Tag: data exfiltration

Attack of the cables

In last week’s article, I spent some time discussing the disadvantages of penetration testing. The main limiting factor for every red team is the client’s engagement policy. Usually, it is not comparable to a real-life attack. However, at the same time, some of the latest developments in the field are pretty disturbing and could be used by hackers for malicious activities.

One such gadget manufactured by Hak5 looks like an ordinary USB charging/data cable, but it comes equipped with the latest keylogging capabilities. Additionally, the cable supports the following features – Keystroke Injection with DuckyScript™, Keylogging (650,000 key storage), USB-C Smartphone & Tablet Keystroke Injection, Remote Access by WiFi, Customizable Self-Destruct, Multiple storage slots for large payloads, On-Boot payloads, Remote Trigger by WiFi (Geofencing), Long Range WiFi Trigger (2 KM+), Control from any Web Browser and Scriptable WebSocket. In short, that cable is a fully working micro-computer with remote access capabilities for loading payloads and executing them without the victim’s knowledge. As a bonus, it looks exactly like a standard USB to USB-C cable. They also offer versions for Macs.

A creative attacker can think of many uses for these cables. For example, they could ask to borrow your cable and swap it with the malicious one. They can break into your home or office and swap the cables. They can stock a computer shop’s whole supply with these cables and sell you one. The options are almost limitless. With such gadgets around, you virtually cannot trust any cable or flash drive you buy from your hardware supplier, nor your friends’ or your family’s equipment.

The diagram shows a sample of how the cable works. It simply deceives the computer it is plugged into that it is an ordinary cable. Meanwhile, the attacker sends the payload over Wi-Fi and activates it.

We could imagine that the next step for companies such as Hak5 is to embed a full-blown ADB build into the cable and enable remote penetration attacks against smartphones. Such a cable would be quite an exciting gadget and could encourage even more attack scenarios.

For a long time, I have wondered why such equipment is not treated the same way as weapons. The relative ease of manufacturing and using such gadgets makes them more and more dangerous. Without regulations or even government-issued permits, more and more people will have access to them. What is the guarantee that they will not end up in the hands of black hat hackers or criminals? Not to mention that every white or gray hat hacker could potentially go rogue and become a black one. What is the guarantee that such gadgets will not be used for malicious purposes even by licensed professionals?

In conclusion, the penetration testing landscape has become more and more concerning. Without a good set of regulations, we could soon see many people using military-grade hacking gadgets, turning the defensive part of cybersecurity into a terrible nightmare. In any case, many defenders will not be fascinated by the idea of wrapping their USB cables and flash drives with aluminum tape[1] every time they buy new hardware. Sure, it is a cheap way of blocking radio waves, but the aesthetics will not be on a high level.

[1] – https://emfacademy.com/aluminum-foil-emf-radiation/

Cybersecurity tactics for small teams – Hardware Device Security – part 1

Please check the previous part – here.

We have already discussed how to ensure your physical security and your network perimeter. The topic for the following two parts is the security of your hardware devices; in particular, I shall give you some ideas on how to secure your personal computer and your mobile phone. At the end of these parts, I shall provide a sample budget for a security-oriented personal computer, laptop, and mobile phone. In the budget, I shall include the software appliances as well.

But before doing this, let’s have a short discussion of what a computer is and how we use it. The formal definition of a computer is:

A computer is a machine that can be programmed to carry out sequences of arithmetic or logical operations automatically. Modern computers can perform generic sets of operations known as programs. These programs enable computers to perform a wide range of tasks.

In other words, we have a machine which works with data and can perform operations on it. It is similar to what our brains do for us, but in a different way. In terms of computer security, it is essential to understand that your computer is a data carrier and a data generator. The goal of your security awareness model is to protect the data and the generator logic. So we have to treat our computers the same way we treat our brains when we don’t want to share data: by making sure we have taken all the necessary steps to secure access to our information.

So let’s do it. We start with:

Personal Computer/Laptop

We shall discuss the security of laptop computers because they have a larger number of attack vectors. The same list of attacks applies to workstations.

By definition – A laptop, laptop computer, or notebook computer is a small, portable personal computer (PC) with a screen and alphanumeric keyboard. It is important to note that a laptop is a total nightmare for your computer security policy in the physical security realm. It inherits the traits of all hardware devices, including the ones related to garbage. Securing laptops is almost impossible, and a dedicated attacker will most probably manage to penetrate your laptop’s defenses one way or another. But let’s list the different attack vectors your laptop has.

The diagram shows a standard data exfiltration workflow. The attacker makes the victim’s network send data to a malicious service and, after that, reroutes the data to their own infrastructure.

  • Theft: By being mobile, any laptop is a mobile data carrier similar to your paper documents and USB flash sticks. Because of that, a dedicated attacker can steal the computer and gain access to your data. It is essential to mention that any encryption mechanism can slow down your attacker, but you cannot be sure it will stop them.
  • Location-based attacks: Companies such as Hak5 promote an exciting set of tools used for location-based attacks. They can penetrate your WiFi network, and there are even devices named RubberDucky. They look like a standard USB flash drive, but essentially they deceive your computer into treating them as keyboard devices and execute a penetration script.
  • Malware: There are many types of malware, but these are the most dangerous in terms of cybersecurity: trojan horses and ransomware. Both of them steal your data. In the case of ransomware, you have to pay, but at least you receive a notification that something went wrong. In the case of trojan horses, you have no idea what is going on with your data.
  • Misconfiguration: Most laptops do not come with a proper security configuration by default. Users without formal training cannot configure the system, and it remains unsafe until a hacker penetrates it.
  • Pirated Software: Torrent trackers are a terrible place to download software. Usually, the cracked versions of popular software come with preinstalled malware. It is highly advisable to use open source or paid products.

The listed threats are only part of a long list of attack vectors an organization must take care of. Still, they are a good starting point, and if your small team manages to stop them, it can reach a good cybersecurity level.

Smartphones

After the introduction of the IBM Simon, the smartphone industry grew rapidly. These days, devices are as powerful as a ten-year-old computer and can perform various tasks which for a long time people reserved for computers. It is fantastic, but they are even worse in terms of cybersecurity than your laptop. They inherit all of your laptop’s problems with an even smaller size and limited control over the hardware. They are a nightmare in terms of computer security. But let me list the different attack vectors which your smartphone can introduce:

  • Outdated Operating System: To further push technical progress, hardware vendors usually discontinue support for devices older than four years. And by discontinue, it means that these devices do not receive security patches and the latest version of their operating system. This approach leaves thousands of people without proper cybersecurity defenses.
  • Laptop Attack Vectors: As a less powerful computer, every smartphone inherits a laptop’s security problems. Even worse, once you store your data in your smartphone’s internal memory, it is almost impossible to erase it securely.
  • Conversation Sniffing: Hackers can use your smartphone to sniff your daily conversations, since it is constantly held near you. Many hardware vendors implement security measures against this kind of attack, but people must still be aware that such an attack is possible.

Next part is here

Must companies be afraid of internal cyber attacks?

One of the biggest cybersecurity threats for companies is internal attacks. To function correctly, companies need trust. You could have the best access control system in the world, but this will not help you if your system administrator is compromised. Yes, multi-factor authentication and secret key splitting algorithms can help you mitigate part of these threats. However, they are not widely used. Most SMEs do not have the resources and knowledge to implement a proper access control system and thus are pretty vulnerable to insider attacks.

The diagram shows the different use cases in which companies can use cryptography. Modern access control frameworks use cryptography heavily to ensure access to data is more restricted than ever.

Following are some of the internal attack vectors through which attackers can gain access to information:

  • Information leakage: One of the most common methods used by cyber attackers is a simple leakage of information. Or, in other words, industrial espionage. Many employees could use this approach to take revenge.
  • Illegal activities: A company must be aware of any illegal activities going on in its systems. Some organization members could use this approach to frame the company or use it as a proxy when hacking.
  • Downloading malicious internet content: Most of the time, employees do not intentionally download malicious content; however, sometimes they do. In both cases, a proper access control mechanism will mitigate or at least reduce the damage.
  • Social engineering: One of the most common ways for attackers to gain access to a network is by exploiting the trusting nature of the company’s employees. An information awareness course could quickly mitigate this attack.
  • Malicious cyberattacks: Technically proficient employees can use their system access to open back doors into computer systems or leave programs on the network to steal information and wreak havoc. The best protection against this sort of attack is monitoring employees closely and being alert for disgruntled employees who might abuse their positions. In addition, experts advise immediately canceling network access and passwords when employees leave the company to avoid remote access to the network in the future.

In conclusion, unfortunately, because of the enormous rift in trust between employees and employers, internal attacks can become the new trend. Companies must be aware of that and do their best to implement proper access control systems. Access to resources must be granted appropriately and audited for every organization member, whether CEO or utility worker.

Are law firms a high-value target for hackers?

A New York-based law firm fell victim to a cyber attack. That wasn’t unfortunate only for the firm, but for the countless celebrity clients they represent. Their client list comprises many A-level celebrities.

All these people fell victim to hackers.

The hacker group that carried out the attack remained unnamed. It got dubbed REvil because that’s the ransomware used by the group.

The cybercriminals targeted the law firm’s internal data systems. They managed to get away with 756 gigabytes of data, which they deemed was worth $21 million in ransom. When the law firm stated they had no intention of paying a dime in ransom, the criminals released a statement that they’re doubling their ransom request to the staggering $42 million.

After the firm refused to comply with the ransom demand, the hackers released an astonishing 2.4 gigabyte batch of data. It included private files and all sorts of sensitive information: contracts, non-disclosure agreements, promotional agreements, and expense sheets, among others.

The data dump wasn’t the only bombshell the cybercriminals dropped. They claimed to have an ace up their sleeve: private documents belonging to the American President. The law firm was quick to deny having any business dealings with the President. They claimed that his name was only mentioned in some of their documents connected to their other clients.

Due to the hack’s success and the massive breach of privacy, the FBI got involved. They advised against paying the ransom as, in most such cases, payment doesn’t do much besides cost the victim money.

If you’re a victim of cybercriminals, you’re in a lose-lose situation. If you refuse to pay them, they can release the information they stole if that’s what they wish, and the victims get left to deal with the consequences. To pay the ransom they demand means you’re accepting their promise to destroy the data they stole.

The diagram shows a standard distribution of malware types and how malware authors target their victims. In the case of organizations, the main criminal approaches are data theft and ransomware.

Can you trust the word of hackers? No, you can’t. However, it is essential to know that if the criminals do not keep their word, no one will pay the ransom, which would remove this final option. Unfortunately, paying the ransom usually motivates more and more criminal groups to execute such operations.

This hack wasn’t their first attempt to score big. The attackers carried out an attack on a foreign currency dealer as well. However, the ransom demand they went with paled compared to the $42 million, or even $21 million, they demanded from the law firm. In this case, they asked for $6 million under threat of deleting customer data. After a few weeks of having their services kept offline, the dealer caved and coughed up $2.3 million as payment.

Especially with COVID-19, more and more law and financial companies can become a target for attackers. It is essential to understand that blind faith in your cloud provider is only part of the equation. Every organization must take care of its own defenses and upgrade them as much as it can. Only by doing this can it make attackers’ lives harder.

The rise of data leaks

We are living in internet-reliant times. Everyone outsources and shifts aspects of their lives to online sources like social media, dating apps, and online workplaces and educational websites. With COVID-19 forcing us to emphasize online activities, the possibilities for data leaks are ever-growing.

Data leakage incidents are not always intentional, though most of the time, they are. Phishing attacks or malware sent via email and links are just some common examples. Both have high success rates, and once the malware is successfully installed on a device, leaking data is very easy. Private user information, including addresses, phone numbers, and more sensitive data like credit card numbers or passwords, is worth millions of dollars on the market.

845 GB of Data Leaked!

Recent examples showing the extent of leaked data in 2020 alone seem astonishing. Just a few weeks ago, nine dating apps leaked 845 GB of data. It may not sound like a lot, but in fact, the leakage comprised the private information of a few hundred thousand users. The leak includes explicit photos and messages that people would likely have preferred to keep confidential.

Independent security researchers discovered the security breach for all affected websites.

The most shocking part of their discovery is that it was not a hacker who was responsible for the leak but the companies themselves, due to their careless configuration of the apps.

The diagram shows a standard workflow of data exfiltration. The attacker finds a way to infiltrate the company’s infrastructure and after that uses other, already compromised infrastructure to exfiltrate the data.
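A defender-side check for the exfiltration workflow described here and in the laptop section above, as an added example (not code from the original post): because the attacker relays data through already compromised, possibly reputable-looking hosts, the check keys on outbound volume per source/destination pair rather than on destination reputation. The proxy log format, hostnames, allowlist and 50 MB threshold are constructed assumptions.

```python
# Added example: flag internal hosts pushing unusual outbound volume to
# destinations outside the business allowlist (constructed log format).
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: timestamp, source host, destination host, bytes out.
# The last line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
2021-03-01T09:00:05 ws-17 crm.example.com 18203
2021-03-01T09:02:11 ws-17 updates.example.net 402119
2021-03-01T09:05:42 ws-17 cdn.unknown-host.example 88000000
2021-03-01T09:06:10 ws-22 crm.example.com 2048
2021-03-01T09:07:30 ws-17 cdn.unknown-host.example 91000000
2021-03-01T09:09:55 ws-22 mail.example.com 150000
2021-03-01T09:10:00 ws-22 garbage
"""

# Destinations the business legitimately sends bulk data to (assumption).
ALLOWLIST = {"crm.example.com", "updates.example.net", "mail.example.com"}
# Outbound bytes per (source, destination) pair that warrant a look (assumption).
THRESHOLD_BYTES = 50 * 1024 * 1024

def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out); skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], size

def find_exfil_candidates(text, allowlist=ALLOWLIST, threshold=THRESHOLD_BYTES):
    """Return {(src, dst): total_bytes} for non-allowlisted pairs over threshold.

    Volume is summed across the whole log, so a transfer split into several
    smaller uploads (as in the sample) is still caught.
    """
    totals = defaultdict(int)
    for _ts, src, dst, size in parse_log(text):
        if dst in allowlist:
            continue
        totals[(src, dst)] += size
    return {pair: total for pair, total in totals.items() if total > threshold}
```

On the sample, ws-17 is flagged for roughly 179 MB sent to cdn.unknown-host.example across two uploads; the allowlisted update traffic is ignored.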

These websites and apps are mostly unknown, but data leaks can also happen to popular websites with millions of user account information leaked and stolen.

Big or Small – You’re Not Safe From Leaks

In 2014, a prominent commercial website’s entire user account list was leaked, with 145 million people affected. Users had to change their passwords as a consequence.

In 2012, a big social media website became a target, and 165 million business professionals’ data was readily available for sale. All users changed their passwords as well.

Other cases did not proceed as mildly. In 2013, a big design software company was asked to pay its users 1.1 million dollars in compensation after credit card records and passwords leaked.

In 2021, the risk of data leakage is higher than at any time before; there have already been numerous data breaches, including at major companies, universities, and cybersecurity providers.

In October 2020 alone, there were 117 data breaches, the highest number recorded for a single month. Fortunately, only about 18 million user records leaked, small compared with the running yearly total of 19.5 billion compromised data records. The most breached sectors were healthcare and health science, education, and the public sector.

All of these numbers show that the protection of one’s data in a time where everyone has an online presence is crucial. With COVID-19 inevitably shifting our lives towards online resources, it is up to us to take the necessary measures to protect our private information.