Suramya's Blog : Welcome to my crazy life…

January 22, 2022

Malware can now Intercept and fake an iPhone reboot

Filed under: Computer Security,Computer Software,My Thoughts,Tech Related — Suramya @ 1:50 AM

Rebooting the system has always been a good way to clean-start your system (phone or computer). Some phone malware, especially on the iPhone, has no ability to persist and can be removed just by rebooting the phone. Now researchers from the ZecOps Research Team have figured out how to fake a reboot on an iPhone, which allows malware/surveillance software to spoof the shutdown/reboot of a phone. As you can imagine, this has a massive security impact. The first problem is that we can't be sure that the phone has actually been rebooted, so the malware isn't removed. Secondly, some folks shut down their phones while discussing sensitive information. Using this technique, attackers can pretend that the phone is switched off while it is still on and eavesdrop using the phone's camera and mic.

We’ll dissect the iOS system and show how it’s possible to alter a shutdown event, tricking a user that got infected into thinking that the phone has been powered off, but in fact, it’s still running. The “NoReboot” approach simulates a real shutdown. The user cannot feel a difference between a real shutdown and a “fake shutdown.” There is no user-interface or any button feedback until the user turns the phone back “on.”

The problem is exacerbated by the lack of any physical method of powering the device off. Earlier phone models had removable batteries, which allowed a user to physically remove the battery when they wanted to secure the device. Now the battery is built in and there is no way to remove it without dismantling the device and voiding your warranty in the process. I have discussed with various folks over the years that it is impossible to ensure a device is powered off when we shut it down, because we can't remove the battery.

A silver lining is that hard reboots appear to be harder to spoof, so if you want to be sure that your phone is actually off, you can shut it down using a hard reboot. Another solution is to carry a Faraday bag with you and put your phone inside when you need to be off-grid.

Source: Schneier’s Blog: Faking an iPhone Reboot

– Suramya

January 20, 2022

Impact of Google Hacking and Data Collection using Search Engines on CyberSecurity

Filed under: Article Releases,Computer Security,My Thoughts,Tech Related — Suramya @ 1:58 AM

Modern search engines scan most public sites on a regular basis and, unlike legacy search engines, also have the capability of finding and indexing data or files that are not linked to from any other source. This allows the search engine to index data/files that could contain sensitive data or details of vulnerabilities. Using publicly available information, attackers can search for such information without touching the target system directly, leaving defenders little trace to watch for. Most organizations are not aware of the information being leaked by such means and how it is compromising their cyber security. The availability of the Google Hacking Database allows even minimally skilled attackers to search for information quickly and efficiently.
This poses a high risk to the organizations leaking sensitive data. There are no sure-fire solutions to this problem, and even the most careful organizations will expose data that, when combined with other sources, gives attackers a look at the organization's digital assets and systems.

The popular image of a hacker involves an attacker sitting in a dark room typing commands in a terminal to gain access, usually completed in a very short period of time. In real life, attackers spend a lot of time performing reconnaissance on the target before even engaging with the target system. One of the popular ways of performing reconnaissance is to use search engines like Google to find data; this technique is called Google Hacking and was introduced to the public in 2004 by Johnny Long. He defined it as "the art of creating complex search engine queries in order to filter through large amounts of search results for information related to computer security" (Johnny, 2004). Attackers use Google Hacking to uncover sensitive information about a company or to uncover potential security vulnerabilities.

The Google Hacking Database (GHDB) is a consolidated database of queries collected over the years thanks to contributions by researchers, hackers and the general public. These queries can be used to find sensitive data on websites, such as files containing passwords, configurations, sensitive data, financial information, error messages, firewall logs and other such data (Google Hacking Database, 2021). The database is in an easy-to-consume format and allows users to search for queries that will return specific types of data.

This database gives attackers the queries to use for specific types of data, leveraging the indexing power of Google to find information that should never have been exposed to the public.

How Google Hacking Works

Google allows a user to search for information using search keywords and a combination of search operators to limit the search results. With the information available in the Google Hacking Database an attacker can search for specific information and limit the search to a given target domain. There are multiple kinds of queries available that target specific kinds of information. Some of the categories of information available using this are:

  • Advisories and vulnerabilities: Queries that locate vulnerable servers based on product- or version-specific setups with known vulnerabilities.
  • Sensitive directories: Queries that find directories with files that contain sensitive information.
  • Files containing passwords: Queries that locate files containing passwords.
  • Pages containing login portals: Queries that locate login pages for various services.
  • Error messages: Queries that find pages with error messages that may contain details about the system.

Below are examples of the various queries that are available and the kind of data they expose.

Searching for passwords stored in files

Users sometimes store passwords in plain text files or Excel spreadsheets that are accidentally uploaded to a public site. These are then indexed by Google (or other search engines) and can be found using specific queries. For example:

allintext:"*.@gmail.com" OR "password" OR "username" filetype:xlsx

searches for all Excel files that have gmail.com in the text along with "password". Because the terms are joined with OR, this will find all files containing any of the search terms provided. If required, we can limit the search to a specific site using the "site:" search parameter.

Search for Log files

Log files contain a lot of sensitive information if exposed to the public. Error logs and access logs can expose information such as the PHP version you are running, CMS version details, operating system details etc. If firewall logs or system logs are exposed, they can reveal information such as usernames, firewall version and configuration details etc. Similarly, SQL logs can expose sensitive data as well. This information, combined with other information, can give an attacker a foothold in the system. For example:

allintext:username filetype:log

This query will return results that include the text "username" inside any *.log file, and the following query will return all directory listings where log files are publicly accessible:

intitle:"index of" errors.log

SSH private keys

SSH private keys are used to encrypt/decrypt data exchanged during SSH connections. They also allow users to authenticate to servers without the use of passwords. If a key is exposed, anyone can impersonate that user, and if passwordless logins are enabled the key will allow the attacker to log in to the server without a password. The following query will return all directory listings with a publicly accessible private key:

intitle:index.of id_rsa -id_rsa.pub

Login Portals

Organizations often expose their development or staging systems to the internet for testing and depend on the obscurity of the system for protection. These systems are vulnerable because development systems often don't have the same protections and controls applied to them as production systems do. In addition, there are often systems that were never meant to be public, such as router login pages, CMS admin sections etc, that increase the attack surface of the organization. A sample query to find login pages for the Cisco email security appliance is listed below:

intitle:"Cisco Email Security Virtual Appliance" inurl:csrfkey=

SQL dumps

Sometimes sites require SQL data dumps to be made for backup or restoration purposes, and these dumps often contain a lot of sensitive data. Using a search query similar to the one listed below, attackers can find these dumps and explore the data:

ext:sql | ext:txt intext:"-- phpMyAdmin SQL Dump --" + intext:"admin"

There are many more queries available in the database to search for specific data, and more are added every day.

Famous attacks that used Google Hacking/Google Dorks

Attacks using Google Hacking/Google Dorks are difficult to identify due to the passive nature of the technique. However, even with that restriction there have been a few cases of note where the attackers used this technique to attack an organization's systems, and some of them are listed below.

N.Y. Dam attack from Iran, 2013

Between 2011 and 2013, Hamid Firoozi from Iran gained access to the Bowman Avenue Dam in Rye Brook, New York by using Google searches to find an unprotected computer that controlled the dam's sluice gates (Matthews, 2016). The issue is rampant enough that the Department of Homeland Security and the FBI jointly released a warning about Google dorking: "By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities" (FBI, 2014).

Detection of Google Hacking Attacks

Detection of these attacks is difficult due to the passive nature of the attack. However, one technique that is quite successful is the honeypot approach. Organizations can store files with fake information that looks authentic and important, such as username and password combinations or SSH private keys that belong to non-existent accounts. Because these accounts do not exist, no one should be attempting to log in to them for legitimate purposes, so when a login attempt is made to these accounts or when the files are accessed we know that a Google Hacking attack is in progress, and the IP address etc can be flagged for follow-up or blocking. We can also lure the attacker into a fake network which is monitored to identify what information they are looking for.

Using that information, we can take further preventive measures to protect the system.
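The honeypot detection described above, as an added example that is not part of the original paper: decoy files (a fake key, log, SQL dump and spreadsheet, all constructed here) are planted under the web root, and the script scans web-server access-log lines for any request that touches them, grouping the hits by client IP. The decoy paths, the sample log lines and the search-engine referer heuristic are all assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Decoy paths planted on the web server. Constructed for this example: each file
# holds fake data of the kind the dork queries above hunt for and belongs to no
# real account, so nobody has a legitimate reason to request them.
HONEYTOKEN_PATHS = {
    "/backup/id_rsa",
    "/logs/errors.log",
    "/exports/users.sql",
    "/docs/accounts.xlsx",
}

# Hosts whose presence in the Referer header suggests the visitor arrived from a
# search result. The header is client-supplied, so treat it as a hint only.
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "duckduckgo.")

# Apache/nginx combined log format; the trailing referer/agent pair is optional
# so plain common-log-format lines parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample log: two visitors probing decoys, one normal visitor, and
# one malformed line to show that bad input is skipped rather than fatal.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jan/2022:08:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jan/2022:08:12:09 +0000] "GET /backup/id_rsa HTTP/1.1" 200 1675 "https://www.google.com/" "Mozilla/5.0"
198.51.100.7 - - [15/Jan/2022:09:30:44 +0000] "GET /exports/users.sql HTTP/1.1" 200 88210 "-" "curl/7.68.0"
192.0.2.9 - - [15/Jan/2022:09:31:02 +0000] "GET /about.html HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jan/2022:09:31:10 +0000] "GET /logs/errors.log?page=2 HTTP/1.1" 200 9012 "-" "curl/7.68.0"
this line is not a valid log entry
""".splitlines()


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def came_from_search_engine(referer):
    """True when the Referer header points at a known search engine host."""
    if not referer or referer == "-":
        return False
    host = urlparse(referer).netloc.lower()
    return any(marker in host for marker in SEARCH_ENGINE_HOSTS)


def find_honeytoken_hits(lines):
    """Return {client_ip: [hit, ...]} for every request that touched a decoy path.

    Any request to a decoy counts, whatever the status code: the attempt itself
    is the signal, since no legitimate user has a reason to fetch these files.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole scan
        path = rec["path"].split("?", 1)[0]  # compare without the query string
        if path in HONEYTOKEN_PATHS:
            hits[rec["ip"]].append({
                "time": rec["ts"],
                "path": path,
                "status": int(rec["status"]),
                "from_search_engine": came_from_search_engine(rec.get("referer")),
            })
    return dict(hits)


def ips_to_review(hits):
    """Client IPs ordered by number of decoy hits, most active first."""
    return sorted(hits, key=lambda ip: (-len(hits[ip]), ip))


if __name__ == "__main__":
    found = find_honeytoken_hits(SAMPLE_LOG)
    for ip in ips_to_review(found):
        for h in found[ip]:
            flag = " (arrived via search engine)" if h["from_search_engine"] else ""
            print(f"{ip} fetched {h['path']} at {h['time']} -> {h['status']}{flag}")
```

In production the same logic would read the live access log (or a SIEM feed) and forward the flagged IPs to whatever blocking or ticketing process the organization uses.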

Prevention Techniques for Google Hacking attacks

There are a few steps that we can take to avoid leaking sensitive data to attackers using Google Dorks as listed below:

  • Protect private information with authentication.
  • Don't expose development systems to the internet; if that is not possible, restrict access using IP-based restrictions.
  • Run regular vulnerability scans on your website/domain. A lot of the scanners now incorporate checks for popular Google Dork queries.
  • Run manual dork queries against your site to locate leaks before attackers do.
  • Add checks to your servers to find sensitive files in public directories, such as any file with an extension other than php/asp/html. These are potential leaks.
  • If you find sensitive content exposed, you can request its removal using the Google Search Console.
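The server-side check from the list above, as an added example that is not part of the original paper: it walks a web root and flags every file that is not a normal page asset, rating well-known sensitive names and extensions (the same ones the dork queries target) as high and everything else unexpected as worth a review, and it also sniffs file contents so a private key or SQL dump hidden under an innocent name is still caught. The allowed/risky lists and the sample directory tree are constructed for this example.

```python
import shutil
import tempfile
from pathlib import Path

# File types a typical PHP/ASP site legitimately serves; anything else sitting in
# the web root deserves a look. Constructed for this example; extend as needed.
ALLOWED_SUFFIXES = {".php", ".asp", ".aspx", ".html", ".htm", ".css", ".js",
                    ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".woff2"}

# Names and extensions that the dork queries in this post go looking for.
RISKY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", ".env", ".htpasswd"}
RISKY_SUFFIXES = {".log", ".sql", ".bak", ".old", ".xlsx", ".xls", ".csv",
                  ".pem", ".key", ".zip", ".tar", ".gz"}


def sniff_content(path):
    """Look at the first 4 KiB for tell-tale markers regardless of the file name."""
    try:
        head = path.read_bytes()[:4096]
    except OSError:
        return None  # unreadable file: fall back to name-based checks
    if b"PRIVATE KEY-----" in head:
        return "contains private key material"
    if b"SQL Dump" in head or b"INSERT INTO" in head:
        return "looks like a SQL dump"
    return None


def classify(path):
    """Return (severity, reason) for a file, or None if it looks harmless."""
    name = path.name.lower()
    suffix = path.suffix.lower()
    marker = sniff_content(path)
    if marker:
        return ("high", marker)
    if name in RISKY_NAMES:
        return ("high", f"well-known sensitive filename {path.name}")
    if suffix in RISKY_SUFFIXES:
        return ("high", f"sensitive file type {suffix}")
    if suffix not in ALLOWED_SUFFIXES:
        return ("review", f"unexpected file type {suffix or '(none)'}")
    return None


def audit_webroot(root):
    """Walk a web root and list every file that may be a leak, worst first."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        result = classify(path)
        if result:
            severity, reason = result
            findings.append({"path": path.relative_to(root).as_posix(),
                             "severity": severity, "reason": reason})
    order = {"high": 0, "review": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["path"]))


def build_sample_webroot():
    """Create a throwaway directory tree with constructed sample files."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "index.php": "<?php echo 'hello'; ?>",
        "css/site.css": "body { margin: 0; }",
        "backup/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
        "exports/users.sql": "-- phpMyAdmin SQL Dump\nINSERT INTO users VALUES (1, 'admin', 'x');\n",
        "logs/errors.log": "[error] PHP Warning: something went wrong\n",
        "docs/accounts.xlsx": "not a real spreadsheet, just a placeholder",
        "secret.txt": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
        "notes/readme.txt": "nothing secret here",
    }
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    try:
        for f in audit_webroot(sample):
            print(f"[{f['severity']:6}] {f['path']}: {f['reason']}")
    finally:
        shutil.rmtree(sample)  # clean up the constructed sample tree
```

Point audit_webroot() at the real document root (and schedule it) to catch leaks before a search engine indexes them.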

Conclusion

Google Hacking allows an attacker to perform reconnaissance against your organization in a passive way, collecting information that can then be combined with other sources to give them a foothold. Preventing such information leaks is a good way to protect organizational systems, and the techniques listed above can help with that. We can also subscribe to services that perform these checks on our behalf.

We covered some of the techniques available to detect and prevent Google Hacking attacks in this paper. While the techniques discussed will not protect against all attacks, they will reduce the attack surface and protect you against most attackers.


Note: This was originally written as a paper for one of my classes at EC-Council University in Q2 2021, which is why the tone is a lot more formal than my regular posts.

August 7, 2021

Bypass of Facial Recognition made possible by creating Master faces that impersonate 40% of population

Filed under: Computer Security,Emerging Tech,My Thoughts,Tech Related — Suramya @ 9:00 PM

Over the years, there has been a lot of push for image recognition systems, and more and more companies are entering the field, each with their own claims of supernatural accuracy. Plus, with all the amazing 'tech' being showcased in the movies and on TV, people are primed to expect that level of accuracy. Unfortunately, reality is a lot weirder, and based on research it's pretty simple to fool image recognition systems. In the past people have tricked systems into misidentifying a banana as a toaster by modifying parts of the image. There was another recent event where the Tesla self-navigation system kept thinking the moon was a yellow light and insisted on slowing down. There are so many of these 'edge' cases that it is not even funny.

A specific use case for image recognition is facial recognition, and that is a similar mess. I have personally used a photo of an authorized user to get a recognition system to unlock a door during testing. We have cases where wearing glasses confuses the system so much that it locks you out. Now, according to research conducted by the Blavatnik School of Computer Science and the School of Electrical Engineering, it is possible to create a 'master' face that can be used to impersonate multiple IDs. In their study they found that the 9 faces created by the StyleGAN Generative Adversarial Network (GAN) could impersonate 40% of the population. Testing against the University of Massachusetts' Labeled Faces in the Wild (LFW) open source database, they were able to impersonate 20% of the identities in the database with a single photo.

Basically, they are exploiting the fact that most facial recognition systems use broad sets of markers to identify specific individuals, and StyleGAN creates a template containing multiple such markers which can then be used to fool the recognition systems.

Abstract: A master face is a face image that passes face-based identity-authentication for a large portion of the population. These faces can be used to impersonate, with a high probability of success, any user, without having access to any user-information. We optimize these faces, by using an evolutionary algorithm in the latent embedding space of the StyleGAN face generator. Multiple evolutionary strategies are compared, and we propose a novel approach that employs a neural network in order to direct the search in the direction of promising samples, without adding fitness evaluations. The results we present demonstrate that it is possible to obtain a high coverage of the population (over 40%) with less than 10 master faces, for three leading deep face recognition systems.

Their paper has been published and is available for download here: Generating Master Faces for Dictionary Attacks with a Network-Assisted Latent Space Evolution.

With more and more companies pushing AI-based recognition systems as foolproof (looking at you Apple, with your latest nonsense about protecting kids by scanning personal photos), it is imperative that more such research is conducted before these systems are pushed into production based on the claims in their marketing brochures.

Thanks to Schneier on Security: Using “Master Faces” to Bypass Face-Recognition Authenticating Systems

– Suramya

June 8, 2021

Great book on Military Crypto analytics by Lambros Callimahos released to public

Filed under: Computer Security,Computer Software,My Thoughts,Tech Related — Suramya @ 9:58 PM

I find cryptography and code breaking to be very interesting as there are huge implications for cyber security. The current world is based on the presumption that cryptographic algorithms are secure; that is what ensures that we can use the internet, bank online, find love online and even work online. Cryptography has historically been a field working under heavy classification, and there are multiple folks we don't know about because their existence and work were classified.

Lambros Callimahos was one such cryptologist. He was good enough that two of his books on Military Cryptanalytics covering code breaking (published in 1977) were blocked from public release till 1992. The third and last volume in the series was blocked from release till December 2020. It is now finally available for download as a PDF file, so you can check it out.

The book covers how code breaking can be used to solve "impossible puzzles", and one of the key parts of the book is its explanation of how to use cryptodiagnosis to decrypt data that has been encrypted using an unknown algorithm. It has a whole bunch of examples and walks you through the process, which is quite fascinating. I am going to try getting through it over the next few weeks if I can.

Check it out if you would like to learn more about cryptography.

– Suramya

May 20, 2021

Thoughts on NVIDIA crippling cryptocurrency mining on some of its cards

Filed under: Computer Security,Computer Software,My Thoughts,Tech Related — Suramya @ 8:11 PM

You might have heard the news that NVIDIA has added code to its GPUs that makes them less attractive for cryptocurrency mining by reducing the efficiency of such computations using a software patch. On one side this is great news because it means that GPUs will be less attractive for mining and will be available for gamers and others to use in their setups. However, I feel that this is a bad precedent being set by a company. In effect they are deciding to control what you do with the card after you have bought it. A similar case would be a restriction in your car purchase to stop you from using it on non-highway roads. Or to stop you from carrying potatoes in the trunk.

This all comes back to the old story about DRM and how it is being used to restrict us from actually owning a device. With DRM you are essentially renting the device and if you do anything that the owner corporation doesn’t agree with then you are in for a fun time at the local jail. DRM/DMCA is already being used to block farmers from fixing their farm equipment, medical professionals from fixing their health equipment and a whole lot more.

Cory Doctorow has a fantastic writeup on how DRM works and the problems caused by it. DRM does not support innovation; it actually enforces the status quo because it is illegal to bypass it.

I have an old X-Box sitting in my closet collecting dust. I want to run Linux on it, but that requires me to break the law because I would need to bypass the DRM protections in order to install a new OS. Today we are OK with them blocking cryptocurrency mining, but what if tomorrow the company gets into a fight with a gaming company and decides that they will degrade the game's performance because the gaming company didn't pay the fees for full performance? What if tomorrow they decide to charge a subscription fee to get the full performance from the device? What is to stop them from degrading or crippling any other activity they don't agree with whenever they feel like it? The law is in their favor because of DRM: laws like the DMCA (and other such laws) make it illegal to bypass the protections they have placed around it.

This is a slippery slope and we can’t trust the corporations to have our best interest at heart when there is money to be made.

There is more discussion on this happening over at HackerNews. Check it out.

– Suramya

May 9, 2021

Teaching Cyber Security basics to kids

Filed under: Computer Security,My Thoughts,Tech Related — Suramya @ 8:04 PM

There is an ongoing effort in Australia to teach cyber security to five-year-old kids. I am sure that it will be no surprise to anyone who knows me that I think this is a brilliant idea. Security is a mindset, and the earlier we can teach kids about the pitfalls and dangers online, the safer they will be online.

Our generation grew up with the internet, and still I see that most people are not that serious about security. I had a long argument/discussion with Jani on why she had to have a passcode for her phone and why she couldn't use the same password for everything. Now she understands what I was talking about and uses a password manager with a unique password for each account. But that is not the same with my parents; I still have not managed to convince them to use a password manager. 🙁

A little while ago I was talking to mom and she commented that my nephew Vir doesn't share his account passwords with anyone, and when my mom is typing her password he looks away. I credit Vinit for teaching him this and am really happy about it. This is what you get when a kid is taught about security from the get-go instead of learning it later as an add-on. Another year or so and I will have him start using a password manager as well.

Habits learnt as a kid are really hard to unlearn, and that is why I think it is really important that we get to kids as early as possible and teach them about cyber security. I mean, we already teach them regular security and safety, so why not cyber security and safety? Remember, they are spending a lot more time on the computer and the internet than we ever did, and they need to be taught how to be careful online.

Well this is all for now. Will post more later.

– Suramya

March 25, 2021

Fools deleting company data after being fired and how to protect against this threat

Filed under: Computer Security,My Thoughts,Tech Related — Suramya @ 4:34 PM

Over the past few years I have seen multiple news articles and stories about idiots who were unhappy with their job or were fired and decided to take revenge by deleting data, accounts or destroying company property. The common factor in all the stories was the fact that the person was subsequently arrested and jailed. The most recent story I saw was this one, where a genius decided to delete 1200 Microsoft Office accounts after being fired and ended up in jail for his troubles.

Destroying company property when you leave is a good way to ensure you are never hired again by any company. I mean, if I was interviewing a candidate and I found out that the candidate had deleted critical data when they left the company, I would probably never hire them. At the end of the day, if you have demonstrated that you are not mature enough to deal with a loss and would rather delete data/information, then you are not a fit to work in my team. I know a lot of people will come and say that people should be given a second chance and what not, but this is a serious issue. There would be a major lack of trust in play here, and with that the person's efficiency would be horrible and multiple other folks would have to keep monitoring what this person was doing on the servers, which is an overhead I wouldn't need.

So, now looking at this from the company's side: how do you prevent something like this from happening? The basic step is to ensure that the access rights of the person are terminated as soon as they are let go. Secondly, they should not be allowed to access their system after they are fired. In one of my previous companies, the physical security team would escort a person off-premises without allowing them to log on to their computer or anything. By the time the person was off premises their accounts were already de-activated. They should also be removed from any company-related mailing lists, chat rooms, telephone trees etc immediately. Any commonly known account passwords should be changed immediately, and if the person had admin access a check should be made for any unauthorized accounts with admin access and for any backdoors that may have been installed.

In the case of a threat where the person hasn't been fired yet, you need to have systems in place to perform regular audits of all admin/root activity. There are a lot of other steps that can be taken that are out of scope for this blog post. SANS has a great paper on Protecting Against Insider Attacks, and RSA has a list of best practices that you can check out as well.

If you need help securing your network/system please reach out and we can discuss in more detail.

– Suramya

October 1, 2020

Windows XP and Server 2003 successfully compiled from leaked source code

Filed under: Computer Security,Computer Software,Tech Related — Suramya @ 9:39 AM

Last week, in a major leak, the source code for Windows XP and Windows Server 2003 was leaked on the Internet via the 4chan website, after which it propagated like wildfire across the internet via torrents and mirrors. There were some doubts cast about the authenticity of the leak, but knowledgeable folks who reviewed the code claimed that the leak looked authentic.

Now a developer who goes by the name NTDEV has successfully compiled Windows XP from the leaked source code. Unfortunately, it looks like the XP source code is missing some important files, due to which they were unable to compile critical files such as Winlogon.exe, which makes it impossible to install the compiled Windows XP to try it out. Fortunately, they had better luck with the Windows Server 2003 source code and were able to install the compiled copy on a VM successfully.

NTDEV posted a 22-minute video showcasing their journey, and you can check it out here if you are interested. Their Twitter feed has more information and screenshots of their process and proof.

You can probably expect a lot more information and details on the source to be published over the next few weeks as people go over the code and start publishing their findings.

– Suramya

September 17, 2020

How HTTPS Works? Explained in a comic!

Filed under: Computer Security,Security Tutorials,Tech Related — Suramya @ 10:41 AM

Found a fantastic explanation of how HTTPS works, what SSL/TLS is and why you should care about any of it, in an easy-to-understand comic format. I love seeing comics like this that aim to show concepts in simple ways.

Have you ever wondered why a green lock icon appears on your browser URL bar? And why is it important? We did too, and this comic is for you!
Follow the adventures of Certificat, Browserbird, and Compugter as they explain why HTTPS is crucial for the future of the web and how it all works together.
Don’t let the bad crabs get you (you’ll know what we mean in the comic). Get to know HTTPS and why it is essential to your privacy.

Check it out at: howhttps.works

– Suramya

August 25, 2020

Using Bioacoustic signatures for Identification & Authentication

We have all heard about biometric scanners that identify folks using their fingerprints, an iris scan or even the shape of their ear. Then we have lower-accuracy authenticating systems like face recognition, voice recognition etc. Individually they might not be 100% accurate, but combine one or more of these and we have the ability to create systems that are harder to fool. This is not to say that these systems are foolproof, because there are ways around each of the examples I mentioned above: our photos are everywhere, and given a picture of high enough quality it is possible to create a replica of the face or iris or even fingerprints.

Due to the above-mentioned shortcomings, scientists are always on the lookout for more ways to authenticate and identify people. Researchers from South Korea have found that the signature created when sound waves pass through the human body is unique enough to be used to identify individuals. Their work, described in a study published on 4 October in the IEEE Transactions on Cybernetics, suggests this technique can identify a person with 97 percent accuracy.

“Modeling allowed us to infer what structures or material features of the human body actually differentiated people,” explains Joo Yong Sim, one of the ETRI researchers who conducted the study. “For example, we could see how the structure, size, and weight of the bones, as well as the stiffness of the joints, affect the bioacoustics spectrum.”

[…]

Notably, the researchers were concerned that the accuracy of this approach could diminish with time, since the human body constantly changes its cells, matrices, and fluid content. To account for this, they acquired the acoustic data of participants at three separate intervals, each 30 days apart.

“We were very surprised that people’s bioacoustics spectral pattern maintained well over time, despite the concern that the pattern would change greatly,” says Sim. “These results suggest that the bioacoustics signature reflects more anatomical features than changes in water, body temperature, or biomolecule concentration in blood that change from day to day.”

Interestingly, while the setup is not as accurate as fingerprints or iris scans, it is still accurate enough to differentiate between two fingers of the same hand. If the waves required to generate the bioacoustic signatures are validated to be safe for humans over long-term use, then it is possible that we will soon see a broader implementation of this technology in places like airports, buses, public areas etc to identify people automatically without them having to do anything. If it can be made portable, then it could be used to monitor protests, rallies, etc, which would make it a privacy risk.

The problem with this tech is that it would be harder to fool without taking steps that would make you stand out, like wearing a vest filled with liquid that changes your acoustic signature. That is great when we are just talking about authentication/identification for access control, but it becomes a nightmare when we consider the surveillance aspect of its usage.

Source: The Bioacoustic Signatures of Our Bodies Can Reveal Our Identities

– Suramya
