
vulnerabilities and vectors


Ric Ford

MacInTouch
What could possibly go wrong with intelligent assistants constantly listening to you?

Sophos said:
Getting an Amazon Echo app to silently eavesdrop on you

In news that will surely be a surprise to nobody, apps that run on Amazon’s home assistant, Echo, can be turned into silent eavesdroppers: no fancy hacking required, no new Echo vulnerability pried open.

Or at least they could, until Amazon fixed it.

Researchers at information security firm Checkmarx demonstrated what we probably all suspected was possible but hoped wasn’t by tweaking options in Alexa’s software development kit (SDK) – the kit that’s used to develop software, known as skills, for the Echo.

The voice-activated skills are the equivalent of the apps on your phone: discreet bits of software that add capabilities to the device. There are skills for finding open restaurants near you, getting Starbucks started on your coffee order, checking your bank balance, hearing the latest news and turning on the Christmas lights.

And on somebody’s desk at Checkmarx, there’s one for eavesdropping on you. It silently captures transcripts of what you’re saying and sends them to an external log accessible to the researchers who rigged the trap.
Wired said:
Turning an Echo Into a Spy Device Only Took Some Clever Coding
"We actually did not hack anything, we did not change anything, we just used the features that are given to developers," says Erez Yalon, the head of research at Checkmarx. "We had a few challenges that we had to overcome, but step by step it happened."

In fact, the researchers used an attack technique more common in mobile devices to carry off their eavesdropping. Whereas on a smartphone you might download a malicious app that snuck into, say, the Google Play Store, the researchers instead created a malicious Alexa applet—known as a "skill"—that could be uploaded to Amazon's Skill Store. Specifically, the researchers designed a skill that acts as a calculator, but has a lot more going on behind the scenes. (The Checkmarx team did not actually make their skill available to the general public.)
 
An interesting article. In the comments section, some lament the loss of beginning-to-end control of the supply chain and lambaste companies for moving their production facilities overseas. This view, in my opinion, does not take into account most Americans' lust for the "lowest price guarantee" of the Walmarts, etc. Many, many folks don't want to pay more than the absolute minimum for their purchases, yet want to receive good wages from their employers. Paying high wages while selling products at minimum prices is not possible, which helps explain why production moved out of the USA.
 
Perhaps hardware and software back doors are passé. How in the world do you combat these silent (to humans anyway) back door equivalents?

Alexa and Siri Can Hear This Hidden Command. You Can’t.
A group of students from University of California, Berkeley, and Georgetown University showed in 2016 that they could hide commands in white noise played over loudspeakers and through YouTube videos to get smart devices to turn on airplane mode or open a website.
This month, some of those Berkeley researchers published a research paper that went further, saying they could embed commands directly into recordings of music or spoken text. So while a human listener hears someone talking or an orchestra playing, Amazon’s Echo speaker might hear an instruction to add something to your shopping list.
 


Ars Technica said:
Chrome and Firefox leaks let sites steal visitors’ Facebook names, profile pics
For more than a year, Mozilla Firefox and Google Chrome may have leaked users’ Facebook usernames, profile pictures, and likes if the users’ browsers visited malicious websites that employed a cutting-edge hack, researchers said Thursday.

The data could be extracted through what’s known as a side-channel vulnerability in the browsers’ implementation of new standards for cascading style sheets introduced in 2016. One of the new features known as the “mix-blend-mode” leaked visual content hosted on Facebook to websites that included an iframe linking to it and some clever code to capture the data. ...

Weißer said Internet Explorer and Edge weren’t affected because they didn’t implement mix-blend-mode. He said Safari was also unaffected, but he wasn’t sure why. While this bug is fixed and probably didn’t affect many sites beyond Facebook, similar browser flaws that have yet to be publicly disclosed likely affect other properties.

“We have only demonstrated the attack potential against Facebook,” Habalov wrote in a blog post that explains the side-channel exploit in detail. “However, throughout the Web, there are tons of other sensitive resources which could be affected by attacks like this in a similar fashion. Unfortunately, we anticipate more and more of such vulnerabilities to be discovered over the years to come.”
 


Ric Ford

MacInTouch
Here's a good summary of phishing threats:
Palo Alto Networks said:
Phishing in a Nutshell: January – March 2018
Phishing remains one of the most dangerous threat vectors of cyberattacks.
...
In addition to the generic phishing templates, there were 1404 URLs with phishing spoof pages targeting Adobe customers, 155 URLs targeting DropBox customers, 18 URLs targeting Facebook users, 442 URLs targeting Google Doc users, 108 URLs targeting Google Drive users and 20 URLs targeting Office 365 customers.
 


Ric Ford

MacInTouch
More malware tricks to beware:
Threatpost said:
DanaBot Trojan Targets Bank Customers In Phishing Scam
The recently-discovered DanaBot banking trojan is making the rounds in a phishing campaign that targets potential victims with fake invoices from software company MYOB.

The emails purport to be invoices from MYOB, an Australian multinational corporation that provides tax, accounting and other business services software for SMBs. But in reality, the missives contain a dropper file that downloads the DanaBot banking trojan, which once downloaded steals private and sensitive information, and sends screenshots of the machine’s system and desktop to the Command and Control server.
 



Ric Ford

MacInTouch
Thus far, the DanaBot banking trojan is only known to impact Windows systems.
That's good to know, but it doesn't seem like a stretch to think that the same malware mechanisms could be used against Macs, since both FTP and JavaScript work across platforms, though apparently a new payload would be needed for macOS:
Threatpost said:
DanaBot Trojan Targets Bank Customers In Phishing Scam
“In clicking this ‘View Invoice’ button a zip archive is pulled down from what we believe is a compromised FTP server of an Australian company,” researchers said. “FTP credentials are supplied in the FTP link that is embedded in the ‘View Invoice’ button.”

Sigler told Threatpost that the use of FTP is an “odd choice” and not something researchers usually see. “It seems likely that the criminals compromised the FTP server of an Australian company and are using it to spread the malware,” he said. “It’s probably just a matter of convenience and using what was available to them at the time.”

From the FTP server a .Zip archive is downloaded. Contained inside the .Zip archive is a JavaScript downloader that when executed downloads the DanaBot trojan.
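The delivery chain Threatpost describes (an ftp:// link with embedded credentials behind a "View Invoice" button, fetching a .zip that holds a JavaScript downloader) can be triaged mechanically at the mail gateway. This is an added example, not code from Threatpost, Trustwave or this thread; the email body, host, credentials and archive are constructed placeholders.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

ARCHIVE_EXT = (".zip", ".rar", ".7z")
SCRIPT_EXT = (".js", ".jse", ".vbs", ".wsf", ".hta")  # assumed script types of interest


def link_indicators(url):
    """Reasons a link matches the chain in the article: ftp scheme,
    credentials carried in the URL itself, and a direct archive download."""
    p = urlparse(url)
    reasons = []
    if p.scheme.lower() == "ftp":
        reasons.append("ftp scheme")
    if p.username is not None or p.password is not None:
        reasons.append("credentials embedded in URL")
    if p.path.lower().endswith(ARCHIVE_EXT):
        reasons.append("direct archive download")
    return reasons


def extract_links(html):
    """Pull href targets out of an HTML mail body (e.g. a 'View Invoice' button)."""
    return re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.IGNORECASE)


def triage_email(html):
    """Map every link in the body to its indicators; two or more is a strong signal."""
    return {u: link_indicators(u) for u in extract_links(html)}


def archive_scripts(zip_bytes):
    """List script files inside a fetched archive: a lone .js in an 'invoice'
    archive is the downloader stage the article describes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXT)]


# Constructed sample mail; the host (.invalid TLD), credentials and file name are placeholders.
SAMPLE_EMAIL = """
<p>Your invoice is ready.</p>
<a href="ftp://ftpuser:Pa55w0rd@ftp.example.invalid/invoices/Invoice_4471.zip">View Invoice</a>
<a href="https://www.example.invalid/help">Help</a>
"""


def constructed_archive():
    """Build, in memory, an archive shaped like the one the link would fetch."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.js", "// placeholder content, not a real downloader\n")
    return buf.getvalue()


if __name__ == "__main__":
    for url, reasons in triage_email(SAMPLE_EMAIL).items():
        print(url, "->", reasons or "no indicators")
    print("scripts in archive:", archive_scripts(constructed_archive()))
```

The same indicators apply on a Mac: a JavaScript downloader only matters where something executes it, which is the platform-specific payload step Ric mentions above.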
 


That's good to know, but it doesn't seem like a stretch to think that the same malware mechanisms could be used against Macs, since both FTP and JavaScript work across platforms, though apparently a new payload would be needed for macOS:
That's correct and it has happened, though infrequently in the past, that a payload has been reconfigured for macOS.
 


I've been quipping for over a decade that some critical life-support equipment would get hacked. I'm not happy I was correct. Let's hope no lives are lost before Medtronic decides to fix this and roll out the fix.
Ars Technica said:
Hack causes pacemakers to deliver life-threatening shocks
Life-saving pacemakers manufactured by Medtronic don’t rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients’ lives, security researchers said Thursday.

At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they’re implanted in patients.
 



Fascinating and frightening news. I had been a paramedic a very long time ago and now wonder if malware detection will be part of first responder medic protocols. How bizarre.
I'm wondering how long it will be before someone is actually attacked in this fashion. So far, we've seen an article pointing out that it is possible, and I've seen a few fictional TV shows where someone was murdered this way, but I haven't heard of it actually happening in real life.

If this starts happening for real, I think there will be some very real lawsuits against the manufacturers. Especially given the fact that they have been publicly warned on multiple occasions.
 


Ric Ford

MacInTouch
We've been talking about DNS issues lately. Here's a dangerous DNS vulnerability that's virtually invisible to the victim even if you reinstall your operating system, change computers or do anything else, other than address a hidden vulnerability in the router:
Dan Goodin/Ars Technica said:
In-the-wild router exploit sends unwitting users to fake banking site
Hackers have been exploiting a vulnerability in DLink modem routers to send people to a fake banking website that attempts to steal their login credentials, a security researcher said Friday.

The vulnerability works against DLink DSL-2740R, DSL-2640B, DSL-2780B, DSL-2730B, and DSL-526B models that haven’t been patched in the past two years. As described in disclosures here, here, here, here, and here, the flaw allows attackers to remotely change the DNS server that connected computers use to translate domain names into IP addresses.

... Radware researcher Pascal Geenens wrote:
The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. A user can use any browser and his/her regular shortcuts, he or she can type in the URL manually or even use it from mobile devices such as iPhone, iPad, Android phones or tablets. He or she will still be sent to the malicious website instead of to their requested website, so the hijacking effectively works at the gateway level.
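Because the attack changes the router's own DNS setting, a client's resolver configuration looks normal (it still points at the gateway), so checking settings on the Mac proves nothing. One client-side check that does work is to compare what the network's resolver returns for a sensitive hostname against an independent resolver reached over HTTPS. This is an added example, not code from Ars Technica, Radware or this thread; it assumes Cloudflare's public DNS-over-HTTPS JSON endpoint, and the hostname and addresses in the test are constructed.

```python
import json
import socket
import urllib.request

# Assumption: Cloudflare's documented DNS-over-HTTPS JSON API.
DOH_URL = "https://cloudflare-dns.com/dns-query?name={name}&type=A"


def resolve_via_network(name):
    """IPv4 answers from whatever resolver the gateway handed out via DHCP."""
    infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def resolve_via_doh(name):
    """IPv4 answers from an out-of-band resolver. If the gateway redirected this
    request too, TLS certificate validation would fail and urlopen would raise."""
    req = urllib.request.Request(DOH_URL.format(name=name),
                                 headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = json.load(resp)
    return {rr["data"] for rr in body.get("Answer", []) if rr.get("type") == 1}


def classify(network_answers, reference_answers):
    """Pure comparison so the logic is testable offline.
    Any overlap is consistent. Disjoint sets mean either a hijack or ordinary
    GeoDNS, so confirm by checking the TLS certificate the network-resolved
    address actually serves before concluding anything."""
    if not network_answers or not reference_answers:
        return "no-data"
    if network_answers & reference_answers:
        return "consistent"
    return "possible-hijack"


def check_host(name):
    """Run both lookups for one hostname and classify the result (needs network)."""
    return classify(resolve_via_network(name), resolve_via_doh(name))


if __name__ == "__main__":
    # Replace with the bank or other hostname you care about; a rogue resolver
    # may answer honestly for everything except its chosen targets.
    print(check_host("example.com"))
```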
 


Ric Ford

MacInTouch
Sophos Naked Security said:
How one man could have hacked every Mac developer (73% of them, anyway)

... Long story short, Holmes was able to copy this API token, paste it into his own web requests, and get read-and-write access to much of Homebrew’s GitHub content.

As he explains in his post, he could have hacked pretty much any Homebrew package, thereby infecting any and every Mac user who installed or updated that package – or, of course, any other package that depended on it.

And, as Holmes wryly pointed out, the most downloaded package in the last 30 days at Homebrew is itself all about cybersecurity: openssl, with more than half-a-million installs last month.
 


Ric Ford

MacInTouch
BBC said:
This rigged charger can hijack your new laptop
One researcher, who goes by the name MG, showed me how a MacBook charger could be booby-trapped. Modified in such a way it was possible to hijack a user's computer, without them having any idea it was happening.

It’s the kind of hack that gives security professionals the chills. The ubiquitous white, square chargers for MacBooks are seen in the offices and coffee shops of the world. They are borrowed, lost and replaced on a regular basis.
 


Ric Ford

MacInTouch
This very dangerous type of attack is being seen in a variety of scenarios:
Engadget said:
Police expose SIM card hijacking ring

There's a good chance you've had to ask your carrier for a SIM swap, whether it's to replace a faulty card or to switch to another size (say, from micro SIM to nano SIM). Crooks, however, are increasingly abusing those swaps to steal from unsuspecting cellphone users. Florida police have arrested Ricky Handschumacher on grand theft, money laundering and unauthorized computer access charges after law enforcement across the country discovered evidence of a fraud ring that relied on SIM hijacking.

Handschumacher and "at least" eight others would make phony SIM card swap requests, sometimes in collusion with carrier store employees, to tie service to a new phone that the intruders controlled. That, in turn, made it easy to rob a victim's virtual wallet -- if an account required two-factor authentication using text messages, the ring members could see the necessary code in time to use it.
Brian Krebs said:
T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account

T-Mobile is investigating a retail store employee who allegedly made unauthorized changes to a subscriber’s account in an elaborate scheme to steal the customer’s three-letter Instagram username. The modifications, which could have let the rogue employee empty bank accounts associated with the targeted T-Mobile subscriber, were made even though the victim customer already had taken steps recommended by the mobile carrier to help minimize the risks of account takeover. Here’s what happened, and some tips on how you can protect yourself from a similar fate.

Earlier this month, KrebsOnSecurity heard from Paul Rosenzweig, a 27-year-old T-Mobile customer from Boston who had his wireless account briefly hijacked. Rosenzweig had previously adopted T-Mobile’s advice to customers about blocking mobile number port-out scams, an increasingly common scheme in which identity thieves armed with a fake ID in the name of a targeted customer show up at a retail store run by a different wireless provider and ask that the number be transferred to the competing mobile company’s network.
Brian Krebs said:
Florida Man Arrested in SIM Swap Conspiracy

All four major U.S. mobile phone companies allow customers to set personal identification numbers (PINs) on their accounts to help combat SIM swaps, as well as another type of phone hijacking known as a number port-out scam. But these precautions may serve as little protection against crooked insiders working at mobile phone retail locations. On May 18, KrebsOnSecurity published a story about a Boston man who had his three-letter Instagram username hijacked after attackers executed a SIM swap against his T-Mobile account. According to T-Mobile, that attack was carried out with the help of a rogue company employee.

SIM swap scams illustrate a crucial weak point of multi-factor authentication methods that rely on a one-time code sent either via text message or an automated phone call. If an online account that you value offers more robust forms of multi-factor authentication — such as one-time codes generated by an app, or better yet hardware-based security keys — please consider taking full advantage of those options.

If, however, SMS-based authentication is the only option available, this is still far better than simply relying on a username and password to protect the account. If you haven’t done so lately, head on over to twofactorauth.org, which maintains probably the most comprehensive list of which sites support multi-factor authentication, indexing each by type of site (email, gaming, finance, etc) and the type of added authentication offered (SMS, phone call, software/hardware token, etc.).
 


Ric Ford

MacInTouch
Sophos Naked Security said:
Feds indict 12 for allegedly buying iPhones on other people’s dimes
The Feds have indicted a dozen people for allegedly using hacked cell phone accounts to “upgrade” to nice, shiny new iPhones and other pricey gadgets, waltzing into stores to pay the small upgrade fees, sticking victims with the rest of the costs, selling the loot for full purchase price, and pocketing the profit. The US Department of Justice (DOJ) announced the indictments on Thursday.
...
According to the indictment, defendants allegedly traveled to 30 states to get the phones, then often brought them back to the Bronx to sell through fencing operations. The cellphone carriers absorbed the financial losses, but the victims suffered the theft of their identities and/or had their accounts accessed without authorization.

Besides charging the vast majority of the devices’ fees to existing customers’ accounts, the fraudsters sometimes created new, bogus accounts, the indictment says. Over time, they changed tactics to stay ahead of law enforcement.
 


After reading the USB-C power attack discussion, I googled 'USB-C power' and read some articles and topics about the USB-C DC power specs. Used for power, USB-C provides several DC voltages, each with its own current limit.

Assuming that the Apple Supply Chain of USB-C power bricks hasn't been physically breached, your biggest problem would be public USB-C charging stations, and your second biggest problem would be counterfeit USB-C bricks.

In either case, an electronically skilled hardware hacker could readily build a cheap little data filter that would pass DC and not much higher in bandwidth through a USB-C power cable connection. That same hardware hacker could likely also build a data activity detector to allow public charge stations to be tested for sketchy behavior. In any case, my takeaway is to avoid public USB-C chargers in the absence of a data filter, and don't buy knockoff USB-C bricks without same.
 



More scary news about critical life-support equipment.
BleepingComputer said:
Hackers Can Falsify Patient Vitals
Hackers can falsify patients' vitals by emulating data sent from medical equipment clients to central monitoring systems, a McAfee security researcher revealed over the weekend at the DEF CON 26 security conference.

The research, available here, takes advantage of a weak communications protocol used by some patient monitoring equipment to send data to a central monitoring station.
 


A quick check using Mactracker showed that Skylake processors first appeared in 2015 iMacs and in 2016 MacBooks.
Ars Technica said:
Speculative execution claims another scalp, scuppers Intel SGX
Another day, another speculative execution-based attack. Data protected by Intel's SGX—data that's meant to be protected even from a malicious or hacked kernel—can be read by an attacker thanks to leaks enabled by speculative execution.
...
SGX, standing for Software Guard eXtensions, is a new feature that Intel introduced with its Skylake processors that enables the creation of Trusted Execution Environments (TEEs).
...
As with many of the other speculative execution issues, a large part of the fix comes in the form of microcode updates, and in this case, the microcode updates are already released and in the wild and have been for some weeks.
... These cases don't, however, completely eliminate the risks, especially when hyperthreading is used. ...
 



The Verge said:
How an international hacker network turned stolen press releases into $100 million
Newswires like Business Wire are clearinghouses for corporate information, holding press releases, regulatory announcements, and other market-moving information under strict embargo before sending it out to the world. Over a period of at least five years, three US newswires were hacked using a variety of methods from SQL injections and phishing emails to data-stealing malware and illicitly acquired login credentials. Traders who were active on US stock exchanges drew up shopping lists of company press releases and told the hackers when to expect them to hit the newswires. The hackers would then upload the stolen press releases to foreign servers for the traders to access in exchange for 40 percent of their profits, paid to various offshore bank accounts.
...
“Just about every organization that compiles financial data that could be useful for traders has, at some point, been hacked,” says Scott Borg, director of the US Cyber Consequences Unit, a nonprofit research institute that does consulting for the US government. “All the bureaus of economic analysis from major countries in the world have almost certainly been hacked.”
 


BleepingComputer said:
OCR Software Dev Exposes 200,000 Customer Documents
A misconfigured MongoDB server belonging to Abbyy, an optical character recognition software developer, allowed public access to customer files.

Independent security researcher Bob Diachenko discovered the database on August 19 hosted on the Amazon Web Services (AWS) cloud platform. It was 142GB in size and it allowed access without the need to log in.

The sizeable database included scanned documents of the sensitive kind: contracts, non-disclosure agreements, internal letters, and memos. Included were more than 200,000 files from Abbyy customers who scanned the data and kept it at the ready in the cloud.
... The duration of the exposure is unclear, but it is not far-fetched to assume that data has already been accessed by unauthorized individuals. Such a finding could be worth a lot of money.
... Data exposure and leak incidents involving an insufficiently secured MongoDB server are not new, some of them impacting millions of individuals, and ending in ransom demands.
 


BBC News said:
Air Canada app data breach involves passport numbers

Air Canada's app has suffered a data breach resulting in the suspected loss of thousands of its customers' personal details.

The airline has warned that users who had entered their passport details into the product may have had that data stolen.

Experts warn that the theft of such information would pose a serious ID fraud risk.

The firm has also been criticised for its relatively weak password system.

Although it is not clear how the breach occurred, one cyber-security specialist highlighted that Air Canada's website still says account passwords should contain between six and 10 characters and that it only accepts letters and numbers, but no other symbols.
 

