Musings tagged as security

Lenovo has released a security advisory about some serious security issues (a holy trinity of weak encryption, hardcoded password, and access without admin authentification) with their Windows-based Fingerprint Manager Pro software. So, if you are running Windows on your Lenovo (why, oh why would you shoot yourself in the foot like that?) and have not deactivated the fingerprint sensor anyway, since biometric security is insecure as fuck and nothing beats a proper password, you should probably take a look.

NSA No Longer Honest

Wed, Jan 24, 2018

Now, before you go all “NO SHIT!” on me, not too long ago the mission statement of the NSA cited four core values: Honesty, Respect for the Law, Integrity, and Transparency. Since you just read this, I will give you a minute to get your snickering under control…. got it? … can we move on? … ok, thanks.

So now the current version of the updated core values cites six core values: Commitment to Service, Respect for the Law, Integrity, Transparency, Respect for People, and Accountability. Gone is the honesty, we never used that one anyway, right? The same sinking ship also took “honor the public’s need for openness” with it. Convenient!

Also of interest is that, with the new and revised core values, Respect for People only applies to NSA personnel and Transparency only applies to “those who authorize and oversee NSA’s work”.

Mozilla released a statement about how they plan to play an important role in getting more encryption out there. Especially since services like Let’s Encrypt make it blatantly easy (and free of charge) to obtain a properly signed certificate Mozilla announced that

Effective immediately, all new features that are web-exposed are to be restricted to secure contexts. Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc.

This is awesome! Want that new shiny property that makes your website look all flashy? You better serve it via SSL then. I actually do know quite a few marketing-type “webdesigners” that have no clue about proper website security. Also they usually don’t give a fuck. “Why should I go through the trouble and serve everything via SSL? I’d rather spend time on implementing <insert useless feature that makes the website even more cluttered here>.”

Well now you have to care about encryption if you want the masses to see your stuff. Very nice move from Mozilla.

PC-Wahl Hack by the CCC

Mon, Jan 1, 2018

Last year, the Chaos Computer Club (CCC) hacked the software which was used in the German national elections. They made their findings public before the elections took place but the software, riddled with vulnerabilities, was still used. During the most recent Chaos Communication Congress the involved researchers gave a nice talk (German) (also available with English dubbed audio) on the subject which I can recommend as it is not only informative but entertaining as well. Also you do not have to be a hacker or programmer to understand this. While they do have some technical slides, on the whole this is very digestable even for non-professionals.

After all, this software (or something equally insecure) might be used in your country as well.

A team of security researchers has developed an algorithm with which they can fool neural network based image classifiers, such as Google’s Cloud Vision, with a remarkable success rate of > 95 %. They can actively change the classification result by generating an image which looks like A but gets classified as B. In their publication it is shown how they successfully fooled several neural network image classifiers to think that a picture showing a couple assault rifles actually shows a helicopter. A picture of a guy on a snowboard and a guy on skis is classified as a dog.

In a nutshell they take a reverse approach and start with an image that shows the adversarial (fake) object, for example a helicopter. This image of course gets classified as such. Then this image is modified over several iterations to look different, for example like a couple assault rifles, while still retaining its classification as a helicopter. In the end they show that they can pretty much make anything be labeled as something completely different with a success rate of more than 95 %. The combinations are staggeringly confusing:

  • a cat gets labeled as an airplane
  • an airplane gets labeled as a deer
  • a deer gets labeled as a truck
  • a lionfish gets labeled as eggnog (this could really hurt ^^)

One thing these images have in common is that they sort of lose their (fake) touch if they get transformed, for example rotated by more than 30 degrees. Also we are talking images so who cares about someone being able to fool a neural network into thinking a perfectly aligned 2D image of a rifle is a helicopter?

Well, they did not stop there as their newest publication deals with robust adversarial examples. In reality this culminates in them printing a 3D model of a turtle which is classified as a rifle regardless of background or rotational angle. Oh, and they made a baseball look to a neural network like an espresso. Check this screenshot of page 8 of the most recent paper:

adversarial thumb

Essentially they went the same route as before, modifying the texture to look like A but be classified as B. Albeit with more tweaks so it keeps up the sharade even when rotated.

I think this is remarkable, especially in light of neural network based image classifiers being used more and more not just in everyday life but also for security purposes. So if you can reliably make a security system think that an assault rifle is actually a helicopter, a teddy bear, or a cup of espresso, just by painting or printing a certain texture on it, you pretty much won the game there.

This also tells us it still pays off having a human brain, for now at least.

Using Windows? The art of process doppelgänging can now be yours no matter your flavour of Windows. Security researchers presented their work at BlackHat and according to their presentation they are able to circumvent detection by AV (another nail in the coffin for those) by using NTFS operations to write to a file, turn part of the file into a transaction section, and create a process from it. Afterwards they roll back the transaction and there is no trace left of what they did.

Even better, apparently this attack is unpatchable as it “exploits fundamental features and core design of the process loading mechanism in Windows”. It does rely on undocumented functions which bleepingcomputer lists as something positive. I’d say it’s just a matter of time before this stuff will be documented for those who are interested in it. Since when has “Only a few people know about this” ever been a good defense?