Category Archives: Exploits

Automattic vs. Steiner, Putting a lid on fraudulent DMCA claims

In December of last year, Automattic, the company that runs WordPress, was awarded over $25,000 in damages against Nick Steiner, a member of the group Straight Pride UK. Normally in cases that involve the DMCA, liability for damages is a given, and the party that initiated the suit is the one awarded the money. What makes this case unique is the substantial sum of money awarded and the fact that it was awarded to the defendant.

In the case in question, a blogger requested information from Steiner and included parts of the press release he was given in a negative report about the group. Steiner retaliated with a DMCA claim against WordPress, and Automattic responded by filing suit. They won the case, and the precedent they set sends a message to others who may abuse DMCA claims. Alongside that, small businesses that may fall victim to such claims may have found an ally in WordPress, which plans to battle DMCA abuses. With such a big player retaliating and winning, fraudsters may now have to seriously consider the risks of making fraudulent claims, and whether they are willing to take them.

Now, DMCA claims aren’t anything new, and plenty of claims have merit. However, in recent years the number of DMCA claims has gone up dramatically, and according to Google’s transparency report, a large number of those claims are baseless or used for malicious purposes. According to Google, about a third (37%) of the claims made were not valid claims, and 57% of claims were made by businesses against their competitors. DMCA claims are easy to abuse, with little risk for the accuser and large rewards. In a system that doles out punishment without any real due process, lots of abuse is going to occur.


-Written by Anthony Cuzzi on September 14, 2019

Sources

Article Source

Google Transparency Report

iOS Group FaceTime Oversight Bypasses Access to Contact Information

With the release of iOS 12.1 for Apple’s mobile devices came the exciting (and much-desired) ability to have group video calls in the built-in FaceTime app. However, this new addition brought with it an exploit that allows an attacker to easily bypass a device’s lock screen passcode and view all the contact information stored on it. It was discovered by Jose Rodriguez (Twitter: @VBarraquito), a Spanish security researcher well known for discovering a variety of bypass methods, including one that previously allowed information to be viewed through the photo-sharing feature of the lock screen camera.

The exploit is fairly simple to execute once an attacker has the target device in their possession, provided it is set up with certain features. Firstly, the phone number of the target device is needed, which is fairly simple to obtain if it has Siri enabled. With a different device of their own, they just need to:

  • Call the target device.
  • Tap the FaceTime icon on the call screen to have it routed through there instead.
  • Go to add contacts once the call begins.
  • If the target device happens to have 3D touch enabled, a heavy press on the screen on any contact name will bring up the full list of their contact information.

As of right now, it is not yet known whether Apple is working on an update to patch the exploit, given how recent the update itself is. Given how easy it is for the average person to use, it should hopefully be high on their priority list. Users who multitask heavily on their phones, such as those who work for large companies, tend to have 3D Touch and Siri enabled for convenience, which makes them more likely to fall victim to the exploit, especially since they are often in public spaces where their device could be stolen.

Source
Post by Allan Sun

A New Form of Cold Boot Attacks

By Robert Gray:

Security researchers at F-Secure have developed a new method to extract encryption keys or other sensitive data in memory from a laptop in sleep mode if an attacker can gain physical access to it.

Here is a quick explanation of how this type of cold boot attack works.

A “cold reboot” occurs when a computer is improperly shut down. When that happens, the contents of system RAM briefly persist after power is lost and may be readable when the system boots back up. In response to this security issue, computer manufacturers programmed the BIOS to overwrite RAM early in the boot process. The new issue lies in how that fix was implemented: the BIOS stores a value in flash storage to decide whether it needs to wipe RAM on the next boot, but that value can be changed by the operating system or by tampering with the hardware. An attacker can then boot the system from a USB drive and read the contents of memory.

This attack is theoretically possible against any Windows-based computer, or any Apple computer released prior to 2018, that an attacker can gain physical access to. Microsoft’s current recommendation is for anyone using encryption to use Hibernate mode instead of Suspend mode when putting a laptop to sleep, as Hibernate wipes any encryption keys from RAM. A more complete fix will require hardware and BIOS changes and likely will not be available for a while.

Sources:
https://blog.f-secure.com/cold-boot-attacks/
https://arstechnica.com/gadgets/2018/09/cold-boot-attacks-given-new-life-with-firmware-attack/
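The mitigation above (hibernate rather than suspend) can be audited and enforced from an elevated PowerShell prompt. The script below is an added example, not code from F-Secure, Microsoft or this post; it assumes a Windows 10 laptop with the BitLocker PowerShell module available, uses only documented powercfg aliases, and the 15-minute idle timeout is an arbitrary choice.

```powershell
# Added example: make an unattended BitLocker laptop hibernate (RAM powered off, keys gone)
# instead of suspending to RAM. Run from an elevated prompt. Assumes Windows 10 with the
# BitLocker module; the timeouts below are illustrative values, not a Microsoft recommendation.

# 1. Show which sleep states the firmware supports and whether hibernate is currently enabled.
powercfg /a

# 2. The attack targets keys held in RAM while a volume is unlocked, so confirm which volumes
#    are BitLocker-protected; the OS volume also holds hiberfil.sys, so it must be encrypted.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, KeyProtector

# 3. Enable hibernation (creates hiberfil.sys); required before hibernate can be selected.
powercfg /hibernate on

# 4. Lid close, power button and sleep button -> hibernate, on both AC and battery.
#    Action values for these settings: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down.
foreach ($setting in 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION') {
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $setting 2
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $setting 2
}

# 5. Never suspend to RAM on idle (0 = disabled); hibernate after 900 seconds of inactivity.
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 900
powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 900

# 6. Apply the modified scheme and print the resulting sleep settings for review.
powercfg /setactive SCHEME_CURRENT
powercfg /query SCHEME_CURRENT SUB_SLEEP
```

Two caveats: hibernation only removes keys from RAM if the volume that holds hiberfil.sys (the OS volume) is itself encrypted, which the BitLocker check in step 2 confirms; and none of this changes the firmware flag the post describes, which is why the post notes that a complete fix needs BIOS and hardware changes.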

Recent Zero-Day Vulnerabilities disclosed on Twitter

By Stuart Nevans Locke:

Within the last few weeks, two zero-day exploits were disclosed on Twitter. Typically, an exploit is reported to the company whose product is vulnerable, the researcher waits until the company fixes the vulnerability, and the vulnerability is made public only after patches are released. Companies that run bug bounty programs often pay researchers for finding vulnerabilities; however, those companies almost always pay less than researchers could get by selling the same vulnerabilities on the black market. Some bug bounty programs also have extremely limited scope or are reluctant to award bounties. As a result, companies such as Zerodium have formed that operate in the gray area of buying and selling exploits. For example, last year Zerodium offered to pay up to $250,000 to researchers who found a remote code execution vulnerability that resulted in root access, while the bug bounty program run by Tor would pay a maximum of $4,000.

On September 10, Zerodium released a tweet saying that the NoScript plugin in Tor Browser version 7.x could be trivially bypassed. NoScript is a Firefox extension bundled with Tor Browser; its primary purpose is to prevent JavaScript from running in the browser. While a vulnerability that bypasses NoScript would not by itself be enough to de-anonymize Tor Browser users, it could be a useful step toward running JavaScript-based exploits that do. What makes this case of irresponsible disclosure so interesting is that Zerodium is in the business of buying and selling vulnerabilities, not giving them away on Twitter for no reason. This has prompted speculation about why they released the vulnerability; theories range from a PR move to Zerodium holding more severe exploits for other versions of Tor.

Just a few days earlier, on August 27, a Twitter user going by the handle @SandboxEscaper posted a tweet containing a local privilege escalation exploit that worked on fully updated Windows machines. The researcher published both the source code and a proof of concept (PoC). In the tweet, SandboxEscaper complained about how unpleasant dealing with Microsoft had been for them in the past. Very soon after SandboxEscaper released the exploit, malware in the wild began using it.

The most worrisome thing about these two vulnerabilities is that both were disclosed in such an irresponsible manner, allowing them to be exploited in the wild before NoScript and Microsoft had time to put out patches. One of the things cybersecurity researchers emphasize most is the process of responsible disclosure, and it is extremely worrisome to see it completely ignored by multiple sources.

Some Sources:
https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/ (Summary of Zerodium’s disclosure)
https://www.theregister.co.uk/2018/08/28/windows_zero_day_lpe/ (Summary of SandboxEscaper’s disclosure)
https://hackerone.com/torproject (Tor bug bounty)
https://zerodium.com/tor.html (Zerodium Tor Page)
https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f (Technical Analysis of SandboxEscaper’s exploit)

Baltimore’s Dispatch System Taken Down

Baltimore’s 911 dispatch system was breached on Sunday, March 25th, shutting down automatic dispatching until Monday, March 26th, and halting call logging from 9:54 a.m. Sunday to 7:42 a.m. Monday.

A server running the city’s computer-aided dispatch (CAD) system was infiltrated around 8:30 Sunday morning, forcing caller information to be relayed manually for the remainder of the day and into Monday. Under normal circumstances, caller information appears on a map and the nearest first responders are dispatched automatically. The attack effectively slowed this process and required call center staff to relay the information to dispatchers themselves.

The exploited vulnerability was a port that had been left open after an IT team, while troubleshooting a communications issue, made changes to the firewall. City workers were able to take the affected server offline, conduct a thorough investigation, and successfully bring it back online by approximately 2 a.m. Monday morning. Later reports confirmed that the attack did involve ransomware, but neither the ransom amount nor the city’s response to it has been disclosed.

-Jordan Sullivan

Sources:
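The root cause in this incident, a firewall change made during troubleshooting and never reverted, is the kind of drift a periodic baseline comparison catches. The script below is an added example and is not code from the city, the reports, or this post; it assumes a Windows host with the NetSecurity module (Windows 8 / Server 2012 or later), and the baseline path is a placeholder location. It records the enabled inbound allow rules on the first run and on later runs reports any rule that was added or removed since the baseline was reviewed.

```powershell
# Added example: detect firewall drift by diffing the enabled inbound "allow" rules against a
# reviewed baseline. Assumes Windows with the NetSecurity module; run elevated. The baseline
# path is a placeholder chosen for this example.

$BaselinePath = 'C:\SecurityBaselines\inbound-allow-rules.csv'  # placeholder location

function Get-InboundAllowRules {
    # One row per enabled inbound allow rule: the port(s) it opens and the remote addresses it admits.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.Name
            DisplayName   = $_.DisplayName
            Profile       = $_.Profile.ToString()
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
}

$current = @(Get-InboundAllowRules)

if (-not (Test-Path $BaselinePath)) {
    # First run: record the rule set as reviewed and known-good.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath ($($current.Count) inbound allow rules)."
    return
}

$baseline = Import-Csv -Path $BaselinePath
$props = 'Name', 'Profile', 'Protocol', 'LocalPort', 'RemoteAddress'

# Rules present now but absent from the baseline are new exposure ("=>"). Rules that
# disappeared ("<=") are reported too, so the baseline is re-reviewed after intentional changes.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property $props

if (-not $diff) {
    Write-Output 'No inbound allow-rule drift from baseline.'
} else {
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'MISSING' }
        Write-Output ('{0} {1,-40} {2,-5} port {3,-12} from {4}' -f $tag, $d.Name, $d.Protocol, $d.LocalPort, $d.RemoteAddress)
    }
    # Anything listening behind a newly allowed port deserves a second look.
    Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess | Sort-Object LocalPort
}
```

Run it once after a firewall review to write the baseline, then schedule it (or run it at the end of every troubleshooting session); a temporary rule that was meant to be removed shows up as `ADDED` until it is either closed or deliberately folded into a new baseline.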