September 6, 2019
Published by Kalpit Veerwal
In the near future, protecting sensitive information such as passwords and credit card numbers will require less computational work. Scientists at the Max Planck Institute for Software Systems in Kaiserslautern and Saarbrücken have developed a new technology, known as ERIM, for isolating software components from one another. With its help, sensitive data can be protected from hackers while it is processed in online transactions. The technique has nearly three to five times less computational overhead than previous isolation technologies, which makes it far more suitable for use in online transactions. For this work, the researchers were awarded the Internet Defense Prize 2019 by USENIX and Facebook.
Security technologies such as firewalls help protect computer programs from malicious software. Even a small security lapse can let hackers access the components of a piece of software, and it can go as far as hackers obtaining the financial details of users’ accounts and making credit card transactions with them. As an example, the Heartbleed bug in the OpenSSL encryption software exposed the usernames and passwords of many online services to hackers.
To prevent such attacks, developers can isolate different software components from each other, much as the walls of a fortress keep attackers away from its central area even if they overcome the outer obstacles. Current isolation methods often require up to 30 percent more CPU power and many servers running simultaneously, which increases infrastructure costs. Deepak Garg, a leading researcher at the Max Planck Institute, said that many services do not consider the greater cost justified and therefore do not use isolation at all. He added that their isolation technique needs only five percent more computation time, which makes it attractive to companies. This is why they were awarded the lucrative 100,000 USD prize by USENIX and Facebook.
A team led by Deepak Garg and Peter Druschel, director at the Max Planck Institute for Software Systems, combined a hardware feature that Intel introduced in its microprocessors with software to build the isolation method. The hardware feature is known as MPK, or Memory Protection Keys.
MPK on its own cannot isolate the components, as clever attackers can still get around it. MPK was therefore combined with another method known as instruction rewriting. Peter Druschel said that the code of a program can be rewritten so that an attacker cannot break through the “walls” between components, while the purpose of the program stays intact. Together, the two methods can partition the memory of a program with very little computational work, thereby isolating its parts from one another. Other isolation technologies go through the kernel of the operating system for this purpose and therefore need more computational effort. As the pace of software development increases, data protection has to remain practical, and that often calls for unconventional approaches.
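The hardware half of the technique can be shown directly. The following is an added example, not code from this page or from the ERIM project: a Linux/x86-64 C program that tags one page of constructed sample data with a protection key, locks the key with a single WRPKRU register write (no system call), shows that an access then faults even though the page tables still allow read/write, and unlocks it again from a trusted gate function. It calls the pkey_alloc, pkey_mprotect and pkey_free system calls directly through syscall(2) and uses the rdpkru/wrpkru instructions in inline assembly; the function names, the sample data and the return codes are this example's own. On a kernel or CPU without MPK it reports 0 and skips itself. It does not implement ERIM's other half, the binary inspection and rewriting that keeps stray WRPKRU instructions out of untrusted code.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20            /* Linux value, in case the header hid it */
#endif

#define PKEY_DISABLE_ACCESS_BIT 0x1u  /* AD bit: no reads or writes for this key */
#define PKEY_DISABLE_WRITE_BIT  0x2u  /* WD bit: reads allowed, writes denied   */

/* PKRU packs two bits per key: bit 2k is AD and bit 2k+1 is WD for key k. */
unsigned int pkru_bits_for_key(int key, unsigned int rights)
{
    return (rights & 3u) << (2 * key);
}

#if defined(__x86_64__) && defined(SYS_pkey_alloc)
static inline unsigned int read_pkru(void)
{
    unsigned int eax, edx;
    __asm__ volatile("rdpkru" : "=a"(eax), "=d"(edx) : "c"(0) : "memory");
    return eax;
}

/* WRPKRU is unprivileged: this is the instruction ERIM keeps out of untrusted
   code. Here it is reachable only through the trusted gate set_key_rights(). */
static inline void write_pkru(unsigned int pkru)
{
    __asm__ volatile("wrpkru" : : "a"(pkru), "c"(0), "d"(0) : "memory");
}

static void set_key_rights(int key, unsigned int rights)
{
    unsigned int pkru = read_pkru();
    pkru &= ~pkru_bits_for_key(key, 3u);
    pkru |= pkru_bits_for_key(key, rights);
    write_pkru(pkru);
}

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

static void on_segv(int sig)
{
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);          /* skip the faulting load, do not retry it */
}

/* Returns 1 if the locked page faulted and the unlocked page was readable,
   0 if this kernel/CPU offers no protection keys (demo skipped),
   -1 if MPK is present but did not behave as expected. */
int mpk_isolation_demo(void)
{
    long key = syscall(SYS_pkey_alloc, 0UL, 0UL);   /* key starts fully accessible */
    if (key < 0)
        return 0;                                     /* ENOSYS/ENOSPC/seccomp: no usable MPK */

    long page = sysconf(_SC_PAGESIZE);
    char *secret = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (secret == MAP_FAILED) {
        syscall(SYS_pkey_free, key);
        return -1;
    }
    strcpy(secret, "constructed-sample-session-key");  /* stand-in for sensitive data */

    volatile int rc = -1;
    /* Tag the page with our key; the PTE permissions stay read/write. */
    if (syscall(SYS_pkey_mprotect, secret, (size_t)page, PROT_READ | PROT_WRITE, key) != 0)
        goto out;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0)
        goto out;

    /* Untrusted phase: drop access with one register write, no syscall. */
    set_key_rights((int)key, PKEY_DISABLE_ACCESS_BIT);
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile char leak = secret[0];   /* must fault: the key is locked */
        (void)leak;
    }

    /* Trusted phase: re-enable the key and read the data normally. */
    set_key_rights((int)key, 0);
    int readable = (secret[0] == 'c');
    sigaction(SIGSEGV, &old, NULL);
    rc = (fault_seen && readable) ? 1 : -1;

out:
    munmap(secret, (size_t)page);     /* release the page before freeing its key */
    syscall(SYS_pkey_free, key);
    return rc;
}
#else
int mpk_isolation_demo(void) { return 0; }   /* not x86-64 Linux: nothing to show */
#endif

int main(void)
{
    int r = mpk_isolation_demo();
    if (r == 1)
        puts("MPK: locked page faulted, unlocked page readable");
    else if (r == 0)
        puts("MPK: not available on this kernel/CPU, demo skipped");
    else
        puts("MPK: unexpected behaviour");
    return r == -1;
}
```

set_key_rights is the kind of trusted call gate the article's instruction rewriting protects: because WRPKRU is an unprivileged instruction, any occurrence of it reachable from untrusted code would let that code unlock the key itself, which is why the hardware feature alone does not give isolation and why the key switch still costs only a register write rather than a kernel call.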
September 1, 2019 (updated September 1, 2019)
Published by Sai Teja
Google security researchers said that they have detected several malicious websites which, when visited, would hack into the visitor’s iPhone without any alert. This was possible through the exploitation of a number of previously undisclosed security flaws in the software.
Google’s Project Zero said that these harmful websites were visited several thousand times per week by visitors who had no idea what was going on. Ian Beer, a Project Zero security researcher, said that simply visiting the malicious website was enough for the device to be exploited; if the exploit succeeded, the site would then install a monitoring implant. The hacking of iPhones continued for a period of at least two years.
Five unique exploit chains were detected, involving a total of twelve separate security flaws. Seven of these flaws involved Safari, the default browser on iPhones. With the help of the other five exploit chains, an attacker managed to get root access (the highest access level) to the iPhone. As a result, the attackers could reach all features of the device, including those not accessible even to the user, which let them install applications or other malware on the device without the user’s knowledge.
According to Google’s analysis, users’ personal photos and messages, along with their live location, could be stolen through these vulnerabilities, which would also give access to the passwords saved on the device. iOS versions 10 to 12 were affected.
Google privately disclosed the flaws to Apple in February, giving it only a week to fix them and roll out updates to users; because the flaws were so severe, the developers were given very little time. After six days, Apple rolled out security patches in iOS 12.1.4 for the iPhone 5s, iPad Air and later models.
Beer said that other hacking campaigns might currently be operating. Apple has a good reputation for handling security-related issues. It also increased its maximum bug bounty payment to a million dollars for security researchers who find flaws that allow intruders to get root-level access to a device without any interaction from the user. Under Apple’s new bounty rules, set to go into effect later this year, Google would’ve been eligible for several million dollars in bounties.
June 22, 2019
Published by Kalpit Veerwal
A Florida city has agreed to pay 600,000 USD in ransom to the hackers who breached its computer system, one of many attacks worldwide meant to extort money from businesses and governments.
The Riviera Beach City Council voted unanimously to meet the hackers’ demands, as the suburb had no other option if it wanted back its records, which the hackers had encrypted. Before this, the council had voted to spend a million dollars on new computers after the hackers took over the existing hardware.
The hackers gained access to the system after an employee clicked on an email, which resulted in malware being uploaded. Besides the encrypted records, there were several other problems, such as a disabled email system, payments having to be made by cheque rather than direct deposit, and 911 dispatchers being unable to enter calls into their computers.
Spokeswoman Rose Anne Brown said that the city of 35,000 residents had been working with outside security consultants, who recommended that the ransom be paid. However, she also added that there is no certainty the records will be recovered once the money is paid. Although the FBI says it does not support paying hackers, several businesses and government agencies do so. The city is relying on the word of the consultants. The payment will be made in bitcoin. Bitcoin payments can be traced, but the owners of the accounts cannot be identified with certainty, which is why it is often used in such attacks.
Hacking attempts have affected several corporations and governments in the United States and in other nations. Last year, the United States government indicted two Iranians for allegedly unleashing ransomware attacks against the cities of Atlanta and Newark, New Jersey. Federal prosecutors said that the hackers received payments of 6 million USD and caused damages worth 30 million USD. A North Korean programmer was accused last year of the WannaCry attack, which affected banks, factories and hospital systems in 150 nations. He is also presumed to have stolen 81 million USD from a bank in Bangladesh.
Such attacks often originate outside the United States, which makes it difficult to prosecute the hackers. Employees of organizations have to be taught security measures such as not clicking on suspicious links or emails.
In most cases the machines are decrypted after payment, although in the WannaCry attack the data was not released even after the money had been received.
April 16, 2019 (updated April 16, 2019)
Published by Kalpit Veerwal
The Wi-Fi Protected Access 3 (WPA3) protocol, released about 15 months ago, was regarded by its key architects as the most resistant yet to the password-theft attacks that were rampant against earlier protocols. This did not remain true for long: researchers revealed many serious design gaps in WPA3, undermining its claim to be the most secure protocol so far. This raises serious questions about the future of wireless security and about the protection of cheap Internet-of-Things devices.
The recent release was a big improvement over the previous weak models, but the current WPA2 protocol, in use since the 2000s, has a grave design flaw that has been known for a very long time. The four-way handshake, the cryptographic process WPA2 uses to authenticate devices such as computers, mobile phones and tablets to an access point (and vice versa), uses a hashed form of the network password. Anyone within range of the device can record this handshake, after which passwords that are short or not random can be cracked in a matter of a few seconds.
One of the most widely promoted changes in WPA3 was the use of Dragonfly, a fully revamped handshake in which the four-way handshake key is augmented with a Pairwise Master Key that has more entropy than the network password. In the Wi-Fi world this is known as the Simultaneous Authentication of Equals handshake, or SAE for short. A crucial feature of SAE is that it protects past sessions against future attacks on the password, a property known as forward secrecy.
The research paper titled “Dragonblood: A Security Analysis of WPA3’s SAE Handshake” reveals many vulnerabilities in WPA3 that expose users to many of the same attacks that threatened users of WPA2. The researchers have warned that many of the faults may persist in low-cost devices for years. Experts have also criticized the process by which the Wi-Fi Alliance industry group formalized WPA3.
Experts agree that if the alliance had adopted the recommendation to move from the hash-to-group password format to hash-to-curve password encoding, most of the Dragonblood exploits would not have worked.
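The hash-to-group versus hash-to-curve point is easiest to see in code. The block below is an added example, not code from this page, from the Dragonblood authors or from any Wi-Fi implementation: it models Dragonfly's "hunting and pecking" password-to-element loop over a constructed toy MODP group (p = 23, q = 11, far too small for real use), with SHA-256 standing in for the real seed and KDF steps; the MAC addresses, passwords, function names and the 40-round bound K are constructed as well. The early-exit version returns at the first counter that yields a valid group element, so its iteration count, and with it its running time, depends on the password. The fixed-iteration version always runs all K rounds and keeps the first hit by arithmetic selection rather than a data-dependent exit, which is the loop-level mitigation; the hash-to-curve (hash-to-element) encoding the experts recommend removes the loop altogether. Python cannot give true constant-time execution; what the example makes visible is the iteration-count dependence itself.

```python
import hashlib
from collections import Counter

# Constructed toy group: a safe prime p = 2q + 1 (p = 23, q = 11).
P, Q = 23, 11
K = 40                                   # fixed iteration bound, as in Dragonfly
MAC_A = bytes.fromhex("020000000001")    # constructed station address
MAC_B = bytes.fromhex("020000000002")    # constructed access-point address


def _pwd_value(mac_a: bytes, mac_b: bytes, password: bytes, counter: int) -> int:
    """Candidate value for one loop counter (simplified pwd-seed / pwd-value step)."""
    hi, lo = max(mac_a, mac_b), min(mac_a, mac_b)
    seed = hashlib.sha256(hi + lo + password + bytes([counter])).digest()
    kdf = hashlib.sha256(seed + b"Dragonfly Hunting And Pecking").digest()
    # Truncate to the bit length of p, as the real KDF output is sized to p.
    return int.from_bytes(kdf, "big") % (1 << P.bit_length())


def hunting_and_pecking(mac_a: bytes, mac_b: bytes, password: bytes):
    """Early-exit loop (hash-to-group). Returns (pwe, iterations_run).

    The loop stops at the first counter that gives a valid group element, so
    the number of iterations, and therefore the time taken, depends on the
    password: a timing side channel."""
    for counter in range(1, K + 1):
        value = _pwd_value(mac_a, mac_b, password, counter)
        if value < P:
            pwe = pow(value, (P - 1) // Q, P)   # map into the order-q subgroup
            if pwe > 1:
                return pwe, counter
    return None, K


def fixed_iteration(mac_a: bytes, mac_b: bytes, password: bytes):
    """Same element, but always runs all K rounds and keeps the first valid
    candidate with arithmetic selection instead of a data-dependent exit."""
    pwe, found = 0, 0
    for counter in range(1, K + 1):
        value = _pwd_value(mac_a, mac_b, password, counter)
        cand = pow(value, (P - 1) // Q, P)
        ok = int(value < P) & int(cand > 1)     # 1 only for a valid candidate
        take = ok & (1 - found)                 # first valid candidate wins
        pwe = take * cand + (1 - take) * pwe
        found |= ok
    return (pwe if found else None), K


def iteration_profile(passwords):
    """How many passwords hit on each counter: the spread a timing leak exposes."""
    return Counter(hunting_and_pecking(MAC_A, MAC_B, pw)[1] for pw in passwords)


if __name__ == "__main__":
    sample = [f"passphrase-{i:03d}".encode() for i in range(200)]   # constructed
    for counter, n in sorted(iteration_profile(sample).items()):
        print(f"first valid element at counter {counter:2d}: {n:3d} passwords")
```

Running it prints how the first-hit counter spreads across the sample passwords. In a real implementation that spread is what a timing measurement recovers, which is why the recommended fix is an encoding whose work does not depend on the password rather than a patched loop: the fixed-iteration variant closes the iteration-count channel but still performs password-dependent arithmetic inside each round, whereas hash-to-curve has no loop to leak.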