Positive Research Center


How to Protect Yourself When Shopping Online

26 November 2018 - 13:00

Image credit: Pexels

Online shopping safety is a pressing issue for both consumers and business users, especially in the holiday season. As customers flock to online stores to cross off their Christmas wish-lists, cyber criminals look to take advantage of the high traffic and of customers looking for the best deal.

Always remember, the Internet is not a governed, safe environment. It’s the wild west. There really are no guarantees of security when shopping online, and even big companies can be affected by security vulnerabilities. This blog covers some of the greatest security risks this Christmas season and gives practical tips to help you shop safely online this year.

Phishing Scams

During promotional periods, such as Black Friday or Cyber Monday, you’re more likely to fall victim to phishing scams – attacks sent directly to people via email to steal your payment or personal information. Attackers send out phishing emails posing as large retailers with attractive discounts and – for many consumers – this is enticing enough to make a poor decision and click on a malicious link. This link may hand your personal and payment data directly to the bad guys, or infect your device with malware.

Even large companies can be susceptible to these attacks. In our own research, Positive Technologies found that 88 percent of employees open unknown files and links they receive by email. Earlier this year, Saks Fifth Avenue was a victim of one such crime, and five million credit and debit card numbers were stolen from their systems.

Phishing campaigns are designed to play to your emotions. Emails will attempt to convince you that they’re from a trusted source, and it can be hard to discern if an email is genuine or not.

Here are a few tips for spotting and avoiding phishing scams:

  1. Be wary of unwanted emails or emails from an unknown source. If a shop you don’t usually receive emails from is contacting you for the first time, it could be a fake.
  2. Look for misspellings in the email. Criminals don’t have a marketing department and a sloppy email might indicate a cheap scam.
  3. Is the email addressed to you by name? Criminals are unlikely to know your full name, so they may address you as Sir or Madam.
  4. Do not click on unknown links contained within emails. It may sound like a great deal, but in fact it could cost you dearly.
  5. Remember that the sender’s email address is not a guarantee that the email came from the person or organization the message claims to be from. If something seems fishy, check with the sender directly.
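Three of the five tips above (a generic greeting, a link that shows one address but leads to another, and a sender display name that does not match the sending domain) can be checked mechanically. The following is an added example, not code from the original post or from Positive Technologies; the two messages are constructed for the demonstration and the retailer, domains and addresses in them are hypothetical.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real emails). The first shows the warning signs
# described in the tips; the second is what a genuine promo from the same
# hypothetical retailer would look like.
SUSPICIOUS_EMAIL = """\
From: "BigRetailer Deals" <promo@mail-rewards-center.example>
To: customer@example.net
Subject: Black Friday: 80% off everything, today only!
Content-Type: text/html

<html><body>
<p>Dear Sir or Madam,</p>
<p>Claim your discount now:
<a href="http://bigretailer.example.accounts-verify.example/claim">https://www.bigretailer.example/deals</a></p>
</body></html>
"""

LEGIT_EMAIL = """\
From: "BigRetailer" <news@bigretailer.example>
To: customer@example.net
Subject: Black Friday deals
Content-Type: text/html

<html><body>
<p>Hello Alice,</p>
<p>See this week's offers: <a href="https://www.bigretailer.example/deals">https://www.bigretailer.example/deals</a></p>
</body></html>
"""

GENERIC_GREETINGS = ("dear sir or madam", "dear customer", "dear user", "dear valued customer")


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._buf = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def site_of(host):
    """Last two labels of a hostname: the part a reader actually recognises, so
    'bigretailer.example.accounts-verify.example' becomes 'accounts-verify.example'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw_message):
    """Return a list of (code, detail) findings; an empty list means no heuristic fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Tip 5: the display name is free text; compare it with the real sender domain.
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = address.rpartition("@")[2].lower()
    words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", display_name)]
    if words and not any(w in sender_domain for w in words):
        findings.append(("display-name-mismatch", f"'{display_name}' sent from {sender_domain}"))

    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = re.sub(r"<[^>]+>", " ", body).lower()

    # Tip 3: no personal greeting.
    for greeting in GENERIC_GREETINGS:
        if greeting in text:
            findings.append(("generic-greeting", greeting))
            break

    # Tip 4: the link text shows one site while the href leads to another.
    parser = _Links()
    parser.feed(body)
    for href, shown in parser.links:
        shown_host = urlparse(shown).hostname if "://" in shown else None
        real_host = urlparse(href).hostname
        if shown_host and real_host and site_of(shown_host) != site_of(real_host):
            findings.append(("link-mismatch", f"shows {shown_host}, goes to {real_host}"))
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(label, phishing_indicators(raw))
```

The heuristics deliberately stay simple: a mail client or gateway would add sender authentication results (SPF/DKIM/DMARC) and reputation data, but the three checks above already catch the look-alike subdomain trick, where the brand name appears at the start of the hostname and the real site is the part at the end.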

Compromised E-Commerce Websites

Criminals don’t just target customers directly; they also target the retailers those customers use. If a website is compromised and you enter your credit card details, you may be handing your banking information directly to cyber criminals and could see fraud on your account later on.

Of course, this isn’t your fault. However, customers should be vigilant and aware of this risk. On some websites, you may see visual indications of “security,” such as padlock icons which show that a website is using SSL, or Secure Sockets Layer – a protocol that encrypts information sent between a web browser, like Google Chrome, and a web server, such as those operated by the retail company you’re shopping from. However, this is no guarantee that your information is secure. We saw companies like Newegg, Ticketmaster and British Airways affected by malware over the summer that stole credit card data entered onto the websites – and they used SSL.

Customers therefore have to take their own steps to protect themselves online.

Here are our top tips for protecting yourself from compromised websites:

  1. Try free tools that help you distinguish risky websites from safe ones, such as Web of Trust.
  2. Remember, even “safe” websites can be attacked, so also consider using free malware blocking tools. NoScript, for example, is a free browser extension that will block malicious code from loading during your checkout session.
  3. Use virtual cards for online shopping. These typically have a short lifetime and allow you to set specific limits per transaction. This means that if you are compromised, a cyber criminal can’t access your entire bank account. Some banks and credit providers, such as Bank of America (ShopSafe), Capital One (ENO) and Citi, offer these, but there are also dedicated providers, such as Entropay.
  4. If you have to pay online using your debit or credit card, choose your credit card. You are typically entitled to better protection over purchases so are more likely to be covered if you are a victim of fraud.
  5. Monitor your bank account thoroughly to spot fraudulent activity early on. Enable SMS notifications for your account so that you receive visual confirmation for the purchases you make. If your bank account allows you to set transaction limits, enable this feature as well. And of course, if you notice any suspicious transactions, inform your bank immediately and block the card.

Author: Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies

What We Have Learned About Intel ME Security In Recent Years: 7 Facts About The Mysterious Subsystem

23 November 2018 - 14:38

Image: Unsplash

Intel ME has captured the attention of researchers in recent years. There is an air of mystery about the technology. Although it has access to virtually all the data on the computer, and hackers can get total control over the machine if they manage to compromise Intel ME, there are no official documents or guides regarding its use. That is why researchers from all over the world have to deal with the technology on their own.

We have studied Intel ME for several years, and here is what we have found out about this mysterious subsystem so far.

Vulnerabilities in ME allow compromising even a turned-off computer
At the end of 2017, Positive Technologies experts Mark Ermolov and Maxim Goryachy spoke at Black Hat Europe about a vulnerability in Intel Management Engine 11, which allows intruders to access most of the data and processes on a device. You will find a detailed description of the problem in our article.

The vulnerability in Intel ME allowed executing arbitrary code. This threatens many technologies, including Intel Protected Audio Video Path (PAVP), Intel Platform Trust Technology (PTT or fTPM), Intel Boot Guard, and Intel Software Guard Extensions (SGX).

JTAG debugging can be used to intercept data in ME
By exploiting the bug in the bup module, the experts managed to turn on the PCH red unlock mechanism, which opens full access to all PCH devices so that they can be used via the DFx chain—in other words, using JTAG. The ME kernel is one such device. The experts could then debug the code executed on ME, read the memory of all processes and the kernel, and also manage all the devices inside the PCH. They found out that there are about 50 internal devices in modern computers to which only ME has full access, while the main processor has access only to a very limited subset of them.

Full access also means that any intruder exploiting this vulnerability can bypass the traditional software protection and conduct attacks even when the computer is turned off.

JTAG can be activated in the mobile version of ME
Intel TXE is the mobile version of ME. Vulnerability INTEL-SA-00086 allows activating JTAG for the subsystem kernel. Positive Technologies experts developed a JTAG PoC for the Gigabyte Brix GP-BPCE-3350C platform. This utility can be used to activate JTAG for Intel TXE.

The subsystem can be disabled in an undocumented mode
Positive Technologies experts Maxim Goryachy and Mark Ermolov delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. Although it is impossible to entirely disable ME on modern computers, hackers can still compromise devices in an undocumented mode called High Assurance Platform (HAP). The experts discovered a special HAP bit which, once set, allows disabling Intel ME at an early stage of booting.

The name High Assurance Platform belongs to a trusted platform program linked to the U.S. National Security Agency (NSA). A presentation describing the program is available online. This mechanism was presumably introduced at the request of U.S. government agencies striving to reduce the likelihood of side-channel data leaks.

ME security flaws threatening MacBook
This June, Apple released updates that eliminated the CVE-2018-4251 vulnerability. The vulnerability was in the Manufacturing Mode component—a service mode for configuring, setting, and testing an end platform at the production stage. This mode allows setting critical platform parameters that are stored in the one-time programmable memory (FUSES). The mode must be disabled before the device is put on sale and purchased by a user.

Neither the mode nor its potential risks are described in Intel public documentation. An ordinary user cannot disable the mode, as the relevant management utility is not officially available.

The vulnerability allows an attacker with administrator rights to gain unauthorized access to critical parts of firmware, write a vulnerable version of Intel ME, and exploit it to secretly gain a foothold in the device. Next, it is possible to obtain full control over the computer and spy with no chance of being detected.

Vulnerable Intel chipsets are used all over the world, from home and work laptops to enterprise servers. The update previously released by Intel does not prevent exploitation of vulnerabilities CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707, because with write access to the ME region, an attacker can write a vulnerable version of ME and exploit a vulnerability in it.

Intel patches the same bugs in ME twice
In early July, Intel issued two security advisories (SA-00112 and SA-00118) regarding fixes for firmware vulnerabilities in Intel Management Engine. Both advisories describe vulnerabilities with which an attacker could execute arbitrary code on the Minute IA PCH microcontroller.

The vulnerabilities are similar to ones previously discovered by Positive Technologies security experts in November 2017 (SA-00086). But that was not the end of the story, as Intel later released new fixes for ME vulnerabilities.

CVE-2018-3627, the vulnerability at issue in advisory SA-00118, is described as a logic bug (not a buffer overflow) that may allow execution of arbitrary code. An attacker needs only local access to exploit this vulnerability, whereas the vulnerability described in advisory SA-00086 is locally exploitable only in case of OEM configuration errors. This makes the newer vulnerability more dangerous.

Things are even worse with CVE-2018-3628, which is described in advisory SA-00112. This vulnerability enables remote code execution in the AMT process of the Management Engine firmware. Moreover, all signs indicate that—unlike CVE-2017-5712 in advisory SA-00086—attackers do not need an AMT administrator account.

Intel characterizes the vulnerability as "Buffer overflow in HTTP handler," which suggests the possibility of remote code execution without authorization. This is precisely the nightmare for all Intel users.

Disclosure of Intel ME encryption keys
However, this was not the end of the Intel ME story. In autumn, the company had to fix another bug in the subsystem, one that led to the disclosure of Intel ME encryption keys. The vulnerability was detected by Positive Technologies experts Dmitry Sklyarov and Maxim Goryachy.

Intel ME (Management Engine) stores data with the help of MFS (which likely stands for "ME File System"). MFS security mechanisms make heavy use of cryptographic keys. Confidentiality keys keep the MFS data secret, while integrity keys protect the data against tampering. MFS data are divided into two categories according to sensitivity, and each category is protected by a different key set. The most sensitive data are protected by Intel Keys, with Non-Intel Keys being used for everything else. Thus, four keys are used: the Intel Integrity Key, Non-Intel Integrity Key, Intel Confidentiality Key, and Non-Intel Confidentiality Key.

By exploiting the vulnerability discovered by Mark Ermolov and Maxim Goryachy, attackers can obtain all four keys and fully compromise the MFS protection mechanisms. Intel later issued an update eliminating this vulnerability. By increasing the SVN (Security Version Number), Intel updated all keys to make MFS security work as intended. It should then have been impossible to obtain the MFS keys for updated ME firmware versions (those with the new SVN value).

But in 2018, Positive Technologies experts discovered vulnerability CVE-2018-3655, described in advisory Intel-SA-00125. They found that Non-Intel Keys are derived from two values: the SVN and the immutable non-Intel root secret, which is unique to each platform. By using the earlier vulnerability to enable the JTAG debugger, it is possible to obtain the second value. Knowing the immutable root secret enables calculating the values of both Non-Intel Keys even in the newer firmware version.

Attackers can calculate the Non-Intel Integrity Key and Non-Intel Confidentiality Key for firmware that has the updated SVN value, and therefore compromise the MFS security mechanisms that rely on these keys.
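The weakness described in the last three paragraphs is a key-management pattern rather than a single bug: if the keys are a function of an immutable root secret and the SVN, then bumping the SVN rotates the keys only for attackers who never saw the root. The following is an added illustration, not Intel's actual derivation (which the article says is undocumented) and not code from Positive Technologies. Model A is the pattern the article describes; Model B is a common alternative (an SVN-bound one-way ladder, as used in several TPM- and enclave-style designs) in which firmware at a given SVN is handed only a derived value, never the root. HMAC-SHA256, the labels, MAX_SVN and the demo root are all constructed for the example.

```python
import hashlib
import hmac

MAX_SVN = 8  # highest SVN this hypothetical platform will ever reach

# Constructed demo value; on a real platform this would be a per-chip fused secret.
DEMO_ROOT = hashlib.sha256(b"constructed demo root secret, not a real value").digest()


def kdf(secret, label):
    """HMAC-SHA256 as a stand-in for the platform's (undocumented) key derivation."""
    return hmac.new(secret, label.encode(), hashlib.sha256).digest()


def mfs_keys(secret, svn):
    """The two Non-Intel keys named in the article, derived from one secret for one SVN."""
    return {
        "integrity": kdf(secret, f"non-intel-integrity|svn={svn}"),
        "confidentiality": kdf(secret, f"non-intel-confidentiality|svn={svn}"),
    }


# --- Model A: keys = KDF(immutable root, SVN) -------------------------------
def keys_model_a(root, svn):
    return mfs_keys(root, svn)


def model_a_root_leak_defeats_svn_bump(root=DEMO_ROOT):
    """Firmware at SVN 1 is compromised and the root is read out (the debugger case
    the article describes). Bumping to SVN 2 changes the keys, but anyone holding
    the root simply recomputes them."""
    leaked_root = root
    return keys_model_a(leaked_root, 2) == keys_model_a(root, 2)


# --- Model B: one-way SVN ladder --------------------------------------------
def level_secret(root, svn):
    """Hardware side: SHA-256 applied (MAX_SVN - svn) times to the root. Firmware
    running at SVN s is handed only this value; the root never leaves hardware."""
    s = root
    for _ in range(MAX_SVN - svn):
        s = hashlib.sha256(s).digest()
    return s


def older_level(level, from_svn, to_svn):
    """Firmware side: newer firmware can reach an older level (to read data sealed
    under an earlier SVN) by hashing forward. Going the other way would need a
    SHA-256 preimage."""
    assert to_svn <= from_svn
    s = level
    for _ in range(from_svn - to_svn):
        s = hashlib.sha256(s).digest()
    return s


def keys_model_b(root, svn):
    return mfs_keys(level_secret(root, svn), svn)


def model_b_level_leak_is_contained(root=DEMO_ROOT):
    """Same compromise at SVN 1, but all the attacker can read is level_secret(1):
    keys for SVN 0 are reachable, keys for SVN 2 are not."""
    leaked = level_secret(root, 1)
    reaches_older = mfs_keys(older_level(leaked, 1, 0), 0) == keys_model_b(root, 0)
    # Hashing the leaked value again only moves further down the ladder, so it
    # does not produce the level-2 secret (or the level-2 keys).
    wrong_guess = hashlib.sha256(leaked).digest()
    blocked_newer = mfs_keys(wrong_guess, 2) != keys_model_b(root, 2)
    return reaches_older and blocked_newer


if __name__ == "__main__":
    print("Model A: root leak still yields post-update keys:", model_a_root_leak_defeats_svn_bump())
    print("Model B: level leak confined to current and older SVNs:", model_b_level_leak_is_contained())
```

The point of Model B is not the hash chain itself but the access boundary: the root and every level above the running firmware's SVN stay inside hardware, so a debugger that can read everything the firmware sees still cannot derive keys for a future SVN. Model A offers no such boundary, which is why the SVN increase described above did not help once the immutable root had been read out.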

What now?
We recently published a detailed description of the CVE-2018-4251 vulnerability affecting MacBooks. Mark Ermolov and Maxim Goryachy will speak at the HITB conference on how attackers can exploit the vulnerability. They will also discuss protection mechanisms, such as a special utility developed by our experts.