Thursday, January 22, 2015

Justification for Your Paranoia

So, if December is the busiest month of the year for cyber-security, January may be the quietest. Yes, there are new exploits being discovered daily and the usual regulatory nightmares (like the U.S. Congress trying to block the FCC from reclassifying broadband under Title II), but all the big breaches are assumed to have happened during peak shopping time and all the post-Christmas pranks on gaming networks have died off.

So, it's been a few weeks, but here is your first dose of security and technology ranting for 2015.

1) Games that play themselves...and games that hack their own hardware...
Despite being a child of the '80s and early '90s, I never owned any of the early Nintendo consoles, but, of course, everyone else did, so I always went over to my friends' houses to play Super Mario Brothers. Everyone who grew up with these games is now an adult, and nostalgic adults + advanced education = new AI for old games.
At the video competition of this year's conference of the Association for the Advancement of Artificial Intelligence (AAAI), a team of researchers from the University of Tübingen showed a Mario that can answer questions, be fed information, learn from his environment, and make plans based on artificial emotional states (and that uses hilarious voice synthesis). The most amusing bit is Mario announcing what he has learned about the results of certain actions, for instance "If I jump on Goomba, then it certainly dies". Check out the video:
This is a pretty neat take, using voice commands to "teach" Mario, but letting the AI handle all of the actual playing of the classic 2D platformer. It is, however, far from the first attempt to make Mario smarter. In fact, the Mario AI Championship is a thing that exists--a competition dedicated entirely to giving Mario artificial intelligence.
And if classic Mario having feelings doesn't strike you as weird enough: at last year's Awesome Games Done Quick, a team of developers not only scripted a bot that could play Pokemon Red super-fast, but also hijacked the hardware it was playing on (a Super Game Boy and, from there, the Super NES underneath) and started streaming IRC chat directly onto the console. That's right, they got an IRC channel running inside a copy of Pokemon Red, running inside a Super Game Boy, running on a SNES.
Ars Technica has a great article which goes into the technical details of the buffer overflow exploits they used to take control of each piece of hardware, and of the bot they wrote to write directly into system memory using nothing but standard controller inputs (but at a super-fast rate of 30 to 60 inputs per second).
2) Google vs. Microsoft
Some of the biggest news this month has centered on a showdown between Google and Microsoft over Google's "Project Zero" and its policy of making vulnerability details public 90 days after reporting them to the vendor. This policy normally is not a problem, and has not been a problem for the other companies in whose products Project Zero has found bugs, but Microsoft...

is...

a little...

slow...

to patch things. So Google publicly disclosed a privilege escalation vulnerability in Windows 8.1 in late December.
And another one on January 13th.
And ANOTHER on January 16th.
Microsoft says "they're working on it", asked for extensions, and published a lengthy complaint, but really... with the staff Microsoft has, 90 days to turn around a bug fix should not be that hard. Nobody should be in the business of providing 'secure' software if they can't turn around bug fixes quickly. That's the entire reason "Agile Methodologies" for software development exist.
Of course, it doesn't help that Windows' patching process is flaky, if not down-right disruptive.
3) Cheap, Easy, Wireless Keylogger...
One of the classic ways to steal passwords and other credentials via malware is keystroke logging: once you can detect and log every key pressed on a keyboard, you can pretty much do what you want. Normally this requires malicious software to be installed on the machine. Unless, of course, the keyboard already broadcasts every keystroke over the air, as Microsoft's wireless keyboards do; then nothing needs to be installed at all.
Enter KeySweeper. It is basically just a mini Arduino and a 2.4 GHz radio chip (the nRF24L01+) disguised to look like a wall-plug USB charger, but it is capable of sniffing all communication from Microsoft wireless keyboards, and the same approach could be turned on other keyboards that use the same radio.
Now, the communication between your keyboard and your machine is encrypted, but that is not really a problem for any moderately determined attacker. Keystrokes are "encrypted" by XORing them with the keyboard's MAC address as the key, and that MAC address is transmitted in the clear as the radio address of every packet. Since the chip can read the MAC address, it automatically has the key, and poof... no more security for you. And it's all nicely packaged in a cheap, stealthy, always-on device that you can easily and surreptitiously plant within range of your target, making it a nice companion for similar tools like CreepyDOL.
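To make the "XOR with the MAC address" point concrete, here is an added model of the scheme. It is not Samy Kamkar's KeySweeper code and not the real Microsoft frame layout: the 5-byte radio address, the cleartext-address-then-XORed-payload frame, and the use of an 8-byte USB HID boot report as the plaintext are assumptions made for illustration. What it does reproduce is the property that matters, namely that the key travels in the same packet as the ciphertext, and that even with the address hidden, an idle "all keys up" report (all zeros) hands the keystream to anyone listening.

```python
"""Model of a keyboard link 'encrypted' by XOR against its own radio address.

Added illustration; the frame and report layouts below are assumptions, not the
real Microsoft 2.4 GHz protocol.
"""
from itertools import cycle
from typing import List

ADDR_LEN = 5  # assumed: nRF24L01+ style 5-byte radio address ("MAC")

# Constructed sample radio address for one keyboard (not a real device).
KEYBOARD_MAC = bytes.fromhex("cd45ab2301")


def xor_with_mac(data: bytes, mac: bytes) -> bytes:
    """XOR data against the address repeated as a keystream.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(mac)))


def hid_report(keycode: int, modifier: int = 0) -> bytes:
    """Assumed plaintext: 8-byte USB HID boot keyboard report
    (modifier, reserved, six keycode slots)."""
    return bytes([modifier, 0, keycode, 0, 0, 0, 0, 0])


def build_frame(mac: bytes, payload: bytes) -> bytes:
    """Assumed over-the-air frame: cleartext address, then the XORed payload."""
    return mac + xor_with_mac(payload, mac)


def sniff_and_decrypt(frame: bytes) -> bytes:
    """Sniffer side: read the address field, use it as the key."""
    address, body = frame[:ADDR_LEN], frame[ADDR_LEN:]
    return xor_with_mac(body, address)


# USB HID usage IDs: 0x04..0x1d are 'a'..'z', 0x2c is space.
KEYCODE_TO_CHAR = {0x04 + i: chr(ord("a") + i) for i in range(26)}
KEYCODE_TO_CHAR[0x2C] = " "
CHAR_TO_KEYCODE = {c: k for k, c in KEYCODE_TO_CHAR.items()}


def typed_frames(text: str, mac: bytes = KEYBOARD_MAC) -> List[bytes]:
    """Keyboard side: one key-down report per character (key-ups omitted)."""
    return [build_frame(mac, hid_report(CHAR_TO_KEYCODE[c])) for c in text]


def sniffer_reads(frames: List[bytes]) -> str:
    """Attacker side: decrypt each frame and map keycodes back to text."""
    out = []
    for frame in frames:
        report = sniff_and_decrypt(frame)
        keycode = report[2]
        if keycode:
            out.append(KEYCODE_TO_CHAR.get(keycode, "?"))
    return "".join(out)


def recover_key_from_idle_body(frame_body: bytes) -> bytes:
    """Even if the address were hidden: an idle report is eight zero bytes,
    and 0 XOR k = k, so the ciphertext of an idle report IS the keystream."""
    return frame_body[:ADDR_LEN]


if __name__ == "__main__":
    frames = typed_frames("secret")
    print("over the air:", [f.hex() for f in frames[:2]], "...")
    print("sniffer decoded:", sniffer_reads(frames))
    idle_body = build_frame(KEYBOARD_MAC, hid_report(0))[ADDR_LEN:]
    print("key from idle report:", recover_key_from_idle_body(idle_body).hex())
```

The second recovery path is the general lesson: a fixed XOR keystream falls to any known plaintext, and keyboards produce the best-known plaintext there is (idle reports, repeated modifier bytes). Hiding the address would not have rescued the design.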
How to protect yourself against devices like this? Easy. Use a wired keyboard, or a wireless keyboard that uses Bluetooth with proper pairing (not perfect either, but at least the link key is negotiated at pairing time rather than being the device's own address).
4) Siri might be helping the hackers...
I'll dispense with the obligatory Apple-bashing and just jump into this one. A new paper describes how to use the iOS voice-controlled personal assistant "Siri" to stealthily exfiltrate data from a device. Based on steganography (hiding information inside innocuous-looking data), the attack method has been dubbed iStegSiri. This covert channel could be used to send credit card numbers, Apple IDs, passwords, and other sensitive information from the phone to the attacker.
An iStegSiri attack takes place in three phases. In the first phase, the secret message is converted into an audio sequence built from alternating voice and silence. Then, that sound pattern is fed to Siri as input through the internal microphone. Finally, the recipient of the secret message inspects the (encrypted) traffic going to Apple's servers and extracts the message with a decoding scheme: the alternation of voice and silence shows up as a recognizable pattern in the volume of the outgoing Siri traffic, and that pattern is what carries the bits.
The iStegSiri attack can be effective because it doesn't require installing additional software and doesn't require modifying (e.g. jailbreaking) the device. On the other hand, the attacker somehow needs to be positioned to intercept the Siri traffic on its way to Apple...
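The three phases above, as an added toy simulation (not the paper's code or data). Assumptions: one bit per fixed-length audio slot, a '1' sent as speech and a '0' as silence; an on-path observer sees only how many bytes Siri uploads per slot, since the payload is TLS-encrypted; the byte ranges for "talking" and "silent" slots are constructed numbers, not measurements. A toy detector is included to show the flip side: a channel built this way produces a two-level traffic pattern with nothing in between, which is itself a signal.

```python
"""Toy model of a voice/silence covert channel over an encrypted assistant
service. Added illustration with constructed traffic numbers."""
import random
from typing import List

SLOT_SECONDS = 0.5              # assumed: one bit per half-second audio slot
SPEECH_BYTES = (1800, 2600)     # constructed: upload volume while talking
SILENCE_BYTES = (100, 400)      # constructed: upload volume while silent
THRESHOLD = (SILENCE_BYTES[1] + SPEECH_BYTES[0]) // 2   # 1100


def bytes_to_bits(msg: bytes) -> List[int]:
    return [(b >> i) & 1 for b in msg for i in range(7, -1, -1)]


def bits_to_bytes(bits: List[int]) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def encode_as_audio_slots(msg: bytes) -> List[str]:
    """Phase 1 (phone side): 1 -> speak into Siri, 0 -> stay silent."""
    return ["speech" if bit else "silence" for bit in bytes_to_bits(msg)]


def observed_upload(slots: List[str], seed: int = 0) -> List[int]:
    """Phase 2 as seen from the network: bytes sent to Apple per slot.
    The content is encrypted; only the volume leaks (constructed values)."""
    rng = random.Random(seed)
    return [rng.randint(*(SPEECH_BYTES if s == "speech" else SILENCE_BYTES))
            for s in slots]


def decode_from_upload(volumes: List[int]) -> bytes:
    """Phase 3 (receiver side): threshold each slot's volume back into a bit."""
    return bits_to_bytes([1 if v > THRESHOLD else 0 for v in volumes])


def covert_channel_roundtrip(msg: bytes, seed: int = 0) -> bytes:
    return decode_from_upload(observed_upload(encode_as_audio_slots(msg), seed))


def seconds_to_exfiltrate(msg: bytes) -> float:
    """Cost of the channel under the assumed slot length."""
    return len(msg) * 8 * SLOT_SECONDS


def natural_conversation(n_slots: int, seed: int = 0) -> List[int]:
    """Constructed stand-in for ordinary use: volumes spread over the range."""
    rng = random.Random(seed)
    return [rng.randint(SILENCE_BYTES[0], SPEECH_BYTES[1]) for _ in range(n_slots)]


def looks_like_covert_channel(volumes: List[int],
                              max_gap_fraction: float = 0.1) -> bool:
    """Toy detector: a strictly two-level volume pattern with almost no
    samples between the levels is suspicious; real speech lands in the
    middle a good share of the time."""
    if len(volumes) < 16:
        return False
    in_gap = sum(1 for v in volumes if SILENCE_BYTES[1] < v < SPEECH_BYTES[0])
    return in_gap / len(volumes) < max_gap_fraction


if __name__ == "__main__":
    secret = b"4111 1111 1111 1111"   # constructed sample card number
    volumes = observed_upload(encode_as_audio_slots(secret), seed=7)
    print("observer sees per-slot bytes:", volumes[:12], "...")
    print("decoded:", decode_from_upload(volumes))
    print("takes %.0f s at %.1f s per bit" % (seconds_to_exfiltrate(secret), SLOT_SECONDS))
    print("flagged as covert:", looks_like_covert_channel(volumes))
    print("flagged normal use:", looks_like_covert_channel(natural_conversation(64)))
```

The cost line is the practical caveat: at one bit per slot the channel is slow, so it suits short secrets (card numbers, passwords) rather than bulk data, and the longer it runs, the more of the tell-tale two-level pattern it leaves for a detector.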
5) For the tech-savvy only...
So, back in December, I talked about how recent Snowden leaks showed that the NSA had no problem breaking common encryption including SSH, SSL, and IPSec, but that certain other open-sourced protocols gave them headaches.
For those of you using OpenSSH: it supports a wide range of key exchange, cipher, and MAC algorithms and of authentication methods, not just whatever defaults your distribution happens to ship. For those of you who are a little paranoid and a lot technically competent, here are instructions for setting up SSH on your systems to use the more secure options.
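An added example of what "more secure options" looks like in practice, not the instructions linked above and not anyone's official baseline: a small audit script that parses an `sshd_config`, flags algorithm choices that were known-weak in 2015 (SSH protocol 1, DSA host keys, 1024-bit DH group1, RC4 and CBC ciphers, MD5/SHA-1 MACs, password logins), and carries a hardened configuration beside the weak one. Both config texts are constructed for the example; the algorithm names in the hardened block are real OpenSSH identifiers (available from OpenSSH 6.5 on), and the "weak" reasons are the script's own classification, not a statement about any particular distribution's defaults.

```python
"""Audit an sshd_config for weak algorithm choices. Added illustration;
the two configs below are constructed, the hardened one is one reasonable
set of choices rather than a standard."""
import re
from typing import Dict, List, Tuple

# Constructed: a permissive config with the weak choices spelled out explicitly
# (real lax configs usually just omit the lines and inherit old built-ins).
WEAK_SSHD_CONFIG = """
Protocol 2,1
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,ecdh-sha2-nistp256
Ciphers aes128-cbc,3des-cbc,arcfour,aes128-ctr
MACs hmac-md5,hmac-sha1,hmac-sha2-256
PasswordAuthentication yes
"""

# Constructed hardened counterpart. Note: diffie-hellman-group-exchange-sha256
# is only as strong as the moduli in /etc/ssh/moduli, so prune small ones.
HARDENED_SSHD_CONFIG = """
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
PasswordAuthentication no
"""

# keyword (lowercased) -> [(regex over one comma-separated value, reason)]
WEAK_PATTERNS: Dict[str, List[Tuple[str, str]]] = {
    "protocol": [(r"^1$", "SSH protocol 1 is broken; allow version 2 only")],
    "hostkey": [(r"dsa", "DSA host keys are capped at 1024 bits; use ed25519 or RSA")],
    "kexalgorithms": [
        (r"^diffie-hellman-group1-sha1$", "fixed 1024-bit DH group; too small"),
        (r"^diffie-hellman-group-exchange-sha1$", "SHA-1 based group exchange"),
        (r"^diffie-hellman-group14-sha1$", "SHA-1 based; prefer curve25519 or *-sha256"),
        (r"^ecdh-sha2-nistp", "NIST curve; prefer curve25519 (a preference, not a known break)"),
    ],
    "ciphers": [
        (r"^arcfour", "RC4 is broken"),
        (r"-cbc$", "CBC mode in SSH has known plaintext-recovery weaknesses (CVE-2008-5161)"),
    ],
    "macs": [
        (r"^hmac-md5", "MD5-based MAC"),
        (r"^hmac-sha1", "SHA-1 MAC; prefer hmac-sha2-*-etm"),
        (r"^umac-64", "64-bit tag; prefer umac-128-etm"),
    ],
    "passwordauthentication": [(r"^yes$", "passwords are phishable and brute-forceable; use keys")],
}


def parse_sshd_config(text: str) -> List[Tuple[str, str]]:
    """Yield (keyword, value) pairs; sshd accepts 'Key value' and 'Key=value'.
    Comments and blank lines are skipped; Match blocks are not modelled."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+?)\s*=?\s+(.*)$|^(\S+?)=(.*)$", line)
        if not m:
            continue
        key = (m.group(1) or m.group(3)).lower()
        value = (m.group(2) or m.group(4) or "").strip()
        entries.append((key, value))
    return entries


def audit_sshd_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, offending value, reason) for every weak choice found."""
    findings = []
    for key, value in parse_sshd_config(text):
        for token in (t.strip() for t in value.split(",")):
            for pattern, reason in WEAK_PATTERNS.get(key, []):
                if re.search(pattern, token, re.IGNORECASE):
                    findings.append((key, token, reason))
                    break
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        hits = audit_sshd_config(cfg)
        print(f"{name}: {len(hits)} finding(s)")
        for key, token, reason in hits:
            print(f"  {key} {token}: {reason}")
```

Before copying the hardened list into a real `/etc/ssh/sshd_config`, check what your build actually offers with `ssh -Q kex`, `ssh -Q cipher` and `ssh -Q mac`, validate with `sshd -t`, and keep a second session open while you restart the daemon; the same keywords work in `~/.ssh/config` on the client side. Generate an ed25519 key pair (`ssh-keygen -t ed25519`) before turning `PasswordAuthentication` off.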