Friday, April 10, 2015

Getting Closer to a New Machine Era



"Also it causes all, both small and great, both rich and poor, both free and slave, to be marked on the right hand or the forehead, so that no one can buy or sell unless he has the mark, that is, the name of the beast or the number of its name. This calls for wisdom: let the one who has understanding calculate the number of the beast, for it is the number of a man, and his number is 666."   -Revelations 13:16-18

A Word from the Blogger

We are emerging to a new phase.  As passwords are slowly becoming more obsolete because of its nature of being insecure and hard to remember, a new era is emerging which will have a lot of controversy.  Since biometric methods of authentication haven't delivered what they promised,  they also been proven to fail a lot of times in these few years and we have seen how it can be easily bypassed in the last few months, we are now to wonder:  how are we supposed to store our information and do our "private" actions through the Internet without having our account (which, by the way, now contains everything we do) compromised.

www.slate.com


Even though I really love technology and I enjoy experimenting with it, I am completely against the ideology of merging humans with robots.  I am completely against the ideology of having robotic parts embedded into our body to surpass our average capabilities and nature of being what we are... humans.  By merging embedded robotic parts with our  body to make ourselves "more efficient", is a mocking to God because of the arrogance and pride of wishing to be not only like Got but better than God.  If God wanted us to be robots, he would have created robotic parts in ourselves.  Also, it goes against the laws of nature which is also enforced, controlled and mediated by God. If the laws of nature are altered, an endless of domino reaction cataclysms would occur.

The Article

I have read some news which I could not let them slip.  In fact, I had other Blog entries in production and ready to push into live publishing, but I believe this is more important; so I started on this topic right away.  This event will the start of a huge dystopian life change in which the human race will long regret.

On Friday April 17, 2015 in the Wall Street Journal, came an article, one of the most ever life changing in history.  "A PayPal executive who works with engineers and developers of Paypal said that "to find and test new technologies, embeddable, injectable, and ingestible devices are the next wave in identification for mobile payments and other sensitive on-line interactions." Also, the head of PayPal's and Braintree's Global Development Advocacy Jonathan LeBlanc said that "The future of identification would not rely on passwords." As we know, PayPal has not only proven in the past to be a more secure than traditional forms of on-line payments but also has proven to have certain vulnerabilities which exposed its user's use-rnames and encrypted passwords but also two-factor authentication techniques were previously hacked.


The Problem - Fear to the Public

For these reasons as well as the fact that passwords (no matter how much encryption they have) are always eventually brekable, PayPal is turning its odds to a more "reliable", secure and easier to use: 

http://www.makeuseof.com






http://www.slideshare.net/jcleblanc/kill-all-passwords

As any seasoned salesmen and social-engineer already know, in order to sell a product or convinced someone to do a certain thing (a thing he wants you to do), he first has to create the need for it. One of the techniques used to accomplish this is to create fear. Once the fear and need is established, the solution comes next.  LeBlanc states his solution to authentication by using:

  -Fingerpring Scanning
  -Vein Recognition
  -Heart rate monitoring

 By the following methods:

  -Ingestible Technology: Ingestible capsules will be used and powered by stomach acids to detect glucose, blood pressure,digestive health and patterns.

  -Brain-Chip Implants will be used (through
 
http://www.slideshare.net/jcleblanc/kill-all-passwords

These methods, LeBlanc  states they will be "natural body identification", which we already know it will not be true, because the machine (bits and bytes) will be required to analyze body patterns, which does not make it 100% natural.  Think about false positives of our body reaction through the use of drugs, anomalies, sickness, and unexplained pattern behaviors.

FIDO Alliance

PayPal has partnered with FIDO Alliance to incorporate better authentication systems for their users.  One of their projects is the Universal 2 Factor (U2F) authentication. As FIDO Alliance states on one of its videos, U2F offers a more "open, secure and easy to use standard by using a public and private key pair." The Bluetooth USB-like adapter device will not require drivers and will be used as a second method of authentication (after inputting the password) and will be the intermediate between the browser and the user to prevent keylogging, phishing (the most weak link) and MitM (man-in-the-middle) attacks.  It will be also used with the mobile devices which, with the integral part of Duo Push will be used as a phone App.

https://fidoalliance.org/about/overview

In my opinion, this will be the bridge and the temporary solution for PayPal before they go full speed with the new and so radical change which will change our lives forever.


Final Thoughts

We are now living a very crucial time when the fight for privacy,  human rights, wars, terrorist attacks made through false flag operations and our form of communication as well as authentication will be playing a huge new role and change to a more dystopian reality which will be combined with our "own form of control" by using our own medical record, health situation and body parts to keep our private data, the data that never had to be released to the public domain, secure.  It is now the time to change our dormant state and fight for our human rights, which is the last thing we have left.  If we don't anything, one day our future grand children will look at the past (if not altered) and ask: what has happened with our humanity?
 
 Sources

WallStreet Journal Article:  http://blogs.wsj.com/digits/2015/04/17/paypal-wants-you-to-inject-your-username-and-eat-your-password

LeBlanc Presentation:  http://www.slideshare.net/jcleblanc/kill-all-passwords


FIDO Alliance: https://fidoalliance.org/news-more/videos/

PayPal FIDO:  https://www.paypal-pages.com/samsunggalaxys5/us/index-faq.html

Friday, April 3, 2015

The Evolution of Hacking: Advanced Persistent Threats (APT)

www.itbusinessedge.com

 Introduction

In the last couple of decades we had observe some of the most brilliant hacking techniques ever known. We also delved into a lot of sophisticated Malware which redefined the whole concept of security. As more and more simplicity are being worked on the tools and more people adapt to the whole security world, we have seen a substantial growth in not only sophistication but also security persistence.  Here is what becomes: APTs.

Nowadays, we are not only fighting against malicious and curious hungry people who want our data, identity and financial information but also against governments, mafias, and "terrorist" nations to gain trade and national secrets.  As this world might be coming to an imminent end (the end of humanity), it is logical to think that more and more havoc will be caused into our lives and in order to survive, we will have to accept a New World government, where everything will be monitored, judged, moderated and executed within one a World Organization in justification for total security and safety for all humanity.

As more havoc is being done in this society, so it happens in our digital world. Better autonomic, resillient and cognitive systems are also put into the market (and our society) and to the hands of the gifted ones (and malicious users) in order to provide this society with more advanced, smart ways to silently break into the most sophisticated and secure systems. Advanced Persistent Threats is defined as " a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity." By disseminating each word, we have a better idea of what APT really is:

Advanced - Multi-vector 0 day attacks.

Persistent - Undetectable attacks over a long period of time.

Threat - Manace over sensitive information to a critical infrastructure and assets.

Past Examples

Below there are only a handful of APT examples:

PoisonIvy
Stuxnet
NightDragon
GhostNet
Lurid

Past Targets

Moonlight Maze (1998)
Titan Rain (2003)
US Congressmen (2006)
Oak Ridge National Laboratory (2007)
Los Alamos National Laboratory (2007)
US Department of Defense (2008)
Office of His Holiness the Dalai Lama (2008)
Operation Aurora (2009)
Australian Resource Sector (2010)
French Government (2010)
Canadian Government (2011)
Australian Government (2011)
Comodo Affiliated Root Authority (2011)
RSA (2011)
Oak Ridge National Laboratory (2011)
L-3 Communications (2011)
Lockheed Martin (2011)
Northrop Grumman (2011)
International Monetary Fund (2011)


How APT Works


First, it is important to identify the phases of a successful APT.  In order to successfully attack a system without being detected, a series of out of the radar sophisticated techniques must be used.

First Step - Advanced (Infection)

Attack is conducted by sending the RAT's Trojan (server file) by tricking the user to run it.


Methods can be used as attachments, visiting a website which a vulnerability was taken advantaged of the malicious user which can download the Trojan of the RAT.  An indirect and less suspecious method is being used by simply throwing a USB drive with the RAT's Trojan software to the target's backyard, car, or personal item such as his coat, or pant's pocket.  If he plugs it in thinking he luckily found a USB he can use, the malicious user can craft an autoexecutable which executes the RAT's Trojan software in the background.  He can put random school documents or home-made pictures (not his own) to make it less suspecious.  A more advanced alternative is if the malicious user crafted a malicious software which downloads the server file (RAT's Trojan) when innactivity is detected on the target's machine, so he doesn't notice system's performace or hints when the connection, download and auto-execution is taking place.

The attacker, once the victim is infected, can manages the victim's PC through the Remote Administration Tool (the RAT).
 
When the victim is infected, it simply notifies the malicious user who is running the RAT on his end.  Then, the malicious user can conduct a series of activities:

  -Keylogging (logs every single keystroke)
  -Uploads and downloads system's files
  -Unrestricted remote shell login
  -Uses proxy services to hide attacker's identity (through HTTP/SOCKS)
  -Kills, lists and starts system processes
  -Spies on victim's webcam
  -Screen Captures
  -Full administrative access to files and system's registry
  -Used to send SPAM from the victim's machine
  -Logs-off, restarts and shutdowns the victim's computer
  -Update the RAT's server (trojan) on the victim's machine
  -Uninstallation of RAT itself

Second Step - Persistent (Methods)

The persistent phase comes when the attacker conducts such stealthy activities, such as:

  -Updating the server file on the victim's machine so it doesn't get detected by anti-malwar
  -Inject the server file to a specific system process. i.e: winlogon.exe, iexplorer.exe or rundll32.exe.
  -The server file's shortcut image can be changed as well as the name of the file to avoid detection.
  -Auto-runs and connects to attacker if the server's injected service is killed

Third Step - (Exfiltration) Threats

This serious threat can be used to make nefarious exfiltration of mass data such as:

  -Network footprinting
  -Assets enumeration
  -Usernames and Passwords
  -Administrative domain account creation for further access
  -Plant backdoors for evasion
  -Secret data and company secrets' leak
  -Data and infrastructure corruption
  -Compromise other hosts
  -Privilege Escalation
  -Encrypt critical files and demand ramson to decrypt it
  -Etc,Etc,Etc

Final Thoughts

As we are going through a war phase, a lot of attacks are being made with digital weapons.  More instrusive controls such as better digital IDS/IPS signatures, more skilled people, Firewall rules and Anti-virus behavioral scans as well as signatures (come on, they do help a little) are getting behind exponentially with the emerge of more sophisticated APT malware.  With the evolution of cognitive systems, soon we won't have to enlist to fight wars because machines will be able to fight them for us.  The hacking techniques now being used as almost automatic and will soon be cognitive and conducted with the help of a more accurate AI (artificial intelligence).  In this information age, not only critical infrastructure but also the whole society's information is the target and at risk minute by minute.  That is why we need to be our own Firewall and not only be diligent about our activities and actions (they do cause an effect), but also about how we determine our future.