Wednesday, November 22, 2017

Key Windows 10 Anti-Malware Tech Critically Broken


Over a decade ago, Microsoft added support for a key malware mitigation technique that makes it harder for rogue applications to predict which code will be loaded into specific target addresses. This technique, called address space layout randomization (ASLR), stores data in different locations each and every time the application is run. If your code is riddled with security flaws, ASLR won’t secure it, but it will (hopefully) make it a little harder to find and therefore exploit. Or at least, that’s how it’s supposed to work — but Windows 10, it turns out, has a teensy little problem. It stores its supposedly randomized data in exactly the same place, each and every time.

To understand the magnitude of the failure, it may help to think of a loose analogy. Imagine you have an insecure mailbox that’s constantly being robbed. One hypothetical way to deal with this problem is to have many mailboxes scattered across your property. Each day, your long-suffering postal worker puts your mail (4-5 pieces) in a subset of available mailboxes (let’s say, 30 mailboxes total). A person could still search your property and find them, but it’s going to take longer and be more obvious.

Actually, with Windows 7 and EMET System-wide ASLR, the loaded address for eqnedt32.exe is different on every reboot. But with Windows 10 with either EMET or WDEG, the base for eqnedt32.exe is 0x10000 EVERY TIME.
Conclusion: Win10 cannot enforce ASLR as well as Win7! pic.twitter.com/Jp10nqk1NQ

— Will Dormann (@wdormann) November 15, 2017

Now, imagine that instead of putting your 4-5 pieces of mail in up to five different locations, your mailman stuck it in exactly the same locations, each and every time. That’s more or less what’s happening here and it’s a problem afflicting both Windows 8 and Windows 10. Without any entropy (randomness), there’s no protection offered at all.

There are two ways to enable ASLR. One is to use the /DYNAMICBASE flag provided by the Visual C++ linker. This method still works perfectly, as far as anyone can tell. But since relying on programmers or vendors to always keep their code properly secure is a recipe for disaster, Microsoft also provides tools to force applications to use ASLR whether they’re designed to do so or not. This capability is baked into the Fall Creators Update as the Windows Defender Exploit Guard and was previously available as Microsoft EMET (Enhanced Mitigation Experience Toolkit), a GUI for enabling security measures already baked into the OS. The screenshot below shows the newer Defender Exploit Guard baked into Windows 10 FCU.

The problem is this: Microsoft’s default ASLR implementation apparently fails to activate a key part of ASLR known as “bottom-up ASLR.” Microsoft’s own technical documentation describes bottom-up ASLR as a method of assigning a base address by searching “for a free region starting from the bottom of the address space (e.g. VirtualAlloc default).” Enabling ASLR without simultaneously enabling bottom-up ASLR means that memory values are stored in exactly the same location each and every time. Here’s how CERT describes the problem:

Although Windows Defender Exploit guard does have a system-wide option for system-wide bottom-up-ASLR, the default GUI value of “On by default” does not reflect the underlying registry value (unset). This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems. Windows 8 and newer systems that have system-wide ASLR enabled via EMET or Windows Defender Exploit Guard will have non-DYNAMICBASE applications relocated to a predictable location, thus voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier.

It finishes on the cheery note that there’s no practical solution to the problem currently available for deployment, but individuals can re-enable the protection ASLR is supposed to provide by importing the following registry key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00

As always, we do not recommend mucking about in the registry unless you are certain you know what you’re doing. US-CERT has some additional details on both the problem and this fix available on its website. And yes, Windows 7 users, you get to preen a bit — this problem does not affect your operating system.

By Joel Hruska on November 20, 2017 at 3:12 pm

Microsoft Issues Black Friday Malware Warning: What You Need To Know

Microsoft Malware Protection Centre (MMPC) issued a warning Tuesday regarding a malware attack linked to Black Friday. In a tweet, it identified a malicious document called “eMAG- Catalog Oferta Black Friday2017.doc” as the threat.

Apparently, this document would try to exploit DDE so that it could run a remote HTML application. DDE refers to Dynamic Data Exchange, a mode of interprocess communication used by the Windows operating system. Using DDE, a program can access items made available by a different program. For instance, a program could access a single cell in an MS Excel spreadsheet used by another program. Using DDE, the first program could even get notified whenever a change is made in that particular cell.

Though other modes of interprocess communication, like Object Linking and Embedding (OLE), are also in use, DDE is frequently chosen because of its simplicity. This means the threat Microsoft warned about could affect a wide digital landscape.

Microsoft clarified that the use of HTA (HTML Application) in the new malware differs from a previous DDE-based malware that used PowerShell. (PowerShell is the task automation and configuration framework created by Microsoft; its scripting language was made open source in August 2016.)

But the new malware uses a different strategy: it links to a URL that has the word “test” in it. According to MMPC, this link currently remains inaccessible. Microsoft’s current theory is that cybercriminals would distribute a functional version of the malware using a spam campaign in the days immediately prior to Black Friday. The company said that Windows Defender AV would detect the malware as “Exploit:O97M/DDEDownloader.E”, but it said nothing about whether other antivirus programs would be able to spot it too.

So, come Black Friday, shop to your heart’s content but be on the lookout for this particular threat in your digital devices.

BY DHINOJ DINGS ON 11/21/17 AT 11:36 PM

How to lock down your web browser security

They shall not pass.


BY DAVID NIELD 7 DAYS AGO

These days we all spend a lot of our computing time peering through web browser windows, which means these programs are some of the biggest targets for hackers and malware. The good news is, keeping your browser safe and secure isn't too difficult a task.

You don't have to spend a whole afternoon or evening putting up the defences in your browser of choice, but it is worth spending a few minutes to make sure everything is locked down - follow these guidelines to minimise your risk of getting caught out online.

UPDATE YOUR BROWSER


You might not have realised it, but modern browsers are packed with security features designed to stop you from visiting dodgy websites and to prevent sites from taking control of your computer. To make sure these features are always present and correct, and guarding against the latest threats, keep your browser software updated.

Applying updates is in fact so important that most browsers make it very hard not to be running the latest version of the software, with patches and bug fixes applied in the background most of the time.

If you want to make sure you're running the latest version of your browser, open up the browser menu and choose Help then About Google Chrome (Chrome) or Help then About Firefox (Firefox). Updates for Microsoft Edge and Apple Safari are handled together with updates for the OS as a whole.

LOOK FOR THE GREEN PADLOCK


When you see a green padlock in the address bar of your browser, that means you've opened a site that uses HTTPS - simply speaking, the more secure version of the HTTP standard that most websites use.

Among the extra security measures that HTTPS brings with it is a method for checking that you really are connected to the site that you think you are. What's more, it encrypts data as it travels between your computer and the website, so someone sat behind you in a coffee shop can't intercept the information being sent.

You should make sure you can see the HTTPS green padlock whenever you're entering sensitive information into your web browser, and many sites, from banking sites to social networks, now use it by default.

CUT DOWN ON THE EXTENSIONS


Browser extensions can be very useful, but they also tend to be granted some pretty sweeping permissions regarding what they can do with the websites you visit and anything you type into your browser.

Most of the browser add-ons you've installed are probably perfectly safe, but it's a good idea to stick to the ones you use regularly and trust, and get rid of the extensions that have become outdated or that you don't open much any more. There should be an option to do this somewhere inside your browser's settings screen.

As an added bonus, you might find your browser running that little bit more smoothly and more quickly once you've got rid of a few add-ons that were just taking up space.

PROTECT YOUR ONLINE ACCOUNTS


This isn't specifically related to your browser, but there are a host of ways you can keep your online accounts safe, from making sure you use different passwords on each one, to always logging off when using public computers.

If two-step authentication is offered, where you need a username, a password and a mobile code to gain access on a new device, take advantage of it. It's available on most major online accounts, including those from Apple, Google, Microsoft and Facebook.

Many accounts also have a feature where you can review recent logins for suspicious activity. On the Facebook site, for example, click Settings from the drop-down menu on the toolbar, then pick Security and login from the menu on the left.

PROTECT YOUR WINDOWS AND MAC OS ACCOUNTS


You probably have your browser set to remember all your passwords and other login details, and there's nothing wrong with that, but it also means that anyone who opens up your browser can then jump straight into Facebook, Twitter and so on.

To stop this from happening, make sure you and anyone else who uses the computer are given separate, password-protected user accounts. That should be enough to stop anyone from casually wandering by, picking up your laptop, and making off with access to all of your personal accounts.

Make sure the password lock screen appears after a set period of inactivity too - on Windows you need to open Settings then go to Accounts and Sign-in options (to force a password prompt); and then System and Power & sleep (to set the sleep time-out). On macOS, head to Security & privacy from System Preferences.

INSTALL A VPN


VPNs, or Virtual Private Networks, add an extra layer of security to your browser, essentially creating a secure, encrypted tunnel between you and the websites you visit. They're especially useful when you're on public Wi-Fi in coffee shops and hotels.

We don't have space for a full VPN round-up here but this article should give you a few ideas. It's worth paying a small fee every month for your service, as free options tend to be slow and not quite as secure as premium-level ones.

VPNs are less important on a home network, but wherever you use your computer, they make it harder for hackers to intercept the sites you're visiting and to spy on the data you're entering into your browser.

Windows 8 and Later Fail to Properly Apply ASLR, Here's How to Fix It



Windows 8, Windows 8.1, and subsequent Windows 10 variations fail to properly apply ASLR, rendering this crucial Windows security feature useless.

Address Space Layout Randomization (ASLR) is a computer security technique that randomizes the memory address where application code is executed.

ASLR made its debut in OpenBSD, in 2003, and since that time it's been added to all major operating systems, including Linux, Android, macOS, and Windows.

Microsoft added ASLR in Windows with the release of Vista, in 2006. In order to enable the feature, users had to install Microsoft EMET and use its GUI to enable ASLR in system-wide and/or application-specific states.

With the release of the Windows 10, ASLR was added to the Windows Defender Exploit Guard, and users can now enable it via the Windows Defender Security Center (under App & Browser control and then Exploit protection settings).

While looking into a recently disclosed 17-year-old vulnerability affecting the Microsoft Office equation editor, CERT/CC vulnerability analyst Will Dormann discovered that ASLR was not randomizing the memory code locations of application binaries in specific conditions.

ASLR fails because of a modified registry value

According to Dormann, when users turned on system-wide ASLR protection, a bug in the feature's implementation on Windows 8 and later would not generate enough entropy (random data) to start application binaries in random memory locations.

"The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems," Dormann said today in a CERT alert he wrote on the topic.

"Actually, with Windows 7 and EMET System-wide ASLR, the loaded address for eqnedt32.exe is different on every reboot. But with Windows 10 with either EMET or WDEG, the base for eqnedt32.exe is 0x10000 EVERY TIME."
Conclusion: Win10 cannot enforce ASLR as well as Win7! pic.twitter.com/Jp10nqk1NQ

— Will Dormann (@wdormann) November 15, 2017

This is the equivalent of ASLR not being enabled at all, which means users are open to banal code reuse attacks that read an application's memory space and tailor malicious code to target that location every time.

The researcher says this issue affects only Windows 8 and later because Microsoft changed the registry values through which it started ASLR.

Workaround available

Dormann says that users must enable ASLR in a system-wide bottom-up configuration in order for ASLR to work properly.

While Microsoft is expected to fix the issue in a future patch, currently, the only way of starting ASLR in the proper configuration is by tinkering with the Windows Registry. US CERT/CC provided the following workaround.

Step 1: Create a blank text file and enter the following text:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00


Step 2: Save the file with a .reg extension, for example, ASLR.reg.
Step 3: Open the Windows Registry Editor by searching for "regedit" in your Start menu.
Step 4: Select the File menu option and choose to import the .reg file you just created above.
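As an added illustration (not from US-CERT, Bleeping Computer or ExtremeTech), the Python script below decodes the MitigationOptions value in the .reg file above, reports the state of its force-relocate and bottom-up fields, and flags the exact misconfiguration both articles describe: mandatory ASLR on while bottom-up ASLR is not. The field positions follow the PROCESS_CREATION_MITIGATION_POLICY_* constants in the Windows SDK headers, which the system-wide value shares (as the 00,01,01,00 pattern in the fix shows); the "force-relocate only" sample is a constructed value modelling the unset bottom-up setting.

```python
"""Decode the kernel MitigationOptions value from a .reg export and check
whether mandatory (force-relocate) ASLR is paired with bottom-up ASLR.
Added example; shift positions follow the PROCESS_CREATION_MITIGATION_POLICY_*
constants of the Windows SDK, which the system-wide value shares."""
import re

# Each policy is a two-bit field: 01 = always on, 10 = always off,
# 11 = always on and require relocations (force-relocate only).
FIELDS = {
    "force_relocate_images": 8,   # mandatory ASLR for images built without /DYNAMICBASE
    "bottom_up_aslr": 16,         # randomise bottom-up allocations (the missing piece)
    "high_entropy_aslr": 20,      # 64-bit high-entropy variant
}
STATE = {0: "default", 1: "always on", 2: "always off", 3: "always on, require relocs"}


def parse_reg_hex(line: str) -> int:
    """Parse a '"MitigationOptions"=hex:aa,bb,...' line into an integer.
    REG_BINARY bytes are little-endian; the kernel reads the first 8 as a QWORD."""
    m = re.search(r"=hex:([0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)", line)
    if not m:
        raise ValueError("not a REG_BINARY hex line")
    data = bytes(int(b, 16) for b in m.group(1).split(","))
    return int.from_bytes(data[:8], "little")


def decode(options: int) -> dict:
    """Map each known two-bit field to its textual state."""
    return {name: STATE[(options >> shift) & 0b11] for name, shift in FIELDS.items()}


def assess(options: int) -> tuple:
    """Return (randomised, verdict). randomised is False in the misconfiguration
    CERT describes: images are forcibly relocated but bottom-up ASLR is not on."""
    force = (options >> FIELDS["force_relocate_images"]) & 0b11
    bottom_up = (options >> FIELDS["bottom_up_aslr"]) & 0b11
    if force not in (1, 3):
        return (False, "mandatory ASLR not enforced; non-/DYNAMICBASE images keep their preferred base")
    if bottom_up != 1:
        return (False, "mandatory ASLR without bottom-up ASLR: images relocated to the same base every time")
    return (True, "mandatory ASLR with bottom-up ASLR: relocated images get a randomised base")


def build_reg_line(force_relocate: bool = True, bottom_up: bool = True) -> str:
    """Emit the .reg line for the requested fields (16 zero-padded bytes, as in CERT's fix)."""
    options = 0
    if force_relocate:
        options |= 1 << FIELDS["force_relocate_images"]
    if bottom_up:
        options |= 1 << FIELDS["bottom_up_aslr"]
    return '"MitigationOptions"=hex:' + ",".join(f"{b:02x}" for b in options.to_bytes(16, "little"))


if __name__ == "__main__":
    # The CERT fix, and a constructed value with only force-relocate set
    # (modelling the unset bottom-up registry value the articles describe).
    samples = [("CERT fix", build_reg_line()),
               ("force-relocate only (constructed)", build_reg_line(bottom_up=False))]
    for label, line in samples:
        opts = parse_reg_hex(line)
        print(f"{label}: {line}\n  fields={decode(opts)}\n  verdict={assess(opts)[1]}")
```

Running it against an exported copy of the Session Manager\kernel key tells you whether a machine is in the predictable-base state before and after importing the fix.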

Optionally, Bleeping Computer has created an ASLR registry fix file that users only need to download and double-click.

How to delete downloaded Windows Update files



Windows Update works for the most part pretty reliably. It is an automated system of Microsoft's Windows operating system that handles the downloading and installing of updates for the operating system.

At best, it is a silent service that runs in the background; it may ask you to restart the PC every now and then though as that is still required for many updates.

When you run into issues though with updates, you may spend hours or even days figuring out what is going wrong.

I cannot update one of my PCs to the Windows 10 Fall Creators Update for instance because of a bluescreen that I get whenever I try.

One of the things that you can try when it comes to updates, is to delete downloaded Windows Update files to start over.

If you suspect that something is wrong with the files, or if you want Windows Update to run a new check for updates to download new versions of updates that were released by Microsoft, then you may find the following tip useful for that.

If you run Windows Insider builds on a PC for instance, you may skip an already downloaded update to a new build to download a newer build and avoid having to update the system multiple times.

How to delete downloaded Windows Update files

It is thankfully pretty easy to delete all cached update files. This works on all supported versions of Windows, including Windows 7, Windows 8.1 and Windows 10.
  • Go to C:\WINDOWS\SoftwareDistribution\Download using Explorer or any third-party file browser. If you navigate to the folder manually, you may need to enable the showing of hidden files first.
  • Select all files of the folder. The easiest way to do that is to use Ctrl-A while the folder is active.
  • Hit the Delete key on the computer keyboard.
  • Windows may need administrator privileges to delete certain files. Select "do this for all current items" and click continue to grant the permissions.

Ransomware-spreading hackers sneak in through RDP – Naked Security

by Mark Stockley



Thanks to Sophos security experts Peter Mackenzie and Paul Ducklin for their behind-the-scenes work on this article.



If there’s an unexploited niche caused by insecure software or behaviour then sooner or later a crook is going to wiggle into it and attempt to use it as a way to make money from someone else’s misery.



Sophos has recently uncovered a new ecological niche in the great internet hack-o-sphere that’s equal parts low-cunning and directness: crooks who are breaking into computers one at a time and running ransomware on them manually – clickety click – in the same way that you might run Word, Notepad or Solitaire.



Let me do that!

We normally think of ransomware as something that’s catapulted into victims’ computers using some form of mass distribution.



For example, the criminals behind WannaCry and NotPetya used a stolen NSA exploit to create worms that copied themselves from one computer to another, encrypting files, demanding ransoms and creating mayhem as they zig-zagged through and between networks.



More common still is phishing. Why bother with worms and exploits when you can simply sign up for crimeware online and click a button to crank out booby-trapped email attachments?



Phishing is a numbers game: most of your emails won’t get through, many of those that do will go unread, and even those that get opened may find themselves hitting a brick wall – a patched system, for example, or a user who realises that something phishy is going on and stops just short of getting infected.



The phishing crooks only make money if they can repeatedly find new ways to persuade users to open emails and do things their IT team have warned them about, such as saving attachments to disk and then launching them, or opening Office documents and deliberately enabling macros.



For this reason, some cybercriminals have decided that if you want something doing properly, you have to do it yourself.



The attack

Many companies, notably small businesses, outsource their IT to, or pay for lots of help from, outside contractors.



These contractors might live in another part of town, or elsewhere in the country, or even on the other side of the world.



To let remote sysadmins look after your Windows networks, the most widely-used tool is Microsoft’s own Remote Desktop Protocol, or RDP for short.

RDP, for those who haven’t used it, effectively turns your IT guy’s laptop into a remote screen, keyboard and mouse connected over the internet to your local computer.



When they move their mouse in the RDP client software far away, they’re controlling your computer; when a software dialog pops up, they see it on their remote computer.



RDP is like being right there, and allows remote use even of fully-graphical applications that can’t be scripted or operated via a command prompt.



In other words, the RDP password you’ve chosen for your remote sysadmin (or that you’ve let them choose for themselves) is essentially the key to your office – a weak password is like a server room door that’s propped open, inviting any passing snooper to take a look inside.



So, if the crooks notice that you’ve got RDP open to the internet, for example by using a network search engine such as Shodan, you can be sure they’ll take a poke around.



Sophos security experts who’ve investigated a spate of recent RDP attacks have frequently found evidence that a tool called NLBrute was used to try a whole range of RDP passwords – a so-called brute force attack – in the hope of sneaking in.



Once they’ve got your RDP password – whether they use NLBrute, or simply look you up on Facebook to find your birthday and your pet’s name – they’ll logon and immediately create various brand new administrative accounts.



That way, even if you get rid of the crooks and change your own admin password, they’ve already got backup accounts they can use to sneak back in later.



What next?

Once they’re in, here’s what you can expect to happen next, based on what we’ve seen in a number of attacks we’ve investigated:



  • The crooks download and install low-level system tweaking software, such as the popular Process Hacker tool.


Tools of this sort are regularly used by legitimate sysadmins for troubleshooting and emergency recovery, especially if they use kernel drivers to let you pull off modifications that the operating system usually prevents. This includes killing off processes that usually disallow shutdown, deleting locked files, and changing configuration settings that are usually locked down.



  • The crooks turn off or reconfigure anti-malware software, using the newly-installed tweaking tools.


The crooks go after the passwords of administrator accounts so that they’ll enjoy all the power of a legitimate sysadmin. If they can’t get an admin password, they may try logging in as a regular user and running hacking tools that try to exploit unpatched vulnerabilities to get what’s called EoP, or elevation of privilege.



EoP means that already logged-on users can sneakily promote themselves to more powerful accounts. We’ve seen EoP tools left behind on attacked systems that tried to abuse vulnerabilities dubbed CVE-2017-0213 and CVE-2016-0099, patched by Microsoft back in May 2017 and March 2016 respectively.



  • The crooks turn off database services (e.g. SQL) so that vital database files can be attacked by malware.


Files such as SQL databases are usually locked while the database server software is active, as a precaution against corruption that could be caused by concurrent access by another program. The side-effect of this is that malware can’t get direct access to database files either, and therefore can’t scramble them to hold them to ransom.



  • The crooks turn off Volume Shadow Copy (the Windows live backup service) and delete any existing backup files.


Shadow copies act as real-time, online backups that can make recovery from ransomware a quick and easy process. That’s why crooks often go looking for shadow copies first to remove them.



You can guess what happens next.



  • The crooks upload and run ransomware of their choice.


Because they’ve used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet “for free”.



The crooks don’t have to worry about using the latest and greatest malware, or setting up a command-and-control server, or running a hit-and-hope spam campaign.



In one attack, we saw a folder on the desktop containing four different types of ransomware. The crooks ran each in turn, until one of them worked.



How much is the ransom?

Many ransomware attacks are distributed indiscriminately, and therefore rely on a “pay page” – a Dark Web server set up specially to tell victims how much to pay, and how to pay it.



But these RDP crooks are already personally involved to the extent of logging into your network themselves, so there’s often what you might call a “personal touch”.



Rather than automatically squeezing you via a website, you’ll probably see a pop-up something like this, telling you to make contact via email to “negotiate” the release of your data:



At the time of writing the Bitcoin address used by that attacker contained BTC 9.62, currently worth just over $60,000.

Only one of the transactions matched the 1 BTC amount demanded in the ransom, which might indicate that the account is being used for other activities at the same time, or that some victims managed to negotiate a lower price.


The victims

The victims of this kind of attack are almost always small-to-medium companies: the largest business in our investigation had 120 staff, but most had 30 or fewer.

With small scale comes a dependence on external IT suppliers or “jack-of-all-trades” IT generalists trying to manage cybersecurity along with many other responsibilities.

In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff.

What to do?

  • If you don’t need RDP, make sure it’s turned off. Remember to check every computer on the network: RDP can be used to connect to servers, desktops and laptops.
  • Consider using a Virtual Private Network (VPN) for connections from outside your network. A VPN such as the one in Sophos XG Firewall and Sophos UTM requires outsiders to authenticate with the firewall first, and to connect from there to internal services. This means software such as RDP never needs to be exposed directly to the internet.
  • Use two-factor authentication (2FA) wherever you can. Sophos XG Firewall and Sophos UTM support 2FA, so that you need a one-time logon code every time. If crooks steal or guess your password, it’s no use on its own.
  • Patch early, patch often. This prevents crooks exploiting vulnerabilities against your network as quickly as possible, thus reducing your exposure to danger.
  • After an attack, check to see what the crooks have changed. Don’t just remove the malware or apply the missed patches and be done with it. Especially check for added applications, altered security settings, and newly-created user accounts.
  • Set a lockout policy to limit password guessing attacks. With three guesses at a time followed by a five-minute lockout, a crook can only try out 12 x 3 = 36 passwords an hour, which makes a brute force attack impractical.
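To make the last bullet's arithmetic concrete, and to let you check other threshold and lockout combinations, here is an added Python model of an account-lockout policy (not from the Sophos article). It feeds a stream of timestamped wrong-password attempts through the policy and counts how many are actually evaluated against the password, which is the throughput a brute-force tool is left with; the counter-reset behaviour is a simplification and is an assumption of this model rather than a description of Windows' exact implementation.

```python
"""Model an account-lockout policy and measure the password-guessing throughput
it leaves an RDP brute-forcer. Added example, not from the Sophos article; the
counter-reset behaviour is a simplified assumption, not Windows' exact logic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 3          # failed logons before the account locks (0 = no lockout)
    lockout_seconds: int = 300  # how long the account stays locked
    reset_seconds: int = 300    # idle time after which the failure counter resets (assumed)


def evaluated_guesses(policy: LockoutPolicy, attempt_times) -> int:
    """Feed timestamped wrong-password attempts (seconds, ascending) through the
    policy and return how many were actually checked against the password.
    Attempts arriving while the account is locked are refused unchecked."""
    failures = 0
    last_failure = None
    locked_until = -1
    checked = 0
    for t in attempt_times:
        if t < locked_until:
            continue                      # refused without evaluating the password
        if last_failure is not None and t - last_failure >= policy.reset_seconds:
            failures = 0                  # observation window expired
        checked += 1
        failures += 1
        last_failure = t
        if policy.threshold > 0 and failures >= policy.threshold:
            locked_until = t + policy.lockout_seconds
            failures = 0                  # counter restarts after the lockout
    return checked


def guesses_per_hour_bound(policy: LockoutPolicy) -> int:
    """Closed-form bound the article uses: threshold guesses per lockout period."""
    if policy.threshold <= 0:
        raise ValueError("no lockout configured; throughput is limited only by the network")
    return policy.threshold * (3600 // policy.lockout_seconds)


if __name__ == "__main__":
    one_hour = range(3600)                # constructed: one wrong guess every second
    for policy in (LockoutPolicy(),
                   LockoutPolicy(threshold=5, lockout_seconds=900),
                   LockoutPolicy(threshold=0)):
        print(policy, "->", evaluated_guesses(policy, one_hour), "guesses checked in an hour")
```

With the article's 3-guess, 5-minute policy the simulation lands on the same 36 guesses an hour as the closed-form bound; with no lockout at all every one of the 3,600 attempts reaches the password check.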

If you’re using a third-party IT company and they haven’t already suggested the precautions we’ve listed above, why not ask them why, and ask yourself if they’re the right people to be looking after your network?

Be careful out there – don’t let the Remote Desktop Protocol for your IT team turn into a Ransomware Deployment Process for criminals.




Mozilla terminates its deal with Yahoo and makes Google the default in Firefox again | TechCrunch

Posted Nov 14, 2017 by Frederic Lardinois (@fredericl)



With the launch of Firefox Quantum, Mozilla released what’s probably the most important update to its browser in recent years. It’s faster, lighter and you should give it a try. And as you do so, you’ll notice another change: Google is now the default search engine again — at least if you live in the U.S., Canada, Hong Kong and Taiwan.



In 2014, Mozilla struck a deal with Yahoo to make it the default search engine provider for users in the U.S., with Google, Bing, DuckDuckGo and others as options. While it was a small change, it was part of a number of moves that turned users against Firefox because it didn’t always feel as if Mozilla had the user’s best interests in mind. Firefox Quantum (aka, Firefox 57), is the company’s effort to correct its mistakes and it’s good to see that Google is back in the default slot (Disclaimer: TechCrunch is part of Oath, Verizon’s roll-up of AOL and Yahoo, though nobody at TechCrunch that I know has ever willingly used Yahoo Search).



When Mozilla announced the Yahoo deal in 2014, it said that this was a five-year deal. Those five years are obviously not up yet. We asked Mozilla for a bit more information about what happened here.



“We exercised our contractual right to terminate our agreement with Yahoo! based on a number of factors including doing what’s best for our brand, our effort to provide quality web search, and the broader content experience for our users. We believe there are opportunities to work with Oath and Verizon outside of search,” Mozilla Chief Business and Legal Officer Denelle Dixon said in a statement. “As part of our focus on user experience and performance in Firefox Quantum, Google will also become our new default search provider in the United States, Canada, Hong Kong and Taiwan. With over 60 search providers pre-installed as defaults or secondary options across more than 90 language versions, Firefox has more choice in search providers than any other browser.”



As Recode reported last year, there was a clause in the Mozilla deal that would have the potential Yahoo acquirer pay $375 million per year through 2019 if Mozilla didn’t want to work with the buyer. This clause also allowed Mozilla to walk away at its sole discretion. We don’t know if Mozilla invoked this clause to terminate the agreement, but it seems likely.



This move makes Google Mozilla’s default search engine in most of the world, with the exception of China, where the default is Baidu, and Russia, Turkey, Belarus and Kazakhstan, where Yandex is the default.



Historically, search engine royalties have been the main revenue driver for Mozilla. Back in 2014, the last year of the Google deal, that agreement brought in $323 million of the foundation’s $330 million in total revenue. Neither Google nor Mozilla discussed the financial details of this new deal, though once Mozilla releases its annual financial statement, we’ll get a better idea of what that looks like.




Hackers Claim to Break Face ID a Week After iPhone X Release | WIRED

When Apple released the iPhone X on November 3, it touched off an immediate race among hackers around the world to be the first to fool the company's futuristic new form of authentication. A week later, hackers on the actual other side of the world claim to have successfully duplicated someone's face to unlock his iPhone X—with what looks like a simpler technique than some security researchers believed possible.



On Friday, Vietnamese security firm Bkav released a blog post and video showing that—by all appearances—they'd cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make.



But it's also a hacking proof-of-concept that, for now, shouldn't alarm the average iPhone owner, given the time, effort, and access to someone's face required to recreate it.



Bkav, meanwhile, didn't mince words in its blog post and FAQ on the research. "Apple has done this not so well," writes the company. "Face ID can be fooled by mask, which means it is not an effective security measure."





In the video posted to YouTube, shown above, one of the company's staff pulls a piece of cloth from a mounted mask facing an iPhone X on a stand, and the phone instantly unlocks. Despite the phone's sophisticated 3-D infrared mapping of its owner's face and AI-driven modeling, the researchers say they were able to achieve that spoofing with a relatively basic mask: little more than a sculpted silicone nose, some two-dimensional eyes and lips printed on paper, all mounted on a 3-D-printed plastic frame made from a digital scan of the would-be victim's face.



The researchers concede, however, that their technique would require a detailed measurement or digital scan of the face of the target iPhone's owner. The researchers say they used a handheld scanner that required about five minutes of manually scanning their test subject's face. That puts their spoofing method in the realm of highly targeted espionage, rather than the sort of run-of-the-mill hacking most iPhone X owners might face. [1]



"Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders, and agents like FBI need to understand the Face ID's issue," the Bkav researchers write. They also suggest that future versions of their technique might be performed with a quick smartphone scan of a victim’s face, or even a model created from photographs, but didn't make any predictions about how easy those next steps might be to engineer.



Aside from the challenge of acquiring an accurate face scan, the researchers’ simpler setup outperformed more expensive techniques for attempted Face ID trickery—namely, the ones we at WIRED tried earlier this month. With the help of a special effects artist, and at a cost of thousands of dollars, we created full masks cast from a staffer's face in five different materials, ranging from silicone to gelatin to vinyl. Despite details like eyeholes designed to allow real eye movement, and thousands of eyebrow hairs inserted into the mask intended to look more like real hair to the iPhone's infrared sensor, none of our masks worked.



By contrast, the Bkav researchers say they were able to crack Face ID with a cheap mix of materials, 3-D printing rather than face-casting, and perhaps most surprisingly, fixed, two-dimensional printed eyes. The researchers haven't yet revealed much about their process, or the testing that led them to that technique, which may prompt some skepticism. But they say that it was based in part on the realization that Face ID's sensors only checked a portion of a face's features, which WIRED had previously confirmed in our own testing.



"The recognition mechanism is not as strict as you think," the Bkav researchers write. "We just need a half face to create the mask. It was even simpler than we ourselves had thought."

Without more details on its process, however, plenty about Bkav's work remains unclear. The company didn't respond to the majority of a long list of questions from WIRED, saying that it plans to reveal more in a press conference later this week.

Most prominent among those questions, points out security researcher Marc Rogers, is how exactly the phone was registered and trained on its owner's real face. Bkav's staff could have potentially "weakened" the phone's digital model by training it on its owner's face while some features were obscured, Rogers suggests, essentially teaching the phone to recognize a face that looked more like their mask, rather than create a mask that truly looks like the owner's face.

"For the moment I can't rule out that these guys might be tricking us a bit," says Rogers, a researcher for security firm Cloudflare, who worked with WIRED on our initial attempts to crack Face ID, and was also one of the first to break Apple's Touch ID fingerprint reader in 2013.

But in response to questions from WIRED, Bkav denied any such trickery. A company spokesperson says that after crafting a mask that was able to fool Face ID—it first made four others that failed—the researchers re-registered their test iPhone X on the face of Bkav's staffer, to make sure that it hadn't biased the phone's model of his face. After that, they never entered a passcode into the phone, and yet the mask alone unlocked it. [1]

Bkav's history also lends its demonstration some credence. Nearly a decade ago, the company's researchers found that they could break the facial recognition of laptop makers including Lenovo, Toshiba, and Asus, with nothing more than two-dimensional images of a user's face. They presented those widely cited findings at the 2009 Black Hat security conference.

If Bkav's findings do check out, Rogers says that the most unexpected result of the company's research would be that even fixed, printed eyes are able to deceive Face ID. Apple patents had led Rogers to believe that Face ID looked for eye movement, he says. Without it, Face ID would be left vulnerable not only to simpler mask spoofs, but also attacks that could unlock an iPhone X even if the owner is sleeping, restrained, or potentially even dead.

The last of those situations is especially worrying, since it would theoretically be a problem for Face ID that even Touch ID didn't present, given that the latter checks for the conductivity of a living person's finger before unlocking. "That would mean this could be tricked without any liveness test at all," Rogers says. "I would say if this is all confirmed, it does mean Face ID is less secure than Touch ID." It's also unclear if Face ID uses any methods beyond eye movement to indicate that someone is alive. (At least one researcher points out that Touch ID may also work on a corpse: SR Labs' Ben Schlabs sent WIRED a video unlocking an iPhone SE with an altogether non-living foam-backed fake fingerprint.) [2]

Despite the potential threat of snooping on a sleeping, kidnapped, or dead person’s iPhone X, Rogers considers the notion that someone will make a silicone-and-plastic mask of the average person's face far-fetched. A far more practical concern is someone simply tricking a victim into glancing at their phone.

"This is still not the kind of attack the average person on the street should worry about," Rogers says of Bkav's work. "It’s still probably easier to snatch the phone and just show it to someone to unlock it."

[1] Updated 11/13/2017 9:30 am EST with more information from Bkav.

[2] Updated 11/13/2017 10:55 am EST with a comment from SR Labs on unlocking Touch ID with a non-living finger.



Hackers Claim to Break Face ID a Week After iPhone X Release | WIRED

Using E-Mail Encryption to Combat Cyber Breaches

Given the prevalence of email-based attacks, and the growing number of phishing attacks containing ransomware occurring globally, email security should be a forefront concern for any organization.



By Industry Perspectives | Nov 07, 2017



In the month following the Deloitte breach, consumers and businesses are still at risk of having personal and proprietary information stolen. The Deloitte hack compromised highly sensitive information belonging to six "blue chip" clients, including usernames, passwords, IP addresses, and health information. Deloitte failed to use multi-factor authentication on a portion of its email system, giving cyber criminals easy access to the accounts.



The cyber criminals then sifted through emails looking for any valuable information they could use or sell for a profit. While the Deloitte hack was contained and only affected six clients, consumers and businesses are at risk from any organization that stores sensitive information about them and fails to implement critical cybersecurity measures. Consumers and businesses can have their information compromised, through data held in email accounts, by a variety of organizations, including healthcare organizations, educational institutions, legal firms, accountancy firms, financial institutions, and businesses and third-party vendors.



Regardless of the type of organization, there should be a greater level of responsibility and protection for consumer and client information. Organizations have failed to implement cybersecurity controls, and the resulting breaches are now an epidemic. By 2019, cybercrime will cost the global economy an estimated $2.1 trillion. To protect consumers and themselves, organizations must implement cybersecurity measures. Given the prevalence of email-based attacks, and the growing number of phishing attacks containing ransomware occurring globally, email security should be a forefront concern for any organization.



A critical first step is to ensure the use of multi-factor authentication for account logins. This added layer of security is integral to account protection and user verification. Cybercriminals seek out the easiest targets to make the fastest profit; using multi-factor authentication encourages the criminal to move on to the next target.



Another consideration for organizations is email encryption. Despite valiant efforts to keep cyber criminals from gaining access to email accounts, inevitably they will find a way in. Each employee with a company email address is a potential point of entry for a cybercriminal. Negligent employees who don't follow password protocols, fall victim to phishing schemes, or download third-party applications that contain malware create opportunities for cyber criminals to gain access.



In the case of Deloitte, once cybercriminals gained access to the account they downloaded and archived the data to servers overseas, to later sort through for any valuable information. Email encryption services add two-factor authentication and an extra layer of security to every email sent, removing the value proposition for cyber criminals because they cannot read the encrypted messages. It would be like breaking into a bank and finding the vault empty.



Securing and protecting email accounts is a critical consideration for organizations of all sizes, from Big Four CPA firms to small businesses. Organizations should begin waging the war against cybercrime today by implementing multi-factor authentication for email accounts and considering an email encryption service. Increased global productivity through advances in technology should not come at the cost of privacy and security.



Using E-Mail Encryption to Combat Cyber Breaches