thewayne: (Default)
A proof of concept of this was revealed some months ago when a Burger King TV commercial said "Siri, tell me about the Whopper". Maybe it was Hey Google, I don't remember. Anyway, it was rapidly blocked, then BK came out with another commercial and they had a little war back and forth. And BBC apparently tries it with "Hey Siri, remind me to watch Doctor Who on BBC America." I was particularly amused at "Hey Siri, remind me to watch Broadchurch on BBC America" during the final episode of the series. I burst out laughing when that ad aired and had to explain it to the spousal unit. And as Sam Clemens said, or is alleged to have said, 'Analyzing humor is like dissecting a frog: you can do it, but the frog isn't good for much afterwards.'

Well, the Chinese have found another way: pitch the audio above the range of human hearing. The microphones can still catch it, and the command works. Now, I don't have voice-activated Siri on my iPhone, I have to hold down the button because I find that, for me, for the most part Siri is garbage. I don't think it's my enunciation, but maybe it is.

Makes me wonder if they'll put in a filter to cap mic input to 18-20 kHz or so to prevent this sort of abuse.

I read about this last week, perhaps on the day that I went down to help out that medical practice with their ransomware attack. The clinic was handling their last patients of the day, and the office manager was running the front desk, and was using his iPhone with Siri voice commands. He looked a little shocked when I told him about this attack.

Here's the Slashdot summary:

Chinese researchers have discovered a vulnerability in voice assistants from Apple, Google, Amazon, Microsoft, Samsung, and Huawei. It affects every iPhone and Macbook running Siri, any Galaxy phone, any PC running Windows 10, and even Amazon's Alexa assistant. From a report:

Using a technique called the DolphinAttack, a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear. The researchers didn't just activate basic commands like "Hey Siri" or "Okay Google," though. They could also tell an iPhone to "call 1234567890" or tell an iPad to FaceTime the number. They could force a Macbook or a Nexus 7 to open a malicious website. They could order an Amazon Echo to "open the backdoor." Even an Audi Q3 could have its navigation system redirected to a new location. "Inaudible voice commands question the common design assumption that adversaries may at most try to manipulate a [voice assistant] vocally and can be detected by an alert user," the research team writes in a paper just accepted to the ACM Conference on Computer and Communications Security.
thewayne: (Default)
Wednesday night I got an email from a friend whom I used to work with. She'd gone to a doctor that afternoon and their office was in a kind of chaos: the office had been hit by at least two different kinds of ransomware attacks. She wanted to know if I could help.

That night I did some research on the particular attacks, found out they were variants of the same core and both were based on exploiting weak Windows RDP (Remote Desktop Protocol) passwords. RDP is a back door to a server that techs use for management. It should NEVER be left open! There are other, more secure, ways to manage servers. If it must be left open, then it should have a VERY secure, i.e. LONG and complicated, password on it.

Obviously it did not.

A friend of the doctor's is their main IT guy, but he's not local, and he's decent but not top drawer. This problem apparently was discovered before Wednesday, and their guy (let's call him Bob) was making a new server for them with the latest version of Windows Server and SQL Server. The software that their clinic uses is mainly based in SQL Server, and here's the really suckie part: it was running Windows Server 2008 R2 and SQL Server 2008. And plugged straight in to a router to the internet. No hardware firewall, vendor-provided router.


I didn't bother checking to see the patch level on their Windows Server 2008, it was kind of pointless. I did note that their SQL Server 2008 was well below the final patches that were released for it, not that it mattered as all of its databases had been encrypted.

The new router, though consumer grade, is fully patched. The new server is fully patched. A new Cisco firewall is on order. That's the best that we can do right now.

I was there Thursday from 11am to 8pm, then worked at home from 10pm to midnight copying, compressing (7zip), and uploading a big analytics file to a forensics company who sent us a utility to try and figure out what happened. Friday I only put in five hours, finishing up an inventory of all of the computers (which they didn't have) to figure out what should be tossed and what could be upgraded to get them all up to Windows 10 Pro and writing up some reports.

One woman complained to us that her computer was really slow. And it was. It was absolutely horribly slow! I was afraid that it had something nasty running under the covers, then I opened up Control Panel and did some poking around and found that it was a Pentium 4 with 2 gig of memory running Windows 10. The Performance Index, Satisfaction Index, whatever index, was 1.0. So we ordered her a new computer.

I always had a three-step plan when it came to buying computers to make them last longer and save money. When a new OS came out and the original started slowing down: add memory. That usually sped things up. Next OS comes out: install a better video card. Next OS comes out: buy a new computer. All of their computers are running at least 4 gig of memory, odds are they're all running a motherboard-based video card. I'm hoping we might be able to do memory upgrades and install some video cards and upgrade some of these for about $100-150 instead of tossing them. We shall see. I'll do some more inventory work next week now that we have a better idea as to what's out there.

This weekend I'm writing up a report more detailed than the single page invoice that just had bullet points as to what I did, I'm also burning a DVD with bootable malware/virus inspection software that'll look deeper in to the OS than something like Symantec can do, and since you're booting from read-only media, it'll look for boot kits that are otherwise invisible. I'll get to inspect all of the workstations! That'll make everyone oh so very happy to have their computer denied to them for however long it takes.

The tragic thing is that their backups weren't running properly because they had a terrible internet connection that couldn't handle the transfer. The software did a nightly backup to their vendor, but it had been failing. And they weren't doing anything locally, so they didn't really have a fall-back point to recover from. Their practice software vendor was able to restore from an earlier backup, but I don't know how successful that was in terms of how old and was there any corruption in it. I'll be finding that out Monday. This gets their patient information back, which is critical. And their insurance information is also processed online, so that should be safe. But anything stored locally may be lost.

And the horrible thing about that is the way the database is configured! I'm a database guy, I've been working with SQL Server for 25 years, since the first Microsoft version came out running on Lan Man/OS2. And the vendor has a VERY bad configuration. And I won't improve it unless they say it's OK. We're going to set up local backups, I've stressed upon the office manager the importance of rotating backup media and having a fire-proof safe in-house for storing said media. So eventually they'll be in a much better place.

The big question is whether or not they have to notify all their patients. I don't think this represents a HIPAA information spill. These ransomware encryptions are fully automated attacks by bots, I've never heard of data being exfiltrated and used for further extortion, that's a much more targeted attack. I'm going to have to tell the doctor who owns the practice to talk to his attorney and discuss this point because that's far outside of my ability to give him a recommendation.
thewayne: (Cyranose)
This is interesting, and I hadn't considered it. I would have thought that, while I am typing this email, that nothing gets sent across my WiFi connection until I hit Send. But obviously email programs, if they're web-based, save draft copies. In the case of email, I think it would be negated by using a PC-based email client, but I'm not certain about that as email server internals are terra incognita for me.

Obviously a Cat 5 cable from your computer to your internet router should defeat this, but how many people do that on a regular basis? We use laptops because of their convenience, my laptop isn't wired because the router is in the living room and my desktop is in the far corner of the kitchen. I could get a router to allow me to hard-cable, then a second router to connect to my main router, and set up a wireless bridge between them, but that seems like a lot of work (and expensive) to try to thwart an attack that is unlikely to be used against me.

There has been tech to sniff the signal from wireless keyboards and mice forever, very few such devices encrypt the signal. I've heard Apple does, but I haven't seen independent information on that. And there's tech to allow sniffing your screen display, though it has limited range. Add them all together and you can get a heck of a read as to what some people do online.

From Bruce Schneier's blog:
Keystroke Recognition from Wi-Fi Distortion

This is interesting research: "Keystroke Recognition Using WiFi Signals." Basically, the user's hand positions as they type distorts the Wi-Fi signal in predictable ways.

Abstract: Keystroke privacy is critical for ensuring the security of computer systems and the privacy of human users as what being typed could be passwords or privacy sensitive information. In this paper, we show for the first time that WiFi signals can also be exploited to recognize keystrokes. The intuition is that while typing a certain key, the hands and fingers of a user move in a unique formation and direction and thus generate a unique pattern in the time-series of Channel State Information (CSI) values, which we call CSI-waveform for that key. In this paper, we propose a WiFi signal based keystroke recognition system called WiKey. WiKey consists of two Commercial Off-The-Shelf (COTS) WiFi devices, a sender (such as a router) and a receiver (such as a laptop). The sender continuously emits signals and the receiver continuously receives signals. When a human subject types on a keyboard, WiKey recognizes the typed keys based on how the CSI values at the WiFi signal receiver end. We implemented the WiKey system using a TP-Link TL-WR1043ND WiFi router and a Lenovo X200 laptop. WiKey achieves more than 97.5% detection rate for detecting the keystroke and 96.4% recognition accuracy for classifying single keys. In real-world experiments, WiKey can recognize keystrokes in a continuously typed sentence with an accuracy of 93.5%.
thewayne: (Cyranose)
First, Apple. An exploit was found and weaponized that can root an iPhone or, apparently, also an iPad. You need to update your devices RIGHT NOW if you're running iOS 9. It will update your devices to 9.3.5. It's a small patch, less than 40 meg, so a fairly quick and painless update.

Windows 10 also has a big problem that is currently not patched, so it requires a registry edit to close the hole.

To update the registry, do the following steps:
1. Click the Start button, and in the search field, type in "regedit", then select "regedit.exe" from the list of results
2. Navigate through the tree to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"
3. Once you have the "Wpad" folder selected, right click in the right pane, and click on "New -> DWORD (32-Bit Value)"
4. Name this new value "WpadOverride"
5. Double click the new "WpadOverride" value to edit it
6. In the "Value data" field, replace the "0" with a "1", then click "OK"
7. Reboot the computer

Obviously this is not a trivial thing to do and messing with the wrong keys and values can brick your computer. I'm not sure if this is also a problem in earlier editions of Windows, so you should do a bit of research before doing something like this. It's already been fixed in most Linux distributions and also in MacOS.
thewayne: (Cyranose)
Mac users are familiar with Spotlight. Most users might be familiar with web bugs, they're an invisible 1 pixel square graphic in an email that loads from a server that identifies you as a user and your ISP's IP address when you open an email (that's how you get email messages pleading 'Please don't go away!' from companies). In a nutshell, apparently there's a weakness that can be exploited to let someone search all of your Apple Mail emails remotely.

Solution? Two come to mind. First, go in to Preferences/Spotlight and turn off the ability for Spotlight to search your mail. Second, don't use Apple Mail. And it's always a good idea to have a firewall between you and the internet, but that's not an easy proposition to manage.

Google translation from the German site
thewayne: (Cyranose)
This is more of a problem for Internet Explorer 6 users and sadly there are still some of them out there. This is a client attack, not a server attack. This exploits an SSL v3 connection and can happen if you're on a public WiFi network. Recent versions of Windows, i.e. 7 and 8 and probably Vista should be fine.
thewayne: (Cyranose)
Snapchat is a picture message service with a difference: once viewed, the message is deleted, never to be seen again. Great for teens to sext each other, right? Wrong. Someone wanted persistence and set up a server to archive these pix. And that server got compromised. So now there are a huge number of what amounts to kiddie porn floating around the interwebs since the biggest demographic of Snapchat users are from the ages of 13 and 17.

Google Translation of original German site:

You might have to dig down for the link to The Snappening, the Google URL seems to be linking to the top of the site.
thewayne: (Cyranose)
A couple of months ago I posted that security researchers had found a valid exploit to alter the microcontrollers on USB devices, making an attack vector that's almost impossible to detect or fix.

It's now in the wild, and criminals are experimenting to see what they can do with it.

A microcontroller is sort of a super-small computer, and the vulnerability is the discovery that it can be reprogrammed. It's almost impossible to detect because of the different levels that computer programs and operating systems work at, they're running so far above the hardware that some things just aren't easily seen. So this is almost invisible. In the early days of MS-DOS, you were running pretty much directly on top of the hardware, which had its pluses and minuses, but when Microsoft started abstracting the operating system from the hardware to make it easier to run on variations in hardware, you now had programs talking to the operating system which talk to device drivers to access the hardware. This abstraction is really good from a system administrator standpoint, but it makes things like this really hard to detect.

Here's the most insidious part: a lot of the really nasty malware out there these days belong to Command & Control (C&C) networks and can change. The guy who controls the system can tell it 'Go update yourself' and push a new module out to make the malware capable of infecting any USB device plugged in to it. And since pretty much all personal computing hardware is either Intel architecture or compatible with it, they might be able to push malware that is platform-agnostic and can infect anything.

It might be unpatchable period. It might be that one manufacturer's cannot be, or even one particular series might or might not be fixable. It's not terribly easy to find out who made the controller on your USB device, much less fix it. One source said it could take a decade to resolve this.

Oh, and credit card readers? Those are USB devices usually.
thewayne: (Cyranose)
This is a little complicated. In Unix and Linux systems, there is an underlying interface called The Shell. Some systems use Bash, the Bourne-Again Shell, others use slightly different ones, some Linux systems can have multiple shells installed at the same time for the convenience of programmers and administrators. The shell is comparable to a command line prompt on Windows or the Terminal interface on a Mac. In fact, I just noticed that my Mac runs Bash in its terminal window, there's no word yet as to whether or not Macs are affected. There's also a big question about what to do with Linux-based internet devices such as SANs or security DVRs or stuff like that, those are notorious in sometimes being difficult to update.

Well, it has a bug. And it has the potential to be as big or bigger than the Heartworm SSL problem. The only good thing about it is that it is easy to patch, one large provider said they'd patched 95% of their servers in about ten minutes.
thewayne: (Cyranose)
The Blackhat security conference is coming up very soon, and with it, advanced information about all sorts of wonderful problems. In this case, two new ways to compromise smartphones.

First up, a report on a tool that's built in to all smartphones: Androids, Blackberrys, iPhones sold by Sprint. They haven't tested Windows phones yet. It's a management tool that allows the cell providers to update firmware in the phone through over the air updates, and the security implementation isn't very good.

Granted, this is a team of advanced security researchers, but they were able to get in and totally pwn the phones they were working with. They've notified the maker of the management tool and the cell companies, so a fix should be distributed over the next few months that will make this more secure. Also, no evidence of this being exploited in the wild.

Next up, an iPhone, if connected to a compromised Windows PC, can potentially be turned in to a botnet! This is interesting stuff as it has falsely been assumed that Apple had pretty tight security on its iPhones, which is broadly true, but they're also kinda slow pushing updates. I assume that the exploit would also be effective against iPads that also have cellular radios built-in.
thewayne: (Cyranose)
Yes, USB devices can carry malware, we all know that. This is new and different. Basically, it is not difficult to hack the hardware that controls the USB device, be it memory stick, external hard drive, or possibly smart phone or tablet. Malware injected in to the controller is pretty much undetectable, and if it can't be detected, it can't be removed.

I haven't seen reports of this problem being found in the wild, but if security researchers have found it and exploited it, there's no reason to think that bad actors such as criminals or government agencies haven't done it.

Solution? There isn't one at this time, it's too low-level of a problem like malware in hypervisors, all but impossible to detect. The best posited solution would be to apply checksums against all USB firmware, which would entail replacing all USB devices. At least you'd know if a device had been altered and was therefore untrustworthy, the question at that point would be whether the device could be remediated or should be destroyed.
thewayne: (Cyranose)
The German security site,, published a report of a compromised cell phone being able to see the reflection of your entering your unlock codes and passwords FROM YOUR GLASSES. They also say that the back camera, being higher resolution, can actually read fingerprints, which will be a big threat for biometric security.

(translated via Google from German)

The easy solution, if you're not in to taking selfies, would be to cover the front camera with tape. The case that I use covers the back camera unless I'm specifically taking photos, which is a rare thing, so that's useless if my phone were compromised.

There was a Mythbusters episode a few years ago where they were testing hi-tech security systems, including fingerprint readers. They lifted a fingerprint from a glass, using laser printer black toner to make the print visible. They scanned it, printed it on a hi-res laser, copied it on to a melted gummy bear fake finger, and it was rejected by the scanner. So they printed it again greatly enlarged, perhaps to an 8x10", then fixed disconnected lines with a black Sharpie pen. Scanned it again, reduced the size, repeated printing it, and it worked. It was amazing to see.

What was also cool was they got past an ultrasonic sensor, it might also have been infrared, I don't remember, by carrying a huge piece of shag carpeting in front of them. It absorbed the ultrasonics so they didn't reflect back, and they made it past that stage.

The new iPhone 5 fingerprint scanner is a different beast: it doesn't just read your fingerprint, it reads the capillary pattern beneath your skin. So it shouldn't be fooled by the Mythbusters trick. And I understand the newer generation of fingerprint scanners require a 98f heat source behind them, so you can't chop off someone's finger to get in. So the Mythbusters trick will hopefully have a short life.
thewayne: (Cyranose)
There's a concept called a man in the middle attack, you can think of it as someone listening in on your phone call so they hear both sides of the conversation. In the way the internet works, it's doable, but not as easily. Well, this bug makes it kind of easy.

If you're able to position yourself between two computers that are both using certain versions of OpenSSL for encryption and privacy, then the middle man has the ability to intercept the encrypted packets when they're trying to establish the secure session and tell both hosts, silently, to switch to a weaker form of crypto. A form that presumably the middle man knows how to break.

So if you updated your OpenSSL software for Heartbleed, now you get to update it again.

OpenSSL is used a lot, but is not universal on the internet. One place where it is used heavily: Android smartphones and presumably tablets.
thewayne: (Cyranose)
VMWare servers, Nest thermostats, lots of home routers and firewalls, MyCloud servers, HP printers, videoconferencing systems, etc.

One positive thing in this article is that not all implementations of OpenSSL are vulnerable: older implementations are not vulnerable, and in the version that has the bug, that segment of code is apparently not mandatory and is not always implemented.
thewayne: (Cyranose)
Initially it was suspected that Heartbleed was only an attack on servers, it turns out that this is not the case. Heartbleed is an exploit of some bad code in a package called OpenSSL, which is normally run on servers and Linux machines. If a machine is running the compromised version of OpenSSL AND has been hacked so that it can be controlled remotely by ne'er-do-wells, then it is possible for them to do a reverse-Heartbleed attack against personal computers, tablets, smartphones, etc.

As an example, Facebook and Yahoo Mail look up URLs to grab a partial screen capture to link with your message. If you control the remote URL being looked up, it's possible to leverage an attack.

Meanwhile, a Canadian teen has been arrested by the RCMP for exploiting Heartbleed against the Canadian revenue service. As a result of his attack, the Canadians stopped accepting online tax return submission and extended the deadline.

The shutdown of online returns:

And it appears that the NSA has known about the exploit and been using it for their own ends.
thewayne: (Cyranose)
Here's an excellent XKCD comic showing how it works. The basic concept is known as an unchecked parameter where the requester (hacker) asks the server a question and tells it to return 64,000 characters of information. Said information is a random memory location but can contain quite valuable data, including crypto keys, and that's the reason why all of the certificate authorities are slammed and scrambling like mad to re-issue new encryption certificates.

I'll write more about this later after I've had time to research it better. The one thing is that this seems to be a server problem, I don't know how this affects personal computers. I do know that the observatory that my wife works at had at least three vulnerable servers. People are saying "Change all your passwords NOW!", but I'm not sure if that's the way to go. If you change your passwords now, and the server has not yet been updated, it's still vulnerable. I think it would be better to wait until a given web site says 'change your password' as that should be a solid sign that they've taken steps to remediate their servers.
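The unchecked length parameter described above, as an added example that is not part of the original post and is not OpenSSL's code: a simplified echo handler that trusts the requester's claimed length, next to one that compares it with what actually arrived. The record layout, the names and the `SECRET` string are constructed for illustration, and the "memory" is one small array so the over-read stays inside it.

```c
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64
#define HDR_LEN    3   /* 1 byte type + 2 byte big-endian claimed payload length */

/* Constructed stand-in for whatever else lives in server memory. */
static const char SECRET[] = "constructed-private-key";

/* Simulated memory: the received record, then unrelated data right behind it.
   Returns the number of bytes that really arrived (header + real payload). */
size_t build_arena(unsigned char *arena, const char *payload, unsigned claimed_len)
{
    size_t real = strlen(payload);
    memset(arena, 0, ARENA_SIZE);
    arena[0] = 1;                                   /* request type */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HDR_LEN, payload, real);
    memcpy(arena + HDR_LEN + real, SECRET, sizeof SECRET - 1);
    return HDR_LEN + real;
}

/* Bug class: the copy length comes from the requester, not from the record.
   Returns bytes echoed, or -1 if the request is rejected. */
int echo_vulnerable(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < HDR_LEN) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap) return -1;        /* the write is bounded ...        */
    memcpy(out, rec + HDR_LEN, claimed);     /* ... the read past rec_len is not */
    return (int)claimed;
}

/* Hardened form: discard any request that claims more than was received. */
int echo_fixed(const unsigned char *rec, size_t rec_len,
               unsigned char *out, size_t out_cap)
{
    if (rec_len < HDR_LEN) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HDR_LEN + claimed > rec_len) return -1;   /* the missing check */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HDR_LEN, claimed);
    return (int)claimed;
}

/* 1 if needle occurs in the first n bytes of buf, else 0. */
int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Sends the 4-byte payload "bird" with the given claimed length.
   Returns 1 if the reply leaks SECRET, 0 if it does not, -1 if discarded. */
int run_case(unsigned claimed_len, int use_fixed)
{
    unsigned char arena[ARENA_SIZE];
    /* Reply capacity is sized so even the vulnerable read stays in the arena. */
    unsigned char reply[ARENA_SIZE - HDR_LEN];
    size_t rec_len = build_arena(arena, "bird", claimed_len);
    int n = use_fixed ? echo_fixed(arena, rec_len, reply, sizeof reply)
                      : echo_vulnerable(arena, rec_len, reply, sizeof reply);
    if (n < 0) return -1;
    return contains(reply, (size_t)n, SECRET);
}

int main(void)
{
    printf("honest length 4,  vulnerable: %d\n", run_case(4, 0));
    printf("honest length 4,  fixed:      %d\n", run_case(4, 1));
    printf("claimed length 40, vulnerable: %d\n", run_case(40, 0));
    printf("claimed length 40, fixed:      %d\n", run_case(40, 1));
    return 0;
}
```

Both handlers answer an honest request identically; only the oversized claim separates them, which is why the flaw was invisible in normal traffic.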

thewayne: (Default)
Scientists have been working on ways to hack car security systems. Increasingly, lots of things in new cars tie in to a central bus: engine control unit, anti-lock brakes, air bags, transmission, door locks. And the car stereo. The scientists have found a way to create a specially-crafted MP3 which, if played on certain models, lets them take control of the car, potentially by Bluetooth or the car's cellular system.

Older cars without centralized buses would be immune, as would installing your own stereo. The sad thing is that car makers do not seem to be doing much to create a reasonably secure system, you'd think they'd learn with the news of all the systems being exploited out in the world.

(Speaking of which, my favorite recent hack is HB Gary Federal going against Anonymous: they totally pwnd their CEO, up to and including remote-wiping the guy's iPad!)
thewayne: (You're a Dick)
Let's say you use your laptop to access the internet at Starbuck's, though why you'd pay to use their service I don't know. The SSID (name) of all of their access points are called T-Mobile after their provider. Your laptop remembers the SSID, and the next time you start it up, it tries to associate with it.

So here's the hack. I create an access point named T-Mobile. Your computer boots and says "Look! There's T-Mobile! I wonder if it will be my friend?" Your laptop is now associated with my access point and is now a little bit on the vulnerable side.

First solution: firewall. Don't use the Windows firewall, get something like Zone Alarm Pro. Second, NEVER associate to ad hoc networks. Always set your card to only associate with infrastructure networks. Apparently new laptops that have built-in wireless have a button to turn the card off. They recommend using said button when networking is not in use.

Anyway, Here's The Fine Article on Slashdot that includes a link to the source story.

Important stuff if you're a Windows user who does wireless networking!
thewayne: (Headbanger)

Microsoft publicly announced last week -- after security firms had already scooped the software maker -- yet another Windows vulnerability for which the company has yet to release security patches. But this bug is a lot more lethal than your typical buffer overflow.

Redmond acknowledges that attackers can gain complete control of your PC using a layer of Windows the company designed more than a decade ago. According to a company statement, Microsoft will release an update Jan. 10 to protect your PC, but between now and then you're potentially vulnerable if you're running virtually any version of Windows, from 98 to XP.

However, there are proactive steps you can take so that a black-hat hacker does not take complete control of your PC while you're waiting for the patch.

What is the vulnerability?

There is a flaw in the way that Windows processes Microsoft Windows Meta File, or WMF, images. Attackers can craft special image files that, if viewed, give them carte blanche to access and control your PC.

Attackers are already taking advantage of the vulnerability in a number of ways, including spamming out e-mail messages that contain links to malicious websites that exploit the bug. Many legitimate websites have also been hacked and compromised to deliver the attack, according to Websense Security Labs, which was first to warn of the vulnerability. Websense says the WMF code also is being exploited through third-party banner ads on mainstream websites. And, like traditional Windows threats, the bug can always be exploited by a malicious e-mail attachment.

Did Microsoft design this vulnerability on purpose?

Microsoft first allowed .wmf file extensions to carry executable code at least as far back as Windows 3.0, Websense says. This was to enable Windows to cancel print jobs using the file format, and the developers in that simpler era apparently didn't imagine it would be used for anything more malicious.

A layer of backward compatibility folded into modern Windows kept the security hole alive below the surface of the operating system. Now anyone can use WMF files to do anything they want to your system, such as copying or destroying data, or installing backdoors to allow re-entry later. They can also cancel your print jobs.

What steps can be taken to protect your PC?

You can stop accessing the internet until Jan. 10, when Microsoft says it will have security updates. More realistically, there are some measures you can take to protect your system now.

Firstly, follow the IT department mantra of never opening an attachment or clicking on a web link in an e-mail from an unknown user (or an odd or unexpected e-mail from a friend). Microsoft says updated versions of antivirus software from Symantec, Computer Associates, McAfee and others also can block exploitation of this vulnerability.

But your best bet may be a nifty unofficial patch created by programmer Ilfak Guilfanov and available for download from The SANS Institute.

To see if your PC has already been infected, Microsoft's Windows AntiSpyware beta works reasonably well.

Can't I neutralize the exploit using Windows commands?

Microsoft and numerous security websites suggest a workaround that prevents Windows Picture and Fax Viewer from opening image files, including the vulnerable WMF format. This reduces your exposure, but doesn't fix the underlying vulnerability.

Under Windows XP, access the Run command and type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotes). Then click OK.

For maximum effect, SANS suggests a double-fisted approach of implementing this workaround and installing Guilfanov's patch until Microsoft comes out with an official fix.

Page generated Sep. 24th, 2017 11:03 pm