zafirt

The Real Problem With Facebook Privacy Issues

We can easily read the latest news on Facebook’s transgression of not protecting privacy of 50 million users on the CNN website , on 2015 this ‘hack’ supposedly happened and Facebook ‘let’ it happen.

I guess the media and the rest of the world was not paying attention, as in 2009 Dark Reading story: “Private Facebook Info exposed By Simple Hack”

Apparently a blog called FBHive was able to view supposedly private information .

How about this:

In 2008 a Sophos video about how to view everyone’s birthdate on Facebook, even if it claims to be “secure”.

So all one needs to do is hack Facebook. So what do I mean by that? Well, all one has to do is to play around with the URL settings of Facebook.

I.e. https://www.facebook.com/<FirstInitialLastname> for main account lookup, but then you need security username and password.

If you use https://www.facebook.com/photo.php?fbid=

Then use a set of numbers, which you can modify to look at other people’s information. What all these hackers found out is that Facebook has some settings that are public no matter what Facebook Privacy settings are. (we are not going to ‘hack’ Facebook on this post) .

So, what to do? The only thing one can do is to have a sufficient red team and make many tests from outside Facebook. It is obvious that Facebook does not have the capability to review its own security flaws.

So if one is a programmer then one can create quick programs to cycle through all numbers and place them in your own database, thus creating your own database of all the Facebook userbase.

There are more problems, one programmer was able to delete other user’s photo albums. The specific details are at zerohacks.com “Deleting any photo albums – How I hacked Your Facebook Photos”

Needless to say the enterprising programmer was able to delete another photo album and received $12.5k from Facebook’s bug bounty program. (He released to Facebook first not to the criminal hackers).

A serious Cybersecurity Audit must be performed by known attackers, call the ethical hackers or certified Information Systems Auditors (CISA). The price for this audit is cheap compared to the damage being done to Facebook today (many billion$ in stock price and reputation). The estimates are that Facebook has over 2 Billion monthly active users (Zephoria Digital marketing).

Even as some younger users disconnect due to shifting moods, there are still quite a few users on Facebook. I suspect this is only a beginning of the blowback to the Facebook reputation. As this latest election related snafu has created quite a big spotlight.

The point of this post is to be careful what you post, as if you post, it is public no matter the safeguards. Hackers are always out there probing for weaknesses, and it is better to find them yourself rather than have the criminals tell you after a defining Cybersecurity event for your company. TonyZ says: “Do not post anything that you are embarrassed for the world to know!”

Replace your Wi-Fi Router if 2yr+ old

Insignary had some research and created a report that looked into the binary code of most of the routers on the market. Technewsworld has a story…

And Business Insider has a story

The short story is that many router companies do not update their devices which would mean customers would have to upgrade firmware, which is also doubtful, but at least it is possible to update and secure your router. Many people do not update because it is difficult or time consuming, and the router upgrades require a technical skill missing in most home users anyway. It seems that all of the vulnerabilities of the routers:

WPA2(KRACK) – Key reinstallation attack

ffmpeg – DoS attack

openssl – DoS attack, and remote code exec

Samba – remote code exec

OSS components have weaknesses which are also open source.

New components that are secure have been created but have not been created to coexist with the Wi-Fi devices (within their firmware). If they would have been created you would have to download the firmware and then you would have to update this firmware. So the process of updating firmware in Wi-Fi routers differs with each manufacturer, I would go to your manufacturer website and try to find out if a new firmware has been released.

But as a safety precaution (with security in mind) it is probably best just to buy a new Wi-Fi router (which has software that does not have these old vulnerabilities.

So it depends on your level of risk and what you are protecting. Myself I always like to update my computers and wifi devices every year or every two years anyway. If you are in the habit of doing this as a standard way of doing business you will not be affected by these vulnerabilities.

Attack Life Cycle Changed By Cloud

Great video from BSides Columbus Ohio 2018 :

“Zero to Owned in 1 Hour”

That is an interesting review of how the new potential weaknesses are in the Cloud itself.

Human Access to the cloud can be a weak point.

AWS (Amazon Web Services)

Does Multi-factor Authentication work with multiple people running things?

Service Provider (cloud company) – has a main login, here is where the hacker can get the keys to the kingdom. what if the hacker can figure out to get the main account login somehow? we are so busy locking down all the desktops and more, it is the easy items that we seem to fall down on.

The comparison with the old life cycle is interesting, as we were so focused on denying system access last year (or pre-cloud).

Today if the main account somehow is taken over the hacker does not need to escalate privileges or keep access in the network since the main control account can do all of that and more.

So due to the big beacon of if you capture this item then you have keys to kingdom, what can we do to prevent this?

You have to review how the system administration and ownership of the cloud account is handled.

How many people are managing the main account
How is the password/authentication performed?
Who is reviewing the security of this important account?

I.e. who should be at fault if there is a security problem? The Cloud company (or service provider) or our own IT people? At first blush, you would think it depends on the problem, but the interesting thing about this is that some cloud companies want to push that responsibility to the client. Check this post by CSOonline.com :

12 top cloud Security threats “Treacherous 12”

Data Breaches
Insufficient Identity, credential and access management
Insecure interfaces and application programming interfaces (APIs)
System vulnerabilities
Account hijacking
Malicious Insiders
Advanced Persistent Threats (APTs)
Data loss
Insufficient Due Diligence
Abuse and nefarious use of cloud services
Denial of Service (DoS)
Shared Technology vulnerabilities

This is a nice list, so which threats could be classified “service provider”, and which would be more the client fault?

All of them could be both or either , except for System vulnerabilities which is just Service provider. Denial of Service ought to be service provider as well.

The problem is that the client can affect almost all of them as the client drives the applications and thus the technological trail. Or the client really controls most of the issue like account hijacking (main account)

As usual someone has to review and check (technical Audit) to make sure that the technology is doing what it is supposed to be doing “securely”.

Contact to discuss

CyberAttacks More Sophisticated

The attackers are getting better, they are not sitting still.

If you are hoping no one will notice you in your personal world … not likely, everyone is a target.

In this post lets connect a few dots:

SCmagazine story:“Social Media and Engineering Used to spread tempted cedar spyware”

So a fake Facebook profile method is infecting unsuspecting Facebook users (also called social engineering) using a fake app called kik. This app is actually designed to steal information from unsuspecting users that click on links or download the app.

So what do the criminals actually want? In the articles about this particular spyware is that the targets were in the middle east. So the criminals are looking for information – which can be used to make money with other information that they already have. I.e. if for example they stole a database with partial information, then would want to fill in the blanks.

(Image from hackread.com)

As the phones get more powerful with more apps and capabilities we have more information stored everywhere. So it should not be a surprise as health data will be more important (here is a picture of the new Samsung S9 unveiled in Spain Mobile World Congress 2018):

How about when you go to major newspaper like Los Angeles Times? Did you ever wonder if you could get hacked just by going to a website? Yes it can happen. Apparently cryptojacking code was found on the website by a security researcher. The cryptominer was based off Monero Cryptocurrency, which is an open source Cryptocurrency.

This hack at LA times was more sophisticated (than some others) as they kept the miner from taxing the visitor phones(sometimes can be set to use 100% of resources) so as to stay unnoticed.

Apparently the LA Times had a misconfigured website setting allowing anybody to upload code to a section of their cloud account on Amazon Web Services (AWS). So why not upload some crypto mining code and make some extra Monero’s when you can, that is what the criminal said?

So, now there are fake Facebook profiles, just like fake Twitter accounts. When you go to some websites it may unknowing to you download some software that uses your CPU, the idea is to find information about certain individuals so as to make more sophisticated attacks.

Notice the IRS hacks have become more sophisticated: KrebsOnSecurity has a story “IRS Scam Leverages hacked Tax preparers, Client bank accounts”.

So if you have a specific profile that the criminal is looking for, then there are a variety of ways that the criminal can get to you to make more and more money.

Here is a unique attack scenario:

“We’re having customers getting refunds they have not applied for,” Dodd said, noting that the transfers were traced back to a local tax preparer who’d apparently gotten phished or hacked. Those banks are now working with affected customers to close the accounts and open new ones, Dodd said. “If the crooks have breached a tax preparer and can send money to the client, they can sure enough pull money out of those accounts, too.”

Tax preparers and accountants are going to be targeted by criminals, especially in the next couple of months (March-April 2018). If your security is not up to par, then you will get a visit from a criminal in ways you have not thought of – including social media ‘friends’ videos and links to click on.

There are also Fake IRS websites that criminals have set up and if you find yourself on them, enter any of your personal data now the criminals can create your tax return and take your money.

Remember some of these attacks can be put together to target somebody that criminals want (accountant at a prominent company for example). We must prepare ourselves mentally and in other ways.

How about this – If you are wanting services from a tax preparer have they done the security audits to ensure as much as possible to reduce chances of hackers succeeding?

Ask them when doing your taxes – have them contact us.

Artificial Intelligence Cybersecurity

We as Cybersecurity practitioners must use the best tools we can find. So if AI(Artificial Intelligence) can help us we need to use them.

Of course we have to use real AI tools, not old tools renamed “AI” to sell more software for a little bit of time.

What is the definition of AI ? a machine software (i.e. no human modification) that imitates human behavior. Or a branch of computer science dealing with simulation of intelligent behavior in computers.

So a true AI Cybersecurity is a program running attack or defense for the network or computer without human interaction.

What in today’s environment shows small views of intelligence? Bots and viruses of course.

It is also my opinion that future AI will first come as more sophisticated “Bots” or infectious software:

SCMagazine story: “Cryptominer campaign leveraging Oracle bug spreads worldwide via multiple infection tactics”

Again this affected entities that did not patch their PeopleSoft HR and Oracle E-business Suite software.

NIST explanation of CVE-2017-10271:

What makes this vulnerability bad is that it is a remote execution vulnerability. “Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.” (from NIST link).

So if an AI program can program itself to infect and take over other machines to both infect other machines and perform other goals (like mine crypto currencies the latest actions in this exploit for example) then it is easily done when people find ways not to patch their software.

Image example of CVE-2017-10271 as it was found

The key is to patch your machines, and we have to develop “Blue team” AI first in this coming “AI war”

To be a bit clearer (as mud I am sure) As someone programs an attack program to do the 3 things mentioned:

Find vulnerability
Exploit vulnerability and make money with cryptocurrencies on your machines.
Propagate the program as much as possible

So the future in AI (the real scary part) is when a truly non-human fully automated attack program does all 3 items and improves. The danger in how it will act is still not fully realized yet. I.e. we are not sure how bad it will get.

The important piece of this puzzle is the exponential level of improvement a fully electronic AI could do.

Some people have talked about the ‘singularity’ moment when an AI will have more capabilities than a human brain(supposedly sometime in 2020s).

What about a Cybersecurity ‘singularity’ moment? When a improving attack program starts to improve so fast that it morphs into something that is difficult to stop.

Contact me to discuss