Simple bug could lead to RCE flaw on apps built with Electron Framework


A critical remote code execution vulnerability has been discovered in the popular Electron web application framework that could allow attackers to execute malicious code on victims’ computers.

Electron is an open source app development framework that powers thousands of widely-used desktop applications including WhatsApp, Skype, Signal, WordPress, Slack, GitHub Desktop, Atom, Visual Studio Code, and Discord.

Electron builds desktop applications from web technologies: it bundles Chromium to render the user interface and Node.js for access to the local system, and it exposes Node.js APIs to the application's pages.

Node.js is built for server-side work, so its APIs reach files, processes and the network. Exposing them to a page therefore gives that page, and any script that manages to run in it, broad control over the operating system the app is installed on.

To keep untrusted web content away from those APIs, developers set nodeIntegration: false in the webPreferences of the BrowserWindow that loads it. A related option, webviewTag, controls whether page content may create <webview> tags (embedded guest pages that can carry their own preferences); when it is not declared, it takes the same value as nodeIntegration.

webPreferences are fixed when the window is created, so script that reaches the page later, for example through a cross-site scripting (XSS) bug, cannot simply flip nodeIntegration back on.

In other words, an app that disables nodeIntegration but never declares webviewTag: false is relying on the inherited default to keep <webview> creation, and with it Node.js access, out of reach.

Critical RCE Flaw Could Hit Apps Built With Electron Framework

However, Trustwave researcher Brendan Scarvell has released proof-of-concept (PoC) code showing that in an app that leaves webviewTag undeclared, an attacker who already has a cross-site scripting foothold can turn it into remote code execution.

The PoC effectively re-enables node integration at runtime: from the injected script it opens a child window whose content can create a <webview> with node integration switched on, and from there executes arbitrary system commands on the user's machine with the application's privileges.

It should be noted that the exploit would not work if the developer has also opted for one of the following options:

  • nativeWindowOpen enabled in the window's webPreferences.
  • Intercepting new-window events and overriding event.newGuest without using the supplied options.
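The precondition and the two mitigations above can be checked mechanically. The following is an added example, not Electron's or Trustwave's code: a plain Node.js audit of a BrowserWindow's webPreferences object, plus a helper that returns a hardened copy. It assumes the Electron option names nodeIntegration, webviewTag, nativeWindowOpen and contextIsolation, and uses a handlesNewWindow flag to stand in for "the app intercepts new-window and overrides event.newGuest"; the configurations it checks are constructed here.

```javascript
// Added example (not Electron's or Trustwave's code). Runs under plain Node.js.
// Assumed option names: nodeIntegration, webviewTag, nativeWindowOpen,
// contextIsolation (all real Electron webPreferences keys); `handlesNewWindow`
// is this example's stand-in for a new-window handler that overrides event.newGuest.

function auditWebPreferences(prefs, opts) {
  const p = prefs || {};
  const o = opts || {};
  const findings = [];

  if (p.nodeIntegration !== false) {
    // Electron 1.x/2.x defaulted nodeIntegration to true, so renderer XSS is
    // already a full Node.js compromise regardless of this CVE.
    findings.push('nodeIntegration not disabled: renderer XSS gives direct Node.js access');
    return findings;
  }

  // The CVE precondition: nodeIntegration off, webviewTag left to inherit,
  // and neither mitigation named in the advisory in place.
  const webviewTagDeclared = typeof p.webviewTag === 'boolean';
  const mitigated = p.nativeWindowOpen === true || o.handlesNewWindow === true;
  if (!webviewTagDeclared && !mitigated) {
    findings.push('webviewTag undeclared and no new-window mitigation: CVE-2018-1000136 precondition present');
  } else if (p.webviewTag === true) {
    findings.push('webviewTag explicitly enabled: page content may create <webview> tags');
  }

  if (p.contextIsolation !== true) {
    // Not part of this CVE; standard defence in depth for untrusted content.
    findings.push('contextIsolation not enabled (recommended)');
  }
  return findings;
}

function hardenWebPreferences(prefs) {
  return Object.assign({}, prefs || {}, {
    nodeIntegration: false,
    webviewTag: false,       // declared explicitly instead of inherited
    nativeWindowOpen: true,  // one of the two mitigations the advisory names
    contextIsolation: true,
  });
}

// In an Electron main process these would be used as (not executed here):
//   const win = new BrowserWindow({ webPreferences: hardenWebPreferences(myPrefs) });
//   win.webContents.on('new-window', (event) => event.preventDefault());

function demo() {
  // Constructed configurations: the vulnerable shape and its hardened form.
  return {
    vulnerable: auditWebPreferences({ nodeIntegration: false }),
    hardened: auditWebPreferences(hardenWebPreferences({ nodeIntegration: false })),
  };
}
```

The audit is deliberately conservative: it reports the precondition whenever webviewTag is not an explicit boolean and neither mitigation is visible, so an app that relies on a new-window handler must pass handlesNewWindow: true to clear the finding.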

The vulnerability, tracked as CVE-2018-1000136, was reported to the Electron team by Scarvell earlier this year and affected all versions of Electron at the time of discovery.

Electron developers patched the vulnerability in March 2018 with the release of versions 1.7.13, 1.8.4, and 2.0.0-beta.4.

App developers should update to a patched Electron release, or at least confirm that their configuration is not vulnerable to this issue.

For more technical details on the Electron vulnerability and PoC exploit code, you can head on to the Trustwave’s blog post.

This Electron bug is unrelated to the recently discovered flaw in the Signal desktop app, which has also just been patched for a critical cross-site scripting vulnerability leading to remote code execution; full technical details of that issue are scheduled to be published on The Hacker News this evening.

Red Hat Linux DHCP Client Found Vulnerable to Command Injection Attacks


A Google security researcher has discovered a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Linux and its derivatives like Fedora operating system.

The vulnerability, tracked as CVE-2018-1111, could allow attackers to execute arbitrary commands with root privileges on targeted systems.

Whenever your system joins a network, the DHCP client is what lets it automatically receive network configuration parameters, such as an IP address and DNS servers, from a Dynamic Host Configuration Protocol (DHCP) server.

The vulnerability resides in the NetworkManager integration script shipped in the DHCP client package (the dhclient dispatcher script, /etc/NetworkManager/dispatcher.d/11-dhclient), which runs whenever NetworkManager obtains a lease and passes the DHCP-supplied values through the shell.

Felix Wilhelm of Google's security team found that an attacker who runs a malicious DHCP server, or who sits on the same network and can spoof DHCP responses, can place shell metacharacters in a DHCP option value so that the script executes them as commands with root privileges on a victim running the vulnerable client.

Although full details of the vulnerability have not been released, Wilhelm says his PoC exploit is so short that it fits in a tweet.

Meanwhile, Barkın Kılıç, a security researcher from Turkey, has published a tweet-sized proof-of-concept exploit for the vulnerability on Twitter.
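The detection side of this, as an added example not taken from the article, Red Hat's advisory or the published PoC: a Node.js parser for DHCP replies that flags free-form text options containing shell metacharacters (the published PoC carried its command in the WPAD option, 252). Which option numbers are treated as text and which characters count as metacharacters are this example's assumptions; the packets are constructed inline.

```javascript
// Added example (not from the article, Red Hat or the PoC author): flag DHCP
// replies whose text options carry shell metacharacters. Assumptions: the
// TEXT_OPTIONS table and SHELL_META set below; sample packets are constructed.

const DHCP_HEADER_LEN = 236;                        // RFC 2131 fixed header
const DHCP_MAGIC = Buffer.from([0x63, 0x82, 0x53, 0x63]);

// Options whose payload is free-form text; a legitimate lease never needs
// quotes, semicolons or backticks in any of them.
const TEXT_OPTIONS = {
  12: 'host-name',
  15: 'domain-name',
  40: 'nis-domain',
  114: 'url',
  252: 'wpad-proxy-url',
};
const SHELL_META = /['";&|`$(){}<>\\\n]/;

function parseDhcpOptions(pkt) {
  if (pkt.length < DHCP_HEADER_LEN + 4 ||
      !pkt.subarray(DHCP_HEADER_LEN, DHCP_HEADER_LEN + 4).equals(DHCP_MAGIC)) {
    throw new Error('not a DHCP message');
  }
  const options = [];
  let i = DHCP_HEADER_LEN + 4;
  while (i < pkt.length) {
    const code = pkt[i++];
    if (code === 0) continue;                       // pad
    if (code === 255) break;                        // end
    if (i >= pkt.length) throw new Error('truncated option header');
    const len = pkt[i++];
    if (i + len > pkt.length) throw new Error('truncated option value');
    options.push({ code, value: pkt.subarray(i, i + len) });
    i += len;
  }
  return options;
}

// Returns the text options that carry shell metacharacters.
function findShellInjection(pkt) {
  return parseDhcpOptions(pkt)
    .filter((o) => TEXT_OPTIONS[o.code] !== undefined)
    .map((o) => ({ code: o.code, name: TEXT_OPTIONS[o.code], text: o.value.toString('latin1') }))
    .filter((o) => SHELL_META.test(o.text));
}

// Builds a minimal reply (zeroed header + magic cookie + options) for testing.
function buildDhcpReply(options) {
  const parts = [Buffer.alloc(DHCP_HEADER_LEN), DHCP_MAGIC];
  for (const [code, value] of options) {
    const v = Buffer.isBuffer(value) ? value : Buffer.from(value, 'latin1');
    parts.push(Buffer.from([code, v.length]), v);
  }
  parts.push(Buffer.from([255]));
  return Buffer.concat(parts);
}

// Constructed samples: a normal OFFER, and one whose WPAD option closes a
// single-quoted string and appends a command (a harmless `id` here).
const BENIGN_OFFER = buildDhcpReply([
  [53, Buffer.from([2])],
  [15, 'corp.example'],
  [252, 'http://wpad.corp.example/wpad.dat'],
]);
const HOSTILE_OFFER = buildDhcpReply([
  [53, Buffer.from([2])],
  [252, "x';id;#"],
]);
```

Wired to a packet capture or a DHCP relay, findShellInjection gives an alert for any lease that could only be intended to break out of a quoted shell string; it does not replace patching the client, since an attacker on the same segment can still deliver the reply directly.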


In its security advisory, Red Hat confirmed that the vulnerability affects Red Hat Enterprise Linux 6 and 7 and that all customers running affected versions of the dhclient package should update to the fixed versions as soon as they are available.

“Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers,” Red Hat warns.

Fedora has also released new versions of DHCP packages containing fixes for Fedora 26, 27, and 28.

Other popular Linux distributions such as openSUSE and Ubuntu do not appear to be affected, because their DHCP client packages do not ship the NetworkManager integration script by default.

Another severe flaw in Signal desktop app lets hackers steal your chats in plaintext


For the second time in less than a week, users of the end-to-end encrypted Signal messenger have to update their desktop application to patch another severe code injection vulnerability.

Discovered on Monday by the same team of researchers, the new vulnerability poses the same threat as the previous one: a remote attacker can inject code into the recipient's Signal desktop app just by sending a message, with no user interaction required.

To understand more about the first code injection vulnerability (CVE-2018-10994), you can read our previous article covering how researchers find the Signal flaw and how it works.

The only difference between the two is that the previous flaw resides in the function that handles links shared in the chat, whereas the new vulnerability (CVE-2018-11101) exists in a different function that handles the validation of quoted messages, i.e., quoting a previous message in a reply.

signal-code-execution-flaw

In other words, to exploit the bug on a vulnerable Signal desktop client, an attacker sends a message containing HTML/JavaScript and then quotes (replies to) that message with any text.

When the victim's vulnerable desktop client renders the quote, the payload is interpreted as markup and executes automatically, with no interaction from the victim.

Exploiting Signal Code Injection to Steal Plaintext Chats

Until now, the proof-of-concept payloads used to demonstrate code injection in Signal were limited to embedding an HTML iframe or image/video/audio tags in the victim's desktop app.

However, researchers have now managed to craft a new PoC exploit that could allow remote attackers to successfully steal all Signal conversations of the victims in the plaintext just by sending them a message.

This defeats the purpose of an end-to-end encrypted messenger: the attacker obtains the plaintext from the endpoint itself, without breaking the encryption at all.

Attackers Could Possibly Steal Windows Password As Well

What’s worse?

In their blog post, the researchers also note that an attacker could include files from a remote SMB share via an HTML iframe, which can be abused to steal the NTLMv2 password hash of Windows users.

“In the Windows operative system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script in an SMB share as the source of an iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html> and then replying to it,” the researchers explain.
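Both the quoted-message injection described above and the SMB iframe in the researchers' quote come down to untrusted message text reaching the DOM as markup. The following is an added example, not Signal's code: the two ways a quote preview can be built (spliced versus escaped), plus a scan of rendered markup for the Windows UNC/file sources the researchers describe. It assumes a quote shape of { author, text } and that the application forbids file: and \\host\share sources outright; the sample quote reuses the placeholder host from the quote above. A real client should not splice text into HTML at all (DOM text APIs avoid the problem entirely); the escaping version is shown to make the contrast concrete.

```javascript
// Added example (not Signal's code). Assumed quote shape: { author, text }.
// escapeHtml, renderQuote* and findUncSources are this example's own names.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The pattern that causes the trouble: untrusted text spliced into markup.
function renderQuoteUnsafe(quote) {
  return '<div class="quote"><span class="author">' + quote.author + '</span>' +
         '<span class="text">' + quote.text + '</span></div>';
}

function renderQuoteSafe(quote) {
  return '<div class="quote"><span class="author">' + escapeHtml(quote.author) + '</span>' +
         '<span class="text">' + escapeHtml(quote.text) + '</span></div>';
}

// \\host\share and file: sources fetch from outside the renderer's origin; on
// Windows a UNC fetch also opens an SMB connection to the named host.
function isUncOrFileSource(src) {
  const s = String(src).trim();
  return /^\\\\[^\\]+\\/.test(s) || /^file:/i.test(s) || /^smb:/i.test(s);
}

// Lists src/href values inside real tags that point at UNC/file sources.
// Escaped text (&lt;iframe ...) is not a tag and is therefore ignored.
function findUncSources(html) {
  const found = [];
  const tagRe = /<[a-zA-Z][^>]*>/g;
  const attrRe = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[0])) !== null) {
      const v = attr[1] !== undefined ? attr[1] : attr[2] !== undefined ? attr[2] : attr[3];
      if (isUncOrFileSource(v)) found.push(v);
    }
  }
  return found;
}

// Constructed sample reusing the placeholder host from the researchers' quote.
const SAMPLE_QUOTE = {
  author: 'mallory',
  text: '<iframe src=\\\\DESKTOP-XXXXX\\Temp\\test.html>',
};
```

findUncSources is a regex pass, not an HTML parser, and is meant as a test-time check on rendered output (or a belt-and-braces scan before insertion), not as the primary defence; that remains never interpreting message text as markup.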

Though they haven't claimed anything about this form of attack, I speculate that if an attacker can exploit the code injection to force Windows to initiate automatic authentication with an attacker-controlled SMB server using single sign-on, it would eventually hand over the victim's username and NTLMv2 hashed password to the attackers, potentially allowing them to gain access to the victim's system.

We have seen how the same attack technique was recently exploited using a vulnerability in Microsoft Outlook, disclosed last month.

I cannot verify this claim at the moment, but we are in contact with a few security researchers to confirm it.

Researchers—Iván Ariel Barrera Oro, Alfredo Ortega, Juliano Rizzo, and Matt Bryant—responsibly reported the vulnerability to Signal, and its developers have patched the vulnerability with the release of Signal desktop version 1.11.0 for Windows, macOS, and Linux users.

However, The Hacker News has learned that Signal's developers had already identified this issue as part of a comprehensive fix for the first vulnerability before the researchers found and reported it.

Signal has an auto-update mechanism, so most users should already have the update installed. You can read this guide to check whether you are running the updated version of Signal.

If you are not, update Signal for desktop immediately, since the vulnerability exposes your private conversations in plaintext to attackers.

12 Russian Intelligence Agents Indicted For Hacking DNC Emails


The US Justice Department has announced criminal indictments against 12 Russian intelligence officers tied to the hack of the Democratic National Committee (DNC) during the 2016 US presidential election campaign.

The charges were drawn up as part of the investigation of Russian interference in the 2016 US presidential election by Robert Mueller, the Special Counsel, and former FBI director.

The indictments against 12 Russian military officers were announced by Deputy Attorney General Rod Rosenstein during a DoJ press conference on Friday—just 3 days before the Russian leader Vladimir Putin is scheduled to meet with President Donald Trump.

All 12 are officers of the GRU, Russia's military intelligence agency, and are accused of carrying out "large-scale cyber operations" to break into the DNC network and steal Democrats' emails in order to influence the 2016 presidential election.

Here’s the list of all 12 defendants:

  • Viktor Borisovich Netyksho
  • Boris Alekseyevich Antonov
  • Dmitriy Sergeyevich Badin
  • Ivan Sergeyevich Yermakov
  • Aleksey Viktorovich Lukashev
  • Sergey Aleksandrovich Morgachev
  • Nikolay Yuryevich Kozachek
  • Pavel Vyacheslavovich Yershov
  • Artem Andreyevich Malyshev
  • Aleksandr Vladimirovich Osadchuk
  • Aleksey Aleksandrovich Potemkin
  • Anatoliy Sergeyevich Kovalev

The indictment alleges that the hacking targeted Hillary Clinton's campaign, the DNC and the Democratic Congressional Campaign Committee (DCCC), with the intention of releasing the stolen material online under the name DCLeaks.

“The Internet allows foreign adversaries to attack America in new and unexpected ways. Free and fair elections are hard-fought and contentious,” Rosenstein said. “There will always be adversaries who work to exacerbate domestic differences and try to confuse, divide, and conquer us.”

However, Rosenstein said the indictments did not allege that the cyberattacks ultimately affected vote count or changed the outcome of the 2016 election.

According to the indictment, Guccifer 2.0, who posed as a lone hacker from Romania and released sensitive documents taken from the DNC server, and the website that released records under the name DCLeaks were both operated by a GRU team known as "Unit 74455."

The team allegedly used Bitcoin to purchase servers (including one in Malaysia that hosted the DCLeaks website), register domains and make other payments in furtherance of the hacking.

The indictment includes 11 criminal counts:

Count one charges a criminal conspiracy to commit an offense against the United States through cyber operations by the GRU that involved the staged release of stolen documents to interfere with the 2016 presidential election.

Counts two through nine charge aggravated identity theft for using identification belonging to eight victims to further the computer fraud scheme.

Count ten charges conspiracy to launder money, in which the defendants laundered the equivalent of over $95,000 through cryptocurrencies such as Bitcoin to purchase servers and fund other costs related to their hacking activities.

Count eleven charges conspiracy to commit an offense against the United States by attempting to hack into the computers of state boards of elections, secretaries of state, and US companies that supplied software and other technology related to the administration of elections.

Although the defendants claimed to be “American hacktivists” on the DCLeaks website, the indictments note that no American was a knowing participant in any related activity or knew they were communicating with Russian intelligence officers.

Hackers Used Malicious MDM Solution to Spy On ‘Highly Targeted’ iPhone Users

Security researchers have uncovered a “highly targeted” mobile malware campaign that has been operating since August 2015 and found spying on 13 selected iPhones in India.

The attackers, who are also believed to be operating from India, abused the mobile device management (MDM) protocol, a class of enterprise software used to control and enforce policies on employees' devices, to control the phones and deploy malicious applications to them remotely.

Exploiting Apple MDM Service to Remotely Control Devices


Enrolling an iOS device in an MDM requires the user to manually install an enrollment profile and trust its certificate; legitimate enterprises obtain such certificates through the Apple Developer Enterprise Program.

Companies can deliver the MDM profile by email, through a web page (over-the-air enrollment), or with Apple Configurator.

Once a user installs it, the service allows the company administrators to remotely control the device, install/remove apps, install/revoke certificates, lock the device, change password requirements, etc.

“MDM uses the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results,” Apple explains about MDM.

Since each step of the enrollment process requires user interaction, such as trusting a certificate authority on the iPhone, it is not yet clear how the attackers managed to enroll the 13 targeted iPhones into their MDM service.

However, researchers at Cisco’s Talos threat intelligence unit, who discovered the campaign, believe that the attackers likely used either a social engineering mechanism, like a fake tech support-style call, or physical access to the targeted devices.

Spying Through Compromised Telegram and WhatsApp Apps


According to the researchers, the attackers behind the campaign used the MDM service to remotely install modified versions of legitimate apps onto target iPhones, which were designed to secretly spy on users, and steal their real-time location, contacts, photos, SMS and private messages from chat applications.

To add malicious features to secure messaging apps such as Telegram and WhatsApp, the attackers used the "BOptions sideloading technique," which allowed them to inject a dynamic library into the legitimate apps.

“The injection library can ask for additional permissions, execute code and steal information from the original application, among other things,” researchers explain.

The code injected into the compromised versions of Telegram and WhatsApp was designed to send contacts, location and images from the device to a remote server at hxxp[:]//techwach[.]com.

“Talos identified another legitimate app executing malicious code during this campaign in India. PrayTime is used to give the user a notification when it’s time to pray,” researchers said.

“The purpose is to download and display specific ads to the user. This app also leverages private frameworks to read the SMS messages on the device it is installed on and uploads these to the C2 server.”

At this time it is not known who is behind the campaign, who exactly was targeted or what the motive was, but the researchers found evidence suggesting the attackers operate from India and planted a "false flag" by posing as Russian.

“Over a three-year period, the attackers remained under the radar — likely due to the low number of compromised devices. We found testing devices enrolled on the MDM with an Indian phone number and registered on an Indian provider,” Talos researchers said.

“All the technical details point to an actor based in the same country as the victims: India.”

At the time of reporting, Apple had already revoked three certificates linked to the campaign and, after being notified by Talos, revoked the remaining two as well.

Programming languages you should try

The popularity of languages changes rapidly, but which ones should you look out for?

By Techworld staff, May 23, 2018

If you’re a newbie to programming, it might make sense to start with a language like Scratch or HTML. But once you’ve got to grips with the basics, there are a vast array of languages you can start learning. The problem is, there are so many to choose from and each has its own purpose.

There's a reason programming languages such as JavaScript, PHP and C# are so popular: they are well suited to what they do and remain in high demand from employers. But there are also plenty of less polished, innovative languages that can offer a developer a lot of value.


Predicting which languages will eventually rise to the top of the charts is difficult, of course, and a lot of the languages listed will have been around for a while and even be in use by many, but all are continuing to grow in popularity outside of the top few.

Here are programming languages that look set to play a bigger role within businesses in coming years.


1. Ballerina


Ballerina was developed by open source tech provider WSO2 and released in 2017. It is a compiled, type safe, concurrent programming language. Designed to be cloud-first, its specialism is integration and parallel processing, helping to implement microservices with distributed transactions, reliable messaging, stream processing, and workflows. Ballerina has built-in support for modern web protocols and data formats.

The developer experience is designed to maintain flow, with a rapid edit, build and debug cycle that integrates into your team's lifecycle toolchain, the Ballerina web page explains.

2. Julia

Designed by Jeff Bezanson, Stefan Karpinski, Viral B. Shah and Alan Edelman in 2009, Julia is a high-level dynamic programming language ideal for fast numerical functions and analysis.

Julia was conceived as a remedy to Python's speed problems: its creators kept what people like about Python, the simple syntax and convenient data handling, but designed the language so that code is compiled just in time to fast machine code.

If you’re after a speedy Python, then learn Julia.

3. Scala

If you’re a frustrated Java user, Scala could be the answer to your prayers.

Designed by Martin Odersky in 2004, Scala is a general-purpose programming language where ‘object-oriented meets functional’.

Scala runs on the Java Virtual Machine (JVM), so it interoperates with existing Java libraries and tooling.

And compared to Java, Scala offers cleaner, simpler, more flexible syntax.

4. TypeScript

TypeScript grew in popularity at the start of 2017 and has held strong as the year has gone on. This was reflected in its ranking from analyst firm RedMonk, where it gained 17 places in the GitHub ranking and overtook Erlang and Rust in the first quarter.

Described as 'JavaScript that scales', TypeScript adds optional static types to JavaScript, catching a class of errors before the code runs. One of its biggest pulls is Angular, a framework for building web applications that is itself written in TypeScript, although you don't need TypeScript to use Angular.

5. R

R offers an open source software environment for statistical computing.

First appearing in 1993, R has gained popularity with the rise of data-driven work, from data mining to statistics and academic research.

It provides a simple and effective environment for analysing data sets in memory, although it is not a substitute for large-scale frameworks such as Hadoop.

6. Kotlin

Designed to compile quickly and run alongside Java, Kotlin is a statically typed language that runs on the Java Virtual Machine and can also be compiled to JavaScript.

Created by JetBrains, the company behind the IntelliJ IDEA IDE, Kotlin is in use at Pinterest, Evernote, Uber and Coursera.

7. Swift


Swift, unveiled at Apple's WWDC conference in 2014, was intended as a replacement for Objective-C for OS X and iOS development and was created to make building iOS apps easier, GitHub's Joe Nash says. Apple open-sourced the language in December 2015 under the Apache license, helping it gain huge popularity among developers.

Swift – which has similarities to more modern languages like Ruby and Python – has been enjoying “meteoric” growth since launching, according to RedMonk analyst Stephen O’Grady.

All of Apple’s education content and apps for learning to code use Swift and popular apps including Airbnb, Kayak and TripAdvisor were all created using Swift.

8. Rust

Created by Mozilla, Rust 1.0 was released in May 2015 after several years of development.

Close in some respects to C and C++, Mozilla describes it as a “new programming language which focuses on performance, parallelisation, and memory safety”.

“By building a language from scratch and incorporating elements from modern programming language design, the creators of Rust avoid a lot of “baggage” (backward-compatibility requirements) that traditional languages have to deal with.”

RedMonk’s O’Grady recently noted: “Anecdotal evidence has been accumulating for some time that the language was piquing the interest of developers from a variety of spaces.”

“Mozilla has invested millions to build Rust with the goal of making a better and safer language for systems programming. The language itself is incredibly advanced, and developers are already using Rust to create a wide range of new software applications, such as game engines, operating systems, file systems, browser components and simulation engines for virtual reality,” adds Joe Nash, program manager at GitHub.

9. Go


This open source language is viewed as faster to compile and easier to use than established languages such as Java and C, from whose syntax it borrows.

It is used by a number of organisations, from the BBC to SoundCloud, and Facebook to the UK government award-winning GOV.UK site. It is also used by enterprise software startup du jour, Docker.

“Go is an attempt to combine the ease of programming of an interpreted, dynamically typed language with the efficiency and safety of a statically typed, compiled language,” its creators say.

“Go is becoming very popular for distributed web applications. This is a great language for modern systems development and is discussed a lot in line with the containers movement,” GitHub’s Joe Nash adds.


10. Haskell


Haskell calls itself an ‘advanced purely-functional programming language’. Its first specifications were published in 1990. It features a type system with type inference and ‘lazy evaluation’. It is mainly used within academia but there are some examples of it being used in industry, for example, projects within AT&T, BAE Systems, Facebook and even Google.

In 2016 a committee began work on a Haskell 2020 revision of the language standard.

11. Clojure


Clojure, launched in 2009, is a dialect of the Lisp programming language. It is a general-purpose language which emphasises functional programming. It treats code as data and has a macro system, like other ‘Lisps’.

It is successfully used in industry by firms like Walmart, Puppet Labs and various big software firms.

FBI issues alert over two new malware linked to Hidden Cobra hackers

US-CERT has released a joint technical alert from the DHS and the FBI warning about two newly identified malware families used by the prolific North Korean APT group known as Hidden Cobra.

Hidden Cobra, also known as the Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and is known for attacks against media organizations and the aerospace, financial and critical infrastructure sectors around the world.

The group was even associated with the WannaCry ransomware menace that last year shut down hospitals and businesses worldwide. It is reportedly also linked to the 2014 Sony Pictures hack, as well as the SWIFT Banking attack in 2016.

Now, the Department of Homeland Security (DHS) and the FBI have uncovered two new pieces of malware that Hidden Cobra has been using since at least 2009 to target companies working in the media, aerospace, financial, and critical infrastructure sectors across the world.

The two families are Joanap, a remote access Trojan (RAT), and Brambul, a Server Message Block (SMB) worm. Let's look at each in turn.

Joanap—A Remote Access Trojan

According to the US-CERT alert, “fully functional RAT” Joanap is a two-stage malware that establishes peer-to-peer communications and manages botnets designed to enable other malicious operations.

The malware typically infects a system as a file delivered by other malware, which users unknowingly download either when they visit websites compromised by the Hidden Cobra actors, or when they open malicious email attachments.

Joanap receives commands from a remote command and control server controlled by the Hidden Cobra actors, giving them the ability to steal data, install and run more malware, and initialize proxy communications on a compromised Windows device.

Other functionalities of Joanap include file management, process management, creation and deletion of directories, botnet management, and node management.

During analysis of the Joanap infrastructure, the U.S. government has found the malware on 87 compromised network nodes in 17 countries including Brazil, China, Spain, Taiwan, Sweden, India, and Iran.

Brambul—An SMB Worm

Brambul is a brute-force authentication worm that, like the WannaCry ransomware, spreads over the Server Message Block (SMB) protocol; unlike WannaCry, which exploited a flaw in the SMB implementation, Brambul simply guesses passwords.

The malicious Windows 32-bit SMB worm functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims’ networks by dropper malware.

“When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets,” the alert notes.

“If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.”

Once Brambul gains access to a system, it sends information about that system to the Hidden Cobra operators by email. The information includes the IP address and hostname, as well as the username and password, of each victim's system.

The hackers can then use this stolen information to remotely access the compromised system via the SMB protocol. The actors can even generate and execute what analysts call a “suicide script.”
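The behaviour the alert describes, one host trying a short embedded password list against every SMB server on its subnet and then logging in wherever a guess worked, is visible in ordinary authentication and firewall logs. The following is an added example, not from the US-CERT alert: a sliding-window detector over a simplified log format (timestamp, src, dst, dport, user, result) that is constructed for this example, with thresholds that are assumptions to be tuned for your environment.

```javascript
// Added example (not from the US-CERT alert). The log format and the sample
// lines are constructed; map your own SMB/auth logs to the same fields.

function formatLine(ms, src, dst, dport, user, result) {
  return new Date(ms).toISOString() + ' src=' + src + ' dst=' + dst +
         ' dport=' + dport + ' user=' + user + ' result=' + result;
}

// Constructed sample: one host sweeping its /24 with three guesses per target
// (standing in for the worm's embedded password list), then landing one; and
// a user mistyping a password twice on a single file server.
function sampleLog() {
  const base = Date.parse('2018-05-29T10:00:00Z');
  const lines = [];
  let t = 0;
  for (const host of ['10.0.1.5', '10.0.1.6', '10.0.1.7', '10.0.1.8']) {
    for (let i = 0; i < 3; i++, t += 2000) {
      lines.push(formatLine(base + t, '10.0.1.23', host, 445, 'Administrator', 'FAIL'));
    }
  }
  lines.push(formatLine(base + t, '10.0.1.23', '10.0.1.8', 445, 'Administrator', 'OK'));
  lines.push(formatLine(base + 5000, '10.0.1.50', '10.0.1.9', 445, 'alice', 'FAIL'));
  lines.push(formatLine(base + 9000, '10.0.1.50', '10.0.1.9', 445, 'alice', 'FAIL'));
  lines.push(formatLine(base + 15000, '10.0.1.50', '10.0.1.9', 445, 'alice', 'OK'));
  return lines;
}

function parseLine(line) {
  const m = /^(\S+) src=(\S+) dst=(\S+) dport=(\d+) user=(\S+) result=(\S+)$/.exec(line);
  if (!m) return null;
  return { t: Date.parse(m[1]), src: m[2], dst: m[3], dport: Number(m[4]), user: m[5], ok: m[6] === 'OK' };
}

// One alert per source whose SMB logon failures exceed the thresholds inside
// any sliding window; also reports the first host where a guess succeeded.
function detectSmbBruteForce(lines, params) {
  const cfg = Object.assign({ windowMs: 60000, minFailures: 10, minHosts: 3 }, params || {});
  const events = lines.map(parseLine)
    .filter((e) => e !== null && (e.dport === 445 || e.dport === 139))
    .sort((a, b) => a.t - b.t);
  const bySrc = new Map();
  for (const e of events) {
    if (!bySrc.has(e.src)) bySrc.set(e.src, []);
    bySrc.get(e.src).push(e);
  }
  const alerts = [];
  for (const [src, evs] of bySrc) {
    const fails = evs.filter((e) => !e.ok);
    let start = 0;
    for (let end = 0; end < fails.length; end++) {
      while (fails[end].t - fails[start].t > cfg.windowMs) start++;
      const inWindow = fails.slice(start, end + 1);
      const hosts = new Set(inWindow.map((e) => e.dst));
      if (inWindow.length >= cfg.minFailures && hosts.size >= cfg.minHosts) {
        const success = evs.find((e) => e.ok && e.t >= fails[start].t);
        alerts.push({
          src, failures: inWindow.length, hosts: hosts.size,
          firstSeen: new Date(fails[start].t).toISOString(),
          successHost: success ? success.dst : null,
        });
        break;
      }
    }
  }
  return alerts;
}
```

The distinct-host threshold is what separates a worm from a user who mistypes a password: the sweeping host is reported after its tenth failure across four targets, while the two failures against a single file server are not. A successHost in the alert is the system to isolate first, since by then the worm has working credentials for it.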

DHS and the FBI have also provided downloadable lists of the IP addresses the Hidden Cobra malware communicates with, along with other IOCs, so that defenders can block them and tune network defenses to reduce exposure to North Korean government cyber activity.

DHS also recommends that users and administrators follow best practices as preventive measures: keep software and systems up to date, run antivirus software, disable SMB where it is not needed, and block unknown executables and applications.

Last year, the DHS and the FBI published an alert describing Hidden Cobra malware, called Delta Charlie—a DDoS tool which they believed North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets.

Other malware linked to Hidden Cobra in the past include Destover, Wild Positron or Duuzer, and Hangman with sophisticated capabilities, like DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.

Attackers Can Use Sonic and Ultrasonic Signals to Crash Hard Drives

Researchers have demonstrated how sonic and ultrasonic signals (the latter inaudible to humans) can be used to disrupt and even physically damage hard drives, either by playing the sound through the target computer's own built-in speaker or by using a speaker near the targeted device.

Similar research was conducted last year by a group of researchers from Princeton and Purdue University, who demonstrated a denial-of-service (DoS) attack against HDDs by exploiting a physical phenomenon called acoustic resonance.

Because HDDs are sensitive to external vibration, the researchers showed how specially crafted acoustic signals can set the drive's internal components vibrating, eventually causing the system that relies on the disk to fail.

To protect against head crashes, modern HDDs use shock-sensor-driven feedforward controllers that detect such movement and correct head positioning while reading and writing.

However, according to a new paper by researchers from the University of Michigan and Zhejiang University, sonic and ultrasonic sounds can trigger false positives in the shock sensor, causing the drive to park its head unnecessarily.

By exploiting this disk drive vulnerability, researchers demonstrated how attackers could carry out successful real-world attacks against HDDs found in CCTV (Closed-Circuit Television) systems and desktop computers.

“An attacker can use the effects from hard disk drive vulnerabilities to launch system level consequences such as crashing Windows on a laptop using the built-in speaker and preventing surveillance systems from recording video,” the research paper reads.

These attacks can be performed using a nearby external speaker or through the target system’s own built-in speakers by tricking the user into playing a malicious sound attached to an email or a web page.

In their experiments, the researchers tested acoustic and ultrasonic interference against HDDs from Seagate, Toshiba and Western Digital and found that ultrasonic waves induced errors within 5-8 seconds.

Sound interference lasting 105 seconds or more caused the stock Western Digital HDD in the video-surveillance device to stop recording from the start of the vibration until the device was restarted.

“In the case that a victim user is not physically near the system being attacked, an adversary can use any frequency to attack the system,” the researchers explain.

“The system’s live camera stream never displays an indication of an attack. Also, the system does not provide any method to learn of audio in the environment. Thus, if a victim user were not physically near the system, an adversary can use audible signals while remaining undetected.”

The researchers were also able to disrupt HDDs in desktops and laptops running both Windows and Linux operating systems. It took just 45 seconds to cause a Dell XPS 15 9550 laptop to freeze and 125 seconds to crash it when the laptop was tricked into playing malicious audio over its built-in speaker.

The team also proposed some defenses that can be used to detect or prevent such attacks, including a new feedback controller that could be deployed as a firmware update to attenuate the intentional acoustic interference, a sensor fusion method that prevents unnecessary head parking by detecting ultrasonic triggering of the shock sensor, and noise-dampening materials to attenuate the signal.

You can find out more about HDD ultrasonic acoustic attacks in a research paper [PDF] titled “Blue Note: How Intentional Acoustic Interference Damages Availability and Integrity in Hard Disk Drives and Operating Systems.”

Google Developer Discovers a Critical Bug in Modern Web Browsers

A Google researcher has discovered a severe vulnerability in modern web browsers that could have allowed websites you visit to steal the sensitive content of your online accounts from other websites that you are logged into in the same browser.

Discovered by Jake Archibald, developer advocate for Google Chrome, the vulnerability resides in the way browsers handle cross-origin requests to video and audio files, which if exploited, could allow remote attackers to even read the content of your Gmail or private Facebook messages.

For security reasons, modern web browsers don’t allow websites to make cross-origin requests to a different domain unless that domain explicitly allows it.

That means, if you visit a website on your browser, it can only request data from the same origin the site was loaded from, preventing it from making any unauthorized request on your behalf in an attempt to steal your data from other sites.

However, web browsers do not respond in the same way while fetching media files hosted on other origins, allowing a website you visit to load audio/video files from different domains without any restrictions.

Moreover, browsers also support the Range header and partial content responses, allowing websites to serve parts of a large media file, which is useful when playing large media or downloading files with pause-and-resume ability.

In other words, media elements have the ability to join pieces of multiple responses together and treat them as a single resource.

However, Archibald found that Mozilla Firefox and Microsoft Edge allowed media elements to mix visible and opaque data, or opaque data from multiple sources, together, leaving a sophisticated attack vector open for attackers.

In a blog post published today, Archibald detailed this vulnerability, which he dubbed Wavethrough, explaining how an attacker can leverage this feature to bypass protections implemented by browsers that prevent cross-origin requests.

“Bugs started when browsers implemented range requests for media elements, which wasn’t covered by the standard. These range requests were genuinely useful, so all browsers did it by copying each other’s behaviour, but no one integrated it into the standard,” Archibald explained.

According to Archibald, this loophole can be exploited by a malicious website using an embedded media file on its webpage, which, if played, serves only partial content from its own server and asks the browser to fetch the rest of the file from a different origin, forcing the browser to make a cross-origin request.

The second request, which actually is a cross-origin request and should be restricted, will succeed because mixing visible and opaque data is allowed for a media file, allowing one website to steal content from the other.

“I created a site that does the above. I used a PCM WAV header because everything after the header is valid data, and whatever Facebook returned would be treated as uncompressed audio,” Archibald said.

Archibald has also published a video and a proof-of-concept exploit demonstrating how a malicious website can fetch your private content from websites like Gmail and Facebook; because your browser loads those responses with your own session, the malicious site receives the same content you would.

Since Chrome and Safari already have a policy in place to reject such cross-origin requests as soon as they see a redirect, or notice that the underlying content appears to have changed between requests, their users are already protected.
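To make the browser-side policy concrete, here is an added example (not code from the article or from Archibald’s proof of concept) that models the check described above: every partial response stitched into one media element must come from the same origin with the same CORS visibility, and no range after the first may arrive via a redirect. The response records and hostnames are constructed for illustration.

```javascript
// Added example, not code from the article or from Archibald's PoC: a
// simplified model of the check the article attributes to Chrome and Safari.
// All HTTP 206 partial responses stitched into one media element must come
// from the same origin, with the same CORS visibility, and no range after the
// first may arrive via a redirect. The response records below are constructed.

function originOf(url) {
  return new URL(url).origin;
}

// Each record describes one range fetch as the browser saw it:
//   url        final URL the bytes came from
//   redirected whether that fetch followed a redirect
//   opaque     true for a cross-origin response without CORS (body hidden
//              from script), false for same-origin / CORS-visible data
function checkMediaRanges(responses) {
  if (responses.length === 0) return { ok: false, reason: "no responses" };
  const first = responses[0];
  const baseOrigin = originOf(first.url);
  for (let i = 1; i < responses.length; i++) {
    const r = responses[i];
    if (r.redirected) return { ok: false, reason: `range ${i} was redirected` };
    if (originOf(r.url) !== baseOrigin) {
      return { ok: false, reason: `range ${i} changed origin` };
    }
    if (r.opaque !== first.opaque) {
      return { ok: false, reason: `range ${i} mixes opaque and visible data` };
    }
  }
  return { ok: true, reason: "all ranges consistent" };
}

// Benign case: a CDN serving a large file in two same-origin ranges.
function benignSample() {
  return checkMediaRanges([
    { url: "https://cdn.example/song.wav", redirected: false, opaque: false },
    { url: "https://cdn.example/song.wav", redirected: false, opaque: false },
  ]);
}

// Wavethrough-shaped case: the first range is a small WAV header from the
// page's own origin; the second range is redirected to another site, which
// returns an opaque cross-origin body. The check refuses to stitch them.
function wavethroughSample() {
  return checkMediaRanges([
    { url: "https://page.example/a.wav", redirected: false, opaque: false },
    { url: "https://other-site.example/inbox", redirected: true, opaque: true },
  ]);
}
```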

“This is why standards are important. I believe Chrome had a similar security issue long ago, but instead of just fixing it in Chrome, the fix should have been written into a standard, and tests should have been written for other browsers to check against,” Archibald said.

Firefox and Edge, which were found vulnerable to this issue, have also patched the vulnerability in their latest versions after Archibald responsibly reported it to their security teams.

Therefore, Firefox and Edge users are strongly advised to make sure that they are running the latest versions of these browsers.

Android Gets New Anti-Spoofing Feature to Make Biometric Authentication Secure

Google just announced its plan to introduce a new anti-spoofing feature for its Android operating system that makes its biometric authentication mechanisms more secure than ever.

Biometric authentication methods, like fingerprint, iris, or face recognition, smooth the process of unlocking devices and applications by making it notably faster and more convenient.

Biometric systems also have well-known pitfalls: it has been proven multiple times in the past that most biometric scanners are vulnerable to spoofing attacks, and in many cases fooling them is quite easy.

Google announced today a better model to improve biometric security, which will be available from Android P, allowing mobile app developers to integrate an enhanced mechanism within their apps to keep users’ data safe.

New Biometric Metrics to Identify Spoofing and Imposter Attacks

Currently, the Android biometric authentication system uses two metrics—False Accept Rate (FAR) and False Reject Rate (FRR)—in combination with machine learning techniques to measure the accuracy and precision of the user’s input.

In brief, ‘False Accept Rate’ defines how often the biometric model accidentally classifies an incorrect input as belonging to the targeted user, while ‘False Reject Rate’ records how often a biometric model accidentally classifies the user’s biometric as incorrect.

Moreover, for user convenience some biometric scanners also allow users to authenticate successfully with higher false-acceptance rates than usual, leaving devices open to spoofing attacks.

Google says neither of these metrics can reliably tell whether the biometric data a user presents is actually an attacker attempting unauthorized access through a spoofing or impostor attack.

In an attempt to resolve this issue, in addition to FAR and FRR, Google has now introduced two new metrics—Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR)—that explicitly account for an attacker in the threat model.

“As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme,” Vishwath Mohan, a security engineer with Google Android team, says.

“Spoofing refers to the use of a known-good recording (e.g., replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user’s biometric (e.g., trying to sound or look like a target user).”

Google to Enforce Strong Biometric Authentication Policies

Based on the SAR/IAR values measured for a modality, Android classifies it as a “strong biometric” (values lower than or equal to 7%) or a “weak biometric” (values higher than 7%).

When a device or an application is unlocked with a modality that falls under weak biometric, Android P will enforce stricter authentication policies on users, as given below:

• It will prompt the user to re-enter their primary PIN, pattern, password or a strong biometric if the device is inactive for at least 4 hours (such as when left at a desk or charging).

• If the device has been left unattended for 72 hours, the system will enforce the policy mentioned above for both weak and strong biometrics.

• For additional safety, users authenticated with a weak biometric will not be able to make payments or participate in other transactions that involve a KeyStore auth-bound key.

Besides this, Google will also offer a new, easy-to-use BiometricPrompt API that developers can use to set up a robust authentication mechanism in their apps; it completely blocks any biometric modality that the two newly added metrics classify as weak.

“BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on,” Mohan said.

“A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices.”

The new feature would also help prevent unauthorized access to devices by thieves, spies and law enforcement agencies by locking the device down against known methods of bypassing biometric scanners.
