Tag: Security

Hackers Can Use PDF Files To Access Windows Credentials

Security researcher Assaf Baharav from Check Point Security has discovered a new twist on an old, fairly well-known attack.  He was able to essentially “weaponize” PDFs to steal Windows credentials stored in NTLM hashes.  Unfortunately, no action other than simply opening the PDF is required for the hacker to gain access to the information.

Baharav used the same methodology that hackers have used in the past, which amounts to instantiating SMB requests from inside the document.  Hackers have already performed these types of attacks from inside web browsers, Windows shortcut files, shared folders, Microsoft Office documents, and Microsoft outlook. Using a PDF to run the exploit is something new.

Baharav had this to say about his research:

“We chose to test these two high profile readers (Adobe Acrobat and the FoxIT reader).  Regarding the others, we highly suspect they may be vulnerable as well.  We followed a 90 days disclosure policy by notifying only Adobe and Foxit regarding the issues.”

Foxit did not respond to the information Baharav sent, but Adobe did.  Unfortunately, their response was not encouraging.  They simply announced that they had no plans to address the issue, deferring to Windows OS-level mitigations (reference Microsoft Security Advisory ADV170014).

Microsoft released this advisory to provide instructions on how to disable the NTLM SSO authentication inside the Windows operating system.  This is a workable solution, but it has problems.

For starters, it’s not really a patch, but rather the modification of a specific registry key and then the implementation of a network isolation policy.  Worse, it’s only applicable to Windows 10 and Windows Server 2016 machines.  People who have older systems are simply left vulnerable.

Be on the alert then PDFs can now be used to steal credentials.  It appears that every reader is affected and that no help is coming for older systems.

Majority Of Web Apps Found To Have Security Vulnerabilities 

How many web apps do you have on your phone?  Probably a ton.  Here’s something you likely didn’t know.  Based on the latest research from Positive Technologies, nearly half of them (48 percent) are vulnerable to unauthorized access.

As bad as that is, it’s just the tip of the proverbial iceberg.

Here are some additional disturbing stats from their report:

  • 44 percent of the apps with vulnerabilities place the user’s personal data at risk
  • 70 percent are prone to leak critical information stored on the device
  • 96 percent of them contain flaws that would allow any malicious actor to exploit them to launch an attack on the target device
  • Of those, one in six (17 percent) has a flaw severe enough that it would allow an attacker to assume complete control over the app, and from there, the device itself

The majority of these flaws (some 65 percent) are the result of simple coding errors, with improper configuration of web servers being the most common of these.

There is one bright spot in the otherwise dismal report, though.  The percentage of apps with critical vulnerabilities has declined slightly, down from 52 percent last year, and 59 percent the year before. So the numbers, while frustratingly large, are trending in the right direction.

Ed Keary, the CEO of Edgescan had this to say on the topic:

“DevSecOps needs to be embraced such that security is throughout the development pipeline.  Application component security management (software components used by developers) is still not commonplace in terms of supporting frameworks and software components and is a common source of vulnerability.”

If your firm designs such applications, pay special attention to this report and review your code base at the earliest opportunity.  Even if you don’t, it pays to be mindful of the percentages, because odds are that your employees have several at-risk apps on the devices they’re connecting to your network.

New Trick Lets Hackers Bypass Office 365 Email Security

What’s old is new again.

Hackers have recently begun re-deploying a decade-old trick called ‘ZeroFont’ to get around Microsoft’s security filters and deliver phishing and spam emails to Office 365 email accounts.  The gimmick?  Zero-point fonts.

As anyone with even passing familiarity to Office 365 knows, if you’re drafting a document, you can change the font size to suit your tastes and preferences.  What few people realize is that you can use html code to set your font to zero-point size.

Of course, such a move has no practical application in everyday usage, because no one could read a zero-point font.  Hackers, however, can make cunning use of it, and Office 365 is unable to detect the presence of zero-point fonts.  Since they’re not detected, they’re not marked as malicious and sail right through the security filters.

By itself, the zero-point trick is useful, but not inherently deadly.  Unfortunately, it can be combined with other tricks like Punycode, Unicode, or Hexidecimal code to insert malicious commands into what appears to be a totally innocent email.

It gets better (or worse, depending on your point of view).  Just last month, researchers at a company called Avanan discovered that it was possible to use the HTML tag in an email or Office 365 document, point it at a malicious site, and the security filters would blithely ignore it.

Again, it should be noted that these tricks aren’t new.  They’ve been around for years, fell out of favor in preference for newer techniques, and now are being recycled.  Apparently, they’re so old that they skate right past modern security flags and filters.

Expect updates soon to catch these types of things, but in the short run, just be aware these types of attacks are not only possible, but trivial to execute.

Study Shows People Prefer Alternatives Over Passwords

File this one away under “confirming things we already knew.”  A recent study conducted jointly by Blink and Trusona confirmed that people just don’t like passwords very much.

Their study tracked the login behavior of 148 participants over a three-week period.  Without knowing the true purpose of the study, participants were asked to log into a gift idea generation website at least three times a week.

They were given the option of a “classic” (password-based) login, or an “easy” login option, which utilized alternative forms of authentication.

The results should surprise no one, but here are some of the statistics collected during the course of the experiment:

  • 84 percent of participants utilized the easy login at least once
  • 47 percent of participants utilized the classic login at least once
  • Those who used the easy login had successful logins 78 percent of the time
  • Those who used the classic login had successful logins 56 percent of the time

Per Robert Capps, a VP for NuData Security,

“This report shows that consumers are ready to move beyond passwords and usernames to more secure authentication methodologies.  Using a multilayered authentication framework that combined behavioral analytics with biometrics allows companies to verify users accurately without adding unnecessary friction and detect any unauthorized activity before it enters the environment.

Multilayered solutions that include these technologies analyze hundreds of data points throughout a session and create an evolving profile of a user across the session.  Passive biometrics and behavioral analytics are technologies that can provide this level of monitoring without adding friction to legitimate users, thus creating more convenient experiences for users.”

Clearly, users don’t like passwords.  Unfortunately, there’s currently no technology on the market capable of the feats Mr. Capps describes.  There are several promising models and products in varying stages of development, but sadly we’re still a ways off from realizing a password-free, hyper-secure login paradigm.  That day is no doubt coming though, and not a moment too soon.

Use Caution Traveling, Hackers Now Have Keys To Hotel Rooms

Score one for the good guys, but with hesitation. Unfortunately, in today’s fast-moving digital world, even a victory doesn’t mean the end of a problem.

Recently, a pair of researchers (Tomi Tuominen and Timo Hirvonen of F-Secure) released information about a new hack they had discovered. It takes advantage of a critical security flaw in the magnetic VingCard locking systems used in hotel chains around the world.

This particular system produced by Assa Abloy is deployed in more than 42,000 facilities around the world. So in terms of scope and scale, this flaw impacts literally millions of doors.

The security flaw is about as bad as it gets, too.  The duo found a way that hackers could turn an old, dead RFID key card into a master key that could be used to unlock any VingCard door.  Although the software they used to create the master key card is proprietary, any hacker worth his salt and with a couple hundred dollars to spare for equipment could reproduce the hack on their own, if given time.

Fortunately, long before the pair announced their discovery of the hack, they contacted Assa Abloy privately. They have been working with the company’s R&D department to develop a fix for the security flaw.  That fix has now been deployed, and the researchers stress that so far, there is no evidence that the exploit has ever been used in the wild.

Of course, that doesn’t mean that it couldn’t be used, and just because Assa Abloy has released a fix for the flaw doesn’t mean that everyone will promptly install it. So, the risk is still very real.  If you’re a frequent traveler, take extra precautions and don’t leave your valuables in plain sight in your room.  They may be more vulnerable than you realize.

Turn Cortana Off At Lock Screen To Avoid Potential Hack

Do you use Cortana?  It’s a handy virtual assistant (like Siri) built into Windows 10.  Unfortunately, as useful as she is, there’s a problem. Even if you don’t use Cortana yourself, take heed:  Microsoft has recently issued a security update based on findings by McAfee researchers.

It turns out that Cortana can be “summoned” from the lock screen of your PC and used to execute attacks by tricking the ever-helpful Cortana into indexing files from a USB drive, then executing them.

To accomplish the attack, the hacker would need physical access to the PC. Once they had that, they could easily execute Powershell scripts to reset your Windows 10 password, which would then give them unfettered access.

The vulnerability takes advantage of two things:  First, Cortana “listens” for commands, even while the PC is locked. Then, the OS indexes files constantly so that they’re ready to use at a moment’s notice.  Put those two elements together and you have the makings of a disaster.

Microsoft has rushed a patch out the door to address the issue. For now, the company is advising users to simply disable Cortana on the lock screen, so that your PC has to be unlocked in order for her to be active.  It’s probably good advice, given that not all companies update their OS as soon as patches are available, and this one is important.

To be safe, even if you don’t use Cortana, go into settings and disable the virtual assistant on the lock screen.  Then, when you’re away from your PC, at least that’s one less thing you have to worry about.

Unfortunately, this isn’t the first Cortana-related security issue we’ve seen, and it’s not likely to be the last.  As useful as the feature is, it does open the door to a number of other (potential) problems.  Stay vigilant.

Some VW and Audi Cars May Be Hacked Through WiFi

Thanks to researchers Daan Keuper and Thijs Alkemade (who work at the Dutch cyber-security firm Computest), newly produced Golf GTE and Audi A3 vehicles are a little bit safer, and a lot less vulnerable to remote hacks.

The duo found that by taking advantage of these vehicles’ WiFi connection, they could access the cars’ IVI, (in-vehicle infotainment system) and from there, gain access to other systems as well.

The researchers had this to say about their work:

“Under certain conditions, attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and conversation history.  Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time.”

It gets worse though.  Once the researchers had gained access to these systems, they found they could also access the car’s braking and acceleration systems. They stopped short of performing exploits on these for fear of violating Volkswagen’s intellectual property rights.  A hacker, however, would not hesitate to do so.

Worse still, the company apparently had no idea there was a problem. In fact, when the researchers presented their findings, they discovered that the company had deployed the IVI system completely untested.

Since bringing the issue to the company’s attention, they have addressed the issue. However, the fix only applies to newly manufactured vehicles.  If you purchased either of the models listed above prior to June 2016, your vehicle has not received the fix, and will not get fixed unless you take it back to the dealership.  There’s no way for the company to remotely install it.  That means there are untold thousands of cars on the road right now that are vulnerable.

All Twitter Passwords Exposed, Change Your Password Now

Twitter shot itself in the foot recently but is working hard to get out in front of the problem.  According to a recent blog post, the company experienced an issue with its hashing routine – a process which masks user passwords, making them virtually impossible to crack.

Because of the issue, user passwords were stored as plain text on an internal log file.  The company found the bug on its own, conducted an investigation and found no evidence that anyone discovered the log file and appropriated it.  Although they gave no indication as to how many user passwords the log file contained, they nonetheless urged all of their 330+ million users to change their passwords immediately as a safety precaution.

This could have been far worse for the company, had the log been discovered by a diligent security researcher, or worse still, by a hacker.  Even so, it’s a fairly damaging bit of news that’s sure to cause at least some lost trust with its growing user base.

If you use Twitter, you should definitely take the company’s recommendation to heart and change your password immediately.  As ever, when you do, the best thing you can do to help yourself is to be sure you’re not using the same password on Twitter as you use on other websites you frequent.  That way, even if your password is compromised, the damage will be limited to your Twitter account only.

An even better solution would be to use a password safe, which securely stores the passwords of the various sites you frequent. Although even this step doesn’t provide bullet-proof protection, as password safes are by no means immune to hacking.

Diligence and vigilance are once again the keys.  Keep your passwords secure and change them often.

Vulnerability In Mac OS Went Unnoticed For Years

Researchers at Okta Security have stumbled across something big.  Recently, they discovered a flaw in Apple’s OS that would have allowed hackers to completely undermine Apple’s code signing process.

While at first glance that doesn’t sound so bad, the implications are terrifying.  In a nutshell, code signing uses cryptographic “signatures” to verify and validate code.  If code bears the digital signature, it is considered trusted.  If it’s trusted, then it’s given an automatic free pass, straight into the heart of any system.

Unfortunately, this flaw in Apple’s code signing process dates back more than a decade. It was only recently discovered, and purely by chance at that.

An extensive forensic analysis has turned up no evidence suggesting that this exploit was ever used for nefarious purposes, which is the one silver lining in all of this.

Upon discovering the flaw, Okta personnel reached out to Apple and other vendors who could have been impacted by the flaw, including tech giants like Google, Facebook and also smaller players like VirusTotal, Objective Development, Yelp, and Carbon Black.

Apple moved swiftly and has since fixed the issue, so this one can be considered a bullet dodged.

Josh Pitts, an Okta engineer, sums the issue up:

“Different types of tools and products use code signing to implement actionable security; this includes whitelisting, antivirus, incident response and threat hunting products.  To undermine a code signing implementation for a major OS would break a core security construct that many depend on for day to day security operations.”

A completely fair assessment.  Thankfully (at least in this particular case), although the issue was hiding in plain sight, it does not appear to have been exploited before being fixed.  We won’t always be so lucky.

Watch Out For Rise In Microsoft Office Attacks 

Menlo Security has recently published a new report that will probably dismay you if you’re a business owner.

Microsoft Office has been named as the attack vector of choice for hackers around the world. The most common form of the attack is a malicious Word document or other office document attached to an innocent looking email.

There are, of course, plenty of other ways to take advantage of various security weaknesses in MS Office and Office 365.  These include the use of remotely hosted malicious components embedded within documents that deliver zero-day exploits when the document is opened.

The reason MS Office is such a wildly popular choice isn’t because it has an unusual number of security loopholes that can be exploited (although it’s certainly got its share).  Rather, it has everything to do with the overwhelming popularity of the office suite.  Simply put, lots of people use it on a regular basis, and that means the pool of potential victims is enormous.

As the report explains:

“There is likely to be an increase in attacks via malevolent email attachments using stealthily embedded, remotely hosted malicious components that leverage applications and operating system vulnerabilities, both old and new.

With CVE-2018-8174 and CVE-2018-5002, the attackers leveraged Word as a vector to exploit Adobe Flash Player and Internet Explorer.  By using Word as the vector, the attackers were able to exploit a browser, even if it is not the default browser, and exploit Flash, even though Flash is blocked by most enterprises…Microsoft is therefore undoubtedly going to become the platform that attackers leverage most to deliver their zero-day exploits.”

All true, and beyond troubling.  If your business uses Microsoft Office or Office 365 (and odds are excellent that it does), continued vigilance is the key.