Posts Tagged

security

Razer Mouse Driver Causes Breach

Elizabeth Technology January 19, 2022

Peripherals

Peripherals. Your keyboard, mouse, drawing pad, Apple Pen, game controller, and more are considered peripherals. Peripherals, by their nature, don’t have much computer power inside them – generally, they have just enough to do their job and not more. In terms of hacking, they aren’t quite as vulnerable as IoT items because they’ve been in the computer world for much longer.

That doesn’t mean that it’s impossible – it just means that other targets are often easier, and other methods, such as hiding a hacking device in a corded mouse’s plug à la the Juice Jacker, are easier than trying to get in on a device’s protected Bluetooth connection.

However, some peripheral devices require things like drivers. Drivers are programs that give the computer instructions for how the device is supposed to work. A computer won’t know how a specific drawing tablet works until that drawing tablet is hooked up and the drivers downloaded, and a Dell won’t understand the Apple Pen without its related software. However, most mice and most keyboards don’t take any drivers because they’re so common that computer manufacturers assume they’re a given, and so the instructions for how the computer is meant to interpret the commands are already programmed in. It’s why you can just plug and go for most Bluetooth mice.

In this case, Razer’s mouse was so complicated that it took a driver to use to its fullest extent. It could change the color of its internal LEDs, and the computer didn’t have the built-in instructions to understand those commands. Downloading that driver is what presents the vulnerability!

The Flaw

Razer’s mouse doesn’t magically make the user an admin just by plugging it in – the end user still has to know what they’re looking at. The way Razer peripherals work, plugging one in downloads the drivers that specific device needs. To do so, it opens up a Wizard, and if you catch it when it asks you where you want to save the file, you can (or could) left-click and open PowerShell. Now you have access to PowerShell, one of Microsoft’s automation and task frameworks, without needing to get the administrator’s permission first. And PowerShell has admin privileges by its nature! Now that it’s been opened up, even previously limited or restricted profiles can access and change settings within the computer as though it were an admin, something it couldn’t have done without Razer’s Wizard.

This is a pretty big flaw.

The issue is that the file’s set-up is asking the user where they want to put their file, instead of stuffing it in the drive in its own folder or on the desktop by default, like many programs do. Or, alternatively, the computer shouldn’t have allowed the driver + Wizard download without admin permission in the first place!  

This is a big flaw. However – it also means that any malicious user would still have to get access to the computer, either physically or remotely, so while it’s a vulnerability if the person with the driver is in the physical location of an unlocked, open computer (or manages to scam their way into remote control of one), it’s not necessarily time to toss the Razer mice.

Razer

Razer peripherals are generally marketed towards gamers, but they can be used as regular device peripherals too. They’re sort of expensive to buy as just a mouse, and their especially great precision is designed for games, not Excel sheets, so many people (and many businesses) would prefer to use something lighter and cheaper for their office computers. Why bring an 18-wheeler to something if a simpler pickup truck will do the trick, right? The same goes for their gaming chairs, computers, keyboards, etc. – if something is perfectly designed for gaming, it can also do office stuff, but that would look and feel sort of ridiculous.

Razer’s whole image is the scorpions and snakes, green and black, Matrix, high-tech imagery. They may occasionally sell multipurpose stuff, but their marketing is overwhelmingly towards gamers, promising them the top-of-the-line peripherals with accuracy and speed that plain Dell or third-party peripherals can’t always deliver.  

The company knows this. Razer, understanding that their main function is ease-of-use and not security, may overlook basic security flaws every once in a while, and I don’t really blame them for missing something like this while testing – after all, Windows itself should have protested the download, too, right?

Sources:

https://www.razer.com/?gclid=Cj0KCQjwg7KJBhDyARIsAHrAXaHQ4v_RWuKn-7YKiB_B-QzTgur_Bg_GEZmcuBTCEreQ8P_JlWMp1a4aAoO2EALw_wcB

https://lifehacker.com/you-can-gain-admin-privileges-to-any-windows-machine-by-1847537634

https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations

The EA Hack

Elizabeth Uncategorized November 19, 2021

The EA hack isn’t a special case. Not anymore. Hack, after hack, after hack, data leak after data leak, stolen game engine and asset, one after another. Game companies are being targeted deliberately for IP and code theft because it’s one of the few things that hackers can still steal with relative ease.

EA’s Track Record

This hack was due to a mix of authentication fraud and social engineering – it also seems to be their first major hack, if the lack of news about anything else is any evidence. Even Wikipedia doesn’t have much to say about past security incidents. The one chance hackers had to get customer data was sealed off back in 2019, when a white-hat hacker group discovered the vulnerabilities and then alerted them that a sufficiently capable team would be able to get in, and then steal all of their customers’ payment data. EA’s record is cleaner than the industry average.

EA has a good track record with overarching security – many companies in the same worth bracket, including other game companies, can’t say that! Fellow gaming company Capcom got dinged with Ragnar ransomware, and while it “only” lost about 350,000 people’s worth of account data, it also lost its internal logs and couldn’t tell if they also lost credit card data. Blizzard, another big company with a good track record, suffers from persistent bot plagues that they’re unable to clear out. Human players then lose their data to particularly conniving bots and data thieves directly, no middleman hacked server necessary.

This Particular Hack

This hack was especially devious. A hacker used authentication cookies (cookies that “remember” the device or browser being authenticated with a code) to get into an EA slack channel, and then socially engineered their way past IT into the company’s internal network.

From there, downloading stuff was easy.

More than 780 GB of data (most of it source code) was captured, but the hacker group states that they couldn’t find a buyer. Source code is often trademarked, after all, and the consequences of buying another company’s code aren’t worth having it. Many hackers would much rather have payment or personal info than code. They then tried to extort EA by promising to release it, and uploading a little bit of the next FIFA game as proof that they were capable. After EA refused to pay the ransom, they released the remainder of the code as promised. Once again, using another company’s source code just doesn’t make sense in the long run, so it’s unclear what the long-term consequences will be for the company. However, they’re not the first ones to get extorted in this way: CD Projekt Red’s failed ransom should have served as a warning!

The CD Projekt Red Hack

CD Projekt Red, the game studio that created such classics as Cyberpunk 2077 and The Witcher 3, was hacked early last year. At that time, the hacker group responsible stole their game engine, and not much else – their customers were surprisingly uncompromised after the incident. The hacking team seemed to have a personal grudge against Projekt Red, so I can only assume the customer information was better-secured than the game engines themselves: who wouldn’t steal customer data if they were trying to completely trash a company’s reputation?

EA similarly partitioned customer data away. This is a good thing! Sort of like in a cruise ship, separating data means that the entire company isn’t compromised as long as a gate somewhere stops the water from getting into other rooms.

And Other Examples

A Blizzard hack snatched emails (but not the unscrambled passwords) of an estimated 12 million players in 2012. This was easy to recover from – resetting the password was good enough for most accounts, but having those emails made the players unfortunately vulnerable to password stuffing attacks in the long run.

In 2011, an even bigger attack on Sony’s PlayStation Network compromised the details of approximately 77 million users. This one stands out because both encrypted and unencrypted data was taken – credit card information that was encrypted wasn’t theoretically unscramble-able, but Sony, even with a week-long delay, couldn’t determine how much a hacker could actually squeeze from that data. Unencrypted data, which was basically all of the other personal details that could be attached to a player, was usable as soon as the hackers obtained it. Events like these served as a warning for Blizzard, who encrypted much more, and then eventually for Xbox, Microsoft, CD Projekt Red, etc. as hacks became more prevalent.

Sources:

https://therecord.media/hackers-leak-full-ea-data-after-failed-extortion-attempt/

https://www.newsweek.com/electronic-arts-ea-origin-account-takeover-hacking-cybercrime-check-point-cyberint-1445976

https://www.ea.com/security

SQL Injections

Elizabeth Uncategorized October 13, 2021

Sanitize your Inputs.

If you’ve been following cyber security news over the past few months, you’ve probably seen ‘SQL Injection’ somewhere. It’s usually in reference to a security failure – maybe a breach happened, and you saw it written in the post-mortem of the attack. What is it?

SQL

What is SQL? SQL stands for ‘Structured Query Language’. It’s widely considered the language of databases! Essentially, SQL is really good at handling structured data, which is data that keeps the relationships between variables coherent. SQL is more like an umbrella term than a thing in and of itself: language for controlling data, language for relating data, language for defining data, etc. all fall under the scope of SQL. Different vendors also have different methods of implementing SQL, so even SQL that does the same thing across websites may look different. It’s basically everywhere!

Especially on the back-end side of websites. Passwords and login info have to be stored somewhere, and preferably somewhere where they are A) secure and B) accessible. That’s not as simple as it sounds. If a website stores its data in a simple table, with no hiding, hashing, or scrambling of the credentials, it’s only a matter of time before some malicious party comes for it. Hashing is mandatory nowadays, and in fact, hashing and hiding data is often the only thing turning major breaches into minor events. See Blizzard’s hack, for instance – having the data somewhere else and scrambled saved them. Proper SQL usage saved them.

Retrieving that information is also important, and SQL does that too. SQL specializes in uniting all of these tasks. However, its widespread use doesn’t mean it’s invulnerable, and mistakes while putting it together for a site can render it a dangerous weapon.

SQL Injection

An SQL injection is an attempt to interfere with the requests the SQL is sending to the database. If a hacker can deliver a little bit of code to that otherwise impossible-to-reach database, they may be able to grant themselves access to it, or damage it, among other things. For example: a new user signs up. They put their name and password in. SQL directs that information to the database with the instructions “Store this (USERNAME)”. However, in an injection attack, the username actually contains code, which then leads to the SQL misreading the instructions as “Store this (AND DELETE ALL DATA)”.

These are so incredibly simple to execute that it would be foolish not to try at least a couple of times. It’s as simple as figuring out what kind of inputs the data field will allow (i.e., are semicolons allowed in passwords? Can I use @ in my username? Are brackets included, or not?) and then trying to abuse that as hard as possible to get results.

Even big websites are susceptible. Why? The process to prevent it is separate from the process of putting SQL into the website in the first place. Picture trying to drive a car with no automatic headlights at night. Eventually, you may forget to turn them on manually – and that may cause an accident even if you’re an otherwise excellent driver. Turning the headlights on, or sanitizing the inputs, is the safest way to prevent harm from coming to that database behind the scenes, but it’s easy to forget.

Sanitizing Inputs (Or Making Them Unreadable)

This method of hacking doesn’t work if the program doesn’t see the code. Now, there is some contention as to what sanitizing actually means specifically – generally, it means making sure the computer doesn’t read the input the wrong way, which can be achieved in a number of ways in code.

There’s telling the database to convert data, which may produce undesired results in the database.

There’s telling the code that’s taking the input to split the query used to ask for data and the resulting data itself apart, which prevents that data from being misinterpreted as a command.

And then there’s simply not allowing certain things to be used in the input fields, which is kind of sanitizing by elimination.

If the database never gets anything it doesn’t expect, then it can’t do things that its programmers weren’t expecting, thereby making it safer. Validating the inputs is equally important for preventing attacks! You’d never see letters in a phone number or brackets in a name, anyway, so this is also good for the data itself.
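As an added illustration (not code from the original post), here is the username lookup from the SQL Injection section written three ways in Python against an in-memory SQLite database: first with the user’s text pasted straight into the query string, which is the mistake that lets “Store this (USERNAME)” turn into a command; then with a parameterized query, which keeps the query and the data apart as the second sanitizing approach above describes; and finally with an allow-list check in front of it, which is the “sanitizing by elimination” approach. The table contents, the username rule, and the hostile input `' OR '1'='1` are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for the example: two accounts in an in-memory SQLite table.
# Passwords are stored as placeholder "hashes"; the post's point about hashing still stands.
SAMPLE_USERS = [("alice", "hash-of-alice"), ("bob", "hash-of-bob")]


def make_db():
    """Create the in-memory database the lookups below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The mistake the post describes: the user's text is pasted straight into
    the query, so the database cannot tell where the command ends and the data
    begins. Kept only to contrast with the two safe versions below."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """Query and data travel separately: the SQL text is fixed and the driver
    binds the value, so whatever the user typed is compared as a plain string
    and is never interpreted as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Allow-list for usernames: letters, digits and underscore, 1 to 32 characters.
# Quotes, semicolons, brackets and spaces are rejected before they get anywhere
# near the database. The exact rule is an assumption made for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username):
    """Sanitizing by elimination: accept only what a username should ever contain."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn, username):
    """Validation in front of the parameterized query: defense in depth."""
    if not is_valid_username(username):
        raise ValueError("rejected username: contains characters a username never needs")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed hostile input: makes the WHERE clause always true
    print("vulnerable:   ", lookup_vulnerable(db, hostile))     # every user comes back
    print("parameterized:", lookup_parameterized(db, hostile))  # nothing matches
    try:
        lookup_validated(db, hostile)
    except ValueError as err:
        print("validated:    ", err)
```

With the hostile input, the vulnerable function returns every account because the database reads the clause as `username = '' OR '1'='1'`, which is always true; the parameterized function returns nothing because the same text is compared as a literal username. The parameterized query alone already defeats the injection; the allow-list is a second layer that also keeps junk out of the data itself, which is the post’s point about validation.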

Sanitizing, validating, or otherwise controlling inputs, no matter how a business decides to approach it, is good for database security. However, it’s often difficult to do right if the website is assembled by the business owner themselves. Luckily, Wix, Squarespace, and other big DIY-website places do this automatically. The folks in the most danger are people and companies with just enough expertise to make a public-facing webpage from the ground-up, without enough expertise to secure it ground-up.

Dangerous, Even Now

Technology improves, and some things get better.

And then there are things like sanitizing inputs. The code may be cutting edge, the machines themselves may be top of the line, but forgetting to include some verification for data is just like forgetting to put out a candle before leaving your house for the day. The action is insignificant… the consequences are not. And, just like candles, there isn’t really tech that turns that off. Either you blew out the candle, or you didn’t. If you’re lucky, nothing happens while it’s unattended.

SQL injections have compromised tens of millions of files of legal and healthcare data around the world because they’re so simple! It’s easy to automate, and often overlooked. It’s painfully easy to introduce weaknesses via plug-ins as well – WordPress has over 50,000 plug-ins, and many are outdated or obsolete when it comes to SQL security, so using a DIY website designer is no guarantee of safety if the customer strays too far outside the presets.

SQL injections are a big threat that’s easy to avoid… if the website creator knows to look for it. Free resources for fixing vulnerabilities scatter the web, but nothing beats expertise. (Don’t just slap something into a site willy-nilly – go to an expert!)

Sources: https://www.veracode.com/security/sql-injection

https://kevinsmith.io/sanitize-your-inputs/

https://www.smashingmagazine.com/2011/01/keeping-web-users-safe-by-sanitizing-input-data/

Smishing

Elizabeth Uncategorized September 27, 2021

Do you get strange solicitations for all sorts of things in your messages? Are you getting texts from email accounts, or massive group-texts to you and everyone within a couple of digits of your number?

That’s Smishing.

Phishing

Phishing is the process of sending emails with dangerous, annoying links in them hoping that someone on the other end will click them. These emails can be broadly targeted or narrow, well written or not – it all depends on the person on the other end of the line. Broadly targeted emails with many people on the receiving end tend to be poorly written to weed out people who would flake out halfway through. Narrowly targeted emails aimed at individuals or specific companies tend to be much better, because they’re willing to invest the time needed to get them.

Phishing happens via email, but it comes in a variety of flavors, and setting rules such as ‘don’t click links’ and ‘don’t look at ads for services you didn’t sign up for’ can wipe a lot of the problems out. Phishing is still incredibly common, and many people (including the elderly, people who are reading in a different language than their native tongue, younger kids with email addresses, etc.) still fall for them… but where tech innovation goes, scams soon follow!

Improvement to the Tech 

There was a time when sending mass texts in hopes of securing some personal data was time consuming and expensive. There was a time when you couldn’t just send emails to a phone number or vice versa. Nowadays, all of these things have become possible. Everyone worth scamming has a smartphone. Very few plans ask users to pay per text, instead of per gig (or meg).

VOIP and assorted messaging apps all blur the lines between email, phone calls, text messages, app-based messaging services, and more. Of course, the market has encouraged this. If users have to trade apps to stay in touch with friends on a different app, they’ll generally do so. It’s in every app’s best interest to work with each other, and most will enable users to send and receive messages with minimal issues. There aren’t a ton, but the handful in existence is plenty. Plus, Google and Outlook will allow you to direct-message phone numbers now, as long as you have the full ten digits.

Smishing

Smishing, just like phishing, involves sending messages trying to get people to click sketchy links inside or engage further with the scammers. Sometimes it happens with one number sending directly to one number, or one number to many, and sometimes an email address is able to send you messages directly.

Shot-gun blast smishing, just like regular phishing, is targeting people who don’t know better than to click on strange links or respond to “adult links” texts with incoherent rage. Now that many delivery services use text messages, unsolicited texts about a meal or package delivered to the target’s house may cause them to click the link in the message without pausing for a second to think about all of the other messages they should have received beforehand. The phone is new territory, and they hope you’ll fall for it because it’s new and blends in a little better.  

There is a more dangerous version of smishing – if they know who they’re texting, and they can text coherently, getting info or clicks out of the target becomes much easier because they can custom-fit those texts to said target. If someone uses your name, you’ll assume you know them from somewhere – and a text is already so personal, it’s hard to blame people who fall for it. Shotgun blast smishing only gets the folks who were vulnerable, but a good, targeted attack could fool many more. This obviously also applies to regular phishing, but because phone numbers all look the same, and phones can be misplaced while desktops can’t really be, bluffing your way into getting ‘emergency information’ from someone is just a smidge less difficult.

Viruses are still a potential problem for phones. The only issue is that they have to be custom-made for the phone type the end user has, or else they won’t be able to successfully infect that device. While many people use their phones for their internet browsing, a great many more use their desktop for everything, and so the scammers of the past would just use the desktop virus and hope they caught something.

Smishing introduces a new angle – phone numbers will generally lead to phones, meaning that they can use that custom-made phone virus and almost guarantee themselves a win as long as the target actually clicks the link.

Epidemic

Unfortunately, unlike phishing calls or emails, smishing is easier to spam with and doesn’t usually require a list of preexisting emails. Think about it: a phone number has a set number of digits with ten possible placements, 0-9. An email not only has the entire alphabet on top of all of the numbers, the length varies from the shortest possible username to the longest one. You can’t simply BS your way into a working email the way you can with a phone number, you’d have to buy a list and plug it into the spam machine to send messages.

Enforcement, too, is easier to evade. If a smisher’s email gets banned, they can simply make another one by the same mechanism that makes spamming emails without a list difficult, and continue to spam phone numbers. As emails and phone numbers get blocked out, online services allow them to continue messaging. If those services get complaints about the spam? Simply make a new account there, too. Easy, fast communication is vital to many people, businesses, and services today, so all of this is easy and accessible by design.

Sources:

https://www.androidauthority.com/apps-send-text-sms-pc-ways-740669/

https://www.techrepublic.com/blog/microsoft-office/use-outlook-to-send-e-mail-to-a-cell-phone/

Avoiding Doxxing

On TikTok, posting personal details and Facebook profiles of feuding personalities is becoming normal, frighteningly fast. Doxxing is becoming a real problem. How do you avoid it?

Don’t use the same username for every website.

When every website you go to uses xXxCatLover93xXx as your handle, eventually, people are going to start searching for that name. Maybe you got into an argument over whether Ragamuffins are better than Ragdoll cats – and now someone is googling your username to see what other wrong opinions you have. If your TikTok account had that username and a real picture of you, then they know what you look like. If you posted that same picture to Facebook once you migrated from MySpace, and they reverse-image search, suddenly they’ve stumbled upon your profile. Use different usernames! Don’t link anonymous and non-anonymous accounts with the same username, that defeats the purpose!  

Additionally, under those usernames, it’s a good idea to regularly purge your post history or delete the account, particularly for sites like Reddit where post history is public. People reveal more than they think they do in comments, especially if they don’t realize something’s a local landmark. Citing a particular statue or feature of a town may be just familiar enough for someone to recognize it. They then know you’re there, and by scrolling down the post history, they may be able to identify you.

Not everyone is malicious, and if people identify that you live in their town, it’s probably not going to lead to someone murdering you (although cases like that exist!). It’s just uncomfortable to spill secrets to strangers who may or may not be able to recognize you IRL. The bigger concern should be people you don’t like identifying you and learning more about you via that profile’s history!

Don’t Post Details (or post them ‘wrong’)

Birthdate, gender, and zipcode can narrow your exact identity down to one or two people within that zipcode. With your name or initials, bingo! You’re the only one who matches! Now, other people may be able to identify that you only have one dog, one roommate, and no security door via information you’ve posted in the past.

How do you prevent that? Don’t post any of those details. Post them wrong if someone asks – flip numbers around in the zipcode, and birthday. Insinuate you have several dogs. Flip your gender or refuse to disclose it. If someone is asking you for something as specific as your zipcode, you should read that as a red flag! City, state, whatever – that’s one thing. Zipcodes can get really specific, down to two or three neighborhoods. You may have overshared elsewhere, and the other side is one small step from being able to doxx you.

Non-Text Related – Don’t post your face or identifying locations

When I was growing up, it was suggested that you should never post your face online, as someone could find you off of that alone. In middle school, we were told a horror story of a little girl who went missing, because she was conversing with a ‘friend’ online. That friend was really a pedophile posing as another 10-year-old, and he asked her for a picture of herself, spotted her school’s logo on her backpack in the background of that picture, and then snatched her and murdered her based off of that. Information in the background is just as valuable as a face pic.

That still holds true! You shouldn’t post pictures of the outside of your house, because if Google Street View has seen it, it’s not impossible to reverse-search. If a malicious party knows you live in that state, then they may be able to narrow down your neighborhood just by building style. Your face, your school, your work – any unique building or feature could be used against you.

You also shouldn’t post pics of receipts, as store numbers contain a lot of information. When you do post pictures, black out information like time and place! It’s also a really good idea to check your phone’s settings. EXIF data is data the phone stores about the picture – things like time, date, and device specs are stored in each picture you take. If you don’t have it set to ‘off’, EXIF data also frequently has geotagging information attached to it. Turn that off in settings!
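To make the EXIF point concrete, here is an added example in Python (not from the original post) that shows where a geotag lives inside a photo file and what “stripping” it actually does. A JPEG stores EXIF, including the GPS sub-table, in an APP1 segment near the start of the file; the GPS data is reached through the GPSInfo pointer tag (0x8825) in the first IFD of the embedded TIFF structure. The code builds a small constructed byte string with the JPEG container layout and such a tag (it is not a viewable picture), detects the tag, and removes the whole Exif segment while keeping every other segment intact. The sample file, the JFIF header bytes, and the token scan data are all constructed for the example; for real photos, use a maintained tool or image library rather than this minimal parser, which only handles the baseline layout.

```python
import struct

SOI = b"\xff\xd8"          # start of image
APP1 = 0xFFE1              # marker whose payload may carry Exif
SOS = 0xFFDA               # start of scan: compressed image data follows
EXIF_HEADER = b"Exif\x00\x00"
GPS_INFO_TAG = 0x8825      # IFD0 entry that points at the GPS sub-table


def split_jpeg(data):
    """Walk the marker segments that precede the scan data.
    Returns ([(marker, payload), ...], tail) where tail starts at SOS
    (or is whatever remains if no SOS marker is found)."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == SOS:
            return segments, data[pos:]
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, data[pos:]


def is_exif_segment(marker, payload):
    return marker == APP1 and payload.startswith(EXIF_HEADER)


def has_gps_tag(data):
    """True if an Exif segment's first IFD contains the GPSInfo pointer,
    i.e. the photo carries a geotag. Only IFD0 is inspected; that is where
    the pointer lives."""
    for marker, payload in split_jpeg(data)[0]:
        if not is_exif_segment(marker, payload):
            continue
        tiff = payload[len(EXIF_HEADER):]          # TIFF: byte order, magic, IFD0 offset
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):                     # each entry: tag, type, count, value (12 bytes)
            entry = ifd0 + 2 + 12 * i
            tag = struct.unpack(endian + "H", tiff[entry:entry + 2])[0]
            if tag == GPS_INFO_TAG:
                return True
    return False


def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment dropped and all
    other segments (JFIF header, tables, scan data) kept byte for byte."""
    segments, tail = split_jpeg(data)
    out = bytearray(SOI)
    for marker, payload in segments:
        if not is_exif_segment(marker, payload):
            out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return bytes(out + tail)


def build_sample_jpeg(with_gps):
    """Constructed stand-in for a phone photo: a JFIF APP0 segment, an Exif APP1
    segment whose IFD0 optionally holds a GPSInfo pointer, and a token scan.
    It has the JPEG container layout but is not a decodable picture."""
    entries = []
    if with_gps:
        # tag 0x8825, type LONG (4), one value, offset of the GPS IFD (illustrative)
        entries.append(struct.pack("<HHII", GPS_INFO_TAG, 4, 1, 26))
    ifd0 = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0      # little-endian TIFF, IFD0 at offset 8
    exif_payload = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(exif_payload) + 2) + exif_payload
    jfif_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = struct.pack(">HH", 0xFFE0, len(jfif_payload) + 2) + jfif_payload
    sos = struct.pack(">HH", SOS, 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return SOI + app0 + app1 + sos + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg(with_gps=True)
    print("geotag present before:", has_gps_tag(photo))
    print("geotag present after: ", has_gps_tag(strip_exif(photo)))
```

Dropping the whole APP1 segment is the blunt but reliable approach: it removes the GPS sub-table along with timestamps and device details in one step, and the picture itself is untouched because the compressed scan data lives in later segments. Turning geotagging off in the phone’s camera settings, as the post recommends, stops the GPS entry from being written in the first place.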


TikTok Crisis

TikTok is a terrifying place. Users regularly show their entire face, cons that they’ve attended, and personal stories with too much detail to their audience. Distinctive, unique tattoos get shown off to thousands of people, as well as the view from their front yard and what stores they can walk to. Some of the TikToks that came out of the pandemic were about remote learning, with the teacher visible on the screen. This is a problem because many schools post pics of their teachers on their staff page. Bad actors use this to identify the school, show it the TikTok, and track down the person who posted it.

The worst part? It doesn’t have to happen immediately. Kids who posted a video of themselves violating school rules can still be found via that video weeks later, further down in the feed. Ticked off a more anonymous user? You’ll never know how the school found out. Videos of dance trends that they wouldn’t want their parents seeing are getting sent to their parents based off of information gathered over weeks or months of posts. All of it’s online. Video is an incredibly information-rich format, and when each video is under a minute long, any one person could look through them all.

It’s no surprise people are getting their own details shoved in their face when they’re posting this much about themselves!

The easy solution? Just don’t. Don’t download the app, and don’t download videos. Of course, this isn’t going to happen, so the second-best option is to always film indoors away from windows, or in generic buildings like Targets or chain grocery stores. Don’t film yourself in a distinctive school uniform or in an identifying area of said school, because sometimes all it takes is specific colors. In Las Vegas, many of the school buildings look the same, but the colors are totally distinct to each school. Blue and orange belong to Bishop Gorman, so if a kid has posted about living in Vegas before, those colors narrow down their location dramatically.

Shia LaBeouf’s flag, and 9Gag’s ‘meme hieroglyph’

It’s dangerous to attract too much attention from certain forums. 4chan in particular is notorious for finding the unfindable, triangulating exact locations based off of things like truck honks and light positioning. See the saga of Shia LaBeouf’s flag project, where the flag was found over and over until he was forced to put it in a featureless white room.

9Gag put a limestone pillar covered in ‘hieroglyphs’ (which were really just old memes carved into the surface) underground for future archeologists to find. 4chan and other forums found it by cross-referencing information in the background (Spanish writing on a truck) with available limestone mines and open fields in Spanish-speaking countries and found its exact coordinates based off of that little information. They couldn’t do much about it, because it was a 24-ton piece of limestone, but they found it.

Crimes

If you post things online, someone may be able to find you given time and determination. The best thing you can do to avoid that determination is fade into the background, as hard as you can, and don’t post crimes or social misconducts to TikTok or social media. Even if you’re not planning on committing crimes, you should set accounts to private, don’t overshare, and don’t do things that get you online attention for the wrong reasons. Once again, TikTok is terrifying because small accounts may think they’re only sharing with their friends, only to end up trending unintentionally!

Maskless groups of friends posting videos at the beginning of the pandemic were scolded for being maskless, and because interaction makes videos more likely to appear on the ‘For You’ page, those maskless videos were getting thousands of people’s worth of harassment. Post something dumb? Algorithm catches it juuuust right? Previously anonymous posts then get a glance from hundreds to thousands of people! Suddenly, it matters a lot if you’ve ever posted videos that looked bad with no context.

And More Crimes

If you’ve seen posts that said “help me find her!” with some sob story about a missed connection, this is one way of finding people who don’t necessarily want to be found. Sure, it might be legit. It might also be a particularly clever stalker using a sad story about ‘I was out of swipes on Tinder!’ to get unsuspecting ‘good Samaritans’ to help him chase some woman’s Facebook profile down. Missed Connections on Craigslist is one thing – that’s pretty anonymous. Posting a missed connection to thousands of people on Reddit or TikTok is an entirely different thing. It’s effectively setting a mob after that person to get them to respond to the poster. The same goes for Missing Persons posts – if the number is anything but a police department’s number, you should be wary of trying to help.

Sources: https://www.dhs.gov/sites/default/files/publications/How%20to%20Prevent%20Online%20Harrassment%20From%20Doxxing.pdf

https://dataprivacylab.org/projects/identifiability/paper1.pdf

Adobe Flash: Left Behind

Adobe Flash Player was a familiar sight in the early 2000s. Most browser games used it, and many interactive features on company websites used it. But it was slow. And it was being outpaced by better engines.

Adobe recently announced that they’d stop supporting their Flash Player. While this doesn’t sound like a big deal, it is – a lot of the ‘old’ internet relied on Flash.

What Did Flash Actually Do?

Flash was one of a host of plugins that allowed users to view ‘rich’ content. Everything from Flash games to autoplay audio to vector graphics to dynamic menus… if the website had visuals besides plaintext on it, there was a solid chance Flash was used somewhere. Adobe Flash Player sorted to the front of the pack because it was free, and played well with the browsers that supported it. It allowed a whole new world of interactive content. Since most browsers had a version of Flash, most websites were able to use Flash content – notable exceptions included Apple products. Even then, Safari could view it.

Why Drop?

 

Adobe Flash and Flash Player had problems. They always had problems. But the benefits of dynamic content and nice, quickly-loading visuals outweighed the issues Adobe Flash had. Most of the time, Flash was used on a stationary device that didn’t need to worry about battery, like a home computer. Laptops were in there too, but they were bulky, and often prioritized battery life over size. Flash could afford to be a little inefficient to get the content moving on screen faster.

Then the first iPhone came out. Safari users could access Flash content, but most webpages weren’t optimized for mobile yet, so the iPhone was using excessive battery on websites anyway. The next gen of smartphone owners, who also had Android or Microsoft devices, noticed that Flash ate battery life even though the website was designed with mobile in mind. That was more of a problem now that smartphones were popular, but vendors hoped they would improve on their own. After all, Flash was always updating to keep up with browsers and plug-ins.

Windows 8 came with Flash Player bundled in, and it was better, but it still wasn’t the picture of perfect efficiency. What was Windows going to do, reinvent the wheel, and then ask everybody to switch to their version of Flash, for greater efficiency? No. Adobe’s products were fine, and fine doesn’t have to be perfect. They filled a gap, and they enabled a lot of creativity via those browser games, which eventually became Flash’s number one usage for users aged 10-20. Interactive content needed Flash.

Adobe’s advantages far outweighed the negatives at this point. However, that was about to change.

 

Security

 

Having a tool that could run rich content all by itself was great. However, in 2013 Adobe was about to get into a slog of zero-day attacks and malware fixes that would have ruined anybody’s reputation. Flash’s widespread use meant that hackers could assume Flash Player was on a targeted device. By creating online ads that contained specially designed malware, hackers could get into any device where Flash content could play. It was as good as an open door if the virus could trick the browser into thinking it was also Flash content that needed to be downloaded to view the page. Suddenly, a Trojan Horse is on the device!

Antiviruses of the time could stop the clumsy attempts before they became a real problem, but undefended people were often unpleasantly surprised by Flash malware getting into their system and downloading things. 2013 onwards saw a constant uphill grind against hacker organizations who had access to real tools and real skill.

Apple then released a memo clarifying that they wouldn’t be using Flash because of these security issues. Malware known as Flashback infected about 600,000 devices, and Apple was unhappy – users were duped into downloading a fake Flash update that was indistinguishable from a real Flash update notice. ‘Don’t download things from a third-party website’ is common advice now, but because Flash was always pushing to keep users as patched up and flawless as possible, they often pushed these ‘update Flash’ notifications to other websites that were hosting Flash content. You might remember the gray screen and plug warning when trying to play a Flash game – Flash did that so often it got kids as well as adults.

 

The Outdated

 

Flash did a lot of things, but they were all things that could be done better if web developers had better tools. HTML5 was released in 2014 and was extremely lightweight compared to Flash. It used web browsers to its advantage, by using a tagging system that the browser (which was updated for the new tech) could interpret. Since less data needed to be shared over the user’s internet connection, the content loaded faster – all the browser needed was those tags.

There were issues with this: in the early days of HTML5, different browsers could interpret the same tag differently, and sometimes older versions couldn’t interpret a new tag at all. But it was so much easier to work with and so much faster that minor issues were overlooked. Another bonus was less malware!

HTML5 and WebAssembly both stepped in to take some of the weight off of Flash after its first major security event, and people noticed that loading times had gone down. Apple’s departure from Flash also slashed its popularity, and Flash started its downhill decline.

 

Support

 

Adobe announced it was planning for Flash’s End-Of-Life a whole three years before the end-date to give developers time to remove it. Still, for older sites that couldn’t switch, an open-source project called ‘Ruffle’ hopes to fill the gaps and keep Flash games running a bit longer. Ruffle behaves a lot like Flash, but it’s third-party. The website itself has to support Ruffle’s use, so if all the Flash stuff was abandoned because the website itself was abandoned, Ruffle isn’t going to be much help. At least there is an option, though, as limited as it may be.

Ironically, Flash was so deeply embedded in the fabric of the internet that fake Flash updates are still getting people. Remember, if a pop-up says you should update something on your device, whether it’s Minecraft or Excel, you should always go to the home site and verify it there. It’s really easy to copy an application’s layout nowadays!

 

Sources:

https://www.adobe.com/products/flashplayer/end-of-life.html

https://www.infosecurity-magazine.com/news-features/flash-post-support/

https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/

https://www.forbes.com/sites/barrycollins/2020/06/22/adobe-flash-cut-off-will-kill-millions-of-websites/?sh=413027e3d718

https://www.intego.com/mac-security-blog/the-history-of-adobe-flash-player-from-multimedia-to-malware/

https://blog.trendmicro.com/history-of-flash-zero-day-and-other-vulnerabilities/

https://www.educba.com/html5-vs-flash/

 

 

Risks to Your Machine In Public

 

1) Public Wifi

If you’ve been online in the past few years, you’ve likely seen this warning already from VPN ads and security experts: don’t connect straight to public WiFi if you can help it, and if you do, don’t do your online banking on it. If the hacker gains special access to the WiFi network without the actual owners knowing, they can see the data that travels to and from the systems attached to it.

 

2) Juice Jacking

 

There was a period of time between the phone security we see today and the teeny-tiny tech found in things like micro-cameras where hackers could connect chips to public USB plug-ins and steal data. This happened either directly through the port or by downloading malware designed to send that info after a certain amount of time: things like pictures, app passwords, saved files and audio recordings, anything you wouldn’t want to share over USB. Luckily, a security conference revealed a lot of these issues before they became an epidemic, and between Android updating with a white-list system and Apple updating with security patches, juice jacking is less and less common. If you’re still worried, there are a number of ways that don’t rely on programming, like using the cable/adaptor that came with your device or using a charge-only cable with no data wires.

 

3) Illegitimately Named HotSpots

 

In this case, the hacker renames a WiFi source (which could be a phone hotspot or something similar) to something that you’re looking for. Maybe it’s the free WiFi for the hotel, and you don’t notice that there are two of them before you go through the effort of logging in with your room’s key and the password they gave you – which the hacker doesn’t need, but it gives an air of legitimacy to the fake network. Now the hacker can see your online traffic, whether it be to apps on your phone or to websites on your laptop. Private information is no longer private.

This is different than the previously mentioned public WiFi: in this method, the hacker owns the fake network, where on public WiFi, they don’t. The legitimate admin on a WiFi channel that the hacker doesn’t own might eventually notice and kick them from it, but the WiFi source the hacker owns would need to be shut down to keep people off of it since the hacker is the source.

Renaming networks to get phones to auto-connect can also be a problem, but if it’s not done right, unseen data alerts the phone that HomeNetwork1 isn’t really the network it is supposed to auto-connect to. This means that this hack is more complicated than the method listed above; most people would probably pause for a second if their phone were asking for permission to connect to their home network from miles away, without a password. Social engineering a connection to a network the device is unfamiliar with anyway is an easier, more efficient way to steal data.

Be sure to turn off WiFi seeking features until you’re ready to connect to a specific network of your choosing, which removes this possibility altogether.
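The comparison a phone makes against its saved profile, written out as an added example (not code from the original post): the saved profiles and the scan results are constructed, and the "security type plus AP vendor prefix" check is the assumption being demonstrated.

```python
"""Spot look-alike hotspots in a Wi-Fi scan.

Added example, not code from the original post. The saved profiles and the
scan results below are constructed; on a real device they would come from the
OS's Wi-Fi API. A saved profile carries more than the name (the AP's hardware
address prefix and the security type), which is the unseen data that lets a
phone refuse a hotspot merely renamed to match.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Seen:
    ssid: str
    bssid: str      # AP hardware address; the first three octets identify the vendor
    security: str   # "open", "wpa2" or "wpa3"


@dataclass(frozen=True)
class Saved:
    ssid: str
    oui: str        # vendor prefix of the APs this profile was created on
    security: str


def oui(bssid: str) -> str:
    """First three octets of a MAC address, e.g. 'AA:BB:CC'."""
    return bssid.upper()[:8]


def check_scan(scan, saved):
    """Return (ssid, reason) findings for networks that do not look like what they claim."""
    findings = []
    profiles = {p.ssid: p for p in saved}
    by_ssid = defaultdict(list)
    for net in scan:
        by_ssid[net.ssid].append(net)
    for ssid, nets in by_ssid.items():
        secs = {n.security for n in nets}
        # The hotel case from the text: one name offered both open and encrypted at once.
        if "open" in secs and len(secs) > 1:
            findings.append((ssid, "same name advertised both open and encrypted"))
        prof = profiles.get(ssid)
        if prof is None:
            continue            # never joined before: nothing to compare against
        for n in nets:
            if n.security != prof.security:
                findings.append((ssid, f"saved as {prof.security}, seen as {n.security} from {n.bssid}"))
            elif oui(n.bssid) != prof.oui:
                findings.append((ssid, f"unexpected AP vendor prefix {oui(n.bssid)} ({n.bssid})"))
    return findings


# Constructed data: two saved profiles and one scan taken in a hotel lobby.
SAVED = [
    Saved("HomeNetwork1", "AA:BB:CC", "wpa2"),
    Saved("Hotel-Guest", "00:11:22", "wpa2"),
]
SCAN = [
    Seen("Hotel-Guest", "00:11:22:33:44:55", "wpa2"),   # the real hotel AP
    Seen("Hotel-Guest", "DE:AD:BE:EF:00:01", "open"),   # a phone hotspot using the same name
    Seen("HomeNetwork1", "DE:AD:BE:EF:00:02", "wpa2"),  # "home" network, miles from home
    Seen("CoffeeShop", "66:77:88:99:AA:BB", "open"),    # unknown open network, not flagged here
]


def demo():
    return check_scan(SCAN, SAVED)


if __name__ == "__main__":
    for ssid, reason in demo():
        print(f"{ssid}: {reason}")
```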

 

4) Over the Shoulder

 

The simplest method of gaining illegitimate access to your accounts is via Social Engineering. Now, it’s not easy – if you’ve ever tried before out of curiosity, you’ll know that most people type too fast for your eyes to actually follow, and that’s not including hitting the shift key and adding in numbers or punctuation, etc., so it’s simple, not easy. But difficult is not impossible, and if your password is especially simple, or they watch you glance at a sticky note you’ve stuck somewhere to remember the password, the chance that they’ll successfully remember or find your password goes up. Remember, the best passwords are long and decently complicated!

 

Sources:

https://blog.malwarebytes.com/explained/2019/11/explained-juice-jacking/

https://us.norton.com/internetsecurity-mobile-what-is-juice-jacking.html

https://krebsonsecurity.com/2011/08/beware-of-juice-jacking/

https://www.androidpolice.com/2013/02/12/new-android-4-2-2-feature-usb-debug-whitelist-prevents-adb-savvy-thieves-from-stealing-your-data-in-some-situations/

https://www.consumerreports.org/digital-security/is-using-public-wifi-still-a-bad-idea/

 

Blizzard Entertainment’s 2012 Hack: An Example of How to Do It Right

In 2012, game developers were beginning to experiment with a principle known as “always on”. “Always on” had many potential benefits, but the downsides keep the majority of games from ever attempting it. Many of the notable standouts are games that require team play, like Fall Guys or Overwatch. Others without main-campaign team play tend to fall behind, like Diablo 3 and some of the Assassin’s Creed games. Lag, insecurities, perpetual updating, etc. are all very annoying to the end user, so they’ll only tolerate it where it’s needed, like those team games. It’s hard to say that this hack wouldn’t have happened if Blizzard hadn’t switched to an “always on” system… but some of their users only had Battle.net accounts because of the always-on.

Blizzard’s account system was designed with their larger, team games in mind. It was forward-facing, and internet speeds were getting better by the day. Users were just going to have to put up with it, they thought. Users grumbled about it, but ultimately Blizzard was keeping data in good hands at the time. You wouldn’t expect Battle.net accounts created purely to play Diablo 3 to lose less data than the user profiles in the Equifax breach, right? Blizzard didn’t drop the ball here! What did Blizzard do right to prevent a mass-meltdown?

Hacker’s Lament

 

The long and the short of it was that Blizzard’s stuff had multiple redundancies in place to A) keep hackers out and B) make the info useless even if it did end up in the wrong hands. Millions of people had lost data in similar events before, and security experts were more and more crucial to keeping entertainment data safe. Blizzard was preparing for the worst and hoping for the best, so even when the worst struck here, they were prepared.

The actual hack was defined by Blizzard as ‘illegal access to our internal servers’. It released the listed emails of players (excluding China), the answers to security questions, and other essential identifying information about accounts into the wild. However, due to Blizzard’s long-distance password protocol, the passwords themselves were scrambled so much that the hackers might as well have been starting from scratch. This is still a problem, but it’s not a world-ending, ‘everyone has your credit card’ problem. Changing the password on the account and enabling 2FA was considered enough to shore up security.

 

Potential Issues

 

Lost email addresses aren’t as big of a problem as lost passwords, but they can still present an issue. Now that the hacker knows an email address was used on a particular site, it’s possible to perform a dictionary attack, or regular brute forcing! This strategy will eventually work, but the longer and more complicated the password is, the less likely it is to succeed on your account in particular.

A secondary problem is the lost security questions. Those are a form of 2FA. Depending on the question asked, guessing something that works or brute forcing it again is dangerously easy. Sparky, Rover, and Spot are very popular names for American dogs, for example. If the hacker is able to identify that the player’s American, and then guess the name of their first dog, they’re in! They can change the password to keep the legitimate player out. (Part of Blizzard’s response is forcing users to change their security questions for this reason). 2FA that uses email or mobile is generally preferred.

Battle.net acted as an overarching account for all the games, and made the stakes higher for an account breach. All the online Blizzard games went through Battle.net. Losing access could mean losing access to hundreds of hours of game progress. Or worse: credit card data and personal info.

 

Online, Always, Forever

 

The event provided ammo for anti-always-on arguments. There was no option to not have a Battle.net account if you wanted to just play Diablo’s latest game. Some users were only vulnerable as a result of the always-online system. If they’d simply been allowed to play it offline, with no special account to maintain that always-online standard, there wouldn’t have been anything to hack! Previous Blizzard games didn’t require Battle.net. People who stopped at Diablo 2 seem to have gotten off scot-free during the hack. This is annoying to many users who only wanted to play Diablo 3. They might not find value in anything else about the Battle.net system. Why bother making users go through all this work to be less secure?

When discussing always online, there are good arguments to be made on both sides. Generally, always on is better for the company, where offline gaming is better for the consumer. Always on helps prevent pirating, and it gives live data. Companies need data on bugs or player drop-off times, which can help them plan their resources better and organize fixes without disrupting the player experience.

On the other hand, consumers with poor internet are left out, as lag and bugs caused by poor connection destroy their gaming experience. As games move more and more to pure digital, buying a ‘used game’ only gets more difficult for the consumer. Companies treat purchased games as a ticket to a destination, rather than an object the consumer buys. Games used to be objects, where anybody could play the game on the disc even though save data stayed on the console. Buying access to Diablo 3 via Battle.net means that there’s no way to share that access without also allowing other people to access the Battle.net account, which stores the save data. It’s the equivalent of sharing the console, not just the disc.

 

Handling

 

The response to the stolen, scrambled passwords was for Blizzard to force-reset player passwords and security questions, just in case the hackers somehow managed to unscramble them.

2FA is always a good idea, and Blizzard strongly recommended it too. 2FA will do a better job of alerting you than the default email warning ‘your password has been changed’ will after the fact. After you’ve received that email, the hacker is already in. Depending on when you noticed, they could have already harvested all the data and rare skins they wanted by the time you get your support ticket filed! Setting up 2FA first means that you’re notified before that happens.

All in all, Blizzard handled this particular incident well! Companies are required to inform their users about potential online breaches, but some companies do this with less tact than others. Formally issuing an apology for the breach isn’t part of their legal requirements, for example. What made this response possible in the first place was Blizzard’s competent security team, alongside a set of policies that were strictly followed. Logs and audits in the system ensured that Blizzard knew who accessed what and when, which is critical when forming a response. Blizzard was able to determine the extent of the problem and act on it quickly, the ultimate goal of any IT response.

 

 

Sources:

https://us.battle.net/support/en/article/12060

https://us.battle.net/support/en/article/9852

https://www.forbes.com/sites/erikkain/2012/08/09/its-official-blizzard-hacked-account-information-stolen/?sh=2ecadbc955d1

https://comsecglobal.com/blizzards-gaming-server-has-been-hacked/

https://medium.com/@fyde/when-too-much-access-leads-to-data-breaches-and-risks-2e575288e774

https://www.bbc.com/news/technology-19207276

The Former CEO of LifeLock: “Mistakes Were Made”.

If you were looking for better identity protection following a string of massive data breach events in the early 2000s, you might have seen the ads for LifeLock. Lifelock is a company that – while still in business today – was forced to pay 100 million dollars in a class action lawsuit for misleading advertising. Most people will likely remember something else about Lifelock, though. The CEO plastered his SSN on a billboard and then had his identity stolen.

A joke about Lifelock posting his SSN on a billboard.

What’s so Dark About the Dark Web?

The Dark Web is called the Dark Web because the pages are ‘dark’ to search engines. There’s no way for someone to Google an online bank and get the user dashboard without signing in – you may be able to use a link to get to it if you’ve already been there (and it will likely take you to a “Not Found” page if you’re not signed in), but Google doesn’t have access to it directly. The same goes for the vast majority of pages that are only accessible with a user account: they would be literally unusable if certain pages were visible and interact-able to the public. What’s the use of a public shopping cart, and a public payment portal? It’s non-functional.

As such, they remain inaccessible to Google’s search engine. These pages are effectively invisible, and any company that’s smart would like to keep it that way. That’s not the only way to stay off the radar, though, as sometimes things are invisible to Google because the webpage wasn’t indexed. What this all boils down to is that the Dark Web is many things, but first it’s a state of being, rather than a place. This doesn’t mean nothing shady ever happens on un-indexed pages, but it’s really not the majority of what is considered ‘dark’ to Google or Bing.

The Data LifeLock’s Scanning

Part of the appeal of un-indexable pages to criminals is that searching through them is a nightmare. LifeLock claimed to scan through a trillion data points a day – which sounds like a lot because it is. It also claims to patrol the dark web for your data. Since the results of the class action suit are what I’m basing this article on, this feature apparently functions at least as well as they advertise it currently, not back then. But the dark web is huge, and disjointed.

Searching through all that info for just LifeLock customers is difficult. After all, if it were easy, Google would have probably jumped at the opportunity to sell something just like LifeLock: “The World’s Number One Search Engine Can Now Find Your Stolen Data Anywhere”. Even back then, Google was a behemoth. You would need to have access to pages that are legally unfindable by Google, one of the most powerful tech companies in existence, to find stolen data before it becomes a problem. They would need to be digging into some obscure places to get to that data.

However, this wasn’t LifeLock’s only method of defense against criminals. They monitored (and continue to monitor) credit and bank withdrawals with user-set alarms – on their website, they also advertise alerting for address changes on certain accounts. However, I’m not sure how old that feature is, given that part of their suit was based around the alert system. These are things that banks themselves have taken over in recent times, and the thrice-annual free credit report acts as a canary for identity theft, so LifeLock’s exclusive features are no longer such a draw.

Former LifeLock CEO Todd Davis: Broken Promises

LifeLock’s methods make a couple of assumptions. One: the fraud is caught immediately as a result of LifeLock’s monitoring, and it doesn’t do significant damage to the customer’s life. Two: the information was used or sold somewhere that LifeLock would recognize it. As said before, the dark web is just un-indexed pages. That’s a huge number of pages. There’s a huge number of businesses that only need an SSN and a name to make an account. This will come back to haunt their marketing team later in the story.

Someone wanted to prove to all the naysayers that LifeLock was effective even if everybody had his full name and SSN. Nobody could ding his credit as long as LifeLock was watching his back. Setting up an account with AT&T, with stolen info? Not today! Former LifeLock CEO Todd Davis was confident in his product.

He slapped his SSN and full name up on a billboard. LifeLock Would Protect Him.

It was brazen. It was a tactic used by bulletproof glass manufacturers to prove their faith in their product. So, what could have gone wrong, you may ask? What could have cost LifeLock its brand identity?

Thieves stole his identity. Not once. Not twice. Thirteen separate times. The number of times his identity was successfully protected doesn’t really matter when the CEO of LIFELOCK has had his identity successfully stolen thirteen times.

Davis said, “We were trying to make the point that … all it takes is one data breach. The point of that campaign was to take proactive steps to protect your identity.” Take proactive steps. Right. This is obviously a damage control statement! As you can see in the picture above, he is not saying ‘theft could still ruin your life even with LifeLock’. He is inviting people to try to take the data.

LifeLock later settled that class-action lawsuit from before because of problems with LifeLock’s automated alert system. Civil suits take time – this wasn’t filed as a result of their CEO accidentally proving LifeLock could be overwhelmed or evaded – but it didn’t help their public image.

Well, Former LifeLock CEO Todd Davis, you proved a point. Not even the best of identity-monitoring programs can keep your data out of the hands of thieves… when you tell those thieves that you’re untouchable.

Sources kept as links for convenience:

https://www.ftc.gov/system/files/documents/foia_requests/pages_from_first_partial_release_ll_part4.pdf

https://www.wired.com/2010/05/lifelock-identity-theft/

https://www.consumer.ftc.gov/blog/2015/12/lifelock-agrees-pay-100-million-allegedly-violating-ftc-order

https://www.consumerreports.org/money/No-longer-trust-LifeLock/

https://www.doughroller.net/credit/is-lifelock-worth-it/

https://www.forbes.com/sites/quora/2019/09/11/how-do-criminals-use-stolen-data/?sh=21bfa7ca7551

Don’t Plug In Found USB Sticks

Did you find a seemingly normal USB stick on the ground outside your work? How about in the lobby, where the public can come and go as they please? Did you find something that doesn’t seem to be your company’s preferred brand of USB stick, or even not branded at all? Is it strangely heavy for a typical USB stick?

DON’T plug it in. Here are some reasons why.

Ransomware

As it’s now 2020 and WannaCry has made the news more than once, you’ve probably heard of ransomware, a type of malware that encrypts files, and threatens to destroy them if money is not sent to the hacker.

USB sticks are one of many ways this virus finds its way into your most important files, pictures, and documents, and it’s notoriously difficult to get rid of. In the time it takes to discover it and attempt to neutralize it, the hacker can simply *poof* the files away if they realize you’re not going to pay.

And deleting them isn’t the only way they can cause pain. Copying the files somewhere and then releasing them online can be disastrous for certain industries and businesses, even worse than just destroying the files, and the hackers know that.

Do NOT plug strange USB sticks into your device. Even if it looks like someone from your office might have dropped it, if you don’t recognize it? Don’t plug it in. Keep it on your desk or turn it in to the IT department and wait for them to come looking for it.

Broad Malware

If the ultimate goal of the USB isn’t money, malware is another widely used way to completely wreck a computer. Sometimes malware is aiming to destroy a business’s computer network, or looking to steal secrets without ransom, or infect other computers on the network and eventually break them all at once. This is where something like AI-driven antivirus comes in handy: if something is propagating very quickly across all the devices on a network, and it’s not officially licensed, and it’s bringing a bunch of .exe stuff with it – antiviruses designed around behavior and not fingerprinting will take notice. They aren’t impenetrable, but it takes more to get around them than it does to get around a classic antivirus.

Again, don’t fall victim to Social Engineering and plug in a USB you found on the floor.
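A behavior-based rule of the kind described above, as an added example that is not part of the original post: the endpoint event-line format, the host names and the hash values are constructed placeholders, and the rule is an assumption meant to illustrate the idea, not any vendor's product logic.

```python
"""Flag an executable that spreads across many hosts in a short window.

Added example, not code from the original post. The event-line format, the
host names and the hash values below are constructed placeholders; a real EDR
would export richer records. The rule mirrors the behaviour the text
describes: the same new .exe landing on several machines within minutes,
without a known publisher signature, is worth an alert on its own, and the
first host is checked for a removable-media insert just before it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "<iso timestamp> host=<name> event=<type> key=value ..." (no spaces inside values)
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?: (?P<rest>.*))?$")


def parse(line):
    """Turn one event line into a dict, or None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    for kv in (rec.pop("rest") or "").split():
        k, _, v = kv.partition("=")
        rec[k] = v
    return rec


def find_spreading_exes(lines, window=timedelta(minutes=10), min_hosts=3, trusted_signers=()):
    """Return {sha256: details} for unsigned .exe files created on >= min_hosts hosts within `window`."""
    creations = defaultdict(list)       # sha256 -> [(ts, host)]
    inserts = defaultdict(list)         # host -> [ts of removable-media inserts]
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        if rec["event"] == "usb_insert":
            inserts[rec["host"]].append(rec["ts"])
        elif rec["event"] == "file_create" and rec.get("path", "").lower().endswith(".exe"):
            if rec.get("signer", "none") in trusted_signers:
                continue                # a signed installer rolling out is expected behaviour
            creations[rec["sha256"]].append((rec["ts"], rec["host"]))
    hits = {}
    for digest, events in creations.items():
        events.sort()
        first_ts, first_host = events[0]
        # slide a window over creation times and count distinct hosts inside it
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[digest] = {
                    "hosts": sorted(hosts),
                    "first_host": first_host,
                    "usb_insert_before_first": any(
                        first_ts - window <= t <= first_ts for t in inserts[first_host]),
                }
                break
    return hits


# Constructed sample: a stick is plugged into PC-01 and the same unsigned binary
# then shows up on three more machines; a signed updater rolls out to three
# machines; an unsigned tool appears on three machines an hour apart.
SAMPLE_LOG = r"""
2020-03-04T09:00:02 host=PC-01 event=usb_insert
2020-03-04T09:00:20 host=PC-01 event=file_create path=E:\report.exe sha256=aaaa1111 signer=none
2020-03-04T09:01:05 host=PC-02 event=file_create path=C:\Users\Public\svc.exe sha256=aaaa1111 signer=none
2020-03-04T09:01:40 host=PC-03 event=file_create path=C:\Users\Public\svc.exe sha256=aaaa1111 signer=none
2020-03-04T09:02:11 host=PC-04 event=file_create path=C:\Users\Public\svc.exe sha256=aaaa1111 signer=none
2020-03-04T09:05:00 host=PC-01 event=file_create path=C:\Updater\setup.exe sha256=bbbb2222 signer=Contoso
2020-03-04T09:05:30 host=PC-02 event=file_create path=C:\Updater\setup.exe sha256=bbbb2222 signer=Contoso
2020-03-04T09:06:00 host=PC-03 event=file_create path=C:\Updater\setup.exe sha256=bbbb2222 signer=Contoso
2020-03-04T14:30:00 host=PC-07 event=file_create path=C:\Temp\tool.exe sha256=cccc3333 signer=none
2020-03-04T15:30:00 host=PC-08 event=file_create path=C:\Temp\tool.exe sha256=cccc3333 signer=none
2020-03-04T16:30:00 host=PC-09 event=file_create path=C:\Temp\tool.exe sha256=cccc3333 signer=none
""".strip().splitlines()


def demo():
    return find_spreading_exes(SAMPLE_LOG, trusted_signers=("Contoso",))


if __name__ == "__main__":
    for digest, info in demo().items():
        print(digest, info)
```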

USB Killers

If you thought your anti-virus was enough to stop something nasty from creeping in on a USB, you’d be wrong. There’s more than one way to go about breaking a machine.

A USB killer is a device meant to cause harm to the device’s hardware. Essentially, it takes charge from the computer with a capacitor and then redirects it back. “How much damage could the power flowing to the USB port actually cause?”, you may ask. USB killers aren’t simply redirecting the energy back into the computer on a one-unit-in, one-unit-out basis. Instead, they use a capacitor. A capacitor behaves kind of like a balloon rubbed on a carpet: it stores charge in a ‘field’ (the balloon in that example) passively. It doesn’t really matter how much power is leaving the USB port, as long as there is power – when the capacitor gets to its limit, it discharges back into the computer, like the static shock you’d get from the doorknob after scooting across the carpet in socks, but many times larger. Up to 215 volts larger, according to Hackaday.

USB killers are becoming rarer, but they aren’t extinct.

But Why?

So why would someone want to use a USB killer or destructive malware, instead of using ransomware or straight file-stealing?

There are a lot of answers.

Some people just want to break expensive things, and don’t care what that is. Some people are looking to slow down business opponents or gauge weaknesses within the organization. Sometimes something expensive or hard to replace is stored on the computer, and the hacker wants it gone. Sometimes it can even boil down to terrorism, depending on the industry.

The long and the short of it is that you shouldn’t plug in a USB if you don’t definitely recognize it as yours.

Sources: https://resources.infosecinstitute.com/topic/usb-killer-how-to-protect-your-devices/

https://www.independent.co.uk/life-style/gadgets-and-tech/news/russian-computer-researcher-creates-usb-killer-thumb-drive-will-fry-your-computer-seconds-a6696511.html

https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf