16 votes

Saturday Security Brief

Topics: Attack Surface Management, an active iMessage exploit targeting journalists, and academic research on unusual electromagnetic attack vectors against air-gapped systems.

Any feedback or thoughts on the experience of receiving and discussing news through this brief or in general are welcome. I'm curious about this form of staying informed so I want to experiment. (Thanks again for the suggestion to post the topics as comments.)


Attack Surface Management

This concept is about making sure your network can cope with the many issues that come from accommodating "Servers, IoT devices, old VPSs, forgotten environments, misconfigured services and unknown exposed assets" within an enterprise environment. Some of the same thinking applies to protecting our personal networks. Outdated phones, computers, wifi extenders, and similar devices can give outside attackers a foothold from which to retain persistent access. Consider taking steps to mitigate and avoid potential harm from devices you don't actively manage.

Consider putting such devices on the guest network, if your router supports one and applies extra rules to devices on that network, so they can't directly damage your other devices.
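The "you can't secure what you can't see" idea boils down to comparing what is actually on the network with what you believe is on it. The script below is an added example written for this brief, not code from the Security Trails article or from the post: it parses neighbor-table lines in the style of `ip neigh` output, normalizes the MAC address formats that different tools emit, and reports devices that are present but not in your inventory (unknown exposed assets) as well as inventoried devices that were not seen (possibly forgotten, possibly just offline). The sample neighbor lines, the `INVENTORY` table, and the device names in it are constructed for the example.

```python
"""Reconcile observed network neighbors against a known-asset inventory.

Added illustration for the Attack Surface Management section; not code from
the Security Trails article or the original post. The neighbor lines and the
inventory are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ip neigh` output (addresses are made up).
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa-bb-cc-dd-ee-01 STALE
192.168.1.37 dev eth0 lladdr AA:BB:CC:DD:EE:02 REACHABLE
192.168.1.90 dev eth0  FAILED
192.168.1.120 dev eth0 lladdr aabb.ccdd.ee03 DELAY
"""

# Constructed inventory: normalized MAC -> (device name, expected segment).
# The "old-wifi-extender" entry is deliberately absent from SAMPLE_NEIGH.
INVENTORY = {
    "00:11:22:33:44:55": ("router", "main"),
    "aa:bb:cc:dd:ee:01": ("laptop", "main"),
    "aa:bb:cc:dd:ee:09": ("old-wifi-extender", "guest"),
}

# Only lines that carry a link-layer address are useful; FAILED entries have none.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>\S+)\s+(?P<state>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Neighbor:
    ip: str
    mac: str
    state: str


def parse_neigh(text: str) -> list:
    """Parse neighbor-table lines into Neighbor records, skipping entries without a MAC."""
    seen = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # e.g. a FAILED entry with no lladdr field
        seen.append(Neighbor(m["ip"], normalize_mac(m["mac"]), m["state"]))
    return seen


def reconcile(neighbors, inventory):
    """Return (unknown, missing).

    unknown: neighbors whose MAC is not in the inventory (candidates for the
             guest segment or for removal).
    missing: inventory entries not observed at all (forgotten or offline assets).
    """
    seen_macs = {n.mac for n in neighbors}
    unknown = [n for n in neighbors if n.mac not in inventory]
    missing = {mac: entry for mac, entry in inventory.items() if mac not in seen_macs}
    return unknown, missing


if __name__ == "__main__":
    unknown, missing = reconcile(parse_neigh(SAMPLE_NEIGH), INVENTORY)
    for n in unknown:
        print(f"UNKNOWN  {n.ip:<15} {n.mac}  ({n.state})")
    for mac, (name, segment) in missing.items():
        print(f"MISSING  {name:<18} {mac}  expected on '{segment}'")
```

On a real home router the input would come from the router's client list or from `ip neigh` on a machine attached to the LAN; the reconciliation logic is the same. A device that keeps showing up as UNKNOWN is exactly the kind of asset the guest-network advice above is meant for.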

"A report from 2016 predicted that 30% of all data breaches by 2020 will be the result of shadow IT resources: systems, devices, software, apps and services that aren’t approved, and in use without the organization’s security team’s knowledge. But shadow IT isn’t the only area where security and IT teams face issues with tracking and visibility."

Attack Surface Management: You Can’t Secure What You Can’t See ~ Security Trails


Multiple Journalists Hacked with ‘Zero-Click’ iMessage Exploit

Mobile spyware continues to evolve and to trend toward professional, commercial products. Recently this technology has been abused to conduct espionage against journalists at major networks. Where these exploits once typically required the user to click on something by mistake, newer developments let them operate without any interaction from the target and without leaving a visible trace.

"NSO Group’s Pegasus spyware is a mobile phone surveillance solution that enables customers to remotely exploit and monitor devices. The company is a prolific seller of surveillance technology to governments around the world, and its products have been regularly linked to surveillance abuses."

"In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked."

"The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates."

"More recently, NSO Group is shifting towards zero-click exploits and network-based attacks that allow its government clients to break into phones without any interaction from the target, and without leaving any visible traces."

The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit ~ Citizen Lab


Security researchers exfiltrate data from air-gapped systems by measuring the vibrations made by PC fans.

Besides this potential exploit, the article mentions past research by Guri and his team that is worth checking out, such as:

  • LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED

  • AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data

  • MAGNETO & ODINI - steal data from Faraday cage-protected systems

  • PowerHammer - steal data from air-gapped systems using power lines

  • BRIGHTNESS - steal data from air-gapped systems using screen brightness variations

"Academics from an Israeli university have proven the feasibility of using fans installed inside a computer to create controlled vibrations that can be used to steal data from air-gapped systems."

Academics steal data from air-gapped systems using PC fan vibrations ~ ZDNet


Good Practices

"Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. But people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control. Here’s the story of one such incident."

Turn on MFA Before Crooks Do It For You ~ Krebs on Security

7 comments

  1. [3]
    Parameter
    Link
Attack Surface Management: You Can’t Secure What You Can’t See ~ Security Trails
    3 votes
    1. [2]
      opheron
      Link Parent
      I liked this summary, I'll be sending it along to my mentees. Thanks for doing this post series! I've been enjoying them so far :)

      1 vote
      1. Parameter
        Link Parent
        Thanks for reaching out! That makes me happy.

Feel free to do so again if anything occurs to you about the format and your experience with it that you'd like to share.

  2. [2]
    Pistos
    Link
    https://www.zdnet.com/article/backdoor-account-discovered-in-more-than-100000-zyxel-firewalls-vpn-gateways/
    3 votes
    1. Parameter
      Link Parent
      Well, that's disturbing. Home routers are such a headache.

My TP-Link router was behaving oddly a few months ago: scans showed exposed ports relating to the remote management backdoor, a few features were broken, and there were timezone issues.

I was hoping it was legitimate and didn't pose a risk to my home network, so I contacted TP-Link, got moved up to senior support, and asked them to check whether my device had been compromised. They looked into it and completely resolved the issues, but communicated vaguely about the specifics. So I don't know if they removed a bad actor or just improved the security of their backdoor. Good either way, I suppose.

      4 votes