Tuesday, February 11, 2025
Follow us On Linkedin
Home Blog Page 836

A7 Missing Function Level Access Control

By
Gurubaran
-
A7 Missing Function Level Access Control

Function Level Access Control can be exploited easily, if there is an missing access control on resource control, exploiting the risk is simple as plugging the URL in browser. Privelance is very common, whereas the detect-ability ratio is Average and impact is Moderate.

access-control-copy

Let’s imagine this user is Authenticated as admin, so he making an Authenticated request to the server, and once the server responds this user will have a navigation link in browser for admin. Now if the attacker requested the admin, unfortunately sometimes websites itself return the admin page.

So why it’s the missing function of access level, this is the specific case OWASP talks about. Within the presentation layer only security trimming in place, however the resource behind the link have no access controls.

Understanding missing function Level access controls
  • Does the UI show navigation to unauthorized functions?
  • Are server side Authentication or authorization tokens missing?
  • Are the server side check done solely rely on information provided by the attacker?
  • A system or diagnostics resources accessible without proper authorization?
  • Will forced browsing disclose unsecured resources?
Common Defenses
  • Define a clear authorization model, centrally and consistently.
  • Use roles and then apply memberships.
  • Check for default framework and resources.
  • Check forced browsing with Automated scanners.
  • Capture and replay privileged requests.
  • Include post request and Async calls.

Another ransomware in a Week | Cerber 5.0

By
Gurubaran
-
Another ransomware in a Week | Cerber 5.0

Ransomware is a computer malware that installs covertly on a victim’s computer, executes a cryptovirology attack that adversely affects system, which prevents or limits users from accessing their system, and demands a ransom payment to decrypt it or not to publish it.

Security researchers from Checkpoint identified a new variant of Cerber ransomware. The new ransomware versions released perform slender, yet very interesting, changes that may affect the way they are being detected.

CERBER

It was first spotted on March and from that point it’s evolving rapidly.

Cerber 2.0 was spotted in August (Encrypt files).

Cerber 4.0 Spotted in October (which kills database process MYSQL,MSSQL,ORACLE).

Cerber 4.1.6 Spotted in November 23rd (Encrypting Databses).

Cerber 5.0 Spotted in November 24 (Consist of Vb script as additional feature which implements Communication channel).

Cerber 5.0 and New Range of IP’S

On (November 23rd, 2016) Cerber 4.1.6 was released, within 24 hours Cerber 5.0 released, which is the one we are going to see in this article. As an noticeable change Cerber 5.0 consist of new IP ranges used in Command and control communications.

Following are the IP ranges

194.165.17.0/24

194.165.18.0/24

194.165.19.0/24

15.93.12.0/27

63.55.11.0/27

The old IP range still in use:

194.165.16.0/24

Where as in Previous  version’s Cerber broadcasts IP address to all ranges via UDP(User Datagram Protocol).

cerber

Cerber is currently distributed through Spam Email campaigns, specifically Rig-V Exploit Kit. Encrypted files will generate a random 4 digit number as like in previous Cerber versions. As like version Cerber 4.0, it uses to focus on databases and files associated with that. In addition it also informs users which version of Ransomware they are encrypted with.

cerber

Cerber’s new version presents new IP ranges together with an old IP range. However, most other features remain the same.

Locky Ransomware

Ever changing ransomware released a new variant with new techniques to evade security vendor’s Counter measures. As we know locky is being downloaded as a dll file using JavaScript based down-loader. The new variant acts just as the same, the JavaScript downloader pulls disguised .TDB file which turns to be a PE file.

With all the recent releases locky ransomware turns it file extension to .ZZZ. With Cerber 5.0, another noticeable change, is the varying ransom payment from 0.5 to 3 bitcoints. The payment amount may vary according to the victim’s characteristics, especially number of encrypted files.

cerber
SYNOPSIS

As the Cerber and locky creators use to adapt new techniques to evade security vendor’s Counter measures, Cerber 5.0 and Locky .zzz are the most recent one’s. Security Vendors should stay ahead.

This is the Israeli company that can hack any iPhone and Android smartphone

By
Balaji
-
This is the Israeli company that can hack any iPhone and Android smartphone

If Cellebrite sounds familiar, that’s because the name of this Israeli company came up during Apple’s standoff with the FBI over breaking iPhone encryption. The agency managed to crack the San Bernardino iPhone with the help of an undisclosed company.

Many people believe it was Cellebrite that came to the rescue. Meanwhile, the company revealed that it could hack just about any modern smartphone, but refused to say whether its expertise is used by the police forces of repressive regimes.

Cellebrite talked to the BBC about its technology, including equipment and software.

“I was given a demo using a Samsung phone supplied by the company,” BBC’s Rory Cellan-Jones said. “It was running quite an old version of Android – 4.2 – but I was allowed to take it away for half an hour, put a password on it, and use it to take photos and send a text message.”

Upon his return, Yuval Ben-Moshe from Cellebrite took the phone, plugged it into a “chunky tablet computer, and disabled the lock code.

“We can pretty much pull up any of the data that resides on the phone,” he said and downloaded all the photos taken with the device.

When asked whether this kind of hack applies to other devices, Ben-Moshe said that his company could access data on “the largest number of devices that are out there in the industry.” Even the iPhone 7.

“We can definitely extract data from an iPhone 7 as well – the question is what data.”

The security expert said that even data from encrypted services such as WhatsApp can be accessed hinting that not all communication is totally secure.

The iPhone may be hackable to some extent, but that doesn’t mean that Cellebrite cracked the iPhone 5c that belonged to one of the San Bernardino shooters. Or at least, the company would not comment on any of its customers.

Top 5 Most Costly Viruses of All Time

By
Balaji
-
Top 5 Most Costly Viruses of All Time
1. MyDoom ($38.5 Billion)
The most expensive virus in the world in terms of monetary damage was MyDoom. MyDoom did an estimated $38.5 billion USD in economic damage.MyDoom came in January of 2006, and as of January 2004, it was the fastest spreading virus ever created. MyDoom is believed to have originated in Russia, but the author is still unknown.

It’s believed that MyDoom is a variant of MiMail. Mainly transmitted by e-mail, appearing as an error similar to what a user would get if their mail failed to send.

The user would unwittingly open the attachment in the e-mail and the worm would re-send itself to every address it could find.

The original version contained a payload that did two things: it opened a backdoor into your computer, allowing remote control of your computer, the other, was to perpetrate a DDOS(Direct Denial Of Service) against SCO group’s website.

The other version, MyDoom.B along with the above payload, also contained malicious software that blocked access to Microsoft and Antivirus websites to prevent the user from attempting to remove the virus.

To this Day, MDdoom is still in an active state, re-appearing in 2005 and recently in the 2009 DDOS attacks in South Korea and the United States.

#2. SoBig ($37.1 Billion)

In August of 2003, SoBig appeared, infections millions of computers across the world. SoBig evolved several times, making it hard to catch.

It is a worm that replicates itself, but also is a Trojan, as it disguises itself as something other than malware. It caused an estimated $37.1 billion dollars worth of damage across the globe.

The SoBig viruses infected a host computer via e-mail attachment, using their own SMTP agent to gather e-mail addresses and spread itself.

It was programmed to contact several IP addresses on August 26th 2003 and update itself. There is no clear reason why it was created. And, it even deactivated after only a month of operation. Its author is still unknown.

#3. ILOVEYOU ($15 Billion)

In 2000, ILOVEYOU, also known as the “Love Bug,” exploited human nature by disguising itself as a love letter and tricking recipients into opening it. It was only a matter of hours before computer systems across the world were tied up by this virus.

It has stunned experts with its fast and wide reach. Similar to the Melissa Worm in 1999, ILOVEYOU spread via e-mail with the subject line I Love You, and when the user opened the attached file, it sent copies of itself to the user’s entire address book.

It would look for attachment extensions like .jpeg, .mp3, .css and .hta, overwriting these with its own form and changing the extension to .vbs or .vbe.

This virus affected companies as well as individuals, including the Dow Jones Newswires and the Asian Wall Street Journal. Companies had to close down e-mail systems to help stop the spread. In Australia, a reported 80% of the companies were hit.

#4. Conficker ($9.1 Billion)
Conficker is, to date, the most sophisticated computer worm ever created. It is also among the most recent in viral threats, causing an estimated 9.2 Billion dollars in damage.
Discovered in 2008, conficker used a combination of advanced malware techniques to infect and spread itself. Unlike other malware and viruses, however, the Conficker worm was designed to defend itself from being either detected or removed. Using a fault in networks, it spread rapidly over the internet, using Networks to gain access to large LANs, removable devices and network shares.
Infecting an estimated 9-15 million computers worldwide, it used the infected network to push and pull executable payloads and update itself. It is difficult to detect and remove, as it resets system restore points in windows and disables a number of administrative services in windows.
Using a predefined list of antivirus services, it matched processes in the computer memory to that list, and stopped them from running. It was responsible for installing malware like spyprotect2009 and Waledec, as spambot.
#5. Code Red ($2 Billion)
Code Red, in 2001, is said to be the most expensive virus in history. Self-replicating code exploited vulnerabilities in the Microsoft IIS servers, it spread rapidly as it only needed a network connection to do so; no human interaction or authority was needed.
Code Red II was a more malicious version that appeared later on. Code Red II exploited a vulnerability of the indexing service shipped with Microsoft Windows NT 4.0 and Windows 2000 operating systems. Results were website defacement and severe performance degradation.
Worse, it would strike multiple times on the same system. It affected organizations like Microsoft and Qwest and even media giant Associated Press. According to research, it caused damage upwards of $2 billion dollars.
Microsoft did release a patch to prevent this almost a month before the outbreak. Unfortunately, most operators failed to install it, allowing Code Red and Code Red II to take hold.

Globally a Quarter of Wi-Fi Hotspots Are Unsecured – Kaspersky Lab

By
Balaji
-
Globally a Quarter of Wi-Fi Hotspots Are Unsecured – Kaspersky Lab

Over a quarter of Wi-Fi hotspots around the world are unsecured and pose a major risk to users’ data, according to new research from Kaspersky Lab.

The Russian AV vendor analyzed info on over 31 million such hotspots worldwide and discovered that 25% have no encryption or password protection of any kind – leaving them wide open to abuse by cyber-criminals.

Statistics  of global WIFI Network:

Using statistics from Kaspersky Security Network (KSN), we analyzed data from across the world for almost 32 million Wi-Fi hotspots accessed by the wireless adapters of KSN users.

wifi

Approximately 24.7% of Wi-Fi hotspots in the world do not use any encryption at all. This basically means that by using an antenna capable of sending and receiving data at 2.4 GHz, any individual located near an access point can easily intercept and store all user traffic and then browse it for data they are interested in.

Fortunately, modern online banking systems and messengers do not transfer unencrypted data. But this is the only thing that prevents users of Wi-Fi networks with unencrypted traffic from revealing their passwords and other essential data when using an unsecure access point.

The WEP (Wired Equivalent Privacy) protocol for encryption of data transferred over Wi-Fi is used by approximately 3.1% of all analyzed access points.

The protocol was the first to be created, quite a long time ago, and is now completely unreliable – it would take hackers just a few minutes to crack it. From a data security point of view, using WEP is not much different from using open networks.

This protocol is being relegated to oblivion everywhere, but as we see from the chart above, it can still be found in use.

Around three-quarters of all access points use encryption based on the Wi-Fi Protected Access (WPA) protocol family. The protocols from this family are currently the most secure. The effort required to hack WPA depends on its settings, including the complexity of the password set by the hotspot owner.

It is worth noting that an attempt to decipher traffic from “personal” (WPA-Personal, PSK authentication) wireless networks (with public access points) can be made by intercepting the handshakes between the access point and the device at the beginning of the session. “Corporate” versions are protected from this sort of interception because they use internal company authorization.

When it comes to “personal” WPA2 attacks, the situation is similar to that of WPA and mostly depends on the strength of the password set by the hotspot owner.

It is only fair to note that during a standard attack on a Wi-Fi access point, a personal computer can generate from 50 to 300 keys per second on average. If the encryption key is strong, it will take years to hack it. Still, no one can guarantee that the key used at a cafe will be secure and that the attacker will have nothing but a PC at their disposal.

Overall, it can be said that today’s WPA/WPA2 “non-enterprise” versions are reasonably, but not absolutely, secure. In particular, they allow brute-force and dictionary attacks.

There are ready-to-use publicly available tools (aircrack-ng and similar software) for performing such attacks, as well as a large number of manuals.

Geography of Unsecured Wi-Fi Access Points:

Share of Wi-Fi hotspots that use unreliable WEP or do not encrypt data (by country)

wifi_eng_2

We would like to note that the five countries with the highest proportion of unsecured connections include Korea (47.9% of unsecured Wi-Fi access points), while France (40.14%) and the US (39.31%) rate 9th and 12th respectively in the list.

Germany appears to be the most secure among Western European countries, with 84.91% of access points secured by WPA/WPA2 protocol encryption.

Share of Wi-Fi hotspots that use WPA/WPA2 (by country)

wifi_eng_3
Recommendations for Users:

There are several simple rules that help protect personal data when using open Wi-Fi networks in cafes, hotels, airports, and other public places.

  • Do not trust networks that are not password-protected.
  • Even if a network requests a password, you should remain vigilant. Fraudsters can find out the network password at a coffee shop, for example, and then create a fake connection with the same password. This allows them to easily steal personal user data. You should only trust network names and passwords given to you by employees of the establishment.
  • To maximize your protection, turn off your Wi-Fi connection whenever you are not using it. This will also save your battery life. We recommend disabling automatic connection to existing Wi-Fi networks too.
  • If you are not 100% sure the wireless network you are using is secure, but you still need to connect to the internet, try to limit yourself to basic user actions such as searching for information. You should refrain from entering your login details for social networks or mail services, and definitely not perform any online banking operations or enter your bank card details anywhere.
  • To avoid being a target for cybercriminals, you should enable the “Always use a secure connection” (HTTPS) option in your device settings. It is recommended to enable this option when visiting any websites you think may lack the necessary protection.
  • If possible, connect via a Virtual Private Network (VPN). With a VPN, encrypted traffic is transmitted over a protected tunnel, meaning criminals won’t be able to read your data, even if they gain access to them.
  • And, of course, you should use dedicated security solutions. They inform users about any potential dangers when connecting to a suspicious Wi-Fi network and prevent any passwords or other confidential data from being compromised if there is a threat.

ImageGate attack – Malware through poisoned .JPG

By
Gurubaran
-
ImageGate attack – Malware through poisoned .JPG

ImageGate attack : Security people from Check Point Software Technologies identified a new malware  campaign through Facebook. Crooks leverage an image obfuscation trick, dubbed ImageGate, to spread the Locky ransomware via Facebook. Experts highlighted that the image obfuscation trick is able to bypass Facebook’s security checks.

As per the research, the attackers have built a new capability to embed malicious code into an image file and then successfully upload it to the social media website. The attackers exploit a misconfiguration on the social media infrastructure to purposely force their victims to download the image file.

This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.The technique is not considered insidious for tech-savvy users, anyway, it represents a serious threat for users that could be tricked into downloading and running unknown executables.

Researchers from checkpoint uncovered the attack vector which affects major websites and social networks worldwide, including Facebook and LinkedIn. Check Point updated Facebook & LinkedIn of the attack vector early in September.

A detailed video demonstration over here..

https://www.youtube.com/watch?v=sGlrLFo43pY&feature=youtu.be

As more people spend time on social networking sites, hackers have turned their focus to find a way in to these platforms. To protect users against the most advanced threats, Check Point strives to identify where attackers will strike next.

Preventive Measures

Check Point recommends the following preventive measures:

  1. If you have clicked on an image and your browser starts downloading a file, do not open it. Any social media website should display the picture without downloading any file.
  2. Don’t open any image file with unusual extension (such as SVG, JS or HTA).

We are expecting an detailed attack vector report from Check Point only after the remediation of the vulnerability in the major affected websites.For more details and source.

You can Take Mirai Botnet of 400,000 Bots for Rental

By
Gurubaran
-
You can Take Mirai Botnet of 400,000 Bots for Rental

DDoS distributed denial-of-service attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers.

Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic.

Mirai Botnet

For our reader who are unfamiliar with Mirai: Mirai is malware which turns computer systems running Linux into remotely controlled “bots”, that can be used as part of a botnet in large-scale network attacks.

It primarily targets online consumer devices such as remote cameras and home routers.The Mirai botnet has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks.

DDOS Mirai botnets available for Hire from Two hackers, which they claim has more than 400,000 infected bots, ready to carry out DDoS attacks at anyone’s behest. Recent High profiled DDOS attack’s with (kerbs,DNS service provider Dyn).

Two security researchers that go online only by their nicknames, 2sec4u and MalwareTech, have been tracking some of these Mirai-based botnets via the @MiraiAttacks Twitter account and the MalwareTech Botnet Tracker.

mirai

Advertising 400k Mirai Botnet

In a spam campaign carried out via XMPP/Jabber started yesterday, both hackers have begun advertising their own DDoS-for-hire service, built on the Mirai malware.The two claim to be in the control of a Mirai botnet of 400,000 devices, albeit we couldn’t 100% verify it’s the same botnet observed by 2sec4u and MalwareTech.

  • Rent from Biggest Mirai Botnet (400k+ devices)
  • We use 0day exploits to get devices – not only telnet and ssh scanner.
  • Anti ddos mitigation techniques for tcp/udp.
  • Limited spots – Minimum 2 week spot.
  • Flexible plans and limits.
  • Free short test attacks, if we have time to show.

How mirai having control over this Huge DDOS Attack

Conventional Botnets

Conventional botnets are made by leveraging methods such as malicious spam, exploits, executable infection, and social engineering to infect desktop computers.it’s a fact that the AV industry has put a significant dent in botnets and general malware propagation over the past decade. Nowadays hackers have to spend large amounts of time and money constantly modify their malware to evade AV detection, and although botnets still exist

Profitability – At current the maintenance cost of  desktop botnets has exceeded the revenue from DDoS attacks for most. Cheap anti-DDoS services make DDoS protection more affordable that paying ransoms to attackers, resulting in DDoS for hire or DDoS ransom based botnets slowly dying out.

Noise – As we saw with Mirai, DDoS attacks are noisy and draw a lot of attention. Mirai, which was mostly ignored due to its unsophisticated telnet bruteforcing attacks.

Overblown Statistics – The few large desktop botnets which do perform DDoS usually end up being sinkholed; however, sinkholes often measure botnets by unique IPs over a few month period (keep in mind lots of infections will have dynamic IPs which change daily), resulting in infection numbers being hugely over-inflated.

Conclusion

It’s likely that significant DDoS attacks will become more common as hackers find more and new vulnerable IoT devices, or was to infect those vulnerable devices hidden behind NAT.

Also Read:

  1. Does Anna-Senpai, the Mirai Worm Author?

  2. Top 10 Cities | Countries in the World for Total Bot Population

  3. DDoS attack prevention method on your enterprise’s systems – A Detailed Report

NTP patch for Dos exploit released

By
Gurubaran
-
NTP patch for Dos exploit released

NTP can be exploited to generate huge volumes of junk traffic which leads to DOS attack. Update your NTP service to ntp-4.2.8p9 which patches this Vulnerability.

What is NTP?

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.  NTP is one of the oldest Internet protocols in current use.

NTP users are strongly recommended to take immediate action to ensure that their NTP servers are not being vulnerable DDoS (distributed denial-of-service) attacks.

ntpdoz
NTF’s NTP Project -4.2.8p9, addresses:
  • 1 HIGH severity vulnerability that only affects Windows
  • 2 MEDIUM severity vulnerabilities
  • 2 MEDIUM/LOW severity vulnerabilities
  • 5 LOW severity vulnerabilities

For more details on Vulnerability Announcement refer NTP security advisory.NTP.org’s ntpd prior to version 4.2.8p9 contains multiple denial of service vulnerabilities.

CWE-476: NULL Pointer Dereference – CVE-2016-9311
CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) – CVE-2016-9310
CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) – CVE-2016-7427
CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) – CVE-2016-7428
CWE-410: Insufficient Resource Pool – CVE-2016-9312
CWE-20: Improper Input Validation – CVE-2016-7431
CWE-20: Improper Input Validation – CVE-2016-7434
CWE-605: Multiple Binds to the Same Port – CVE-2016-7429
CWE-410: Insufficient Resource Pool – CVE-2016-7426
CWE-682: Incorrect Calculation – CVE-2016-7433

For more information, please see NTP.org’s security advisory.The CVSS score below is based on CVE-2016-9312.

Impact

A remote unauthenticated attacker may be able to perform a denial of service on ntpd.

Solution

Implement BCP-38

Use “restrict default noquery …” in your ntp.conf file. Only allow mode 6 queries from trusted networks and hosts.

Apply an update

Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.

Monitor ntpd

Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.

Hackers Are Using MailChimp to Spread Malware

By
Balaji
-
Hackers Are Using MailChimp to Spread Malware

You probably know MailChimp either as an email newsletter service, or the company that seems to have adverts on every single podcast you’ve ever listened to. Hackers recently jumped on that popularity, and managed to send out emails containing malicious links to subscribers of various different companies.

The incident shows that hackers will likely use whatever distribution channels they can in an attempt to spread their malware and turn a profit.

Here’s your invoice! We appreciate your prompt payment,” one email sent by news site Business News Australia reads, and claims to be affiliated with accounting software Quickbooks.

Troy Hunt, an Australian security researcher and owner of breach notification site Have I Been Pwned?, sent Motherboard a copy of the email that he had received from a source. According to the email, it was sent by an administrator account at the news website.

The “View Invoice” button leads to a .zip file, which, according to scans on malware analysis site Virus Total, is malicious.

Companies and websites sometimes outsource their newsletter distribution to another company, to handle the infrastructure and headaches of firing out tens or hundreds of thousands of emails at a time. In this case, that was MailChimp, according to another apparent email from Business News Australia.

“This morning our MailChimp subscriber database was hacked and a fake invoice (Inoice 00317) [sic] was sent to our list,” the email reads, according to a screenshot tweeted by Hunt.

“Please disregard and delete this email. You have not been charged,” it adds. Camilla Jansen, managing editor of Business News Australia, told Motherboard in an email “We’re waiting to find out more.”

But it seems other companies have been affected too. One Twitter user uploaded an apparent screenshot of a near identical email sent to subscribers of the Sit Down Comedy Club in Brisbane’s mailing list.

Motherboard sent an email to The Sit Down Comedy Club, asking for comment, and immediately received the following, perhaps automated, reply.

“IF YOU RECEIVE AN EMAIL WITH THE TITLE – Inoice 00317 from Sit Down Comedy Club Pty Ltd – PLEASE DELETE the email you received, we do not use Quickbooks. It is SPAM and do not open it,” the email reads.

“We are trying to get to the bottom of this at the moment,” it adds.

Another Twitter user uploaded a screenshot of an apparent email from Jim’s Building Inspections, also an Australia-based company. The firm blamed the issue, without any evidence, on a “known cyber terrorist.”

MailChimp told Motherboard in a statement that “Early this morning MailChimp’s normal compliance processes identified and disabled a small number of individual accounts sending fake invoices. We have investigated the situation and have found no evidence that MailChimp has been breached. The affected accounts have been disabled, and fraudulent activity has stopped.”

The company would not say what the exact issue was, but MailChimp’s statement also strong encouraged users to setup two-factor authentication, implying that the problem might have been password reuse.

Update: This article has been updated to include MailChimp’s statement, which was sent to Motherboard after publication.

 
 

Your Headphones can act as a spyware

By
Gurubaran
-
Your Headphones can act as a spyware

To listen a Audio we need headphones, whereas to record we need Microphones. But Security researchers at Israel’s Ben Gurion University have created a proof-of-concept exploit that lets them turn headphones into microphones to secretly record conversations.

Malware that turn Headphone as Microphone

In earlier days Headphones was also used as Microphones  because Speakers and microphones employ similar components to process electrical signals and sound in very similar ways.

But Researchers manages to switch the output sound channel as an input one , where intelligible audio can be acquired through earphones and can then be transmitted distances up to several meters away.

The experimental malware instead re-purposes the speakers in earbuds or headphones to use them as microphones, converting the vibrations in air into electromagnetic signals to clearly capture audio from across a room.

“People don’t think about this privacy vulnerability,” says Mordechai Guri, the research lead of Ben Gurion’s Cyber Security Research Labs. “Even if you remove your computer’s microphone, if you use headphones you can be recorded.”

head

The speakers in headphones can turn electromagnetic signals into sound waves through a membrane’s vibrations, those membranes can also work in reverse, picking up sound vibrations and converting them back to electromagnetic signals. (Plug a pair of mic-less headphones into an audio input jack on your computer to try it.)

But how this hack possible?

Ben Gurion researchers took that hack a step further. Their malware uses a little-known feature of RealTek audio codec chips to silently “retask” the computer’s output channel as an input channel.

This allows malware to record audio even when the headphones remain connected into an output-only jack and don’t even have a microphone channel on their plug. The researchers say the RealTek chips are so common that the attack works on practically any desktop computer, whether it runs Windows or MacOS, and most laptops, too.

“This is the real vulnerability,” says Guri. “It’s what makes almost every computer today vulnerable to this type of attack.”

To be fair, the eavesdropping attack should only matter to those who have already gone a few steps down the rabbit-hole of obsessive counter-intelligence measures. But in the modern age of cybersecurity, fears of having your computer’s mic surreptitiously activated by stealthy malware are increasingly mainstream.

In this tests, the researchers tried the audio hack with a pair of Sennheiser headphones. They found that they could record from as far as 20 feet away—and even compress the resulting recording and send it over the internet.

Countermeasures

Hardware:

In highly secure facilities it is common practice to forbid the use of any speakers, headphones, or earphones in order to create so-called audio gap separation. Less restrictive policies prohibit the use of microphones but allow loudspeakers, however because speakers can be reversed and used as microphones, only active one way speakers are allowed.

Software:

Software countermeasures may include disabling the audio hardware in the UEFI/BIOS settings. This can prevent a malware from accessing the audio codec from the operating system.

However, such a configuration eliminates the use of the audio hardware (e.g., for music playing, Skype chats, etc.), and hence may not be feasible in all scenarios. Another option is to use the HD audio kernel driver to prevent rejacking or to enforce a strict rejacking policy.

1...835836837838Page 836 of 838

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved