Security Bytes - Issue 19
Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.
I decided I would once again try to keep this short and sweet. But, alas, the news cycle was far too generous. I did not include the dozens of high-profile ransomware attacks this week, or organizations like the UK’s royal mail getting massively impacted, or perhaps the use of drones armed with taser proposed for school security, or the FBI “hacking” cybercrime group the HIVE, or maybe just the little stuff, like the UK’s National Cyber Security Center warning companies of espionage campaigns from Russian and Iranian-linked groups. We’ll just try to keep it light and interesting today.
Lizard Brain
When I read this – as with all things: from a security perspective – my first questions was, “Why?” Speech-to-text (and speech recognition) is a great utility used from Seri and Alexa to helping the elderly and the vision impaired. But what about Text-to-Speech? Microsoft is working on just such a solution that can replicate a person’s voice, and even human and emotional tones, with three seconds of sample material, which highlighted in a recently published paper including a link to code on GitHub. Called Vall-E, the AI was trained using 60,000 hours of English speech across 7,000 unique speakers, and, as you would rightly assume, that’s nothing but a drop in the ocean of available training material. I want to leave you with this. In a world where the Nigerian Prince scam, which is actually based on a con from the 1800’s called the Spanish Prisoner, as with thousands of other “advance-fee” based scams, still makes roughly $700,000 per year as part of a larger $2 billion con-based frauds reported by the FBI since 2020, there’s no hope for people not falling victim to a voice-based attack. People are easily exploited with text messages and spear phishing, much less getting a call from your loved one speaking to you in real time because the bad guys have tied it into the ChatGPT natural language tool. You can see where this is going, and it’s nowhere good.
Research paper - https://arxiv.org/pdf/2301.02111.pdf
Article - https://www.theregister.com/2023/01/12/microsoft_valle_ai/
Spanish Prisoner - https://en.wikipedia.org/wiki/Spanish_Prisoner
Advance-Fee scam - https://en.wikipedia.org/wiki/Advance-fee_scam
Wi-Fi X-Ray Vision
This week scientists at Carnegie Mellon University demonstrate how to use Wi-Fi routers to sense humans through walls. They took advantage of deep neural network called DensePose that maps Wi-Fi signals developed by researchers at Imperial College London, Facebook AI, and University College London. The thing about this is I can only see nefarious uses of this technology (pun intended). It makes me think of the mobile phone-based sonar “machine” from the film, “The Dark Knight” used to locate the Joker. Granted, in the paper and article it speaks to using to monitor the well-being of elderly people, which makes total sense. But if one can tap into public wi-fi systems throughout a city or in a home, it would be trivial to track all movement that is within the monitorable triangulated area. Adding to the issue, there is ample technology to identify people based on gate, bio-geometry, and movement patterns, so one could see the ability to monitor individuals across vast spaces and time – just say’n. If you’re the least bit curious, scan the research paper linked below because they included some interesting imagery.
Article - https://www.zdnet.com/article/scientists-use-wi-fi-routers-to-see-humans-through-walls/
Research paper - https://arxiv.org/pdf/2301.00250.pdf
MSG Hates Lawyers
Facial recognition being used at scale is not new. In fact, many people are unaware that facial recognition was used secretly in Tampa Bay, Florida (my old stomping grounds) at Super Bowl XXXV on Jan 28, 2001 to inspect every fan that streamed into the stadium. Actually, it looked at everyone throughout the area, not just people walking in. Yes, that’s 22 years ago, and pre-911. Moreover, it was used plenty of times well before then. Technology is an interesting thing and can have many unintended applications. Madison Square Gardens (MSG), an icon sports and entertainment arena in the heart of New York City, is under intense scrutiny for using facial recognition to block valid ticketholders. First, people were surprised the technology is being used, but upon learning of it assumed the purpose was to catch bad people. However, it was being reported that non-criminals we’re being barred… and they had one thing in common… they are all lawyers. In fact, they’re lawyers that are involved in current litigations against MSG. Needless to say MSG is in hot water and this has everyone rethinking the use of technology in a very 1984 way.
CBS report - https://www.cbsnews.com/news/madison-square-garden-face-recognition-illegal-new-york-attorney-general-letitia-james/
NY’s AG investigates - https://pix11.com/news/local-news/new-yorks-ag-questions-madison-square-gardens-use-of-facial-recognition-technology/
Super Bowl in Tampa - https://www.vice.com/en/article/kb78de/that-time-the-super-bowl-secretly-used-facial-recognition-software-on-fans
It's That Easy
Technology is great, isn’t it? This week a Swiss hacker, going by the name of maia arson crimew remotely accessed a computer housing the US’s no-fly list on a system operated by CommuteAir airline in Ohio. Ms. Crimew reportedly said she did it because she was bored and could have could have canceled and delayed flights and developed physical credentials for airline employees. The TSA has understandably initiated an investigation, but it looks like the computer in question was accessible from the Internet. This has bad all over it and some of the comments in the news is not helping matters. Of course, the US Congress’s House Homeland Security Committee is investigating as well, which is expected concerning the recent wave of exposure of seeming classified information. This is a classic “partner and third-party” risk scenario. The FAA and the DHS certainly needs to provide such an important list to airlines around the world, especially domestic airlines – aka partners in this analogy, but do so while ensuring the confidentiality of the information on networks and systems you do not control. Of course, there are standards and audits, but we all know… compliance does not equal security. The hacker also wrote about the attack in a blog post titled “How to Completely Own an Airline in 3 Easy Steps.” You can google and get to the site, but I would advise against doing so.
Initial report - https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotected-server-commuteair/
Article - https://www.cnn.com/2023/01/20/politics/tsa-no-fly-list-data-cybersecurity/index.html
Denied! No, wait...
Last year Microsoft finally, and presumably for the last time, made MS Office products disable macros by default. Macros are pretty old school but are still used extensively to this day. However, allowing a macro to run without user intervention is like handing out copies of your house key with your address engraved on them to everyone in the subway. Here’s the interesting part. The proof that enabling macros is bad for security is that within just a few months cybercriminals rushed into developing new methods and tools to get back into your computers. In a strange twist, by shutting down macros by default Microsoft has unwittingly created potentially dozens of new alternatives. It’s like finally putting a lock on your backdoor the baddies have been using for years and in response they chainsaw ten holes in your wall. I applaud MS. It’s not easy being everything to everyone. I can assure you that making that changed caused a lot of customer issues. But, wow… this definitely falls into “no good deed goes unpunished” column.
MS Turns off macros - https://techcrunch.com/2022/07/22/microsoft-office-macros-blocked-default/
Article - https://www.theregister.com/2023/01/23/threat_groups_malicious_lnk/
Stopping XLL - https://www.theregister.com/2023/01/25/microsoft_excel_xll_closed/
Master Key - A long read admittedly...
I’ve been a fan of password managers for a very long time. I exclusively used PasswordSafe from the day it came out in 2002. Originally designed by Bruce Schneier, a great guy and former colleague, ran local on the system, multi-platform, and thanks to things like Google Drive and the like, I was able to access from anywhere. My main reason for using password managers of any kind really was the ability to generate exceedingly long and complex passwords, store them, and, importantly, change them often without fear of forgetting. The key here is two parts: 1) used to generate complex passwords, which also provides the ability to change often, and 2) the ability to be in control and secure that database in ways that added a degree of confidence. I took the time to secure that database and was willing to put in that effort, getting close to the technology. Yes, it wasn’t super streamline and pretty, but it worked exceptionally well. Then came cloud-based password managers. Very attractive, especially because of the level of integration, seamless usability, and price points. However, one tiny sticking point… you’re not in control. All your passwords are stored in, presumably, a secured system in the ether.
There’s been an interesting chain of events over the last several months. Let’s touch on a simple one because it clearly demonstrates that while the news is filled with one-off attacks, very few are not connected in the tree of hacks. In August of last year, it was reported that LastPass was hacked and their source code was stolen. At the time it was reported that the baddies didn’t take the important bits. Fast forward to last month where the CEO announced that apparently due to the previous hack, unauthorized users were able to steal customer account information as well as “vault data “ – aka, passwords. This is an important story for two very different reasons. First, be mindful of what you’re actually providing to a company. Second, while this chain is short and obvious (hacker steals code, then hacker gets into system and steals everyone’s data) it’s important to recognize that when there is a hack, there are always downstream implications, and most are never reported.
Of course, I’ve already commented on Okta’s hack. I’ll end with the glaring news concerning Norton LifeLock customers centered around attacks against the Norton Password Manager, which can be included as part of your Lifelock subscription. Last point… if you’re a user of these services, I think it goes without saying, change all your passwords. Actually, if you use passwords – and you do – go change them anyway.
Lastpass second hack - https://www.bleepingcomputer.com/news/security/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach/
5-things you should do article - https://www.cnet.com/tech/services-and-software/5-things-lastpass-customers-need-to-do-after-the-latest-breach/
Norton article - https://therecord.media/norton-lifelock-says-925000-accounts-targeted-by-credential-stuffing-attacks/
LastPass article from Aug - https://www.bleepingcomputer.com/news/security/lastpass-developer-systems-hacked-to-steal-source-code/
Hackers in their network for days - https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-had-internal-access-for-four-days/
Okta - https://therecord.media/okta-says-two-customers-breached-during-january-security-incident/