Lifecycle of an Exploit

Software updates can be inconvenient and can sometimes break components. For these reasons people frequently postpone updates or avoid doing them altogether. Some are not even aware that software updates exist, or assume that updates exist only to add new features. This article explains how a virus, or exploit, is developed and why software updates are important.

Bug Discovered

The bigger the software (the more code it has), the more complex it is. This simple fact leaves plenty of room for potential flaws (more opportunity for bugs). Remember, humans create software and nobody is perfect. Keep in mind that when I say "software", this means EVERYTHING on a computer: websites, operating systems, photo editors, drivers, firmware and so on.

Hackers, good and bad alike, continuously seek out flaws to find a means to exploit them. The good, or ethical, hackers are known as "white hats" (researchers) and the bad ones as "black hats" (criminals). What happens next depends on who discovers the software bug, develops the proof of concept, and exploits it first.

What is a "ZERO-DAY"?

A previously unknown and unpatched software bug that has been developed into an exploit is referred to, in the industry, as a "zero-day". These 0-days are VERY valuable to both the white and black hats. I'll explain why shortly, but be mindful that these bugs are sought after like diamonds because of their value. Both hats work meticulously, and often without sleep, in order to discover the next 0-day. This all happens in the dark so that nobody is aware. Although finding one is exciting for the hacker, revealing it would mean a pay cut. Yes, both hats get paid for their efforts, so they keep quiet until the paycheck has arrived.

The Criminal

When a black hat finds a bug and develops the exploit first, like any business, they begin making plans on how to use it to maximize profit. A criminal may stockpile exploits to use in combination for a big money-making scheme, or use one on its own. An attack is carefully planned and obfuscated so that the payoff is worth the effort and the risk of exposure is small. Many times with 0-days the hack is done and the criminal has cleaned their tracks before anyone notices a problem.

Once discovered, as the victims of the attack recover, the developers of the affected software become aware of the exploit and build a patch to close the security hole that was so brutishly revealed. The exploit is public knowledge now. If this update is for client-facing software such as Adobe Reader or Windows, each user will have to install the update to close that hole. Too often, users do not take updates seriously, and therefore do not update their software, leaving room for more criminals to enter the scene. The new bad guys can now use this exploit and target all of the systems which have not applied the update. Sometimes you might see the same virus floating around the internet years or even decades later, because it is still effective when computers are not updated.

The Criminal Industry

So why do these bad guys work so hard to break into and exploit your software? The short answer is "MONEY". The long answer is that there are many ways an attacker can make money from exploiting your system. In fact, it has become a billion-dollar industry. There are sometimes lone hacker types, but there are also large organizations with CFOs, project managers and even HR people to hire talent. An underground, criminal business, so to speak. I will not go into detail here, but some of the most common ways these bad guys make money are: ransomware, cryptojacking / coin mining on your system, selling your personal data such as passwords, SSNs, credit cards, etc. for identity theft, blackmail, extortion and more.

Compromised systems are also used to launch further attacks so that the attacks are decentralized and more difficult to track; each system reports back to a "command and control" system. There are even cybercrime service companies which might offer virus packages, and support for when they do not work properly. They are limited only by their imagination.

The Researcher

The white hat / researcher goes through a different process to make money on a discovered bug. After their research and proof of concept are complete, they responsibly contact the developer of the software with a write-up on how the exploit was accomplished. Many software companies have "bug bounty" programs where a researcher can submit a bug and, once it is verified, receive a substantial reward. Google paid out almost $3M in 2017 for bug bounties, as seen in this TechCrunch article: https://goo.gl/YtMBL9. Following this, the developer will build and release a patch, and again, if it is client-side software, users are supposed to install the update.

It is the gap between the time the patch is released and the time the user installs the update that becomes interesting. Black hats begin reverse engineering the patch to see what was fixed; then they can begin their campaign to exploit all of the unpatched systems.

Updating

While software updates may be inconvenient, they can make the difference between a good day and a really bad day. It is good practice to use a system which checks for and manages updates automatically, while informing you of updates that have failed to install.

Author: Jeremy Sonntag - NetCertPro
How can your Password get Hacked?

It's truly surprising how many people are unconcerned with the strength of the passwords they use, when in fact everyone's passwords are under constant attack. I often hear phrases like "I'm not a target" and "There's nothing important there anyways". Well, my effort here will work in tandem with other pieces I have written on password security.
Don't Take Passwords Lightly
https://netcertpro.com/Full-Article/14/dont-take-passwords-lightly/

Passwords Vol. 2 - The Solution
https://netcertpro.com/Full-Article/17/passwords-vol-2---the-solution/

Also, I encourage you to read Troy Hunt's article on passwords (he is the founder of https://haveibeenpwned.com/):

The only secure password is the one you can't remember - Troy Hunt
https://www.troyhunt.com/only-secure-password-is-one-you-cant/

The most common passwords from the Gawker breach (https://goo.gl/oV5ifw): 123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, starwars, shadow, princess, cheese

I think that if the average person takes a few minutes to understand what dangers are lurking on the internet, they can use that knowledge to better protect themselves. Below you will find a brief but hopefully clear explanation of the methods by which your passwords might come into the hands of someone else.

Brute Force

Brute force is exactly what it sounds like: try every number, letter, and symbol combination possible until the password is found. This sounds like it could take a long time, and it very well might; however, there are additional techniques attackers have developed which can sometimes yield results much quicker. A popular brute force technique is referred to as a 'dictionary attack', where, instead of systematically trying every combination possible, the attacker makes use of a special dictionary of words, names, popular passwords, etc., often containing hundreds of thousands of entries. There are many different brute force dictionaries that have been built, some of which target 'leetspeak', where you replace letters like 'E' with numbers like '3' (J3R3MY). There are even special dictionaries which target specific industries (teachers, lawyers, or accountants), and dictionaries which target job titles (CEO, CFO, accountant, human resources).
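The defensive counterpart to the dictionary attack described above is to run the same normalization at sign-up time and refuse any password that collapses to a dictionary entry. The Python below is an added example, not code from this article or from NetCertPro: it strips the digit/symbol prefixes and suffixes that wordlist rules bolt on, undoes the common leetspeak substitutions, and then looks the result up. The 24 common passwords are the Gawker list quoted above; the small name/word dictionary, the leetspeak map and the 12-character minimum are assumptions standing in for a real wordlist and a real policy.

```python
import re

# The 24 entries below are the common passwords quoted on this page (from the Gawker breach).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "12345", "monkey", "111111",
    "consumer", "letmein", "1234", "dragon", "trustno1", "baseball", "gizmodo", "whatever",
    "superman", "1234567", "sunshine", "iloveyou", "starwars", "shadow", "princess", "cheese",
}

# Constructed stand-in for the large name/word dictionaries the article describes;
# a real deployment would load a file with hundreds of thousands of entries.
DICTIONARY_WORDS = {"jeremy", "michael", "jessica", "summer", "football", "welcome"}

# The leetspeak substitutions attackers' dictionaries generate ('E' -> '3', etc.), reversed,
# so the policy check undoes them before looking the password up. Assumed map.
LEET_TO_PLAIN = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12  # assumed policy minimum


def normalize(password: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols ('letmein2019!' -> 'letmein'),
    then undo leetspeak ('J3R3MY' -> 'jeremy')."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET_TO_PLAIN)


def check_password(password: str):
    """Return None if the password is acceptable, otherwise a short reason for rejecting it."""
    if password.lower() in COMMON_PASSWORDS:
        return "in common-password list"
    core = normalize(password)
    if core in COMMON_PASSWORDS:
        return "leetspeak or affix variant of a common password"
    if core in DICTIONARY_WORDS:
        return "leetspeak or affix variant of a dictionary word"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    # Constructed sample candidates, including the generated password quoted later in this article.
    for candidate in ("123456", "P@ssw0rd!", "letmein2019", "J3R3MY", "Tr0ub4dor", "qM5e^tqoU#JFo7LKl4gQu"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The order of the checks matters: the raw lookup runs first because normalization turns an all-digit password such as 12345678 into an empty string, and the length test runs last so that a short but dictionary-derived password is reported for the more useful reason.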
Brute forcing a password can occur any place a password exists; however, some places are more difficult than others. Many online entities will limit how many times you can try to enter your password before the account is locked. However, if the whole password database of an entity is stolen, there are fewer limits.

Stolen Database

When a data breach occurs at a company, often a whole database is taken. That database may contain all users and passwords (usually encrypted). This happened to Yahoo and many other companies. See here for a list of data breaches: https://goo.gl/LpohUw

Once the attacker has the data, they can begin the decryption process. This is where brute force methods can come into play. If the encryption is not strong, they will eventually be successful and have access to the usernames and passwords in that database. Following this, the compromised company will ask that you change your password for their service. It's pretty common that stealing the database, cracking the passwords, and using the cracked passwords are all done by different people or groups. Usually, with each step of this process the data is sold on the dark web and another group which specializes in the next step takes over. A cybercrime production line, if you will.

Password Reuse

When a password database has been compromised and cracked, as has happened many times before, the attacker will assume many users have the same password across all or many of their various accounts. Therefore, they test each listed user/password combination against a large list of popular services like Facebook, LinkedIn, email services and more. They usually have great success with this. Bad guys may go after smaller targets with less money to spend on securing their website, such as a local shop that also sells online. The users in that database are just as valuable because they likely reuse their passwords too. Then sometimes there are high-profile breaches like Yahoo which reveal millions of accounts.
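What the Stolen Database section calls "encrypted" passwords are, in most systems, one-way password hashes, and how long the "decryption process" takes depends entirely on how they were hashed. The Python below is an added example, not code from this article or from NetCertPro. It contrasts the weak scheme (one fast, unsalted hash, so every user with the same password gets the identical record and one guess checks the whole stolen table at once) with salted PBKDF2 at a high iteration count, where every guess against every user costs real CPU time, and it flags stored records that have to be regenerated. The scheme label, the 600,000-iteration work factor and the 16-byte salt are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: a scheme label, a per-user random salt, and an
# iteration count high enough that each guess costs real CPU time. Tune to your hardware.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_md5(password: str) -> str:
    """The weak 'before' scheme: one fast, unsalted hash per password.

    Every user with the same password gets the identical record, and a single
    guess can be checked against the whole stolen table at once.
    """
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)  # unique per record, so equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Check a login attempt against a stored record using a constant-time comparison."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # legacy or malformed record: refuse rather than fall back to the weak scheme
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """True if the record is on the legacy scheme or below the current work factor and
    must be regenerated, e.g. by the forced password change the article describes."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True  # still on the legacy scheme
    return int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    # Constructed demo: two users who chose the same password, under each scheme.
    for scheme in (legacy_md5, hash_password):
        alice, bob = scheme("correct horse"), scheme("correct horse")
        print(f"{scheme.__name__}: records identical = {alice == bob}")
```

The record format carries its own iteration count, so the work factor can be raised later without invalidating existing logins: old records still verify, and needs_rehash tells the application which ones to regenerate.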
Social Engineering

Technology has improved exponentially over the years, as has its security, which leaves one weak link: the human. Bad guys have learned very sophisticated psychological methods to convince you to perform some action like clicking a link, opening a file, or handing over some bit of important information, your password for example. This can come in many forms: phone calls, physical visits on site, webpage pop-ups / redirects, but the most popular and effective is phishing. Phishing is simply social engineering via email. As for acquiring your password with a phishing attack, a popular method is to send you an email which convinces you to 'login' or 'verify account'. You click the link and happily type in your password, unaware that the site you just accessed in fact belongs to the bad guy.

Key Logger Virus

A virus is just another program, but with malicious intent. A well-crafted virus will not make itself known to the user until it is too late, if ever. Viruses can be installed or acquired in many different clever ways, but usually the user, knowingly or not, chooses to install it. Once installed, a virus is limited only by the imagination of its developer. One function a virus might perform is to record and catalog all of your keystrokes, the website or resource you are using when you type, and screenshots of the progression. At this point, it does not matter if you change your password, because the bad guy would have access to everything you have typed.

Password Reset Attack

Every website and online service secures your account with a password, and we humans cannot remember passwords. We are terrible at it. This simple fact forces each of these services to offer some means of resetting your password. It is simple to figure out the reset process for any given service: sign up and use the service, then 'forget' the password. Once the recovery process is known, the attacker can collect info on you and then try to reset your password.
Linked Accounts

Facebook, Google and Microsoft provide a service called 'OAuth'. You have seen this before through suggestions such as "Sign in with Facebook". If your Facebook account were accessed by someone other than you, they would have that same "Sign in with Facebook" feature you use available to them in all the places you have set it up. Most people forget, or do not even realize, that they use it because of the easy set-up process.

0-Day / Previously Unknown Hack

Software development is complicated. After long hours of hard work and peer review there are still mistakes or oversights. Interested parties find these mistakes and use them to their advantage. This is one avenue for data breaches or self-replicating viruses, depending on the type of mistake in the software. As an end user, your best protection from a 0-Day is to use reputable software, keep your software updated, use STRONG passwords, and do not reuse them. Once aware of a security flaw, companies are usually quick to fix it, but in the case of software like Windows, you still have to install the update.

Using and maintaining strong passwords is much easier than most people think. Use a password manager if you need extra help, one that has been thoroughly vetted of course. Personally, I trust LastPass. Use a single strong password to access the 'Vault', and then the rest of your passwords can look like this: qM5e^tqoU#JFo7LKl4gQu. You should not be able to remember your passwords, because they need to be secure enough to protect your information.

Author: Jeremy Sonntag - NetCertPro
Archives: November 2019