Author: securepc

Hackers Can Use PDF Files To Access Windows Credentials

Security researcher Assaf Baharav from Check Point Security has discovered a new twist on an old, fairly well-known attack.  He was able to essentially “weaponize” PDFs to steal Windows credentials stored in NTLM hashes.  Unfortunately, no action other than simply opening the PDF is required for the hacker to gain access to the information.

Baharav used the same methodology that hackers have used in the past, which amounts to instantiating SMB requests from inside the document.  Hackers have already performed these types of attacks from inside web browsers, Windows shortcut files, shared folders, Microsoft Office documents, and Microsoft outlook. Using a PDF to run the exploit is something new.

Baharav had this to say about his research:

“We chose to test these two high profile readers (Adobe Acrobat and the FoxIT reader).  Regarding the others, we highly suspect they may be vulnerable as well.  We followed a 90 days disclosure policy by notifying only Adobe and Foxit regarding the issues.”

Foxit did not respond to the information Baharav sent, but Adobe did.  Unfortunately, their response was not encouraging.  They simply announced that they had no plans to address the issue, deferring to Windows OS-level mitigations (reference Microsoft Security Advisory ADV170014).

Microsoft released this advisory to provide instructions on how to disable the NTLM SSO authentication inside the Windows operating system.  This is a workable solution, but it has problems.

For starters, it’s not really a patch, but rather the modification of a specific registry key and then the implementation of a network isolation policy.  Worse, it’s only applicable to Windows 10 and Windows Server 2016 machines.  People who have older systems are simply left vulnerable.

Be on the alert then PDFs can now be used to steal credentials.  It appears that every reader is affected and that no help is coming for older systems.

Majority Of Web Apps Found To Have Security Vulnerabilities 

How many web apps do you have on your phone?  Probably a ton.  Here’s something you likely didn’t know.  Based on the latest research from Positive Technologies, nearly half of them (48 percent) are vulnerable to unauthorized access.

As bad as that is, it’s just the tip of the proverbial iceberg.

Here are some additional disturbing stats from their report:

  • 44 percent of the apps with vulnerabilities place the user’s personal data at risk
  • 70 percent are prone to leak critical information stored on the device
  • 96 percent of them contain flaws that would allow any malicious actor to exploit them to launch an attack on the target device
  • Of those, one in six (17 percent) has a flaw severe enough that it would allow an attacker to assume complete control over the app, and from there, the device itself

The majority of these flaws (some 65 percent) are the result of simple coding errors, with improper configuration of web servers being the most common of these.

There is one bright spot in the otherwise dismal report, though.  The percentage of apps with critical vulnerabilities has declined slightly, down from 52 percent last year, and 59 percent the year before. So the numbers, while frustratingly large, are trending in the right direction.

Ed Keary, the CEO of Edgescan had this to say on the topic:

“DevSecOps needs to be embraced such that security is throughout the development pipeline.  Application component security management (software components used by developers) is still not commonplace in terms of supporting frameworks and software components and is a common source of vulnerability.”

If your firm designs such applications, pay special attention to this report and review your code base at the earliest opportunity.  Even if you don’t, it pays to be mindful of the percentages, because odds are that your employees have several at-risk apps on the devices they’re connecting to your network.

New Trick Lets Hackers Bypass Office 365 Email Security

What’s old is new again.

Hackers have recently begun re-deploying a decade-old trick called ‘ZeroFont’ to get around Microsoft’s security filters and deliver phishing and spam emails to Office 365 email accounts.  The gimmick?  Zero-point fonts.

As anyone with even passing familiarity to Office 365 knows, if you’re drafting a document, you can change the font size to suit your tastes and preferences.  What few people realize is that you can use html code to set your font to zero-point size.

Of course, such a move has no practical application in everyday usage, because no one could read a zero-point font.  Hackers, however, can make cunning use of it, and Office 365 is unable to detect the presence of zero-point fonts.  Since they’re not detected, they’re not marked as malicious and sail right through the security filters.

By itself, the zero-point trick is useful, but not inherently deadly.  Unfortunately, it can be combined with other tricks like Punycode, Unicode, or Hexidecimal code to insert malicious commands into what appears to be a totally innocent email.

It gets better (or worse, depending on your point of view).  Just last month, researchers at a company called Avanan discovered that it was possible to use the HTML tag in an email or Office 365 document, point it at a malicious site, and the security filters would blithely ignore it.

Again, it should be noted that these tricks aren’t new.  They’ve been around for years, fell out of favor in preference for newer techniques, and now are being recycled.  Apparently, they’re so old that they skate right past modern security flags and filters.

Expect updates soon to catch these types of things, but in the short run, just be aware these types of attacks are not only possible, but trivial to execute.

Apple Will Officially No Longer Sell Routers

After more than two decades in the business, Apple is officially going to stop selling routers.  The writing has been on the wall for a while now, since the company’s “AirPort” family of products hasn’t received a significant update in more than five years.

When Apple first introduced its AirPort product line, wireless computing was still something of a rarity, and Apple’s offerings were ahead of their time.  In the years between then and now though, the market has changed significantly.  Unfortunately, Apple’s product line never really changed with it.

These days the competition is fierce with industry giants like Google and Linksys both offering great options for power users. With the rise of mesh networks, the AirPort product line has fallen increasingly behind the times.

The company announced that it would sell its existing AirPort product inventory and support its current user base for the time being, but after that, it would quietly fade away.  The company has simply moved on and has redirected its efforts toward other initiatives.

In looking at the broader market, it’s not a huge blow. Of course, if you own and use an AirPort product, now is the time to begin casting about for alternatives.  The clock is ticking, and once Apple sheds its existing inventory, we can expect to get an end of support date from them. This will leave any AirPort products still in operation at that point increasingly vulnerable to a variety of hacks.

Even so, given how ubiquitous wireless networking is these days, and how many powerful options are out there, finding a replacement for your AirPort product shouldn’t present too much of a challenge.  Just make sure your IT staff knows that the end is nigh, so they can get a replacement in place before the clock runs out.

Study Shows People Prefer Alternatives Over Passwords

File this one away under “confirming things we already knew.”  A recent study conducted jointly by Blink and Trusona confirmed that people just don’t like passwords very much.

Their study tracked the login behavior of 148 participants over a three-week period.  Without knowing the true purpose of the study, participants were asked to log into a gift idea generation website at least three times a week.

They were given the option of a “classic” (password-based) login, or an “easy” login option, which utilized alternative forms of authentication.

The results should surprise no one, but here are some of the statistics collected during the course of the experiment:

  • 84 percent of participants utilized the easy login at least once
  • 47 percent of participants utilized the classic login at least once
  • Those who used the easy login had successful logins 78 percent of the time
  • Those who used the classic login had successful logins 56 percent of the time

Per Robert Capps, a VP for NuData Security,

“This report shows that consumers are ready to move beyond passwords and usernames to more secure authentication methodologies.  Using a multilayered authentication framework that combined behavioral analytics with biometrics allows companies to verify users accurately without adding unnecessary friction and detect any unauthorized activity before it enters the environment.

Multilayered solutions that include these technologies analyze hundreds of data points throughout a session and create an evolving profile of a user across the session.  Passive biometrics and behavioral analytics are technologies that can provide this level of monitoring without adding friction to legitimate users, thus creating more convenient experiences for users.”

Clearly, users don’t like passwords.  Unfortunately, there’s currently no technology on the market capable of the feats Mr. Capps describes.  There are several promising models and products in varying stages of development, but sadly we’re still a ways off from realizing a password-free, hyper-secure login paradigm.  That day is no doubt coming though, and not a moment too soon.

Use Caution Traveling, Hackers Now Have Keys To Hotel Rooms

Score one for the good guys, but with hesitation. Unfortunately, in today’s fast-moving digital world, even a victory doesn’t mean the end of a problem.

Recently, a pair of researchers (Tomi Tuominen and Timo Hirvonen of F-Secure) released information about a new hack they had discovered. It takes advantage of a critical security flaw in the magnetic VingCard locking systems used in hotel chains around the world.

This particular system produced by Assa Abloy is deployed in more than 42,000 facilities around the world. So in terms of scope and scale, this flaw impacts literally millions of doors.

The security flaw is about as bad as it gets, too.  The duo found a way that hackers could turn an old, dead RFID key card into a master key that could be used to unlock any VingCard door.  Although the software they used to create the master key card is proprietary, any hacker worth his salt and with a couple hundred dollars to spare for equipment could reproduce the hack on their own, if given time.

Fortunately, long before the pair announced their discovery of the hack, they contacted Assa Abloy privately. They have been working with the company’s R&D department to develop a fix for the security flaw.  That fix has now been deployed, and the researchers stress that so far, there is no evidence that the exploit has ever been used in the wild.

Of course, that doesn’t mean that it couldn’t be used, and just because Assa Abloy has released a fix for the flaw doesn’t mean that everyone will promptly install it. So, the risk is still very real.  If you’re a frequent traveler, take extra precautions and don’t leave your valuables in plain sight in your room.  They may be more vulnerable than you realize.

Turn Cortana Off At Lock Screen To Avoid Potential Hack

Do you use Cortana?  It’s a handy virtual assistant (like Siri) built into Windows 10.  Unfortunately, as useful as she is, there’s a problem. Even if you don’t use Cortana yourself, take heed:  Microsoft has recently issued a security update based on findings by McAfee researchers.

It turns out that Cortana can be “summoned” from the lock screen of your PC and used to execute attacks by tricking the ever-helpful Cortana into indexing files from a USB drive, then executing them.

To accomplish the attack, the hacker would need physical access to the PC. Once they had that, they could easily execute Powershell scripts to reset your Windows 10 password, which would then give them unfettered access.

The vulnerability takes advantage of two things:  First, Cortana “listens” for commands, even while the PC is locked. Then, the OS indexes files constantly so that they’re ready to use at a moment’s notice.  Put those two elements together and you have the makings of a disaster.

Microsoft has rushed a patch out the door to address the issue. For now, the company is advising users to simply disable Cortana on the lock screen, so that your PC has to be unlocked in order for her to be active.  It’s probably good advice, given that not all companies update their OS as soon as patches are available, and this one is important.

To be safe, even if you don’t use Cortana, go into settings and disable the virtual assistant on the lock screen.  Then, when you’re away from your PC, at least that’s one less thing you have to worry about.

Unfortunately, this isn’t the first Cortana-related security issue we’ve seen, and it’s not likely to be the last.  As useful as the feature is, it does open the door to a number of other (potential) problems.  Stay vigilant.

T-Mobile And Sprint To Merge Companies

The on-again, off-again talks about a merger between T-Mobile and Sprint is definitely back on, with T-Mobile planning to buy Sprint for a staggering $26 billion.

The deal has been in the works since before Trump was elected President. It died quietly when it became clear that the Obama administration would not allow the deal to go forward, due to concerns that it would leave the US with only three telecom providers, which could harm consumers.

The Trump administration has made it clear that they applaud the move.  However, Trump’s Justice Department may be a significant hurdle to clear.  Nonetheless, as things stand now, the deal is steaming ahead and the combined company would have a whopping 127+ million customers, putting it not far behind AT&T’s 141.6 million and Verizon Wireless’ 150.5 million customers. T-Mobile’s CEO John Legere would lead the new, larger company.

John had this to say about the planned merger:

“This combination will create a fierce competitor with the network scale to deliver more for consumers and businesses in the form of lower prices, more innovation, and second-to-none network experience – and do it all so much faster than either company could on its own.”

The underlying argument in favor of the merger is that the US is falling behind in terms of network speed. If there is to be any hope of arriving first at a nationwide 5G network, we need bigger, stronger and more robust competitors.

As history shows us clearly though, the regulators of the previous administration have valid concerns about the monopolization of the industry.  Any time there are fewer competitors on the board, regardless of the industry, consumers invariably get hit with higher prices. There’s no reason to believe this merger will lead to a different outcome.

Regardless, it now appears that the merger is likely to happen.

Some VW and Audi Cars May Be Hacked Through WiFi

Thanks to researchers Daan Keuper and Thijs Alkemade (who work at the Dutch cyber-security firm Computest), newly produced Golf GTE and Audi A3 vehicles are a little bit safer, and a lot less vulnerable to remote hacks.

The duo found that by taking advantage of these vehicles’ WiFi connection, they could access the cars’ IVI, (in-vehicle infotainment system) and from there, gain access to other systems as well.

The researchers had this to say about their work:

“Under certain conditions, attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and conversation history.  Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time.”

It gets worse though.  Once the researchers had gained access to these systems, they found they could also access the car’s braking and acceleration systems. They stopped short of performing exploits on these for fear of violating Volkswagen’s intellectual property rights.  A hacker, however, would not hesitate to do so.

Worse still, the company apparently had no idea there was a problem. In fact, when the researchers presented their findings, they discovered that the company had deployed the IVI system completely untested.

Since bringing the issue to the company’s attention, they have addressed the issue. However, the fix only applies to newly manufactured vehicles.  If you purchased either of the models listed above prior to June 2016, your vehicle has not received the fix, and will not get fixed unless you take it back to the dealership.  There’s no way for the company to remotely install it.  That means there are untold thousands of cars on the road right now that are vulnerable.

All Twitter Passwords Exposed, Change Your Password Now

Twitter shot itself in the foot recently but is working hard to get out in front of the problem.  According to a recent blog post, the company experienced an issue with its hashing routine – a process which masks user passwords, making them virtually impossible to crack.

Because of the issue, user passwords were stored as plain text on an internal log file.  The company found the bug on its own, conducted an investigation and found no evidence that anyone discovered the log file and appropriated it.  Although they gave no indication as to how many user passwords the log file contained, they nonetheless urged all of their 330+ million users to change their passwords immediately as a safety precaution.

This could have been far worse for the company, had the log been discovered by a diligent security researcher, or worse still, by a hacker.  Even so, it’s a fairly damaging bit of news that’s sure to cause at least some lost trust with its growing user base.

If you use Twitter, you should definitely take the company’s recommendation to heart and change your password immediately.  As ever, when you do, the best thing you can do to help yourself is to be sure you’re not using the same password on Twitter as you use on other websites you frequent.  That way, even if your password is compromised, the damage will be limited to your Twitter account only.

An even better solution would be to use a password safe, which securely stores the passwords of the various sites you frequent. Although even this step doesn’t provide bullet-proof protection, as password safes are by no means immune to hacking.

Diligence and vigilance are once again the keys.  Keep your passwords secure and change them often.