Week 9 Show Notes: Pegasus and Master Faces Bypassed (2FA)

00:00:04 Carl 

Simple cyberdefense weekly updates for August 6, 2021. 

00:00:37 Carl 

Welcome back to the simple Cyber Defense podcast. This week we have some interesting topics with mobiles, we’re going to be talking about the Pegasus malware that’s going around and some facial recognition bypasses and also a deeper dive into two factor authentication. My name is Carl I’m joined with. 

00:00:57 Ahmad 

Hi my name is Ahmad. 

00:00:59 Carl 

And here we go to begin. 

00:01:07 Carl 

So, you want to start with the facial one? Or you want to get into the Pegasus? 

00:01:12 Ahmad 

Let’s get into Pegasus and then we’ll jump in. 

00:01:13 Carl 

Pegasus OK, yeah ’cause it’s a very interesting piece of malware that’s been going around. So interesting enough the Pegasus malware was first discovered in 2016. 

Now it started with the spear phishing text messages. What spear phishing text messages? It’s a text message that’s crafted personally for you, so, say you’re a businessman who’s traveling different places. What that text message will be is most likely look like a potential client trying to reach out to you for a question or something. Then have a link in there and you click on the link it down. Then the malware launcher on your phone. 

Apple discovered this flaw back around 2016. And just shortly after it was discovered, Apple patched that ability. But the hackers, or the NSO Group who was responsible for that exploit, actually smartened up and created another exploite, or another vulnerability, which was called a zero click attack. Basically, all they had to do was just send you the message and it automatically downloaded the malware so you didn’t even have to open it, look at it, or click on anything. As soon as that text message hit your phone. Boom you were infected. A lot of these phones had the attention on the iPhones, but Android was also affected too, so it didn’t matter if you had an iPhone or Android. If you got that text message for that particularly crafted zero day, or zero click, 

You’re infected no matter what, even if you just received it. A lot of attention was around the iMessage and WhatsApp apps. Those were two messaging apps that were responsible mainly for these zero click attacks because they’re very popular. And it was just so easy just to send a message to either one of these platforms and boom, you got infected. The WhatsApp was mostly targeted for the Android side and the iMessage was mainly just for the iPhones. 

Another interesting way that they could have gotten the malware onto your computer is if they manually created a hotspot kind of thing, so as soon as your device wirelessly connected to it, like oh I got free Wi-Fi in this area, so we connect to that that Wi-Fi. They would download the malware onto your phone. It mostly took advantage of the Apple’s iMessage or with the, 

Sorry I’m drawing a blank. 

The last week bug with the Wi-Fi issues. And once they had that malware on there, they had full and complete control over your phone and what they can do is then copy any data that’s on your phone, contact lists, emails, your text messages, who you phoned. Everything that’s on your phone. They could copy it and use it gor whatever purposes. 

Now this NSO group is, I believe an Israeli company, is that right? 

00:05:04 Ahmad 

Yeah yeah, 

00:05:14 Carl 

 And they claimed that they only sold to government entities, but somehow most of the people who were targeted were either humanitarian groups or journalists. 

And let’s face it, the governments aren’t really the best people to keep things secret. Let’s just look at what happened with the CIA and the Eternal blue malware, or the backdoor that they had, eventually attackers got ahold of the Eternal blue and turned it into what was known as the Wanna Cry ransomware and now we are still dealing with ransomware now and if it wasn’t for that Eternal blue the attackers wouldn’t really had that way to get in there begin with. 

So, who knows if these malware or these backdoors or the exploits that this NSO group is selling to governments? If they ever were given to attackers, or if hackers even were able to say get into a government website or database or wherever they’re storing these and steal them for themselves and then use it against anybody because these exploits happen on any phone out there. And many Androids are never going to see the latest updates, so even if they were able to patch these up on Android, many of them won’t even get the latest updates because they’re so far beyond their end of life. But people still use them because they can’t afford anything else. And the same with the iPhones is a lot of people aren’t going to get the latest updates either. Some people are even still on iOS 12 when iOS 14 is the newest one right now. 

And with the example of the spear phishing text message moving to the zero click that shows you that this NSO group has a stockpile of different exploits to use for these messages. So, when Apple patched one up, they just used another one. So how many more they have? We don’t know they could have 10 more 20 more hundred more. There’s just sitting and waiting. OK, this exploit got patched, let’s move on to this one boom, we got your iPhone again. So, this is very dangerous thing. I think  

really, the only way to protect yourself against this is just to be very careful around your text messages. And as soon as you see an update, try to get that update to your phone. And if your phone can’t take that update, probably consider getting another phone, if you can. If you have a really old Android that’s sitting on very old firmware.  

You just might have to save up and get a newer cheaper Android device. But the thing is, you 

got to be very careful. Also, be careful what you store on your phone because in this day and age with everything being so interconnected with each other, you may say, oh, it’s safe on my phone. But if one of these exploits get on there. For how long will it stay on your phone? We don’t know. 

00:09:00 Carl 

So is there any questions you have Omar? Ahmad, sorry. 

00:09:03 Ahmad 

No, no. I just I have a comment about this. This is one of the things that has been discussed a lot about Pegasus is that we refer to it as malware. Even though it doesn’t really fit the bill, because this is a government sanctioned program and it’s a, it’s a legitimate program. 

Right? Yeah, that is being marketed and is being marketed to two or two regimes that are known to be OK. It doesn’t matter whether you’re for or against selling it to oppressive regimes, but just the fact that it is a there is something out there and just that dangerous. Just because I can manufacture nuclear weapons, it doesn’t mean I should do. It doesn’t mean I’m able to do it. It doesn’t mean the government is allowing me to do it, so this is this is regulation that is needed. Yet you got other states or other countries that are, you know, they’re spending a lot of money on research, and they’re actually subsidizing the type of research, you know, and without any care which hands that type of program falls in the hands up. 

So that’s kind of, you know, because before when referred to malware you refer to a program that you know that got on your on your computer and you know some small group somewhere it did it to bother you or cause DDoS attacks or to steal your information or put a backdoor or whatever. But it’s kind of like this one is not one of those. It’s just a program that the company is by or, you know, has big customer now. 

00:10:40 Carl 

Yeah, wait, go ahead, sorry. 

00:10:42 Ahmad 

No, Go, yeah, I was. I was done with that. 

00:10:44 Carl 

I was going to say these are more. The way I would class this is more like a vulnerability that’s being exploited more than malware itself because what malware usually does is alter the device, the way it normally functions. But the way this is, it’s exploiting vulnerabilities in the software to bypass security, so that’s not really what malware does, it’s more vulnerability being exploited. 

00:11:05 Ahmad 

Right. Right. Which you know, it’s a good segue to our next our next topic here, which is master faces and also it’s another Israeli company that that is doing this this research. And they found the they have this. The created this algorithm that can bypass over 40% of facial facial recognition and authentication, visual ID authentication systems. And the developed world is called a neural network that’s capable of generating master faces. These are like facial images that are each capable of impersonating multiple IDs. So, with one of those faces that can unlock multiple devices, 

they’re saying that using only nine faces of the faces that are generated by that algorithm, they’re able to unlock 40 to 60% of the population. That’s with nine generated faces. Now, the way it works is there is an algorithm. You know, there was a paper that was written and the way that it works is they collect the facial recognition data and then it goes into an optimizer algorithm. The optimizer algorithm goes and creates another face with that with that data using, uh, using uh, there’s three different 

companies that work with the facial recognition, which is a dylib face net and spear fates. And then what happens is it’ll go through face to face generator and then it will create a log through a function at face descriptor. Then it will take that face descriptor or function of that face descriptor and a function for another phase and generate another. Algorithm put in the optimizer and then generate another face. Keep doing this, what’s called a neural network. What is a neural network? It’s a computing system with interconnected nodes that work on the imagine like the neurons in your brain, and these nodes are like those neurons in your brain 

And that imagine like that algorithm going into, a layer of neurons that’s called like all that input. And I have the output on the outside. In the middle there is a hidden layer between the input and the output layer, and that hidden layer is a continuous inflow of the logs and the data that’s coming in. So, it’s artificial intelligence or it’s teaching itself. And this is the next step of artificial intelligence is, how can I take those logs to teach myself? How can I be better and get to the point where now with only nine master faces, literally master keys, they can unlock 40 or 60% of population? 

Now they can convert those into data and unlock any device, and now that takes us to the next ethical point. I didn’t put any malware on your device, I just have figured out the ability to how to unlock the device. Does that make me the bad guy? I would still say yes, because you’re breaking into the device. 

00:14:51 Carl 

You’re gaining unauthorized access. 

00:14:53 Ahmad 

Right! And you know, this is just the evolution of technology, right? Initially, you know when the Internet was first invented, there was just like 2 computers connected to one another with a hard wire. You didn’t need a username, you didn’t need a password. All you need to know the name of the 

other computer. 

00:15:14 Carl 

Yep, and where the files are stored. 

00:15:17 Ahmad 

Exactly, and you know, it’s kind of like passwords came after that? OK, so now we all get online, and it’s not just two computers, it’s millions of computers on millions of networks and we all need to get somewhere and get something. So now I need to access my email. I need to access my banking information etc. User ID alone is not enough. I need a user ID. And a secret way to get in, which is password? 

Well, back when things were simpler, passwords were OK, but historically they have been bad for many reasons. We as human beings we have lousy memory, right? We can’t remember, and there is a recent report that looked at over 1.4 billion stolen passwords and they found that most of them were something simple like 11111 or 123456 or I love you or password or whatever. 

00:16:15 Carl 

Or QWERTY. 

00:16:17 Ahmad 

Exactly, or password that is with a zero, right? Yeah, that’s very smart, right? The second thing is we as users just have too many accounts and when we have too many accounts, we use the same password for the same, or minor change, and when that happens, well, guess what? I get in, well, let’s say, you know, let’s say passwords are excellent and you’re doing everything that you can to protect your passwords and you know you can refer to our previous podcast about what you know how to choose a password. 

But what if somebody has access to your password? It doesn’t matter how good it is. 

00:16:56 Carl 

Like a data breach. 

00:17:00 Ahmad 

Like a data breach, right! Something that you have no control over. OK, why would there be a data breach? Because just like you, you have bad passwords, so does the system admin on the other side and that website that’s storing your it’s human error, right? Or they could have fallen under, you know, an attack, right? 

That’s when the next thing came out, which is 2 factor authentication. OK, and thinking about two factor authentication, I honestly think there should be multiple factor authentication which there exists in for, you know, high purity. But I think that should be the standard. It should be the standard multi factor authentication, so two factor authentication, it just adds another layer and as we talked about before, that security is more about how many layers can I add between myself and the threat actor, right? 

What is 2 factor authentication that came to the rescue? Well, it is simply. Another way or two. Two different steps for you to get into a network or to get into that to get into the data that you need to get access to it. So, it has to be one of those three. Two of those three things, something you know, like a password, like a PIN number like an answered a secret question. The only you know the answer to. Like your mother’s maiden name, and of course you’re not gonna use your real mothers maiden name, right? Right, and then the second thing is something you have like a token or a smartphone. You know Authenticator app. There’s yeah, it’s a great app, right? That’s the second thing. And the third thing is something you are and that could be like the biometrics. It could be your fingerprint. It can be your area so it can be 

your voice, all that stuff. 

00:18:44 Carl 

Or even your face. Which we talked about. It’s not good ’cause they can bypass that. 

00:18:50 Ahmad 

Exactly, but now not. Imagine this with two factor authentication. If it’s something I am and something I know and they have access now, we can bypass my face, right? And that’s something I am. And now the something I know they were able to get my password. That’s why I say two factor authentication. Right now, is not enough. You need a multi factor authentication. 

00:19:11 Carl 

No multi yeah. 

00:19:14 Ahmad 

Yeah, so uhm, I hope that that kind of, you know, gives a little bit of a solution to how we can protect ourselves and our digital wellbeing and how to stay anonymous and private online. 

Do you have anything to add? 

00:19:30 Carl 

No, I think that pretty much wraps it up for this week. 

You can always look at the links down in the show notes below if you want to go expand into the topics that we talked about. Everything we talked about will be linked below in our notes. And this concludes this week and we hope to see you next week for another episode and. 

00:19:57 Carl 

If you like what was in this episode, please consider liking subscribing and sharing with others. For more information to suggest a topic or to donate, head over to simplecyberdefense.com. 

Links:
What is Pegasus spyware and how does it hack phones? – https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones
Edward Snowden calls for spyware trade ban amid Pegasus revelations – https://www.theguardian.com/news/2021/jul/19/edward-snowden-calls-spyware-trade-ban-pegasus-revelations
Pegasus Project: Apple iPhones compromised by NSO spyware – https://www.amnesty.org/en/latest/news/2021/07/pegasus-project-apple-iphones-compromised-by-nso-spyware/
‘Master Faces’ That Can Bypass Over 40% Of Facial ID Authentication Systems – https://www.unite.ai/master-faces-that-can-bypass-over-40-of-facial-id-authentication-systems/
Microsoft fixes serious Windows Hello security flaw – https://www.techradar.com/news/microsoft-fixes-serious-windows-hello-security-flaw
Windows Hello bypassed using infrared image – https://therecord.media/windows-hello-bypassed-using-infrared-image/