Crypto-jacking on Government Official Websites.

About a month ago it was discovered that there was a vulnerability being exploited in a browser plug-in called Browsealoud. Browsealoud is a website plugin, developed by the company TextHelp, that adds speech, reading, and translation to websites, in an effort to help those with dyslexia and other conditions. Hackers injected a crypto-mining script on a Java file within the Browsealoud library. The script would mine the currency ‘monero’. Since the hackers attacked Browsealoud itself and not the individual websites, all the websites that were using Browsealoud (nearly 4000) were infected. Some of the websites included the UK’s ICO (Information Commissioner’s Office) and NHS (National Health Service) and the US federal judiciary. When someone visited a website using the plugin, the script would run and use the visitor’s CPU to begin mining.

Crypto-mining is something to be wary about, especially with the rise of Bitcoin and other cryptocurrencies. The hackers simply wanted an easy way to mine more currency for themselves, whether or not it was legal. Their reason for doing this comes back to the acronym ‘MEECES’, which stands for money, ego, entertainment, cause, entrance, status. The attackers were just looking for some money in this case because as of now it is unknown who injected the script. It was very fortunate, with the information as of now, that no information of the users who used the websites was stolen, and that they were only used to mine cryptocurrency.

Websites now should use more caution when implementing plugins on their website. Every company should have people testing for vulnerabilities within their services and should submit proof of this to their customers. In the future we need to become more aware of ways our websites and services can become vulnerable and the risks we take using them.

– Jordan Disciglio

Sources:
https://viraldocks.com/cryptojacking-attack-hits-4000-websites/

https://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites

Quantum Computing’s Impact on Cyber Security

With more and more technological advancements every day, our vision of quantum computing is turning more into a reality than a theory. Companies like IBM and Microsoft are accelerating forward and becoming closer than ever to building the first fully functioning quantum computer. Seemingly on the edge of an almost quantum revolution, it’s important to ask questions about how integral parts of our lives like cyber security will be affected by this change.

First, let’s understand what quantum computing is. Comparing it to modern computing, which relies on discrete values of a bit being either a 0 or a 1, quantum computing would allow both of these possibilities to exist simultaneously in something called qubits, and these values only truly form when they are observed. This allows quantum computers to handle operations and equations at speeds that are exponentially higher than what we are used to in modern computers and their energy costs are far less.

How does this affect today’s security? Many of today’s security systems rely on cryptography; this is because normal computers struggle at factoring large numbers. This means that cryptography based on factoring numbers would be a safe bet against our technology today, but with the introduction of quantum computing, these practices would be useless. This isn’t the end of cryptography though, because there are some approaches in use today that will be safe against the power of a quantum computer. That doesn’t mean that important companies and governments are using them though, and if quantum computing is to take off faster than anticipated they could run into some trouble. Other security strategies that are used today, like two-factor authentication, will still be just as effective after the introduction of quantum computing, due to multiple steps being taken by the person to log into a system.

Tomorrow’s security will be something almost unfathomable with quantum-based security implementations. Techniques like theoretically unbreakable cryptography, encrypting data to stop working if anyone attempts to uncover them and guaranteeing a safe passage to send data no matter what attacks are being used against it can all be potentially achieved with quantum computing. It’s not all positive though, because with the power to develop secure techniques comes the power to exploit older strategies. An almost quantum arms race has begun between intelligence agencies and this is because the first agency to gain access to quantum computing power will have an incredible edge over all other countries.

Although quantum computers may never be a household item, their impact in the world will definitely be historical. While many of their advancements will benefit society and the internet infrastructure as we know it, it is still important to make sure that the world is ready for a step this large.

-Jeremy McGrath

Sources:

https://www.technative.io/how-will-quantum-computing-impact-cyber-security/

https://www.nasdaq.com/article/quantum-computing-what-it-is-and-who-the-major-players-are-cm939998

 

Fileless Malware

Malware is constantly evolving to match the level of sophistication that anti-malware programs use to prevent it. This is especially so in the type of malware called fileless malware. This malware is relatively new (first big cases seen in 2014) but is becoming more common. Fileless malware tends to avoid the filesystem by operating almost entirely in memory; therefore we have also seen some attacks like this as early as the 2000’s. It hit a milestone in 2017 by making up nearly 52% of all malware attacks that year.

This type of malware aims to avoid modifying the filesystem at all. It allows “cybercriminals to skip steps that are needed to deploy malware-based attacks, such as creating payloads with malware to drop onto users’ systems. Instead, attackers use trusted programs native to the operating system and native operating system tools like PowerShell and WMI to exploit in-memory access, as well as Web browsers and Office applications.”

So why does it matter if it avoids modifying the filesystem? That is because a big part of malware protection in anti-malware programs is scanning files to detect infected ones.

How can it be prevented? This is a process called behavioral detection. “Looking for signs associated with malicious PowerShell use (like a PowerShell session executed using an encoded command via the command line), provides security teams with the evidence they need to investigate incidents that could turn out to be instances of malicious PowerShell use.”

Sources:

https://www.technewsworld.com/story/85178.html

https://www.darkreading.com/perimeter/fileless-malware-attacks-hit-milestone-in-2017/d/d-id/1330691?

https://www.cybereason.com/blog/fileless-malware

-Dylan Arrabito
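
The behavioral check quoted in the post above (a PowerShell session started with an encoded command on the command line), as an added example that is not part of the original post. The command lines are constructed samples standing in for process-creation log entries, and the function names are hypothetical.

```python
import base64
import ntpath
import shlex

POWERSHELL_HOSTS = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}

def is_encoded_flag(token):
    """True for -EncodedCommand, the -ec alias, or any prefix such as -e / -enc."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or "encodedcommand".startswith(name)

def decode_payload(b64_text):
    """PowerShell expects base64 over UTF-16LE text; return None if it is not that."""
    try:
        return base64.b64decode(b64_text, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def inspect_command_line(cmdline):
    """Return a finding dict for an encoded PowerShell launch, else None."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or ntpath.basename(tokens[0]).lower() not in POWERSHELL_HOSTS:
        return None
    for i, tok in enumerate(tokens[1:], start=1):
        if is_encoded_flag(tok):
            payload = tokens[i + 1] if i + 1 < len(tokens) else ""
            return {"flag": tok, "decoded": decode_payload(payload), "cmdline": cmdline}
    return None

def scan(cmdlines):
    """Keep only the command lines that launch PowerShell with an encoded command."""
    return [f for f in map(inspect_command_line, cmdlines) if f]

# Constructed sample input: the payload is a harmless "Get-Date".
_B64 = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -W Hidden -enc ' + _B64,
    r"pwsh.exe -ExecutionPolicy Bypass -Command Get-Date",
    r"notepad.exe -e notes.txt",
    r"powershell /EC " + _B64,
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding["flag"], "->", repr(finding["decoded"]))
```

Decoding the payload gives the investigating analyst the actual script text rather than just a flag that encoding was used.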

Self-Replication in Neural Nets

A recent paper from Oscar Chang and Hod Lipson, a grad student and a professor of Columbia University, respectively, has made significant progress in neural network development by successfully building and training a self-replicating neural network.

Self-replicating machines have long been theorized and applied in technological advancements such as polymers and robotics, and despite being widely recognized as a prime objective for the development of a true AI (self-replicating is viewed as a precursor step to reflection and adaptation), no serious progress had been made until 2017 with the development of HyperNetworks. This paper continues a series of meaningful advances in the improvement of AI.

While it’s yet to have been implemented or publicly acknowledged as having been implemented, these self-replicating neural networks have the potential to greatly improve the quality of neural networks designed for computer security. The ability to self-replicate and reflect upon the self-replication could allow for much more intelligent and much more resilient defense algorithms, as it may be capable of repairing itself if an adversary was able to alter it or lock itself from being able to alter itself upon a certain condition whilst still being capable of executing.

However, while the results of self-replicating neural networks do seem promising, information regarding their actual effectiveness is scarce. This does raise some personal questions regarding how well a self-replicating neural network could handle a “day 0” alteration through a malicious adversarial examples attack. Either way, the advancement is very promising.

Scott Carlton

Chang & Lipson Paper: https://arxiv.org/abs/1803.05859

HyperNetworks Paper: https://arxiv.org/abs/1609.09106

Memcached and DDOS Attacks

Remember the DDOS attack on Github? Yeah this has to do with that. [1] That attack and another that was detected by Arbor Networks on March 5th had to do with a new trick involving a server that implements memcached. memcached is a system that caches data from database calls to speed up subsequent database calls. The practical outcome is that pages that rely on databases load faster.

Why are attackers leveraging memcached servers?
The problem is not memcached inherently, but with a possibly weak default configuration that was being utilized improperly. [1] What attackers could do was amplify/reflect traffic off of the improperly configured memcached servers. This nifty trick not only turns every misconfigured memcached system into a tool, but also multiplied the amount of data that was being sent towards the target. Every year, the amount of data required to successfully deny service to a target service or page gets larger. [1] This trick using memcached allowed hackers to execute record breaking DDOS attacks. Arbor Networks detected a peak traffic load at 1.7 terabits per second.

What’s going on?
A reflection attack typically happens when an attacker sends traffic that looks like it was from the attacker’s target. This prompts a response that is then sent from the queried server to the target. In this case, it’s called an amplification attack because the attacker can send a very small amount of fake traffic which results in a larger response being sent to the target. [2] Attacks involving memcached were researched further after the discovery and it was found that the amplification factor could be as large as 51,200 [2]. This means, in theory, that for every bit sent from the attacker, there would be about 50Kb sent to the target.

What do we do about it?
Part of the problem is the default configuration. memcached is open-source, and in 2008 Facebook made the contribution that added support for UDP. There was no implementation of authentication for the UDP version of this service, so it was assumed that the administrators would properly auth and secure this [1]. Many did not. The solution is to disable the UDP support or otherwise lock down this public facing port/socket. The open-source project has already been updated so that future implementations of memcached have UDP disabled by default. Firewalls and rate limiting are also valuable tools; cloud service providers have been rate limiting the UDP port 11211 (used by memcached) to minimize any abuse on their lines.

If by chance you watch over an implementation of memcached, this guide will show you how to check if your device is ready to become a reflector: https://kb.iweb.com/hc/en-us/articles/230268328-Securing-your-Memcached-Server

-Matthew J. Harris

REFERENCES:

[1] https://www.geekwire.com/2018/memcached-servers-used-launch-record-setting-ddos-attacks/
[2] https://threatpost.com/misconfigured-memcached-servers-abused-to-amplify-ddos-attacks/130150/
[3] https://www.bleepingcomputer.com/news/security/proof-of-concept-code-for-memcached-ddos-attacks-published-online/
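
A configuration audit for the fix described in the memcached post above (turn UDP off, or keep the listener off public interfaces), as an added example that is not part of the original post or the memcached project. It assumes options are stored one per line, as in a Debian-style memcached.conf, and that a build without an explicit -U has UDP on unless told otherwise; both config samples are constructed.

```python
import ipaddress
import shlex

def parse_options(conf_text):
    """Collect -U/--udp-port and -l/--listen from memcached option lines."""
    opts = {"udp_port": None, "listen": []}
    for line in conf_text.splitlines():
        tokens = shlex.split(line, comments=True)  # drops '#' comments
        i = 0
        while i < len(tokens):
            name, _, value = tokens[i].partition("=")
            if name in ("-U", "-l") and i + 1 < len(tokens):
                i += 1
                value = tokens[i]
            if name in ("-U", "--udp-port"):
                opts["udp_port"] = int(value)
            elif name in ("-l", "--listen"):
                opts["listen"] += [a.strip() for a in value.split(",")]
            i += 1
    return opts

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsed value: assume reachable, the cautious reading

def audit(conf_text, udp_on_by_default=True):
    """Report whether this config leaves memcached usable as a UDP reflector."""
    opts = parse_options(conf_text)
    udp_port = opts["udp_port"]
    if udp_port is None:  # assumption: older builds listen on UDP 11211 by default
        udp_port = 11211 if udp_on_by_default else 0
    udp_enabled = udp_port != 0
    # No -l at all means memcached binds every interface.
    exposed = not opts["listen"] or not all(is_loopback(a) for a in opts["listen"])
    return {"udp_port": udp_port, "udp_enabled": udp_enabled,
            "non_loopback_listen": exposed, "reflector_risk": udp_enabled and exposed}

# Constructed samples: the weak setting beside the corrected one.
WEAK_CONF = "# constructed sample\n-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0\n"
HARDENED_CONF = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n-U 0  # UDP off\n"

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```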