Week 06: Sniffers

Sniffing wireless traffic is shockingly simple if you use anything less than WPA2 to secure your network. It basically involves a client associated with your access point in promiscuous mode. This allows programs like Wireshark to see all packets broadcast on the network – he/she must of course have your wifi decryption keys but WEP is practically insecure to someone with very basic tools. To make such an attack more efficient, the attacker would usually issue an APR (ARP Poison Routing) attack on the network. This involves the attacker announcing that he/she is your router and any data you have bound for the gateway then goes via the attacker. This makes the attacker much more likely to see your data. Once the attacker has created this foundation it is a matter of waiting and watching. A script on the attacker’s machine can check the packets coming through until you do something over HTTP, the unencrypted transfer protocol which will enable sniffing of your cookies and passwords.

Now, the article is actually old but some of them are still true. it not only talks about packet sniffing but also other techniques.

https://www.securityweek.com/how-logging-starbucks-can-compromise-your-corporate-security

A four-year-old severe vulnerability has been discovered in the Secure Shell (SSH) implementation library known as Libssh that could allow anyone to completely bypass authentication and gain unfettered administrative control over a vulnerable server without requiring a password.
The security vulnerability, tracked as CVE-2018-10933, is an authentication-bypass issue that was introduced in Libssh version 0.6 released earlier 2014, leaving thousands of enterprise servers open to hackers for the last four years.

According to a security advisory published Tuesday, all an attacker needs to do is sending an “SSH2_MSG_USERAUTH_SUCCESS” message to a server with an SSH connection enabled when it expects an “SSH2_MSG_USERAUTH_REQUEST” message.

https://thehackernews.com/2018/10/libssh-ssh-protocol-library.html

https://motherboard.vice.com/en_us/article/qv9npv/bloomberg-china-supermicro-apple-hack

 

No one is really sure who to believe after Businessweek’s bombshell story on an alleged Chinese supply chain attack against Apple, Amazon, and others.

A new approach to phishing has become popular wherein the attackers sent spam along with PDF attachments. These PDF documents were disguised as documents of a law firm based out of Denver. The email had a download button with a link and when the users clicked on the button, they are were directed to an HTML page which looked similar to the Office 365 form stored in the Microsoft Azure Blob storage solution. The address is a valid Blob address and the site is also marked as secure. The SSL Certificate carried a signature issue by Microsoft IT TLS CA 5.

https://threatpost.com/innovative-phishing-tactic-makes-inroads-using-azure-blob/138183/

Wombat Security published its second annual User Risk Report that revealed personal cybersecurity habits of working adults around the world.

There are a few key findings from the report:

• 44% of global respondents do not password-protect their home WiFi networks, and 66% have not changed the default password on their WiFi routers.
• 55% of workers who use employer-issued devices at home allow family members to use them for things like shopping online and playing games.
• 67% believe using antivirus software and keeping it up to date will stop cyber attacks from affecting their computer.
• Among working adults who do not use a password manager, more than 60% admitted to reusing passwords across multiple online accounts.

https://www.wombatsecurity.com/blog/user-risk-report-reveals-poor-cybersecurity-habits-of-global-workers

 

Interesting article that Google Project Zero security researcher Natalie Silvanovich found a critical vulnerability in WhatsApp messenger that could have allowed hackers to remotely take full control of your WhatsApp just by video calling you over the messaging app.
The vulnerability is a memory heap overflow issue which is triggered when a user receives a specially crafted malformed RTP packet via a video call request, which results in the corruption error and crashing the WhatsApp mobile app.
Since the vulnerability affect RTP (Real-time Transport Protocol) implementation of Whatsapp, the flaw affects Android and iOS apps, but not WhatsApp Web that relies on WebRTC for video calls.

 

https://thehackernews.com/2018/10/hack-whatsapp-account-chats.html

https://medium.com/@kahunalu/under-the-hood-airbnb-9aceb8954f8a

Apps such as AirBnB collect a plethora of data, some of which is completely useless to the company itself. For example, the app detects the direction that the device is facing, gathered from the magnetic sensor. This information is then sent server-side. Other information is collected by third party providers through their app integration. Services such as the facebook login option gather this data, whether you use the Facebook login or not.

One way to protect yourself is to block these server’s DNS queries. You can do that by installing a DNS sinkhole in your network. These can be small devices such as a pi-hole (https://pi-hole.net/) or a virtualized option. You then just point your DNS server to the new device.

New iPhone Passcode Bypass Hack Exposes Photos and Contacts

– Wang Wei

Jose Rodriguez, an iPhone enthusiast, has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that potentially allows an attacker to access photos and contacts, including phone numbers and emails, on a locked iPhone XS and other recent iPhone models.

The attacker can begin the complicated 37-step iPhone passcode bypass process by tricking Siri and iOS accessibility feature called VoiceOver to sidestep the iPhone’s passcode and access users the contacts stored in the iPhone, including phone numbers and email addresses, and to access Camera Roll and other photo folders, by selecting a contact to edit and change its image.

Until Apple comes up with a fix, you can temporarily fix the issue by just disabling Siri from the lock screen.

Please refer to the video attached in the article for the iPhone passcode bypass hack.

Reference: https://thehackernews.com/2018/10/iphone-passcode-bypass-hack.html

Article:  https://krebsonsecurity.com/2018/01/some-basic-rules-for-securing-your-iot-stuff/

Every software design should strictly adhere to cyber principles. On top of that, I strongly believe any software that is being developed should be “secured from design”. Securing the software right from the design phase off the application , should be the primary design checklist.

Below are few what I can think off additionally from what is posted in the above article.
1. SECURE FROM DESIGN – think about security right from the application design phase.
2. LOAD TESTING – DNS servers should have been tested with a high load in their lower environments (performance), to ensure they can manage heavy traffic.
3. DNS servers on CLOUD – cloud has capabilities of autoscaling when the traffic exceeds the threshold additional servers automatically spin up.
4. FAULT TOLERANCE- DNS servers should also think about fault tolerance. Automatically diverting faulty traffic or vice versa

I have always found this new era of cyber warfare very fascinating because it is harder than ever to tie attackers to the governments that employ them. Often, attackers are operating out of private corporations or even independently. When fingers get pointed at governments, they claim that these actors are acting on their own and that the government has no control over them. This is the first instance in my experience of the actual hackers being ousted in public – and their relationship with an actual government documented. Intrusion truth has only targeted Chinese hackers, but this could set a precedent for the future. Many believe that Intrusion Truth represents victims of Chinese corporate espionage. Groups like this can surface in the future to respond to threats originating from elsewhere as well.

https://motherboard.vice.com/en_us/article/wjka84/intrusion-truth-group-doxing-hackers-chinese-intelligence