Search the Community

NEXT TIME YOU’RE about to toss a cigarette butt on the ground, consider this freaky fact: It takes less than a nanogram (or less than one billionth of the mass of a penny) of your dried saliva for scientists to construct a digital portrait that bears an uncanny resemblance to your very own face. For proof look to Hong Kong, where a recent ad campaign takes advantage of phenotyping, the prediction of physical appearance based on bits of DNA, to publicly shame people who have littered. If you walk around the city, you’ll notice portraits of people who look both scarily realistic and yet totally fake. These techno-futuristic most-wanted signs are the work of ad agency Ogilvy for nonprofit Hong Kong Cleanup, which is attempting to curb Hong Kong’s trash problem with the threat of high-tech scarlet lettering. It’s an awful lot like the Stranger Visions project from artist Heather Dewey-Hagborg, who used a similar technique a couple years back to construct sculptural faces as a way to provoke conversation around what we should be using these biological tools for. In the case of Hong Kong’s Face Of Litter campaign, the creative team teamed up with Parabon Nanolabs, a company out of Virginia that has developed a method to construct digital portraits from small traces of DNA. Parabon began developing this technology more than five years ago in tandem with the Department of Defense, mostly to use as a tool in criminal investigations. Parabon’s technique draws on the growing wealth of information we have about the human genome. By analyzing saliva or blood, the company is able to make an educated prediction of what you might look like. Most forensic work uses DNA to create a fingerprint, or a series of data points that will give a two-dimensional look at an individual that can be matched to pre-existing DNA samples. “We’re interested in using DNA as a blueprint,” explains Steven Armentrout, founder of Parabon. “We read the genetic code.” The DNA found on the Hong Kong trash is taken to a genotyping lab, where a massive data set on the litterbug is produced. This data, when processed with Parabon’s machine-learning algorithms, begins to form a rough snapshot of certain phenotypes, or traits. Parabon focuses on what it describes as highly heritable traits—or traits that have the least amount of environmental variability involved. Things like eye color, hair color, skin color, freckling, and face shape are far easier to determine than height, age, and even hair morphology (straight, wavy, or curly). The Ogilvy team says it accounted for age by studying market research on the types of litter it processed. For example, people ages 18-34 are more likely to chew gum, so any gum samples were automatically given an average age in that range. Whereas the portraits of cigarette litterers, more common among the 45-plus group, were depicted as slightly older. It’s an imperfect science in some regards, and yet, the capabilities are astounding—and more than a little scary. Ogilvy says it received permission from every person whose trash they picked up, so in that way, it’s not a true case of unsolicited public shaming. And Parabon itself says its services are only available for criminal investigations (and, apparently, ad campaigns). But the message is still chilling. A project like The Face of Litter should serve as a provocation to talk critically about privacy, consent, and ethics surrounding the unsanctioned appropriation of someone’s DNA. So for now, the next time you drop that empty bag of Doritos onto the ground, you’re in the clear. But in the future? Just know it’s totally possible that you might be seeing your likeness plastered onto the subway walls. Source

DLL hijacking has plagued Windows machines back as far as 2000 and provides hackers with a quiet way to gain persistence on a vulnerable machine, or remotely exploit a vulnerable application. And now it’s come to Apple’s Mac OS X. This week at the CanSecWest conference in Vancouver, Synack director of research Patrick Wardle is expected to deliver a talk during which he’ll explain different attacks that abuse dylibs in OS X for many of the same outcomes as with Windows: persistence; process injection; security feature bypass (in this case, Apple Gatekeeper); and remote exploitation. “DLL hijacking has haunted Windows for a while; it’s been abused by malware by a number of malicious adversaries. It’s a fairly widespread attack,” Wardle told Threatpost. “I wondered if it was similar on OS X and I found an attack similar to that. Under the hood, there are technical differences, but it provides the same capabilities. Given you have a vulnerable app on OS X, you can abuse it the same way it’s abused on Windows.” Wardle is also expected to release following his talk source code for a scanner that discovers apps that are vulnerable to his attack. Running his Python script against his own OS X machine, Wardle was able to find 144 binaries vulnerable to different flavors of his dylib hijacking attacks, including Apple’s Xcode, iMovie and Quicktime plugins, Microsoft Word, Excel, and PowerPoint, and third-party apps such as Java, Dropbox, GPG Tools and Adobe plugins. “Windows is vulnerable to DLL hijacking, and now OS X is similarly vulnerable to dylib hijacking,” Wardle said. With DLL and dylib attacks, the concept is essentially the same: an attacker must find a way to get a malicious library into a directory that is loaded by the operating system. Wardle explained one facet of his attack where he was able to find a vulnerable Apply binary in its Photostream Agent that automatically started with iCloud. “It’s perfect for attacker persistence,” Wardle said. “You copy a specially crafted dylib into the directory PhotoStream looks for when the app starts, and the attacker’s dylib is loaded into the context of the process. It’s a stealthy way to gain persistence; you’re not creating any new processes, nor modifying any files. You’re planting a single dylib and you’re in.” In another attack, Wardle said he was able to gain automatic and persistent code execution via a process injection against Xcode, Apple’s integrated developer environment. “My malware infects Xcode and any time a developer deploys a new binary, it would also add the malicious code,” Wardle said. “It’s an anonymous propagation vector.” Wardle was also able to remotely bypass Apple’s Gatekeeper security product that limits what software can be downloaded onto an Apple machine and from where, in addition to providing antimalware protection. His malicious dylib code, he said, would be implanted in a download that should be blocked by Gatekeeper because it’s not signed from the Apple App Store. Gatekeeper, however, will load the malicious file remotely giving the attacker code execution, Wardle said. “Gatekeeper normally does a pretty good job of blocking these downloads, but now using this bypass, we can get users to infect themselves,” Wardle said. Wardle is expected to demonstrate an attack that combines all of these components, including the Gatekeeper bypass that when executed uses the dylib hijacking to gain persistence, grabs users’ files and exfiltrates that data to iCloud, and can also sent remote commands to the vulnerable machine. Most worrisome, he said, is that his malware went undetected by most antivirus packages, and Apple barely acknowledged his bug reports starting in January other than an automated response, and a thank you and congratulations on his talk being accepted at CanSecWest. “I think things are broken. This abuses legitimate functionality of OS X and it’s not patched,” Wardle said. “These attacks are powerful and stealthy, and do a lot of malicious things.” Source

The shoddy state of SSL certificate validation on the Internet again floated to the surface, this time by the Superfish mess, which continues to get worse. The Electronic Frontier Foundation on Wednesday released a report based on data scoured from the Decentralized SSL Observatory which it maintains shows the number of certificates that were improperly validated by the Komodia library at the core of the Superfish fiasco has climbed to over 1,600. While it’s impossible to determine, EFF researchers say it’s probable that Komodia software did enable some real-world man-in-the-middle attacks. The Komodia software, which was built into the Superfish adware pre-installed on Lenovo computers, contains a vulnerability that breaks HTTPS connections and allows an attacker to pull off man-in-the-middle attacks. EFF staff technologists Jeremy Gillula and Joseph Bonneau said that some of the domains affected by Komodia include Google’s mail domain, Yahoo log-in domains, Bing, Windows Live Mail, Amazon, eBay checkout and Superfish.com among many others. “While it’s likely that some of these domains had legitimately invalid certificates (due to configuration errors or other routine issues), it seems unlikely that all of them did,” Gillula and Bonneau wrote in their report. “Thus it’s possible that Komodia’s software enabled real MitM attacks which gave attackers access to people’s email, search histories, social media accounts, e-commerce accounts, bank accounts, and even the ability to install malicious software that could permanently compromise a user’s browser or read their encryption keys.” Komodia’s behavior of adding a new root certificate and dubious alterations to a computer’s network stack, validates certificates that should otherwise raise a browser warning. “This means that an attacker doesn’t even need to know which Komodia-based product a user has (and thus which Komodia private key to use to sign their evil certificate)—they just have to create an invalid certificate with the target domain as one of the alternative names, and every Komodia-based product will cause it to be accepted,” they wrote. Gillula told Threatpost that contextually the situation is not surprising given that the certificate system has been teetering on disaster for some time, a situation that’s complicated by the sheer number of Certificate Authorities at work on the Internet, many of which could also be interdicted by law enforcement or repressive government. “The most egregious thing is the idea that companies think it’s OK to interfere with people’s encrypted traffic even on their own machines,” Gillula said. “That they think it’s OK to install a root cert and go to town on it.” Gillula said he was compelled by reports related to Superfish that pointed out that an attacker would have a relatively easy time sliding an invalid certificate into legitimate traffic by inserting the domain they wanted to use in a man-in-the-middle attack into the Subject Alternative Name field. “It would go right on through,” Gillula said. Searching for that scenario in the Decentralized SSL Observatory was also relatively simple, Gillula said. It required a query that searched for certificates that contained a unique string called verify_fail[domain name] in the Subject Alternative Name field used by one of the software applications identified as running the Komodia SSL Digester proxy. “Lo and behold, we discovered that a lot of these certs when they hit the proxy are invalid, but Komodia changes them and because of the alternative name, ended up being valid when they hit the browser,” Gillula said, adding that Komodia wipes away any traces of a potential man-in-the-middle attack making it impossible to determine whether an attack occurred or a merely a misconfigured certificate popped up in the search. The real problem, however, are the practices of third-party vendors such as adware purveyors like Superfish who build tools to intercept traffic and manipulate certificate validation, moving it outside the browser. “The lesson for vendors is that they should stop trying to man-in-the-middle SSL connections on customer machines,” Gillula said. “Unless they’re willing to put in a lot of significant engineering effort to verify they are doing things correctly, chances are there’s going to be a bug and it’s a dangerous thing to do.” Source

Spoiler alert: Those who haven’t yet seen the film, but plan to, please skip to the summary. Hollywood has tried to depict cyberwarfare and “hacking” many times. Hackers and The Net are just a couple of examples. Blackhat, a Michael Mann directed film, debuted in wide theatrical release on January 16th. Chris Hemsworth plays Nicholas Hathaway, a man who was serving time in prison for some sort of computer related crime. Viola Davis plays FBI Agent Carol Barrett. Leehom Wang plays Captain Dawai Chen, an officer of China’s cyberwarfare unit. Wei Tang plays his sister, Lien Chen. Lien’s character is central to the movie, she helps with the investigation and (spoiler alert!) falls in love with Nicholas. Here’s a quick synopsis. A nuclear power plant in Chai Wan, Hong Kong is attacked with a remote access tool (RAT.) Through the RAT, the plant’s programmable logic controllers are tampered with, causing the coolant pumps to overheat and explode. People within a ten kilometer radius of the plant are evacuated. Captain Dawai Chen has to find the culprit. He discovers, through his sister Lien and FBI Agent Carol Barrett, that the RAT contains code he wrote himself years ago, collaborating with Nicholas Hathaway. Nicholas was in prison, and Agent Barrett helped to release him, because of course, Nick’s help is crucial to the investigation. Coincidentally, the Mercantile Trade Exchange in Chicago is attacked with the same RAT, and soy prices skyrocket. It’s a commodities trading disaster! That incident makes the Chinese and American officials willing to collaborate. Our characters spend time in the US, travel to various locations in China, and eventually they travel to Malaysia and Indonesia as well. There’s lots of explosions, lots of super intense gunfire, one of the main characters is murdered while in his car, and of course, that explodes as well. I went into the movie theater with very low expectations for the film’s technical accuracy. Actually, Hollywood has done much worse when it comes to depicting cyberwarfare and information security attacks in general. There were highlights and lowlights. First, I’ll explain what I think the film got right. Accuracies It was quite correct to state that a RAT can be used to wreak havoc, such as causing a nuclear disaster. And malware has attacked nuclear facilities before, such as when Stuxnet hit Iran. Some of the GNU/Linux BASH shell commands were accurate. I saw a “sudo” here and there. It’s possible for the Chicago Mercantile Exchange to be attacked through a RAT. Yes, IPSes and firewalls are indeed network security devices. Kudos! Correct usage of the right kind of proxy servers can make tracing a blackhat’s activity a lot more difficult. What really impressed me was that at one point, someone filebound a keylogger to a PDF in order to acquire a password. The PDF was for the user to review their organization’s password policy when he was instructed to change his password. This was the very first time in American film and television that I’ve seen filebinding and software keylogging used properly, and the social engineering it may require to be successful. In NCIS and Hackers, they make it seem like “hacking” requires ultra fast typing. Supposedly, the way to “hack” or defend against a “hack” is to type at 327 words per minute! The faster the typing, the more hackerific the hacking! I didn’t see any of that BS in Blackhat. Very good. Now, here’s where Blackhat errs. Inaccuracies In the first scene that Chris Hemsworth’s Nicholas Hathaway appears in, he’s interrogated in prison about something he did. The interrogater says, “You used this to open a command line?” As if opening a command line on a machine is some super impressive, devious feat. Notice that he didn’t say “acquire root access.” Just “open a command line.” Groan… Although this has nothing to do with information security, I noticed that Hong Kong and the Chinese cities in the movie were completely devoid of air pollution. Beijing and other Chinese cities are notorious for having horrific air quality, to the extent that it even interferes with landings and departures at Beijing’s international airport. Absolutely all of the code displayed in the movie was hexidecimal. Or random combinations of letters and numbers, sometimes it was difficult to tell. I highly doubt that the coders in the movie work purely in assembly. Especially when they develop applications like RATs. An NSA information security professional was extremely perplexed that his data center was penetrated, because they have firewalls and IPSes. Those things are bulletproof, don’t ya know? Likewise, checking physical security amounted to verifying that the door to the server room was protected by a fingerprint scanner, and that’s it. A monitoring device was put on Nick for his release. Fair enough. It was controlled by an Android app. One of the settings was for how frequently the app checked the geolocation of Nick’s monitoring device. Nick was able to grab the Android phone at one point and change its settings so that it checked his location a lot less frequently. Why would the backend of a convict’s monitoring device be so insecure, physically and otherwise? Apparently, you can do a “whois” on both usernames and IP addresses. That’s news to me. On a related note, once you’ve found an IP address, you’ve definitely got someone! It’s not like dynamic IP addresses and IP address spoofing exist, or anything like that. Also, that contradicts how the movie shows that proxy server use can make attackers more difficult to find. In one scene, Nick and Lien eat at a Korean restaurant that’s somewhere in the United States. Hangul (Korean) characters can be seen here and there, but for some reason, there are Chinese characters to be seen as well. All that funny Asian writing is all the same, isn’t it? Anyway, at some point, Nick goes to the restaurant’s backroom, where there’s a PC with a couple of monitors. I could tell that Nick didn’t boot an OS from a USB stick or DVD. He didn’t use any external media, so he couldn’t have loaded applications from them either. A restaurant’s PC will typically have standard OS applications, financial software, and some sort of POS backend, without much else. I’d be surprised to find something like Wireshark or Nessus on a restaurant’s PC. Nonetheless, within mere seconds of acquiring physical access to the PC, Nick runs some pretty heavy duty network penetration tools. Black Widow is a fictional Nessus/OpenVAS-like program. Or perhaps it’s something like Kali Linux. It’s a super secret tool that only the FBI is supposed to have access to! As if these sorts of things are only developed by and used by the FBI! At one point, Nick and Lien are in the middle of a rural part of Malaysia. It’s really, really rural. There’s just a very tiny village there, and that’s it. Somehow, Lien is able to whip out her laptop and enjoy instant network connectivity. Maybe she’s using satellite technology, but that’s doubtful. FBI Agent Carol Barrett assures her colleagues that the Chinese can be trusted because “they’ve been cooperative so far.” I’ve written about Chinese cyber attacks on the United States before. Such incidents have been very frequent, and very recent. The movie takes place in March 2015. There was Operation Aurora in late 2009 that targeted Google and Adobe. The Office of the National Counterintelligence Executive reported Chinese cyber attacks on American military servers to Congress in November 2011. Backdoors have been found in devices sold to the United States and manufactured by Huawei and ZTE, both of which are closely tied to the Chinese government. That’s just the tip of the iceberg. The FBI should be well aware that collaborating with the Chinese to investigate cyberwarfare is a bad idea. There are probably intelligence types who laughed while watching this movie. Summary It’s obvious to me that some effort was made to make Blackhat technically accurate. But clearly, there were still blunders. As far as the American and Chinese collaboration in the film is concerned, I think that can be explained with three words: International box office. More and more, major Hollywood studios are relying on it to make movies that cost $70 to 150 million profitable. For instance, by Hollywood blockbuster standards, Pacific Rim didn’t do very well in the United States. But it ended up making a lot of money anyway, largely from Chinese moviegoers. Hollywood looks at China with dollar signs in her eyes. So, it was an absolute must that the Chinese government was depicted positively in the movie. Compared to previous attempts, Blackhat is an improvement in how information security and computer technology is portrayed in fiction. But it’s only a minor improvement. Source