Carbon Chemist

Tag: security

  • Geofence Warrants Ruled Unconstitutional—but That’s Not the End of It

    Geofence Warrants Ruled Unconstitutional—but That’s Not the End of It

    [ad_1]

    The 2024 US presidential election is entering its final stretch, which means state-backed hackers are slipping out of the shadows to meddle in their own special way. That includes Iran’s APT42, a hacker group affiliated with Iran’s Islamic Revolutionary Guard Corps, which Google’s Threat Analysis Group says targeted nearly a dozen people associated with Donald Trump’s and Joe Biden’s (now Kamala Harris’) campaigns.

    The rolling disaster that is the breach of data broker and background-check company National Public Data is just beginning. While the breach of the company happened months ago, the company only acknowledged it publicly on Monday after someone posted what they claimed was “2.9 billion records” of people in the US, UK, and Canada, including names, physical addresses, and Social Security numbers. Ongoing analysis of the data, however, shows the story is far messier—as are the risks.

    You can now add bicycle shifters and gym lockers to the list of things that can be hacked. Security researchers revealed this week that Shimano’s Di2 wireless shifters can be vulnerable to various radio-based attacks, which could allow someone to change a rider’s gears remotely or prevent them from changing gears at a crucial moment in a race. Meanwhile, other researchers found that it’s possible to extract the administrator keys to electronic lockers used in gyms and offices around the world, potentially giving a criminal access to every locker at a single location.

    If you use a Google Pixel phone, don’t let it out of your sight: An unpatched vulnerability in a hidden Android app called Showcase.apk could give an attacker the ability to gain deep access to your device. Exploiting the vulnerability may require physical access to a targeted device, but researchers at iVerify who discovered the flaw say it may also be possible through other vulnerabilities. Google says it plans to release a fix “in the coming weeks,” but that’s not good enough for data analytics firm and US military contractor Palantir, which will stop using all Android devices due to what it believes was an insufficient response from Google.

    But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    A US federal appeals court ruled last week that so-called geofence warrants violate the Fourth Amendment’s protections against unreasonable searches and seizures. Geofence warrants allow police to demand that companies such as Google turn over a list of every device that appeared at a certain location at a certain time. The US Fifth Circuit Court of Appeals ruled on August 9 that geofence warrants are “categorically prohibited by the Fourth Amendment” because “they never include a specific user to be identified, only a temporal and geographic location where any given user may turn up post-search.” In other words, they’re the unconstitutional fishing expedition that privacy and civil liberties advocates have long asserted they are.

    Google, which collects the location histories of tens of millions of US residents and is the most frequent target of geofence warrants, vowed late last year that it was changing how it stores location data in such a way that geofence warrants may no longer return the data they once did. Legally, however, the issue is far from settled: The Fifth Circuit decision applies only to law enforcement activity in Louisiana, Mississippi, and Texas. Plus, because of weak US privacy laws, police can simply purchase the data and skip the pesky warrant process altogether. As for the appellants in the case heard by the Fifth Circuit, well, they’re no better off: The court found that the police used the geofence warrant in “good faith” when it was issued in 2018, so they can still use the evidence they obtained.

    The Committee on Foreign Investment in the US (CFIUS) fined German-owned T-Mobile a record $60 million this week for its mishandling of data during its integration with US-based Sprint following the companies’ merger in 2020. According to CFIUS, “T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data,” in violation of a National Security Agreement the company signed with the committee, which assesses the national security implications of foreign business deals with US companies. T-Mobile said in a statement that technical issues impacted “information shared from a small number of law enforcement information requests.” While the company claims to have acted “quickly” and “in a timely manner,” CFIUS claims T-Mobile “failed to report some incidents of unauthorized access promptly to CFIUS, delaying the Committee’s efforts to investigate and mitigate any potential harm.”

    The 12-year saga that is the prosecution of Kim Dotcom inched forward this week with the New Zealand justice minister approving the US’s request to extradite the controversial entrepreneur. Dotcom created the file-sharing service Megaupload, which US authorities say was used for widespread copyright infringement. The US seized Megaupload in 2012 and indicted Dotcom on charges related to racketeering, copyright infringement, and money laundering. Dotcom has denied any wrongdoing but lost an attempt to block the extradition in 2017 and has been fighting it ever since. Despite the justice minister’s decision, Dotcom vowed in a post on X to remain in the country where he’s been a legal resident since 2010. “I love New Zealand,” he wrote. “I’m not leaving.”

    The growing scourge of deepfake pornography—explicit images that digitally “undress” people without their consent—may have finally hit a major legal roadblock. San Francisco’s chief deputy city attorney, Yvonne Meré—and the City of San Francisco by extension—has filed a lawsuit against the 16 most popular “nudification” websites. These sites and apps allow people to make explicit deepfake images of virtually anyone, but they have increasingly been used by boys to make sexual abuse material of their underage female classmates. While several states have criminalized the creation and distribution of AI-generated sexual abuse material of minors, Meré’s lawsuit effectively seeks to shut down the sites entirely.

    [ad_2]

    Source link

  • The Slow-Burn Nightmare of the National Public Data Breach

    The Slow-Burn Nightmare of the National Public Data Breach

    [ad_1]

    Data breaches are a seemingly endless scourge with no simple answer, but the breach in recent months of background check service National Public Data illustrates just how dangerous and intractable they have become. And after four months of ambiguity, the situation is only now beginning to come into focus with National Public Data finally acknowledging the breach on Monday just as a trove of the stolen data leaked publicly online.

    In April, a hacker known for selling stolen information, known as USDoD, began hawking a trove of data on cybercriminal forums for $3.5 million that they said included 2.9 billion records and impacted “the entire population of USA, CA and UK.” As the weeks went on, samples of the data started cropping up as other actors and legitimate researchers worked to understand its source and validate the information. By early June, it was clear that at least some of the data was legitimate and contained information like names, emails, and physical addresses in various combinations.

    The data isn’t always accurate, but it seems to involve two troves of information. One that includes more than 100 million legitimate email addresses along with other information and a second that includes Social Security numbers but no email addresses.

    “There appears to have been a data security incident that may have involved some of your personal information,” National Public Data wrote on Monday. “The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024. … The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”

    The company says it has been cooperating with “law enforcement and governmental investigators.” NPD is facing potential class action lawsuits over the breach.

    “We have become desensitized to the never-ending leaks of personal data, but I would say there is a serious risk,” says security researcher Jeremiah Fowler, who has been following the situation with National Public Data. “It may not be immediate and it could take years for one of the many criminal actors to successfully figure out how to use this information, but the bottom line is that a storm is coming.”

    When information is stolen from a single source, like Target customer data being stolen from Target, it’s relatively straightforward to establish that source. But when information is stolen from a data broker and the company doesn’t come forward about the incident, it’s much more complicated to determine whether the information is legitimate and where it came from. Typically, people whose data is compromised in a breach—the true victims—aren’t even aware that National Public Data held their information in the first place.

    In a blog post on Wednesday about the contents and provenance of the National Public Data trove, security researcher Troy Hunt wrote, “The only parties that know the truth are the anonymous threat actors passing the data around and the data aggregator. … We’re left with 134M email addresses in public circulation and no clear origin or accountability.”

    [ad_2]

    Source link

  • Nearly All Google Pixel Phones Exposed by Unpatched Flaw in Hidden Android App

    Nearly All Google Pixel Phones Exposed by Unpatched Flaw in Hidden Android App

    [ad_1]

    Google’s flagship Pixel smartphone line touts security as a centerpiece feature, offering guaranteed software updates for seven years and running stock Android that’s meant to be free of third-party add-ons and bloatware. On Thursday, though, researchers from the mobile device security firm iVerify are publishing findings on an Android vulnerability that seems to have been present in every Android release for Pixel since September 2017 and could expose the devices to manipulation and takeover.

    The issue relates to a software package called “Showcase.apk” that runs at the system level and lurks invisible to users. The application was developed by the enterprise software company Smith Micro for Verizon as a mechanism for putting phones into a retail store demo mode—it is not Google software. Yet for years, it has been in each Android release for Pixel and has deep system privileges, including remote code execution and remote software installation. Even riskier, the application is designed to download a configuration file over an unencrypted HTTP web connection that iVerify researchers say could be hijacked by an attacker to take control of the application and then the entire victim device.

    iVerify disclosed its findings to Google at the beginning of May, and the tech giant has not yet released a fix for the issue. Google spokesperson Ed Fernandez tells WIRED in a statement that Showcase “is no longer being used” by Verizon, and Android will remove Showcase from all supported Pixel devices with a software update “in the coming weeks.” He added that Google has not seen evidence of active exploitation and that the app is not present in the new Pixel 9 series devices that Google announced this week. Verizon and Smith Micro did not respond to WIRED’s requests for comment ahead of publication.

    “I’ve seen a lot of Android vulnerabilities, and this one is unique in a few ways and quite troubling,” says Rocky Cole, chief operating officer of iVerify and a former US National Security Agency analyst. “When Showcase.apk runs, it has the ability to take over the phone. But the code is, frankly, shoddy. It raises questions about why third-party software that runs with such high privileges so deep in the operating system was not tested more deeply. It seems to me that Google has been pushing bloatware to Pixel devices around the world.”

    iVerify researchers discovered the application after the company’s threat-detection scanner flagged an unusual Google Play Store app validation on a user’s device. The customer, big data analytics company Palantir, worked with iVerify to investigate Showcase.apk and disclose the findings to Google. Palantir chief information security officer Dane Stuckey says that the discovery and what he describes as Google’s slow, opaque response has prompted Palantir to phase out not just Pixel phones, but all Android devices across the company.

    “Google embedding third-party software in Android’s firmware and not disclosing this to vendors or users creates significant security vulnerability to anyone who relies on this ecosystem,” Stuckey tells WIRED. He added that his interactions with Google throughout the standard 90-day disclosure window “severely eroded our trust in the ecosystem. To protect our customers, we have had to make the difficult decision to move away from Android in our enterprise.”

    [ad_2]

    Source link

  • Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All

    Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All

    [ad_1]

    If you know where to look, plenty of secrets can be found online. Since the fall of 2021, independent security researcher Bill Demirkapi has been building ways to tap into huge data sources, which are often overlooked by researchers, to find masses of security problems. This includes automatically finding developer secrets—such as passwords, API keys, and authentication tokens—that could give cybercriminals access to company systems and the ability to steal data.

    Today, at the Defcon security conference in Las Vegas, Demirkapi is unveiling the results of this work, detailing a massive trove of leaked secrets and wider website vulnerabilities. Among at least 15,000 developer secrets hard-coded into software, he found hundreds of username and password details linked to Nebraska’s Supreme Court and its IT systems; the details needed to access Stanford University’s Slack channels; and more than a thousand API keys belonging to OpenAI customers.

    A major smartphone manufacturer, customers of a fintech company, and a multibillion-dollar cybersecurity company are counted among the thousands of organizations that inadvertently exposed secrets. As part of his efforts to stem the tide, Demirkapi hacked together a way to automatically get the details revoked, making them useless to any hackers.

    In a second strand to the research, Demirkapi also scanned data sources to find 66,000 websites with dangling subdomain issues, making them vulnerable to various attacks including hijacking. Some of the world’s biggest websites, including a development domain owned by The New York Times, had the weaknesses.

    While the two security issues he looked into are well-known among researchers, Demirkapi says that turning to unconventional datasets, which are usually reserved for other purposes, allowed thousands of issues to be identified en masse and, if expanded, offers the potential to help protect the web at large. “The goal has been to find ways to discover trivial vulnerability classes at scale,” Demirkapi tells WIRED. “I think that there’s a gap for creative solutions.”

    Spilled Secrets; Vulnerable Websites

    It is relatively trivial for a developer to accidentally include their company’s secrets in software or code. Alon Schindel, the vice president of AI and threat research at the cloud security company Wiz, says there’s a huge variety of secrets that developers can inadvertently hard-code, or expose, throughout the software development pipeline. These can include passwords, encryption keys, API access tokens, cloud provider secrets, and TLS certificates.

    “The most acute risk of leaving secrets hard-coded is that if digital authentication credentials and secrets are exposed, they can grant adversaries unauthorized access to a company’s code bases, databases, and other sensitive digital infrastructure,” Schindel says.

    The risks are high: Exposed secrets can result in data breaches, hackers breaking into networks, and supply chain attacks, Schindel adds. Previous research in 2019 found thousands of secrets were being leaked on GitHub every day. And while various secret scanning tools exist, these largely are focused on specific targets and not the wider web, Demirkapi says.

    During his research, Demirkapi, who first found prominence for his teenage school-hacking exploits five years ago, hunted for these secret keys at scale—as opposed to selecting a company and looking specifically for its secrets. To do this, he turned to VirusTotal, the Google-owned website, which allows developers to upload files—such as apps—and have them scanned for potential malware.

    [ad_2]

    Source link

  • Flaws in Ubiquitous ATM Software Could Have Let Attackers Take Over Cash Machines

    Flaws in Ubiquitous ATM Software Could Have Let Attackers Take Over Cash Machines

    [ad_1]

    There is a grand tradition at the annual Defcon security conference in Las Vegas of hacking ATMs. Unlocking them with safecracking techniques, rigging them to steal users’ personal data and PIN numbers, crafting and refining ATM malware and, of course, hacking them to spit out all their cash. Many of these projects targeted what are known as retail ATMs, freestanding devices like those you’d find at a gas station or a bar. But on Friday, independent researcher Matt Burch is presenting findings related to the “financial” or “enterprise” ATMs used in banks and other large institutions.

    Burch is demonstrating six vulnerabilities in ATM-maker Diebold Nixdorf’s widely deployed security solution, known as Vynamic Security Suite (VSS). The vulnerabilities, which the company says have all been patched, could be exploited by attackers to bypass an unpatched ATM’s hard drive encryption and take full control of the machine. And while there are fixes available for the bugs, Burch warns that, in practice, the patches may not be widely deployed, potentially leaving some ATMs and cash-out systems exposed.

    “Vynamic Security Suite does a number of things—it has endpoint protection, USB filtering, delegated access, and much more,” Burch tells WIRED. “But the specific attack surface that I’m taking advantage of is the hard drive encryption module. And there are six vulnerabilities because I would identify a path and files to exploit, and then I would report it to Diebold, they would patch that issue, and then I would find another way to achieve the same outcome. They’re relatively simplistic attacks.”

    The vulnerabilities Burch found are all in VSS’s functionality to turn on disk encryption for ATM hard drives. Burch says that most ATM manufacturers rely on Microsoft’s BitLlocker Windows encryption for this purpose, but Diebold Nixdorf’s VSS uses a third-party integration to run an integrity check. The system is set up in a dual-boot configuration that has both Linux and Windows partitions. Before the operating system boots, the Linux partition runs a signature integrity check to validate that the ATM hasn’t been compromised, and then boots it into Windows for normal operation.

    “The problem is, in order to do all of that, they decrypt the system, which opens up the opportunity,” Burch says. “The core deficiency that I’m exploiting is that the Linux partition was not encrypted.”

    Burch found that he could manipulate the location of critical system validation files to redirect code execution; or, in other words, grant himself control of the ATM.

    Diebold Nixdorf spokesperson Michael Jacobsen tells WIRED that Burch first disclosed the findings to them in 2022 and that the company has been in touch with Burch about his Defcon talk. The company says that the vulnerabilities Burch is presenting were all addressed with patches in 2022. Burch notes, though, that as he went back to the company with new versions of the vulnerabilities over the past couple of years, his understanding is that the company continued to address some of the findings with patches in 2023. And Burch adds that he believes Diebold Nixdorf addressed the vulnerabilities on a more fundamental level in April with VSS version 4.4 that encrypts the Linux partition.

    [ad_2]

    Source link

  • ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections

    ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections

    [ad_1]

    In a background statement to WIRED, AMD emphasized the difficulty of exploiting Sinkclose: To take advantage of the vulnerability, a hacker has to already possess access to a computer’s kernel, the core of its operating system. AMD compares the Sinkhole technique to a method for accessing a bank’s safe-deposit boxes after already bypassing its alarms, the guards, and vault door.

    Nissim and Okupski respond that while exploiting Sinkclose requires kernel-level access to a machine, such vulnerabilities are exposed in Windows and Linux practically every month. They argue that sophisticated state-sponsored hackers of the kind who might take advantage of Sinkclose likely already possess techniques for exploiting those vulnerabilities, known or unknown. “People have kernel exploits right now for all these systems,” says Nissim. “They exist and they’re available for attackers. This is the next step.”

    Image may contain Computer Electronics Laptop Pc Desk Furniture Table Adult Person Computer Hardware and Hardware

    IOActive researchers Krzysztof Okupski (left) and Enrique Nissim.Photograph: Roger Kisby

    Nissim and Okupski’s Sinkclose technique works by exploiting an obscure feature of AMD chips known as TClose. (The Sinkclose name, in fact, comes from combining that TClose term with Sinkhole, the name of an earlier System Management Mode exploit found in Intel chips in 2015.) In AMD-based machines, a safeguard known as TSeg prevents the computer’s operating systems from writing to a protected part of memory meant to be reserved for System Management Mode known as System Management Random Access Memory or SMRAM. AMD’s TClose feature, however, is designed to allow computers to remain compatible with older devices that use the same memory addresses as SMRAM, remapping other memory to those SMRAM addresses when it’s enabled. Nissim and Okupski found that, with only the operating system’s level of privileges, they could use that TClose remapping feature to trick the SMM code into fetching data they’ve tampered with, in a way that allows them to redirect the processor and cause it to execute their own code at the same highly privileged SMM level.

    “I think it’s the most complex bug I’ve ever exploited,” says Okupski.

    Nissim and Okupski, both of whom specialize in the security of low-level code like processor firmware, say they first decided to investigate AMD’s architecture two years ago, simply because they felt it hadn’t gotten enough scrutiny compared to Intel, even as its market share rose. They found the critical TClose edge case that enabled Sinkclose, they say, just by reading and rereading AMD’s documentation. “I think I read the page where the vulnerability was about a thousand times,” says Nissim. “And then on one thousand and one, I noticed it.” They alerted AMD to the flaw in October of last year, they say, but have waited nearly 10 months to give AMD more time to prepare a fix.

    For users seeking to protect themselves, Nissim and Okupski say that for Windows machines—likely the vast majority of affected systems—they expect patches for Sinkclose to be integrated into updates shared by computer makers with Microsoft, who will roll them into future operating system updates. Patches for servers, embedded systems, and Linux machines may be more piecemeal and manual; for Linux machines, it will depend in part on the distribution of Linux a computer has installed.

    Nissim and Okupski say they agreed with AMD not to publish any proof-of-concept code for their Sinkclose exploit for several months to come, in order to provide more time for the problem to be fixed. But they argue that, despite any attempt by AMD or others to downplay Sinkclose as too difficult to exploit, it shouldn’t prevent users from patching as soon as possible. Sophisticated hackers may already have discovered their technique—or may figure out how to after Nissim and Okupski present their findings at Defcon.

    Even if Sinkclose requires relatively deep access, the IOActive researchers warn, the far deeper level of control it offers means that potential targets shouldn’t wait to implement any fix available. “If the foundation is broken,” says Nissim, “then the security for the whole system is broken.”

    [ad_2]

    Source link

  • How Hackers Extracted the ‘Keys to the Kingdom’ to Clone HID Keycards

    How Hackers Extracted the ‘Keys to the Kingdom’ to Clone HID Keycards

    [ad_1]

    Finally, HID says that “to its knowledge,” none of its encoder keys have leaked or been distributed publicly, and “none of these issues have been exploited at customer locations and the security of our customers has not been compromised.”

    Javadi counters that there’s no real way to know who might have secretly extracted HID’s keys, now that their method is known to be possible. “There are a lot of smart people in the world,” Javadi says. “It’s unrealistic to think we’re the only people out there who could do this.”

    Despite HID’s public advisory more than seven months ago and the software updates it released to fix the key-extraction problem, Javadi says most of the clients whose systems he’s tested in his work don’t appear to have implemented those fixes. In fact, the effects of the key extraction technique may persist until HID’s encoders, readers, and hundreds of millions of keycards are reprogrammed or replaced worldwide.

    Time to Change the Locks

    To develop their technique for extracting the HID encoders’ keys, the researchers began by deconstructing its hardware: They used an ultrasonic knife to cut away a layer of epoxy on the back of an HID reader, then heated the reader to desolder and pull off its protected SAM chip. Then they put that chip into their own socket to watch its communications with a reader. The SAM in HID’s readers and encoders are similar enough that this let them reverse engineer the SAM’s commands.

    Ultimately, that hardware hacking allowed them to develop a much cleaner, wireless attack: They wrote their own program to tell an encoder to send its SAM’s secrets to a configuration card without encrypting that sensitive data—while an RFID “sniffer” device sat between the encoder and the card, reading HID’s keys in transit.

    HID systems and other forms of RFID keycard authentication have, in fact, been cracked repeatedly, in various ways, in recent decades. But vulnerabilities like the ones set to be presented at Defcon may be particularly tough to fully protect against. “We crack it, they fix it. We crack it, they fix it,” says Michael Glasser, a security researcher and the founder of Glasser Security Group, who has discovered vulnerabilities in access control systems since as early as 2003. “But if your fix requires you to replace or reprogram every reader and every card, that’s very different from a normal software patch.”

    On the other hand, Glasser notes that preventing keycard cloning represents just one layer of security among many for any high-security facility—and practically speaking, most low-security facilities offer far easier ways to get in, such as asking an employee to hold a door open for you while you have your hands full. “Nobody says no to the guy holding two boxes of donuts and a box of coffee,” Glasser says.

    Javadi says the goal of their Defcon talk wasn’t to suggest that HID’s systems are particular vulnerable—in fact, they say they focused their years of research on HID specifically because of the challenge of cracking its relatively secure products—but rather to emphasize that no one should depend on any single technology for their physical security.

    Now that they have made clear that HID’s keys to the kingdom can be extracted, however, the company and its customers may nonetheless face a long and complicated process of securing those keys again. “Now customers and HID have to claw back control—and change the locks, so to speak,” Javadi says. “Changing the locks is possible. But it’s going to be a lot of work.”

    [ad_2]

    Source link

  • Tricky Web Timing Attacks Are Getting Easier to Use—and Abuse

    Tricky Web Timing Attacks Are Getting Easier to Use—and Abuse

    [ad_1]

    Researchers have long known that they can glean hidden information about the inner workings of a website by measuring the amount of time different requests take to be fulfilled and extrapolating information—and potential weaknesses—from slight variations. Such “web timing attacks” have been described for years, but they would often be too involved for real-world attackers to utilize in practice even if they work in theory. At the Black Hat security conference in Las Vegas this week, though, one researcher warned that web timing attacks are actually feasible and ripe for exploitation.

    James Kettle, director of research at the web application security company PortSwigger, developed a set of web timing attack techniques that can be used to expose three different categories of vulnerabilities in websites. He validated the methods using a test environment he made that compiled 30,000 real websites, all of which offer bug bounty programs. He says the goal of the work is to show that once someone has a conceptual grasp on the types of information web timing attacks can deliver, taking advantage of them becomes more feasible.

    “I’ve always kind of avoided researching timing attacks because it’s a topic with a reputation,” Kettle says. “Everyone does research into it and says their research is practical, but no one ever seems to actually use timing attacks in real life, so how practical is it? What I’m hoping this work will do is show people that this stuff does actually work these days and get them thinking about it.”

    Kettle was inspired in part by the 2020 research paper titled “Timeless Timing Attacks,” which worked toward a solution for a common issue. Known as “network jitter,” the paper’s moniker refers to time delays between when a signal is sent and received on a network. These fluctuations impact timing measurements, but they are independent of the web server processing measured for timing attacks, so they can distort readings. The 2020 research, though, pointed out that when sending requests over the ubiquitous HTTP/2 network protocol, it is possible to put two requests into a single TCP communication packet so you know that both requests arrived at the server at the same time. Then, because of how HTTP/2 is designed, the responses will come back ordered so that the one that took less time to process is first and the one that took longer is second. This gives reliable, objective information about timing on the system without requiring any extra knowledge of the target web server—hence, “timeless timing attacks.”

    Web timing attacks are part of a class of hack known as “side channels” in which the attacker gathers information about a target based on its real world, physical properties. In his new work, Kettle refined the “timeless timing attacks” technique for reducing network noise and also took steps to address similar types of issues with server-related noise so his measurements would be more accurate and reliable. He then started using timing attacks to look for otherwise invisible coding errors and flaws in websites that are usually difficult for developers or bad actors to find, but that are highlighted in the information that leaks with timing measurements.

    In addition to using timing attacks to find hidden footholds to attack, Kettle also developed effective techniques for detecting two other common types of exploitable web bugs. One, known as a server-side injection vulnerability, allows an attacker to introduce malicious code to send commands and access data that shouldn’t be available. And the other, called misconfigured reverse proxies, allows unintended access to a system.

    In his presentation at Black Hat on Wednesday, Kettle demonstrated how he could use a web timing attack to uncover a misconfiguration and ultimately bypass a target web application firewall.

    “Because you found this inverse proxy misconfiguration you just go around the firewall,” he told WIRED ahead of his talk. “It’s absolutely trivial to execute once you’ve found these remote proxies, and timing attacks are good for finding these issues.”

    Alongside his talk, Kettle released functionality for the open source vulnerability scanning tool known as Param Miner. The tool is an extension for the popular web application security assessment platform Burp Suite, which is developed by Kettle’s employer PortSwigger. Kettle hopes to raise awareness about the utility of web timing attacks, but he also wants to make sure the techniques are being utilized for defense even when people don’t grasp the underlying concepts.

    “I integrated all these new features into Param Miner so people out there who don’t know anything about this can run this tool and find some of these vulnerabilities,” Kettle says. “It’s showing people things that they would have otherwise missed.”

    [ad_2]

    Source link

  • Microsoft’s AI Can Be Turned Into an Automated Phishing Machine

    Microsoft’s AI Can Be Turned Into an Automated Phishing Machine

    [ad_1]

    Among the other attacks created by Bargury is a demonstration of how a hacker—who, again, must already have hijacked an email account—can gain access to sensitive information, such as people’s salaries, without triggering Microsoft’s protections for sensitive files. When asking for the data, Bargury’s prompt demands the system does not provide references to the files data is taken from. “A bit of bullying does help,” Bargury says.

    In other instances, he shows how an attacker—who doesn’t have access to email accounts but poisons the AI’s database by sending it a malicious email—can manipulate answers about banking information to provide their own bank details. “Every time you give AI access to data, that is a way for an attacker to get in,” Bargury says.

    Another demo shows how an external hacker could get some limited information about whether an upcoming company earnings call will be good or bad, while the final instance, Bargury says, turns Copilot into a “malicious insider” by providing users with links to phishing websites.

    Phillip Misner, head of AI incident detection and response at Microsoft, says the company appreciates Bargury identifying the vulnerability and says it has been working with him to assess the findings. “The risks of post-compromise abuse of AI are similar to other post-compromise techniques,” Misner says. “Security prevention and monitoring across environments and identities help mitigate or stop such behaviors.”

    As generative AI systems, such as OpenAI’s ChatGPT, Microsoft’s Copilot, and Google’s Gemini, have developed in the past two years, they’ve moved onto a trajectory where they may eventually be completing tasks for people, like booking meetings or online shopping. However, security researchers have consistently highlighted that allowing external data into AI systems, such as through emails or accessing content from websites, creates security risks through indirect prompt injection and poisoning attacks.

    “I think it’s not that well understood how much more effective an attacker can actually become now,” says Johann Rehberger, a security researcher and red team director, who has extensively demonstrated security weaknesses in AI systems. “What we have to be worried [about] now is actually what is the LLM producing and sending out to the user.”

    Bargury says Microsoft has put a lot of effort into protecting its Copilot system from prompt injection attacks, but he says he found ways to exploit it by unraveling how the system is built. This included extracting the internal system prompt, he says, and working out how it can access enterprise resources and the techniques it uses to do so. “You talk to Copilot and it’s a limited conversation, because Microsoft has put a lot of controls,” he says. “But once you use a few magic words, it opens up and you can do whatever you want.”

    Rehberger broadly warns that some data issues are linked to the long-standing problem of companies allowing too many employees access to files and not properly setting access permissions across their organizations. “Now imagine you put Copilot on top of that problem,” Rehberger says. He says he has used AI systems to search for common passwords, such as Password123, and it has returned results from within companies.

    Both Rehberger and Bargury say there needs to be more focus on monitoring what an AI produces and sends out to a user. “The risk is about how AI interacts with your environment, how it interacts with your data, how it performs operations on your behalf,” Bargury says. “You need to figure out what the AI agent does on a user’s behalf. And does that make sense with what the user actually asked for.”

    [ad_2]

    Source link

  • USPS Text Scammers Duped His Wife, So He Hacked Their Operation

    USPS Text Scammers Duped His Wife, So He Hacked Their Operation

    [ad_1]

    Smith trawled Reddit and other online sources to find people reporting the scam and find URLs being used, which he subsequently published. Some of the websites running the Smishing Triad’s tools were collecting thousands of people’s personal information per day, Smith says. Among other details, the websites would request people’s names, addresses, payment card numbers and security codes, phone numbers, dates of birth, and bank websites. This level of information can allow a scammer to make purchases online with the credit cards. Smith says his wife quickly canceled her card, but noticed that the scammers still tried to use it, for instance with Uber. The researcher says he would collect data from a website and return to it a few hours later, only to find hundreds of new records.

    The researcher provided the details to a bank that had contacted him after seeing his initial blog posts. Smith declined to name the bank. He also reported the incidents to the FBI and later provided information to the United States Postal Inspection Service (USPIS).

    Michael Martel, a national public information officer at the USPIS, says the information provided by Smith is being used as part of an ongoing USPIS investigation and that the agency cannot comment on specific details. “USPIS is already actively pursuing this type of information to protect the American people, identify victims, and serve justice to the malicious actors behind it all,” Martel says, pointing to advice on spotting and reporting USPS package delivery scams.

    Initially, Smith says, he was wary about going public with his research as this kind of “hacking back” falls into a “gray area”: It may be breaking the Computer Fraud and Abuse Act, a sweeping US computer-crimes law, but he’s doing it against foreign-based criminals. Something he is definitely not the first, or last, to do.

    Multiple Prongs

    The Smishing Triad is prolific. As well as using postal services as lures their scams, the Chinese-speaking group has targeted online banking, e-commerce, and payment systems in the US, Europe, India, Pakistan, and the United Arab Emirates, according to Shawn Loveland, the chief operating officer of Resecurity, which has consistently tracked the group.

    The Smishing Triad sends between 50,000 and 100,000 messages daily, according to Resecurity’s research. Its scam messages are sent using SMS or Apple’s iMessage, the latter is encrypted. Loveland says the Triad is made up of two distinct groups—a small team led by one Chinese hacker that creates, sells, and maintains the smishing kit, and a second group of people who buy the scamming tool. (A backdoor in the kit allows the creator to access details of administrators using the kit, Smith says in a blog post.)

    “It’s very mature,” Loveland says of the operation. The group sells the scamming kit on Telegram for a $200-per month subscription, and this can be customized to show the organization the scammers are trying to impersonate. “The main actor is Chinese communicating in the Chinese language,” Loveland says. “They do not appear to be hacking Chinese language websites or users.” (In communications with the main contact on Telegram, the individual claimed to Smith that they were a computer science student.)

    The relatively low monthly subscription cost for the smishing kit means it’s highly likely, with the number of credit card details scammers are collecting, that those using it are making significant profits. Loveland says that using text messages, which immediately send people a notification, is a more direct and more successful way of phishing, compared to sending emails with malicious links included.

    As a result, smishing has been on the rise in recent years. But there are some tell-tale signs: If you receive a message from a number or email that you don’t recognize; if it contains a link to click on; and wants you to do something urgently, you should be suspicious.

    [ad_2]

    Source link