way to ensure that each chapter is easy to follow!

Judging from the rave reviews on Twitter and other forums, the time to order is now!

We’re all expecting relatives for the holiday season, at least in the US and Europe, so why not treat yourself to some reading material?

I will be posting more on this book after it arrives.

Enjoy!

WiMonitor – Hacker Arsenal, Design Suggestions

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:11 pm

WiMonitor

From the webpage:

WiMonitor makes Wi-Fi packet sniffing and network monitoring dead simple!

Once configured the device automatically scans channels 1-13 in the 2.4GHz band, captures packets and sends them to a remote IP address over Ethernet for further processing. The encapsulation is compatible with Wireshark so you can analyze Wi-Fi traffic using it.

More information on how to get started: Getting Started Guide.

Design Suggestions:

I’m not the artistic type but I do have a couple of suggestions for the housing of the WiMonitor.

Stock image from website:

Right, let’s make the case a bright white, use “Hacker Arsenal” with a bright graphic on top surface, have labels for Wan/Lan and USB (those are hard to recognize) and of course, a power light to attract attention.

Sigh. I guess it goes well with your standard working shirt:

Those c-suite types won’t notice you at all. Completely invisible.

If you strive to be a little less noticeable, ask Hacker Arsenal for a little less obvious WiMonitor. Something along these lines:

First, a black case, lose the cover as well:

(Yes, I need to work on my graphic editing skills. 😉 )

Second, make an internal USB connection sufficient for a 256GB USB thumb drive, add a battery for power and lose the power light.

Make it drop and retrieve ready.

Now that would be a hot package!

Hacking 90% of the Commercial Air Fleet

Filed under: Aviation,Cybersecurity — Patrick Durusau @ 10:52 am

Short notice for the holiday travel season but 90% of the commercial air fleet can be hacked without insider or physical access.

Boeing 757 Testing Shows Airplanes Vulnerable to Hacking, DHS Says by Calvin Biesecker.

While the research is classified (making this a CTF type problem), Biesecker reports these broad hints:

“[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.” Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft’s systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, “you can come to grips pretty quickly where we went” on the aircraft.

The aircraft that DHS is using for its tests is a legacy Boeing 757 commercial plane purchased by the S&T branch. After his speech at the CyberSat Summit, Hickey told Avionics sister publication Defense Daily that the testing is with the aircraft on the ground at the airport in Atlantic City, New Jersey. The initial response from experts was, “’We’ve known that for years,’” and, “It’s not a big deal,” Hickey said.

But in March 2017, at a technical exchange meeting, he said seven airline pilot captains from American Airlines and Delta Air Lines in the room had no clue.

“All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible,’” Hickey said.

Terminology for researching this issue can be found in Boeing 757 Operations Manual Volume 2, sections 5.40.1 and 5.50.1. Hardware for testing your hack can be found at one or more aircraft boneyards. Or you can always purchase new systems and advice.

No need to rush for fear of patching:

…Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said.

The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt” them if a cyber vulnerability was specific to systems on board 737s, he said, adding that other airlines that fly 737s would also see their earnings hurt. Hickey said newer models of 737s and other aircraft, like Boeing’s 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don’t have these protections.

Aircraft also represent different challenges for cybersecurity and traditional land-based networks, Hickey said. He said that whether it’s the U.S. Air Force or the commercial sector, there are no maintenance crews that can deal with ferreting out cyber threats aboard an aircraft.

No one checking for vulnerabilities and if discovered too expensive to fix?

Sounds like a hacker’s wet dream.

Have Orwell’s pigs built their palaces out of straw?

PS: The meaning of “hack” when used by the DHS isn’t clear. It could mean bad temperature or location information, up to and including interference with flight control systems (highly unlikely). Interference with flight control systems is more likely to be a feature of the F-35.

Antivirus Engines Have Design Flaws?

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:24 am

Antivirus Engine Design Flaw Helps Malware Sink Its Teeth Into Your System by Catalin Cimpanu.

Cimpanu routs the chest beating of antivirus vendors with this report on a design flaw common to Windows antivirus products. Code named AVGater by its discoverer, Florian Bogner, who also created a colorful logo for the vulnerability:

(Source: #AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine by Florian Bogner)

Cimpanu gives a high level summary and Bogner more details to support further investigation of this design flaw. An incomplete list of impacted vendors: Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Ikarus, and Zone Alarm by Check Point.

So the answer is yes, antivirus engines do have design, and other, flaws.

Antivirus and other security software increase the available attack surface for discovery of flaws and vulnerabilities.

If your antivirus or security software vendor denies increasing your attack surface, best you consider another vendor.

November 10, 2017

New Maltese Investigative News Website – Security Suggestions

Filed under: Cybersecurity,Journalism,News,Reporting — Patrick Durusau @ 11:14 am

Three Experienced Maltese Journalists Open Investigative News Website by Tim Diacono.

From the post:

“The vile execution of journalist Daphne Caruana Galizia is a wakeup call for civic action, to stop the greed and the rot and to assert the power of the pen over the might of criminals who want us to remain silent as they pile up their profits,” the journalists wrote in their first editorial. “It was nothing short of a declaration of war on our serenity and freedom to stand up to be counted.”

“We have come together to create The Shift months ago thinking that there could not have been a better time for a nonpartisan voice with a clear agenda for good governance, which speaks its truth to power respectfully but firmly, keeping a distance from economic and partisan agendas. We never could have anticipated that our country would descend into this nightmare,” they added.

“We have decided to take the plunge now because we also want to contribute to the civic awakening which followed the brutal elimination of a journalist who spoke her truths to power. We do not seek to step in Daphne Caruana Galizia’s shoes and our style and approach is very different. But we promise to honour the best part of her legacy, that of being a thorn in the side… of whoever is in power.”

To the extent The Shift can be “…a thorn in the side… of whoever is in power,” I’m all for it.

On the other hand, the organizers of The Shift should consider working with an umbrella organization that provides basic security.

The Shift organizers should retain their independence but among the more glaring flaws of their current site:

  1. http:// instead of https://
  2. No PGP key for encrypted email
  3. No secure drop box for leaks
  4. No advice on secure contacts
  5. Contact form requires name and email?
  6. … others I’m sure…
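As an added illustration of the checklist above (not code from The Shift or from the original post), a small static audit that checks a contact page’s HTML for items 1, 2 and 5: cleartext HTTP for the page or its form target, no PGP key on offer, and a form that forces a source to give a name and email. The sample pages, URLs and the `example.invalid` host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ContactPageParser(HTMLParser):
    """Collect what the audit needs: form actions, required inputs, links, text."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.required_fields = []
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and "required" in a:
            self.required_fields.append((a.get("name") or a.get("type") or "").lower())
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])

    def handle_data(self, data):
        self.text.append(data.lower())


def audit_contact_page(page_url, html):
    """Return findings for checklist items 1, 2 and 5 (an empty list means none found)."""
    parser = _ContactPageParser()
    parser.feed(html)
    parser.close()
    page_scheme = urlparse(page_url).scheme
    findings = []

    # Item 1: cleartext HTTP, for the page itself and for any form target.
    if page_scheme != "https":
        findings.append("page served over http")
    for action in parser.form_actions:
        scheme = urlparse(action).scheme or page_scheme  # relative action inherits the page scheme
        if scheme != "https":
            findings.append("form posts over http: " + (action or page_url))

    # Item 2: no PGP key offered (no .asc link and no mention of PGP/GPG in the text).
    text = " ".join(parser.text)
    has_key = any(h.lower().endswith(".asc") for h in parser.hrefs)
    if not has_key and "pgp" not in text and "gpg" not in text:
        findings.append("no PGP key for encrypted email")

    # Item 5: the contact form forces a source to identify themselves.
    for field in parser.required_fields:
        if field in ("name", "email"):
            findings.append("contact form requires " + field)
    return findings


# Constructed sample: a contact page showing the flaws in the list above.
SAMPLE_HTML = """<html><body>
<h1>Contact us</h1>
<form action="http://example.invalid/contact" method="post">
  <input type="text" name="name" required>
  <input type="email" name="email" required>
  <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
</body></html>"""

# Constructed sample: the same page after fixing those three items.
FIXED_HTML = """<html><body>
<h1>Contact us</h1>
<p>Encrypt mail with our <a href="/keys/newsroom.asc">PGP key</a>.</p>
<form action="/contact" method="post">
  <input type="text" name="alias" placeholder="optional">
  <textarea name="message" required></textarea>
  <input type="submit" value="Send">
</form>
</body></html>"""


if __name__ == "__main__":
    for url, html in (("http://example.invalid/contact", SAMPLE_HTML),
                      ("https://example.invalid/contact", FIXED_HTML)):
        print(url, audit_contact_page(url, html) or ["no findings"])
```

The check is deliberately static so it runs offline; against a live site the same function would be fed the fetched URL and body, and items 3 and 4 (secure drop box, contact advice) still need a human read.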

The Global Investigative Journalism Network (GIJN) maintains a great list of Digital Security resources.

Even if someone else in your organization is tasked with digital security, have a nodding acquaintance with the GIJN resources and revisit them on a regular basis.

Don’t be a passive consumer of security services.

Passive consumers of security services are also known as “victims.”

Introduction To ARM Assembly Basics [The Weakest Link?]

Filed under: ARM,Assembly,Cybersecurity,Programming — Patrick Durusau @ 10:09 am

Introduction To ARM Assembly Basics

The latest security fails by Intel and Microsoft capture media and blog headlines but ARM devices are more numerous.

ARM devices, like a Windows server in an unlocked closet, may be the weakest link in your next target.

From the webpage:

Welcome to this tutorial series on ARM assembly basics. This is the preparation for the followup tutorial series on ARM exploit development. Before we can dive into creating ARM shellcode and build ROP chains, we need to cover some ARM Assembly basics first.

The following topics will be covered step by step:

ARM Assembly Basics Tutorial Series:
Part 1: Introduction to ARM Assembly
Part 2: Data Types Registers
Part 3: ARM Instruction Set
Part 4: Memory Instructions: Loading and Storing Data
Part 5: Load and Store Multiple
Part 6: Conditional Execution and Branching
Part 7: Stack and Functions

To follow along with the examples, you will need an ARM based lab environment. If you don’t have an ARM device (like Raspberry Pi), you can set up your own lab environment in a Virtual Machine using QEMU and the Raspberry Pi distro by following this tutorial. If you are not familiar with basic debugging with GDB, you can get the basics in this tutorial. In this tutorial, the focus will be on ARM 32-bit, and the examples are compiled on an ARMv6.

Why ARM?

This tutorial is generally for people who want to learn the basics of ARM assembly. Especially for those of you who are interested in exploit writing on the ARM platform. You might have already noticed that ARM processors are everywhere around you. When I look around me, I can count far more devices that feature an ARM processor in my house than Intel processors. This includes phones, routers, and not to forget the IoT devices that seem to explode in sales these days. That said, the ARM processor has become one of the most widespread CPU cores in the world. Which brings us to the fact that like PCs, IoT devices are susceptible to improper input validation abuse such as buffer overflows. Given the widespread usage of ARM based devices and the potential for misuse, attacks on these devices have become much more common.

Yet, we have more experts specialized in x86 security research than we have for ARM, although ARM assembly language is perhaps the easiest assembly language in widespread use. So, why aren’t more people focusing on ARM? Perhaps because there are more learning resources out there covering exploitation on Intel than there are for ARM. Just think about the great tutorials on Intel x86 Exploit writing by Fuzzy Security or the Corelan Team – Guidelines like these help people interested in this specific area to get practical knowledge and the inspiration to learn beyond what is covered in those tutorials. If you are interested in x86 exploit writing, the Corelan and Fuzzysec tutorials are your perfect starting point. In this tutorial series here, we will focus on assembly basics and exploit writing on ARM.

Don’t forget to follow Azeria on Twitter, or her RSS Feed.

Enjoy!

PS: She recently posted a really cool cheatsheet: Assembly Basics Cheatsheet. I’m going to use it to lobby (myself) for a pair of 32″ monitors so I can enlarge it on one screen and have a non-scrolling display. (Suggestions on the monitors?)

November 9, 2017

Encouraging CS Careers – Six Backdoors in Less Than an Hour!

Filed under: Cybersecurity,Security — Patrick Durusau @ 2:53 pm

Farmers Insurance for inspirational CS stories? If you doubt the answer is yes, you haven’t read: “I HAD SIX BACKDOORS INTO THEIR NETWORK IN LESS THAN AN HOUR” by Jason Kersten.

From the post:

Hired hackers share real-world stories of breaking into computer systems (legally) through phishing scams and other high-tech mischief

It was a moment that would likely make any bank robber’s or computer hacker’s head spin: Joshua Crumbaugh talked his way behind the teller windows of a small bank in Maryland by posing as an IT technician working on the bank’s email system. As he installed malware designed to give him even more illegal access to the bank’s systems, he noticed the door to the vault was open. When no one was looking, he walked in. Piles of cash filled shelves, all within easy reach.

He turned around, held out his phone, and took a selfie. Later, he sent the picture to the bank’s CEO.

Fortunately, no crime had been committed. The CEO had hired Crumbaugh, a penetration tester (also known as a “pen tester”), to test the bank’s security. In his 10 years as a pen tester and CEO of PeopleSec, Crumbaugh has hacked everything from an NBA stadium to an oil rig. For the bank test, he identified the bank’s Internet Service Provider, called the bank pretending to be from the ISP’s customer service department, and set up a service appointment. “They were overly trusting,” says Crumbaugh, noting the bank’s own IT guy had also given him remote access to its systems without checking his credentials.

According to the 2016 State of Cybersecurity in Small & Medium-Sized Businesses report from the Ponemon Institute, a research center for global privacy, data and IT security issues, more than half of the 598 businesses surveyed had experienced a cyber attack in the prior year. A full half of respondents experienced data breaches involving customer and employee information. The companies surveyed spent an average of $900,000 cleaning up the mess, and many spent an additional $1 million to pay for disrupted workflow as a consequence of the security issues.

Teachers in middle or high school need only read the first story and allude to the others to have a diverse group of students clamoring to read the post.

There are boring CS careers where you squint at a lot of math, but this article highlights more exciting lifestyles for those with CS training.

Here’s an inspiration picture to go with your pitch:

More details to go with the image: Inside the Secret Vault: $70 Billion in Gold.

Warn your students about the false claim that cybersecurity benefits everyone.

Correction: Cybersecurity benefits everyone who is happy with the current distribution of rewards and stripes.

People who are not happy with it, not so much.

Tanenbaum on Intel MINIX – Discourtesy is its Own Reward

Filed under: Cybersecurity,Security — Patrick Durusau @ 11:45 am

Andrew S. Tanenbaum has posted An Open Letter to Intel on its incorporation of a modified version of MINIX into its chips.

Tanenbaum acknowledges that Intel’s conduct in this case is clearly covered by the Berkeley license of MINIX, but he has a valid point: common courtesy dictates that a personal note from Intel to Tanenbaum about the widespread deployment of MINIX would have been a nice touch.

In this case, discourtesy carried its own reward because Intel adapted an older version of MINIX to lie at the heart of its chips. A version perhaps not as robust and secure as a later version. A flaw that would have been discovered following a courteous note, which was never sent by Intel.

The mother lode of resources on earlier (and current) versions of MINIX is: http://www.minix3.org/.

How widely deployed is the Intel version of MINIX? Aditya Tiwari says:

After the release of MINIX 3, it is being developed as Microkernel OS. You can find MINIX 3 running inside every Intel-powered desktop, laptop or server launched after 2015. This surely gives it the title of the most used operating system in the world. Although, you don’t use it at all.
… (What Is MINIX? Is The World’s Most Used OS A Threat?)

I haven’t located a “chips shipped with MINIX” number so if you see one, ping me with the source.

Do be courteous, even if not required by license.

Otherwise, you may “pull an Intel” as this mistake will come to be known.

Metasploit for Machine Learning: Deep-Pwning

Filed under: Cybersecurity,Machine Learning,Security — Patrick Durusau @ 8:46 am

Metasploit for Machine Learning: Deep-Pwning

From the post:

Deep-pwning is a lightweight framework for experimenting with machine learning models with the goal of evaluating their robustness against a motivated adversary.

Note that deep-pwning in its current state is nowhere close to maturity or completion. It is meant to be experimented with, expanded upon, and extended by you. Only then can we help it truly become the go-to penetration testing toolkit for statistical machine learning models.

Metasploit for Machine Learning: Background

Researchers have found that it is surprisingly trivial to trick a machine learning model (classifier, clusterer, regressor etc.) into making objectively wrong decisions. This field of research is called Adversarial Machine Learning. It is not hyperbole to claim that any motivated attacker can bypass any machine learning system, given enough information and time. However, this issue is often overlooked when architects and engineers design and build machine learning systems. The consequences are worrying when these systems are put into use in critical scenarios, such as in the medical, transportation, financial, or security-related fields.

Hence, when one is evaluating the efficacy of applications using machine learning, their malleability in an adversarial setting should be measured alongside the system’s precision and recall.

(emphasis in original)

As motivation for a deep dive into machine learning, looming reliance on machine learning to compensate for a shortage of cybersecurity defender talent is hard to beat. (Why Machine Learning will Boost Cyber Security Defenses amid Talent Shortfall)

Reducing cybersecurity to the level of machine learning is nearly as inviting as use of an older, less secure version of MINIX by Intel. If you are going to take advantage of a Berkeley software license, at least get the best stuff. Yes?

Machine learning is of growing importance, but since classifiers can be fooled into identifying a 3-D turtle as a rifle, it hasn’t reached human levels of robustness.

Or to put that differently, when was the last time you identified a turtle as a rifle?

Turtle vs. rifle is a distinction few of us would miss in language, even without additional properties, as in a topic map. But thinking about their properties or characteristics may be a fruitful way to understand why they can be confused.

Or even planning for their confusion and communicating that plan to others.
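To make the quoted point concrete (report malleability in an adversarial setting next to precision and recall), here is an added example that is not deep-pwning’s code or the post’s: a toy logistic regression on constructed 2-D data scores perfect precision and recall, and a bounded fast-gradient-sign perturbation then shows how much of that accuracy survives. The data set, function names and the epsilon values are my own choices.

```python
import math

# Constructed toy data set: two classes in the plane, mirror images of each other,
# with two points per class sitting close to the decision boundary.
_POS = [(2.0, 2.0), (2.5, 1.5), (1.5, 2.5), (3.0, 2.0), (2.0, 3.0),
        (1.0, 1.5), (1.5, 1.0), (0.6, 0.4), (0.4, 0.6)]
DATA = [(p, 1) for p in _POS] + [((-a, -b), 0) for a, b in _POS]


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def _sign(v):
    return (v > 0) - (v < 0)


def _err(z, y):
    """dLoss/dz for the logistic loss, i.e. sigmoid(z) - y, written as -sigmoid(-z)
    for y == 1 so it never rounds to exactly 0 for confidently classified points."""
    return _sigmoid(z) if y == 0 else -_sigmoid(-z)


def _logit(model, x):
    w, b = model
    return w[0] * x[0] + w[1] * x[1] + b


def train_logistic(data, lr=0.1, epochs=500):
    """Batch gradient descent on the mean logistic loss; returns (w, b)."""
    w, b, n = [0.0, 0.0], 0.0, len(data)
    for _ in range(epochs):
        gw, gb = [0.0, 0.0], 0.0
        for x, y in data:
            e = _err(_logit((w, b), x), y)
            gw[0] += e * x[0] / n
            gw[1] += e * x[1] / n
            gb += e / n
        w = [w[0] - lr * gw[0], w[1] - lr * gw[1]]
        b -= lr * gb
    return w, b


def predict(model, x):
    return 1 if _logit(model, x) >= 0 else 0


def precision_recall(model, data):
    """The usual clean-data figures, for comparison with malleability() below."""
    tp = fp = fn = 0
    for x, y in data:
        p = predict(model, x)
        tp += int(p == 1 and y == 1)
        fp += int(p == 1 and y == 0)
        fn += int(p == 0 and y == 1)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def fgsm(model, x, y, eps):
    """Fast gradient sign method: move every coordinate by eps in the direction that
    increases the loss. For this model dLoss/dx = (sigmoid(z) - y) * w."""
    w, _ = model
    e = _err(_logit(model, x), y)
    return (x[0] + eps * _sign(e * w[0]), x[1] + eps * _sign(e * w[1]))


def malleability(model, data, eps):
    """Fraction of the data whose correct prediction an eps-bounded (L-infinity)
    perturbation flips: the adversarial-setting number to report next to
    precision and recall."""
    flipped = sum(
        1 for x, y in data
        if predict(model, x) == y and predict(model, fgsm(model, x, y, eps)) != y
    )
    return flipped / len(data)


if __name__ == "__main__":
    model = train_logistic(DATA)
    print("precision, recall:", precision_recall(model, DATA))
    for eps in (0.0, 0.75, 2.1, 3.0):
        print("eps=%.2f  flipped=%.2f" % (eps, malleability(model, DATA, eps)))
```

On this data the model is perfect on clean input, loses the two boundary points per class at eps=0.75, and is wrong on every point at eps=3.0, which is exactly the gap between precision/recall and robustness the quoted text is asking people to measure.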

November 8, 2017

Responding to Bricking to Promote Upgrading

Filed under: Cybersecurity,Security — Patrick Durusau @ 11:38 am

The chagrin of Harmony Link device (Logitech) owners over the bricking of their devices on March 16, 2018 is understandable. But isn’t the “bricking to promote upgrading” strategy described in Cimpanu’s: Logitech Will Intentionally Brick All Harmony Link Devices Next Year a dangerous one?

Dangerous because the intentional bricking will highlight:

  1. If Harmony Link devices can be remotely bricked on March 16, 2018, they can be bricked at any time prior to March 16, 2018.
  2. If Harmony Link devices can be remotely bricked, local re-installation of earlier firmware will unbrick them. (Back up your firmware today.)
  3. If all smart devices can be remotely bricked, …, you knew that but hadn’t considered it operationally. Makes you wonder which other “smart” devices by Logitech can be bricked.

I can’t second Cimpanu’s suggestion that you run to the Federal Trade Commission (FTC).

First, it would take years and several presidents for “bricking to promote upgrading” rules to be written and with loopholes that favor industry.

Second, successful enforcement of an FTC rule is akin to where Dilbert says “then their lawyers chewed my clothes off.” A long and tedious process.

Logitech’s proposed action suggests one response to this ill-advised bricking strategy.

What if other “smart” Logitech devices began bricking themselves on March 17, 2018? How would Logitech investors react? Impact management/investor relations?

March 16, 2018, Harmony Link Bricking Day (as it will be known in the future) falls on a Friday. The next business day is Monday, March 19, 2018.

Will present Logitech management survive until March 21, 2018, or be pursuing new opportunities and interests?

November 7, 2017

Built-in Keylogger – Penetration Strategy?

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:35 pm

Built-in Keylogger Found in MantisTek GK2 Keyboards—Sends Data to China by Swati Khandelwal.

From the post:

The popular 104-key Mantistek GK2 Mechanical Gaming Keyboard that costs around €49.66 has allegedly been caught silently recording everything you type on your keyboard and sending them to a server maintained by the Alibaba Group.

Serious keylogging requires more stealth than Khandelwal reports but the idea is a good one.

When renting computers or a furnished office with computers, who is going to check all the systems for keyloggers?

Or if you sponsor a “contest” where the winner gets a new keyboard?

Or upgrades at a Fortune 100 or one of the top law firms includes new keyboards?

Or computers and keyboards are donated for use in public libraries?

Phishing is easier and cheaper than a built-in keylogger for a keyboard but don’t overlook hardware approaches for particularly tough cases.

Intel MINIX – Universal Vulnerability?

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 7:03 pm

MINIX — The most popular OS in the world, thanks to Intel by Bryan Lunduke

Unlike most claims of being “widespread,” the claims about MINIX, a secret OS on Intel chips, appear to be true.

From the post:

MINIX is running on “Ring -3” (that’s “negative 3”) on its own CPU. A CPU that you, the user/owner of the machine, have no access to. The lowest “Ring” you have any real access to is “Ring 0,” which is where the kernel of your OS (the one that you actually chose to use, such as Linux) resides. Most user applications take place in “Ring 3” (without the negative).

The second thing to make my head explode: You have zero access to “Ring -3” / MINIX. But MINIX has total and complete access to the entirety of your computer. All of it. It knows all and sees all, which presents a huge security risk — especially if MINIX, on that super-secret Ring -3 CPU, is running many services and isn’t updated regularly with security patches.

For details, see Replace your exploit-ridden firmware with a Linux kernel, by Ron Minnich, et al. (Seventy-one (71) slides. File name: Replace UEFI with Linux.pdf. I grabbed a copy just in case this one goes away.)

Intel material on UEFI.

Unified Extensible Firmware Interface Forum, consortium website. For the latest versions of specifications see: http://www.uefi.org/specifications but as of today, see:

ACPI Specification Version 6.2 (Errata A)

ACPI can first be understood as an architecture-independent power management and configuration framework that forms a subsystem within the host OS. This framework establishes a hardware register set to define power states (sleep, hibernate, wake, etc). The hardware register set can accommodate operations on dedicated hardware and general purpose hardware. [page 1.] 1177

UEFI Specification Version 2.7 (Errata A)

This Unified Extensible Firmware Interface (hereafter known as UEFI) Specification describes an interface between the operating system (OS) and the platform firmware. UEFI was preceded by the Extensible Firmware Interface Specification 1.10 (EFI). As a result, some code and certain protocol names retain the EFI designation. Unless otherwise noted, EFI designations in this specification may be assumed to be part of UEFI.

The interface is in the form of data tables that contain platform-related information, and boot and runtime service calls that are available to the OS loader and the OS. Together, these provide a standard environment for booting an OS. This specification is designed as a pure interface specification. As such, the specification defines the set of interfaces and structures that platform firmware must implement. Similarly, the specification defines the set of interfaces and structures that the OS may use in booting. How either the firmware developer chooses to implement the required elements or the OS developer chooses to make use of those interfaces and structures is an implementation decision left for the developer.

Using this formal definition, a shrink-wrap OS intended to run on platforms compatible with supported processor specifications will be able to boot on a variety of system designs without further platform or OS customization. The definition will also allow for platform innovation to introduce new features and functionality that enhance platform capability without requiring new code to be written in the OS boot sequence. [page 1.] 2575

UEFI Shell Specification Version 2.2

The UEFI Shell environment provides an API, a command prompt and a rich set of commands that extend and enhance the UEFI Shell’s capability. [page 1] 258

UEFI Platform Initialization Specification Version 1.6

This specification defines the core code and services that are required for an implementation of the Pre-EFI Initialization (PEI) phase of the Platform Initialization (PI) specifications (hereafter referred to as the “PI Architecture”). This PEI core interface specification (CIS) does the following:
[vol. 1, page 1] 1627

UEFI Platform Initialization Distribution Packaging Specification Version 1.1

This specification defines the overall architecture and external interfaces that are required for distribution of UEFI/PI source and binary files. [page 1] 359

TCG EFI Platform Specification

PC Client Work Group EFI Platform Specification, Version 1.22, Revision 15

This document is about the processes that boot an Extensible Firmware Interface (EFI) platform and load an OS on that platform. Specifically, this specification contains the requirements for measuring EFI unique events into TPM PCRs and adding boot event entries into the Event Log. [page 5] 43

TCG EFI Protocol Specification

PC Client Work Group EFI Protocol Specification, Family “2.0”, Level 00, Revision 00.13

The purpose of this document is to define a standard interface to the TPM on an EFI platform. This standard interface is useful on any instantiations of an EFI platform that conforms to the EFI Specification. This EFI Protocol Specification is a pure interface specification that provides no information on “how” to construct the underlying firmware implementation. [page 9] 46

By my count, 5,585 pages from the Unified Extensible Firmware Interface Forum, consortium website alone.

Of course, then you need to integrate it with other documentation, your test results and the results of others, not to mention blogs and other sources.

Breaking this content into useful subjects would be non-trivial, but how much are universal vulnerabilities worth?

November 1, 2017

Oracle Identity Manager Sets One Black Space Password – Functional “Lazy” Hacking?

Filed under: Cybersecurity,Oracle,Security — Patrick Durusau @ 4:02 pm

Oracle Identity Manager – Default User Accounts

From the webpage:


OIMINTERNAL

This account is set to a ‘run as’ user for Message Driven Beans (MDBs) executing JMS messages. This account is created during installation and is used internally by Oracle Identity Manager.

The password of this account is set to a single space character in Oracle Identity Manager database to prevent user login through Oracle Identity Manager Design console or Oracle Identity Manager System Administration Console.

Do not change the user name or password of this account.

That’s right! Hit the space bar once and you’ve got it!

What’s more, it’s a default account!

Is this “functional hacking?” Being lazy and waiting for Oracle to hack itself?
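Why a single-space password matters in practice: many account audits only ask whether the password field is empty, and a space is not empty. The following is an added example (not code from Oracle or from the OIM documentation quoted above) that contrasts a length-only check with one that treats whitespace-only values as blank. The account records are constructed sample data; only the OIMINTERNAL single-space case mirrors what the documentation describes.

```python
"""Audit account records for passwords that are effectively blank.

Added example, not Oracle's code: shows why a single-space password slips
past a length-only check.  The account records are constructed sample data.
"""

# Constructed sample records: (account name, password as stored).
# "OIMINTERNAL" mirrors the documented single-space case; the rest are made up.
ACCOUNTS = [
    ("OIMINTERNAL", " "),
    ("svc_batch", "\t\u00a0"),          # tab plus a non-breaking space
    ("alice", "correct horse battery staple"),
    ("bob", ""),
]


def naive_is_blank(password: str) -> bool:
    """The length-only check many systems use: a single space passes it."""
    return len(password) == 0


def is_effectively_blank(password: str) -> bool:
    """True when nothing but whitespace (ASCII or Unicode) remains."""
    return password.strip() == ""


def audit(accounts):
    """Return (name, reason) for every account whose password is blank
    in substance, whether or not a length check would have noticed."""
    findings = []
    for name, pw in accounts:
        if is_effectively_blank(pw):
            reason = "empty password" if naive_is_blank(pw) else "whitespace-only password"
            findings.append((name, reason))
    return findings


def missed_by_naive_check(accounts):
    """Accounts the length-only check accepts but the whitespace-aware check flags."""
    return [name for name, pw in accounts
            if is_effectively_blank(pw) and not naive_is_blank(pw)]


if __name__ == "__main__":
    for name, reason in audit(ACCOUNTS):
        print(f"{name}: {reason}")
    print("missed by length-only check:", missed_by_naive_check(ACCOUNTS))
```

The design point for defenders: if an account must never log in interactively, that should be an explicit disabled flag or a login policy, not a sentinel credential that any length-only policy check waves through.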

Poor Phone Support = Fake Website?

Filed under: Cybersecurity — Patrick Durusau @ 9:15 am

Poor phone support is a sign of a fake website!

Lenny Zeltser in Ouch | November 2017 says:

Verify the website has a legitimate mailing address and a phone number for sale and support-related questions. If the site looks suspicious, call and speak to a human. If you can’t get a hold of someone to talk to, that is the first big sign you are dealing with a fake website. (emphasis added)

Even outside holiday shopping (the subject of Zeltser’s post), message-only support and deep phone trees merit a copy of Zeltser’s column.

October 28, 2017

The Little Black Box That Took Over Piracy (tl;dr – Read or Watch GoT?)

Filed under: Cybersecurity,Entertainment,Security — Patrick Durusau @ 7:56 pm

The Little Black Box That Took Over Piracy by Brian Barrett.

At > 2400 words, Barrett’s report on Kodi is a real time sink.

Three links instead:

  1. TV Addons
  2. AliExpress.com
  3. HOW-TO:Install Kodi for Linux

Enjoy!


At “Enjoy” 33 words versus > 2400. Comments?

Useless List of Dark Web Bargains – NRA Math/Social Science Problems

Filed under: Cybersecurity,Dark Web,Malware,Security — Patrick Durusau @ 3:00 pm

A hacker’s toolkit, shocking what you can buy on Dark Web for a few bucks by Mark Jones.

From the post:

Ransomware

  • Sophisticated license for widespread attacks $200
  • Unsophisticated license for targeted attacks $50

Spam

  • 500 SMS (Flooding) $20
  • 500 malicious email spam $400
  • 500 phone calls (Flooding) $20
  • 1 million email spam (legal) $200

What makes this listing useless? Hmmm, did you notice the lack of URLs?

With URLs, a teacher could create realistic math problems like:

How much money would Las Vegas shooting survivors and families of the deceased victims have to raise to “flood” known NRA phone numbers during normal business hours (US Eastern time zone) for thirty consecutive days? (give the total number of phone lines and their numbers as part of your answer)

or research problems (social science/technology),

Using the current NRA 504c4 report, choose a minimum of three (3) directors of the NRA and specify what tools, Internet or Dark Web, you would use to find additional information about each director, along with the information you discovered with each tool for each director.

or advanced research problems (social science/technology),

Using any tool or method, identify a minimum of five (5) contributors to the NRA that are not identified on the NRA website or in any NRA publication. The purpose of this exercise is to discover NRA members who have not been publicly listed by the NRA itself. For each contributor, describe your process, including links and results.

Including links in posts, even lists, helps readers reuse and even re-purpose content.

It’s called the World Wide Web for a reason, hyperlinks.

October 27, 2017

0-Days vs. Human Stupidity

Filed under: Cybersecurity,Security — Patrick Durusau @ 10:15 am

Kaspersky Lab released The Human Factor in IT Security last July (2017), which was summarized by Nikolay Pankov in The human factor: Can employees learn to not make mistakes?, saying in part:

  • 46% of incidents in the past year involved employees who compromised their company’s cybersecurity unintentionally or unwittingly;
  • Of the companies affected by malicious software, 53% said that infection could not have happened without the help of inattentive employees, and 36% blame social engineering, which means that someone intentionally tricked the employees;
  • Targeted attacks involving phishing and social engineering were successful in 28% of cases;
  • In 40% of cases, employees tried to conceal the incident after it happened, amplifying the damage and further compromising the security of the affected company;
  • Almost half of the respondents worry that their employees inadvertently disclose corporate information through the mobile devices they bring to the workplace.

If anything, human stupidity is a constant with little hope of improvement.

For example, the “Big Three” automobile manufacturers were founded in the 1920s, and now, almost a century later, the National Highway Traffic Safety Administration reports that in 2015 there were 6.3 million police-reported automobile accidents (an increase of 3.8% over the previous year).

Or, another type of “accident” covered by the Guttmacher Institute shows for 2011:

Not to rag on users exclusively: vulnerabilities due to mis-configuration, failure to patch, and flaws in security programs (and in programs more generally) are due to human stupidity as well.

0-Days will always capture the headlines and are a necessity against some opponents. At the same time, testing for human stupidity is certainly cheaper and often just as effective as advanced techniques.

Transparency is coming … to the USA! (Apologies to Leonard Cohen)

October 26, 2017

Democratizing CyberCrime – Messaging Apps As New Dark Web

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:36 pm

Cyber criminals use messaging apps to locate new hideouts after dark web market crackdown

Mobile messaging apps said to be the “in” place for cyber criminals, leading to these observations:


“Today’s black market is accessible more than ever, with the tap of a finger over a portable pocket-held device,” the study said. “This could prove to cause a proliferation of low-level cybercrime, that is conducted by less qualified perpetrators”.

Traditional dark web markets required would-be users to know which sites to visit and how, using a special browser, all of which required no small amount of technical sophistication.

IntSights said hackers are turning to smaller, closed networks on social media and mobile messaging apps instead of traditionally open, moderated dark web forums because such groups can be easily set up, shut down and relocated via apps.

I’m all in favor of democratization of technology but like you, I nearly choked on:

…Traditional dark web markets required would-be users to know which sites to visit and how, using a special browser, all of which required no small amount of technical sophistication….

Wow, just wow! Being able to download/install Tor and finding .onion sites is “technical sophistication?”

Messaging apps mentioned:

Discord – #1 with a bullet.

Skype – Microsoft.

Telegram

WhatsApp – Facebook.

By sacrificing an email address, you can get a copy of the dark web/mobile app report.

Test Your Qualifications To Run A Web Hidden Service

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 10:30 am

Securing a Web Hidden Service

From the post:

While browsing the darknet (Onion websites), it’s quite stunning to see the number of badly configured Hidden Services that will leak directly or indirectly the underlying clearnet IP address, thus canceling the server anonymity protection that Tor Hidden Services can offer.

Here are a few rules you should consider following before setting up an Onion-only website. This guide covers both Apache and Nginx.
… (emphasis in original)

Presented as rules to preserve .onion anonymity, these five rules are also a test of your qualifications to run a web hidden service.

If you don’t understand, or won’t follow, any of these five rules, don’t run a web hidden service.

You are likely to expose yourself and others.

Just don’t.
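As an added illustration of the kind of misconfiguration the guide above warns about (this is not the guide's code, and the checks below are my own assumptions about common clearnet leaks, not its five rules): a small static checker that reads an Nginx or Apache configuration and flags a bind on a non-loopback address, a version banner left on, and an exposed status page. The three sample configurations are constructed.

```python
"""Static check of a web-server config meant to sit behind a Tor hidden service.

Added example.  The rules encoded here are assumptions about common
clearnet-IP leaks (non-loopback bind, version banners, status pages),
not the five rules of the linked guide.  All configs below are constructed.
"""

# Binding targets that are not reachable from the network directly.
LOOPBACK = {"127.0.0.1", "localhost", "[::1]", "::1", "unix"}

# Constructed sample: an Nginx vhost that leaks in three ways.
BAD_NGINX = """
server {
    listen 0.0.0.0:80;              # reachable by clearnet IP
    server_name example.onion;
    server_tokens on;               # version banner
    location /nginx_status { stub_status on; }
}
"""

# Constructed sample: the same vhost bound to loopback only, banner off.
GOOD_NGINX = """
server {
    listen 127.0.0.1:8080;
    server_name example.onion;
    server_tokens off;
}
"""

# Constructed sample: an Apache fragment with the equivalent leaks.
BAD_APACHE = """
Listen 80
ServerTokens Full
ServerSignature On
<Location /server-status>
    SetHandler server-status
</Location>
"""


def _bind_host(addr: str) -> str:
    """Host part of a listen address; '' when only a port was given."""
    if addr.startswith("["):                 # [::1]:8080
        return addr.split("]")[0] + "]"
    if ":" in addr:                          # 127.0.0.1:8080 or unix:/path
        return addr.rsplit(":", 1)[0]
    return "" if addr.isdigit() else addr    # bare port or bare host


def check_web_config(text: str) -> list:
    """Return a list of human-readable findings for the given config text."""
    findings = []
    tokens_set = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        args = [p.lower() for p in parts[1:]]
        if directive == "listen" and args:
            if _bind_host(args[0]) not in LOOPBACK:
                findings.append(f"listen {args[0]}: binds a non-loopback address")
        elif directive == "server_tokens":              # Nginx
            tokens_set = True
            if args != ["off"]:
                findings.append("server_tokens is not off: version banner leaks")
        elif directive == "servertokens":               # Apache
            tokens_set = True
            if args != ["prod"]:
                findings.append("ServerTokens is not Prod: version banner leaks")
        elif directive == "serversignature" and args == ["on"]:
            findings.append("ServerSignature On: error pages reveal server details")
        elif directive == "stub_status" or (
            directive in ("location", "<location") and any("status" in a for a in args)
        ):
            findings.append(f"status page exposed: {line}")
    if not tokens_set:
        findings.append("no server_tokens/ServerTokens directive: default banner leaks")
    return findings


if __name__ == "__main__":
    for label, cfg in (("bad nginx", BAD_NGINX), ("good nginx", GOOD_NGINX), ("bad apache", BAD_APACHE)):
        print(label, check_web_config(cfg) or "no findings")
```

A checker like this only catches what is written in the config; a server that is also reachable by its clearnet IP through a second vhost, a firewall hole, or an application that echoes its own hostname will still leak, so treat a clean result as necessary, not sufficient.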

October 25, 2017

Proton Sets A High Bar For Malware

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 9:14 pm

Malware hidden in vid app is so nasty, victims should wipe their Macs by Iain Thomson

Proton was distributed by legitimate servers and is so severe that only a clean install will rid your system of the malware.

From the post:


Proton is a remote-control trojan designed specifically for Mac systems. It opens a backdoor granting root-level command-line access to commandeer the computer, and can steal passwords, encryption and VPN keys, and crypto-currencies from infected systems. It can gain access to a victim’s iCloud account, even if two-factor authentication is used, and went on sale in March with a $50,000 price tag.

Impressive!

Imagine a Windows trojan that requires a clean system install to disinfect your system.

Well, “disinfecting” a Windows system is a relative term.

If you are running Windows 10, you have already granted root access to Microsoft plus whoever they trust to your system.

Perhaps “disinfect within the terms and limitations of your EULA with Microsoft” is the better way to put it.

A bit verbose don’t you think?

October 24, 2017

Targeting Government Websites

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 8:05 pm

With only 379 days until congressional mid-terms, you should not waste time hardening or attacking seldom-used or obscure government webpages.

If that sounds like a difficult question, then you don’t know about analytics.usa.gov!

This data provides a window into how people are interacting with the government online. The data comes from a unified Google Analytics account for U.S. federal government agencies known as the Digital Analytics Program. This program helps government agencies understand how people find, access, and use government services online. The program does not track individuals, and anonymizes the IP addresses of visitors.

Not every government website is represented in this data. Currently, the Digital Analytics Program collects web traffic from around 400 executive branch government domains, across about 4500 total websites, including every cabinet department. We continue to pursue and add more sites frequently; to add your site, email the Digital Analytics Program.

This open source project is in the public domain, which means that this website and its data are free for you to use without restriction. You can find the code for this website and the code behind the data collection on GitHub.

We plan to expand the data made available here. If you have any suggestions, or spot any issues or bugs, please open an issue on GitHub or contact the Digital Analytics Program.

Download the data

You can download the data here. Available in JSON and CSV format.

Whether you imagine yourself carrying out or defending against a Putin/FSB/KGB five-year cyberattack plan, analytics.usa.gov can bring some grounding to your defense/attack plans.

Sorry, but government web data won’t help with your delusions about Putin. For assistance in maintaining those, check with the Democratic National Committee and/or the New York Times.
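One concrete use of the analytics.usa.gov export for the prioritisation argued above: rank domains by traffic and find the smallest set that carries most of the visits, which is where hardening effort pays off first. This is an added example, not code from the Digital Analytics Program project; the column names ("domain", "visits") and the rows are a constructed stand-in for the CSV download, so check the real file's header before pointing the loader at it.

```python
"""Rank sites in a DAP-style traffic export to prioritise hardening effort.

Added example, not code from the analytics.usa.gov project.  The column
names and the rows are constructed stand-ins for the real CSV export.
"""
import csv
import io

# Constructed sample export; not real analytics.usa.gov figures.
SAMPLE_CSV = """domain,visits
irs.gov,500000
usps.com,300000
nasa.gov,150000
obscure.example.gov,30000
tiny.example.gov,20000
"""


def load_visits(text: str) -> dict:
    """Parse a CSV with 'domain' and 'visits' columns, summing repeated domains."""
    totals = {}
    for row in csv.DictReader(io.StringIO(text)):
        totals[row["domain"]] = totals.get(row["domain"], 0) + int(row["visits"])
    return totals


def top_domains(totals: dict, share_pct: int = 80) -> list:
    """Busiest domains, in order, until they carry at least share_pct of all visits.

    Percent is kept as an integer so the comparison stays exact.
    """
    grand = sum(totals.values())
    chosen, running = [], 0
    for domain, visits in sorted(totals.items(), key=lambda kv: kv[1], reverse=True):
        chosen.append(domain)
        running += visits
        if running * 100 >= share_pct * grand:
            break
    return chosen


if __name__ == "__main__":
    totals = load_visits(SAMPLE_CSV)
    print("80% of traffic:", top_domains(totals, 80))
    print("90% of traffic:", top_domains(totals, 90))
```

Traffic share is one input to prioritisation, not the only one: a rarely visited site that handles sensitive submissions may deserve attention ahead of a busy brochure site.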

October 22, 2017

Router Games While Waiting in Congressional Rep’s Parking Lot

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 8:00 pm

With the US congressional mid-term election only 381 days away (2018-11-06), I can only imagine the boredom from sitting in your representative’s branch office parking lot.

Watching for your representative and his/her visitors is a thankless task. The public always being interested in such details.

One amusing and potentially skill building exercise is described in Man-in-the-middle Router.

From the post:

Turn any linux computer into a public Wi-Fi network that silently mitms all http traffic. Runs inside a Docker container using hostapd, dnsmasq, and mitmproxy to create an open honeypot wireless network named “Public”. For added fun, change the network name to “xfinitywifi” to autoconnect anyone who has ever connected to those networks… they are everywhere.

The suggestion of using popular network names, which you can discover by cruising about with your Linux laptop, seems especially interesting.

Brush up on your cyberskills!

2018 is brimming with promise!
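From the other side of the parking lot: the honeypot described above works because devices auto-join familiar open SSIDs. As an added example (not part of the Man-in-the-middle Router project), here is a scan-result triage that flags the two signatures such a network leaves, an open AP broadcasting a widely auto-joined name, and an open twin of a network that is otherwise encrypted. The scan records, the watch list of SSIDs and the heuristics are my own constructed assumptions.

```python
"""Flag access points in a Wi-Fi scan that look like open honeypots.

Added example, not from the Man-in-the-middle Router project.  Scan records
are constructed; the watch list and the evil-twin heuristic are assumptions.
"""
from collections import defaultdict

# Constructed scan results: (ssid, bssid, security).  Not real captures.
SCAN = [
    ("CorpWifi",    "aa:bb:cc:00:00:01", "WPA2"),
    ("CorpWifi",    "aa:bb:cc:00:00:02", "WPA2"),
    ("CorpWifi",    "de:ad:be:ef:00:01", "OPEN"),   # same name, no encryption
    ("xfinitywifi", "de:ad:be:ef:00:02", "OPEN"),   # name from the post above
    ("Public",      "de:ad:be:ef:00:03", "OPEN"),   # name from the post above
    ("HomeNet",     "11:22:33:44:55:66", "WPA3"),
]

# Assumed watch list: open network names that many devices auto-join.
AUTO_JOIN_SSIDS = {"xfinitywifi", "public", "attwifi", "free wifi"}


def find_suspicious_aps(scan):
    """Return (ssid, bssid, reason) for each AP matching a honeypot signature."""
    by_ssid = defaultdict(list)
    for ssid, bssid, sec in scan:
        by_ssid[ssid].append((bssid, sec.upper()))

    findings = []
    for ssid, aps in by_ssid.items():
        encrypted_seen = any(sec != "OPEN" for _, sec in aps)
        for bssid, sec in aps:
            if sec != "OPEN":
                continue
            if ssid.lower() in AUTO_JOIN_SSIDS:
                findings.append((ssid, bssid, "open AP with widely auto-joined name"))
            elif encrypted_seen:
                findings.append((ssid, bssid, "open twin of an encrypted network"))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reason in find_suspicious_aps(SCAN):
        print(f"{ssid:12} {bssid}  {reason}")
```

Both signatures are heuristics: legitimate carrier hotspots really do broadcast names like xfinitywifi, so a hit means "verify before joining" rather than "attack in progress". The cheaper mitigation is on the client: remove saved open-network profiles so the device has nothing to auto-join.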

October 20, 2017

Not Zero-Day But Effective Hacking

Filed under: Cybersecurity,Security — Patrick Durusau @ 12:43 pm

Catalin Cimpanu reminds us in Student Expelled for Using Hardware Keylogger to Hack School, Change Grades not every effective hacking attack uses a zero-day vulnerability.

Zero-days get most of the press, ‘Zero Days’ Documentary Exposes A Looming Threat Of The Digital Age, but capturing the keystrokes on a computer keyboard can be just as effective for stealing logins/passwords and other data.

Cimpanu suggests that hardware keyloggers can be had on Amazon or eBay for as little as $20.

I’m not sure when he looked but a search today shows the cheapest price on Amazon is $52.59 and on eBay $29.79. Check for current pricing.

I haven’t used it but the Keyllama 4MB USB Value Keylogger has an attractive form factor (1.6″) at $55.50.

USB keyloggers (there are software keyloggers) require physical access for installation and retrieval.

You can attempt to play your favorite spy character or you can identify the cleaning service used by your target. Turnover in the cleaning business runs from 75 percent to 400 percent so finding or inserting a confederate is only a matter of time.

USB keyloggers aren’t necessary at the NSA as logins/passwords are available for the asking. (Snowden)

October 17, 2017

Tor Keeps You Off #KRACK

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 12:44 pm

You have seen the scrambling to address KRACK (Key Reinstallation Attack), a weakness in the WPA2 protocol. Serious flaw in WPA2 protocol lets attackers intercept passwords and much more by Dan Goodin, Falling through the KRACKs by John Green, are two highly informative and amusing posts out of literally dozens on KRACK.

I won’t repeat their analysis here but wanted to point out Tor users are immune from KRACK, unpatched, etc.

A teaching moment to educate users about Tor!

October 12, 2017

Fact-Free Reporting on Kaspersky Lab – Stealing NSA Software Tip

Filed under: Cybersecurity,Journalism,News,Reporting,Security — Patrick Durusau @ 4:36 pm

I tweeted:

@thegrugq Israelis they hacked Kaspersky, saw Russians there, tell NSA, lots of he, they, we say, few facts.

[T]he grugq‏ @thegrugq responded with the best question on the Kaspersky story:

What would count as a fact here? Kaspersky publicised the hack when it happened. Does that count as a fact?

What counts as a fact is central to my claim that thus far, all we have seen is fact-free reporting on the alleged use of Kaspersky Lab software to obtain NSA tools.

Opinions are reported, but not facts you could give to an expert like Bruce Schneier and ask for an opinion.

What would I think of as “facts” in this case?

What did Israeli intelligence allegedly see when it hacked into Kaspersky Lab?

Not some of the data, not part of the data, but a record of all the data seen upon which they then concluded the Russians were using it to search for NSA software.

To the automatic objection this was a “secret intelligence operation,” let me point out that without that evidence, the NSA and anyone else further down the chain of distribution of the Israeli opinion, were being manipulated by that opinion in the absence of facts.

Just as the NSA wants to foist its opinion on the public, through unnamed sources, without any evidence for the public to form its own opinion based on facts.

The prevention of contrary opinions or avoiding questioning of an opinion, can only be achieved by blocking access to the alleged evidence that “supports” the opinion.

Without any “facts” to speak of, the Department of Homeland Security, is attempting to govern all federal agencies and their use of Kaspersky security software.

Stating the converse, how do you dispute claims made by unnamed sources that say the Israelis saw the Russians using Kaspersky Lab software to look for NSA software?

The obvious answer is that you can’t. There are no facts to check, no data to examine, and that, in my opinion, is intentional.

PS: If you want to steal NSA software, history says the easiest route is to become an NSA contractor. Much simpler than hacking anti-virus software, then using it to identify likely computers, then hacking identified computers. Plus, you get paid vacation every year until you are caught. Who can argue with that?
