
The most noticeable change in the information security news landscape compared to, say, last fall is the heated debate around data encryption. Starting with theoretical studies of potential weaknesses, for example in SHA-1, the topic took on a purely practical color as the dispute between Apple and the FBI evolved, with the WhatsApp messenger's transition to full encryption, and with growing attention to the problem of ransomware (although, it would seem, what is it doing here?). Ransomware really has nothing to do with it, but I cannot help noting the irony of the situation: in one case the progressive part of society advocates full data encryption, in the other it suffers a great deal of pain because its data was encrypted without being asked, and, as a rule, very reliably. Encryption is not a panacea if everything else breaks without difficulty. Only comprehensive protection of information, only hardcore.
So this week the FBI transparently hinted at how much the hack of the iPhone 5c, over which Apple nearly went to court, cost: more than 1 million dollars, presumably for a zero-day vulnerability that allowed the device's protection to be bypassed. Let me remind you that in September last year the company Zerodium promised to pay the same amount for such a vulnerability. And it somehow seems sad: protect or don't protect, the moneybags will hack it anyway. But guaranteeing 100% data security is impossible in principle; in fact, any protection only tries to make hacking prohibitively expensive. So in the context of the iPhone story this is good news: breaking in is expensive.
Other companies are also not going to give away user data cheaply, at least when doing so brings them no profit, only reputational costs. Viber promised to implement full encryption of all communications this week; they claim they can only see the fact of communication between two subscribers (that is, metadata), but not the content. And only BlackBerry continues to defend arbitrary access to personal correspondence at the request of the authorities. No one is against that, but the approach of BlackBerry, once a pioneer of secure mobile communications, seems outdated.
Next: the peculiarities of hacking computers through a mouse at a distance, and how to make a ransomware detector that either works or doesn't. Previous issues are here.
Hacking a computer through a wireless mouse: researchers have increased the attack range to 225 meters

News

The fighters of the invisible front from Bastille Networks continue to explore a vulnerability through which no one has ever been hacked and no one is going to be. This story began in February: that was when the researchers showed how, by abusing a mouse to type characters and exploiting flaws in the receiver's authorization system, you can hack any computer on any operating system. It is enough to log in (through the hole) to the USB receiver as a mouse, without any confirmation from the user, and start sending characters to the computer as if from a keyboard. There is no need to inject malicious code into the system: you simply type it in and execute it directly on the system.

Cool, of course. Two months later the researchers improved their result on range: using dirt-cheap equipment (no more than $50 for everything), they increased the working distance to the USB receiver to 225 meters from the original 100. It seems the threat has become more than twice as dangerous, so why has "no one been hacked"? Well, honestly, maybe we just don't know about it: go and figure out what happened in such a situation. USB receivers (this is not about Bluetooth) are a thing in themselves, a black box the size of a connector. In 2016 a horror story reached us from the near future, when such dongles in the form of sensors, controllers and other things will be a dime a dozen; they will be responsible for our electricity, water and heart-rate correction, yet will remain black boxes. More precisely, I would like it to be otherwise: better and more transparent.
For mass cybercrime this method remains difficult. I will assume that for the organizers of targeted attacks it falls into the category of exotics: while simpler tricks work, what is the point of running around with antennas? The trouble is that many owners of wireless mice need either to change the model or to wait patiently for the vulnerability to be closed. Many USB receivers are not being fixed at all. However, Microsoft has recently joined Logitech, initially the only company that closed the vulnerability. And the trick question: thanks to the researchers, we learned about this problem. How many similar flaws out of the blue remain unknown?
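The attack described above boils down to characters arriving at the computer "as if from a keyboard", and one defender-side signal for that is cadence: a payload typed by a radio injector arrives far faster than a person can type. The following is an added example in Python, not Bastille's code or any product's detector, that flags runs of keystrokes with inhumanly short gaps. The 30 ms gap and the run length of 8 are assumptions chosen for illustration, and the key-event timeline is constructed inline so the example runs offline.

```python
# Added example (not Bastille's code): a host-side heuristic that flags bursts of
# keystrokes arriving faster than a human can type. A real sensor would feed it
# timestamps read from the HID event stream; here the timeline is constructed.

INJECTION_GAP_SECONDS = 0.03   # assumption: sustained inter-key gaps below this are not human
MIN_RUN = 8                    # assumption: how many consecutive too-fast keys before alerting


def injection_runs(timestamps, gap=INJECTION_GAP_SECONDS, min_run=MIN_RUN):
    """Return (first_index, last_index) pairs for every run of keystrokes whose
    inter-key gaps are all shorter than `gap` and which spans at least `min_run` keys."""
    runs = []
    start = None
    for i in range(1, len(timestamps)):
        fast = (timestamps[i] - timestamps[i - 1]) < gap
        if fast and start is None:
            start = i - 1            # the run begins with the previous key
        elif not fast and start is not None:
            if i - start >= min_run:
                runs.append((start, i - 1))
            start = None
    if start is not None and len(timestamps) - start >= min_run:
        runs.append((start, len(timestamps) - 1))
    return runs


def build_sample():
    """Constructed key-event timeline: 30 human keystrokes, 40 injected, 10 human."""
    times = [0.0]
    human_gaps = [0.11, 0.16, 0.09, 0.21, 0.13]   # constructed human typing rhythm
    for k in range(29):
        times.append(times[-1] + human_gaps[k % len(human_gaps)])
    times.append(times[-1] + 0.5)                 # injected payload starts after a pause
    for _ in range(39):
        times.append(times[-1] + 0.005)           # 5 ms per key: no human types like this
    times.append(times[-1] + 0.3)                 # the user resumes typing
    for k in range(9):
        times.append(times[-1] + human_gaps[k % len(human_gaps)])
    return times


def demo():
    """Indices 30..69 are the injected burst; the human segments produce no alert."""
    return injection_runs(build_sample())   # -> [(30, 69)]


if __name__ == "__main__":
    for first, last in demo():
        print(f"possible keystroke injection: keys {first}-{last}")
```

The heuristic is deliberately narrow: it says nothing about where the keystrokes came from, only that their timing is implausible for a person, which is why it belongs alongside, not instead of, fixing or replacing the vulnerable receiver.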
Ransomware detector for Mac OS X and problems of perception

News

Ransomware Trojans differ. They use different infection methods, and sometimes even rely on a short-sighted user who authorizes the launch of a malicious script. But they have one thing in common: sooner or later they begin to encrypt files. Synack researcher Patrick Wardle decided to take advantage of this obvious trait of ransomware and wrote the RansomWhere? utility. It works under only two conditions: if (1) an untrusted process tries to (2) encrypt many files at once, this action must be blocked and the user asked for confirmation.
There are many problems with this approach, and the researcher honestly reports most of them in his blog. One of the few notable Trojans for Mac OS X, KeRanger, was distributed as an add-on to the popular Transmission client; it was signed with a developer certificate and was thus a trusted process. And this is not the only way to get around the utility. An attempt to encrypt data is essentially simultaneous work on changing a large number of files, but it is impossible to detect ransomware by this attribute alone: there would be a lot of false positives. Wardle resorts to some mathematical magic, namely calculating the entropy of the data, which is expected to change when a file transitions from its normal state to an encrypted one. But such magic is based on knowledge of typical encryption algorithms, and if the cybercriminal uses a different algorithm, or an original combination of them, the magic may work, or it may not.
In general, I have no complaints about the utility: this is a research project, a program written by a specialist for specialists. The problem is that the media (for example, and for example #2) present it as a ready-made solution for protecting against all ransomware on a global scale. This is not true. Real protection cannot be based on a single technical measure. The concept is good (we use it ourselves), but ideally 98% of ransomware should never reach such a test at all: it should be blocked at earlier stages, from clicking a suspicious URL to downloading a malicious script.
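The two heuristics described in this section, the burst of file rewrites by an untrusted process and the jump in data entropy when a file goes from its normal state to an encrypted one, as an added example in Python. This is not RansomWhere?'s code: the thresholds (7.0 bits per byte, a jump of at least 1 bit, three writes within five seconds) and the allow-listed process path are assumptions for illustration, and the sample "ciphertext" is a deterministic hash keystream constructed for the demo, not the output of a real cipher. The demo also shows the section's own caveat: a trusted (signed, allow-listed) process is never challenged, however many files it rewrites.

```python
import hashlib
import math
from collections import defaultdict, deque

# Added example, not RansomWhere?'s implementation. Shannon entropy in bits per byte:
# roughly 4-5 for English text, close to 8.0 for ciphertext, but also close to 8.0 for
# already-compressed data such as archives or JPEGs, which is where the false positives come from.
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class EncryptionBurstDetector:
    """Flags a process that rewrites many files from low to high entropy in a short window.

    All parameter defaults are assumptions for this example, not the utility's real settings.
    """

    def __init__(self, trusted, window_seconds=5.0, max_writes=3,
                 high_entropy=7.0, min_delta=1.0):
        self.trusted = set(trusted)          # assumed allow-list of process paths
        self.window = window_seconds
        self.max_writes = max_writes
        self.high_entropy = high_entropy
        self.min_delta = min_delta
        self._recent = defaultdict(deque)    # process -> timestamps of encryption-like writes

    def looks_encrypted(self, before: bytes, after: bytes) -> bool:
        """A write is encryption-like when the new content is high-entropy AND the
        entropy jumped; the delta avoids flagging files that were already compressed."""
        e_before, e_after = shannon_entropy(before), shannon_entropy(after)
        return e_after >= self.high_entropy and (e_after - e_before) >= self.min_delta

    def observe(self, ts: float, process: str, before: bytes, after: bytes) -> bool:
        """Return True when the write should be held back pending user confirmation."""
        if process in self.trusted:
            return False   # the KeRanger caveat: a trusted process is never challenged
        if not self.looks_encrypted(before, after):
            return False
        q = self._recent[process]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()    # only writes inside the sliding window count as a burst
        return len(q) >= self.max_writes


def _pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext (constructed; no real cipher involved)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 90   # constructed ~4 KB document
CIPHERTEXT = _pseudo_random_bytes(len(PLAINTEXT), b"constructed-demo-key")


def run_demo():
    """Replay a constructed event stream of (timestamp, process, old bytes, new bytes)."""
    det = EncryptionBurstDetector(trusted={"/Applications/Backup.app"})  # hypothetical allow-list
    events = [
        (0.0, "/tmp/unknown", PLAINTEXT, CIPHERTEXT),
        (0.5, "/tmp/unknown", PLAINTEXT, CIPHERTEXT),
        (1.0, "/tmp/unknown", PLAINTEXT, CIPHERTEXT),               # third in 5 s: block
        (2.0, "/Applications/Backup.app", PLAINTEXT, CIPHERTEXT),   # trusted: never blocked
        (2.5, "/Applications/Backup.app", PLAINTEXT, CIPHERTEXT),
        (2.9, "/Applications/Backup.app", PLAINTEXT, CIPHERTEXT),
        (3.0, "/tmp/editor", PLAINTEXT, PLAINTEXT + b" edited"),    # ordinary low-entropy edit
        (20.0, "/tmp/unknown", PLAINTEXT, CIPHERTEXT),              # burst expired: count restarts
    ]
    return [det.observe(ts, proc, before, after) for ts, proc, before, after in events]


if __name__ == "__main__":
    print("plaintext entropy :", round(shannon_entropy(PLAINTEXT), 2))
    print("ciphertext entropy:", round(shannon_entropy(CIPHERTEXT), 2))
    print("block decisions   :", run_demo())
```

The decision list comes out as `[False, False, True, False, False, False, False, False]`: the untrusted process is stopped on its third encryption-like write, the allow-listed backup tool is waved through exactly as KeRanger was, and a plain edit never trips the entropy test. Raising `min_delta` trades fewer false positives on compressed files for missing ransomware that rewrites already-compressed data.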
What else happened:

Cisco Talos continues to investigate the SamSam server ransomware it discovered, which uses a vulnerability in JBoss. Alas, they unearthed more than 3 million potentially vulnerable servers, including schools (60,000 in the US) and libraries running specific software. The vulnerability, by the way, was patched 6 years ago.
29% of Android devices are not updated fast enough to be considered safe. In October last year, 85% of devices were considered unsafe. Where does this difference come from? The fresh report was produced by Google itself, while the 85% was counted by independent researchers, naturally by different criteria and methods. In any case, it turns out to be too many.
A new Oracle patch closes 136 vulnerabilities. Seven of them have the maximum severity rating on the CVSS scale.
Antiquities: "Shake"

A resident, very dangerous virus. In the standard way, it infects the .COM files of the current directory when the GetDiskSpace function is called (int 21h, ah = 36h). In infected files it sets the time to 60 seconds. Intercepts and does not restore int 24h. When an infected program starts, with a probability of 1/16 it says "Shake well before use". Intercepts int 21h.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 82.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. As luck would have it.