Meltdown and Spectre: Breakdown of The recent CPU Security Bug




Much like Icarus flying too close to the sun, CPU manufacturers, in trying to keep up with Moore's law, have left open a serious vulnerability that will haunt us for years to come.

What is the cause of the vulnerability?

Almost all modern CPUs have a feature called "speculative execution", which increases speed by predicting which path of a branch is most likely to be taken and speculatively continuing execution down that path even before the branch has been resolved.

What is Meltdown and Spectre?

Both exploits abuse speculative execution to access "privileged memory", allowing a lower-privilege user process to read it.

So why is this a big issue?

One of the core security mechanisms is the isolation of programs. Most programs run in an isolated space and can only access their own data and information. This stops malicious programs from reading or modifying others. This vulnerability breaks that core security principle, and since the flaw is at the hardware level, any software patch is limited in what it can do.

Essentially almost all the rules that protect programs in a computer from each other are now null and void.

How does this affect me?

This would allow any user-space process, for example JavaScript running in a browser, to read sensitive information in memory such as sessions, passwords etc. It would also allow programs running at lower privilege to read kernel memory. Cloud service providers, who rely heavily on isolation, are also affected.

There are innumerable combinations of attacks possible due to this vulnerability. We will be seeing many more "exploits" that make use of this vulnerability for specific systems and programs in the future.
POC: (embedded proof-of-concept media not reproduced in this copy)
How are they different?


Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.
Spectre is easier to fix than Meltdown.

Why is it called Meltdown?

The bug basically "melts" security boundaries that are normally enforced by the hardware.

Why is it called Spectre?

The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.

How do I know if I am vulnerable?

Almost all Intel processors made since 1995 are vulnerable to Meltdown.

Almost all devices (desktops, laptops, smartphones etc.) are affected by Spectre. The vulnerability has been verified on AMD, Intel and ARM processors.
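A defender-side way to answer "am I vulnerable, and is the patch active?" on Linux, added here as an example that is not part of the original post: since kernel 4.15 the kernel reports the status of each speculative-execution issue in one file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2), each holding a one-line value such as "Not affected", "Vulnerable" or "Mitigation: PTI". The classification logic and the sample file contents below are my own construction.

```python
"""Report the kernel's own verdict on Meltdown/Spectre mitigation status.

Added example (not from the blog post). Reads the sysfs files that Linux
4.15+ exposes; on an older kernel the directory is absent and every issue
is reported as "unknown" rather than silently "safe".
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse verdict."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"          # hardware is not susceptible
    if s.startswith("Mitigation:"):
        return "mitigated"             # kernel-side workaround is active
    if s.startswith("Vulnerable"):
        return "vulnerable"            # includes "Vulnerable: <partial detail>"
    return "unknown"                   # empty or unrecognised text


def assess(statuses: dict) -> dict:
    """issue name -> verdict; issues missing from `statuses` become 'unknown'."""
    return {issue: classify(statuses.get(issue, "")) for issue in ISSUES}


def needs_attention(verdicts: dict) -> list:
    """Issues an admin should follow up on (vulnerable or undetermined)."""
    return [i for i, v in verdicts.items() if v in ("vulnerable", "unknown")]


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Collect the raw status lines from the live system (empty if absent)."""
    found = {}
    for issue in ISSUES:
        path = directory / issue
        if path.is_file():
            found[issue] = path.read_text()
    return found


# Constructed sample resembling an Intel box with the PTI patch applied but
# only a partial Spectre v2 mitigation (not captured from a real machine).
SAMPLE_STATUSES = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}


def report(statuses: dict) -> str:
    verdicts = assess(statuses)
    lines = [f"{issue:<11} {verdict}" for issue, verdict in verdicts.items()]
    todo = needs_attention(verdicts)
    lines.append("follow up: " + (", ".join(todo) if todo else "nothing"))
    return "\n".join(lines)


if __name__ == "__main__":
    live = read_sysfs()
    print(report(live if live else SAMPLE_STATUSES))
```

Run it as root or any user (the files are world-readable); an empty result set means the kernel predates the reporting interface, which is itself a sign that the patch is missing. The Windows counterpart referenced in the Microsoft article below is the SpeculationControl PowerShell module and its Get-SpeculationControlSettings cmdlet.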

How do I patch?

Please have a look at this great list that Gizmodo provides:

https://gizmodo.com/check-this-list-to-see-if-you-re-still-vulnerable-to-me-1821780843

System admins, please have a look at:
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in (Requires powershell v5)

Verify that your AV is compatible with the patches:
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

There have been reports that the patches cause a 10 - 30% reduction in system speed (which Intel denies). We may need to wait and watch for at least a week to get clarity on this issue.


A note to the security community:

It would be easy to blame the chip manufacturers and point fingers at them. But we really dropped the ball on this one. What should have been found much, much earlier has taken decades to come to light, and now it is going to affect us for years.

Why is that?

Have all of us been so focused on OS, application, networking and web-level vulnerabilities that we have completely forgotten to check the base they all run on?

I think all of us (including me) should start looking into how we can help identify such vulnerabilities in the future.


We should also take a serious look at disclosure timelines and practices. Who decides how to approach the disclosure of such high-impact vulnerabilities? Yes, I understand the logic that the "bigger" tech companies are given first priority so that the majority of users are patched. But such a long drawn-out timeline (this bug was found in June 2017, 6 months ago) seriously puts the small guys at risk, as it increases the chance of one rogue person exploiting such vulnerabilities silently.

While US-CERT might have been aware of this vulnerability, were regional CERTs like CERT-In informed? Why not?

From reading the first set of advisories, I can see that only "Western" companies seem to have been aware of this vulnerability before January 3rd. Why is that? Does our industry have a bias? Think on this.

https://meltdownattack.com/#faq-advisory


This also raises ethically grey issues like this:
https://www.businessinsider.in/intel-was-aware-of-the-chip-vulnerability-when-its-ceo-sold-off-24-million-in-company-stock/articleshow/62359605.cms

Should our CIOs, CTOs and CEOs be allowed to sell company stock once they know there is a security breach or a vulnerability? Who watches them and ensures compliance? Are the current laws against insider trading enough? These are all questions that need to be answered sooner or later.


References:
https://en.wikipedia.org/wiki/Speculative_execution
https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/spectre.pdf
https://meltdownattack.com/
https://googleprojectzero.blogspot.in/2018/01/reading-privileged-memory-with-side.html
http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html

Aadhaar data breach: For Rs 500, access to a billion details; UIDAI denies report

The Unique Identification Authority of India (UIDAI) has denied an investigative report from The Tribune claiming that access to the Aadhaar database of over one billion people can be bought for just Rs 500 in 10 minutes.

According to The Tribune's report, the reporter joined a WhatsApp group which allegedly sold all Aadhaar data available with UIDAI, and paid Rs 500 via Paytm. One of the group's agents then gave him an ID and password that allowed him to access any person's Aadhaar details. For an additional fee of Rs 300, the agents printed Aadhaar cards for them.

In the report, reporter Rachna Khaira says, "It took just Rs500, paid through Paytm, and 10 minutes in which an 'agent' of the group running the racket created a 'gateway' for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the Unique Identification Authority of India (UIDAI), including name, address, postal code (PIN), photo, phone number and email."

"What is more, The Tribune team paid another Rs300, for which the agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual," the report says.

The UIDAI has assured that there is no possibility of a data breach, and that Aadhaar data, including biometric information, is fully safe and secure.

Sanjay Jindal, Additional Director-General, UIDAI Regional Centre, Chandigarh, accepted that this was a major lapse in cybersecurity and told The Tribune: “Except the Director-General and I, no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach.”

Amid the controversy, UIDAI tweeted: "There has not been any data breach of a biometric database which remains fully safe & secure with the highest encryption at UIDAI and a mere display of demographic info cannot be misused without biometrics."




"Narcos" helping users to potentially curb cybercrime




The dark web isn't only a market for illicit drugs and stolen Visa or credit card numbers; rising beneath the surface of this already uncertain marketplace is a growing economy flourishing on stolen identities.

There is a growing demand for privileged user logins on the dark web, and the consequences could be devastating for organizations and businesses around the world.
It is comparable to the famous Netflix original series "Narcos", which recounts the story of former drug kingpin Pablo Escobar, who in his prime made as much profit trafficking cocaine in a year as the entire gross national product of Colombia. And while there were many factors that led to the rise of Escobar, the most critical was growing worldwide demand.

Amid all this, a simple formula applies, from consumer credit card logins to iOS administrator credentials:

The more access someone has to a system, the more valuable their identity is on the dark web.

Experts estimate that the stunning revenue of $800,000 a day made by AlphaBay, which was taken down in July, demonstrates that the money made on the black market can overshadow what many of the top security organizations, who are in charge of protecting these identities, earn every year.

Today, almost 80 per cent of all cybersecurity breaches involve privileged login credentials, according to Forrester Research.

In the wrong hands, those privileged logins can wreak havoc on a business, either through a coordinated insider attack or by shutting a system down for ransom.
In a recent example featured in a report from BAE Systems and PwC, a group called APT10 focused solely on the privileged credentials of managed IT service providers (MSPs), which gave the attackers unprecedented potential access to the intellectual property and sensitive information of those MSPs and their customers worldwide.

The dark web is so lucrative that anybody with software engineering skills and a wayward moral compass can attempt to cash in; therefore one cannot ward off every attempt to break into their system.

Understanding that, we must ensure that no user has full, uncontrolled and unregulated access to our networks and systems. It becomes clear that the best approach to deter hackers hoping to sell your privileged credentials on the dark web is to devalue those credentials as much as possible.

To bring this back to "Narcos": if cocaine users during Escobar's reign as a narco-trafficker had suddenly become immune to the effects of the drug, the market demand, and the fortune Pablo Escobar was hoarding, would have quickly dried up.


Similarly, if we could curb the ease with which criminals can use privileged credentials, we could possibly control cybercrime. The same holds for the buying and selling of credentials and certificates alike on the dark web.


Intel’s processor security flaw forces Linux and Windows kernel redesign

Millions of computers using Intel chips are prone to hacking because of a flaw that went unnoticed for a decade, it has emerged.

A security flaw in Intel's processor chips has forced a redesign of the Linux and Windows kernels running on millions of computers to work around the chip-level security bug.

The flaw remained unnoticed for a decade. For the past two months, programmers have been busy patching the Linux kernel’s virtual memory system so that the bug in Intel CPUs cannot be used by hackers to exploit the security flaw. Through this flaw, hackers could easily read security keys, passwords, and files cached from disk.

According to The Register, software updates are required for both Windows and Linux systems, and machine performance will be affected.

"Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products," The Register wrote (bit.ly/2CsRxkj).

“The effects are being benchmarked, however, we are looking at a ballpark figure of a five to 30 percent slowdown, depending on the task and the processor model.”

Competing chip maker AMD has confirmed that its processors are not vulnerable to this type of security bug. “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” explains Tom Lendacky, an AMD engineer.

Beware. Here comes Loapi


One malware after another seems to have compounded the concerns of cybersecurity experts these days. Now it is Loapi's turn to infect systems.

According to cybersecurity experts, the malware silently intrudes and mines cryptocurrency on a smartphone, and can also take part in DDoS attacks.

The software is no less harmful to the phone itself, heating the battery within a couple of hours.

But how? Here lies the answer. After the infection, the phone cover becomes deformed and distorted as a result of the overload from the mining module and its traffic.

The malware can infect the phone as soon as a user clicks on an adult-content ad. The same can happen with fake anti-virus software.

Cybersecurity experts note that the user of a phone finally gives in after repeated notifications and requests by Loapi on the screen.

Once the user refuses the malware administrative rights, the settings window shuts down and the screen stays locked, leaving the user in a deep dilemma. Even when the user starts downloading anti-virus software, the malware remains unmoved.

But how to get rid of it? The experts fighting the malware suggest that users download apps only from official stores and not install any app from an unreliable source.

Two Romanians held for US police CCTV hack

Two Romanian nationals have been charged with hacking police computers linked to surveillance cameras in Washington, DC in January after US prosecutors uncovered evidence of a suspected ransomware campaign. 

Some 123 of the city’s 187 outdoor surveillance cameras were accessed in the hack, which took place between January 9-12, just days before the inauguration of President Donald Trump on January 20. The accused, Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28, were arrested at Bucharest Otopeni airport on December 15.

According to the US statement, Isvanca is currently in custody in Romania, whereas Cismaru is currently under house arrest pending further legal proceedings. An affidavit filed by US Secret Service agent James Graham outlines how investigators identified two types of “malicious computer code” on police computers, one known as “cerber” and the other known as “dharma.”
The US Department of Justice said the case was "of the highest priority" because of the security surrounding the presidential inauguration.

“This case was of the highest priority due to its impact on the Secret Service’s protective mission and its potential effect on the security plan for the 2017 Presidential Inauguration,” the Justice Department said in a statement cited by Reuters.

The perpetrators intended to use the camera computers to send ransomware to more than 179,600 email addresses and extort money from victims, the justice department said in the statement.

“Both defendants are charged with conspiracy to commit wire fraud and conspiracy to commit various forms of computer fraud,” said the US Department of Justice (DoJ).

There was no evidence that the alleged hackers had physically harmed or threatened anyone, the US statement added.

US officials say they linked email accounts accessed on the compromised computers to Isvanca and Cismaru. The pair is accused of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison.

If proven, this will not be the first time that criminal gangs have targeted and utilised CCTV systems for ransomware or DDoS attacks.

Google Chrome takes down extension for mining cryptocurrency

Leading internet browser Google Chrome has taken down a browser extension that was reported to be secretly mining cryptocurrency using users' CPU power.

The extension hijacks a user’s CPU and mines Monero without asking for any permission for as long as Chrome is running.

In several reviews since the beginning of December, users had complained that the extension, Archive Poster, was engaging in cryptojacking. The browser extension was developed by qplus.io and had over 1.05 lakh users. The extension allowed Tumblr users to “reblog, queue, draft and like posts directly from another blog’s archive.”
The process of secretly mining cryptocurrencies using a user's resources is popularly known as cryptojacking. Mining cryptocurrency – performing tasks to earn such digital currencies – requires very powerful hardware, and miners often use multiple computer systems to achieve this.

A user has no way to turn this off other than to uninstall the extension or close the website executing the process.

Users in the review section of the extension had blasted the inclusion of the infamous Coinhive in-browser miner’s JavaScript code in the extension. Coinhive is the same miner which was used by The Pirate Bay to mine cryptocurrency using user’s CPUs.

After technology websites reported on the poor reviews and complaints last week, the extension no longer appears at its link.

Facebook’s Messenger was also recently attacked with a new cryptocurrency-mining bot called “Digimine” that mines Monero. The bot only affects the desktop or web browser version of Facebook Messenger. As per a previous report, it sends a file which, if opened on other platforms, does not work as intended. It cryptojacks a user’s browser and also installs a registry autostart mechanism as well as a system infection marker. It launches Chrome on its own to install a malicious browser extension that it retrieves from a command-and-control (C&C) server.

Sensors existing in smartphones themselves present a gateway to hackers.

According to a study led by Shivam Bhasin, an Indian-origin senior researcher at NTU, data from your smartphone's sensors can reveal PINs and passwords to hackers and allow them to unlock your mobile devices. Researchers from Nanyang Technological University (NTU) in Singapore used the sensors in a smartphone to model which number had been pressed by its users, based on how the phone was tilted and how much light was blocked by the thumb or fingers.

Instruments in smartphones such as the gyroscope and proximity sensors represent a potential security vulnerability, the researchers said.

Using machine learning algorithms and a combination of data gathered from six different sensors found in smartphones, the researchers succeeded in unlocking Android smartphones with 99.5 per cent accuracy within three tries, when attacking a phone that had one of the 50 most common PINs.

The team of specialists took Android phones and installed a custom application which gathered information from six sensors: accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor.

"When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9," said Bhasin.

Although every individual enters the PIN on their phone differently, the researchers demonstrated that as data from more individuals is fed to the algorithm over time, the success rate improves.

So while a malicious application will most likely be unable to guess a PIN correctly immediately after installation, by using machine learning it could gather data from a huge number of users over time, learn their PIN entry patterns and then launch an attack later when the success rate is substantially higher.

The study demonstrates how devices with apparently strong security can be attacked using a side channel, as sensor data could be diverted by malicious applications to spy on user behaviour and help recover PIN and password data, said Professor Gan Chee Lip from NTU.

To keep mobile phones secure, Dr Bhasin encourages users to have PINs with more than four digits, combined with other authentication methods like one-time passwords, two-factor authentication, and fingerprint or facial recognition.

What else do you expect from Apple? Apple slowing iPhones because of old batteries

Apple has publicly apologized to its customers for slowing older iPhones in order to cope with declining battery life. After this fiasco, the company has said that it would reduce the price of replacement batteries for the affected phones from $79 to $29.
In its initial apology letter, the firm said that the batteries would be available in late January, but an updated apology says the batteries are available now.

The company told The Verge in a statement that “we expected to need more time to be ready, but we are happy to offer our customers the lower pricing right away.” 

“Initial supplies of some replacement batteries may be limited.” They will soon update the details on Apple.com.

In a rare public apology on its website on Thursday, Apple clarified that the reason for slowing down the software was to protect phones with older batteries from sudden shutdowns, and that customers can now replace their batteries at the reduced price.

Ripple passes Ethereum to become World’s Second-Largest Cryptocurrency

Ripple has overtaken Ethereum as the world’s second-largest cryptocurrency. Its XRP token climbed more than 50% on Saturday.

In just 24 hours, Ripple rose to as much as $2.20.

Ripple has had one of the biggest gains among digital tokens this year, going from less than a cent ($0.006523) in January to $2.24 on Saturday, which represents a surge of almost 350 times in value.

This could be because of increased interest from speculators, as is the case with most cryptocurrencies, but various experts claim that Ripple is worth looking into.

The advantage of Ripple, according to its backers, is that it is not just a cryptocurrency but also a digital protocol that acts as a bridge to other currencies and doesn’t discriminate against peers, whether they are using digital money, fiat currencies, or even mobile minutes.

Unlike bitcoin and other cryptocurrencies, Ripple follows a centralised system and its owners are known.

Romanian hackers charged for infiltrating 65% of Washington's outdoor surveillance cameras

Two Romanian hackers have been charged with infiltrating over two-thirds of the outdoor surveillance cameras in Washington, DC, days before President Trump’s inauguration, according to the Department of Justice.

Mihai Alexandru Isvanca and Eveline Cismaru are the two hackers alleged to have infiltrated 65% of the outdoor surveillance cameras as part of a ransom scheme. The attack affected 123 of the D.C. police department’s 187 outdoor surveillance cameras; as a result, the cameras were not functioning for several days.

On 15 December, both were arrested along with three other Romanian hackers in Romania and will face prosecution in Europe.

“This case was of the highest priority due to its impact on the Secret Service’s protective mission and its potential effect on the security plan for the 2017 Presidential Inauguration,” Bill Miller, a spokesman for U.S. Attorney Jessie K. Liu, said in a statement.

According to court filings, prosecutors are planning for the extradition of Isvanca and Cismaru. They both might face up to 20 years in prison if convicted.