Good Morning,
We will use week 07 for posts this week. Please use what we had before the break as a page to post items you have found.
Here are tonight's slides minus the “In the News”: Week 09
MIS 5170-18 Topic: Operating Systems Security
MIS 5170 - Section 001 - Andrew Szajlai
Sev Shirozian says
Intel has finally redesigned its processor architecture by using partitioning. The partitioning will create an extra barrier between applications and user privileges to prevent hackers from gaining access to sensitive data processed by the processor.
These updated processors will come out in their next-generation Xeon processors (Cascade Lake) and 8th generation Intel Core processors in the second half of the year.
https://www.pcauthority.com.au/news/intel-fixes-spectre-and-meltdown-vulnerabilities-with-updates-and-new-chips-487255
– Sev Shirozian
Vince Kelly says
I wrote an example of a *very* basic, ‘El-Cheapo’ man-in-the-middle attack that leverages the Python socket library to ‘eavesdrop’ on a series of message transmissions between a ‘legitimate server’ VM and its associated ‘client’ VM. The ‘legitimate’ messages are just basic text messages and a message sequence number.
Basically, the attacking VM, called ‘Evil Server’, spins up a Python socket receive thread that ‘hoovers in’ any traffic destined for a predetermined UDP port number and then displays those messages (i.e., the messages sent by the ‘legitimate’ server that were intended only for the client).
Evil Server then spins up a send thread which basically starts infinitely broadcasting an ‘Evil Server message’ which gets injected into all the other legitimate messages that are being sent by the legitimate server.
Delays were put into the evil server broadcast code so that you can see the intermingled messages that hit the client – otherwise evil server could also be used as a simple denial of service tool that would swamp both the client and the server as well.
Also posted a 5-minute demo video and a ppt deck that explains the environment – the box link is below.
Comments welcome.
https://www.dropbox.com/sh/myuz5kmq8llgogy/AABGN4yYKRJSn86dlkq4ziCXa?dl=0
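As an added example (not Vince's demo code), this is how the client side of such a setup could tell injected traffic from the legitimate server's messages: each datagram carries the sequence number plus a truncated HMAC under a key shared by server and client, so forged ‘Evil Server’ datagrams fail authentication, replays are dropped, and messages swamped or lost show up as a sequence gap. The key, datagram layout and sample traffic are constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in practice provisioned out of band to server and client.
KEY = b"constructed-demo-key-not-for-real-use"
MAC_LEN = 16  # truncated HMAC-SHA256 tag appended to each datagram

def build_message(key, seq, text):
    """Datagram layout: 4-byte big-endian seq | UTF-8 text | MAC over both."""
    body = struct.pack(">I", seq) + text.encode("utf-8")
    mac = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + mac

class Receiver:
    """Client side: authenticate first, then enforce monotonic sequence numbers."""

    def __init__(self, key):
        self.key = key
        self.expected_seq = 0
        self.accepted = []   # (seq, text) of genuine messages
        self.rejected = 0    # forged, truncated or replayed datagrams
        self.gaps = 0        # legitimate messages that never arrived

    def receive(self, datagram):
        if len(datagram) < 4 + MAC_LEN:
            self.rejected += 1
            return None
        body, mac = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(mac, expected):  # no key -> no valid tag
            self.rejected += 1
            return None
        seq = struct.unpack(">I", body[:4])[0]
        if seq < self.expected_seq:  # replayed or stale datagram
            self.rejected += 1
            return None
        if seq > self.expected_seq:  # messages were lost or swamped
            self.gaps += seq - self.expected_seq
        self.expected_seq = seq + 1
        text = body[4:].decode("utf-8", errors="replace")
        self.accepted.append((seq, text))
        return text

def run_demo():
    """Constructed traffic: legit messages, injected datagrams, one loss, one replay."""
    rx = Receiver(KEY)
    legit = [build_message(KEY, i, f"legit message {i}") for i in range(5)]
    # The injector knows the layout but not the key, so it pads with zero bytes.
    evil = struct.pack(">I", 2) + b"Evil Server message" + b"\x00" * MAC_LEN
    stream = legit[:2] + [evil, evil] + [legit[2], legit[4]] + [legit[1]]
    for datagram in stream:
        rx.receive(datagram)
    return rx
```

Running `run_demo()` accepts four genuine messages (sequence numbers 0, 1, 2, 4), rejects the two injected datagrams and the replay, and records one gap for the missing message 3.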
Jason A Lindsley says
That’s really cool Vince. Nice work summarizing these technical details in simple terminology.
Matt Roberts says
https://www.cnbc.com/2018/03/16/only-13-percent-of-government-employees-take-personal-responsibility-for-cybersecurity-survey-finds.html
A recent survey was conducted of government employees which found that only 13 percent believed they had total personal responsibility for the security of their workstations. Even more troubling, 1 in 3 believe they are more likely to be struck by lightning than to have their data compromised. This widespread apathy is very detrimental to the public sector’s overall security posture. User education and training is extremely important for securing an organization’s information, as the least secure component of any system is always the human element.
Jason A Lindsley says
This article really reinforces the need for more cyber awareness in both public and private sectors. I attended a round table this week that was focused on improving Cyber Awareness for financial institutions. There were a lot of creative ideas discussed and some programs were really impressive. We recently kicked off a Cyber Awareness Committee at my organization that is focused on promoting cyber awareness using engaging and innovative ideas. The best idea I’ve heard so far is a conference with keynote speakers from vendors and industry leaders that was extended to all employees. That’s a large investment of time and effort, but could be really impactful.
Scott Radaszkiewicz says
Good article Matt. Personnel are always the weakest link in any security plan. You could invest resources into securing your infrastructure the best that you possibly can, but there is no way to force an employee to follow what you have implemented. Just one employee who, either intentionally or unintentionally, does not follow protocols, and you’re done for.
Fred Zajac says
Matt,
Check this out…
http://www.fico.com/en/products/fico-enterprise-security-score
I wonder what these agencies’ “security score” is. Bad credit.. LOL
The score is based on a few factors, but security posture and culture weigh on the number.
Fraser G says
https://cyber.schillingspartners.com/mining-mimecast-brute-forcing-your-way-to-success/
MINING MIMECAST: BRUTE FORCING YOUR WAY TO SUCCESS
This was a fascinating post written by a black hat hacker who was able to farm sensitive information from organizations across Europe. Mimecast is a European security org that focuses on email. One of their products takes links that are sent in a client’s email – e.g. here is a link to that financials spreadsheet – and both scans the link and shortens / obscures it for security purposes. The author of this article was able to reverse engineer the process used to make these links. Think of bit.ly or any other URL shortener, and being able to decipher what links are generated. The author was able to go so far as to figure out how URLs were generated down to specific orgs. It’s definitely worth the read!
Donald Hoxhaj says
That’s a pretty interesting solution to the problems of email threats, Fraser. This would actually make the process of digital forensics much easier, as they will be able to track the IP and org. from where the emails came. However, I am still sceptical whether the solution can read the content of the links in the email to see if they have any suspicious external links. In the last 3 years, if you see, cyber criminals have started to play around with content that forces users to click on it. It would be interesting to see how this unleashes.
Richard Mu says
Windows Remote Assistance Exploit Lets Hackers Steal Sensitive Files
A critical vulnerability was discovered in Microsoft’s Windows Remote Assistance by Trend Micro’s Zero Day Initiative. Currently affecting all Windows versions, including Windows 10, 8.1, RT 8.1, and 7, the vulnerability allows remote attackers to steal sensitive files from targeted machines. The vulnerability has been patched by Microsoft in this month’s Patch Tuesday.
https://nvd.nist.gov/vuln/detail/CVE-2018-0878
https://thehackernews.com/2018/03/window-remote-assistance.html
Donald Hoxhaj says
That sounds as if Microsoft has not done enough on many frontline products. First it was the messenger issue, then the Windows Meltdown patch issue, and now Windows Remote Assistance. I wonder if organizations are even protected in the case when the patch has not been released and they are informed beforehand. This is a strict case of information leak from my point of view. I believe more than 30% of Fortune 500 companies use Remote Assistance, and it would be great to see in the future how Microsoft treats this as a case of lapse and releases patches much earlier in time.
Zirui You says
“Pre-Installed Malware Found On 5 Million Popular Android Phones”
A team of security researchers discovered that millions of brand new Android smartphones have had malware, called “RottenSys”, pre-installed somewhere along the supply chain. Usually, this malware pretends to be a Wi-Fi related service app and does not run its malicious activities immediately on the device. However, it aggressively displays ads and generates fraudulent ad revenue for the attacker once an adware component has been pushed to the infected devices.
https://thehackernews.com/2018/03/android-botnet-malware.html
Manogna Alahari says
This looks like Android systems are more vulnerable to malware and other attacks. Android systems should consider running a pre-installation security check as part of their OS. This will help detect any malware or unwanted software before it becomes part of their Operating System. Also, comparative studies with other OSes like Mac OS will help them understand why Androids are more vulnerable to insecure software.
Because of the way Google Play works, Android has a “bad app” problem. Google lets any developer upload an app to the Play Store, regardless of if it works, how it looks, or whether or not it can harm users. Malware scanning happens primarily after apps are uploaded, and though Google has recently taken steps to safeguard users with its Play Protect program, you don’t have to depend on them.
Below are a few tips to prevent malware attacks in Android systems:
Tip 1: Don’t Depend on Google Play Protect
“Google Bouncer” will help identify malware in the apps within the Play Store.
Tip 2: Review App Permissions
By minimizing app access, protect yourself from hackers obtaining an unnecessary amount of information about you. This practice also protects you from malicious agents (such as hackers) who might compromise the app to attack your device.
Tip 3: Switch Off Unknown Sources
Disabling “Unknown sources” won’t deactivate the third-party apps. Instead, it will prevent unauthorized installation of non-Play Store apps from outside threats scheming to attack your device.
Shi Yu Dong says
Dubbed RottenSys, the malware, disguised as a ‘System Wi-Fi service’ app, came pre-installed on millions of brand new smartphones; it actually does not provide any WiFi services but rather takes all sensitive Android permissions to enable its malicious activity.
Ref. Link:
https://thehackernews.com/2018/03/android-botnet-malware.html
Frederic D Rohrer says
Breaking the Ledger Security Model by Saleem Rashid | Mar 20, 2018
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
Saleem was able to break the Ledger Hardware Wallet by using a supply chain attack to modify the recovery seed. The recovery seed can be used to change or just extract the PIN. If the Ledger is used after the attack, any funds can be stolen when it is plugged into a compromised device. However, this would require the attacker to physically access the Ledger, or to sufficiently compromise the target’s computer, twice.
I found it interesting that Saleem chose to publish this vulnerability instead of cashing in on the security bounty.
He says that he did so “… mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.”
Satwika Balakrishnan says
Article: Cell Phone Porting Scams
https://www.bbb.org/en/us/article/news-releases/17019-bbb-issues-alert-about-cell-phone-porting-scams
Recently, T-Mobile has warned their customers about phone number ‘port-out scams’. This is a type of scam where hackers gather all the personally identifiable information (PII) about you, contact your mobile provider with the information gathered and get your number transferred to another provider. Once your number is ported to a new device, these hackers start accessing your bank accounts and other personal accounts which require an authorization code texted to your phone for verification.
The article provides the following three tips to protect yourself from such an attack:
i) Inquire with your wireless provider about port-out authorization. Most of the service providers have additional security for port-out authorization that customers can set up, like a PIN which will make it difficult for someone to port out your phone.
ii) Watch out for unexpected “Emergency Calls Only” status. Your phone switches to ‘Emergency calls only’ when your phone number has been transferred, so be on the lookout for this or something similar.
iii) Be vigilant about communications you receive. Beware of any phishing attempts, alert messages from financial institutions, and texts in response to two-factor authorization requests.
Mustafa Aydin says
AMD Acknowledges Newly Disclosed Flaws In Its Processors — Patches Coming Soon
AMD has finally acknowledged 13 critical vulnerabilities, and exploitable backdoors in its Ryzen and EPYC processors disclosed earlier this month by Israel-based CTS Labs and promised to roll out firmware patches for millions of affected devices ‘in the coming weeks.’
According to CTS-Labs researchers, critical vulnerabilities (RyzenFall, MasterKey, Fallout, and Chimera) that affect AMD’s Platform Security Processor (PSP) could allow attackers to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems.
Although exploiting the AMD vulnerabilities requires admin access, it could help attackers defeat important security features like Windows Credential Guard, TPMs, and virtualization that are responsible for preventing access to sensitive data from even an admin or root account.
In a press release published by AMD on Tuesday, the company downplays the threat by saying that, “any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”
Mustafa Aydin says
https://thehackernews.com/2018/03/amd-processor-hacking.html
Mustafa Aydin says
Kali on Windows
https://blogs.msdn.microsoft.com/commandline/2018/03/05/kali-linux-for-wsl/
Scott Radaszkiewicz says
https://thehackernews.com/2018/03/cryptocurrency-mining-software.html
So this is a pretty interesting article. If you are not familiar with Cryptocurrency Mining, it’s becoming more and more prevalent. Many malware applications are being written to run on unsuspecting machines that will install a Cryptocurrency Mining program. Many of these programs are processor intensive and really drain resources.
This is a new twist. Permitting CryptoCurrency Mining programs to run on your machine, in exchange for some services. A very interesting approach indeed.
This is a good article on Cryptocurrency Mining and how it works: https://www.benzinga.com/general/education/17/08/9953629/cryptocurrency-mining-what-it-is-how-it-works-and-whos-making-money-
Fred Zajac says
Windows Logging has come a long way in the new Server 2016 and Windows 10 operating systems. The ability to create a local SIEM is integrated into Server 2016 as a native service. You have the ability to create subscriptions for different types of event logs you want to monitor. You can monitor any type of event log, and even security logs. Here is how it works…
This works best on a network controlled by a domain controller, but it will also work on a home network.
The first thing you need is a “Collector”. This will be the Server 2016 box. You will be configuring the event collector and the subscriptions on this box. On the Windows 10 machines, you will be starting the event forwarding service. A few configurations and you will soon see the logs coming into the collector. I have done this and it is a great tool. It is highly talked about throughout the Windows community as a great resource for a local SIEM.
Here is more on the setup:
https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/
https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
https://msdn.microsoft.com/en-us/library/aa964766(v=vs.85).aspx
Donald Hoxhaj says
Windows Meltdown patches open up more severe issue
http://searchsecurity.techtarget.com/news/252437810/Windows-Meltdown-patches-open-up-more-severe-issue
Microsoft recently released the Meltdown patch to fix the Intel issues, but some researchers feel that the patch has opened up the possibility of further flaws. As per Ulf Frisk, ‘The patches released for Windows 7 x64 and Windows Server 2008 in January and February 2018 were successful in protecting against Meltdown but “opened up a vulnerability way worse” that could allow “any process to read the complete memory contents at gigabytes per second and write to arbitrary memory as well.”’
As per Frisk, all the systems that ran the patches from January or February will be at risk of this issue. If the systems have been unpatched since December 2017, the issue won’t impact them. It is said that the Microsoft patches released did not create any problems in the memory read leak, but in fact introduced a misconfiguration that exposes the memory. This has primarily been said to be a big quality control issue at Microsoft. The Microsoft patches have over the period created multiple issues with their releases related to performance slowdown and unwanted system reboots.
What is more interesting to observe is that the March patches have still not rolled out. The question that Microsoft should ponder is whether the patches will leak memory data for mission critical operations in organizations or not, and if yes, how soon the new patch can counter the attack.
Donald Hoxhaj says
Fauxpersky malware steals and sends passwords to an attacker’s inbox
http://www.zdnet.com/article/fauxpersky-malware-steals-sends-passwords-google-forms/
A new threat has been detected that has the potential to steal passwords. The keylogger malware named Fauxpersky is built off a popular app, AutoHotKey, which lets users write small scripts for automating tasks and compile the script into an executable file. It essentially spreads through the USB ports of computers and infects Windows PCs. Researchers say that ‘the malware is highly efficient at infecting USB drives and exfiltrating data from the keylogger through Google directly to the attacker’s mailbox’.
This malware spreads on devices and monitors user behaviour. As soon as the malware is active in the computer, it keeps storing user typed information into a text file with the window’s name so that it becomes easier for the attacker to know the context of the file. The data from the file is exfiltrated from the computer to a Google Form and later the source file is deleted from the hard disk.