
Glass brick fences, an online translator leak, remote Boeing hacking

API vulnerabilities threaten Twilio and Amazon S3 confidential data

News in Russian, Appthority report

It is hard to explain why Twilio's developers designed things so that applications using their REST API and SDK have to embed the credentials for database access directly in their code. But that is exactly what they did, even though Twilio's own security policies forbid such tricks.

Twilio's APIs let an application exchange messages and voice calls, functions that corporate applications need. Anyone who can pull the account keys out of that code gets access to all the metadata and voice recordings stored in the corporate account. And that is millions upon millions of minutes of conversation and countless text messages about important contracts, equipment orders and love affairs of every kind. As they say, oops.

Experts from Appthority gave the vulnerability they found the capacious name Eavesdropper. After analyzing more than a thousand solutions built on Twilio technologies, they found 685 vulnerable applications (about half of them for iOS, half for Android) and 85 compromised accounts. The installation count of these applications runs into the millions.

Since building applications on top of vulnerable APIs is like building a fence out of glass bricks, you need no special equipment or software tools to exploit this hole, just a little ingenuity.

The anatomy of the attack is this: first, the attacker finds an application that uses the Twilio code, either by reading the descriptions in the app store or simply by checking every application in a row that offers, say, voice communication. Then he breaks the application down into strings and searches for the one containing the Twilio credentials (the key and password sit within 100 bytes of each other, next to the api.twilio.com call). The rest is routine: knowing the key and password, there are many ways to extract compromising information from the account.

That is not the end of the bad news, though: while analyzing the leaky applications, Appthority found in 40% of them a similar mistake that compromises other services, including Amazon S3. Since the names of Amazon "buckets" are unique, and heterogeneous data is often lumped together in the same storage, even access to the names alone reveals a lot about the structure of the company's virtual network. And in many cases the bonus is access to the content itself.
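A pre-release check of the kind that would catch both mistakes described above, written as an added example (not code from Appthority's report or from Twilio): it scans the printable strings pulled from an app package for a Twilio account SID sitting within 100 bytes of an auth-token-shaped string and an api.twilio.com reference, and lists any S3 bucket names it finds. The page does not give the credential formats; the AC-prefixed 32-hex-digit SID and 32-hex-digit token used here are the standard Twilio formats, and the sample strings are constructed.

```python
import re

# Constructed sample of what a strings dump of an app package might contain:
# an account SID, an auth token and the API host within a few lines of each
# other, plus an S3 bucket URL. All values are made up for this example.
SAMPLE_STRINGS = (
    b"com.example.dialer\n"
    b"https://api.twilio.com/2010-04-01/Accounts/\n"
    b"ACdeadbeefdeadbeefdeadbeefdeadbeef\n"
    b"0123456789abcdef0123456789abcdef\n"
    b"logo.png\n"
    b"https://s3.amazonaws.com/internal-backups-example/\n"
)

SID_RE = re.compile(rb"AC[0-9a-f]{32}")
# A bare run of exactly 32 hex digits; the lookarounds keep it from matching
# the hex tail of the SID itself (preceded by the hex digit 'C').
TOKEN_RE = re.compile(rb"(?<![0-9a-fA-F])[0-9a-f]{32}(?![0-9a-fA-F])")
HOST_RE = re.compile(rb"api\.twilio\.com")
S3_RE = re.compile(
    rb"https?://([a-z0-9.-]+)\.s3\.amazonaws\.com|https?://s3\.amazonaws\.com/([a-z0-9.-]+)"
)


def scan_for_embedded_credentials(blob: bytes, window: int = 100) -> list:
    """Return findings for SID/token pairs within `window` bytes of each other
    and for S3 bucket references. Only a masked SID prefix is reported."""
    findings = []
    token_offsets = [m.start() for m in TOKEN_RE.finditer(blob)]
    host_offsets = [m.start() for m in HOST_RE.finditer(blob)]
    for sid in SID_RE.finditer(blob):
        near_tokens = [t for t in token_offsets if abs(t - sid.start()) <= window]
        if not near_tokens:
            continue
        findings.append({
            "type": "twilio",
            "sid_prefix": sid.group()[:6].decode() + "...",
            "token_offset": near_tokens[0],
            "near_api_host": any(abs(h - sid.start()) <= window for h in host_offsets),
        })
    for m in S3_RE.finditer(blob):
        bucket = m.group(1) or m.group(2)
        findings.append({"type": "s3_bucket", "bucket": bucket.decode()})
    return findings


if __name__ == "__main__":
    for finding in scan_for_embedded_credentials(SAMPLE_STRINGS):
        print(finding)
```

Wire it into the build so that a non-empty result fails the release; the real fix is still the one the text describes, moving the credentials out of the client and rotating them.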

Fixing vulnerabilities of this kind is difficult and expensive: you need not only to remove the embedded credentials from the application code but also to change the credentials themselves. Do only one of the two and either the applications stop working or potential attackers keep their access to the archives. So we will almost certainly hear about these holes again.

Online translator leaked data into the public domain

News in Russian, more in English.

If you build a fence out of transparent bricks, your secrets are no longer secrets. If you pin a confidential contract to the notice board with the note "Translate, please!", sooner or later it will be stolen. The oil and gas giant Statoil stepped on this rake: its employees used the Translate.com service for translation, and the uploaded texts included important contracts and other confidential data.

Like many similar services, Translate.com tried to get rid of the inevitable howlers by using machine learning. To that end, all uploaded texts were saved and analyzed. After translation nobody deleted them from the cloud, and until recently they were quietly being indexed by the Google search engine.

This blatant fact was discovered by accident by Norwegian journalists who were looking for publicly available information about Statoil. Representatives of Translate.com said that since the new version of the service does not save translations, everything is fine, and apparently hurried to clean everything up. But some of the material can still be viewed in the Google cache.

No one is immune to Statoil's fate: online translators are used not only by small companies that cannot afford professional services but also by the professionals themselves. An NDA will not stop anyone who urgently needs something translated from Albanian into Polish when no specialist is at hand. And the process is almost impossible to control: even if you hire third-party specialists and hand them tasks only through an online service with the export option turned off, there is still no guarantee that they will not slip somehow and push the text into an online translator, for example by taking a screenshot and running it through OCR.

Volkswagen solved the problem radically: they built their own machine translation system and banned employees from using any other. But with annual revenue larger than that of Chile or Finland, they can afford it.

Hackers break into planes


News

Do you love action movies the way I do? If so, you have surely seen the scene where hackers break into an aircraft's control system. Most often a passenger plane, and most often remotely. And then, depending on the screenwriters' audacity, they either land a giant Airbus on a highway with the help of a flight simulator or do something equally epic.

Two years ago, security expert Chris Roberts was already thrown off a flight of an American airline for a joke along the lines of "Isn't it about time I got into the onboard control systems via Wi-Fi and gave them a good shake?" He was even blacklisted. But air safety is no joking matter.

Last year the US Department of Homeland Security (DHS) commissioned an experiment, asking a panel of experts to break into the control system of a Boeing 757 set aside specifically for this purpose. It took the team only two days, and they used only equipment that could easily be carried through an airport terminal. Moreover, the intruders recruited no "planted insiders" from the crew and did not even touch the Boeing itself: only radio communication, only hardcore. What exactly they did was, of course, not disclosed, so Hollywood screenwriters will have to get by on their imagination.

According to a DHS spokesperson, the vulnerability was no news to aircraft designers, unlike the pilots who were present when the results of the experiment were announced.

The news is especially disturbing because maintenance personnel have so far not had to deal with the threat of intrusion into aviation networks, which are fundamentally different from ground ones. True, the newer Boeing models are protected against the vulnerabilities found, but in the old ones nobody has fixed anything. Most likely nobody will, considering that changing a single line of code in the firmware of one plane costs as much as a million dollars. The smaller companies, which mostly operate old Boeings, would go bankrupt just thinking about it.

But measures, of course, must be taken. Who knows, maybe in a couple of years airport security will confiscate everything electronic, including cameras and singing teddy bears.

Antiquities


Aids-552

A resident, very dangerous virus. Infects EXE files in the standard way when they are closed. Into every 16th COM file being closed it writes part of its code (the file cannot be restored, since the virus does not save the file's old contents). When such a file is run, the word "AIDS" is not displayed in large letters. Modifies int 3 and int 21h.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That depends on luck.

Source: https://habr.com/ru/post/342684/
