Security Week 26: Dumping data through a fan, iOS core decrypted, crypto-password on password archives

There is such a category of research in the field of information security, which I call “horror stories from the future.” In no case do I want to detract from the merits of such research: it often happens that the threat, considered to be very theoretical, ten years after the research becomes quite real. Of course, this always happens unexpectedly . Such potential vulnerabilities include, for example, reprogramming USB controllers , attacks on algorithms used to encrypt data , and even, for example, vulnerabilities in USB receivers for wireless keyboards and mice . The last example is especially indicative: it is not at all a theoretical attack, but still very laborious. While there are easier methods, they will not be difficult to use. Or it is better to say in another way: the moment when such methods are still used, will mark a qualitatively new level of protection of IT systems. Much more advanced than now.

So, researchers from the Ben-Gurion University of Israel showed a new attack of this type, which theoretically allows them to penetrate the air-gapped system. Air-gapped is such a well-established term for computer infrastructure at critical facilities, which is disconnected from the Internet and from less important networks of the same enterprise for maximum protection. It has long been understood that this method is not a panacea, see the example of Stuxnet, which obviously infected such carefully guarded systems, extending to USB flash drives (“Hi, I downloaded a new film here, look at it while sitting at work”).

Suppose that in the responsible offices after this incident, all connectors were filled with epoxy. Has it become safer? Not really. The study (Source in PDF , article on Wired) shows how you can merge data from a protected computer by changing the rotational speed of the fan on the processor.
All releases of the series - here .

The fan frequency was set to 1000 revolutions per minute in order to “transfer” the unit, and to 1600 turns to transfer zero. Thus, researchers were able to transfer data at a speed of 15-20 bits per minute or 1200 bits (150 characters) per hour. Despite the devilish cunning of the method of attack, it remains nothing more than a concept, if only for the reason that the computer should already be infected to start the transfer. The fantasy inspired by current examples suggests that even the most protected system can be compromised at least at the assembly stage, for example, by planting a self-replicating bookmark in the BIOS. Fan encryption is still necessary to accept, for this, the researchers used a smartphone with a special software (in reality it should be an employee’s smartphone, and it should also be broken).
')


The study develops the theme of similar scientific work. In 2013, German experts demonstrated ( PDF ) a way to exfiltrate data through the dynamics of a laptop or desktop computer. Then, in one of the experiments, it was possible to transfer data from a laptop to a laptop over a distance of 3 to 20 meters at frequencies of 18 and 18.5 kilohertz at a speed of 20 bits per second. In general, even if all the speakers in a clean room were destroyed, there are ways to transfer the data. Both studies, however, begin with the infection of the attacked computer. Obviously, we must first fight with him, and then remove the speakers with a soldering iron.

This summer, "Lab" celebrates its 19th anniversary. The same album has been performed by The Prodigy's “The Fat of The Land” album. It would seem, what could be the connection between these events? Watch this video carefully:



Noticed in the third minute? There is literally a split second. However, no, absolutely no connection.

Apple decided not to encrypt the iOS kernel anymore
News and discussion.

In the beta version of the tenth release of iOS, Apple's mobile operating system, an important change was discovered, not originally announced by the vendor. The OS kernel turned out to be unencrypted, although in previous versions encryption was included, and thus seriously complicated the lives of researchers, for example, to search for vulnerabilities. Apple explained what happened this week by responding to an appropriate request from TechCrunch: since the kernel does not store user information, rejecting encryption increases performance. Well, that is, did not explain anything.

As is usually the case, an important security action, and even Apple, has generated a lot of theories about what the reason really was . And it's about Apple’s approach to security in general. On the one hand, the company clearly explains that the privacy of user data is a priority for it. At least, Apple speaks of this very convincingly. From recent examples - the rejection of “bookmarks” for access to user data, end-to-end encryption for messages, the Differential Privacy announcement at the MacWorld conference — a scientific approach to processing a large array of statistics from users so that it is impossible to identify a specific person.

On the other hand, Apple has traditionally had a difficult relationship with security researchers. There is no public program Bug Bounty, but there are cases of a strange reaction to vulnerability data. You can, for example, recall the recent case when Apple reported that it fixed a simple bypass of Gatekeeper’s defender on Mac OS, although in fact there just added a binary from the sent proof of concept to the blacklist.

Moreover, Apple does not like when iOS restrictions and protection systems are trying to get around. Canceling kernel encryption theoretically gives researchers a better chance of finding new vulnerabilities in the system. If this is white hat hackers - such finds will increase the security of the system and will benefit everyone. And if not white hat? And here conspiracy theories begin: they say this is a tricky move, in order not to argue with the FBI and similar state agencies in court, since the latter, with their resources, will have plenty of opportunities to circumvent the built-in protection methods. But if we ignore attempts to find subtext everywhere, then Apple’s solution in the long term will do more good than harm and is the right way to make the platform safer.

Well, productivity will increase.

More primitive in cryptographs: a cryptographic trojan found that does not use encryption
News Proofpoint study .

I have already said many times that the problem of cryptographs is not related to their, let's say, technical sophistication. On the contrary, common Trojans use fairly mundane (and in most cases easily detected) methods of infection, sometimes taken from the seemingly long-forgotten arsenal of virus writers fifteen years old. The reason for their "success" lies partly in the insecurity of the victims' computers, in part in the correct business model and the availability of such modern technologies as strong encryption, TOR and Bitcoin.



A new Trojan named Bart uses equally unassuming methods of infection and a completely dull data encryption system. In fact, there is no encryption either: a ZIP archiver with a password is used instead. Since encryption is supported in the compression algorithm itself, the piece turns out to be reliable and not yet unpackable without knowing the password. This approach eliminates the need for a C & C server. Instead, a code is stored on the user's computer, which is transmitted when the ransom is paid, and the unlock code is returned. A couple of nice details: in the list of target file extensions there is “support” of Nintendo 64 emulators. When attacking a computer with Russian, Ukrainian or Belarusian system languages, files are not blocked. But the ransom is significantly higher than the average for the hospital - 3 Bitcoins, or about 2 thousand dollars.

What else happened:
Unusual vulnerability in Swagger allows generating malicious code in this framework.

Known explorer packs Angler and Nuclear suddenly disappeared from the network radar.

Found the original botnet of 25 thousand cameras.

Antiquities:
"Terror"

Resident harmless virus. When closing or executing COM and EXE files, it infects them (EXE is standard, COM changes the first 11 bytes of the header), and when calling the function FindFirst tries to hit COMMAND.COM in the middle. Contains the text "Terror". Intercepts int 21h.

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 85.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.