thewayne: (Cyranose)
This is interesting, and I hadn't considered it. I would have thought that, while I am typing this email, nothing gets sent across my WiFi connection until I hit Send. But obviously email programs, if they're web-based, save draft copies. In the case of email, I think it would be negated by using a PC-based email client, but I'm not certain about that as email server internals are terra incognita for me.

Obviously a Cat 5 cable from your computer to your internet router should defeat this, but how many people do that on a regular basis? We use laptops because of their convenience; my laptop isn't wired because the router is in the living room and my desktop is in the far corner of the kitchen. I could get a router to allow me to hard-cable, then a second router to connect to my main router, and set up a wireless bridge between them, but that seems like a lot of work (and expensive) to try to thwart an attack that is unlikely to be used against me.

There has been tech to sniff the signal from wireless keyboards and mice forever; very few such devices encrypt the signal. I've heard Apple does, but I haven't seen independent information on that. And there's tech to allow sniffing your screen display, though it has limited range. Add them all together and you can get a heck of a read as to what some people do online.

From Bruce Schneier's blog:
Keystroke Recognition from Wi-Fi Distortion

This is interesting research: "Keystroke Recognition Using WiFi Signals." Basically, the user's hand positions as they type distorts the Wi-Fi signal in predictable ways.

Abstract: Keystroke privacy is critical for ensuring the security of computer systems and the privacy of human users as what being typed could be passwords or privacy sensitive information. In this paper, we show for the first time that WiFi signals can also be exploited to recognize keystrokes. The intuition is that while typing a certain key, the hands and fingers of a user move in a unique formation and direction and thus generate a unique pattern in the time-series of Channel State Information (CSI) values, which we call CSI-waveform for that key. In this paper, we propose a WiFi signal based keystroke recognition system called WiKey. WiKey consists of two Commercial Off-The-Shelf (COTS) WiFi devices, a sender (such as a router) and a receiver (such as a laptop). The sender continuously emits signals and the receiver continuously receives signals. When a human subject types on a keyboard, WiKey recognizes the typed keys based on how the CSI values at the WiFi signal receiver end. We implemented the WiKey system using a TP-Link TL-WR1043ND WiFi router and a Lenovo X200 laptop. WiKey achieves more than 97.5% detection rate for detecting the keystroke and 96.4% recognition accuracy for classifying single keys. In real-world experiments, WiKey can recognize keystrokes in a continuously typed sentence with an accuracy of 93.5%.
thewayne: (Cyranose)
First, Apple. An exploit was found and weaponized that can root an iPhone or, apparently, also an iPad. You need to update your devices RIGHT NOW if you're running iOS 9. It will update your devices to 9.3.5. It's a small patch, less than 40 meg, so a fairly quick and painless update.

Windows 10 also has a big problem that is currently not patched, so it requires a registry edit to close the hole.

To update the registry, do the following steps:
Click the Start button, and in the search field, type in "regedit", then select "regedit.exe" from the list of results
Navigate through the tree to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"
Once you have the "Wpad" folder selected, right click in the right pane, and click on "New -> DWORD (32-Bit Value)"
Name this new value "WpadOverride"
Double click the new "WpadOverride" value to edit it
In the "Value data" field, replace the "0" with a "1", then click "OK"
Reboot the computer
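The same change scripted so it can be checked and reverted from a PowerShell prompt. This is an added example, not from the post; it assumes only the key path and value name given in the steps above, and the reboot step still applies afterwards.

```powershell
# Added example (not from the post): create, verify and revert the WpadOverride
# value described in the steps above. The key lives under HKEY_CURRENT_USER,
# so no administrator rights are needed.
$WpadKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad'

function Get-WpadOverride {
    # Returns the current value, or $null when the key or value does not exist.
    if (-not (Test-Path $WpadKey)) { return $null }
    $item = Get-ItemProperty -Path $WpadKey -Name 'WpadOverride' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.WpadOverride
}

function Set-WpadOverride {
    param([ValidateSet(0, 1)][int]$Value = 1)
    # Create the key if it is missing, then write the DWORD. New-ItemProperty
    # fails when the value already exists, so Set-ItemProperty handles updates.
    if (-not (Test-Path $WpadKey)) { New-Item -Path $WpadKey -Force | Out-Null }
    if ($null -eq (Get-WpadOverride)) {
        New-ItemProperty -Path $WpadKey -Name 'WpadOverride' -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $WpadKey -Name 'WpadOverride' -Value $Value
    }
}

$before = Get-WpadOverride
Set-WpadOverride -Value 1
$after = Get-WpadOverride
"WpadOverride: before=$before after=$after"
if ($after -ne 1) { throw 'WpadOverride was not written; check the key path.' }

# Once an official patch is installed, the workaround can be undone with:
#   Set-WpadOverride -Value 0
```

Reading the value back before and after the write is the cheap check the GUI steps do not give you; the reboot from the last step is still required for the setting to take effect.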

Obviously this is not a trivial thing to do and messing with the wrong keys and values can brick your computer. I'm not sure if this is also a problem in earlier editions of Windows, so you should do a bit of research before doing something like this. It's already been fixed in most Linux distributions and also in MacOS.
thewayne: (Cyranose)
Mac users are familiar with Spotlight. Most users might be familiar with web bugs: they're an invisible 1-pixel-square graphic in an email that loads from a server that identifies you as a user and your ISP's IP address when you open an email (that's how you get email messages pleading 'Please don't go away!' from companies). In a nutshell, apparently there's a weakness that can be exploited to let someone search all of your Apple Mail emails remotely.

Solution? Two come to mind. First, go in to Preferences/Spotlight and turn off the ability for Spotlight to search your mail. Second, don't use Apple Mail. And it's always a good idea to have a firewall between you and the internet, but that's not an easy proposition to manage.

Google translation from the German site
thewayne: (Cyranose)
This is more of a problem for Internet Explorer 6 users and sadly there are still some of them out there. This is a client attack, not a server attack. This exploits an SSL v3 connection and can happen if you're on a public WiFi network. Recent versions of Windows, i.e. 7 and 8 and probably Vista should be fine.
thewayne: (Cyranose)
Snapchat is a picture message service with a difference: once viewed, the message is deleted, never to be seen again. Great for teens to sext each other, right? Wrong. Someone wanted persistence and set up a server to archive these pix. And that server got compromised. So now there are a huge number of what amounts to kiddie porn floating around the interwebs, since the biggest demographic of Snapchat users is between the ages of 13 and 17.

Google Translation of original German site:

You might have to dig down for the link to The Snappening, the Google URL seems to be linking to the top of the site.
thewayne: (Cyranose)
A couple of months ago I posted that security researchers had found a valid exploit to alter the microcontrollers on USB devices, making an attack vector that's almost impossible to detect or fix.

It's now in the wild, and criminals are experimenting to see what they can do with it.

A microcontroller is sort of a super-small computer, and the vulnerability is the discovery that it can be reprogrammed. It's almost impossible to detect because of the different levels that computer programs and operating systems work at; they're running so far above the hardware that some things just aren't easily seen. So this is almost invisible. In the early days of MS-DOS, you were running pretty much directly on top of the hardware, which had its pluses and minuses, but when Microsoft started abstracting the operating system from the hardware to make it easier to run on variations in hardware, you now had programs talking to the operating system, which talks to device drivers to access the hardware. This abstraction is really good from a system administrator standpoint, but it makes things like this really hard to detect.

Here's the most insidious part: a lot of the really nasty malware out there these days belongs to Command & Control (C&C) networks and can change. The guy who controls the system can tell it 'Go update yourself' and push a new module out to make the malware capable of infecting any USB device plugged in to it. And since pretty much all personal computing hardware is either Intel architecture or compatible with it, they might be able to push malware that is platform-agnostic and can infect anything.

It might be unpatchable, period. It might be that one manufacturer's controllers cannot be fixed, or that one particular series might or might not be fixable. It's not terribly easy to find out who made the controller on your USB device, much less fix it. One source said it could take a decade to resolve this.

Oh, and credit card readers? Those are USB devices usually.
thewayne: (Cyranose)
This is a little complicated. In Unix and Linux systems, there is an underlying interface called The Shell. Some systems use Bash, the Bourne-Again Shell; others use slightly different ones, and some Linux systems can have multiple shells installed at the same time for the convenience of programmers and administrators. The shell is comparable to a command line prompt on Windows or the Terminal interface on a Mac. In fact, I just noticed that my Mac runs Bash in its terminal window; there's no word yet as to whether or not Macs are affected. There's also a big question about what to do with Linux-based internet devices such as SANs or security DVRs or stuff like that, as those are notorious for sometimes being difficult to update.

Well, it has a bug. And it has the potential to be as big as or bigger than the Heartworm SSL problem. The only good thing about it is that it is easy to patch; one large provider said they'd patched 95% of their servers in about ten minutes.
thewayne: (Cyranose)
The Blackhat security conference is coming up very soon, and with it, advanced information about all sorts of wonderful problems. In this case, two new ways to compromise smartphones.

First up, a report on a tool that's built in to all smartphones: Androids, Blackberrys, iPhones sold by Sprint. They haven't tested Windows phones yet. It's a management tool that allows the cell providers to update firmware in the phone through over the air updates, and the security implementation isn't very good.

Granted, this is a team of advanced security researchers, but they were able to get in and totally pwn the phones they were working with. They've notified the maker of the management tool and the cell companies, so a fix should be distributed over the next few months that will make this more secure. Also, no evidence of this being exploited in the wild.

Next up, an iPhone, if connected to a compromised Windows PC, can potentially be turned into a botnet! This is interesting stuff as it has falsely been assumed that Apple had pretty tight security on its iPhones, which is broadly true, but they're also kinda slow pushing updates. I assume that the exploit would also be effective against iPads that also have cellular radios built-in.
thewayne: (Cyranose)
Yes, USB devices can carry malware, we all know that. This is new and different. Basically, it is not difficult to hack the hardware that controls the USB device, be it memory stick, external hard drive, or possibly smart phone or tablet. Malware injected into the controller is pretty much undetectable, and if it can't be detected, it can't be removed.

I haven't seen reports of this problem being found in the wild, but if security researchers have found it and exploited it, there's no reason to think that bad actors such as criminals or government agencies haven't done it.

Solution? There isn't one at this time; it's too low-level a problem, like malware in hypervisors: all but impossible to detect. The best posited solution would be to apply checksums against all USB firmware, which would entail replacing all USB devices. At least you'd know if a device had been altered and was therefore untrustworthy; the question at that point would be whether the device could be remediated or should be destroyed.
thewayne: (Cyranose)
The German security site,, published a report of a compromised cell phone being able to see the reflection of you entering your unlock codes and passwords FROM YOUR GLASSES. They also say that the back camera, being higher resolution, can actually read fingerprints, which will be a big threat for biometric security.

(translated via Google from German)

The easy solution, if you're not into taking selfies, would be to cover the front camera with tape. The case that I use covers the back camera unless I'm specifically taking photos, which is a rare thing, so that's useless if my phone were compromised.

There was a Mythbusters episode a few years ago where they were testing hi-tech security systems, including fingerprint readers. They lifted a fingerprint from a glass, using laser printer black toner to make the print visible. They scanned it, printed it on a hi-res laser, copied it on to a melted gummy bear fake finger, and it was rejected by the scanner. So they printed it again greatly enlarged, perhaps to an 8x10", then fixed disconnected lines with a black Sharpie pen. Scanned it again, reduced the size, repeated printing it, and it worked. It was amazing to see.

What was also cool was they got past an ultrasonic sensor, it might also have been infrared, I don't remember, by carrying a huge piece of shag carpeting in front of them. It absorbed the ultrasonics so they didn't reflect back, and they made it past that stage.

The new iPhone 5 fingerprint scanner is a different beast: it doesn't just read your fingerprint, it reads the capillary pattern beneath your skin. So it shouldn't be fooled by the Mythbusters trick. And I understand the newer generation of fingerprint scanners require a 98°F heat source behind them, so you can't chop off someone's finger to get in. So the Mythbusters trick will hopefully have a short life.
thewayne: (Cyranose)
There's a concept called a man in the middle attack; you can think of it as someone listening in on your phone call so they hear both sides of the conversation. In the way the internet works, it's doable, but not as easily. Well, this bug makes it kind of easy.

If you're able to position yourself between two computers that are both using certain versions of OpenSSL for encryption and privacy, then the middle man has the ability to intercept the encrypted packets when they're trying to establish the secure session and tell both hosts, silently, to switch to a weaker form of crypto. A form that presumably the middle man knows how to break.

So if you updated your OpenSSL software for Heartbleed, now you get to update it again.

OpenSSL is used a lot, but is not universal on the internet. One place where it is used heavily: Android smartphones and presumably tablets.
thewayne: (Cyranose)
VMWare servers, Nest thermostats, lots of home routers and firewalls, MyCloud servers, HP printers, videoconferencing systems, etc.

One positive thing in this article is that not all implementations of OpenSSL are vulnerable: older implementations are not vulnerable, and the version that has the bug apparently that segment of code is not mandatory and is not always implemented.
thewayne: (Cyranose)
Initially it was suspected that Heartbleed was only an attack on servers, it turns out that this is not the case. Heartbleed is an exploit of some bad code in a package called OpenSSL, which is normally run on servers and Linux machines. If a machine is running the compromised version of OpenSSL AND has been hacked so that it can be controlled remotely by ne'er-do-wells, then it is possible for them to do a reverse-Heartbleed attack against personal computers, tablets, smartphones, etc.

As an example, Facebook and Yahoo Mail look up URLs to grab a partial screen capture to link with your message. If you control the remote URL being looked up, it's possible to leverage an attack.

Meanwhile, a Canadian teen has been arrested by the RCMP for exploiting Heartbleed against the Canadian revenue service. As a result of his attack, the Canadians stopped accepting online tax return submission and extended the deadline.

The shutdown of online returns:

And it appears that the NSA has known about the exploit and been using it for their own ends.
thewayne: (Cyranose)
Here's an excellent XKCD comic showing how it works. The basic concept is known as an unchecked parameter where the requester (hacker) asks the server a question and tells it to return 64,000 characters of information. Said information is a random memory location but can contain quite valuable data, including crypto keys, and that's the reason why all of the certificate authorities are slammed and scrambling like mad to re-issue new encryption certificates.

I'll write more about this later after I've had time to research it better. One thing is that this seems to be a server problem; I don't know how this affects personal computers. I do know that the observatory that my wife works at had at least three vulnerable servers. People are saying "Change all your passwords NOW!", but I'm not sure if that's the way to go. If you change your passwords now, and the server has not yet been updated, it's still vulnerable. I think it would be better to wait until a given web site says 'change your password' as that should be a solid sign that they've taken steps to remediate their servers.
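A toy model of the "unchecked parameter" idea from the paragraph above, written as an added example that is not from the post or from OpenSSL. Nothing here speaks TLS; the byte arrays and the "secret" are constructed, and the point is the one-line bounds check that separates the vulnerable reply from the fixed one.

```powershell
# Added example (not from the post, not OpenSSL code): why the heartbeat length
# field must be checked against the bytes actually received.

# Constructed "server memory": the 4-byte payload the peer really sent,
# followed by unrelated data that happens to sit next to it (a made-up secret).
$Payload = [System.Text.Encoding]::ASCII.GetBytes('ping')
$Secret  = [System.Text.Encoding]::ASCII.GetBytes('CONSTRUCTED-SECRET-KEY-MATERIAL')
$ServerMemory = [byte[]]($Payload + $Secret)

function Invoke-HeartbeatUnchecked {
    param([byte[]]$Memory, [int]$ClaimedLength)
    # Vulnerable pattern: the reply is sized from the peer's claimed length,
    # so a claim larger than the real payload reads past it into $Secret.
    $end = [Math]::Min($ClaimedLength, $Memory.Length) - 1
    return [System.Text.Encoding]::ASCII.GetString([byte[]]$Memory[0..$end])
}

function Invoke-HeartbeatChecked {
    param([byte[]]$Memory, [int]$ReceivedLength, [int]$ClaimedLength)
    # Fixed pattern: a claim that exceeds what arrived on the wire is not
    # answered at all; the record is simply dropped.
    if ($ClaimedLength -gt $ReceivedLength) { return $null }
    return [System.Text.Encoding]::ASCII.GetString([byte[]]$Memory[0..($ClaimedLength - 1)])
}

$claimed = 40   # far more than the 4-byte payload, though well under 64,000
'unchecked reply: ' + (Invoke-HeartbeatUnchecked -Memory $ServerMemory -ClaimedLength $claimed)
'checked reply:   ' + (Invoke-HeartbeatChecked -Memory $ServerMemory -ReceivedLength $Payload.Length -ClaimedLength $claimed)
```

The unchecked function returns the payload plus everything that follows it; the checked one returns nothing for the same request. The patched OpenSSL does exactly this comparison between the claimed length and the record length, which is why updating the library, not changing passwords first, is what closes the hole.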

thewayne: (Default)
Scientists have been working on ways to hack car security systems. Increasingly, lots of things in new cars tie in to a central bus: engine control unit, anti-lock brakes, air bags, transmission, door locks. And the car stereo. The scientists have found a way to create a specially-crafted MP3 which, if played on certain models, lets them take control of the car, potentially by bluetooth or the car's cellular system.

Older cars without centralized buses would be immune, as would installing your own stereo. The sad thing is that car makers do not seem to be doing much to create a reasonably secure system, you'd think they'd learn with the news of all the systems being exploited out in the world.

(Speaking of which, my favorite recent hack is HB Gary Federal going against Anonymous: they totally pwnd their CEO, up to and including remote-wiping the guy's iPad!)
thewayne: (You're a Dick)
Let's say you use your laptop to access the internet at Starbucks, though why you'd pay to use their service I don't know. The SSID (name) of all of their access points is T-Mobile, after their provider. Your laptop remembers the SSID, and the next time you start it up, it tries to associate with it.

So here's the hack. I create an access point named T-Mobile. Your computer boots and says "Look! There's T-Mobile! I wonder if it will be my friend?" Your laptop is now associated with my access point and is now a little bit on the vulnerable side.

First solution: firewall. Don't use the Windows firewall, get something like Zone Alarm Pro. Second, NEVER associate to ad hoc networks. Always set your card to only associate with infrastructure networks. Apparently new laptops that have built-in wireless have a button to turn the card off. They recommend using said button when networking is not in use.
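The "infrastructure only, don't auto-associate" advice above, applied to every saved profile on a current Windows laptop. This is an added example and not from the post; it assumes a Windows version with the `netsh wlan` context (Vista and later), which the XP-era laptops the post has in mind did not have.

```powershell
# Added example (not from the post): audit saved Wi-Fi profiles and pin each one
# to infrastructure-only, manual connection, so the laptop stops auto-joining
# any access point that merely advertises a remembered SSID.
function Get-SavedWlanProfiles {
    # netsh prints lines like "    All User Profile     : T-Mobile"
    netsh wlan show profiles |
        Select-String -Pattern '^\s*(?:All )?User Profile\s*:\s*(.+?)\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

function Set-WlanProfileInfrastructureOnly {
    param([Parameter(Mandatory)][string]$Name)
    # ESS = infrastructure (access point) network; IBSS would be ad hoc.
    # connectionmode=manual stops the automatic association described above.
    netsh wlan set profileparameter name="$Name" connectiontype=ESS connectionmode=manual | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not update profile '$Name'" }
}

foreach ($profile in Get-SavedWlanProfiles) {
    "hardening profile: $profile"
    Set-WlanProfileInfrastructureOnly -Name $profile
}
# Afterwards "netsh wlan show profile name=<SSID>" should report
# "Network type : Infrastructure" and "Connection mode : Connect manually".
```

With connection mode set to manual the laptop still has the profile, but a network using the same SSID no longer gets joined without the user choosing it, which is the behaviour the rogue-access-point scenario relies on.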

Anyway, Here's The Fine Article on Slashdot that includes a link to the source story.

Important stuff if you're a Windows user who does wireless networking!
thewayne: (Headbanger)

Microsoft publicly announced last week -- after security firms had already scooped the software maker -- yet another Windows vulnerability for which the company has yet to release security patches. But this bug is a lot more lethal than your typical buffer overflow.

Redmond acknowledges that attackers can gain complete control of your PC using a layer of Windows the company designed more than a decade ago. According to a company statement, Microsoft will release an update Jan. 10 to protect your PC, but between now and then you're potentially vulnerable if you're running virtually any version of Windows, from 98 to XP.

However, there are proactive steps you can take so that a black-hat hacker does not take complete control of your PC while you're waiting for the patch.
What is the vulnerability?

There is a flaw in the way that Windows processes Microsoft Windows Meta File, or WMF, images. Attackers can craft special image files that, if viewed, give them carte blanche to access and control your PC.

Attackers are already taking advantage of the vulnerability in a number of ways, including spamming out e-mail messages that contain links to malicious websites that exploit the bug. Many legitimate websites have also been hacked and compromised to deliver the attack, according to Websense Security Labs, which was first to warn of the vulnerability. Websense says the WMF code also is being exploited through third-party banner ads on mainstream websites. And, like traditional Windows threats, the bug can always be exploited by a malicious e-mail attachment.
Did Microsoft design this vulnerability on purpose?

Microsoft first allowed .wmf file extensions to carry executable code at least as far back as Windows 3.0, Websense says. This was to enable Windows to cancel print jobs using the file format, and the developers in that simpler era apparently didn't imagine it would be used for anything more malicious.

A layer of backward compatibility folded into modern Windows kept the security hole alive below the surface of the operating system. Now anyone can use WMF files to do anything they want to your system, such as copying or destroying data, or installing backdoors to allow re-entry later. They can also cancel your print jobs.
What steps can be taken to protect your PC?

You can stop accessing the internet until Jan. 10, when Microsoft says it will have security updates. More realistically, there are some measures you can take to protect your system now.

Firstly, follow the IT department mantra of never opening an attachment or clicking on a web link in an e-mail from an unknown user (or an odd or unexpected e-mail from a friend). Microsoft says updated versions of antivirus software from Symantec, Computer Associates, McAfee and others also can block exploitation of this vulnerability.

But your best bet may be a nifty unofficial patch created by programmer Ilfak Guilfanov and available for download from The SANS Institute.

To see if your PC has already been infected, Microsoft's Windows AntiSpyware beta works reasonably well.
Can't I neutralize the exploit using Windows commands?

Microsoft and numerous security websites suggest a workaround that prevents Windows Picture and Fax Viewer from opening image files, including the vulnerable WMF format. This reduces your exposure, but doesn't fix the underlying vulnerability.

Under Windows XP, access the Run command and type "regsvr32 -u %windir%\system32\shimgvw.dll". Then click OK.

For maximum effect, SANS suggests a double-fisted approach of implementing this workaround and installing Guilfanov's patch until Microsoft comes out with an official fix.
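The same Picture and Fax Viewer workaround from a PowerShell prompt, with the exit code checked and a matching function to undo it once the official update is installed. This is an added example, not part of the article; it assumes PowerShell is installed on the XP machine (it was a separate download for XP) and uses only the regsvr32 command and DLL path the article gives.

```powershell
# Added example (not from the article): apply and later undo the Windows
# Picture and Fax Viewer workaround. regsvr32 /u unregisters the DLL and
# /s suppresses the confirmation dialog; exit code 0 means success.
$ShimgvwDll = Join-Path $env:windir 'system32\shimgvw.dll'

function Invoke-Regsvr32 {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $Arguments -Wait -PassThru
    return $proc.ExitCode
}

function Disable-PictureAndFaxViewer {
    if (-not (Test-Path $ShimgvwDll)) { throw "$ShimgvwDll not found" }
    return Invoke-Regsvr32 -Arguments @('/u', '/s', "`"$ShimgvwDll`"")
}

function Enable-PictureAndFaxViewer {
    # Run this after the official update is installed to restore the viewer.
    return Invoke-Regsvr32 -Arguments @('/s', "`"$ShimgvwDll`"")
}

$rc = Disable-PictureAndFaxViewer
if ($rc -eq 0) {
    'shimgvw.dll unregistered; Picture and Fax Viewer will no longer open WMF files'
} else {
    "regsvr32 returned $rc; workaround not applied"
}
```

As the article notes, this only removes one viewer from the path; the vulnerable WMF handling is still present, so the unofficial patch or the official update is still needed.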

Page generated Jul. 23rd, 2017 04:45 pm
Powered by Dreamwidth Studios