Screen recording Android app found to be spying on users


A screen recorder app with over 50,000 downloads on Google Play Store was found to be discreetly recording audio using the device’s microphone and stealing files, suggesting it might be part of an espionage campaign, according to researchers at ESET.

iRecorder was a legitimate app when it was released in September 2021; the AhRat remote access trojan (RAT) was most likely added to it in 2022. The app is currently unavailable on the app store.


Brute-Forcing a Fingerprint Reader


It’s neither hard nor expensive:

Unlike password authentication, which requires a direct match between what is inputted and what’s stored in a database, fingerprint authentication determines a match using a reference threshold. As a result, a successful fingerprint brute-force attack requires only that an inputted image provides an acceptable approximation of an image in the fingerprint database. BrutePrint manipulates the false acceptance rate (FAR) to increase the threshold so fewer approximate images are accepted.

BrutePrint acts as an adversary in the middle between the fingerprint sensor and the trusted execution environment and exploits vulnerabilities that allow for unlimited guesses.

In a BrutePrint attack, the adversary removes the back cover of the device and attaches the $15 circuit board that has the fingerprint database loaded in the flash storage. The adversary then must convert the database into a fingerprint dictionary that’s formatted to work with the specific sensor used by the targeted phone. The process uses a neural-style transfer when converting the database into the usable dictionary. This process increases the chances of a match.

With the fingerprint dictionary in place, the adversary device is now in a position to input each entry into the targeted phone. Normally, a protection known as attempt limiting effectively locks a phone after a set number of failed login attempts are reached. BrutePrint can fully bypass this limit in the eight tested Android models, meaning the adversary device can try an infinite number of guesses. (On the two iPhones, the attack can expand the number of guesses to 15, three times higher than the five permitted.)

The bypasses result from exploiting what the researchers said are two zero-day vulnerabilities in the smartphone fingerprint authentication framework of virtually all smartphones. The vulnerabilities—one known as CAMF (cancel-after-match fail) and the other MAL (match-after-lock)—result from logic bugs in the authentication framework. CAMF exploits invalidate the checksum of transmitted fingerprint data, and MAL exploits infer matching results through side-channel attacks.

Depending on the model, the attack takes between 40 minutes and 14 hours.

Also:

The ability of BrutePrint to successfully hijack fingerprints stored on Android devices but not iPhones is the result of one simple design difference: iOS encrypts the data, and Android does not.

Other news articles. Research paper.


Introduction to the purpose of AWS Transit Gateway


Introduction

Look at the global/multi-site enterprise security architecture of an organization today and you see a myriad of concerns: increased complexity, difficulty managing multiple third parties, difficulty implementing consistent levels of security, and so on. This makes it imperative for organizations to identify opportunities to simplify, streamline, and generally improve their infrastructure wherever possible.

Managing this complexity is becoming increasingly difficult, and security is often only partially implemented, which is an ongoing challenge.

Terminology

AWS Region – a physical location around the world where AWS clusters data centers.
AWS Availability Zone (AZ) – one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
AWS Services – AWS offers a broad set of global cloud-based products, including compute, storage, database, analytics, networking, machine learning and AI, mobile, developer tools, IoT, security, enterprise applications, and more.
AWS Transit Gateway (TGW) – a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure.

Global/Multi-Site Enterprise Architecture

Many organizations run global/multi-site environments with dated technology spread throughout data centers and networks, mixed in with some newer technologies, and often with an uncounted number of third parties as well. These sites often include multiple environments (such as Dev, QA, Pre-Prod, and Prod) supported by numerous technologies spread across both physical and virtual servers, including database, web, and application servers, and more.

Modifications can be challenging when integrating legacy with new technologies, and sometimes a complete redesign of the existing infrastructure is required. Understandably, most organizations tend to shy away from anything that looks like a significant upgrade or change. Thankfully, there are solutions available that can substantially improve operations and infrastructure without the typical complexities and implementation challenges.

One such example is outlined below.

Example AWS Transit Gateway (TGW) Global Diagram

[Figure: AWS Transit Gateway diagram]

AWS Transit Gateway is a cloud-based tool that permits a simplified, secure networking approach for companies requiring a hybrid solution that can scale according to their global/multi-site enterprise business needs. The AWS Transit Gateway integrates with Palo Alto Security Devices, which helps to reduce the organization’s risk footprint.

AWS Transit Gateway architecture is used to consolidate site-to-site VPN connections from your on-premises network to your AWS environment and support connectivity between your team development and workload hosting VPCs and your infrastructure shared services VPC. This information will help you make a more informed decision as you consider the recommended approach of using AWS Transit Gateway.

AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once.

As you expand globally, inter-region peering connects AWS Transit Gateways together using the AWS global network. Your data is secured automatically and encrypted; it never travels over the public internet, only on the AWS Global Network. Because of its central position, AWS Transit Gateway Network Manager has a unique view over your entire network, even connecting to Software-Defined Wide Area Network (SD-WAN) devices.

General tips

Data transfer charges apply based on the source, destination, and amount of traffic. Here are some general tips for when you start planning your architecture:

Avoid routing traffic over the internet when connecting to AWS services from within AWS by using VPC endpoints:
  VPC gateway endpoints allow communication to Amazon S3 and Amazon DynamoDB without incurring data transfer charges within the same Region.
  VPC interface endpoints are available for some AWS services. This type of endpoint incurs hourly service charges and data transfer charges.
Use Direct Connect instead of the Internet for sending data to on-premises networks.
Traffic that crosses an Availability Zone boundary typically incurs a data transfer charge. Use resources from the local Availability Zone whenever possible.
Traffic that crosses a regional boundary will typically incur a data transfer charge. Avoid cross-Region data transfer unless your business case requires it.
Use the AWS Free Tier. Under certain circumstances, you may be able to test your workload free of charge.
Use the AWS Pricing Calculator to help estimate the data transfer costs for your solution.

Use a dashboard to better visualize data transfer charges; the AWS data transfer cost analysis workshop (listed in the references below) shows how.

Cybersecurity

A cybersecurity approach for a global enterprise architecture should define how each part of that architecture is addressed.

A collaborative approach, with regular meetings to review the global enterprise architecture and workflows, makes this possible.

Hold an introductory overview session to gather the preliminary information for each of the sections listed above and in relation to a phased/planned approach for introducing the AWS Transit Gateway. The phases can include compliance with standards such as NIST.

This extensive security approach would cover all the items listed in the prior sections and the required daily business workflows from end to end.

It covers global/multi-site security certificates, data at rest, data in transit, networks, firewalls/security devices, circuits, and communications. Topics include strategy, securing the edge, risk-based cyber assessment, MTDR (Managed Threat Detection and Response), and endpoint/network security.

In the future, we will review other Cybersecurity offerings with AWS Services and the reasons why a company would want to invest in AWS Transit Gateway.

Conclusion

AWS provides the ability to deploy across multiple Availability Zones and Regions. This allows organizations to reduce the complexity of their architecture, improve overall performance, and increase dynamic scalability. By streamlining networks and removing unnecessary middlemen, organizations can also improve overall security by reducing risks associated with having multiple vendors while also increasing operational oversight across their infrastructure.

This blog post provided information to help you make an informed decision and explore different architectural patterns to save on data transfer costs. AT&T Cybersecurity offers services to assist you in your journey. You can review the references listed below to gain additional perspective.

References & Resources

AWS Transit Gateway
AWS Overview of Data Transfer Costs for Common Architectures
AWS Solutions Library
Cisco CSR1000V-Transit VPC with Transit Gateway
AWS Pricing Calculator
Cost and Usage Analysis Well-Architected Lab
Data Transfer Cost Analysis Well-Architected Lab
AWS Cost Optimization

Clearscale Blog


[RT-SA-2023-005] Pydio Cells: Server-Side Request Forgery


Posted by RedTeam Pentesting GmbH on May 30

For longer running processes, Pydio Cells allows for the creation of
jobs, which are run in the background. The job “remote-download” can be
used to cause the backend to send a HTTP GET request to a specified URL
and save the response to a new file. The response file is then available
in a user-specified folder in Pydio Cells.

Details
=======

Product: Pydio Cells
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0,…


[RT-SA-2023-004] Pydio Cells: Cross-Site Scripting via File Download


Posted by RedTeam Pentesting GmbH on May 30

Advisory: Pydio Cells: Cross-Site Scripting via File Download

Pydio Cells implements the download of files using presigned URLs which
are generated using the Amazon AWS SDK for JavaScript [1]. The secrets
used to sign these URLs are hardcoded and exposed through the JavaScript
files of the web application. Therefore, it is possible to generate
valid signatures for arbitrary download URLs. By uploading an HTML file
and modifying the download URL…


[RT-SA-2023-003] Pydio Cells: Unauthorised Role Assignments


Posted by RedTeam Pentesting GmbH on May 30

Advisory: Pydio Cells: Unauthorised Role Assignments

Pydio Cells allows users by default to create so-called external users
in order to share files with them. By modifying the HTTP request sent
when creating such an external user, it is possible to assign the new
user arbitrary roles. By assigning all roles to a newly created user, access to
all cells and non-personal workspaces is granted.

Details
=======

Product: Pydio Cells
Affected…
