Week 07: NetCat and HellCat

Programmers step up

Post-election, things have finally started to change. Nabanita De attended a hackathon at Princeton University and, with three fellow programmers, developed an algorithm that authenticates what is real and what is fake on Facebook. They call this tool FiB.

This algorithm soon turned into a Google Chrome Extension that scans through your Facebook feed, in real time, and this is what I found on their website.

Our algorithm is twofold, as follows:

Content-consumption: Our chrome-extension goes through your Facebook feed in real time as you browse it and verifies the authenticity of posts. These posts can be status updates, images or links. Our back-end AI checks the facts within these posts and verifies them using image recognition, keyword extraction, and source verification and a twitter search to verify if a screenshot of a twitter update posted is authentic. The posts then are visually tagged on the top right corner in accordance with their trust score. If a post is found to be false, the AI tries to find the truth and shows it to you.

Content-creation: Each time a user posts/shares content, our chat bot uses a webhook to get a call. This chat bot then uses the same backend AI as content consumption to determine if the new post by the user contains any unverified information. If so, the user is notified and can choose to either take it down or let it exist.

https://devpost.com/software/fib

Fake news is everywhere. Should the tech world help stop the spread?

We’ve discussed the need to cover up a webcam with tape for fear of those being compromised during VoIP sessions. This new vulnerability only needs to be able to hear a conversation to figure out what you are typing. The researchers were given the information on what keyboard and some information on typing style of the end user. From there, they were able to get 91.7% accuracy in figuring out what was being typed on the keyboard. This can happen during a regular Skype call without the need to plant any malware to compromise your target’s computer. Skype and other voice messengers are often left on for long periods of time since unlike phones VoIP doesn’t charge by the minute so there is no need to hang up. Multi-taskers may enter passwords or fill out forms while staying on Skype.

There are a few ways around this, such as using push to talk, a method which only sends audio when you hold a certain key down, preventing unnecessary sounds. Touch screen keys do not make the familiar keyboard sounds so those are safe from this method as well. I think using an external microphone as well, one not situated near the keyboard will lower the chances of this attack in general. Without a profile on the end user, the accuracy only drops to 42%, but I wouldn’t rely on this as it may eventually be possible to compare sounds against multiple profiles and pick the most accurate.

 

 

https://www.onthewire.io/recording-keystroke-sounds-over-skype-to-steal-user-data/

 

Steve Ranger, a member of ZDNet’s global editorial board, writes “Serious security: Three changes that could turn the tide on hackers” in an effort to echo the urgency of initial steps that must be taken to combat the rapidly increase of hacking. One of the shocking things that I learn reading this article is that $75 billion was spent on tech security last year; however, that didn’t prevent many people and organizations to overlook cyber security. For example, Steve state that,” It’s become so bad that it’s already generated a mirthless cliché — that there are only two types of companies: the ones that have been hacked and the ones that don’t yet know they’ve been hacked.”

Especially nowadays, cyber security should not be considered as an afterthought by anyone and Steve offers three suggestions as starting points:

• The general public or consumers should start taking I.T. security more seriously in order for companies to do the same.
• Organizations should design security as a fundamental part of the services for clients rather than a nice-to-have addition.
• It is definitely time for strong encryption to be the standard as opposed to an exception.

 You may read the full article via the link below.

http://www.zdnet.com/article/serious-security-three-changes-that-could-turn-the-tide-on-hackers/

Recently, many organizations that struggled to deliver strong protection under the pressure of the app economy, decided to compromise on security to get apps released faster. This would be a great risk to both companies and their customers or app users. Since the app economy is bringing new cyber security challenges, companies should increase the complexity of their security practice to better protect customer’s information against attacks, instead of cutting corners. Customers also expect rapid and secure experiences. If they think that app is not secure, they would switch to an alternative app immediately. One way the article mentioned to respond to the new challenges of app economy is identity-centric security. The identity-centric approach uses behavioral analytics and predictive strategies to verify identities and mange identity-related activities without sacrificing the customer experience. In addition, the security team must work together with app development team in every phase of the development process to ensure security is integrated into the app.

Security is usually the greatest concern on e-commerce and e-banking. Even though the company is under intense pressure due to fierce competition in the market and the rising demand of customers. It is obviously not a wise decision to compromise on security for faster release. This compromise will cause serious risks to the company. The app will be vulnerable to hacking or malicious attacks, and hackers may steal customers’ information or credentials for financial purpose or illegal use. Therefore, the company may involve into litigations. Their reputation may be damaged and customers will switch to other apps since there are so many similar apps available in the market. The risk of loss outweighs the benefit of faster release.

 

Link: http://www.darkreading.com/application-security/businesses-sacrifice-security-to-get-apps-released-faster/d/d-id/1327151

Socat, a more feature-rich version of netcat has a serious security flaw. The program uses the Diffie-Hellman method to establish a key, but it uses a non-prime parameter when it should use a prime. This flaw coupled with the relatively short nature of socat cryptography keys makes the encryption suspiciously easy to crack. There are theories that the non-prime was deliberately built in as a backdoor. The primary suspect is a guy named Zhigang Wang. The article also mentions a backdoor in NetScreen Firewalls that allowed the coders who made the program to be able to access data encrypted by VPN.

Both of these stories drive home the ‘nothing is ever really secure’ argument. Also, the idea of back doors is something to consider. If the programmers who make your privacy applications have nefarious intentions, your data is not safe. However, the flaw being identified so quickly drives home a point that we were learning about in 5209 which was that open source is better than proprietary programs when it comes to encryption because weaknesses are often found more quickly due to the variety of eyes scrutinizing the code.

Read the article here

This article talks about how users of Spotify’s free service have noticed that many advertisements automatically open their web browser, without them clicking on the advertisement. These websites contain virus and malware, and can contaminate the device without the user taking any action in it. Not only are the users directed to malicious sites, but malware can automatically be downloaded from these sites in attacks known as “drive-by-attacks”. These “malvertising” campaigns are the results of scripts being hidden in advertisements, which does everything automatically. What worries me, a lot of times advertisements are not thoroughly screened before being accepted. It wouldn’t surprise me if we start seeing more of these types of attacks.

Link: http://www.securityweek.com/spotify-falls-victim-malvertising-attack

Many organizations no longer view cybersecurity as a barrier to change, nor as an IT cost. PwC conducted an information security survey 2017 that found there is a distinct shift in how organizations view cybersecurity. According to the survey, 59% of respondents said they have increased cybersecurity spending as a result of digitization of their business ecosystem. In this process, organizations not only create products, but also deliver complementary software-based services for products that extend opportunities for customer engagement and growth.

The survey also found that the majority of organizations run IT services in the cloud. Could models gain more trust and usage at present. Organizations are also embracing both managed security services and open-source software to enhance cybersecurity capabilities. More than half (53%) of respondent employ open-source software and 62% of respondents say they use managed security services for cybersecurity and privacy.

Link: http://www.infosecurity-magazine.com/news/pwc-security-is-no-longer-an-it/

National researchers in Australia developed a hack proof computer code called microkernel. It is the barest bone of an operating system. By keeping an operating system as simple as possible, the harder it is to crack because you eliminate vulnerabilities in the system. We are now in the Internet of Things age where most of the devices we have connects to the internet, making them susceptible to hacking. Recently in the news we seen how hackers were able to take control of cars, could you imagine how dangerous that could be if someone was driving on a highway at 65mph and someone hacked into their car and took control of the vehicles acceleration and braking. Better yet an Airplane with hundreds of people on board. The more we introduce technology into our everyday lives we increase the risk of vulnerabilities that someone can exploit. If these researchers could develop a hack proof code they will change the world of technology as we know it.

http://www.aol.com/article/news/2016/10/05/this-hack-proof-code-could-change-the-cybersecurity-game/21575179/