Forget the One-Day Exploit, Beware the One-Hour Exploit

A recent report by the United States Government Accountability Office (GAO) details how one of the largest personal information hacks in history was designed. The hack described was the one on Equifax, a credit reporting agency (CRA) that exposed the PII (personally identifiable information) of more than half of all adult Americans. Why should you care? Well, if you have a business or organization of any size, you could be vulnerable to the same type of hack that brought down Equifax. It is a hack that could have been performed by anyone with a rudimentary knowledge of hacking.

The report explains how a few small oversights left the company vulnerable. These are mistakes that numerous firms and organizations make every day. Here’s how it happened.

When Cisco found a serious vulnerability in the Apache Struts web application framework, they notified their customers. In a blog post, they emphasized that “it is highly recommended that you upgrade immediately.” But, apparently, almost as soon as they announced the vulnerability, it was being exploited. What this meant was that any enterprise that did not update its servers at once, were in danger of being attacked. The quick use of a newly announced vulnerability is often termed a one-day exploit; however, this one could have been measured in hours.

When Equifax received the news of the security flaw and the recommendation to update their system, they sent out notices to all system server administrators, just like they were supposed to do. Unfortunately, the list of system administrators was out of date. It did not include the address for the system administrator for its dispute portal servers. Thus, this administrator did not get the notice and the update was not installed. This left the servers for this department vulnerable to attacks.

Two days later, “unidentified individuals” discovered the unpatched server. Using software designed to make use of this vulnerability, the hackers accessed the server and tested their software. No data was taken. It wasn’t until May that the actual attack on the server began. Maybe the attackers just needed time to develop an attack framework based on their initial reconnaissance. In any event, when they re-entered the system, they were able to hide their activities as they worked their way around the Equifax network, stole data, and methodically sent it back to their C&C (command and control center). By making their actions on the network look like normal network traffic, they were able to remain undetected for 76 days (May 13, 2017 to July 29, 2017). Here is a diagram of the breach from the report.

equifax diagram

Why didn’t Equifax discover this breach sooner? Normally, security architecture would be alerted if it saw encrypted traffic running through its network. Unfortunately, such detection software did not work because the certificate it needed to operate had expired 10 months before the attack. The attackers, therefore, were more or less free to do whatever they wanted because they would not be detected. It is unclear whether they realized this before they began the attack. The dispute portal servers were taken offline as soon as the breach was discovered.

For enterprises who want to protect themselves from such attacks, it is important to mention two more lapses that made the attack so successful. According to the report, the databases should have been segmented. This means that the databases were in some way connected so that the attackers with access to one database could access others. Another blunder was that Equifax kept usernames and passwords to these databases in an unencrypted file. Imagine the excitement on the part of the hackers when they discovered this.

Equifax has subsequently updated its security architecture in predictable ways. Some of its improvements seem more cosmetic than anything else; for example, creating a new position, Chief Information Security Officer, which will, purportedly, improve communication between IT and management. Yeah, ok.

It took a while for Equifax to figure out how many people were affected by the hack, but they finally settled on 145.5 million. They then set up a website where people could find out if they were among those affected. Those interested in finding whether they were victims of the hack, can go to this page and click the “Am I impacted” button.

equifax impact

You will need to give your name and the last 6 digits of your social security number. If you live outside the U.S., you will need to use a VPN. Interestingly, Equifax accidentally sent people to the wrong site, an approach often associated with phishing attacks.

equifax phish

The repercussions of this breach went beyond Equifax. For example, both the IRS and SSA had to take actions to guard against a possible increase in identity fraud. These and other government agencies used Equifax to validate certain transactions. Surprisingly, no government agencies were made aware of the attack until it was publicly announced, making them vulnerable to a variety of attacks in the interim. Equifax refused any help from the Department of Homeland Security.

After the hack, the company’s share prices fell 33%. They have since recovered most of these losses. In fact, the company is expected to make record profits next year. As of this writing, Equifax faced no penalties for the breach although one lawsuit is pending. Some evidence of this hack has purportedly been found on the deep web. Most of the data taken has probably been combined with other available personal information troves to make ‘fullz’, a term that refers to full information and, at a minimum, includes “the victim’s full name and billing address; credit card number, expiration date and card security code; as well as their Social Security number and birth date.” Fullz simply sell at a higher price on the deep web.

Although Equifax may seem to have escaped relatively unscathed by the breach, politicians are pushing for more penalties to be paid by companies who are breached due to their own ineptitude. However, ineptitude is not easy to delineate. For example, in a large organization, it is often very difficult to perform all updates as soon as information on a vulnerability is released. Sometimes, this is because of practical considerations, such as the update interfering with normal work flow. At other times, updates simply take a long time because of the size of the network.

Hackers have been known to begin their attacks on holidays or weekends when they believe that most of the IT staff will be away. Can this be classified as ineptitude on the part of the company? It’s not a question with an easy answer. However, with these points in mind, I would suggest that most small to medium-sized enterprises would be more vulnerable on weekends and holidays, while large companies and organizations would be more vulnerable during peak working hours.

So what can companies and organizations learn from the Equifax hack? First of all, don’t wait to perform important security updates because the hackers certainly won’t. Implement a certificate checking program that alerts administrators when a certificate is about to expire. Keep important databases separate and encrypt all stored usernames and passwords.

Several executives, including CEO Richard Smith, ‘resigned’ after the breach. “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,” Smith said as he sadly pocketed a $90 million goodbye package. A number of states took action against Equifax which resulted in Equifax promising to implement security measures that it had already put in place. In the end, Equifax paid out about $250 million in security updates that they would have paid for anyway. In fact, the whole breach could be looked at like one, giant, well-designed penetration test. As such, it was a bargain for everyone except those who lost all of their personal data.

Posted in Uncategorized | Tagged , , | Leave a comment

GMail Confidential Really Isn’t, But It Has Its Uses

Many of you reading this have had your Gmail account updated. The update contains a few extra features and a new look, but I would like to focus on one feature that may have escaped your attention. This is the confidential option available when sending an email. This option allows you to control how the email you sent is used.

 For years, I have thought that such a feature should exist. There simply seem to be times when you reluctantly have to email a copy of an important document to someone you may not know. For example, if you are applying for some job overseas, you may have to send a copy of your passport information page. I’m always uncomfortable doing this because I have no idea how the recipient will guard my privacy. Will they leave the document open on their computer? Will they make and distribute a copy of it? Will they forward it to other people? With each of their actions, I risk being compromised.

 But Gmail has come up with a solution to this problem. Using their confidential option, you can make a sensitive document self-destruct at a designated time. It will also prevent downloads, copying, printing and forwarding of such emails and their attachments. There are positive and negative aspects to this, but before discussing them, here is some basic information about using this feature.

 First of all, you have to know where to find this feature. To be honest, I didn’t even notice where it was. For me, the icon associated with this feature does not clearly relate to its purpose. Here is where to find this feature when you compose an email.

 google confidential

 Clicking on the icon brings up this interface.

 google confidential details

 You can see that you can choose to send a code by SMS if you know the person’s phone number. The recipient will receive an email that looks like this.

 google confidential recipient

 They will then be sent to a page where they can read the email and which will give information as to when the email will expire. If you change your mind about allowing access to a confidential email, you can remove the recipient’s access at any time, even before the email gets opened. To do this, open your ‘Sent’ folder, open the confidential message and click the ‘Remove Access” button. The recipient will no longer be able to read the email. This could be a good tool to use for those impulsive, angry emails you may send and then later regret. You can also renew access in the same way.

 The tool does offer some good features, but Google admits that anyone can take a screenshot of the email or attachment. It is true that the copy function is disabled; however, I found that going into developer tools to access the page code enabled me to find and copy the message. In the following example, I sent the message, “This is only a test.” You can see it here. It can then be copied.

 google confidential code

 One positive aspect of the confidential feature is that you can set the expiration date from one day to five years. This will come in handy if the recipient’s email is hacked and the hackers harvest all available sensitive data and any documents that have been sitting around for years. People often allow old emails and attachments to build up in their folders so this tool gets around that. Setting an expiration date removes old emails that could harm the sender or the sender’s company if they happen to be stolen.

 Some members of the cybersecurity community have criticized Google for using the term, ‘confidential mode’. They feel this is a misnomer because this mode does not offer true confidentiality. True confidentiality can only exist in some form of end-to-end encryption.

 Besides the security shortcomings mentioned above, using the confidential mode also does not mean that Google cannot save copies of your email and attachments. They can still use the information you supply in such emails to target you for ads or sell this information to internet marketing firms. If you decide to send the recipient an SMS code, you are also supplying information on your recipient, their phone number, which Google can monetize or otherwise use.

 Such criticisms aside, the confidentiality feature at least gives the sender more control over a message or document than they previously had. Sure, a recipient can subvert this using a number of techniques, but I’m not sure many would actually consider this. Most would simply retrieve the information that was sent during the allowed access time and that would be the end of it. The exception to this would be attachments. Google gives you the right to preview the attachment, but you cannot save or print it. Yes, right clicking on the attachment will show a print option, but printing will give you nothing. In such cases, the recipient would be inclined to make a screenshot and save that.

 In the end, don’t expect true secrecy when sending anything in this mode. Using it will alert the recipient that something important has been sent and may, thereby, prompt quick action on the recipient’s part. On the other hand, if you are sending something like a job application and the recipient doesn’t open the email quickly enough, they may never be able to access your application. In other words, make sure you give the recipient enough time to open your email when you set the expiration date. Also, expect that any attachments, like a resume/cv, will not be printable or savable, which makes it inconvenient for the recipient. In some cases, such an inconvenience could make them ignore your email.

Remember also that some recipients may take the fact that you sent them a self-destructing email as a sign of distrust. It may imply that you don’t expect them to handle your sensitive documents with care. What would this say about your character if they were to consider you as a future employee or business partner? In these cases, some sort of explanation or apology may be necessary in the cover letter. On the positive side, it could show that you are interested in maintaining security and at least have a passing knowledge of what that entails.

 In the end, the Gmail confidentiality feature should be considered as a useful tool. If you want real safety you’ll need to send an encrypted email. You could also password protect a document. These methods, however, take more time to organize and can create problems for both sender and receiver. If, for example, you send a password protected document, you’ll need some way to inform the recipient of the password. If you know the recipient, you can give them a phone call or reference a shared association e.g. the town we met in last year. If you have no association with a person, such as when applying for a job and attaching your resume/cv, you probably don’t want to make things too difficult for the recipient, in such cases, the Gmail confidentiality feature may be your best choice. So use it, but keep in mind its limitations.

 

 

 

Posted in Uncategorized | Tagged , , | Leave a comment

The Recent DNC Hack that Wasn’t… Or Was It?

Penetration testing, or pentesting, can be a useful strategy for an enterprise to use to tighten security on its network. Paying an ethical hacker to find holes in a company’s cybersecurity architecture can help a company avoid a major breach. Of course, this comes with some risks. What if the pentester is not so ethical and uses the vulnerabilities found to hack the corporate network they are hired to protect? What if they sell this information to unethical hackers? In other words, a company or organization must be careful who it allows into its network.

This is why there are organizations that certify pentesters. However, many so-called pentesters aren’t certified. Let’s call them, ‘unsolicited pentesters’. These are people who may test a company’s cybersecurity on their own initiative, find a vulnerability, and then ask the company to pay them for their work. It’s a hit or miss scenario. The company may just give the unsolicited pentester a pat on the back and nothing more. Other companies offer official payments for those who find bugs in their networks or products. They offer clearly defined bug bounties to bug bounty hunters. For the most part, any unsolicited individual who hacks into an enterprise’s network must be considered a hacker unless they clearly state that they want no money or other compensation for what they find.

That’s what makes the recent cybersecurity incident at the DNC so interesting. It was initially reported that the DNC thwarted a cyber attack designed to get login information from spearphished employees. Someone had made a fake sign-in page that emulated NGP VAN’s Votebuilder, a database used by the Democratic Party. The DNC’s chief security officer, Bob Lord, wasted no time contacting the FBI and CNN to report the  “sophisticated attempt to hack into our voter file”. In his report to CNN, Lord tried to make political hay of the attempt by claiming, that “we need the (Trump) administration to take more aggressive steps to protect our voting systems. It is their responsibility to protect our democracy from these types of attacks.” There were clear insinuations in the CNN story that Russia may have been behind the attack.

However, just as this incident was to become a major news story, it was found that the hack wasn’t a hack at all. According to the DNC, the Michigan Democratic Party had asked NGP VAN to do a “simulated phishing test” on the DNC and no one thought it might be a good idea to tell the DNC about it. But, according to a statement given to CNN by Brandon Dillon, the chair of the Michigan Democratic Party, it was all Donald Trump’s fault. “We have taken heightened steps to fortify our cybersecurity — especially as the Trump Administration refuses to crack down on foreign interference in our elections.” Dillon referred to the blunder as “a misstep”.

Misstep or not, this qualifies as a hack, since the DNC did not authorize itself to be pentested. However, it is not clear what the Michigan Democratic Party wanted with  Votebuilder login information even if they got it. Did they simply want to learn which people in the DNC would be stupid enough to fall for a phishing attack? Wouldn’t this be the job of the DNC security team? Did they want access to part of the database they did not normally have access to? I’m perplexed. In fact, the Washington Post reported that it may not have been the Michigan Democratic Party at all, but an unidentified “web contractor” hired by them. This group was identified by the Wall Street Journal as the recently formed, DigiDems, a largely volunteer group of tech people with a strongly left wing agenda: “DigiDems is a team of innovators passionately committed to supporting the progressive movement through the use of technology.”

This is not the first time that NGP VAN has caused trouble for the DNC. Back in December of 2015, NGP VAN temporarily left its database open which allowed members of the Bernie Sanders campaign to access Hillary Clinton’s strategy. This resulted in the firing of one member of Bernie Sanders’ IT team, Josh Uretsky, and the banning of the Sanders’ campaign from accessing the Votebuilder database. Why NGP VAN agreed to go along with this is still open to debate, since it occurred just before the New Hampshire primary and banning the Sanders campaign from using the database would tilt the primary in Clinton’s favor. Sanders subsequently sued the DNC.

The whole incident spawned a number of conspiracy theories. The cybersecurity firm, CrowdStrike, was asked to look into the Sanders’ breach and, after studying the situation for four months, concluded, in April, 2016, that the Sanders team really didn’t do much with the information they accessed. Sanders subsequently dropped his lawsuit. However, just as CrowdStrike was finalizing its findings, the DNC discovered that they had been hacked. Coincidentally, CrowdStrike was still on board and they were experts in Russian hacking. Coincidentally, they found, within minutes, that Russia had hacked the DNC. Interestingly, they found no indication of this while they had had access to the servers for four months. This has led conspiracy theorists to conclude that “the Russian hacking that’s caused so much division and turmoil at home and abroad never really happened. It was all a ruse concocted by CrowdStrike.” This is not a minor accusation as the entire Robert Mueller investigation of the Trump campaign’s involvement with Russia hinges on CrowdStrike’s conclusions.

The problem here is that the Russians don’t need to hack the DNC to get voter records. Voter registration records are available to anyone, free of charge. Each state also maintains voter records that are openly available. Some are free and searchable online while others must be purchased. Firms like NGP VAN simply compile these databases and organize them to make them searchable by various criteria. As such, they would be a tempting target for certain hackers as they contain a wealth of personal information. Here is a list of the information available in these databases (from Wikipedia).

voter information

The problem with this list is that it doesn’t go far enough. NGP VAN boasts, “before, only Facebook, Twitter, and LinkedIn profiles were matched to an individual’s contact record.  Now, 97 different social networks are matched daily  (highlight NGP VAN), and also provide social media biographies to be integrated into a contact record. Additionally, an individual’s photo will be automatically synced from their profiles when available. You can find your supporters with a particular network with our updated search functionality, and when on that contact’s record, you’ll see a lot more information.” NGP VAN gives the following example to show just what they can do.

ngp voter

In other words, being able to hack into this organized database would be any hacker’s dream, Russian or not.

I’m not saying this happened, but if I were a Russian hacker (or any bad actor) I would certainly consider setting up a fake login page to NGP VAN, just like the contractor for the Michigan Democratic Party purportedly did. In fact, if I were a hacker employed by the Russian government, I would probably volunteer for a firm like DigiDems and use their connection with NGP VAN and Votebuilder. I would then send spearphishing emails to key DNC employees, telling them, for whatever reason, to sign into NGP VAN. I would have a link for them to follow to the spoofed login page and hope they would not look too closely at the URL address. Once they entered their login information I would have access to the full NGP VAN Votebuilder database and, with such access, I really could influence the outcome of any election.

I’m not really sure what the Michigan Democratic Party was up to and maybe they didn’t really know what their overly enthusiastic contractor, DigiDems was doing. I’m not really sure why CSO, Bob Lord, was so quick to contact the FBI, unless he was overly paranoid about Russian meddling. For the same reason, or for pushing a political agenda, he may have contacted CNN. This would give the DNC, with CNN’s help, ammunition to use against the Russians that could substantiate the current investigations into their supposed meddling in the 2016 election. In the end, such an angle could damage the Republicans and Trump in particular.

This strategy may have worked if the scenario didn’t fall apart the next day. In the end, Lord threw a punch which ended up with the DNC getting a black eye.

DNC Chairman, Tom Perez, tried to put a positive spin on the blunder in a quote he gave to CNN.

“We are at war right now — it’s a cyberwar and unfortunately the commander in chief of the cyberwar is asleep at the switch because he benefits and has benefited from the cyberwar. We’re not waiting for help, we’re not waiting for the cavalry from the White House. We’re working with our partners in the cyber-ecosystem and that is in part how we were able to address this, what turned out to be a false alarm.”

Well, you obviously didn’t work that closely with your partners or you would have been informed that they were performing a pentest or hack on your organization. Yes, the DNC could use the angle that it was being proactive in quickly reporting a suspected breach. Then again, they could also be accused of desperately grasping at straws in order to connect all suspected breaches with Russia.

There is something just not right here. Bob Lord stated that this ‘test’ “was not authorized by the DNC, VoteBuilder nor any of our vendors.” So are you saying NGP VAN did not agree to have DigiDems make a fake copy of its Votebuilder login page? You can’t have it both ways.

My problem is with DigiDems. It’s a newly formed enterprise with a poorly designed web page. I’ve seen many fake websites in my days, and this certainly looks like one. You’d think an organization that prided itself on its technical expertise would come up with something better than this pre-packaged web design. For example, the photograph used on its homepage is taken from one used on a number of websites. Ok, I understand. The organization just formed in March and they had to put something together quickly before the 2018 midterms.

So why would the Michigan Democratic Party allow a fly-by-night organization to undertake a pentest of the Democratic National Party? Why would they trust them with such a sensitive task? My guess is that they didn’t. My guess is that they knew nothing at all about what someone on Digidems was doing. They only found out when the hack was traced back to them. That’s when damage control kicked in.

What do you do when it looks like you dropped the ball? You act as if it was planned all along. An actual hack on the DNC, especially by Russians, would make them look pretty inept. The DNC was reluctant to report the 2016 hack because they feared it would negatively impact donations. People don’t want to give personal details to an organization that can’t protect them. This could be a similar case of damage control and the damage was done by Lord when he publicly reported the breach without considering the implications. When the possible financial repercussions of reporting yet another DNC hack was realized, they tried to back off the report by claiming it to be a planned attack.

I would have to agree with the observation by Joseph Carson, chief security scientist at Thycotic, in his statement to Security Week. “I would actually handle this incident as an attempted cyberattack since the DNC has confirmed it was not authorized or approved so therefore a full incident and digital forensics process should be carried out even though it was a so-called test.” As I stated previously, an unauthorized pentest is a hack and should be investigated as one. My prediction is that we will never hear anything about this attack again and, in the near future, Bob Lord will be replaced as DNC CSO.

 

Posted in Uncategorized | Tagged , , , | Leave a comment

Deepfake Videos: When All News Becomes Fake News

Most people can tell whether a video is fake or not. It may be a very good fake but something about it just looks, well, unnatural. We may not be able to express why a fake video leaves us with this feeling, but we simply know it from our interactions with real people. If we comprehensibly analyzed why people determined a video to be fake, we would see that it came down to something as simple as a strange blink or an unusual movement of the head.

But what if we could eliminate all uncharacteristic movements from a fake video by directly linking it to every minor movement performed by an actual human subject? This can be done by using a neural net which can be ‘taught’ to learn certain natural, predictable, and idiosyncratic patterns of a targeted person’s movements from a video. The teaching video will serve to train the neural net on how a certain targeted person normally behaves. After the neural net learns how a certain individual behaves, an actor can then make a separate video. This is called the, ‘source video’ and this is what would be sent to the neural net. The neural net translates the actions on the source video to make a fake or target video. Thus, an actor in a source video can make a target do whatever they want them to do. Having been already trained on the natural movements of the target, the neural net ‘predicts’ how the targeted person would act and makes the fake video accordingly.  Here is a visual depiction of the process from the paper, Deep Video Portraits by Kim et al. which shows how an actor transfers his movements to a fake video of Barrack Obama.

deep fake source obama

To keep this from being too technical, information from the source video (upper row) is interpreted by the neural net to produce the target video (lower row). in this way, the actor makes the target act in the way that he wants it to.

Take particular note of how the background corresponds with realistic head movements. This marks a major accomplishment in these fake videos.

The researchers made a number of such ‘fake’ videos and then asked people to determine whether they were watching a real or fake video. Interestingly, about 80% of people thought the real videos were actually fake. About 50% of people correctly identified the fake video. It should be kept in mind that these people knew in advance that they would likely be ‘tricked’ into thinking a fake video might be real and, in consequence, were probably hyper critical. Both percentages would be much higher for unprepared viewers. The researchers admit that sudden, unusual head movements or quick changes in facial expressions in the source video may produce results that would appear to be unrealistic or fake. Would you be able to tell which is the source and which is the target, or fake video, in the sample below?

 

Yeah, I couldn’t either. The fake is on the right.

All of this about creating a perfect fake video is well and good, but this only takes into account the video portion of a fake video. What about reproducing voices? Most often, this tends to be the weak point in these videos. People can tell if a voice sounds ‘robotic’ even when they may be fooled by a video. That said, there have been some major advances in this area. Last year, a new startup, Lyrebird, produced this audio clip of Donald Trump, Barrack Obama, and Hillary Clinton talking about their firm. The overall vocal characteristics aren’t bad, but the stress, emphasis, and pacing make the track easily identifiable as a fake. Take a listen.

Of course, with more training, these voices have improved. The latest samples are better but they are still a little muddy and not altogether convincing.

That said, we are rapidly closing in on the day when a video will appear which will fool us all. We simply won’t be able to tell whether it is real or not. The first videos to do this will contain little or no speaking. Only by looking at fine details will anyone be able to determine whether what we see happening is really happening. Later, the videos will be so good that even a forensic examination could leave us with some degree of doubt.

Of course, there will be those who try to benefit from these realistic but fake videos. If the surrounding circumstances seem believable, viewers could be persuaded that the video is, in fact, real. These could be videos of politicians saying outrageous things or simply behaving badly. Even if the videos are discounted as probably fake, they could, nonetheless, instill doubt and will tend to tarnish the targeted person’s character. If, as will probably be the case, the videos are made to discredit a politician, those who want to believe the content of these videos probably will.

But fake videos open up a two-way street. Politicians who actually are caught behaving improperly on videos could claim that the video is fake. Again, those who want to believe it is fake, probably will.

The Defense Department has been working on programs that will determine whether a video is fake or not. They were initially successful in determining that the people in fake videos did not blink. Unfortunately, this is no longer true. The new techniques are far too advanced to make such mistakes. In fact, every time a program learns a video is fake, it helps the neural net. This is simply how neural nets learn. The neural net computers that now routinely beat chess grandmasters are able to do so because they learned from playing and losing to them. In other words, losing is winning for a neural net. This is why fake videos are destined to become indistinguishable from real videos.

So what does this all mean? At some point, no one will be sure which videos are fake and which are real. All news programs showing compromising videos will come with the disclaimer that they could not authenticate them. Eventually, that won’t even matter. All news, all truth will become muddied. Viewers will believe what they want to believe and will choose the media outlet that matches those views. Media outlets will pander to their bases by choosing videos, fake or not, which support certain political viewpoints. In the end, all news will be fake news.

 

 

Posted in Uncategorized | Leave a comment

Hacking Your Face

Okay, so that’s a bit of an ambiguous title. I don’t mean using tricks to make yourself look better or hitting yourself in the face with a meat cleaver. What I’m referring to is a new form of malware that actually uses your computer or device’s camera to look at you and identify you before it begins to hack you. It’s a pretty scary scenario that has now become reality. Welcome to the new era of hacking.

As the cyber world evolves into the artificial intelligence (AI) realm, so too does hacking. For now, such AI-assisted malware is in the infancy stage; however, a proof-of-concept AI malware package called, DeepLocker, has been developed by IBM researchers. DeepLocker is malware which does not deploy until it finds a specific victim. The identification of this victim relies on AI, neural net properties. The use of a neural network by malware would, according to the researchers, make the malware’s detection more difficult.

Defense against most malware is based on analyzing its composition and matching that against known patterns. Malware, therefore, tries to find ways to hide these patterns to avoid detection. Well-designed malware will not deploy unless it detects a safe environment. For example, malware will scan a network it has infiltrated to see if there is any indication of a sandbox or if it has been lured into a honeypot. If the malware finds something suspicious, it won’t deploy. Once deployed, however, the malware gives away information about its design, after which, anti-malware architecture is updated.

As an example, notice how the famous Stuxnet worm inspected the network before it determined what to do next. (Stages 2 and 3 below)

stuxnet-diagram

DeepLocker hides itself in normal-looking software. The software may act normally unless certain trigger conditions are present. These triggers can be any number of things, such as matching GPS locations or voice recognition, but, for the purpose of this article, I’ll focus on facial recognition.

Neural networks are pattern recognizers. They can be trained to identify certain patterns, such as faces. If the neural network integrated with the malware was pre-trained to recognize a particular face, it would only trigger the associated malware to deploy when that pattern, that face, was recognized. To do this, the malware would need to have access to the device’s camera. Thus, any software that required the use of a camera, such as video calling/conferencing software, would be an ideal package for this type of malware.

The problem comes with trying to defend against this type of malware. The only ones who know the raison d’etre of the neural net pattern associated with the malware are those who created the malware. It cannot be back-engineered by the attacked network. Even the connection of the trigger to the malware can be encrypted or otherwise obfuscated. In short, it would be very difficult to conclude that an attack was underway or that one even took place. Here is a diagram showing the concealment such malware can use.

deeplocker hide

If malware like DeepLocker wanted to target you, it would first need to get you to download and install a specific type of software that would enable it to have access to the pattern it was designed to look for. It could, theoretically, do this through a fake update of software that is already installed on your device. The attacker could, if advanced enough, scan your system or network to see what software avenues are available. It could then develop a recognition pattern that would make use of the previously installed software. It could, for instance, develop a voice or facial recognition neural net pattern that used your pre-installed video chat program and use that program to target you.

The best way to develop such malware would be to train the neural net through direct communication with the victim. This would enable the attacker to record the interaction and, thus, obtain sufficient data to train the net for a future attack. That said, few people would accept a video call from a stranger. Malware that takes control of a device’s camera and microphone is readily available, but this could be detected by security architecture. The only way to train the neural net without infiltrating the network or device is to use publicly available videos and photos. Thus, the greater online presence you have, the more susceptible you would be to such an attack.

It should be noted that no such attacks have been detected in the wild. That said, how would they be detected? The malware would only be vulnerable to defense strategies in the earliest stages of an attack. However, those who would design such a targeted attack would be those who had access to multiple cyber attack resources and were in a position to obfuscate all stages of such an attack. That’s right. Most of these attacks would tend to come from nation states because the resources and knowledge it would take to develop them would be beyond that of most unaffiliated hackers.

So, if these attacks were developed, they would not be widely distributed, at least at the beginning. Only high profile targets who had a substantial online presence would be victimized. A substantial online presence would be necessary to develop a training set for the neural net. The target would need to possess valuable information or data that would be worth all the time it would take to design the attack. So if you fit this profile you may want to begin your defense by at least putting some tape over the camera lens on your laptop and disabling your microphone.

It would not surprise me if intelligence agencies already possessed such malware, but if they don’t, they soon will. Low profile, highly secured but valuable targets may still get hacked using such malware but this would require advanced attack techniques. For example, the time is not far off when someone could call a target using voice simulation software that makes them appear to be someone the target knows. This could be a way to gather voice samples from the target that they could then use to train a neural net for a future attack. As is often the case, the cybersecurity community has been put on the back foot by this new attack vector. At least for a while, the defense against AI attacks, like DeepLocker will be more reactive than proactive. Efforts are being made to decode neural nets before they deploy, but major attacks using this vector will succeed long before such defenses are developed. For those in the cybersecurity community, there are some hard times ahead.

Posted in Uncategorized | Tagged , , | Leave a comment

Why an Attack on a Taiwanese Chipmaker May Affect You

Most people have probably never heard of Taiwan Semiconductor Manufacturing Co. (TSMC). Most people would be surprised to learn that it is the seventh biggest tech firm in the world, placing just below Apple. In fact, according to Bloomberg, TMSC is the “sole maker of the iPhone’s main processor” and is currently preparing to begin producing chips for Apple’s next iPhone. Indeed, Apple accounts for 21% of TMSC’s income. So you’d have to figure that an attack that shut down three of its factories had to have some negative effects.

As of this writing, TMSC is giving few details about what exactly caused the closure of its factories. The Wall Street Journal claims that the company was attacked by a computer virus which was “a modified version of the WannaCry virus”. But calling it “a computer virus” is simply a way to obscure the facts. And, to add to the mystery, the company also claimed that the virus was not introduced by an outsider. The latest company statement on the problem states that the disruption was caused by a “mistake made during software installation that then spread through its network.” That was some mistake.

Without more details, it’s impossible to know what exactly they are talking about. How does a bad software installation shut down three factories? Since they referred to a “computer virus”, does this mean that malware was pre-installed on some important software that masked itself as an update? How long ago was this installation performed? Was this virus or malware on the network for a long time or did its installation instantly shut down the factories?

According to an update of the original Bloomberg article, “no confidential information was compromised in the virus attack”. So it now termed an “attack”, not just a problem caused by incompatible software. This conclusion seems confirmed by a statement from Chief Financial Officer, Lora Ho, who said, “TSMC has taken actions to close this security gap and further strengthen security measures.”

Okay, so what precisely was the security gap that needed closing? Because it now appears that the network was breached by someone either looking to disrupt operations or steal information. You don’t take the time to compromise the supply chain just for fun. In either case, it must have been a major business competitor or a hostile nation state that could benefit from such a disruption or benefit from some secret information it may be able to get its hands on.

This being the case, would anyone be surprised if China was behind this attack? Probably not. According to one source, Taiwan’s government networks are attacked by China at a rate of up to 40 million a month. China would like nothing more than to give one of Taiwan’s biggest tech companies a black eye. Doing so would make competing Chinese companies look better, by comparison. Maybe they could persuade Apple to depend less on TSMC for its chips and start using Chinese semiconductor producers.

Then again, maybe they wanted to steal information on the new iPhone chips. TMSC claims that no confidential information was accessed by the attackers. However, what would you expect them to say? In every major attack I have written on, the attacked company always initially downplays the attack. Over time, they release more details. The company has only stated that deliveries of new iPhones may be delayed and that TMSC may see a temporary 3% decrease in profits which will amount to a loss of about $250 million.

We may find out the truth if a Chinese smartphone maker suddenly comes out with a phone that is surprisingly similar to the new upcoming iPhone 9. But maybe the attacker’s plans were simply to sully the image of the iPhone by using malware that would change the manufacturing parameters on machinery used in iPhone chip production. Such actions would then result in the production of underperforming iPhones. These imperfect phones would have to be recalled and, in so doing, Apple’s reputation would suffer. We also cannot dismiss the possibility that the hacker wanted to put some sort of backdoor into the chips.

If this attack was engineered through contaminating software from a supplier, it would most definitely have to be the work of a nation state. Such an approach is simply far too sophisticated for a bedroom hacker. Connecting this malware to the WannaCry virus seems a bit of a stretch, but it is possible that it had some similarities. For me, it seems closer to a variation on the Stuxnet malware, similar to the Triton malware that shut down Saudi Aramco last year. Interestingly, when that particular attack was reported, Saudi Aramco claimed there had been no attack at all.

If we assume that China was behind this attack, we’d have to speculate on how they compromised the supplier. Without knowing who the supplier was, we can only assume attack strategies that have been identified by the United States Office of the National Counterintelligence Executive in their 2018 report. Besides normal cyber attack methods, China uses the following routes to get the information it needs to support its tech industries.

chinese hacking

We would have to know the infected supplier to reach any conclusions as to how the malware may have been placed in the software without it being detected before distribution. It should be noted, however, that TMSC has a semiconductor fabrication plant (fab) in Shanghai. Just saying.

China is no newcomer to the ICS/ SCADA (Industrial Control System/ Supervisory Control and Data Acquisition) attack arena. These refer to the control system architecture of machinery or other infrastructure that sets production parameters. If tampering with machine control systems was, in fact, the attack vector China used against TMSC, no one would be surprised. China is the leader in this type of attack. In 2013, Trend Micro set up some honeypots that looked like valid SCADA networks. They wanted to see if they would be attacked and by whom. In short, they were quickly and robustly attacked. And who were the main attackers? The chart below will give you that answer.

china scada

Yes, China led the way with 35% of the attacks being attributed to them.

While we await details on this attack, we can only speculate on the consequences. The attackers may leak information on what they found out about the new iPhone to take away some of its thunder. Well, what a coincidence! Yesterday, August 8th, a Chinese publication called, Economic Daily News, leaked details of the new series of iPhones. The information was reportedly from a Foxconn employee, but who knows?

iphone 9

The debut of the new phones is expected in September, but that may be delayed. If a delay occurs, it may not only be because production was shut down for three days. If the malware was in the system for longer than the company admits, they may have to check to see if new chips and phones that may have already been produced possess faults. If the delay is longer than just a couple of weeks, the hack may have been more successful than the company has claimed.

At the very least, the attack may cast doubt on the reliability of the iPhone. Most hardcore iPhone users may not be phased. However, those contemplating a change to another brand may see this as the last straw and make a move to another maker. This will be especially true if, by sheer coincidence, a Chinese smartphone producer comes up with a phone that is almost a clone of the new iPhone. I guess we’ll just have to wait and see.

Posted in Uncategorized | Tagged , , , | Leave a comment

Why Not Get Google Results with a Private, Non-Tracking Search Engines?

I like Google. I think it gives better search results than any mainstream search engine. That said, I know it’s following me. It keeps records of what I search for, what sites I visit, and what I like to build a profile of me. It then offers me targeted ads and targeted search results. Sometimes that can be good. It saves me search time. Unfortunately, there are other times that I might not want Google to know so much about me.

If, for example, the government ever needs to find information about me, I’m sure they will stop at Google for a little help. And, make no mistake about it, Google will be only all too happy to comply. Here is the most recent data from Google showing requests for customer data within the U.S.

google data requests

But requests for data are one thing and actually coughing up that data is another. So what percentage of these requests were acceded to? Here’s the chart that gives this information.

google percent data requests honored

In other words, Google agrees to most of the data requests it receives (82%).

What data does it have on you? Quite a bit. You can get a copy of all the data Google has on you here. You can choose what information to look at. I chose the following, which comprised over 2GB of data.

google data

But there is more to privacy than this. Google knows in advance what you are probably searching for. If you type in the first letter of a search, it will suggest frequently visited sites that begin with that letter. This can be convenient. It could also cause you problems.

Imagine, for example, your wife wants to look for a bread recipe, types in a ‘b’ and sees that ‘babes in bikinis’ is suggested. Busted! Sure, you can delete your history, but how many of us actually do that after each browsing session. Besides, Google will still keep your browsing information no matter what privacy steps you decide to take. They need it for advertising. But I understand. Google is a business and they need to make money. At this point in cyber history, selling personal information is the best way to get rich.

But what if you can use a non-tracking browser that uses the Google search engine? What if Google never knew who was browsing or what they were browsing for? That would certainly give the user much more privacy. Well, those search engines are here, and, in this post, I’ll suggest a few.

There are a number of private search engines. Most privacy-concerned individuals have heard about DuckDuckGo, which is used by the Tor browser. DuckDuckGo leverages Yahoo search, and I don’t really find the results from Yahoo to be as good as those from Google. Besides, Yahoo has the worst privacy policy available and they have been known to collude with the NSA. Therefore, I will only focus on private search engines that use actual Google results or results from a combination of search engines that includes Google.

Private search engines protect your privacy by acting as an intermediary. You type your search terms into their search page and they go to Google for you. Google only sees the search engine address as the searcher. They don’t know the real person behind it.

As Google builds its profile about you, their algorithm begins to send you targeted search results. In short, they filter out any results they think you would not be interested in. This leads to the formation of what is called, a ‘filter bubble’. You will be isolated from results that conflict with your viewpoint. It is a strategy which, no doubt, can help magnify divisions within a culture. Private search engines will not do this. When they leverage Google, Google has no profile of you personally, so they must present all viewpoints in their search results.

For this post, I will look at three search engines which base their results on Google or Google and other search results (not including Yahoo) and which have high privacy features. These search engines are StartPage, Gibiru, and SearX.

StartPage

startpage

Startpage uses Google search results. It does not offer suggestions as you type, but you have the option of turning this feature on in the settings menu. However, keep in mind that the suggestions will be Google’s suggestions so they could be biased.

You can browse for images and videos and videos will be shown in thumbnails. If you click on the thumbnail you will receive this message.

Some may also worry about using Startpage with servers in the U.S. because they worry that these servers could be compromised by law enforcement. Yes, that does happen. However, Startpage gives you the option of using only EU servers, not that these can be guaranteed to be safer, but they could be. Then again, there’s no guarantee that Startpage or any other private search engine will not keep logs that connect to your IP address, you simply have to trust that they won’t.

Startpage uses ads to make money. They appear at the top of the search result and are not as obvious as they are on some search engine results.

Gibiru

gibiru

“Gibiru is the preferred Search Engine for Patriots.” At least that’s how the founder and CEO of Gibiru, Steve Marshal, markets it. It is a bare-bones search engine that uses Google results. It was designed by a former Google employee who became disenchanted with the way Google was manipulating personal information to make big profits. “Just as Google was forced by China to only show negative results for the web search Dali Lama and Tibet in an agreement that would allow Google to operate business in China, the same system of censorship and secret policing of citizens is developing now. Would you trust the government’s mainstream media to tell you the truth?” Some may call it paranoia, others may call it being cautious.

Gibiru uses featured ads to make money. They also seem to use your IP address to target you with these ads. In other words, they seem to, at least temporarily, store this information. They recommend incorporating their search engine into the Firefox browser for enhanced anonymity.

SearX

searx
SearX is the most malleable of all private search engines. It is a metasearch engine, meaning that it aggregates search results from a number of search engines. The selling point of SearX is that you can choose which search engines you want to use. There are a number of other settings that you can use to personalize SearX.

By default, SearX does not autocomplete your search results; however, you can enable this feature and even choose which search engine you want to do the autocomplete function. All custom settings are saved in your browser, not on the SearX website. You can also filter search results in a variety of ways not offered by other private search engines. SearX is based on open source code so it does not give you any ads. It does, however, ask for donations. Nonetheless, you could make a good argument for SearX being the best search engine available anywhere, encrypted or not.

Other Notable Private Search Engines

Search Encrypt is often mentioned when people write about private search engines. It has the advantage of encrypting your search terms before it searches, thus, adding another layer of anonymity to your searching. On the other hand, it is not configurable. You get the search results it wants to give you, and, in my opinion, these are often lacking. Search Encrypt can be integrated with your browser (Chrome and Firefox), but users complain that it interferes with search results more than it helps. Some claim it acts more like malware, but this may be because it predetermines which sites are free of tracking and will not suggest them. It is supported by ads in the search results.

Qwant is a French-based private search engine which seems to be growing in popularity. Those who want to avoid U.S.-based servers may find it attractive. The search results are fair, but a multiple of filters can be applied. It does use autocomplete, but it is impossible to tell if this is biased, because it cuts out early when typing in a search phrase. It does offer paid ads mixed in among the search results and they are not all that obvious.

Final Remarks

All of the private search engines mentioned in this post will protect your search results from being used to build a profile of you that can subsequently be sold to advertisers. Some simply offer more features than others. Just like a VPN, there is no way to ensure that they keep their end of the bargain, but if you find you are being targeted with ads through your searches, be suspicious. Keep in mind that once you click on a website in the search, you are on your own. The search engines only protect your searches from being monetized and nothing more. Add a VPN and even Tor browser into the mix if you are looking for the best privacy you can get. However, keep in mind that absolute privacy may still be unattainable.

Posted in Uncategorized | Tagged , , | Leave a comment