We’ve been keeping a sharp eye on attackers, and today is no exception, but it’s also time to discuss the good guys’ limits and how they tackle them. GOT(IT) #26 packs a few heads-ups, like Outlook’s flaw (update!), and some insight into how the police crack phones.
Outlook Flaw Facilitated Password Breaches
Microsoft recently issued a patch for a flaw that had been disclosed about 18 months ago: the Microsoft Outlook vulnerability CVE-2018-0950, discovered by Will Dormann of the CERT Coordination Center.
The flaw lies in how Outlook renders remotely hosted OLE content: when a Rich Text Format (RTF) message is previewed, Outlook initiates an SMB connection to fetch that content.
The attacker sends the victim an RTF email containing an OLE object hosted on the attacker’s SMB server. When Outlook loads it, it automatically authenticates to that remote server over the SMB protocol using Single Sign-On (SSO), handing over both the victim’s username and NTLMv2 password hash.
Depending on the password’s complexity, the attacker could crack that hash fairly quickly. And that’s not all: they also receive the victim’s IP address and domain name.
Microsoft has indeed patched the issue. However, the patch only stops Outlook from initiating SMB connections when previewing RTF emails; it doesn’t prevent other SMB-based attacks. Visit the news source for a comprehensive guide to mitigating what the patch doesn’t cover.
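As an added example (not code from the article or from CERT/CC), here is a small defender-side sweep over constructed firewall log lines that flags the telltale of the forced-authentication flaw above: an internal workstation opening an SMB or NetBIOS connection (TCP 445/139, UDP 137) to a host outside the organisation’s own address ranges. The key=value log format and the internal network list are assumptions; adapt both to your own firewall export.

```python
"""Flag outbound SMB/NetBIOS connections from internal hosts to external servers.

Constructed example. The key=value log format and INTERNAL_NETS are assumptions.
"""
import ipaddress
import re

# Ports a forced-authentication leak (as with CVE-2018-0950) rides on:
# SMB over TCP 445, NetBIOS session TCP 139, NetBIOS name service UDP 137.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137)}

# Assumed internal ranges; replace with the organisation's real ones.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; values may be double-quoted."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def is_suspect(event):
    """True when an internal host talks SMB/NetBIOS to a non-internal address."""
    try:
        src = ipaddress.ip_address(event["src"])
        dst = ipaddress.ip_address(event["dst"])
        port = int(event["dport"])
    except (KeyError, ValueError):
        return False  # malformed record: skip it rather than abort the sweep
    proto = event.get("proto", "").lower()
    return is_internal(src) and not is_internal(dst) and (proto, port) in SMB_PORTS

def find_smb_leaks(lines):
    """Return (src, dst, proto, dport) for every suspect event, in log order."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if is_suspect(ev):
            hits.append((ev["src"], ev["dst"], ev["proto"].lower(), int(ev["dport"])))
    return hits

# Constructed sample: a normal internal file-share access, an SMB session to an
# outside host (the leak), an unrelated HTTPS connection, and a NetBIOS query.
SAMPLE_LOG = [
    'ts=2018-04-12T09:14:02Z action=allow proto=tcp src=10.0.5.23 dst=10.0.1.4 dport=445',
    'ts=2018-04-12T09:14:05Z action=allow proto=tcp src=10.0.5.23 dst=203.0.113.77 dport=445',
    'ts=2018-04-12T09:14:06Z action=allow proto=tcp src=10.0.5.23 dst=203.0.113.77 dport=443',
    'ts=2018-04-12T09:14:09Z action=allow proto=udp src=10.0.5.40 dst=198.51.100.9 dport=137',
]

if __name__ == "__main__":
    for hit in find_smb_leaks(SAMPLE_LOG):
        print("possible NTLM credential leak:", hit)
```

Any hit here is worth a look even after the Outlook patch, since the same outbound SMB path is what the other attacks the patch does not cover rely on.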
How Hackers Target Accounting Firms
KrebsOnSecurity shared last week an interesting story about an accountant targeted by a comprehensive cyberattack that seems to have been focused on Certified Public Accountants (CPAs).
This story proves an old theory: tax preparation firms and accountants are not ready to block these kinds of threats, and their security systems are not just old but at times completely obsolete.
The scheme started with a web-based keylogger that logged the target’s keystrokes and took constant screenshots of the user’s activity, uploading them to a basic web form, indexed by user and organized by day.
But how did they get this malware onto the victim’s machine in the first place? Well, it seems he skipped quite a few updates, like the one we see in the screenshot above! Krebs suspects it originated from an infected email document or link, since most CPAs handle tons of documents via that channel.
Now, let’s cut to the chase. What are a CPA’s basic concerns when all of their credentials, contacts, and documents are leaked? It kind of speaks for itself, doesn’t it? But the most common case: fraudulent tax returns.
Police Forces Looking at GrayKey to Crack iPhones
Motherboard has conducted a country-wide investigation in the US into how law enforcement agencies tackle device encryption, inspired by the legal and ethical struggle federal agencies faced when trying to gain backdoor access to a suspect’s personal devices.
It seems that while the FBI continued its legal struggle, police forces turned to a cheaper alternative: third-party gadgets that crack phones at low cost.
Apple always seems to be part of the story whenever a law enforcement agency pushes to access a device’s encrypted data for evidence. That’s no coincidence, since Apple’s privacy and security policies have always proved tough to tackle (every iPhone encrypts its user’s data by default).
According to Motherboard’s investigation, police forces and federal agencies have found their solution in GrayKey (and similar offerings), a cheap device that claims it can tackle any ‘up-to-date’ iPhone and crack its encryption.
Motherboard uncovered evidence implying that both the Maryland and Indiana State Police have procured the tool, while other agencies like the Secret Service, the State Department and the DEA showed interest in doing so and even contacted its creator, Grayshift, for quotes.
It’s not the first time federal agencies have used external tools to crack devices. The FBI bought forensic tools from Cellebrite back in 2016 for about $2 million, but this time the costs have come down: cracking the latest iPhone running iOS 11 ranges from $15,000 to $30,000, depending on whether you buy the version that requires an online connection (limited to 300 unlocks) or the offline, unlimited one.
The other way (or ‘the FBI way’) would be to coordinate factory-built backdoors with manufacturers, for agencies to use whenever a legal need arises. But since the general public and the companies themselves see this as handing the right to privacy to every federal agency on a silver platter, it doesn’t look like it will happen anytime soon.
At the moment, this continues to be their only alternative. New phones come out, new providers crack them, and the agencies buy the tools. The grey-ish legal line that defines this struggle will hardly move, especially with personal privacy the hot topic of 2018, GDPR around the corner and Facebook proving these concerns are not simply ‘paranoia’.
The past year has been both great and awful for user privacy. The bad? Well, it’s vulnerable, like, really vulnerable. The good? Users are starting to say ‘we’re not gonna take it!’ and learning how to protect it from being breached.