MENTIS

Week of December 28, 2018

MENTIS
news

Week of December 28, 2018

Attackers Use Google Cloud To Target US, UK Banks*:

  • A malicious email campaign has been found abusing a Google Cloud Storage service to host a payload sent to employees of financial services organizations, Menlo Labs researchers report.
  • The threat appears to have been active in the US and UK since August 2018.
  • Victims receive emails containing links to archive files; researchers say all instances in this particular campaign have been .zip or .gz files.
  • All cases involve a payload hosted on storage.googleapis.com, which appears to be related to Google's cloud storage service but is, in fact, a malicious link.
  • Attackers often use this domain to host payloads because it's trusted and likely to bypass security controls in commercial threat detection products.
  • These actors may have chosen bad links in lieu of malicious attachments because many email security products are designed to detect files and only pick up on malicious URLs if they're already in their threat repositories.
  • The use of a link resembling Google's cloud storage service is a form of "reputation jacking," a tactic in which attackers abuse well-known hosting services to evade detection.
  • It's a growing trend, researchers say: In its annual analysis of the top 100,000 domains as ranked by Alexa, Menlo Labs found 4,600 phishing sites that used legitimate hosting services.

*Source: Dark Reading, December 26, 2018

Hackers Defeat Vein Authentication By Making A Fake Hand*:

  • Biometric security has moved beyond just fingerprints and face recognition to vein-based authentication.
  • Unfortunately, hackers have already figured out a way to crack that, too.
  • According to Motherboard, security researchers at the Chaos Communication Congress hacking conference in Leipzig, Germany showed a model wax hand that they used to defeat a vein authentication system using a wax model hand.
  • Vein authentication typically uses a computer system to scan the shape, size and location of a person's veins in their hand.
  • Those patterns have to be identified each time the system scans the person's hand.
  • In order to fool that security check, the researchers took 2,500 photos of a hand using a modified SLR camera that had the infrared filter removed to better highlight veins under the skin.
  • They then took those photos and created a wax hand with the details of the person's veins sculpted right in.
  • That wax mock-up was enough to bypass the vein authentication system.
  • To be clear, the method used by the security researchers isn't one that the average person could easily replicate.
  • While the researchers said photos from as far away as five meters (about 16 feet) are good enough, snapping enough to make a reliable model would be a challenge without lots of access to the hand in question.
  • It's a more intensive cracking process than, say, fingerprint ID that could potentially be hacked simply by lifting a person's fingerprint from an object they have touched.
  • It still presents a concern that security systems can be manipulated with cheap and readily available materials.

*Source: EnGadget, December 28, 2018

https://www.engadget.com/2018/12/28/hackers-defeat-vein-authentication-by-making-a-fake-hand/

The Rise Of Self Concealing Steganography*:

  • Steganography is the practice of hiding messages or information in plain sight, especially inside other data or images.
  • And a new toolset, which debuted earlier this month at the Black Hat Europe conference in London, suggests steganography is going to get much more difficult to spot in the future.
  • Digital steganography has already been put to use by bad actors.
  • In 2013, for example, Russian security firm Kaspersky Lab and Budapest-based CrySyS Lab discovered an online espionage campaign that used attack code called MiniDuke, which looked to specified Twitter accounts to retrieve command-and-control instructions.
  • More recently, security firm Trend Micro reported finding an attack campaign that used a meme drawn from the 1999 science fiction film "The Matrix" to send remote-control instructions for PCs infected with Berbomthum malware.
  • Steganography, however, has also been used to help people operating in repressive regimes to more safely transport sensitive information; to protect journalists and their sources; to safeguard against industrial espionage when crossing borders; and for intelligence agencies undertaking deep-cover operations.
  • Speaking earlier this month at Black Hat Europe in London, Dominic Schaub, a researcher at a Canadian firm called Discrete Integration, noted that many types of digital steganography may be revealed if investigators look at a PC on which such tools are installed and find encryption tools.
  • Regardless of intentions, it looks like steganography is going to get more difficult to spot in the future.
  • That's thanks to Schaub building a new approach to digital steganography, in the form of a "fast, stable and functional" toolset that he says functions as "a self-concealing, perfectly deniable encryption/steganography suite."
  • Russian Doll Steganography:
    • The suite of tools he built creates a hidden, encrypted partition on a disk, while leaving no digital forensic traces, thus making so-called Russian doll steganography - hiding something inside something that looks whole - much easier.
    • "Deniable encryption and steganography nominally safeguard sensitive information against forced password disclosure by concealing its very existence," Schaub says in an overview of his research.
    • "However, while the presence of sensitive information may be 'plausibly' denied, the possession of steganographic software - e.g. suspiciously configured VeraCrypt - is readily detected and regarded as a 'smoking gun' that invalidates such deniability."
    • VeraCrypt, for example, includes the ability to create hidden volumes with their own operating system.
    • But Schaub says there's a way to address that shortcoming, via what he calls self-concealing steganography, as The Daily Swig first reported.
    • "In this new paradigm, steganographic tools hide themselves in a self-recursive manner that renders them forensically invisible, Moreover, upon cryptographic activation by an authorized user, these hidden tools can bootstrap themselves into existence without generating any incriminating forensic evidence. Provided that requisite cryptographic conditions are met, such steganography can be considered 'perfectly deniable.'"
    • A bootstrap is the program that initializes an operating system during its startup.
  • ‘Bit-For-Bit’ Normal Linux
    • Schaub says that his approach enables the creation of a decoy system that "appears bit-for-bit as a normal Linux system" that has been created using entirely out-of-the-box, default Ubuntu parameters.
    • Schaub says his tool spans about 30,000 lines of code, including a "main kernel module, user space utilities - for installation, diagnostics, etc. - and various components of [the] bootstrap system."
    • Although the tool remains in development, he's also tested that it works well on various combinations of Arch and Ubuntu, and has confirmed that VirtualBox for Windows - a free, open source hypervisor - "works very well" on the hidden system.
  • The rise of digital steganographic tools that are tougher to spot is good news for people operating in repressive regimes, or others attempting to safeguard themselves against bad actors.
  • But of course, tools built for good often get repurposed for illicit purposes, and digital steganography looks set to make life more difficult for law enforcement agencies.
  • "Perfectly deniable steganographic disk encryption is going to be a nightmare when it comes to gathering digital evidence," says Alan Woodward, a professor of computer science at the University of Surrey, via Twitter.

*Source: Bank Info Security, December 28, 2018

https://www.bankinfosecurity.com/rise-self-concealing-steganography-a-11902

Amazon’s Guardzilla Found To Have A Critical Vulnerability*:

  • Amazon’s highly acclaimed Security System Guardzilla has recently been in news for all the wrong reasons.
  • The E-Commerce giant’s proprietary product Guardzilla, an indoor smart security camera’s recordings have been discovered to be affected by a hardcoded credential vulnerability.
  • According to reports, these can be accessed by third parties.
  • The security camera uploads the recorded videos onto Amazon’s cloud storage system.
  • Guardzilla is an indoor vigilance camera based IoT device.
  • Hardcoding seems to be the root cause for this vulnerability.
  • Such archaic practices make it convenient for a hacker to break into the systems using a hardcoded password, the vulnerability has been given CVE-2018-5560. and has been rated with an 8.6 CVSS score.
  • According to reports, Researcher Tod Beardsley claims to have attempted to get in touch with the E-Commerce giant about this issue.
  • Unfortunately, Amazon did not address the concerns put forth by Rapid7’s research director.
  • Since Amazon has not taken any measures to fix the issue, the only immediate solution for Guardzilla users is to refrain from storing their videos on Amazon’s cloud storage.
  • IoT concerns have become quite common, despite Government Agencies constantly working towards ensuring cyber security in this zone.
  • By 2020, the IoT regulations in California will begin to restrict the circulation of IoT devices that fail to provide adequate data security and protect the privacy of its users.
  • That leaves manufacturers with no choice except to either improve their product or to withdraw it from the market.

*Source: Latest Hacking News, December 29, 2018

https://latesthackingnews.com/2018/12/29/amazons-guardzilla-found-to-have-a-critical-vulnerability/

Consumer Privacy Made Losers Of Us All This Year*:

  • It was a rough year to be a customer of Marriott, Facebook, Reddit, Google+, Quora, British Airways, Cathay Pacific, Orbitz, Ticketfly, Under Armour, OnePlus or any of the other numerous companies which were revealed this year to have cumulatively lost hundreds of millions of users' personal details.
  • Compounding the data breaches of years past -- Twitch, Yahoo, Twitter, LinkedIn, Equifax, Uber, Target -- it's clear that if you're a human who uses the internet regularly, you're affected.
  • The FBI says it's safe to assume that every American's information has been leaked somewhere.
  • On the dark web, social-security numbers of a specific person reportedly sell for $3, credit-card numbers for as little as $7 and bank accounts for a few thousand dollars depending on the balance.
  • This situation makes losers of us all. Yet like climate-change debates or toxic politics, we seem to have reached saturation point, where each revelation loses its power to shock, and we feel disempowered to meaningfully change the situation at all.
  • Every year, we give up more intimate data and eventually lose it to businesses that mine data for profit.
  • There is no magic bullet, but there may be a few rays of hope: the most comprehensive data privacy legislation yet in the EU's General Data Protection Regulation (or GDPR), a groundswell of movements for greater tech policy and ethics.
  • One repeated but perhaps unfamiliar avenue will hopefully come into focus in 2019: the right to data portability.
  • Never mentioned in pre-GDPR data-privacy laws, portability allows for you to move the data you've given to online companies to another service, ideally without needing to download and re-upload it yourself.
  • It's a simple idea that quickly lowers the barriers to entry for any company that wants to compete with user-rich businesses like Facebook or Twitter.
  • Instead of having to convince users to start from scratch rebuilding their networks, they could simply import every post and contact.
  • The history you've built up with one dominant company won't keep you tethered to them forever.
  • An often-cited comparison is the fact that you can switch your cell-phone number from one carrier to another without penalty.
  • Data portability enshrines the idea that your data belongs to you, to give to companies and take away from them if you please.
  • It means businesses can fear being stripped of the resource they've been extracting (and subsequently losing to hackers) for years.
  • Today, you can download your data in hefty zip files from services like Google.
  • Yet we're a long way from true interoperability, which would transfer user data straight to a competitor seamlessly.
  • An eventual possibility is the universal digital profile that would unite every account we have online under a standardized format.
  • The Data Transfer Project is a nearly step towards a common interface that will let customers move their information between Google, Microsoft, Facebook and Twitter.
  • While it's still in development and limited to only a few large services, it's a hint at where portability could be headed.
  • Yet there are open questions with how this system will be adapted.
  • The right to transmit data from one service directly to another is only granted "where technically feasible" in the GDPR, and it remains to be seen how companies and enforcement agencies might interpret that.
  • A truly interoperable system of data transfer is a hope among advocates, not a right -- as is the hope that companies will apply GDPR standards globally, not just in the EU where they're obligated.
  • Moreover, as companies increasingly allow data to escape their walled gardens, it may increase the risk of breaches or misuse.
  • Developing a fluid, interoperable system is as much about finding secure ways to move data from one service to another as it is about getting APIs to match up.
  • A world of true data portability would not stop foreign spies or committed hackers per se.
  • Neither would it necessarily prevent data barons from handing our information to the next Cambridge Analytica.
  • But it would give consumers a little more leverage and a little more freedom of movement.
  • It would mean that the next time companies misuse their customers' data, users aren't just helplessly frustrated but can walk away and not look back.

*Source: EnGadget, December 19, 2018

https://www.engadget.com/2018/12/19/consumer-privacy-year-in-review-loser/

6 Ways To Anger Attackers on Your Network*:

  • When you see an attacker on your network, it's understandable to want to give them a taste of their own medicine.
  • But how can you effectively anger intruders when "hacking back" is illegal?
  • In fact, the biggest legal risks are violations of the Computer Fraud and Abuse Act (CFAA), says Jason Straight, senior vice president and chief privacy officer at UnitedLex.
  • And while businesses are dabbling in illegal activity, he advises against it.
  • "Make no mistake: It is happening. Companies are hacking back," he explains, and much of their activity is arguably in violation of the CFAA.
  • That said, he isn't aware of any prosecutions under CFAA against organizations engaged in what is often called "active defense activities."
  • Legal trouble aside, getting into a back-and-forth with attackers is dangerous, Straight cautions.
  • "Even if you're really, really good and know what you're doing, the best in the business … will tell you it's very hard to avoid causing collateral damage," he explains.
  • Chances are good your adversaries will see your "hack back" and launch a more dangerous attack in response.
  • The worst thing you can do is go after the wrong party, the wrong network, or the wrong machines, he continues.
  • Most hackers aren't using their own equipment when they attack.
  • "There are times when I have really wanted to strike back, but you can't and you don't," says Gene Fredriksen, chief information security strategy for PCSU.
  • You can shut them off, blacklist their IP addresses, and do things to slow them down if your team uses a SIEM system.
  • There are several steps you can take to anger attackers without actively targeting them in response.
  • The idea is to get the bad guy to think twice, he explains, and let them know you're serious.
  • Here, security experts cite the most effective ways they've found to frustrate, deceive, and annoy attackers without risking legal consequences.

*Source: Dark Reading, December 26, 2018

https://www.darkreading.com/perimeter/6-ways-to-anger-attackers-on-your-network/d/d-id/1333550

Get in Touch With Us!

Are you interested in receiving more information about our products? Do you have questions about sensitive data security? Would you like a demo? Complete the details below and one of our specialists will get in touch with you.

We love to help our customers solve their data security problems. Please tell us about what you are trying to accomplish, details about your environment, and any other information that will help us understand your needs better.

Image CAPTCHA
scroll top