Blog entry by Les Bell

by Les Bell - Friday, October 14, 2022, 7:45 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Thermal Attacks Crack Passwords

Researchers at the University of Glasgow have developed a system called ThermoSecure which can crack passwords by using a thermal imaging camera to photograph a keyboard after a user has typed a password. Keys appear brighter in the image the more recently they were touched, and with some assistance from AI, the system can crack 86% of passwords when the image is taken within 20 seconds of the user typing.

The success rate dropped to 76% when images were taken within 30 seconds and to 62% after 60 seconds. It also drops as passwords get longer: six-character passwords were always breakable, but even with 16-character passwords the system could break 67% of them from images taken within 20 seconds.

Suggested mitigations include using backlit keyboards, as these produce more heat, or switching to alternative authentication mechanisms such as biometrics.

Barker, Dan, Heat from fingertips can be used to crack passwords, researchers find, Evening Standard, 10 October 2022. Available online at https://www.msn.com/en-us/news/technology/heat-from-fingertips-can-be-used-to-crack-passwords-researchers-find/ar-AA12NcEW.

Room Temperature Quantum Network Repeater for Brooklyn Navy Yard

Quantum networking startup Qunnect has announced a round of funding that will permit it to build a testbed quantum key distribution network linking buildings in Brooklyn's historic Navy Yard. The Qunnect hardware is unique in that it operates at room temperature and can fit in conventional server racks.

To date, Qunnect has received funding from the DoE and other government agencies, but has announced $US8 million in funding from Airbus Ventures, The New York Ventures Fund, and others.

Current quantum key distribution devices work by transmitting photons over fiber optic cables, but are subject to light attenuation, which loses more photons as the cable length increases. This means the networks need repeaters, which are the obvious vulnerable point in a QKD network. Qunnect's devices use lasers to create pairs of entangled photons, one of which is temporarily stored in a phial of rubidium vapour while the other is sent over the fiber to the next repeater, where it is entangled with a photon from another pair, and the process continues.

By using the rubidium vapour quantum memory, rather than conventional semiconductor memory, the repeater assures confidentiality; any attempt to observe the quantum state will collapse it, triggering the generation of a new key. And although preserving quantum state is notoriously tricky, rendering quantum computers vulnerable to noise, the Qunnect device can store and release the quantum state of single photons with 95% fidelity, and for up to 0.8 ms, which is enough for communication over "metropolitan scale" quantum networks.

Pasternack, Alex, A new quantum network in Brooklyn opens the door to an untappable internet, Fast Company 12 October 2022. Available online at https://www.fastcompany.com/90793603/a-new-quantum-network-in-brooklyn-opens-the-door-to-an-untappable-internet.

Timing Attack Opens Possibility of Supply Chain Attacks in Private NPM Packages

As expected, the NPM registry API returns an HTTP 404 (Not Found) response code for private packages when queried by an unauthenticated or unauthorized user. However, researchers at Aqua Nautilus have discovered a significant difference in the time taken to return this response for a private package that does not exist versus a private package that does exist.

This leaks information about the existence of private packages, including packages that were once public but were converted to private. From this, attackers can create malicious packages in NPM's public scope, leading to a supply-chain attack.

Kadkoda, Yakir, Private npm Packages Disclosed via Timing Attacks, blog post, 12 October 2022. Available online at https://blog.aquasec.com/private-packages-disclosed-via-timing-attack-on-npm.
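To illustrate the class of leak in the NPM story above, here is an added example (not code from this post, from Aqua or from the npm registry) of a simulated package lookup in its leaky shape beside a hardened one. The registry contents, the token format and the simulated authorisation cost are all constructed assumptions; the point is that the leaky version only pays the authorisation cost when the private package actually exists, which is what a timing side channel measures.

```python
import time

# Constructed sample registry state (not real npm data): package name ->
# owning organisation for private packages, or None for a public package.
PACKAGES = {"left-pad": None, "acme-internal-auth": "acme"}
DUMMY_OWNER = "nobody"  # used to equalise work when the package does not exist


def _auth_check(owner, token):
    """Stand-in for the comparatively expensive authorisation lookup."""
    time.sleep(0.02)  # simulated database / token-validation cost (assumption)
    return token == f"token-for-{owner}"


def lookup_leaky(name, token=None):
    """Vulnerable shape: both misses return 404, but only the path for an
    existing private package pays the authorisation cost, so response
    time reveals whether the private package exists."""
    if name not in PACKAGES:
        return 404                     # fast path: nothing to check
    owner = PACKAGES[name]
    if owner is None:
        return 200                     # public package
    return 200 if _auth_check(owner, token) else 404


def lookup_hardened(name, token=None, floor_s=0.05):
    """Hardened shape: the same work runs whether or not the package exists,
    and every response is padded to a fixed floor, so a 404 for a missing
    package and a 404 for an existing private package look alike."""
    start = time.perf_counter()
    exists = name in PACKAGES
    owner = PACKAGES.get(name, DUMMY_OWNER)
    if owner is None:
        status = 200                   # public package, no auth needed
    else:
        ok = _auth_check(owner, token)  # runs on both branches
        status = 200 if ok and exists else 404
    remaining = floor_s - (time.perf_counter() - start)
    if remaining > 0:
        time.sleep(remaining)          # pad to the floor
    return status


def timed(fn, *args):
    """Return (status, elapsed seconds) for one simulated request."""
    start = time.perf_counter()
    status = fn(*args)
    return status, time.perf_counter() - start
```

The floor only helps if it stays above the slowest branch under real load; equalising the work done on each branch is the more robust part of the fix, since an attacker with many samples can still average out small residual differences.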

Drones Used to Deliver Wi-Fi Credential Stealer, Access Confluence Page

Greg Linares reports, via Twitter, the discovery of a sophisticated attack on a financial services company involving the use of two DJI drones to deliver tools to the rooftop of the company's building.

The first drone, a DJI Phantom, was carrying what was described as a 'modified Wifi Pineapple Device' - a specialised Wi-Fi pen-testing device from Hak5. This was used to capture the credentials of a user, which could then be used to access the corporate Wi-Fi network. Having obtained these credentials, the attackers hard-coded them into a second set of tools - a "Raspberry Pi, several batteries, a GPD series mini laptop, a 4G modem, and another wifi device" - loaded onto the second drone, a DJI Matrice 600.

This landed near an HVAC vent and was slightly damaged, but still operable, and was used to target a Confluence page on the intranet. The activity was detected and an investigation launched; it quickly focused on the Wi-Fi network when it was discovered that the user whose credentials had been used was logged in both via the Wi-Fi and from home several miles away. Signal tracing and investigation with a Fluke Wi-Fi tester led the team to the roof, where the drones were discovered.

Linares, Greg, This will be a thread discussing ..., Twitter thread, 11 October 2022. Available online at https://twitter.com/Laughing_Mantis/status/1579550302172508161.
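The detection that cracked the drone case above was a user holding sessions from two places at once. As an added example (not part of Linares' thread or any vendor product), here is that correlation run over constructed authentication events; the log format, the assumption that the remote session arrives over a VPN path, and the access-point names are all invented for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs). Fields:
# ISO timestamp, event, user, access path (wlan or vpn), location tag.
SAMPLE_LOG = """\
2022-10-11T09:02:11Z LOGIN alice vpn home-city
2022-10-11T09:15:40Z LOGIN bob wlan hq-ap-roof-3
2022-10-11T09:31:05Z LOGIN alice wlan hq-ap-roof-3
2022-10-11T09:40:00Z LOGOUT bob wlan hq-ap-roof-3
2022-10-11T10:05:22Z LOGIN carol wlan hq-ap-2f-1
"""


def parse(log):
    """Turn the text log into (timestamp, event, user, path, location) tuples."""
    events = []
    for line in log.splitlines():
        ts, ev, user, path, loc = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ev, user, path, loc))
    return events


def concurrent_path_alerts(events, window=timedelta(hours=8)):
    """Flag a user who logs in over the office WLAN while still holding a
    remote (VPN) session, or vice versa, within the given window.
    Each alert is (user, time, new session, conflicting session)."""
    open_sessions = {}  # (user, path) -> (start time, location)
    alerts = []
    for ts, ev, user, path, loc in sorted(events):
        if ev == "LOGIN":
            open_sessions[(user, path)] = (ts, loc)
            other = "vpn" if path == "wlan" else "wlan"
            if (user, other) in open_sessions:
                start, other_loc = open_sessions[(user, other)]
                if ts - start <= window:
                    alerts.append((user, ts, f"{path}@{loc}", f"{other}@{other_loc}"))
        elif ev == "LOGOUT":
            open_sessions.pop((user, path), None)
    return alerts
```

In practice the WLAN side would come from the controller or RADIUS accounting and the remote side from the VPN concentrator, so the join key is the authenticated username rather than any address.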

Yet Another Attack Framework

Cisco Talos researchers have discovered yet another attack framework which they assess, with moderate confidence, is being used in the wild. The framework, which is delivered as a single 64-bit Linux executable, has RAT payloads compiled for Windows and Linux, and is written in the Go programming language.

'Alchimist' [sic] and its matching C2 tool have a web interface written in Simplified Chinese. It can generate a configured payload, establish remote sessions, deploy a payload to its victims, capture screenshots, run shellcode remotely and run arbitrary commands.

In most respects, Alchimist is similar to the Manjusaka C2 framework previously reported by Talos; the only major difference is that Manjusaka makes use of the Gin web framework and an existing asset bundling framework called packr, while Alchimist implements those features as native Go code.

Raghuprasad, Chetan, Asheer Malhotra and Vitor Ventura, Alchimist: A new attack framework in Chinese for Mac, Linux and Windows, blog post, 13 October 2022. Available online at https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.