
Security Week 21: rejection of passwords, life of ancient vulnerabilities, virus in network equipment

Password authentication is about to be buried for good. Not for the first time, though. A year and a half ago the funeral started at Twitter, which proposed signing in with one-time codes sent to a phone. Telegram partially applied about the same method of burying passwords, but it seems nothing good came of it. Now it is Google burying passwords, and it does so innovatively, with a twinkle, identifying the user by "typing speed, voice sample, location, walking style, facial features."

I read this news and could not shake off a sense of déjà vu. I have seen this somewhere before... Ah!

Tyrell: Is this to be an empathy test? Capillary dilation of so-called blush response? Fluctuation of the pupil. Involuntary dilation of the iris...
Deckard: We call it Voight-Kampff for short.
Ahhh! In the film and the book, people used tests to expose robots; now it will be robots telling people apart from one another. But the principle is the same! The future has arrived. Billy, where is my electric sheep? The bright future seems set to finally deprive us of direct control over our own devices, just as it has already deprived us of control over our data. This and other insinuations under the cut.
All issues of the digest are here.

In general, the Abacus project was announced by Google at last year's Google I/O conference, and recently, at the same event, it was announced that the technology would be available to users later this year. Abacus is based on studying the user's habits mentioned above (including Drozdov's voice) in order to assign a certain Trust Score. As soon as the user's behavior changes, the Trust Score drops sharply, and at some point the device is locked. The Trust Score, by the way, is planned to be stored directly on the device; it will not be transmitted to Google's servers. Apple takes a similar position regarding the collection of biometric data.

Do passwords need burying at all? Perhaps yes, it is time. The entire past week consisted almost entirely of news about password leaks; users still protect their data with reliable combinations à la 123321, and companies regularly lose these passwords. Password managers are not used by as many people as we would like. The time has come. In general, passwords can be called representatives of the computer old school: a relic of the past, like full trust between computers within a local network. You can go even further and attribute passwords to the era of the old approach to programming electronic computers.



Recently, an article about this was published in Wired. Programming as we understand it now will be declared entirely low-level, and future coders will rather be engaged in training their self-learning machines and then replicating the results. Well, as with dogs. You may say this is a stretch, but I see a clear connection between the development of the machine learning topic and Google's approach to security.

I have no doubt about the prospects of the Abacus project, but we live in the real world, right? At first, everything that can go wrong will go wrong. The doubts of one commenter on the Threatpost news item are fully justified: what if my behavior changes for some external reason and I end up cut off from my own smartphone? Why should a computer decide such things for me? The joke about a breathalyzer in the phone that blocks outgoing calls and chat seems to be ceasing to be a joke. Brave new world! The only good news is that the prestige of those who really understand the inner workings of all these smart systems will only grow. Along with the complexity of the systems themselves, of course.

Last year's vulnerability in Microsoft Office is being used by at least six groups for targeted attacks.
News. Research.

Kaspersky Lab experts published a rather unusual study on the exploitation of a serious vulnerability in Microsoft Office. The unusual thing is that the vulnerability was discovered and closed back in September of last year, which in a rapidly changing threat landscape is the equivalent of the last century: discovered, patched, protection delivered, move on. Alas, problems arise at the stage of rolling out patches. The study shows in detail that a huge number of systems, including those within the infrastructure of organizations, remain extremely vulnerable to targeted attacks.

The vulnerability, covered by the MS15-099 update, affects Office versions from 2007 to 2013 and allows arbitrary code execution if the user can be made to open a specially prepared image in EPS format. Last summer, the situation with this hole went according to the bad scenario: real attacks were discovered as early as August, before the patch was released. As it turns out, the patch did not help much. Among the victims are many companies and government agencies in Asia. The exploit was used by at least six different groups, four of which still operate today. As usual, it all starts with a very plausible phishing email.



The letter is sent anonymously through an open mail relay, on behalf of the "right" sender, with a prepared attachment. In another attack, a corporate server is used; that is, the attack is already launched from a beachhead captured inside the victim's infrastructure. In parallel, links between various attacks are found; for example, one of the identified groups seems to share infrastructure with the Adwind campaign, aimed at financial institutions in Singapore. Unpatched Microsoft Office very often becomes the entry gate for targeted attacks, and recently cryptolocker authors have started to use it too (here is some interesting news about another tricky method of infection through macros). The conclusion from all this is simple: you should not give the attacker a chance to use at least the known and closed vulnerabilities. Patching is good.

Virus attacks Ubiquiti network devices
News

Another piece of news about the use of patches. Immunity researchers have discovered a rather strange virus that affects Ubiquiti network devices (for example, the airMAX M, airMAX AC, ToughSwitch, airGateway and airFiber models). Its functionality is closer to the examples from "Antiquities" than to modern malware: using a vulnerability in the proprietary AirOS, it erases configs and replaces usernames with obscene words. Clearly, even such actions cause significant damage to the companies that own the devices, but the consequences of hacking network routers and access points can be much worse.

The problem is that the vulnerability affects AirOS 5.6.2 and earlier and was actually closed a year ago. Not everyone managed to update the firmware of their devices in that time. Why am I not surprised? Of all the potentially vulnerable points in an infrastructure, network devices perhaps represent the greatest danger if broken into: they are essentially the keys to the fenced perimeter. Representatives of the vendor, however, argue that few devices were attacked, and they provide victims with a utility to bring the network equipment back to life.

What else happened:
TeslaCrypt is finished. The authors of one of the most notorious cryptolockers apologized and published the master key for decrypting data.

The story of the SWIFT financial network hacks continues. In addition to the central bank of Bangladesh, a financial institution in Ecuador has suffered. SWIFT representatives, in turn, stopped pretending they were unconcerned and began sharing information about the attacks, albeit in closed form.

A recently discovered zero-day in Adobe Flash has already been adopted by three exploit packs.

Antiquities:
Amz Family

Non-resident, very dangerous viruses; they infect .COM and .EXE files (or only EXE files in the case of "Amz-600") when an infected file is run. They change the first 13h bytes of COM files to a routine that jumps to the virus body. They contain the short word "AMZ". Depending on the version, they erase the FAT sectors either of all logical drives from A: to Z: (if present) or of the current disk, under the following conditions:

"Amz-600": if the number of the day of the week matches the number of the day of the month;
"Amz-789": on September 24 from 0:00 to 7:00 in the morning;
"Amz-801": on February 13 at 13 o'clock.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 23.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. Depends on luck.

Source: https://habr.com/ru/post/301932/
