Wednesday, January 24, 2018

Face-Palm #89: Taiwanese Police Epic Fail


There are a limited number of instances that warrant a face-palm. These are generally the moments when you wonder what the responsible parties were thinking. One of these recently occurred in Taiwan. The government ran a cyber-security quiz sponsored by the Taiwan Presidential Office, designed to exhibit the government’s focus on cybersecurity and its efforts to address it. As a rule of thumb, these events have a give-away or SWAG handed out with the business’s or entity’s name and emblem on it. The Taiwanese event was no different and handed out 250 flash drives.

Unfortunately, 54 of these were infected with a virus. The virus wasn’t a plain, vanilla variety intended to annoy the user, but was coded to steal the user’s personal data and had been linked to fraud. Of the 54 infected drives, 20 had been recovered.
 
The flash drives were manufactured in China. The malware, however, did not originate with the manufacturer, but with a supplier based in Taiwan. Allegedly, an employee intended to test the 54 flash drives’ storage capacity. The malware, XtbSeDuA.exe, was on the employee’s system. It was coded to affect only 32-bit systems.

Although the number of affected parties is limited by the 32-bit target, the issue is much larger. Governance was significantly lacking in this instance, as nothing in the supplier’s process caught an infected test workstation before the drives were handed out.

Monday, January 22, 2018

30,000 Florida Medicaid Patients Now Have One More Thing to Worry About



In early January 2017, the Florida Agency for Health Care Administration notified approximately 30,000 Medicaid recipients that their medical and personal records had been accessed. This happens all too often, as we have read about frequently. The attack vector varies with each attack based on the environment, the tools applicable to the OS and configuration, etc. In this specific instance, the attackers used a phishing campaign, a method which has grown in use and popularity. A user fell victim to a simple phishing email on November 15, 2017. This went largely unnoticed until the agency was notified on November 20, 2017 by the state’s Inspector General.

The spoils from the successful attack included a large amount of data the attackers were able to access. This included partial and full records with the enrollee’s full name, Medicaid ID number, birth date, address, diagnoses, medical conditions, and SSN. This provided nearly all the data needed to take over the enrollee’s identity.

There are a number of disheartening issues associated with this. The Agency had no idea they had been successfully phished and compromised. Their logs, internet access, and other areas had not been reviewed to a sufficient level, and/or the exfiltration of the data and medical records for approximately 30,000 enrollees had not been noted. This is a fair amount of data to move out of the business without notice. Also, the employee did not report the phishing email(s), or that they had clicked on the email.

This breach provides a number of teachable lessons for others. The InfoSec Engineer should have been monitoring the logs via some form of SIEM or app (e.g. Splunk) for odd/anomalous activity, e.g. a mass amount of data being forwarded in a very short amount of time. The vast amount of data involved would not have lent itself well to a manual review on a regular basis. The time of day of the access should also have been noted. The amount of data involved should have been significant enough to be noticed on some level. There should also have been some form of phishing training for the staff; this may have been beneficial to the business in that the breach may have been avoided.

Granted, the Agency may have budgetary constraints. This is a common issue, especially as tax dollars decrease while costs increase. There are, however, free and low-cost alternatives to a full-service phishing vendor’s offering. There are also free or lower-cost SIEMs available for implementation.

Looking forward, the Agency could use machine learning techniques and algorithms to better review the logs and other activity for anomalies and patterns. This would also reduce the time required to process the logs.




Friday, January 12, 2018

Biometric Authentication with a Selfie


For well over a decade there has been talk of the demise of the password. For years, multiple people in the industry have claimed the password’s time is limited. Initially the password had the vital role of securing access to various files, the user’s email account, etc. Without it, any number of people would have access to data and information that in theory should have been private and confidential. Initially, the password’s composition convention was relatively basic and not very robust or creative. As time passed and attackers realized this, systems began to add complexity requirements to the password’s format. This necessity was driven by the potential issues, and the added complexity assisted with mitigating the risk of the access being compromised. As a by-product or secondary effect, it also increased the amount of time required for a successful brute-force attack.
 
As the password became more complex, the attackers adjusted their methods to compensate. This cyclical relationship will continue. As this has been a relatively short-term fix, new login methods have been in process. Many options have been researched, developed, and put into full and limited use. These have included retinal and iris scans, blood vessel locations in the hand and face, and various other methodologies, which have met with varying levels of success in their various uses. One of these authentication methods gaining more attention within the last year has been facial recognition.
Early On
The facial recognition software initially implemented algorithms which were rudimentary. These used non-advanced geometric models. They worked within the system to note the location of certain facial features from photographs or other data sources, focusing on the location of the eyes, ears, nose, and mouth. From these initial data points, the algorithm calculated the distances and subsequent ratios. Naturally, over time this function evolved and improved. These now use mathematical representations and matching processes.
Updated Uses
Initially, this was implemented for user validation and authentication. In most instances, this did work relatively well. In theory, this new and expanded application is safer than passwords and is a step toward addressing the need for improved security. A user is able to lose or forget a password, and a password could be cracked. In contrast, there is only one face like the user’s, except in the case of an identical twin, so there is a single “form” of data. As a further benefit, this does take less time to process.
 
One area where this is being used as a new outlet is authentication for payments. The vendor predominantly implementing this has been Amazon. The selfie is used to authorize Amazon online purchases. With this technology, the user’s image is used for the authentication. It has also been coded to use motions or gestures for the authentication. The motion integration is beneficial as the person has to show they are a live person, and not a picture or other 2D representation. Amazon is confident enough in this technology’s application that they patented it with 20160071111 on March 10, 2016.
 
Mastercard also plans on implementing a similar protocol. With their version, users would blink to authorize the payment for online purchases. Google was also testing its own method. Their product is termed “Hands Free”. This was intended to allow persons to pay with their smart phone by simply saying “I’ll pay with Google”. Google reportedly was also going to use facial recognition. This project, though, has since been shuttered.
Issues
We certainly live in an interesting time. These advances in technology continue to amaze not only the consumer, but the industry. The trajectory of advancement continues to be exponential. This increase in usefulness does come with a price. The progression has not taken the time to explore security or work through most of the use cases. If there were a breach and the database with the facial scan data were compromised, there would be rather significant issues for multiple parties. For the entity, these include forensically investigating the issue, determining the extent of the data exfiltrated and whether it was being actively or passively sold on the dark web, securing the enterprise, and other assorted issues. For the users, their facial recognition data would be compromised. They only have one face. The attackers and unauthorized parties could use this to their benefit for years and years. The users are not able to change their face, bone structure, location of eyes, and nose structure at will, and these are exactly what is used in the computation for the authentication. This is not an isolated topic, and has occurred with government entities in the recent past (e.g. OPM).
 
There would also be difficulties if the person were to be a victim of violence to the face or in a serious car accident. The user would not be able to follow the general process used to reset a password. Many more steps would be involved in this instance, with other departments, to validate the events leading up to it.
 
Apple recently experienced issues with its facial recognition application. Although this technology is advanced, it is not perfected. With the new iPhone, there is the opportunity to use facial recognition to unlock the phone. With a quick smile, the user can be calling or connecting to the internet. There has, however, been at least one recorded instance where a mother unlocked her iPhone X, relocked it, and handed the phone to her child, who was likewise able to unlock the phone.
These advances are a natural progression of our society and efforts. These and other advances should be placed in use. They should, however, be tempered with security and full testing procedures.

Rootkit redux


In season 1 of Mr. Robot, the much-exalted series, one of the female lead actors innocently asks during one of the conversations, “What is a rootkit?” (eps1.0_hellofriend.mov, ~32 minute mark). Although this is known and appreciated at various levels, not everyone has been exposed to this issue.
 
The attacks in use have various levels of complexity in their implementation. These range from the simple phishing attack with an embedded link to a malicious site, to the more sophisticated, complex attacks involving multiple steps, access to hardware, or other steps which normally could be carried out only by someone with significantly more experience. The rootkit is not the easiest form, but would be seated in the middle portion of the spectrum, averaged across the OS spectrum.
 
As difficult as it is to perpetrate, it may be more difficult still for non-IT personnel to detect. Generally, users will have a vendor’s AV package, update it regularly, and run a scan periodically. As these have the full faith and credit placed in them by the users, these may be missing the rootkits, if present on the system. Rootkits have tended to be difficult to detect for many reasons. The primary issue has been that they are active prior to the system’s OS booting. This allows the rootkit to customize certain aspects to make itself recognizable as an authorized part of the system and to avoid being noticed, among other attributes. This coding and functionality allows the rootkit to be hidden, so the user is inclined to believe the system has not been breached.
Defined
The broad, general definition is a software tool that is placed on the target system to allow the attacker access in some form at a later date. Due to their function, these are not coded to propagate on their own. Coding these also requires a certain level of expertise. The person trying to code one would need to do more than watch a few YouTube videos or visit two or three DIY websites. Coding an effective rootkit requires time. There are many uses for these. The coder may create and deliver to the target a rootkit to accumulate data from the user’s computer(s) and from the user’s access to the system. This data could then be exfiltrated and later sold on the dark web or used by the attackers themselves. Depending on the data, this could provide the affected users with years of headaches. A rootkit could also cause the system(s) to malfunction or BSOD. For the enterprising attacker, it could be used to originate spam sent across the globe. It allows the attacker root access to the system, which is particularly useful over the long and short term.
Methods of Infection
As with many other malware infections and attack vectors, there are a number of ways a user may infect their system. The user could be unfortunate enough to receive malware with the rootkit present and download it. This may be provided to the user via the usual email attachment that has been used with so many other malware examples. The user may also, while perusing the internet, open a malicious site and inadvertently infect their system. These are a few examples, which could be mitigated with user training and awareness.
Types
The varied functionality has driven the number of rootkit types. Each type is used for a different kind of target. These may be application-level, kernel-level, or BIOS-level kits. The ones mostly used at this point are the application- and kernel-level rootkits. With application-level rootkits, executable files may be replaced with unauthorized files. With kernel-level rootkits, the attacker modifies the kernel code or puts alternative code in place of the authorized code. On Linux systems, this may be done with loadable kernel modules.
 
The BIOS-level rootkit is more advanced than the prior two methodologies. It is widely used due to its increased functionality, but is more difficult to install. As these are saved onto a memory chip, the rootkit is also more difficult to remove.
Samples
Over the years, many different samples of the rootkit have become known in the industry. With such significant functionality, it is natural for this to be well-used in different industries. The first rootkit was coded in 1990 by Lane Davis and Steven Dake, targeting the UNIX OS. One of the first malicious rootkits was the NTRootkit, targeting Windows systems. The Mac platform was not left alone. The first Mac OS X rootkit was noted in 2009. This was coded to originate hidden system calls and kernel threads.
 
As a rule of thumb, the rootkit is generally coded by attackers for a malicious purpose. This has been repeated for years with other malware also. The attackers are not going to code this just for something to do. Curiously, one of the highest-profile instances was a corporation coding one for one of their products sold to consumers. This was intended to affect their clients starting in 2005 with the Sony BMG copy protection issue. Sony BMG happened to include a rootkit on their CDs which, unbeknownst to the user, was engineered to limit the user’s access to the CD. This was rather significant and placed an unwanted spotlight directly on Sony for a long time. Other well-known examples have been the t0rnkit in 2000, Zeus, Stuxnet, and Flame in 2002.
Detection
Although difficult to detect, this is not impossible and merely takes a bit more effort and time. The user, or the IT staff member tasked with assisting the user, may boot a trusted, uninfected OS for the search, use behavior-based detection methods, scan the system for the rootkit’s signature (if known), and analyze a memory dump of the suspected system.
Once found, the usual next step is to remove the issue. As easy as this appears, the process itself is much more complicated, and in certain cases impossible, as the rootkit is placed in the kernel. The user may have the pleasure of reinstalling their system’s OS.

Although rootkits have the potential to give the IT Department a rather powerful and extensive headache, there are training topics, much like the ones for other malware, that are available to increase awareness and mitigate the potential for infection, and hours of clean-up.

Wednesday, January 3, 2018

Medical Records are Valuable Assets Requiring Security

As each week passes, more medical facilities are compromised and an increasing number of consumer medical records are bundled for sale on the dark web. For these to be saleable, the medical records must hold value in some form. Without this, the medical records would not be targeted.
The attackers are able to use this for identity theft. These medical records obviously contain charting for the patient, but also the full patient name, SSN, and other ID data, e.g. the state driver’s license number. The patient’s payment information, including the credit card number, may also be present in the record, as may the patient’s picture. With this information and data, credit card fraud and identity theft are moderately easy. This could occur repeatedly over the years. The records could be sold repeatedly over the years, repeating the cycle.
This theft may not be noticeable for years. The attackers tend to slowly and methodically extract value from it. In comparison, a credit card is canceled and a new card issued relatively quickly after fraud is detected.
The medical records may also be used for Medicare fraud. This may involve fraudulent billing and over-billing. With a mass amount of records, this could be rather lucrative for the deviants.
The affected parties have a limited number of actions to take when this occurs. The consumer could contract with a third-party service to monitor their personal credit report. This has been met with mixed results, as these services don’t always stop the credit reports from being pulled, as personally experienced. The other primary option is for the consumer to freeze their account. These options also have their own issues.


Tuesday, January 2, 2018

Compromises; It's not just for banks anymore!

The typical target in the past has been entities holding confidential, sensitive information. This is readily marketable and, depending on the information, may be significantly valuable. This has been experienced in the medical field for the last few years. For example, the number of retail clients visiting stores in a region of the U.S. would be less valuable than schematics from a DoD contractor for a new jet or strategy documents from the FDIC.
The attackers have switched their focus a bit to another industry and entity which happens to hold sensitive information. The latest notable compromise victims are automobile finance companies. On December 11, 2017, employees of Nissan Canada Finance (NCF) and Infiniti Financial Services Canada detected that a portion of the customers’ data had been compromised. This did not affect every one of their customers. The data exfiltrated may have contained names, addresses, vehicle details, VINs, credit scores, loan amounts, and information on the monthly payments. This is the second known time Nissan had been targeted, with the prior instance being in 2012.
Seemingly, this is not very valuable to the unauthorized third party. Upon further review, it is actually quite useful. The holder of the data has the person’s private, relevant information. With the social security number, a person is able to fully validate the identity of another person. Banks have begun to use information from the user’s credit report as a secondary source of identification. If the person seeking to assume another’s identity had this, the impersonator could easily use it.
It is curious that the attackers have waited this long to focus on and attack these entities. The businesses do hold a large amount of sensitive information and may not have deemed themselves a sufficient target. The recent breach and outward data flow show any entity is a target, especially those with helpful information.