(Literal) Script Kiddies Stumble Upon Linux Lock Screen Bypass Vulnerability


In hacker culture, a script kiddie is someone who possesses little to no technical skill themselves. Rather than creating their own tools and techniques, they utilize existing scripts or tools in order to vandalize websites or trick unsuspecting Internet users into entering their credentials into a fake login form. In a literal sense, script kiddies aren’t actually “kids”. However, while listening to a cybersecurity podcast recently, I heard something that may argue otherwise.

The podcast I am referring to is the Day[0] podcast, specifically episode 60 titled “Breaking Lock Screens & The Great Vbox Escape”. A little over thirty minutes in, one of the show hosts, Specter, mentions a lock screen bypass in Linux Mint, one of the various distributions of the Linux operating system. What caught my attention wasn’t the bypass itself, but how and by whom said bypass was carried out. No, it wasn’t an exploit discovered by a nation-state, nor was it Google’s Project Zero team; it was simply two children.

I went ahead and found the actual issue posted by GitHub user “robo2bobo” (who I will refer to as R2B) on the linuxmint/cinnamon-screensaver repository, which hosts the code for the Cinnamon desktop environment’s screen locker and screensaver program. A desktop environment is, in its most basic form, a bundle of programs running on top of an operating system, such as Mac or Windows, that provide common graphical user interface (GUI) elements. The issue, titled “Screensaver lock by-pass via the virtual keyboard”, offers further insight into how two kids were able to “discover” this exploit. R2B explains that their kids were interested in hacking into their parents’ Linux desktop, and with permission began typing random keys and clicking all over the screen. To R2B’s surprise, this behavior caused the screensaver to crash, allowing the kids to bypass authentication and unlock the desktop. In the world of cybersecurity, this technique is known as “fuzzing”, in which random data is provided as input to a computer program in hopes of causing unexpected behavior, such as a crash or memory leakage. Jumping back to our definition of script kiddies, there is no better term to describe the discovery of this vulnerability. Kids with no technical knowledge whatsoever were able to “hack” their way into their parents’ computer simply by mashing random keys on the keyboard and clicking like there was no tomorrow.

Clement Lefebvre, the man behind Linux Mint, commented on the issue. He reported that this vulnerability affects all Linux distributions running the Cinnamon desktop environment, specifically version 4.2 and up, as well as any software that uses libcaribou (an on-screen keyboard library). Clement goes on to clarify that the crash is specifically caused by pressing “ē” (by clicking and holding on the “e” key) on the on-screen keyboard. Clement mentions that this is a “high priority bug”, and that a fix should be expected soon. As of writing this post, that comment was made 13 days ago. Until a fix is implemented, keep your kids away from your keyboard and mouse, or anyone for that matter.

Sources included in this post can be found at:

https://dayzerosec.com/posts/episode-60

https://googleprojectzero.blogspot.com/

https://github.com/linuxmint/cinnamon-screensaver/issues/354

Could Ransomware Affect The Upcoming Election

As we approach Election Day on Tuesday, November 3rd, fears are bubbling up about potential election interference from ransomware. Ransomware is a type of malicious software that locks up a user’s system or device and makes it unusable. In politics, it can have a much worse effect, as when it was used against Baltimore’s city government, the University of California, and the website of an Illinois public health district. Even large companies have been affected, with Microsoft stating that it took down a major hacking network that was being used to spread ransomware.

In the context of elections, ransomware can freeze user access to voter polls or websites displaying election results. According to Jason Healey, a cybersecurity expert at Columbia University, “The concern at [the Department of Homeland Security] and the Pentagon will be that ransomware will hit at the county and state level to disable voting registers, vote tallying and reporting, and result reporting.” While this is a serious concern, some factors work against such attacks. One is that the ransomware would have to adapt to the different types of software in use. Every voting jurisdiction uses different software, so infiltrating these systems would require an individualized attack for each one, which slows the attacks down.

As a result, the US government has issued public advisories warning of the potential threat of ransomware. Government officials have been investing in stronger firewalls, better risk analysis platforms, and device protection, as well as keeping important voting infrastructure separate from other systems. Cities are becoming better prepared than before. The ways to combat ransomware are simple: “Create regular backups of your data that you store offline. Learn to recognize fraudulent emails or links and try to avoid falling for them. Keep your devices and apps up to date with the latest security updates.”

Source: https://www.cnn.com/2020/10/15/tech/ransomware-2020-election/index.html

Apple’s Cyber Security Flaw

The world is undoubtedly growing at an exponential rate when it comes to technology, and as we find a solution to one problem, another 100 issues emerge. Wiretapping was once essentially the only form of security breach that phones faced. But in the little over a decade since the first smartphones, the conveniences of a pocket-sized computer have birthed an endless number of risks to people’s privacy.

Since its early-generation iPhones, the tech giant has locked its smartphones against jailbreaking. But recently, Apple has put $1 million into its cybersecurity to deal with software errors found in its recent iOS 12.4 update. A Google researcher was the first to discover the programming flaw, which was patched in iOS 12.3 but reintroduced in iOS 12.4. Through certain apps on the App Store, iPhone users with this recent software update are now vulnerable to malicious activity. These exploit chains can give hackers access to real-time data such as GPS location, photos, and messages. Another security researcher, Pwn20wnd, who specializes in jailbreak development, has mentioned that users are also vulnerable to having their information stolen by browsing certain websites in the Safari app. According to security researcher Jonathan Levir, even iPhones with predating software are susceptible to exploits.

Although Apple has not officially addressed the issue, many iOS programming experts have advised iPhone users to be cautious of what apps they download and what websites they browse.

Innovation is a double-edged sword, and Apple’s situation is a prime example. The convenience of having a portable supercomputer has eased some aspects of life. It has also walked us blindly into inconceivable issues. I suppose that we as a society are in a perpetual motion of transformation and refinement.

Sources:

https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html

https://www.businessinsider.com/apple-ios-12-4-update-jailbreak-poses-iphone-security-threat-2019-8?r=US&IR=T

https://www.businessinsider.com/google-researchers-found-a-bunch-of-malicious-sites-that-quietly-hacked-iphones-for-years-2019-8

https://www.vice.com/en_us/article/qvgp77/hacker-releases-first-public-iphone-jailbreak-in-years

The Bike Sharing Industry is Out to Conquer the World

Many cities around the US and the world are seeing an increase in the bicycle sharing business. This is a public transit system in which bicycles are made available for shared use on a short-term basis for a fee. Customers can pick up a bike from any location and dock it, or drop it off, at specified bike racks. Some services also allow riders to drop a bike off anywhere for use by someone else; these bikes can be located with a smartphone mapping app that shows the bikes available around you.

The growth this industry has seen is due in part to the connectivity and payment options that the user has. People can easily access this service by downloading an application and paying directly from their phone. Many aspects of the business model that allowed companies such as Uber to be successful are seen with dock-less bikes, which has attracted many investors, especially in China. Over ninety percent of the biggest bike sharing programs began there, and they are continually looking to expand to countries around the world, creating a billion-dollar industry. This service has become an essential tool that has positively impacted many people around the world.


One of the primary reasons why investors are attracted to this business is the monetization possibilities that come from the collection of data within this system. Data mining in this industry has become a powerful tool for these investors to get their return on investment. The data that is collected comes from GPS chips that transmit location every second. This allows customers’ movements to be tracked, which can help the company and the city determine the most popular drop-off locations. Cities like South Bend in Indiana can use this data to consider the best places to construct new bike paths and protected bike lanes. Companies can also decide on the best places to build bigger parking spaces, a problem that cities like Amsterdam have seen during the rise of this industry. The most bike-friendly city in the world has experimented with the idea of banning dock-less bikes, as their stations take up useful public space from many pedestrians. However, this problem can be resolved through the collection of data. This could allow city officials to strategically place hubs for dock-less bikes in order to accommodate both the company and the people who rely on this service. Seattle, for example, has taken this data into account and used it to its advantage. The city optimizes its general bike infrastructure spending through analysis of the data collected by bikes.

The problem of privacy concerns the public, especially at a time when tech companies don’t have sophisticated privacy laws to follow. Serious implications could arise if hackers, for example, get access to this data and are able to collect information about someone’s daily bike route. Some suggest hiring independent auditors to check up on companies to make sure they are safeguarding a rider’s privacy. Facebook, for example, was created to improve social interactions between people, but over the past year, it is easy to see that its primary purpose is to collect personal data that is then sold to a third party. If the bike sharing industry stays true to its purpose, it will continue to benefit society so long as the data isn’t individualized or sold off to companies to make a profit.


Quantum Communications Prevent Hacking

In our class we have talked several times about our concerns with future security as the Internet becomes more and more dominant. We have talked about our concerns with hacking, losing our information, having our information stolen, and having our lives controlled by companies. We feel that this stuff will become a bigger threat as the Internet of Things becomes a possible reality; however, on the other front, while hacking possibilities and capabilities become bigger, so does our possible security.

A satellite launched in 2016 by Chinese researchers has created quantum cryptography, a method of cryptography which makes data much safer and theoretically “unhackable” by classical communications. It gives a quantum key which is unique and secure to the user. It is, for example, impossible to copy data encoded in a quantum state, and reading it while it is encoded would actually change the state itself and allow for detection of eavesdropping. Currently our encryption keys rely on mathematics in order to secure whatever we are doing. Though difficult to hack into and calculate, it is theoretically possible for a government with large computational powers to break into your information or for a genius mathematician to come up with a numerical system that could break the encryption key tomorrow. Quantum cryptography, however, uses the powers of quantum physics and particles to make it provably unhackable.
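The eavesdropping-detection property described above can be seen in a small classical simulation. This is an added example, not part of the original post: it assumes the standard BB84 protocol (the post names no protocol), an intercept-and-resend eavesdropper, and an illustrative 10% alarm threshold.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the encoded bit;
    measuring in the other basis gives a random outcome, which is the
    disturbance that 'reading changes the state' refers to."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def bb84_error_rate(n_photons, eavesdrop, seed=1):
    """Simulate BB84 and return the error rate Alice and Bob see on the
    sifted key (the positions where their bases happened to match)."""
    rng = random.Random(seed)
    errors = sifted = 0
    for _ in range(n_photons):
        a_bit, a_basis = rng.randint(0, 1), rng.choice("+x")
        bit, basis = a_bit, a_basis            # photon state in flight
        if eavesdrop:
            # Intercept-resend: Eve measures in a guessed basis and
            # forwards a fresh photon prepared in that same basis.
            e_basis = rng.choice("+x")
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        b_basis = rng.choice("+x")
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:                 # kept after public basis comparison
            sifted += 1
            errors += (a_bit != b_bit)
    return errors / sifted if sifted else 0.0

def channel_is_tapped(error_rate, threshold=0.10):
    """Illustrative alarm: the threshold value is an assumption of this example."""
    return error_rate > threshold

if __name__ == "__main__":
    for eve in (False, True):
        rate = bb84_error_rate(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: error rate {rate:.3f}, "
              f"tapped={channel_is_tapped(rate)}")
```

Without an eavesdropper the sifted key matches exactly; with one, about a quarter of the sifted bits disagree, which Alice and Bob can detect by publicly comparing a sample of the key.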

This satellite makes use of photons and quantum particles to communicate over long distances. Current problems with the idea are that long-distance communication is difficult to maintain and expensive. However, with this new breakthrough, quantum communication has become possible over 1,200 kilometers, which is 10 times farther than ever before. With this breakthrough we might come to see a much more secure world, one which does not need to worry about hacking anymore.

The biggest problem that I can see with this is the expense and the possible politics that may come out of it. Our system today is already so enveloped with the standard encryption that it may be difficult for people, whether it be companies or governments, to accept change because of its possible expense. However, I believe that it is a necessary expense and gateway to a much safer future. Marginal expenses from information theft will eventually exceed the lump sum expense from paying for satellites that are capable of quantum encryption and it is a future that I am willing to pay for to see.

Sources:

https://www.sciencenews.org/article/two-way-communication-possible-single-quantum-particle

https://www.popsci.com/what-is-quantum-cryptography

Is Hacking Possible to Avoid?

A week ago, hackers launched an astonishingly large attack on the internet, and they could do it because they had a vast number of internet-connected smart devices at their disposal. It’s far too easy to hack a large share of these kinds of gadgets, and The Atlantic shows just how fast this hacking can happen.

As an experiment, The Atlantic set up a fake internet toaster: a server designed to look as if it were an internet-connected device and a prime target for an attack. It came under attack within its first hour of existence, and the attacks are still continuing, as reported in The Atlantic’s post.

Smart devices are valuable to hackers because many hackers’ source of power comes not from what the devices under their control can do, but from how many of them there are. When using Distributed Denial of Service (DDoS) attacks, you mainly need to clobber your target with as much traffic as possible; whether it comes from a toaster or a tablet makes no difference at all.

The only real answer to this problem is to stay away from smart devices or make them harder to hack. In some cases, that can mean you should change the admin password on your new fridge, but in many cases it is up to manufacturers. Some webcams used in last week’s attack had their passwords hard-coded into their firmware, requiring a recall to fix.

So next time you find yourself considering a smart device over its dumb alternative, stop for a moment to think about whether you really need to add this bit of built-in capability to the internet, and how you can keep it from falling into the wrong hands.

Sources:

http://www.popularmechanics.com/technology/security/a23602/virtual-toaster-hacked-immediately/