DEF CON – “don’t worry, the elections are safe” edition

Don’t worry, elections are safe. Our Security Researcher Cameron Camp provides highlights from the DEF CON 30 conference.

Scattered around a bevy of tables in the election hacking village here at DEF CON 30 are all the devices – opened wide – that are supposed to keep elections safe. Oh, the irony. It’s unclear how some of these devices ended up here, another unsolved mystery.

Luckily, they contain a myriad of tamper-resistant defenses, but from the looks of the tables, none of that has stopped, or even slowed, cracking them open to take a look.

Since the tamper resistance seems to be about as effective as sticking your hand out the car window is at resisting the wind, how much faith should we put in the digital circuitry inside or the software that runs on it, the real “secure” brains?

Here, equipment manufacturers have been resistant at best to security researchers, litigious at worst. During the last US presidential election cycle, even the mention of foul play was enough to attract lawsuits. That doesn’t help research.

That sentiment has cooled, if only cautiously, but it’s still unclear how close to a lawsuit you’d be by even asking about the insecurity of some of these machines.

Luckily, similar vendor dynamics have already played out in other realms like the PC, mobile, and cloud. Players in those spaces have long realized it’s better to dialog with researchers than to threaten them. Even at DEF CON, in the car hacking village, there are manufacturers willing to dialog.

Not that DEF CON is really filled with researchers; it’s more like curious hackers-in-training looking at shiny, digital things. But some are also the next generation of defenders, so they can’t all be bad. Some will eventually be making house payments and helping to defend us all, so we need to invest in them, like by bringing a pile of voting machines to a cluster of tables and leaving them unattended, so their warranties can be horribly violated.

At one village talk the presenter responded to how much an individual vote really matters by saying something like “Look at how hard foreign adversaries are working to change them: they wouldn’t spend that much effort if a vote didn’t matter.” Maybe she’s right in a sort of overarching sense, but a few votes flipped here and there would be devilishly hard to thwart at scale. Speaking of scale, she was here appealing to the community to help her scale the message, in ways not many outside of a DEF CON context know how to do.

Activists reaching out to the community does seem like a good move.

Even if there were perfect security, a shady bet at best, thousands of volunteers litter the backwoods, the cities, and the in-between, operating these machines in a non-perfect manner. Add to this what happens once the votes come in, get tallied and digested by all the machinery, in near real time, to create election results. For instance, it’s rare in election recounts that the results are the same to the number. Errors happen.

The US government has offered a whopping bounty of US$10 million for tips about foreign adversaries meddling with elections, but in nation-state economies, the economic advantage of a favorable trade deal from a swung election would handily eclipse that amount, so it may still be worth it to play.

In the end, the vendors here at DEF CON have to warm up to and welcome the researchers trying to help, even if aspiring hackers have to acknowledge some sort of “do no harm” statement, like the one they must agree to in order to gain entrance to the medical hacking village.

That part was useful, since a friend of mine there was able to get root on a medical device in that village. But he’s a Good Guy. That part made the medical device manufacturer much happier, if only cautiously. Once he agreed to disclose everything he did, their relief increased palpably. So, I guess his actions improved their mental health in the end?

How a spoofed email passed the SPF check and landed in my inbox

The Sender Policy Framework can’t help prevent spam and phishing if you allow billions of IP addresses to send as your domain

Twenty years ago, Paul Vixie published a Request for Comments on Repudiating MAIL FROM that helped spur the internet community to develop a new way of fighting spam with the Sender Policy Framework (SPF). The issue then, as now, was that the Simple Mail Transfer Protocol (SMTP), which is used to send email on the internet, provides no way of detecting forged sender domains.  

However, when using SPF, domain owners can publish domain name system (DNS) records that define the IP addresses authorized to use their domain name for sending email. On the receiving end, an email server can query the SPF records of the apparent sender domain to check whether the sender’s IP address is authorized to send email on behalf of that domain. 

SMTP email and SPF overview 

Readers familiar with SMTP message sending mechanisms and how SPF interacts with them might prefer to skip this section, although it is mercifully short. 

Imagine that Alice at example.com wishes to send an email message to Bob at example.org. Without SPF, Alice and Bob’s email servers would engage in an SMTP conversation something like the following, which is simplified using HELO rather than EHLO, but not in ways that significantly alter the basic constructs: 

This is how sending and receiving internet (SMTP) email has occurred since the early 1980s, but it has – at least by the standards of today’s internet – a major problem. In the diagram above, Chad at example.net could just as easily connect to the example.org SMTP server, engage in exactly the same SMTP conversation and have an email message apparently from Alice at example.com delivered to Bob at example.org. Worse still, there would be nothing indicating the deception to Bob, except perhaps IP addresses recorded alongside host names in diagnostic message headers (not shown here), but these are not easy for non-experts to check and, depending on your email client application, are often difficult to even access. 

Although not abused in the very early days of email spam, as mass spamming became an established, albeit deservingly despised, business model, such email forgery techniques were widely adopted to improve the chances of spam messages being read and even acted upon. 

Back to the hypothetical Chad at example.net sending that message “from” Alice… That would involve two levels of impersonation (or forgery) where many folks now feel that automated, technical checks can or should be made to detect and block such faked email messages. The first is at the SMTP envelope level and the second at the message header level. SPF provides checks at the SMTP envelope level, and later anti-forgery and message authentication protocols DKIM and DMARC provide checks at the message header level. 

Does SPF work? 

According to one study published in 2022, around 32% of the 1.5 billion domains investigated had SPF records. Out of these, 7.7% had invalid syntax and 1% were using the deprecated PTR record, which points IP addresses to domain names. Uptake of SPF has been slow and flawed indeed, which might lead to another question: how many domains have overly permissive SPF records?  

Recent research found that 264 organizations in Australia alone had exploitable IP addresses in their SPF records and so might unwittingly set the stage for large-scale spam and phishing campaigns. While not related to what that research found, I recently had my own brush with potentially dangerous emails that took advantage of misconfigured SPF records. 

Spoofed email in my inbox 

Recently, I received an email that claimed to be from French insurance company Prudence Créole, but had all the hallmarks of spam and spoofing: 


While I know that forging the From: address message header of an email is trivial, my curiosity was aroused when I inspected the full email headers and found that the domain in the SMTP envelope MAIL FROM: address [email protected] had passed the SPF check: 

So I looked up the SPF record of the domain prudencecreole.com: 

That’s a huge block of IPv4 addresses! Only the first two bits of 178.33.104.0/2 count, so it is really the network 128.0.0.0/2, which contains 25% of the IPv4 address space, ranging from 128.0.0.0 to 191.255.255.255. Over a billion IP addresses (1,073,741,824, to be exact) are approved senders for Prudence Créole’s domain name: a spammer’s paradise. 

Just to make sure I wasn’t kidding myself, I set up an email server at home, was assigned a random, but eligible, IP address by my internet service provider, and sent myself an email spoofing prudencecreole.com:  

Success! 

To top it all off, I checked the SPF record of a domain from another spam email in my inbox that was spoofing wildvoyager.com: 

Lo and behold, the 0.0.0.0/0 block allows the entire IPv4 address space, consisting of over four billion addresses, to pass the SPF check while posing as Wild Voyager. 

After this experiment, I notified Prudence Créole and Wild Voyager about their misconfigured SPF records. Prudence Créole updated their SPF records before the publication of this article. 
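The following script is an added example written for this article; it is not code from the original post or from ESET. It puts the two steps described above into one place: extracting the domain from the SMTP envelope MAIL FROM command and evaluating the connecting IP against that domain’s SPF record, exactly the check that let the spoofed messages through. DNS is replaced by a constructed table. The prudencecreole.com and wildvoyager.com entries reproduce only the 178.33.104.0/2 and 0.0.0.0/0 mechanisms mentioned in the text; their “all” qualifiers, the example.com record, the client IP addresses and the /16 threshold used to flag permissive mechanisms are all assumptions made for the example.

```python
"""Offline SPF evaluation of an SMTP envelope sender.

Added example for this article, not ESET's or any vendor's code. It shows
how a receiving mail server ties the connecting client IP to the domain in
the SMTP envelope MAIL FROM and why an ip4: mechanism with a short prefix
(a /2, or 0.0.0.0/0) lets almost any host pass. DNS is replaced by the
constructed SPF_RECORDS table below.
"""
import ipaddress
import re

RESULT_OF = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS TXT lookups. The prudencecreole.com and
# wildvoyager.com entries reproduce only the permissive ip4: mechanisms the
# article describes; their "all" qualifiers and everything else here are
# assumptions made for the example.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "prudencecreole.com": "v=spf1 ip4:178.33.104.0/2 ~all",
    "wildvoyager.com": "v=spf1 ip4:0.0.0.0/0 -all",
}


def mail_from_domain(line):
    """Return the lower-cased domain of an SMTP 'MAIL FROM:<...>' command,
    or None for the null sender '<>' (SPF then falls back to HELO)."""
    m = re.match(r"MAIL FROM:\s*<([^>]*)>", line.strip(), re.IGNORECASE)
    if not m or "@" not in m.group(1):
        return None
    return m.group(1).rpartition("@")[2].lower()


def parse_spf(record):
    """Parse an SPF record into (qualifier, mechanism, network, token) terms.
    Only ip4, ip6 and all are supported: include, a, mx, ptr, exists and
    redirect need DNS, which this offline example deliberately avoids."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for token in tokens[1:]:
        qualifier, body = "+", token
        if token[0] in RESULT_OF:
            qualifier, body = token[0], token[1:]
        mech, _, value = body.partition(":")
        mech = mech.lower()
        if mech == "all" and not value:
            terms.append((qualifier, "all", None, token))
        elif mech in ("ip4", "ip6"):
            # strict=False accepts host bits in the value, e.g. 178.33.104.0/2,
            # which SPF permits; the prefix length still defines the block.
            net = ipaddress.ip_network(value, strict=False)
            if (mech == "ip4") != (net.version == 4):
                raise ValueError(f"{token}: address family does not match mechanism")
            terms.append((qualifier, mech, net, token))
        else:
            raise ValueError(f"{token}: mechanism needs DNS, unsupported here")
    return terms


def check_spf(client_ip, domain, records=SPF_RECORDS):
    """Evaluate client_ip against the SPF record of domain (RFC 7208 result names)."""
    record = records.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, net, _ in parse_spf(record):
        if mech == "all" or (ip.version == net.version and ip in net):
            return RESULT_OF[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def network_bounds(value):
    """First and last address covered by an ip4:/ip6: value such as 178.33.104.0/2."""
    net = ipaddress.ip_network(value, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def authorized_fraction(record):
    """Share of the IPv4 space that passes via ip4: mechanisms (overlaps collapsed)."""
    nets = [net for q, mech, net, _ in parse_spf(record) if mech == "ip4" and q == "+"]
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return covered / 2 ** 32


def permissive_mechanisms(record, min_prefixlen=16):
    """Passing ip4: terms shorter than min_prefixlen (the /16 threshold is an
    assumption for this example; pick what fits your own sending estate)."""
    return [tok for q, mech, net, tok in parse_spf(record)
            if mech == "ip4" and q == "+" and net.prefixlen < min_prefixlen]


if __name__ == "__main__":
    # Chad at example.net connects from 203.0.113.7 (a constructed address) and
    # forges Alice's envelope sender; example.com's tight record rejects it.
    domain = mail_from_domain("MAIL FROM:<alice@example.com>")
    print(domain, check_spf("203.0.113.7", domain))
    # Any host in 128.0.0.0/2 passes as prudencecreole.com ...
    print(network_bounds("178.33.104.0/2"), check_spf("150.0.0.1", "prudencecreole.com"))
    # ... and 0.0.0.0/0 lets every IPv4 host pass as wildvoyager.com.
    for d in ("prudencecreole.com", "wildvoyager.com"):
        print(d, f"{authorized_fraction(SPF_RECORDS[d]):.0%}", permissive_mechanisms(SPF_RECORDS[d]))
```

Run it as-is to see the three outcomes side by side; to audit your own domain, paste its TXT record into the table and call authorized_fraction and permissive_mechanisms on it (records that rely on include: or a/mx need a real resolver, which this example intentionally leaves out).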

Reflections and lessons learned 

Creating an SPF record for your domain is no death stroke against spammers’ spoofing efforts. However, if securely configured, the use of SPF can frustrate many attempts like those arriving in my inbox. Perhaps the most significant hurdle standing in the way of immediate, wider use and stricter application of

Black Hat USA 2022: Burnout, a significant issue

The digital skills gap, especially in cybersecurity, is not a new phenomenon. The problem is now exacerbated by the prevalence of burnout, a topic presented at Black Hat USA 2022.

Discussion of the resourcing issues within the cybersecurity sector is not a new phenomenon; according to a recent article in Fortune Education, the number of unfilled cybersecurity positions worldwide grew 350% between 2013 and 2021, from 1 million to 3.5 million. The article breaks this number down further, estimating that there are 1 million cybersecurity workers in the US and as of November 2021 around 715,000 additional, unfilled positions. These numbers tell the story of a resourcing issue; they also tell the story of an industry that is currently running on about two-thirds of the resource it needs.

A presentation in the Black Hat USA 2022 schedule by Stacy Rioux, Ph.D. in Clinical and Organizational/Business Psychology, caught my eye: Trying to Be Everything to Everyone: Let’s Talk About Burnout. When there is such a huge shortage of talent in the cybersecurity industry, those on the front line are potentially prone to burnout. My assumption was that the presentation would take a deep dive into the stresses cybersecurity teams are suffering, using case studies and specific examples, and then cover how to recognize the issue and the steps that can help alleviate the pain of someone who is suffering. Unfortunately, the presentation was light on examples and was more about burnout in general than about identifying and mitigating it in cybersecurity settings.

The signs of burnout are extremely important to spot, and some of the telltale signs presented included tiredness, cynicism, not enjoying work, and possibly drinking or eating too much, not necessarily to the point of addiction but as a comfort measure. Two, maybe three, of the four are probably identifiable in nearly all Black Hat attendees: tiredness due to the Vegas party culture; drinking too much, because it’s Vegas; and lastly cynicism, which appears to be a job requirement in the cybersecurity industry, as we are conditioned to trust nothing and verify everything.

On a more serious note, this is an extremely important issue, and something that all companies large and small, need to be aware of and address. The definition of burnout presented by Stacy is “Occupational burnout is clinically defined as a psychological syndrome that occurs due to chronic emotional and interpersonal stressors on the job” with “interpersonal” explained as “relating to relationships or communication between people”.

Burnout identifiers covered in the presentation and that relate specifically to cybersecurity, were:

- High levels of mental workload
- Anticipation of cyberattacks
- Shortages in staffing and increases in workload
- Struggles to find one’s place within an organization
- Work is often not appreciated in the organization

There are strategies that can help deal with burnout, and I recommend taking the time to research them to get a greater understanding. A competent human resources department or professional should be able to set employees on the right track or provide some sound reading material on the topic.

The issue, in my opinion, is a combination of the lack of experienced, talented people, the accelerated digital transformation we have witnessed in the past two-plus years, and the never-ending barrage of cyberattacks that cybersecurity teams are required to deal with. The end to this shortage is in sight; if only that were true! Many companies require candidates to be educated to degree level, to hold an industry-recognized cybersecurity qualification such as CISSP, and to have 3–5 years’ experience. These requirements are potentially at least a contributor to the number of unfilled cybersecurity positions.

Employers need to lower their credential or education requirements for cybersecurity jobs and bring some of the less experienced but interested and keen candidates into the workplace, so they can gain that experience and become the expert talent needed to defend against the attacks of the future. It’s also imperative, in my opinion, that cybersecurity becomes baked into all curriculum topics in the education system at high school or younger. We talk about the need for cybersecurity to be considered in all parts of product design and in every part of a business process, so it probably belongs in every topic taught in the classroom. Even lessons in creative talents such as art would benefit from an understanding of how to secure an NFT: there are very few topics that would not benefit from a cybersecurity understanding and appreciation.

Normalizing cybersecurity in this way would, hopefully, avoid the shortage of talent tomorrow, and importantly the burnout of those who choose a career in cybersecurity.

Black Hat – Windows isn’t the only mass casualty platform anymore

Windows used to be the big talking point when it came to exploits resulting in mass casualties. Nowadays, talks have turned to other massive attack platforms like the cloud and cars.

In years past, a massive Windows exploit netted mass casualties, but here at Black Hat, talks turned toward other massive attack platforms like clouds and cars. Windows is no longer alone at the front of the pack, hackwise – it has company.

It makes sense. If you can find a cloud exploit like one presented here on multi-tenant cloud platform database hacks, one user can slurp up data from another company with a few commands. That’s not good.

The cloud, by nature, is multi-tenant. This means multiple clients rent a segment of a single shared resource from a cloud provider. But where the intersections exist between tenants and hardware, a single flaw can expose many tenants to badness, and how would they know? How would you know?

Cloud vendors are more eager to publish their security efforts than their security holes. And unlike Windows, where malware has to go snooping about machine by machine over comparatively small connections between them, the cloud naturally gives an exploit massive spreading velocity between platforms, users, and data.

While some cloud vendors have made promises to protect you against this sort of thing, they favor themselves over your data. You, on the other hand, probably feel your own data is the more important thing.

Still, there’s a perfect storm between massive-scale attack surfaces, single security implementations across entire providers’ fabrics, and the potential for one security hole to spread like wildfire and gobble up many companies’ data in record time.

It’s true that the companies here at Black Hat are leaning into the problem and are more aware than rank-and-file cloud users, but there are many more small businesses out there that don’t have the resources; they’re focusing on trying to stay in business in a tough economy.

To the large cloud providers’ credit, they tend to handle security reports relatively quickly. But when seconds count, they’ll have it fixed in days or weeks. That’s plenty of time for a single exploit to wipe out many companies.

I’m typing this from a car security session, one where someone figured out how – using cheap hardware – to hack a whole class of cars across multiple manufacturers. How would a manufacturer fix that and roll out the fix in a meaningful timeframe?

Meanwhile, this hack would let a fleet of tow trucks scoop up swaths of certain families of cars and spirit them off to the chop shop, using replay attacks on key fob signals to unlock them. That also means that if you pay off a parking attendant to install a listener, you can shop selectively and harvest a crop of cars of your liking.

Whether attackers focus on manipulating (jamming or replaying) signals from a key fob, or on hacking key management and cryptographic algorithms, such attacks are on the rise: the session quoted the UK Daily Mail as saying that “keyless entry car technology now accounts for nearly 50% of all vehicle threats”.

It’s no longer a theoretical threat. There is even a company that started rolling out car security scorecards by model.

Windows crowded the stage for quite a long time here at Black Hat, but now there’s competition, the scary, fast-spreading kind, that can truly wreak havoc if unchecked.

The potential consequences of data breach, and romance scams – Week in security with Tony Anscombe

The NHS was the victim of a potential cyberattack, which raises the question of what impact such data breaches have on the public.

The post The potential consequences of data breach, and romance scams – Week in security with Tony Anscombe appeared first on WeLiveSecurity

Black Hat 2022‑ Cyberdefense in a global threats era

Our security evangelist’s take on the first day of Black Hat 2022, where cyberdefense was on every mind.


Safety first: how to tweak the settings on your dating apps

Tinder, Bumble or Grindr – popular dating apps depend heavily on your location, personal data, and loose privacy settings. Find out how to put yourself out there safely by following our suggested settings tweaks.


An eighties classic – Zero Trust

A deep dive into zero trust, to help you navigate a zero-trust world and further secure your organization.

Last week, at ChannelCon in Chicago, I participated in a panel titled ‘Building trust in a Zero Trust world’ with several other industry experts. The core concept of Zero Trust is ‘trust nothing, verify everything’, and for many in the cybersecurity industry this has been the mantra we have lived by for our whole careers. Throughout my career there have been many terms and acronyms in the information technology industry that proved to be ‘for the moment’ or ‘fashionable’; the term Zero Trust does not fall into this group.

Long ago in a galaxy far, far away (well, not that long ago really, and only across the pond), I worked for several notable financial organizations where security was a paranoia topic within technology teams. In the late eighties a project I worked on stands out as an excellent example of this: the deployment of laptops to salespeople in the field, giving them access to comparative and account data ahead of an appointment with the customer. The data synchronization, for tomorrow’s appointments, was an end-of-day task utilizing a 2400 baud modem (compressed data with an effective transfer rate of 4800 baud) with hardware-based DES encryption, and the user authenticated with a challenge-response, PIN-protected token. There were additional security checks built into the underlying software to ensure the device was permitted to connect, checking unique hardware identifiers. The concept of taking mainframe-hosted data, throwing it on a Novell file server, and then distributing it onto remote laptops in the field was bleeding-edge technology, and it caused many sleepless nights for mainframe security teams who considered this new generation of PC pioneers as Wild West cowboys; the paranoia was intense.

The lack of trust in this bleeding-edge project caused a zero-trust attitude: ‘trust nothing and verify everything’, and then, when possible, ‘verify it again’. The personal computer industry evolved quickly, and in many instances this mainframe ‘host’ paranoia was dampened and possibly even set aside. Yet here we are today talking about a similar approach, albeit more defined and grown-up than my experience in the late eighties. Oh, how I miss the eighties; my vinyl collection reminds me of those great times every day!

Zero trust in today’s technology environment is about instilling this same paranoia with a holistic view of the entire digital environment, regardless of location: on-premises, remote, cloud, who owns it, who may be using it, etc. The rapid digital transformation of the last few years has forced companies to adopt, at least in part, some of the concepts that are deep-rooted within zero trust, such as multi-factor authentication and encryption. But the concept is less about specific technologies and more a mindset. For example, when a new employee joins a finance department, it’s easy for the busy manager to blanket-approve access to all the systems the team uses. In the world of zero trust, however, the manager needs to give more thought to which systems truly need to be accessed for the employee’s function, from what devices and which locations, possibly even extending to limits on access based on the time of day. This shift in thinking needs to be business-wide, not just a concept that the IT security team advocates for; there needs to be endorsement from the C-level down, throughout the entire organization.

There are numerous benefits to adopting a zero-trust model; one that may not be obvious is simplification. If the entire digital environment, whether owned or used as a service, is treated as having no perimeter, then the process of protecting diverse assets becomes simpler; this is also true of users, as they will all be subject to the same access policies. Overlaying this approach with data-based decisions, which are likely to be automated, takes it to the next level. In a scenario where a user is connected and complies with the location, device and authentication requirements, but real-time analysis of traffic from that device shows an anomaly, the access granted could be revoked dynamically, pending further investigation and possible remediation of whatever caused the alert.

The monitoring and analysis of real-time events in this way can be achieved using technologies such as Endpoint Detection and Response (EDR). Automation of this type brings significant benefit: it limits potential attackers’ ability to gain a significant advantage, as they are hampered by dynamic, real-time policy enforcement. For example, lateral movement within the network could be blocked based on the unusual or unexpected actions the attackers generate.

Real-time intelligence decision making was not available for the project I was involved in back in the eighties; I am certain though that had it been, the paranoid security teams attempting to control the new wild west of PC deployment would have insisted on it being used, and rightly so.

How to check if your PC has been hacked, and what to do next

Has your PC been hacked? Whatever happens, don’t panic. Read on for ten signs your PC has been hacked and handy tips on how to fix it.

Global cybercriminals make trillions of dollars each year. Much of their success comes from exploiting the mistakes that we make—by clicking on phishing links, forgetting to update critical software, and failing to use multi-factor authentication (MFA). There are many attack vectors available to them, an endless supply of stolen identity data to use, and countless cybercrime sites on which to trade stolen data, tooling, and cybercrime services.

The sooner you find out about a compromise the better. The longer it goes on, the more damage the bad guys could do and the more expensive the fallout may be. So getting on the front foot with a few proactive checks makes sense. Over 847,000 businesses and consumers reported a cybercrime to the FBI last year, with incidents costing almost $7bn. Don’t wait to take action until it’s too late.

Ten signs your PC may have been hacked

Hackers will usually not broadcast their attacks. Staying covert is the name of the game, because the longer the victim is kept in the dark, the longer attackers have to monetize network access and online accounts.

Keep an eye on these telltale signs to spot early on if you’ve unwittingly become a cybercrime victim:

You get a ransomware message

Let’s start with the most obvious. If you boot up the PC only to find a ransom message rather than the usual start-up screen, there’s a very good chance you’ve become a victim of ransomware. It will typically give a short timeframe in which to pay up, along with instructions on how to pay in digital currency. The bad news is that even if you follow these to the letter, there’s a one-in-three chance you won’t regain access to those encrypted files.

A slow-running computer

When malware, including Trojans, worms, and cryptocurrency miners, is installed on a PC, it often slows the machine down. This is especially true of cryptojacking attacks, which consume excessive processing power and energy to mine digital currency. Slow-running machines can also be the result of non-malicious factors, such as poor PC hygiene, but it’s best to check whether anything untoward is going on.

The webcam turns on by itself

Some spyware installed by hackers is designed not only to harvest data from your PC but also to secretly switch on the webcam and microphone. Doing so could enable cybercriminals to record and steal video of you and your family, potentially for use in blackmail attempts. Keep an eye on the webcam light to check whether it becomes active on its own. Better still, physically cover the lens when you are not using it; a cover blocks video even if malware manages to switch the camera on.

Your friends receive unsolicited messages from your accounts

Another sure-fire indicator that your PC has been compromised is if friends and contacts start complaining of spam coming from your email or social media accounts. A classic phishing tactic is to hijack victims’ accounts and then use them to spam or phish all of their friends. This is a threat that can be easily mitigated by ensuring all accounts are protected by MFA.

There are way more pop-up ads on screen

Adware typically makes the attacker money by exposing victims to excessive ad volumes. So if your machine is being flooded with pop-up advertising, it’s a good indicator that there may be some malicious code or potentially unwanted software installed somewhere.

New toolbars appear on the browser

Malware may also install additional toolbars on your browser. If you spot any that you don’t recognize or can’t remember downloading, it could mean your PC has been hacked. If you are facing a persistent malware attack, such as one by an APT group, it may be necessary to restore your PC to its factory settings in order to remove them. Simple PUA may not require such a drastic approach; deleting the app and toolbar could be sufficient in that case.

Random icons start appearing

When malware is installed on a compromised PC, new desktop icons will often appear. These can be easily spotted, as long as the desktop itself is neatly arranged into a small number of files, folders and programs. Consider doing a little light tidying up in order to better keep track of the icons on your PC.

Passwords/logins stop working

If hackers have managed to compromise your PC, they may have hijacked various online accounts, such as your email, and changed the passwords in order to lock you out. Dealing with the fallout from this can be one of the most stressful parts of any cyberattack, as it requires a fair amount of back-and-forth with the various online providers whose accounts have been hijacked.

Data and logins are circulating on the dark web

If you ever receive a data breach notice from a company you do business with, always take it seriously and independently try to verify it. Sites like Have I Been Pwned provide third-party confirmation of breaches. Dark web monitoring tools can also search for your data on cybercrime and other forums, providing a more proactive way to stay informed. If you act quickly, by changing passwords and/or freezing credit cards, you can mitigate the risk before the bad guys have even been able to monetize an attack.

You get a warning from your security software

Warnings from anti-malware tools should also be taken seriously, although fake computer security software pop-ups are a persistent threat. Check the message is coming from your legitimate computer security software vendor and then follow the instructions to try to find and delete the malicious files on your PC. Don’t assume that the warning means the security software tool will automatically purge the PC of that specific threat.

What happens next?

Whatever happens, don’t panic. If your

Develop a zero‑trust environment to protect your organization – Week in security with Tony Anscombe

Learn the basics of zero-trust, and how building a zero-trust environment can protect your organization.

This week, ESET’s security evangelist Tony Anscombe participated in a panel on zero-trust architecture during ChannelCon. He explains what zero trust means and the basic practices any organization should implement to protect itself.

Watch the video to learn more.