Cyber-criminal gangs are mirroring the practices of legitimate businesses to drive efficiencies and increase profits
Monthly Archives: May 2023
Brute-Forcing a Fingerprint Reader
It’s neither hard nor expensive:
Unlike password authentication, which requires a direct match between what is inputted and what’s stored in a database, fingerprint authentication determines a match using a reference threshold. As a result, a successful fingerprint brute-force attack requires only that an inputted image provides an acceptable approximation of an image in the fingerprint database. BrutePrint manipulates the false acceptance rate (FAR) to increase the threshold so fewer approximate images are accepted.
BrutePrint acts as an adversary in the middle between the fingerprint sensor and the trusted execution environment and exploits vulnerabilities that allow for unlimited guesses.
In a BrutePrint attack, the adversary removes the back cover of the device and attaches the $15 circuit board that has the fingerprint database loaded in the flash storage. The adversary then must convert the database into a fingerprint dictionary that’s formatted to work with the specific sensor used by the targeted phone. The process uses a neural-style transfer when converting the database into the usable dictionary. This process increases the chances of a match.
With the fingerprint dictionary in place, the adversary device is now in a position to input each entry into the targeted phone. Normally, a protection known as attempt limiting effectively locks a phone after a set number of failed login attempts are reached. BrutePrint can fully bypass this limit in the eight tested Android models, meaning the adversary device can try an infinite number of guesses. (On the two iPhones, the attack can expand the number of guesses to 15, three times higher than the five permitted.)
The bypasses result from exploiting what the researchers said are two zero-day vulnerabilities in the smartphone fingerprint authentication framework of virtually all smartphones. The vulnerabilities—one known as CAMF (cancel-after-match fail) and the other MAL (match-after-lock)—result from logic bugs in the authentication framework. CAMF exploits invalidate the checksum of transmitted fingerprint data, and MAL exploits infer matching results through side-channel attacks.
Depending on the model, the attack takes between 40 minutes and 14 hours.
Also:
The ability of BrutePrint to successfully hijack fingerprints stored on Android devices but not iPhones is the result of one simple design difference: iOS encrypts the data, and Android does not.
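The attempt-limit bypass described above is a logic bug, not a cryptographic break, and the shape of the bug is easy to model. The following is an added example and not code from the BrutePrint paper, the Ars Technica article or any phone vendor: a toy fingerprint framework that compares multi-sample submissions against an enrolled template using a similarity threshold, a "cancel after match fail" adversary that appends a sample with a deliberately corrupted checksum so that a miss is turned into a transport error before the failure counter is charged, and a hardened framework that charges the attempt before comparing anything. The similarity function, checksum, threshold, attempt limit and dictionary are all simplifying assumptions.

```python
"""Toy model of the cancel-after-match-fail (CAMF) attempt-limit bypass.

Constructed example; not code from the BrutePrint paper, Ars Technica or any
vendor. Byte-equality similarity stands in for minutiae matching, SHA-256
stands in for the sensor data checksum, and the dictionary is synthetic.
"""
import hashlib
import random

MATCH_THRESHOLD = 0.90   # assumed: similarity at or above this counts as a match
MAX_ATTEMPTS = 5         # assumed: failed authentications before lockout


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of byte positions that agree (stand-in for a real matcher)."""
    return sum(x == y for x, y in zip(a, b)) / len(b)


def checksum(sample: bytes) -> bytes:
    return hashlib.sha256(sample).digest()


class NaiveFramework:
    """Counts a failure only after every sample was compared and none matched."""

    def __init__(self, enrolled: bytes):
        self.enrolled = enrolled
        self.failures = 0

    def authenticate(self, samples):
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        for image, tag in samples:
            if checksum(image) != tag:
                return "error"          # bug: returns before the failure is counted
            if similarity(image, self.enrolled) >= MATCH_THRESHOLD:
                self.failures = 0
                return "match"
        self.failures += 1
        return "no-match"


class HardenedFramework(NaiveFramework):
    """Charges the attempt up front, so a later transport error cannot cancel it."""

    def authenticate(self, samples):
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        self.failures += 1
        for image, tag in samples:
            if checksum(image) != tag:
                return "error"          # still counted as an attempt
            if similarity(image, self.enrolled) >= MATCH_THRESHOLD:
                self.failures = 0
                return "match"
        return "no-match"


def brute_force(framework, dictionary, camf=True):
    """Submit each dictionary entry. With camf=True the adversary-in-the-middle
    appends a sample whose checksum is wrong on purpose: on a miss the
    framework hits that sample next and aborts with an error instead of
    recording the failed attempt."""
    for tried, candidate in enumerate(dictionary, start=1):
        samples = [(candidate, checksum(candidate))]
        if camf:
            samples.append((bytes(len(candidate)), b"\x00" * 32))
        outcome = framework.authenticate(samples)
        if outcome in ("match", "locked"):
            return outcome, tried
    return "exhausted", len(dictionary)


def build_dictionary(enrolled: bytes, size=50, seed=0):
    """Constructed dictionary: random images plus one near-match (about 92%
    agreement) in the last slot, playing the role of the style-transferred
    entry that only has to approximate the enrolled print."""
    rng = random.Random(seed)
    entries = [bytes(rng.getrandbits(8) for _ in enrolled) for _ in range(size - 1)]
    near = bytearray(enrolled)
    for i in rng.sample(range(len(near)), len(near) // 12):
        near[i] ^= 0xFF
    entries.append(bytes(near))
    return entries


def run():
    """Returns (outcome, attempts) for the naive and the hardened framework."""
    enrolled = bytes(range(64))
    dictionary = build_dictionary(enrolled)
    naive = brute_force(NaiveFramework(enrolled), dictionary, camf=True)
    hardened = brute_force(HardenedFramework(enrolled), dictionary, camf=True)
    return naive, hardened


if __name__ == "__main__":
    print(run())
```

Against the naive framework the attacker walks the whole dictionary and lands on the approximate entry without ever being locked out; the hardened framework locks after the fifth submission regardless of how the submission ends. The general lesson is that any rate limiter must record the attempt before the work it is limiting begins, and must treat errors as attempts rather than as free retries.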
Introduction to the purpose of AWS Transit Gateway
Introduction
Look at the global, multi-site enterprise security architecture of a typical organization today and you will see a long list of concerns: rising complexity, the difficulty of managing many third parties, the difficulty of enforcing a consistent level of security across sites, and so on. Organizations therefore need to identify every opportunity to simplify, streamline and generally improve their infrastructure.
Managing that complexity is becoming increasingly difficult. Security controls are often only partially implemented, and keeping them consistent across sites is an ongoing challenge.
Terminology
AWS Region – a physical location around the world where AWS clusters data centers.
AWS Availability Zone (AZ) – is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
AWS Services – AWS offers a broad set of global cloud-based products, including compute, storage, database, analytics, networking, machine learning and AI, mobile, developer tools, IoT, security, enterprise applications, and more.
AWS Transit Gateway (TGW) – A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure.
Global/Multi-Site Enterprise Architecture
Many organizations run global, multi-site estates in which dated technology is spread across data centers and networks and mixed with newer systems, often with an uncounted number of third parties involved. These sites typically host multiple environments (Dev, QA, Pre-Prod and Prod) on a range of technologies across physical and virtual servers: databases, web servers, application servers and more.
Integrating legacy and new technologies makes changes challenging, and sometimes nothing short of a complete redesign of the existing infrastructure will do. Understandably, most organizations shy away from anything that looks like a significant upgrade or change. There are, however, solutions that can substantially improve operations and infrastructure without the usual complexity and implementation burden.
One such example is outlined below.
Example AWS Transit Gateway (TGW) Global Diagram
AWS Transit Gateway is a managed network service that gives companies with hybrid, global or multi-site estates a simpler, more secure network design that scales with the business. Traffic passing through the Transit Gateway can be routed through third-party security appliances such as Palo Alto Networks firewalls for inspection, which helps reduce the organization's risk footprint.
A Transit Gateway architecture consolidates the site-to-site VPN connections from your on-premises network into your AWS environment and provides connectivity between your team development and workload VPCs and your shared-services VPC. The information below should help you make an informed decision as you consider the recommended approach of using AWS Transit Gateway.
AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This simplifies your network and removes the need for a mesh of VPC peering relationships: the gateway acts as a cloud router, and each new network is connected once. Note that hub connectivity is not the same as unrestricted reachability. Which attachments can reach which is governed by the Transit Gateway route tables, so segmentation between, for example, development and production VPCs has to be designed into those route tables deliberately rather than assumed.
As you expand globally, inter-Region peering connects Transit Gateways together over the AWS global network. Peering traffic is encrypted automatically and never traverses the public internet. Because of its central position, AWS Transit Gateway Network Manager gives a single view of your entire network, including connected Software-Defined Wide Area Network (SD-WAN) devices.
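Because the route tables are what actually enforce segmentation through the hub, it is worth checking them rather than trusting the diagram. The following is an added example, not code from the original post or from AWS: it evaluates a Transit Gateway route table the way the gateway does (longest prefix wins, a blackhole route drops traffic) against a small reachability policy, so that a dev route table can be verified to reach shared services and on-premises while production stays unreachable. The JSON is a constructed stand-in for the output of `aws ec2 search-transit-gateway-routes` for the dev route table; the attachment, VPC and CIDR identifiers are placeholders.

```python
"""Offline segmentation check of a Transit Gateway route table.

Added example; not from the original post or from AWS. DEV_ROUTE_TABLE is a
constructed stand-in for `aws ec2 search-transit-gateway-routes` output for
the route table associated with the development VPC attachments. All IDs
and CIDRs are placeholders.
"""
import ipaddress
import json

DEV_ROUTE_TABLE = json.loads("""
{
  "Routes": [
    {"DestinationCidrBlock": "10.100.0.0/16", "Type": "propagated", "State": "active",
     "TransitGatewayAttachments": [
       {"TransitGatewayAttachmentId": "tgw-attach-shared", "ResourceId": "vpc-shared",
        "ResourceType": "vpc"}]},
    {"DestinationCidrBlock": "10.20.0.0/16", "Type": "static", "State": "blackhole"},
    {"DestinationCidrBlock": "10.0.0.0/8", "Type": "static", "State": "active",
     "TransitGatewayAttachments": [
       {"TransitGatewayAttachmentId": "tgw-attach-vpn", "ResourceId": "vpn-onprem",
        "ResourceType": "vpn"}]}
  ]
}
""")

# Assumed policy for the dev route table: shared services and on-prem are
# reachable, the production VPC (10.20.0.0/16) must be dropped at the hub.
POLICY = [
    ("10.100.5.10", "forward"),
    ("10.20.1.4", "blackhole"),
    ("10.250.0.9", "forward"),
]


def resolve(route_table: dict, destination: str):
    """Longest-prefix match as the Transit Gateway does it.

    Returns ("forward", attachment_id), ("blackhole", None) or ("no-route", None).
    """
    dst = ipaddress.ip_address(destination)
    best_net, best_route = None, None
    for route in route_table["Routes"]:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_route = net, route
    if best_route is None:
        return ("no-route", None)
    if best_route["State"] == "blackhole":
        return ("blackhole", None)
    attachments = best_route.get("TransitGatewayAttachments", [])
    if not attachments:
        return ("no-route", None)
    return ("forward", attachments[0]["TransitGatewayAttachmentId"])


def check_segmentation(route_table: dict, policy):
    """Returns a list of (destination, expected, actual) for every policy miss."""
    violations = []
    for destination, expected in policy:
        actual, _ = resolve(route_table, destination)
        if actual != expected:
            violations.append((destination, expected, actual))
    return violations


if __name__ == "__main__":
    print(check_segmentation(DEV_ROUTE_TABLE, POLICY))   # [] when the table is correct
```

The interesting failure mode is the broad summary route: without the more specific 10.20.0.0/16 blackhole, a production address would match 10.0.0.0/8 and be forwarded to the VPN attachment, silently exposing prod from dev. Running this check over the real output for each route table, on every change to the attachments, catches exactly that class of regression.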
General tips
Data transfer charges apply based on the source, destination, and amount of traffic. Here are some general tips for when you start planning your architecture:
Avoid routing traffic over the internet when connecting to AWS services from within AWS by using VPC endpoints:
VPC gateway endpoints allow communication to Amazon S3 and Amazon DynamoDB without incurring data transfer charges within the same Region.
VPC interface endpoints are available for some AWS services. This type of endpoint incurs hourly service charges and data transfer charges.
Use AWS Direct Connect rather than the internet for sending data to on-premises networks.
Traffic that crosses an Availability Zone boundary typically incurs a data transfer charge. Use resources from the local Availability Zone whenever possible.
Traffic that crosses a regional boundary will typically incur a data transfer charge. Avoid cross-Region data transfer unless your business case requires it.
Use the AWS Free Tier. Under certain circumstances, you may be able to test your workload free of charge.
Use the AWS Pricing Calculator to help estimate the data transfer costs for your solution.
Use a dashboard to visualize data transfer charges; the Data Transfer Cost Analysis Well-Architected Lab listed under the references below shows how.
Cybersecurity
The cybersecurity approach has to address the global enterprise architecture as a whole.
A collaborative approach means holding review meetings on the global enterprise architecture and its workflows.
Hold an introductory overview session to gather preliminary information for each of the areas listed above and to agree a phased, planned approach for introducing AWS Transit Gateway. The phases can include compliance with standards such as NIST.
This extensive security review would cover all the items listed in the prior sections and the required day-to-day business workflows from end to end: global/multi-site security certificates, data at rest, data in transit, networks, firewalls and other security devices, circuits and communications. Topics include strategy, securing the edge, risk-based cyber assessment, MTDR (Managed Threat Detection and Response) and endpoint/network security.
In the future, we will review other Cybersecurity offerings with AWS Services and the reasons why a company would want to invest in AWS Transit Gateway.
Conclusion
AWS provides the ability to deploy across multiple Availability Zones and Regions. This allows organizations to reduce the complexity of their architecture, improve overall performance, and increase dynamic scalability. By streamlining networks and removing unnecessary middlemen, organizations can also improve overall security by reducing risks associated with having multiple vendors while also increasing operational oversight across their infrastructure.
This blog post provided information to help you make an informed decision and explore different architectural patterns to save on data transfer costs. AT&T Cybersecurity offers services to assist you in your journey. You can review the references listed below to gain additional perspective.
References & Resources
AWS Transit Gateway
AWS Overview of Data Transfer Costs for Common Architectures
AWS Solutions Library
Cisco CSR1000V-Transit VPC with Transit Gateway
AWS Pricing Calculator
Cost and Usage Analysis Well-Architected Lab
Data Transfer Cost Analysis Well-Architected Lab
AWS Cost Optimization
[RT-SA-2023-005] Pydio Cells: Server-Side Request Forgery
Posted by RedTeam Pentesting GmbH on May 30
For longer running processes, Pydio Cells allows for the creation of
jobs, which are run in the background. The job “remote-download” can be
used to cause the backend to send a HTTP GET request to a specified URL
and save the response to a new file. The response file is then available
in a user-specified folder in Pydio Cells.
Details
=======
Product: Pydio Cells
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0,…
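A "fetch this URL into my workspace" job is a textbook server-side request forgery surface: the backend makes the request with its own network position, so the user-supplied URL must not be allowed to reach internal services, cloud metadata endpoints or loopback. The following is an added example of the mitigation class, not Pydio's code or its fix. It validates scheme and port, rejects any destination (literal or resolved) that is not a public address, handles IPv4-mapped IPv6 literals, and takes the resolver as a parameter so that the resolved addresses can be pinned for the actual connection; otherwise a name that resolves differently the second time (DNS rebinding) can pass the check and still hit an internal host. The fake DNS table and allowed-port policy are constructed assumptions.

```python
"""Outbound-fetch guard for a remote-download job (added example, not Pydio's code).

The resolver is injected so the check runs offline in this example and so
that callers can pin the returned addresses when connecting, which closes
the DNS-rebinding window between check and use.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumed policy
ALLOWED_PORTS = {80, 443}             # assumed policy

# Constructed DNS answers for the demonstration; a real resolver would be
# lambda h: [ai[4][0] for ai in socket.getaddrinfo(h, None)].
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host: str):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError(f"unknown host {host}")


def _is_public(ip) -> bool:
    """is_global is False for RFC 1918, loopback, link-local (including
    169.254.169.254 used by cloud metadata services), CGNAT and unspecified."""
    return ip.is_global and not ip.is_multicast


def check_download_url(url: str, resolver=fake_resolver):
    """Returns (ok, reason, pinned_ips). Connect only to pinned_ips, with the
    original hostname in the Host header / SNI, and do not follow redirects
    without re-running this check on the new location."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port", []
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []

    try:
        addresses = [ipaddress.ip_address(host)]          # literal IP
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except OSError as exc:
            return False, f"resolution failed: {exc}", []
    if not addresses:
        return False, "name resolves to nothing", []

    for ip in addresses:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped                           # ::ffff:10.0.0.1 -> 10.0.0.1
        if not _is_public(ip):
            return False, f"{ip} is not a public address", []
    return True, "ok", [str(a) for a in addresses]


if __name__ == "__main__":
    for u in ("https://example.com/report.pdf",
              "http://169.254.169.254/latest/meta-data/",
              "http://rebind.test/"):
        print(u, check_download_url(u))
```

Note that every answer a name resolves to has to be public, not just the first: a record set that mixes a public address with 127.0.0.1 is rejected outright, because the client library may pick either.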
[RT-SA-2023-004] Pydio Cells: Cross-Site Scripting via File Download
Posted by RedTeam Pentesting GmbH on May 30
Advisory: Pydio Cells: Cross-Site Scripting via File Download
Pydio Cells implements the download of files using presigned URLs which
are generated using the Amazon AWS SDK for JavaScript [1]. The secrets
used to sign these URLs are hardcoded and exposed through the JavaScript
files of the web application. Therefore, it is possible to generate
valid signatures for arbitrary download URLs. By uploading an HTML file
and modifying the download URL…
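A signature is only worth something if the party verifying it holds a key the requester does not, so a signing secret shipped in a JavaScript bundle lets every visitor mint a "presigned" URL for any path and any response headers. The following is an added example of the generic hardened pattern and is not Pydio's code or its fix: the server signs the path, expiry and the response disposition with a server-only key, and the download handler verifies the signature with a constant-time compare and refuses to serve the file inline, so an uploaded HTML file is delivered as an attachment rather than rendered in the application's origin. Key, paths and timestamps are constructed.

```python
"""Server-side signed download links (added example; not Pydio's implementation).

The key never leaves the server. Path, expiry and disposition are all bound
into the MAC, so changing any of them in the URL invalidates the signature.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit


def _canonical(path: str, expires_at: int, disposition: str) -> bytes:
    # Newline-separated fields so "/a" + "1" cannot collide with "/a1" + "".
    return f"{path}\n{expires_at}\n{disposition}".encode()


def sign_download(secret: bytes, path: str, expires_at: int,
                  disposition: str = "attachment") -> str:
    """Runs only on the server; returns a URL the client may use until expiry."""
    sig = hmac.new(secret, _canonical(path, expires_at, disposition),
                   hashlib.sha256).hexdigest()
    query = urlencode({"expires": expires_at, "disposition": disposition, "sig": sig})
    return f"{path}?{query}"


def verify_download(secret: bytes, url: str, now: int):
    """Returns (True, path) when the link is authentic, unexpired and safe to
    serve, otherwise (False, reason)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires_at = int(query["expires"][0])
        disposition = query["disposition"][0]
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    if now > expires_at:
        return False, "expired"
    if disposition != "attachment":
        # Serving user-uploaded content inline would render uploaded HTML
        # in the application's origin; only attachment delivery is allowed.
        return False, "inline delivery not allowed"
    expected = hmac.new(secret, _canonical(parts.path, expires_at, disposition),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, parts.path


if __name__ == "__main__":
    key = b"server-only-key"                     # constructed; load from a secret store
    link = sign_download(key, "/download/report.pdf", 1_700_000_000)
    print(link)
    print(verify_download(key, link, now=1_699_999_000))
    print(verify_download(key, link.replace("report.pdf", "payload.html"), now=1_699_999_000))
```

When serving the file, the handler should also set `Content-Disposition: attachment` and a `Content-Type` derived from server-side detection, not from the request, so that the signed disposition is enforced on the wire as well as in the check.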
[RT-SA-2023-003] Pydio Cells: Unauthorised Role Assignments
Posted by RedTeam Pentesting GmbH on May 30
Advisory: Pydio Cells: Unauthorised Role Assignments
Pydio Cells allows users by default to create so-called external users
in order to share files with them. By modifying the HTTP request sent
when creating such an external user, it is possible to assign the new
user arbitrary roles. By assigning all roles to a newly created user, access to
all cells and non-personal workspaces is granted.
Details
=======
Product: Pydio Cells
Affected…
Dark Web Data Leak Exposes RaidForums Members
USN-6115-1: TeX Live vulnerability
Max Chernoff discovered that LuaTeX (TeX Live) did not properly disable
shell escape. An attacker could possibly use this issue to execute
arbitrary shell commands.
USN-6116-1: hawk vulnerability
It was discovered that hawk incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
Upskilling the non-technical: finding cyber certification and training for internal hires
Finding qualified staff to replace vacancies or build out an expanding team can be a nightmare for already overburdened CISOs, especially given there’s a pernicious and ongoing shortage of skilled cybersecurity workers in the job market. One creative alternative to frustratedly trolling job-search sites is to look inward, rather than outward — to find capable, smart people already working at a company in other areas and train them to fill roles on the cyber team.
There are many benefits to upskilling over hiring anew: current employees don’t need to adjust to the corporate culture, they have institutional memory, they have relationships within the company, and they’re already in the human resources channel. The downside is their lack of training and certification — but that’s a small price to pay for gaining a talented team member.