Web Injects Used to Steal Bitcoin Money

With the increased use of cryptocurrency, hackers have started employing the use of Web injects to intercept payments and acquire user information.  Of course when it comes to hacking there are many ways, but this report is intended to inform readers of how Web injects work and why they can be hard to identify.  What a Web inject does is while the page loads, malware that changes the web page before the user sees it.  In this article, two website Web injects are used for Coinbase and Blockchain.info.  With Coinbase, the inject disables the enter key forcing the user to press a fake submit button, thus giving the user credentials to the hacker.  Likewise, the Web injects for Blockchain.info changes the web page so that the payment transaction goes to the hacker.

In the future, the use of online websites for bitcoin transactions (or payment transactions in general) will continue to increase.  A study claimed that by 2024, the number of bitcoin users will reach 200 million (RT news).  Therefore, hackers will always try to exploit the user’s information.  So in the future, companies with online payment platforms and bitcoin wallets will need to continue to research hacker attacks and stay up to date with security.  Also, users should be more aware of the how hackers use Web injections.  So for example, if a button does not work or there is a strange error, they should notify the companies.  This is all that companies and users can really do in this situation.  Just continue to develop security tools and pay attention to details on the webpages.

-Jamie Smith




OURSA Conference

One of the worlds largest computer security conferences, RSA, has recently been in the spotlight for all of the wrong reasons. The conference, which is six weeks away, just released their lineup of keynote speakers, which contains 22 individuals, and only one of those are female. Even worse, the one female speaker, Monica Lewinsky, is not even in the security field, she is speaking about anti-bullying. There was a large uproar regarding this which resulted in the foundation of a new conference, ironically named OURSA, which was formed in a mere 5 days. It is a predominantly female created conference, with the help of allies, that will take place at the same date and time as RSA. The lack of representation isn’t a new issue though, since over many different conferences there has been a collective loss of inclusion of different minorities, including women. RSA responded to the conference by saying the keynote speaker list is not final, and “…it also blamed the lack of women in the field, where just 11% of positions worldwide are held by women.” Firstly, that is an extremely sexist response, but second, if the percentage of positions held by women are so low, wouldn’t it be inspiring to see more female keynote speakers to inspire the next generation? This will only be a one time event and will only be able to host 1000 people instead of the 43,000 that RSA hosted last year. Nevertheless, this will be a groundbreaking conference that will hopefully shed light upon the issues with diversity in the community and the promotion of inclusion within all groups.





-Becca Fried

Extended Validation is Broken

Extended Validation is a tool that can be used by site owners in order to prove the identity of their site beyond a standard HTTPS certificate.  While an HTTPS certificate proves that the server you are communicating with is the site identified by the domain name, it can be easy to spoof domain names for some sites (like facebok.com).  If a site is verified, a person may be likely to trust it without verifying the domain name.

In order to receive an Extended Validation certificate, one must prove to a Certificate Authority that they “are” that name, rather than just owning the domain name.  Most commonly, this is done by proving that you own a company by that name – which is a fairly secure system.  However, in this report, Ian Carroll exploits a vulnerability not in the technical system, but in the United States.

In America, the same company name can be registered in different states (since, for all practical purposes, we are 50 separate countries that are just really friendly).  Carroll takes advantage of this fact by registering the company name “Stripe, Inc.” in Kentucky (Stripe is a popular payment platform, registered in Delaware).  He uses the site registered with this certificate not for malicious purposes but in order to spread awareness of the vulnerability, hosting his whitepaper on the vulnerability there.

This issue raises many questions on how we should be verifying identity, as well as how browsers should deliver verification information to the client.  The entire vulnerability is completely technically sound in that the entire process does what it should (the company named “Stripe, Inc.” has been verified to serve this content).  There is, unfortunately no simple way to solve this problem.  Should the certificate authority only issue these certificates for companies that are “big” or, even more ambiguously, “well-known”, and deny verification to startups?  Should the browser also display the state name of registration along with the certificate (assuming that the common citizen knows the state name of every website he or she visits)?  These are not difficult answers, but their answers are fundamental to the future of identification in an increasingly automated world.


– Ryan Volz

Identity Security Against New Algorithms

Recently there was a new piece of software developed that is able to hauntingly transpose any celebrities face onto another’s body and compellingly copy their facial movements. It has been about 2 years since this was technically possible with hardware processing limitations as well as research limitations. Now, a tool has been released that is able to automate this process for anyone with a sufficiently powerful computer. Previously anyone who would want to perform such a seemingly impossible task would have to have a lot of domain knowledge about machine learning hand data sciences. Or alternatively, they could also produce similar results with a huge CGI budget and many technically skilled artists. Currently, there is a tool available that is able to automate this entire process with varying results.

This brings up obvious security implications. If fake video of someone is produced without their consent or knowledge, this can be used for blackmail. Currently, there are few methods to authenticate footage that is used for judicial verification and such to prove a video’s validity. There troubling implications of using machine learning to produce these hauntingly realistic results. Currently, there are no methods that detect fake videos that can be used to verify videos produced via this machine learning algorithm.

Lucky for us, the internet is currently distracted by Nicolas Cage and putting his face on anything and everything else. However, Nicolas Cage never agreed to have his likeness handled in such a way. Even if it is only for the amusement of others, he has not been paid or anything for his image to be used in these videos. I think this technology with have severe implications for the movie industry and the security of one’s likeness being used. One recent example is the Star Wars Rogue One. Industrial Light and Magic did the CGI work for Star Wars Rogue One. ILM used both Carrie Fischer and Peter Cushing’s likenesses to produce new scenes with the now deceased actor’s likenesses using CGI. The producers asked for consent from both of the actor’s families, but Cushings and Fischer never agreed to such things themselves. It is terrifying to see the ability to make such convincing fakes fall into the hands of anybody with a computer.

It is clear that two things need to happen to keep people’s likenesses safe. One, everyone should stop trusting videos they see, especially containing celebrities, immediately. This is important because there is no way to tell if a video is real or fake anymore given the results produced by this technology. Two, additional securities need to be put in place to verify the integrity of a video. Currently, there aren’t any compelling ways to see if a person actually is in a video or not. Everyone knows what it is like to have seen a viral video and recognized that it was set up or faked. But when you saw someone’s face clearly in a video you knew that it was them. Now, there are no grounds to trust videos just because you can see someone’s face.

– Cameron Knight

The Hard Apple: Why It’s Difficult to Acquire Malware on a Mac

It always seems like there is a new virus, new malware, new adware, that happens to pop up on a computer running Windows. But why do we not here about this happening on a Mac? The answer is hidden under the operating system, tracing it to it’s roots, along with the attacker’s target audience.

Apple Mac computers are a Unix based operating system. Unix is normally a very secure operating system with their own built in features. Along with this, Apple has added its own type of security features along with this. One of these features is called Gatekeeper. Gatekeeper blocks any software than hasn’t been digitally signed and approved by Apple. A second feature  used by Mac’s is known as the act of Sandboxing. The process involves the checking of applications to confirm that they are only doing what they’re supposed to be doing. Sandboxing also isolates the applications from system components and other parts of the computer that do not have anything to do with the app’s initial designed purpose. The final security that is used by Apple is called FileVault2, which is a simple file management system that encrypts all of the files on the Mac computers. These embedded securities created by Apple help to create a more secure system for their users.

Normally, it would be thought that Mac users would be an easy group to target, but based on recent data, it is seen by most attackers that the amount of people present in the Apple community is not worth the overall effort of making a virus or malware that can be successful for passing through all of the Apple security obstacles. The reason why there are very limited viruses/malware for Mac devices, is because the attackers have a greater and easier target audience for Windows users.

Regardless of the very few amount of Mac related viruses and malware, there have still been instances of them occurring. In just 2017, there has been a 230% increase in Mac malware. An example of this is the OSX/Dok malware. OSX/Dok occurred in April 2017 and was a trojan that would hijack all incoming and outgoing traffic with the Mac computer. The trojan was signed with a valid certificate from Apple, meaning that the hackers could have used a legitimate developers account to initialize this attack. Another attack that took place in February of 2017 was called MacDownloader. This adware would display to a user as a free update for the Adobe Flash Player. When the installer ran, the program would prompt the user that there is adware on the Mac and would prompt for the system password. This would then begin the process of transmitting data (ie. usernames, passwords, etc.) to a remote server. The final example of successful Mac malware would be one called Safari-Get. Happening in November of 2016, this was a type of social engineering that involved sending out links through emails and the link either opening multiple iTunes windows, or multiple draft emails (just depending on the Mac operating system version). This would cause the system to freeze or cause a memory overload and force a shutdown.

Regardless of the lack of effort put forth by attackers towards Mac users, there still should be some safety concern for users. This can be made easily by updating applications and being careful when clicking links or even opening certain files.

-Ryan Keihm


Do Macs get viruses, and do Macs need antivirus software?

16 Apple Security Advances to Take Note of in 2016