Sunday, March 27, 2016

Meatware (Week 3)

Threats come in many forms: worms, viruses, and exploit code designed to let malware take advantage of vulnerabilities in a system. Sophisticated techniques make it difficult for anti-malware tools and researchers to find, analyze, and detect malicious code. It is easy to see the solution to the problem only in technical terms. However, information security professionals must also acknowledge the human aspects.

Meatware, also known as wetware and liveware, refers to the human element within a computer system. The term is used conceptually to define the human side of a computer and to reflect the computer's dependence on the people who operate it. Technically sophisticated attackers often try to exploit human weaknesses, since humans are the weakest link in any system, through extensive use of social engineering: tricking people into doing something that undermines their own security. In many cases the wrong behaviors of users, the failure to comply with security policies, and a lack of awareness are what put the system at risk, exposing its confidentiality, integrity, and availability.

Let's consider the attack surface for users: mobile devices, wireless access, cloud computing, and social media all combine to make life more connected. The human factor is the underlying reason why many cyber attacks succeed. The most effective method is the phishing scam, designed to get the target to disclose information such as usernames, passwords, personal identification numbers, and anything else of value. The classic phishing scam takes the form of a well-crafted email, sent to millions of recipients, with either an attachment containing malware or a link that redirects to a malicious site which downloads malware or elicits confidential information. Social media such as Facebook, MySpace, LinkedIn, Twitter and others are increasingly used to send out messages containing links with malicious intent. People aren't vulnerable only because of a lack of awareness. The lure of free audio or video content, or explicit pictures, can entice people into clicking on a link that should simply be ignored, even when common sense says the action could be harmful.

Technology is a core part of any solution for dealing with vulnerabilities, yet the human aspect is just as necessary. This isn't just a home issue, because the same people operate systems at work: the way individuals navigate the Internet from home brings the same problems into the business. Thus, security professionals need to find ways to raise awareness of the risks associated with online activity and develop effective methods to minimize those risks. Education must be paired with training. People are the core building blocks of an effective security strategy. They need to be taught, in simple language, what the threat is, what the protection measures are, why they matter, and how these may affect them in carrying out their duties. It is also essential to create a culture of openness that encourages the reporting of suspicious activity. Cybercrime is here to stay, and information professionals need to find ways to mitigate the risk.

References:

What is Meatware? - Definition from Techopedia. (n.d.). Retrieved March 28, 2016, from https://www.techopedia.com/definition/8282/meatware

Paganini, P. (2012). Why humans could be the weakest link in cyber security chain? Retrieved March 28, 2016, from http://securityaffairs.co/wordpress/9076/social-networks/why-humans-could-be-the-weakest-link-in-cyber-security-chain.html

Emm, D. (2010, March 3). Patching human vulnerabilities. Retrieved March 28, 2016, from https://securelist.com/analysis/publications/36287/patching-human-vulnerabilities/

Monday, March 21, 2016

Android Ecosystem Fails Meatware (Week 2)

In July 2015, security firm Zimperium published a series of critical remote code execution vulnerabilities in the Android media playback engine, found in April 2015 and collectively called Stagefright. Stagefright is the media library within Android that lets the operating system interpret various media, namely video files, audio files, and picture files; the original attack vector was a malicious media file delivered through the Multimedia Messaging Service (MMS). Exploitation was considered difficult on newer Android versions because of Address Space Layout Randomization (ASLR), a technique that protects against memory-based attacks. Amid continued criticism of Android's slow patching process, Google and Samsung pledged to release new security updates for Android every month. However, after the details were published, further patches and vulnerabilities continued through December 2015 (Jeg, 2015).

Building on previous work, NorthBit researchers developed a more practical exploit that is fast, reliable and stealthy. The new exploit is named Metaphor, and it is a generic exploit for Stagefright. Previous Stagefright exploits used MMS; Metaphor instead relies on JavaScript, so user interaction is required to compromise the device. The specific vulnerability involves parsing MPEG-4 files and causing a heap overflow (Be'er, 2016).
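The root of the bug class the post describes is a media parser trusting a length field read from the file. The Python below is an added example, not NorthBit's or Android's code, and it does not reproduce the Stagefright bug itself: it walks the top-level boxes of an ISO BMFF (MP4) buffer and checks every declared box size against the header it must contain and the bytes actually present, which is the kind of bounds check whose absence lets a crafted file turn a parser into a heap overflow. The box header layout (32-bit size, four-character type, `largesize` and size-0 conventions) is from the ISO BMFF specification; all sample inputs are constructed for this example.

```python
import struct

HEADER_LEN = 8  # 32-bit big-endian size followed by a four-character box type


def walk_boxes(data, offset=0, end=None):
    """Yield (box_type, offset, size) for each box at one level of an ISO BMFF buffer.

    Every declared size is checked against the header it must contain and the
    bytes actually present, so a size that would make a naive parser read or
    copy past the buffer is rejected instead of trusted.
    """
    end = len(data) if end is None else end
    while offset < end:
        remaining = end - offset
        if remaining < HEADER_LEN:
            raise ValueError(f"truncated box header at offset {offset}")
        size, raw_type = struct.unpack(">I4s", data[offset:offset + HEADER_LEN])
        header_len = HEADER_LEN
        if size == 1:
            # 'largesize': a 64-bit length follows the 8-byte header
            if remaining < HEADER_LEN + 8:
                raise ValueError(f"truncated largesize field at offset {offset}")
            (size,) = struct.unpack(">Q", data[offset + 8:offset + 16])
            header_len = 16
        elif size == 0:
            # size 0 means 'extends to the end of the file' (only legal for the last box)
            size = remaining
        box_type = raw_type.decode("ascii", errors="replace")
        if size < header_len:
            raise ValueError(f"box {box_type!r} at {offset}: size {size} is smaller than its {header_len}-byte header")
        if size > remaining:
            raise ValueError(f"box {box_type!r} at {offset}: size {size} exceeds the {remaining} bytes remaining")
        yield box_type, offset, size
        offset += size


def validate(data):
    """Return (ok, box_types) for a well-formed buffer or (False, reason) for a rejected one."""
    try:
        return True, [box_type for box_type, _, _ in walk_boxes(data)]
    except ValueError as exc:
        return False, str(exc)


def box(box_type, payload=b""):
    """Build a well-formed box; used only to construct the sample inputs below."""
    return struct.pack(">I4s", HEADER_LEN + len(payload), box_type) + payload


# Constructed sample inputs (not real media files)
WELL_FORMED = box(b"ftyp", b"isom\x00\x00\x02\x00isomiso2mp41") + box(b"moov", box(b"mvhd", b"\x00" * 20))
OVERSIZED = struct.pack(">I4s", 0xFFFFFFF0, b"mdat") + b"\x00" * 8   # claims ~4 GiB, carries 8 bytes
UNDERSIZED = struct.pack(">I4s", 4, b"free")                           # smaller than its own header
LARGESIZE = struct.pack(">I4s", 1, b"mdat") + struct.pack(">Q", 20) + b"abcd"

if __name__ == "__main__":
    for name, sample in [("well-formed", WELL_FORMED), ("oversized", OVERSIZED),
                         ("undersized", UNDERSIZED), ("largesize", LARGESIZE)]:
        print(f"{name:12s} {validate(sample)}")
```

The oversized and undersized samples are the two shapes a length-trusting parser gets wrong: a size larger than the data makes it read or copy past the buffer, and a size smaller than its own header makes the "payload length" arithmetic wrap to a huge value. Rejecting both before any allocation or copy is the check that matters.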

Below is the general idea of how Metaphor enables an attacker to take control of an Android device (Shekhar, 2016):
  • it tricks the user into visiting a malicious site,
  • the malicious site contains a multimedia file,
  • the media file resets the internal state of the phone,
  • the attacker's server sends a custom-generated video file that exploits the vulnerability to gather the device's information,
  • the attacker uses the gathered device information for further exploitation.

Metaphor works against Android versions 2.2 through 4.0, and 5.0 and 5.1, which together are estimated to run on 275 million phones (Goodin, 2016). While Google has patched and continues to patch the Stagefright flaws, many devices will never be fixed: Android users have to rely on carriers and device manufacturers to push the updates, which each vendor adapts to its own devices. In addition, Android versions 2.2 through 4.0 are no longer supported. The underlying issue is that the carriers and hardware partners have the control, unlike Apple, which had 70 percent adoption of iOS 9 within 2.5 months of releasing it because it controls both the software and the hardware (Jeg, 2016). Android is not a coherent ecosystem but a fragmented, schizophrenic one, allowing anyone and anything to do as they please without supervision.

NorthBit White Paper, "Metaphor - Stagefright Exploitation Breaking ASLR": https://www.exploit-db.com/docs/39527.pdf

References:

Goodin, D. (2016, March 18). 275 million Android phones imperiled by new code-execution exploit. Retrieved March 21, 2016, from http://arstechnica.com/security/2016/03/275-million-android-phones-imperiled-by-new-code-execution-exploit/

Rashid, F. Y. (2016, March 18). New exploit spotlights Android's Stagefright vulnerability. Retrieved March 21, 2016, from http://www.infoworld.com/article/3045383/security/new-exploit-spotlights-androids-stagefright-vulnerability.html

Plummer, Q. (2016, March 19). Stagefright Exploit Is Back And Millions Of Android Devices Are Vulnerable: What You Should Know. Retrieved March 21, 2016, from http://www.techtimes.com/articles/142157/20160319/stagefright-exploit-is-back-and-millions-of-android-devices-are-vulnerable-what-you-should-know.htm

Shekhar, A. (2016, March 17). Metaphor — Here’s How This Remote Android Exploit Hacks Your Phone In 10 Seconds. Retrieved March 21, 2016, from http://fossbytes.com/millions-of-devices-under-threat-a-new-remote-android-hacking-exploit-arrives/

Be'er, H. (n.d.). Metaphor - Stagefright Exploitation Breaking ASLR [PDF]. NorthBit. https://www.exploit-db.com/docs/39527.pdf

Friday, March 18, 2016

Apple vs. FBI (Week 1)

On February 16, 2016, a federal judge ordered Apple to assist in enabling the search of a subject's Apple iPhone 5c by providing reasonable technical assistance in obtaining access to the subject's data. The order describes reasonable technical assistance as: a means to bypass or disable the auto-erase function, allowing an unlimited number of attempts at guessing the subject's passcode; and an application that can be loaded and executed from the device's random access memory, which does not modify any data on the device, so that integrity is maintained.

Apple has formally opposed the order and published an open letter on its website. The open letter asserts that the order would have "implications far beyond the legal case at hand, undermining users' privacy and giving the US government the equivalent of a master key, capable of opening hundreds of millions of locks. The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers. The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control."

The backdoor Apple is speaking about is a vulnerability that weakens the information system (the iOS device) so that it can be exploited by the Federal Bureau of Investigation (the threat source). The judge's order ignores the basics of security, which is defined as the quality or state of being secure, that is, free from danger. To be secure is to be protected from the risk of loss, damage, unwanted modification, or other harm.

So what does the court order really mean? If Apple loses its case and creates a tool that circumvents these security mechanisms, it would be introducing a vulnerability into its product that would affect millions of users and would eventually be exploited and misused.

As an Apple iPhone user, I have reasonable assurance that my data will maintain its confidentiality if I lose my device, because of the auto-erase, iteration count with escalating time delays, and encryption security controls implemented. If I lose my iPhone in a public place and an individual finds my device, then they have physical access for a brute-force attack. The individual who finds my device may have malicious intent. iOS functionality protects against brute-force attacks if all features are enabled by the user, as described below:
  • Passcode: the passcode provides the entropy for the encryption, so data retrieved without authentication is unrecognizable. The standard cryptography used is Advanced Encryption Standard 256.
  • Auto-erase: the data on the device is erased after 10 consecutive incorrect attempts to enter the passcode.
  • Iteration count: this provides a time-based mechanism to slow the attacker from gaining access, so that it would take more than 5 and a half years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers.
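The three controls above combine into one arithmetic argument, and the Python below works it through. It is an added example, not Apple's code and not its actual key-derivation parameters: PBKDF2-HMAC-SHA256 stands in for the device's passcode-to-key stretching, the iteration count is calibrated to the roughly 80 ms per attempt that Apple's iOS Security Guide describes, the worst-case time to exhaust a passcode space is computed as if only that cost remained, and the lock-screen delay schedule and 10-attempt erase are modelled with values taken from the same guide and treated here as assumptions.

```python
import hashlib
import time

# Model parameters (assumptions taken from Apple's iOS Security Guide, not measured on a device)
ATTEMPT_SECONDS = 0.080            # key stretching calibrated to ~80 ms per passcode attempt
SECONDS_PER_YEAR = 365.25 * 24 * 3600
AUTO_ERASE_AT = 10                 # wipe after this many consecutive wrong passcodes (if enabled)


def lockout_delay(attempt_number):
    """Seconds the lock screen waits after the n-th consecutive wrong passcode (assumed schedule)."""
    if attempt_number < 5:
        return 0
    if attempt_number == 5:
        return 60
    if attempt_number == 6:
        return 5 * 60
    if attempt_number in (7, 8):
        return 15 * 60
    return 60 * 60


def keyspace(alphabet_size, length):
    return alphabet_size ** length


def exhaustive_search_seconds(alphabet_size, length, attempt_seconds=ATTEMPT_SECONDS):
    """Worst case to try every passcode if the UI limits were bypassed and only the stretching cost remained."""
    return keyspace(alphabet_size, length) * attempt_seconds


def exhaustive_search_years(alphabet_size, length, attempt_seconds=ATTEMPT_SECONDS):
    return exhaustive_search_seconds(alphabet_size, length, attempt_seconds) / SECONDS_PER_YEAR


def derive_key(passcode, salt, iterations):
    """PBKDF2-HMAC-SHA256 stand-in for the device's passcode-entangled AES-256 key derivation (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, iterations, dklen=32)


def calibrate_iterations(target_seconds=ATTEMPT_SECONDS, probe_iterations=20_000):
    """Choose an iteration count so one derive_key call costs about target_seconds on this host."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    derive_key("calibration", salt, probe_iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_iterations * target_seconds / elapsed))


def guess_at_lock_screen(wrong_attempts, auto_erase=True):
    """Model consecutive wrong guesses typed at the lock screen.

    Returns (total_delay_seconds, erased): the delays an attacker sits through
    and whether the device wiped itself before the attempts ran out.
    """
    delay = 0
    for n in range(1, wrong_attempts + 1):
        if auto_erase and n >= AUTO_ERASE_AT:
            return delay, True
        delay += lockout_delay(n)
    return delay, False


if __name__ == "__main__":
    policies = [("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6), ("6-char lowercase+digits", 36, 6)]
    for name, alphabet, length in policies:
        hours = exhaustive_search_seconds(alphabet, length) / 3600
        print(f"{name:24s} {keyspace(alphabet, length):>14,d} codes  "
              f"{hours:>12,.1f} h  ({exhaustive_search_years(alphabet, length):.2f} years)")
    print("100 wrong guesses at the lock screen, auto-erase on :", guess_at_lock_screen(100))
    print("100 wrong guesses at the lock screen, auto-erase off:", guess_at_lock_screen(100, auto_erase=False))
    print("iterations for ~80 ms on this host:", calibrate_iterations())
```

The 36^6 row reproduces the "more than 5 and a half years" figure from the list, and that figure already assumes the attacker has escaped the lock screen and is paying only the stretching cost. At the lock screen itself the model never gets there: with auto-erase on, the tenth wrong guess wipes the device, which is exactly the control the order asks Apple to disable; with it off, a six-digit PIN falls within a day of stretching time plus hourly delays.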
On February 20, 2016, the FBI, through the Justice Department, told Judge Sheri Pym that "Apple may maintain custody of the software, destroy it after its purpose under the order has been served, refuse to disseminate it outside of Apple and make clear to the world that it does not apply to other devices or users without lawful court orders," and that "No one outside Apple would have access to the software required by the order unless Apple itself chose to share it." What this statement really means, however, is that the vulnerability would be protected only by security through obscurity (STO). STO is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms. This logic is flawed. If the security of a system is maintained by keeping its implementation secret, the entire system collapses when the first person discovers how the security mechanism works. Just search the Internet to see how determined people are to discover these secrets. This is opening Pandora's box, and it can't be undone. It will put people, companies, and governments at risk: private data will be accessed without authorization, corporate systems will be breached, and national security will be weakened, because governments rely on the same protections in the devices they use in their operations.

References:

Decker, E. M. (2016, February 16). ED-15-0451M [Order Compelling Apple, Inc. To Assist Agents In Search]. California, Los Angeles. https://cdn2.vox-cdn.com/uploads/chorus_asset/file/6053155/in-the-matter-of-the-search.0.pdf

Cook, T. (2016, February 16). A Message to Our Customers. Retrieved March 18, 2016, from http://www.apple.com/customer-letter/

Vincent, J. (2016, February 17). Tim Cook: Apple will fight US demands to build an iPhone backdoor. Retrieved March 18, 2016, from http://www.theverge.com/2016/2/17/11031364/apple-encryption-san-bernardino-response

IOS Security. (2015, September). Retrieved March 18, 2016, from https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Dean, M., Herring, C., & Associated Press. (2016, February 20). DOJ Would Allow Apple To Keep or Destroy Software To Help FBI Hack iPhone. Retrieved March 18, 2016, from http://www.foxnews.com/us/2016/02/20/doj-would-allow-apple-to-keep-or-destroy-software-to-help-fbi-hack-iphone.html