Nikolay Pankov – Kaspersky official blog (https://www.kaspersky.com/blog). The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware. Feed last updated Thu, 04 May 2023 09:24:11 +0000.

Season 3 of The Mandalorian and cybersecurity
https://www.kaspersky.com/blog/mandalorian-season-3-cybersecurity/48070/ (Thu, 04 May 2023 07:17:26 +0000)

Season 3 of The Mandalorian TV series gave us a look at the state of information security in the Star Wars universe nine years after the Battle of Yavin. And the more I watch this show, the more I get the impression that all the infosec problems of the galaxy far, far away have two roots — negligence and droids. Before you continue reading, please be warned that there may be spoilers in the text.

The whole situation with droids in the Star Wars universe brings forth a certain… ethical-moral issue. The thing is, they’re sentient (they think, feel, and have emotions), while at the same time they’re owned by someone (or something). And even the “good” characters don’t regard this as much of a problem. Meanwhile, droids can have motives of their own, which don’t necessarily coincide with the whims and wishes of their owners.

Of the new things we learned from this season of The Mandalorian, we now know how droids get their software updates. It turns out, they visit bars to get updated… through booze! (I guess that makes a good excuse when asked “why are you drunk again?”: “Just updating, darling!”) The bars serve the drink Nepenthe, which is a lubricant for protection against mechanical wear-and-tear mixed with subparticles delivering programming updates and new commands from the mainframe. Truth be told, this doesn’t seem very safe: droids operate in almost every corner of the galaxy, while it’s the first time ever we see a bar for them. Still, at least now we know they can get any updates at all!

Assassin droid IG-11

Toward the end of Season 1, the rehabilitated assassin droid IG-11 — while surrounded by the Imperials — declared that, according to his manufacturer’s protocols, he should never be captured by the enemy, and so activated self-destruction. In theory, this is a good idea: it was designed not only to protect the information in the droid’s memory, but also to prevent turning the droid against the original owner.

However, there’s one problem: poor implementation of this self-destruct mechanism. In the third season, the lead character decides to reactivate his fallen comrade-in-arms. And it comes to light that this is quite doable! Moreover, even though the machine has lost plenty of its marbles, some scraps of information are still there — for example, it can still quote subparagraph 16 of the Bondsman Guild protocol. This vividly demonstrates how the self-destruct mechanism is not to be trusted with emergency data destruction: it’s not so reliable.

Astromech droid R5-D4

R5-D4 is a distinguished droid. He’s one of the first defective droids we see in the Star Wars universe ever. R5 is there from the very first (fourth) episode of Star Wars, when he was passed over for purchase by Luke Skywalker from Jawas due to a motivator malfunction. In the third season of The Mandalorian, the droid is foisted upon the series’ namesake as a co-pilot and to explore the planet of Mandalore — mostly destroyed by war. However, it turns out that R5 doesn’t show a great deal of respect for ownership rights, and stays true to his former masters — ex-rebels, now New Republic pilots.

We never find out whether this is due to the astromech’s default functionality or a repercussion of software modification carried out by the rebels, but R5-D4 is able to access information networks and gain control of Imperial security systems. But that’s not what should concern us: after all, he does this in his owner’s interests. What’s more troubling is that one fine day he leaks the Mandalorians’ covert coordinates to his former war buddy. Furthermore, when Captain Teva decides to seek out the Mandalorians’ hiding place, he hardly goes and talks to all the droids he knows. Which means R5 keeps reporting his whereabouts to his Rebel friends and spies on his owners.

Reprogrammed droids from Plazir-15

The planet Plazir-15 is a world where people don’t work — all their labor-consuming jobs are done by reprogrammed Imperial and separatist droids. Let’s leave aside the question of why other worlds don’t live the same way, while the New Republic persists in scrapping Imperial equipment. Most of the time repurposed droids are grateful for a second chance, because otherwise they’d be disassembled. And yet the planet constantly faces droid-related incidents — from minor sabotage to direct assaults on humans.

The lead character undertakes an incident-response-team role to investigate the recent series of incidents, and discovers that the droids’ software has been tampered with. And the tampering was accomplished by poisoning the above-mentioned update delivery mechanism: in one of the batches of Nepenthe, subparticles were replaced with nano-droids that reprogram the drinkers to force them to inflict harm upon humans and their property. Yet another reason to doubt the reliability of this firmware update mechanism.

However, it’s not at all difficult to find the culprit. Commissioner Helgait, head of security in charge of the local SOC, is also a hacktivist. But this (so-called) colleague of ours went and left a financial trail by ordering nano-droids from the local information-security office under his own name (despite being head of security!). At least he was smart enough to create a mechanism to roll reprogrammed battle droids back to a separatist firmware version; only problem — he failed to actually use the mechanism for lack of time.

Cybersecurity status of the main factions

All in all, there’s one word to describe the developments in the information security policies of both the New Republic and the Imperial remnants, and the word is degradation.

New Republic

The New Republic is actively trying to integrate former Imperial servants into society. No doubt, it was a commendable initiative. However, it’s not the most prudent decision of all to give folks who’d fought on the enemy side less than a year ago access to any secret information. But this bothers no one: Moff Gideon’s (bad guy) former communications officer (bad guy) can be seen walking up and down the office of Colonel Tuttle (good guy) — in charge of distributing military aid to the Republican worlds. Meanwhile a former Imperial scientist is taking stock of discarded Imperial assets.

The situation is bad from any angle:

  • There’s an Imperial probe droid hovering in the middle of Coruscant (the Republic’s capital), which maintains direct interplanetary video communication between the Imperials and their spies.
  • Within the limits of the city (yeah, the whole planet is actually within the limits of the city, but still) there sits, quite unguarded, an Imperial capital ship — anyone can walk right in and borrow some tools that aren’t quite legal.
  • The “mental rehabilitation” procedure for victims of Imperial propaganda isn’t secured at all: Republic officers leave a perfect stranger at the Six-O-Two Mitigator’s control panel, even though manipulations with it can harm the patient or compromise the procedure.

Imperial remnants

The last two episodes present us with an opportunity to look at an Imperial base in the ruins of Mandalore. And it looks like the base was designed by someone with a very strange outlook on security. The base has a full-fledged information security and communications center, from which local specialists can track the movements of outsiders on the base map and connect to Imperial commanders stationed on other bases. As you would expect, the important information systems have strong physical security measures: to reach the center one has to pass a corridor with multiple force fields with Imperial stormtroopers posted in-between. But, believe it or not, the center has another door, which leads to a hangar with access to the surface of the planet! And that door isn’t guarded at all! Which kind of casts doubts as to the reliability of the overall access security system.

Other than that, there are the standard Imperial key system security screw-ups:

  • The control panel that controls the cloning facility can be accessed without any authentication whatsoever — sabotage it all you can.
  • Scattered all over the base are ports for external droid interfaces, through which a totally unauthenticated droid can not only deactivate the force fields blocking the corridor, but also put out of action the fields’ regular controls. Come on, Imperials, didn’t you have the Death Star hacked the same way less than 10 years ago? Wasn’t there enough time to devise some countermeasures and add some security updates?

Ship control interception mechanism

There was one more incident on Plazir-15 — not very prominent but quite an alarming one. The local traffic control center somehow managed to take control over a Mandalorian spaceship during its landing approach. A rational arrangement in theory: it’s better to have the landing controlled by someone with local landscape knowledge. But on a practical level, the very existence of such a technology on a combat ship is a threat. One day it’s going to be exploited in a combat situation to crash the starfighter on the surface of the planet or into another spaceship.

How to avoid a fair share of these problems

The trouble with droids and spaceships could have been avoided if their information systems were based on a cyber-immune operating system. That would make droids, despite their wishes to the contrary or external commands, unable to perform any actions unless specifically sanctioned by the owner’s programming. Other than that, officers of the Empire and the Republic alike would be far better off with regular modern cybersecurity awareness training.

Cybersecurity in the TV miniseries Obi-Wan Kenobi | Kaspersky official blog
https://www.kaspersky.com/blog/obi-wan-kenobi-cybersecurity/44952/ (Thu, 28 Jul 2022 12:09:46 +0000)

Obi-Wan Kenobi is set ten years after the proclamation of the Galactic Empire, and nine years before said Galactic Empire left the critical infrastructure facility DS-1 Orbital Battle Station (more commonly known as the Death Star) so scandalously vulnerable that it was attacked and largely destroyed by the Rebel Alliance. I watched the series in the hope of tracing the development of the Empire’s information security; however, “degradation” turned out to be the more appropriate descriptor. (By the way: As usual, I’ll try not to reveal any major plot twists, but some spoilers are unavoidable; beware!)

Cybersecurity and Empire employees

Overall, the main item of interest from a cybersecurity perspective is when outsiders penetrate the Inquisitors’ secret facility and gain access to the Imperial computer systems. Before that, however, we see a skirmish on the planet Mapuzo that also arouses our curiosity. Let’s start with that.

Checkpoint on Mapuzo

This despoiled mining planet is believed to be home to the Empire’s most wanted Jedi, Kenobi. Stormtroopers at the checkpoint apprehend a suspicious-looking man and call in the Viper Probe Droid equipped with a facial recognition system to identify him. And guess what? It works!

One question: why didn’t these brainy machines take part in the search for droids in Episode IV nine years later? If, instead of asking passers-by silly questions, the patrol in Mos Eisley had used face recognition, they would have found and arrested Obi-Wan. The Empire couldn’t have known that he was being played by another actor!

Underwater Fortress Inquisitorius and Mustafar’s moon Nur

In terms of information security the secret fortress of the Inquisitors (which everyone knows about) has to be one of the Empire’s most advanced facilities we see in the Star Wars universe. It’s similarly well-secured physically too…

Quite incredibly — by the Star Wars universe standards — people here have their IDs checked at the entrance, the doors are opened with authentication devices called code cylinders, and the underwater gateway is controlled entirely from a computer console — not from a panel by the entry hatch as is usually the case. And there’s also something totally unheard-of: the corridors are patrolled by mobile security cameras. It’s a mystery why just nine years later these security practices were entirely abandoned by the Empire. In Episode IV, the selfsame Kenobi walks freely around the Death Star and doesn’t even need to log in to access the tractor beam control unit!

But, as you’ve probably guessed, all these security measures don’t do any good. And as usual, it’s all down to the carelessness of a single employee — the so-called “lead security on this level”. The fact is that Kenobi is assisted by an insider — Captain Tala Durith — a bona fide Imperial officer with excellent social-engineering skills who’s become disillusioned with the Empire.

When Tala’s documents are checked at the fortress entrance, it turns out that she’s assigned to a different sector entirely and has no business being at the secret facility. However, Tala pulls rank and convinces the officer on duty — that same “lead security” we mentioned earlier — that she’s brought secret intelligence for the Inquisitors, so she’s allowed in.

Once inside, she enters some kind of control room and logs in to one of the terminals, passing authentication with her code cylinder. There’s something clearly flawed with the delimitation of user rights: why would she have any rights in the system at all if she genuinely has nothing to do with this sector?!

Anyway, Tala gains access to both the fortress’s schematics and the underwater gateway control unit, which she uses to let Kenobi in. The senior officer in the control room eventually grasps that there’s an outsider at the terminal — though it takes him about 20 minutes to do so. But his subsequent actions defy logic: for some reason he takes Tala to a secluded corner behind some units to check her entry pass, in which corner he stays — laid-out with a broken neck for the rest of the series!

Clearly, the staff at this secret facility are totally unprepared for incidents of this nature. Generally speaking, this problem could have been solved with regular pen testing. That said, there probably aren’t that many specialists in this field on Mustafar.

Empire opponents’ cybersecurity methods

Let’s talk about the Empire’s opponents as well. There are no rebels as such in this series: the forces of conventional good are represented only by opposition-minded Alderaan and the underground anti-Imperial network The Path, which doesn’t so much fight the Empire as shelter and transport dissidents (surviving Jedis and Force-sensitives). And there’s, of course, Ben Kenobi himself. In terms of information security, things are, unsurprisingly, not great.

The ruling house of Alderaan

Alderaan’s rulers — the Organa family — have a very weird attitude to security (information and otherwise), which raises many questions. Since the very beginning of the Empire, Senator Bail Organa has been actively involved in all sorts of anti-Imperial endeavors. What’s more, the existence of his adopted daughter, Leia, must be kept secret from Vader. You’d think he’d be concerned for the safety of his own family at least. But no, Flea from RHCP (the mercenary Vect Nokru) has no trouble snatching the princess right from inside the palace walls.

It should be mentioned that Leia is inseparable from the mini-droid Lola (L0-LA59). So why doesn’t Bail install a solution like Kaspersky Safe Kids on her beloved gadget? Then at least he’d know where the princess had been taken! Especially since remote droid-location technologies do exist and are actively used in the series.

L0-LA59 droid security

In one episode, the Inquisitors, having “droid-napped” L0-LA59, fit her with a malicious surveillance device that lets them control the machine remotely. It’s not clear why the Empire doesn’t exploit this technology later on: it could have, for example, in Episode V, seized control of C-3PO in Cloud City instead of sending him to the smelter. Even more baffling is why the House of Organa doesn’t use droids built on the basis of a cyber immune operating system, which would simply block both connections to untrusted devices and external malicious commands.

Bail Organa and communications

The biggest mystery of all is how Bail Organa, with all his oppositionist views, even lived to see the destruction of Alderaan. Not only does he repeatedly reach out to Obi-Wan Kenobi (which in itself is a death sentence), he does so over an unsecure communication channel, laying out secret information with references to Luke and Tatooine in cleartext.

Note, too, that the messaging system doesn’t only lack encryption: the receiving device even has no basic authentication. In other words, anyone can pick up the device and listen to the last message. Now there’s someone who could definitely use some cybersecurity awareness training!

The Path shelter on planet Jabiim

The Path’s shelter has barely a nodding acquaintance with cybersecurity. The hangar door controller — without which there can be no quick evacuation — is a strange contraption teeming with wires and located in the ventilation ducting. The malicious droid easily gains access to this device and physically disables something in it, making the door uncontrollable.

What’s more, because the critical system is so conveniently located, it’s practically impossible to get to the door controller and fix it. Of course we’re talking here about heroic oppositionists with no funding of any kind. Still, seeing how difficult it is even for a ten-year-old child to squeeze their way through to the device, it’s hard to imagine who the designers thought would maintain and repair the system.

Takeaway

As you can see, nine years before the first Star Wars movie, the Empire was far, far better at information security than it was later on, while its opponents lacked even a basic understanding of it. Perhaps the reason why the Empire ditched most of its progressive security measures is that in any case they did nothing to actually prevent intrusions and other incidents.

How much does access to your company cost? | Kaspersky official blog
https://www.kaspersky.com/blog/initial-access-market-2022/44659/ (Fri, 17 Jun 2022 10:39:50 +0000)

When the media reports about a company being attacked by ransomware, many folks imagine that cunning hackers first wrote dangerous malware, then searched long and hard for a way to hack the company, and finally encrypted its confidential data. Because of this, some business owners are still convinced that their company is not interesting enough for attackers to spend so many resources on hacking it.

In reality, things couldn’t be more different. A modern attacker in fact doesn’t write the malware himself, but rents it, and he doesn’t spend resources on hacking — he simply goes to the shadow market of initial access brokers. Experts in our Digital Footprint Intelligence service decided to find out how much money changes hands when cybercriminals buy and sell access to company infrastructure.

How much for access?

So how much do attackers spend when buying access to your infrastructure? This depends on many factors, but the most significant one is your company’s revenue. After analyzing about two hundred adverts on the darknet, our experts came to the following conclusions:

  • most ads offer access to small companies;
  • almost half the ads offer access for less than $1000;
  • cases where access is sold for more than $5000 are quite rare;
  • the average cost of access to large companies ranges between $2000 to $4000.

For sure, those are hardly enormous sums of money. But ransomware operators expect to reap much greater sums from their blackmailing endeavors, so they are at least willing to spend this much on initial access. It seems to be the market price that’s been settled on through organic supply and demand and widely known purchasing power.

What’s for sale?

Attackers offer different types of access. Sometimes it’s information about a vulnerability that can be exploited for access. Other times it’s credentials for accessing Citrix or the site’s hosting panel. But in the vast majority of cases (in more than 75% of ads) they offer a variant of access via RDP (sometimes in conjunction with a VPN). Accordingly, this option of remote access to the company’s infrastructure should be treated with increased attention.

Where do the bad guys get hold of access?

There are many options for obtaining initial access. Sometimes cybercriminals use the simplest way: password mining. But most often they send phishing emails to employees, or emails with malicious attachments (spyware, or, for example, stealers, which automatically collect credentials, authorization tokens, cookies, and so on from infected devices). Sometimes attackers also exploit known vulnerabilities in software before administrators patch it.

Detailed results of the study, with examples of real initial access ads, can be found in the report on the Securelist website.

How to stay safe?

Since most often the subject of sale is remote access to a company’s infrastructure via RDP, it is this that should be protected first of all. Our experts give the following recommendations:

  • organize RDP access only through VPN;
  • use strong passwords;
  • use Network Level Authentication (if possible);
  • use two-factor authentication for all critical services.
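The following PowerShell script is an added example, not code from the Kaspersky post, showing how a Windows administrator can audit a host against the first three recommendations above (RDP reachable only via VPN, Network Level Authentication, and an inventory of what is exposed) and enforce them. It assumes local administrator rights, the standard Terminal Server registry locations, and the built-in "Remote Desktop" firewall rule group; the VPN subnet value is a constructed placeholder. Strong passwords and two-factor authentication are policy and identity-provider settings, so the script only reports on the machine-local controls.

```powershell
# Added example (not from the Kaspersky post): audit and enforce RDP hardening on one Windows host.
# Assumes local administrator rights. Registry paths below are the standard Terminal Server settings.

$tsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpPath = "$tsPath\WinStations\RDP-Tcp"

function Get-RdpPosture {
    # fDenyTSConnections = 0 means RDP is switched on; UserAuthentication = 1 means NLA is required.
    $rdpEnabled = (Get-ItemProperty -Path $tsPath  -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nla        = (Get-ItemProperty -Path $rdpPath -Name UserAuthentication).UserAuthentication -eq 1

    # Enabled inbound rules from the built-in "Remote Desktop" group.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    # A rule whose remote address is 'Any' exposes RDP to every network, not just the VPN.
    $openRules = foreach ($r in $rules) {
        $filter = $r | Get-NetFirewallAddressFilter
        if ($filter.RemoteAddress -eq 'Any') { $r.DisplayName }
    }

    [pscustomobject]@{
        RdpEnabled          = $rdpEnabled
        NlaRequired         = $nla
        UnrestrictedInbound = @($openRules)
    }
}

function Set-RdpHardening {
    param(
        # Hypothetical parameter: the VPN client pool from which RDP should be reachable.
        [Parameter(Mandatory)] [string] $VpnSubnet
    )
    # Require Network Level Authentication so the logon screen is never shown to unauthenticated clients.
    Set-ItemProperty -Path $rdpPath -Name UserAuthentication -Value 1 -Type DWord

    # Restrict the inbound RDP rules to the VPN subnet only, which implements "RDP only through VPN"
    # at the host firewall (the perimeter firewall should enforce the same).
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Set-NetFirewallRule -RemoteAddress $VpnSubnet -Enabled True
}

$before = Get-RdpPosture
if ($before.RdpEnabled -and (-not $before.NlaRequired -or $before.UnrestrictedInbound.Count -gt 0)) {
    Write-Warning 'RDP is enabled without NLA or is reachable from any address; applying hardening.'
    Set-RdpHardening -VpnSubnet '10.8.0.0/24'   # constructed placeholder; use your VPN client pool
}
Get-RdpPosture | Format-List
```

Run it once per host (or wrap it in a configuration-management job) and compare the before and after posture; a host that still shows an entry under UnrestrictedInbound after hardening has a custom rule outside the built-in group that needs the same remote-address restriction.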

In order to make passwords less likely to be leaked through phishing, it’s also recommended to use reliable security solutions with an anti-phishing engine both on employee devices and at the mail gateway level. And to be on the safe side, periodically raise your personnel's cybersecurity awareness.

In addition, it’s quite useful to find out if someone is already discussing ways of accessing your company’s infrastructure on the darknet, so monitoring such activity is advised. It is such monitoring that our Digital Footprint Intelligence service carries out.

How to ensure PII processing compliance | Kaspersky official blog
https://www.kaspersky.com/blog/pii-protection-endpoint-cloud/43244/ (Tue, 04 Jan 2022 20:44:19 +0000)

Many regions around the world now have local laws regulating the processing and storage of personally identifiable information (PII). That’s in addition to the GDPR (General Data Protection Regulation), with which every company handling EU residents’ data in any way must comply.

Large organizations have relatively clear strategies for complying with all of those laws and regulations. Typically, they give an employee — a data protection officer (DPO) — the responsibility of ensuring compliance with the rules on processing personal data, and they allocate sizable budgets to the development of internal regulations and for conducting regular audits. However, a lack of resources can make compliance more challenging for small organizations.

Human factor

The problem most often lies with employees, not all of whom are as careful as they should be with other people’s personal data. That carelessness can lead to unintentional leaks.

Consider one common scenario: employees who deal with PII daily storing scans containing personal data in a corporate shared environment. From their point of view, they’re simply uploading data to the company’s OneDrive or SharePoint directories. Strictly speaking, their actions do not constitute a leak, but they have made the data accessible to colleagues who may not be appropriately trained to work with such information and who therefore should not have access to it.

The problem is not that these colleagues will necessarily allow a data leak to occur. However, thinking that they do not have access to any supercritical or confidential information, they may accidentally leave their work laptop unsupervised from time to time. Furthermore, if the organization experiences an unrelated data leak incident, a surprise audit of its data processing and storage practices — and, potentially, hefty fines for allowing broad employee access to customers’ or employees’ personal data — may follow.

How to minimize the risk of personal data landing in shared access

The simplest way to keep personal data out of shared storage is to monitor whether employees use business collaboration tools to transmit such data. That is to say, you need to understand exactly what employees are sharing, where they store the information, and whether they share links to it with anyone outside the organization. In theory, you need a separate DLP solution to do that, but not all businesses have the resources for one. There is an alternative, though.

The Data Discovery feature in our latest Kaspersky Endpoint Security Cloud solution is an excellent option for any organization that uses Microsoft 365 services for collaboration. Data Discovery detects files containing PII or bank card data, clearly shows their location, and provides additional context — independent of whether the information is stored in a structured or unstructured format.

Although the feature currently operates only with German, Italian, and American document formats, we are continuing to refine it. We expect the product to support detection of other countries’ documents in the near future.

Control over alternative collaborative tools

We know that employees may sometimes go further and upload important corporate information onto third-party cloud services. In other words, they may be storing data in places and with tools whose security IT does not control.

We therefore recommend that you start by clearly explaining to your employees that they must not use third-party cloud services for confidential or sensitive data. Then, monitor all use of cloud services and block them as needed. Another feature in Kaspersky Endpoint Security Cloud — Cloud Discovery — can help there.

The Cloud Discovery and Data Discovery features supplement our solution's standard protection mechanisms. Thus, it not only protects companies from external cyberthreats but also makes compliance with personal data protection laws and regulations easier.

Cybersecurity in Hans Christian Andersen’s fairy tales
https://www.kaspersky.com/blog/andersen-cybersecurity-technologies/43232/ (Thu, 30 Dec 2021 02:03:43 +0000)

Storytellers have been trying to instill a culture of cybersecurity in their readers since the Middle Ages. The basic principle is simple: Use the “cases” in folk tales to create real reports. The reports vary in detail, of course, but a careful read reveals a fundamental difference in the presentational approach of each author.

The Brothers Grimm and Charles Perrault may have constructed their tales around cyberincidents, but Hans Christian Andersen paid special attention to protective technologies. It appears the Grimms and Perrault were funded by companies specializing in incident investigation, whereas Andersen worked for a security solution vendor. Let’s consider some examples of his output.

The Wild Swans

The introduction to this fairy tale is pretty standard: A recently widowed king marries a wicked queen who turns out to be a witch — a common euphemism in fairy tales for an insider threat. Despising the young princes, she encrypts them (makes them birds). Curiously, Andersen reveals that the encryption algorithm is flawed — the evil stepmother tries to encrypt them in .big_birds_without_voice format but ends up with .swans.

Further on, the tale describes the princess’s ordeals and some attempts to contact third-party cryptography consultants, but a large part of the story is about how the princess manually writes 11 decryptors — one for each of her brothers.

The tale relates how she weaved the decryptor code out of nettles she harvested from a church graveyard. The mention of the graveyard seems to hint at the C++ programming language (the two plus signs represent crosses), which, not coincidentally, was developed by Andersen’s fellow countryman Bjarne Stroustrup. That is, the princess wrote the decryptors in C++.

But Andersen remains impartial; we see that with the last decryptor, which contains an error, leaving some of the last brother’s files encrypted.

The Princess and the Pea

The fairy tale “The Princess and the Pea” feels a bit like a report on implementing a medieval sandbox-based behavioral analysis engine. Perhaps Andersen wrote it for some specialist periodical, or as a whitepaper on a success story.

In short, the story tells of a prince who has to prove the woman he wants to marry is a real princess. To that end, his mother prepares an isolated, controlled space (in other words, a sandbox), simulating the princess’s bedroom. She hides a trigger in the bed to provoke normal princess behavior, obfuscating the trigger with 20 thick mattresses and feather beds. According to the mother’s hypothesis, a real princess would respond to the trigger even in such conditions, whereas a fake princess would be unaware of it.

Next, the research subject, placed in the bedroom, responded appropriately to the trigger, and thus the prince’s mother issued the verdict: Princess.

Today, we use behavioral-detection technologies to detect malicious, rather than princess, behavior. The basic principle remains the same, however. For example, Kaspersky Research Sandbox analyzes the normal operation of a computer in a corporate network and emulates it in an isolated space to then monitor the behavior of potential threats.

The Tinderbox

In “The Tinderbox,” Andersen writes about a hacker. Simply called the soldier, our hacker uses a kind of communicator called Tinderbox to contact a criminal group of monstrous dogs. The dogs provide him with coins and a communication channel to the princess, bypassing government restrictions. What’s more, they conceal his criminal activities in the real world by physically eliminating unwanted people. In other words, it’s a dark-web tool, and the name Tinderbox is clearly a reference to Tor.

“The Tinderbox” is atypical in some regards, primarily in its choice of protagonist. The heroes of fairy tales tend to be positive characters, or at least they evoke feelings of empathy. Here the central character, far from being a hero, is immoral to the core.

In the course of his extremely short tale, the soldier swindles, robs, and kills an old woman who told him where to get money, repeatedly kidnaps a princess, does away with her parents as well as the judges and the royal councilors, and ultimately seizes power. Andersen clearly wanted to depict the man as a criminal.

Returning to the information security prism, we are not interested in the tinderbox per se, but rather in the measures palace defenders used to pinpoint where and how the soldier makes contact with the princess. The queen (note that, as in “The Princess and the Pea,” it is the woman of the family who is responsible for information security at the palace — that’s how Andersen shows how important the role of CISO was in medieval times) makes several attempts to get a fix on the hacker.

First, she instructs the in-house (in-palace) cyberthreat analyst — a lady-in-waiting — to trace the intruder’s address manually. The lady-in-waiting correctly identifies the subnet the soldier is using, but the complex system of address obfuscation keeps her from determining the precise machine. In other words, to throw her off the scent, one of the dogs marks the surrounding gateways with the same chalk cross as on the soldier’s gateway.

The second attempt is more sophisticated and more successful. The queen embeds an implant in the princess’s client app — a bag of buckwheat groats. During the next communication session, the buckwheat implant marks the intermediate nodes through which the cybersavvy dog redirects the signal to “Soldier’s window” — that is, directly to his Windows-based computer. As a result, the soldier is traced, arrested, and sentenced to death.

Unlike “The Princess and the Pea,” however, this is a cautionary tale, not a success story. A passerby is bribed to deliver the communicator to the condemned man, who enlists the help of the whole canine criminal group; ultimately, the queen’s efforts were in vain.

The Emperor’s New Clothes

Rounding out our selection of Andersen tales about information security technologies is another famous one, “The Emperor’s New Clothes.” The original tale is quite clearly a satirical critical article about cybercharlatans — in this case, vendors who lavish praise on their own next-gen blockchain- or AI-based cybersecurity.

In “The Emperor’s New Clothes,” the king allocates money to develop a full-fledged cybersecurity system, but the contractors just flourish some snazzy blockchain-themed presentations and pocket the cash. The king’s advisers, knowing nothing about the technology and afraid of looking stupid, confirm its great prospects. Later, a young but seemingly experienced pentester notices that the royal protection system is not merely full of holes, but entirely nonexistent.

The cybersecurity industry has moved on quite a bit since Andersen’s time. Modern organizations choosing security solutions should be guided less by advertising slogans and more by the results of independent tests.

What’s new with Matrix security in Resurrections | Kaspersky official blog
https://www.kaspersky.com/blog/matrix-resurrections-state-of-cybersecurity/43209/ (Tue, 21 Dec 2021 16:33:41 +0000)

In December 2021, the creators of the Matrix rolled out a massive update, The Matrix Resurrections, perhaps to address the dire state of security in the system. As often happens with system bug fixes, the update resolves some but not all issues — and adds some new ones in the process.

What’s changed in the Matrix in the 18 years since the last update? Today, we’re evaluating the latest installment from a cybersecurity perspective. As usual, spoiler alert!

Fighting pirate avatars

As before, external hackers have infiltrated the Matrix. In the original trilogy, whether the system was serious about fighting the Zion Resistance or just pretending to be was never entirely clear (and the Matrix is hardly the only fictional universe that’s convoluted). The new movie creates the impression that the Matrix programs genuinely do not want outsiders in their system, that countermeasures are in full force but simply not effective enough.

Pirate signal from hacker ships

Hacker ships continue to transmit pirate signals to the Matrix, as they did before in “real reality.” No firewall was ever implemented at the entrance to the Matrix, though that would have been logical. Using a Zero Trust approach from the start would have prevented a lot of hassle.
Status: Unsolved

Pirate avatar transfer system

Either the Matrix defeated the system that broadcast pirate avatars through simulated telephone landlines and the hackers had to invent something new, or the hackers improved their methods and abandoned wire telephony. Either way, the system is different now: The new breed of rebel uses a complex system of dynamic redirects. In other words, the rebels can now turn doors and mirrors into portals both for quickly transporting pirate avatars from place to place and for logging in to the system. That’s very similar to the work of the Keymaker in the second movie — perhaps the hackers managed to replicate (or borrow) part of his code.
Status: Worse than before

 

Pirate avatar tracking system

The Matrix has become far more responsive to outside avatars’ actions. Countermeasures are now applied (and much more quickly) in almost every case of rebel infiltration — perhaps the creators of the Matrix followed our recommendations for the original trilogy and finally implemented EDR. Moreover, hackers are now forced to cover their tracks constantly, for example by opening portals in a moving train to keep their activity hidden from the agents for longer.
Status: Greatly improved

Matrix agents

The Matrix has abandoned its unique and probably resource-intensive agents. They remain as code, but they exist exclusively within a looped, double-virtual simulation. The Matrix, you see, has learned to switch the avatar of any connected human to bot mode, acting for the system. Visually, the difference is that, whereas an Agent previously replaced a person’s avatar, now the avatar outwardly remains the same but is taken over by the AI.

By comparison with agents, bots act more primitively, but they can operate in swarm mode, synchronously and (subjectively) more efficiently. Physical laws still govern the bots’ behavior, however, and the result is essentially the same. Hackers can still get the job done; they just have to work a little harder for it.
Status: Different, not better

Rogue programs

The Matrix used to be full of unnecessary programs that had no useful system functions. Along with the update, the AI purged obsolete software throughout the system, destroying the vast majority of rogue programs — not all, of course, but precious few remain. Some have emigrated to the physical world (we won’t say how; that would be one spoiler too many). In any event, getting rid of outdated software is the right move.

Status: Greatly improved

Network segmentation

The Matrix’s attitude toward isolating subnets remains poor. From the outside, the rebels manage to break in — not only to the Matrix, but also to a simulation of the Matrix, deployed inside on double-virtual servers. In other words, the simulation is on the same thoroughfare, so to speak; once inside the network, an intruder can go anywhere — say, accounts or R&D. In short, the implementation is very sloppy, especially given the absence of an entrance firewall or Zero Trust system.

Status: About the same

Anomaly control system

The original trilogy’s system for controlling anomalies in the code (by means of the One) no longer works. Instead, we have a new system, in which the One and Zion no longer go through cycles of recreation; rather, the Matrix tries to manipulate the reconnected Neo through Trinity and colleagues.

The result is even more deplorable than before. Instead of one human with some avatar code anomalies, they get two — and that might not be all.
Status: Much worse

The problem of ex-Agent Smith

The Matrix did not destroy the code of former Agent Smith, but instead took control of it and tried to implement it in a complex new anomaly control system. The AI is likely interested in that part of the code that retains elements of Neo’s code.

The part responsible for uncontrolled replication seems to have been deleted. However, by the end of the movie, Smith frees himself (as usual, thanks to Neo’s intervention), and he remains in the Matrix. What’s more, he can now jump from avatar to avatar, an ability the Matrix can’t control. In other words, if before Smith was a rather stupid virus, it has now morphed into a full-fledged APT.

Status: Much worse

New problems

The balance of power has changed significantly. First, Zion was not destroyed at the end of the original trilogy, which greatly strengthens humanity. Second, following a split on the machine side, some AI carriers — both intelligent machines and purely software-based personalities — are now on humanity’s side. The result is several fundamentally new issues.

Data leaks

The AI carriers absconded with a fair amount of information, some of which is sensitive. The humans now know a lot more about the architecture of the Matrix and various critical systems.

Critical infrastructure security

The hackers are far more active in the “real reality” and now periodically attack critical infrastructure at the physical level. Moreover, the renegade machines actively help humanity hack into other machines at the hardware level, for example, by breaking into the harvester control system and other protected objects. As a result, the Zion rebels can continue stealing the bodies of humans connected to the Matrix.

General takeaways

To sum up, the Matrix update has worsened the overall security of the machines, not improved it. If the AI had not turned enslaved humans into batteries, perhaps people could have helped out with an independent vulnerability analysis — well worth the effort before rolling out a massive update.

The flawed cybersecurity of The Matrix | Kaspersky official blog
https://www.kaspersky.com/blog/matrix-vulnerabilities/43168/ (Thu, 16 Dec 2021 18:12:38 +0000)

The Matrix trilogy (The Matrix, The Matrix Reloaded, The Matrix Revolutions) told of the successful implementation of the metaverse before the idea went mainstream. The creator of this virtual world (or, rather, neural-interactive simulation), we learn, was an artificial intelligence that once defeated and enslaved humanity. The process was not without bugs, which brings us to today’s topic.

For starters, between the limited data human characters have and the constant misinformation from the AI, viewers never know precisely what’s true, or how realistic their view of the world is at any given moment.

But we are not interested in philosophical subtext here; our focus is on information security, so we will rely on what are considered the established facts at the end of the third movie. Spoiler alert for anyone who hasn’t watched the whole trilogy but intends to.

Fighting the Zion Resistance

At the trilogy’s finale, it becomes clear that the struggle with rebels infiltrating the Matrix is all staged. For the latest cycle of rebellion to succeed, the Matrix needs a certain number of external enemies, so we don’t know for sure whether the agents are really trying to catch Morpheus and his team, or if they’re just simulating a frenzy of activity. From a cybersecurity perspective, it’s not clear whether we’re seeing bugs or features — a design flaw or something deliberately introduced into the Matrix (perhaps as a sort of honeypot).

Pirate signal from Resistance ships

The Matrix’s population consists of avatars of enslaved humans who are wired to the system, and of programs that originally existed in the form of code. Why remote broadcasting of signals from outside the system was initially implemented, allowing third-party avatars to be uploaded, remains unclear.

Such anomalies are usually a result of some sort of debug access that someone forgot to close, but in this case the developers were not human, so that explanation doesn’t fit. Anyway, even if they implemented remote connection on purpose — if it was a feature, not a bug — why didn’t the auto-programmers implement a firewall to block any pirate signals?

Uncontrolled avatar transmission system

Inside the Matrix, pirate avatars can appear and disappear only through phone cables (although how mobile and landline phones differ inside a virtual reality framework is not explained). Moreover, Matrix agents are, in principle, able to deactivate the line — at least, they cut it when Morpheus was captured. But if it is so critical for Matrix infiltration and exfiltration, why don’t the agents ban it, or at least disable it throughout the operation zone?

Incomplete addressing system

Despite the objective need for such information, the Matrix lacks precise location data for each specific object inside virtual reality. We can assume that pirate avatars are able to hide their location in virtual space, but to stay on the tail of the still-connected Neo in the system, agents needed an additional tracking device. There’s obviously a fault in the addressing system.

That raises questions about Morpheus’ notorious red pill. In his words, it is a tracking program “designed to disrupt your input/output carrier signals, so we can pinpoint your location.” Why isn’t the Matrix monitoring for such anomalies? Being able to intercept the “rescue team” seems pretty important.

Artificial constraints on Matrix Agents

Matrix agents are AIs that can temporarily replace the avatar of any human connected to the system. They can violate the conventional laws of physics, but only up to a point. The twins from the second part of the trilogy are far less impeded by physics, so why can’t such conditional constraints be lifted, at least temporarily, during the operation to capture perpetrators?
Adding to the mounting errors in their code, for some reason agents have the ability to disconnect from the Matrix information system simply by removing their earpieces, a clear vulnerability if ever there was one.

Zion mainframe codes

The whole point of the machines’ hunt for Morpheus in the first movie was to gain the access codes to the Zion mainframe, which every captain knows. That raises a host of questions about why the person with the access codes to the rebels’ critical infrastructure would also be the one who goes into the Matrix.

That point is especially strange if one recalls that there are people on board without any interface for connecting to the Matrix. Entrusting valuable information to them would obviously be far safer. It’s a misstep by the liberated humans, plain and simple: equivalent in today’s real world to attaching a sticky note with passwords to your monitor and then giving a TV interview with it in the background.

Rogue software

For some reason, the Matrix is unable to effectively get rid of programs that are no longer required. Lurking deep inside are various smart apps from old versions of the Matrix: information smugglers, semiphysical militants, a program called Seraph that defines its function as “I protect that which matters most” (a predictable slogan for any information security company).

According to the Oracle, they should all have been removed, but instead they chose to disconnect from the system and live autonomously inside the virtual reality. The existence of uncontrolled obsolete software is a clear vulnerability, just as it is in real life. They literally help hackers attack the Matrix!

Software smuggling

Some programs exist exclusively in the “world of machines” yet can be smuggled in to the virtual world of the Matrix, which human avatars can inhabit. The ability to bring in such programs highlights some serious system segmentation issues. In particular, a direct communication channel should not exist between two segments designed to be isolated.

Backdoor corridor

Among the exiles is the Keymaker program, which creates keys for backdoors. We don’t know to what extent the Keymaker actually is an exile — perhaps he, like the Oracle, is part of the system to control the rebels through the Chosen One. Not only does the Keymaker cut access keys using a file and a lathe, but it also informs hackers of the existence of a whole corridor of backdoors granting access to different parts of the Matrix, from the Core Network to the Source, the heart of the system. Both the Keymaker and the corridor pose a fundamental security threat to the entire system, especially considering how it’s protected against outsiders.

The main problem with the corridor’s security is that for some reason it exists according to the notional laws of the virtual world, depending on emulated power plants (that do not actually produce power) and computers at these virtual stations. And these laws in the Matrix, as we know, are notoriously easy to break. Even putting an agent in the corridor would be more effective — so why didn’t they? No money to pay its salary?

Clones of Agent Smith

Matrix agents originally had a feature that let them replace the avatar code of any hardwired human. However, agents have always existed as individual copies. At the end of the first movie, Neo, having acquired anomalous abilities, infiltrates Agent Smith and tries to destroy him from the inside, with some part of the code of Neo’s avatar being transferred into the agent’s code. After that, Smith goes haywire and gains the ability to bypass artificial constraints, both the laws of the physical world and the ban on existing in one copy. In other words, he becomes a full-fledged virus.

By all appearances, Smith is the first virus in the Matrix; otherwise, there is no explanation for why the system has no antivirus solution for tracking software anomalies, isolating and removing dangerous applications that threaten the security of the system. Considering that most of the people freed from the Matrix are hackers, we find that very odd.

Be that as it may, the existence of Smith, now able to copy his code into any avatar or program, serves as an argument in Neo’s negotiations with the AI. In the end, Neo physically connects to the Matrix, allows Smith to “infect” his avatar, connects to the Smith-net, and destroys all of the Smiths.

As a result, the machines agree to a truce, to stop exterminating humans, and even to release those who don’t want to live in the Matrix. But they could have just built a secure operating system from the start, or at least used a reliable security solution in combination with an EDR system capable of tracking network anomalies!

Log4Shell: critical vulnerability in Apache Log4j | Kaspersky official blog
https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/ (Sat, 11 Dec 2021 14:47:22 +0000)

Various information security news outlets have reported the discovery of critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity 10 out of 10). Millions of Java applications use this library to log error messages. To make matters worse, attackers are already actively exploiting this vulnerability. For this reason, the Apache Foundation recommends that all developers update the library to version 2.15.0 and, if that is not possible, use one of the methods described on the Apache Log4j Security Vulnerabilities page.

Why CVE-2021-44228 is so dangerous

CVE-2021-44228, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If attackers manage to exploit it on one of the servers, they gain the ability to execute arbitrary code and potentially take full control of the system.

What makes CVE-2021-44228 especially dangerous is the ease of exploitation: even an inexperienced attacker can pull it off. Log4j’s message lookup substitution resolves ${...}-style expressions found inside logged strings, including JNDI lookups that point at a remote server. So, according to the researchers, attackers only need to get the application to write one crafted string to its log; the library then contacts the attacker’s server and loads the code it returns.

Working Proofs of Concept (PoC) for the attacks via CVE-2021-44228 are already available on the Internet. Therefore, it’s not surprising that cybersecurity companies are already registering massive network scans for vulnerable applications as well as attacks on honeypots.

This vulnerability was discovered by Chen Zhaojun of Alibaba Cloud Security Team.

What is Apache Log4j and why is this library so popular?

Apache Log4j is part of the Apache Logging Project. By and large, using this library is one of the easiest ways to log errors, which is why so many Java developers use it.

Many large software companies and online services use the Log4j library, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and many more. Because of the library being so popular, some information security researchers expect a significant increase in the attacks on vulnerable servers over the coming days.

Which versions of the Log4j library are vulnerable, and how can you protect your servers from attack?

Almost every version of Log4j 2, from 2.0-beta9 through 2.14.1, is vulnerable. The simplest and most effective protection is to install the most recent version of the library, 2.15.0, which you can download from the project page.

If for some reason updating the library is not possible, the Apache Foundation recommends one of the following mitigations. For Log4j versions 2.10 through 2.14.1, set the log4j2.formatMsgNoLookups system property to true, or set the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.

For earlier releases of Log4j (from 2.0-beta9 to 2.10.0), the library developers recommend removing the JndiLookup class from the classpath by deleting it from the JAR: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class (restart the application afterwards, since an already running JVM has the class loaded).
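A check of the version range and of the two mitigations above, written here as an added example in Python; it is not code from the post or from the Apache Log4j project. It assumes a Maven-built log4j-core JAR that records its version in META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, inspects one JAR at a time (it does not descend into JARs nested inside a WAR or fat JAR), and builds constructed stand-in JARs in memory so that it runs offline. The function names and verdict strings are my own.

```python
"""Assess a log4j-core JAR for CVE-2021-44228: is the version in the affected range,
is JndiLookup.class still present, and does the formatMsgNoLookups flag apply?"""
import io
import re
import zipfile

JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS_ENTRY = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1, 0); '2.0-beta9' -> (2, 0, 0, 0, 9).
    The two trailing fields make a pre-release sort before its final release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?$", text.strip())
    if not m:
        return None
    pre = (0, int(m.group(4))) if m.group(4) else (1, 0)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) + pre


VULNERABLE_FROM = parse_version("2.0-beta9")  # first affected release, per the post
VULNERABLE_TO = parse_version("2.14.1")       # last affected release, per the post
FLAG_WORKS_FROM = parse_version("2.10")       # formatMsgNoLookups only exists from 2.10 on


def version_is_vulnerable(version):
    v = parse_version(version)
    return None if v is None else VULNERABLE_FROM <= v <= VULNERABLE_TO


def flag_mitigates(version, env=None, jvm_args=()):
    """True only if the flag is set (env var or -D property) AND the running
    version is one that honours it (2.10 .. 2.14.1)."""
    env = env or {}
    flag_set = (env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"
                or "-Dlog4j2.formatMsgNoLookups=true" in jvm_args)
    v = parse_version(version)
    return bool(flag_set and v is not None and FLAG_WORKS_FROM <= v <= VULNERABLE_TO)


def assess_jar(jar, env=None, jvm_args=()):
    """`jar` is a path or a file-like object. Reads the version from pom.properties,
    checks for JndiLookup.class, and returns a dict with a 'verdict' key."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS_ENTRY in names:
            for line in zf.read(POM_PROPS_ENTRY).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_ENTRY in names
    if version is None:
        verdict = "unknown"                      # not a Maven-built log4j-core, or stripped metadata
    elif not version_is_vulnerable(version):
        verdict = "fixed"                        # 2.15.0 or later (or older than 2.0-beta9)
    elif not has_jndi:
        verdict = "mitigated-class-removed"      # the zip -d mitigation has been applied
    elif flag_mitigates(version, env, jvm_args):
        verdict = "mitigated-flag"               # formatMsgNoLookups set on a version that honours it
    else:
        verdict = "vulnerable"
    return {"version": version, "has_jndi_lookup": has_jndi, "verdict": verdict}


def make_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core JAR, holding only the two entries inspected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS_ENTRY,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")  # class-file magic only
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for ver, jndi in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True), ("2.0-beta9", True)]:
        print(ver, "JndiLookup present" if jndi else "JndiLookup removed",
              "->", assess_jar(make_sample_jar(ver, jndi))["verdict"])
```

The "mitigated-flag" verdict is only as good as the env and jvm_args you pass in: take them from the service unit or container spec that actually starts the JVM, not from your own shell, and remember that a flag set on a 2.9.x install changes nothing, which is why the check requires both the flag and a version from 2.10 up.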

In addition, we recommend installing security solutions on your servers; in many cases this allows you to detect the launch of malicious code and stop the attack from developing further.

You can find more information about the Log4Shell vulnerability here:

Cybersecurity in the Bond world | Kaspersky official blog
https://www.kaspersky.com/blog/bond-cybersecurity-in-craig-era/42733/ (Fri, 29 Oct 2021 11:48:38 +0000)

The recently released No Time to Die lowers the curtain on the Daniel Craig era. With that in mind, let’s run through all five of his Bond outings from a cybersecurity perspective — you’ll be shaken, but hopefully not stirred, by our findings. What unites the movies, aside from Craig himself, is a complete lack of understanding of cybersecurity basics by the movies’ MI6 employees.

Whether the oversight is deliberate (highlighting the outdatedness of Bond and the whole 00 section concept) or due to the incompetence of the scriptwriters and lack of cyberconsultants is not clear. Whatever the case, here’s a look at some of the absurdities we spotted in the films, in order of appearance. Spoiler alert!

Casino Royale

In Craig’s first Bond movie, we see the following scene: Bond breaks into the house of his immediate superior, M, and uses her laptop to connect to some kind of spy system to find out the source of a text message sent to a villain’s phone. In reality, Bond could only do that if:

  • MI6 does not enforce an automatic screen lock and logout policy, and M leaves her laptop permanently on and logged in;
  • MI6 does not enforce the use of strong passwords, and M’s passwords are easily guessable;
  • M does not know how to keep her passwords secret from her colleagues, or she uses passwords that were compromised.

Any one of these scenarios spells trouble, but the third is the most likely one; a little later in the story, Bond again logs in remotely to a “secure website” using M’s credentials.

Bond’s attitude to passwords is no better. When he needs to create a password (of at least six characters) for the secret account that will hold his poker winnings, he uses the name of his colleague (and love interest) Vesper. What’s more, the password is actually a mnemonic corresponding to a number (like the outdated phonewords for remembering and dialing numbers on alphanumeric keypads). It is effectively a 6-digit password, and based on a dictionary word at that.

Quantum of Solace

The least computerized of the last five Bond movies, Quantum of Solace nonetheless includes a moment worthy of attention here. Early in the film, we learn that Craig Mitchell, an MI6 employee of eight years — five as M’s personal bodyguard — is actually a double agent.

Of course, that’s an old-school security issue rather than the cyber kind. However, M’s carelessness with passwords, as seen in the previous film, suggests MI6’s secrets may well be in the hands of cat-stroking supervillains the world over.

Skyfall

At the other end of the cyberspectrum lies Skyfall, the most computerized of the five. Here, information security lies at the very heart of the plot. The cybermadness is evident from scene one. For convenience, we’ll break down our analysis chronologically.

Data leak in Istanbul

An unknown criminal steals a laptop hard drive containing “the identity of every NATO agent embedded in terrorist organizations across the globe.” Even MI6’s partners do not know about the list (which moreover does not officially exist).

The very idea of such a drive is already a massive vulnerability. Let’s assume that the database is vital to MI6 (it is). What, then, was it doing in a safe house in Istanbul, protected by just three agents? Even if the drive is, as we’re told, encrypted and alerts MI6 of any decryption attempt?

Cyberterrorist attack on SIS

The first real cyberincident crops up a bit later: a cyberterrorist attack on the headquarters of the British Secret Intelligence Service. The attacker tries to decrypt the stolen drive — seemingly, according to the security system, from M’s personal computer. The defenders desperately try to shut down the computer, but the evildoers blow up the SIS building on the bank of the Thames.

The ensuing investigation reveals that the assailant hacked into the environmental control system, locked out the safety protocols, and turned on the gas; but before doing so, they hacked M’s files, including her calendar, and extracted codes that make decrypting the stolen drive a question of when, not if.

Let’s assume the alert from the stolen drive on M’s computer represented an attempt at disinformation or trolling (after all, the drive could not have been in the building). And let’s ignore questions about the building’s gas supply — who knows, maybe MI6 corridors were lit with Jack-the-Ripper-era gas lanterns; Britain is a land of traditions, after all.

In any case, hacking the engineering control systems is perfectly doable. But how did the engineering control systems and M’s computer — supposedly “the most secure computer system in Britain” — end up on the same network? This is clearly a segmentation issue. Not to mention, storing the drive decryption codes on M’s computer is another example of pure negligence. They might at least have used a password manager.

Cyberbullying M

The perpetrators tease M by periodically posting the names of agents in the public domain. In doing so, they are somehow able to flash their messages on her laptop. (There seems to be some kind of backdoor; otherwise how could they possibly get in?) But MI6’s experts are not interested in checking the laptop, only in tracing the source of the messages.

They conclude it was sent by an asymmetrical security algorithm that bounced the signal all over the globe, through more than a thousand servers. Such a tactic may exist, but what they mean by “asymmetrical security algorithm” in this context is about as clear as mud. In the real world, “asymmetric encryption algorithm” is a term from cryptography; it has nothing to do with hiding the source of a message.

Insider attack on MI6

Bond locates and apprehends the hacker (a former MI6 agent by the name of Silva), and takes him and his laptop to MI6’s new headquarters, unaware that Silva is playing him. Enter Q: nominally a quartermaster, functionally MI6’s hacker-in-chief, actually a clown.

Here, too, the reasoning is not entirely clear. Is he a clown because that’s funny? Or was the decision another consequence of the scriptwriters’ cybersecurity illiteracy? The first thing Q does is connect Silva’s laptop to MI6’s internal network and start talking gobbledygook, which we will try to decipher:

  • “[Silva]’s established failsafe protocols to wipe the memory if there’s any attempt to access certain files.” But if Q knows that, then why does he continue to analyze Silva’s data on a computer with such protocols installed? What if the memory gets erased?
  • “It’s his omega site. The most encrypted level he has. Looks like obfuscated code to conceal its true purpose. Security through obscurity.” This is basically a stream of random terms with no unifying logic. Some code is obfuscated (altered to hinder analysis) using encryption — and why not? But to run the code, something has to decipher it first, and now would be a good time to figure out what that something is. Security through obscurity is indeed a real-life approach to securing a computer system for which, instead of robust security mechanisms, security relies on making data hard for would-be attackers to puzzle out. It’s not the best practice. What exactly Q is trying to convey to viewers is less than clear.
  • “He’s using a polymorphic engine to mutate the code. Whenever I try to gain access, it changes.” This is more nonsense. Where the code is, and how Q is trying to access it, is anyone’s guess. If he’s talking about files, there’s the risk of memory erasure (see the first point). And it’s not clear why they can’t stop this mythical engine and get rid of the “code mutation” before trying to figure it out. As for polymorphism, it is an old technique for mutating the code of malware each time a new copy is made, associated with viruses in the strict sense of the word. It has no place here.

Visually, everything that happens on Silva’s computer is represented as a sort of spaghetti diagram of fiendish complexity sprinkled with what looks like hexadecimal code. The eagle-eyed Bond spots a familiar name swimming in the alphanumeric soup: Granborough, a disused subway station in London. He suggests using it as a key.

Surely a couple of experienced intelligence officers should realize that a vital piece of information left in plain sight — right in the interface — is almost certainly a trap. Why else would an enemy leave it there? But the clueless Q enters the key without a murmur. As a result, doors open, “system security breach” messages flash, and all Q can do is turn around and ask, “Can someone tell me how the hell he got into our system?!” A few seconds later, the “expert” finally decides it might make sense to disconnect Silva’s laptop from the network.

All in all, our main question is: Did the writers depict Q as a bumbling amateur on purpose, or did they just pepper the screenplay with random cybersecurity terms hoping Q would come across as a genius geek?

Spectre

In theory, Spectre was intended to raise the issue of the legality, ethics, and safety of the Nine Eyes global surveillance and intelligence program as an antiterrorism tool. In practice, the only downside of creating a system such as the one shown in the film is if the head of the Joint Secret Service (following the merger of MI5 and MI6) is corrupted — that is, if as before, access to the British government’s information systems is obtained by an insider villain working for Bond’s sworn enemy, Blofeld. Other potential disadvantages of such a system are not considered at all.

As an addition to the insider theme, Q and Moneypenny pass classified information to the officially suspended Bond throughout the movie. Oh, and they misinform the authorities about his whereabouts. Their actions may be for the greater good, but in terms of intelligence work, they leak secret data and are guilty of professional misconduct at the very least.

No Time To Die

In the final Craig-era movie, MI6 secretly develops a top-secret weapon called Project Heracles, a bioweapon consisting of a swarm of nanobots that are coded to victims’ individual DNA. Using Heracles, it is possible to eliminate targets by spraying nanobots in the same room, or by introducing them into the blood of someone who is sure to come into contact with the target. The weapon is the brainchild of MI6 scientist and double agent (or triple, who’s counting?) Valdo Obruchev.

Obruchev copies secret files onto a flash drive and swallows it, after which operatives (the handful who weren’t finished off in the last movie) of the now not-so-secret organization Spectre break into the lab, steal some nanobot samples and kidnap the treacherous scientist. We already know about the problems of background checks on personnel, but why is there no data loss prevention (DLP) system in a lab that develops secret weapons — especially on the computer of someone with a Russian surname, Obruchev? (Russian = villain, as everyone knows.)

The movie also mentions briefly that, as a result of multiple leaks of large amounts of DNA data, the weapon can effectively be turned against anyone. Incidentally, that bit isn’t completely implausible. But then we learn that those leaks also contained data on MI6 agents, and that strains credulity. To match the leaked DNA data with that of MI6 employees, lists of those agents would have to be made publicly available. That’s a bit far-fetched.

The cherry on top, meanwhile, is Blofeld’s artificial eye, which, while its owner was in a supermax prison for years, maintained an around-the-clock video link with a similar eye in one of his henchmen. Let’s be generous and assume it’s possible to miss a bioimplant in an inmate. But the eye would have to be charged regularly, which would be difficult to do discreetly in a supermax prison. What have the guards been doing? What’s more, at the finale, Blofeld is detained without the eye device, so someone must have given it to him after his arrest. Another insider?

Instead of an epilogue

One would like to believe all those absurdities are the result of lazy writing, not a genuine reflection of cybersecurity practice at MI6. At least, we hope the real service doesn’t leak top-secret weapons or store top-secret codes in cleartext on devices that don’t even lock automatically. In conclusion, we can only recommend the scriptwriters raise their cybersecurity awareness, for example by taking a cybersecurity course.

UAParser.js package infected with password stealer and miner

https://www.kaspersky.com/blog/uaparser-js-infected-versions/42700/ Mon, 25 Oct 2021 20:08:53 +0000

Unknown attackers have compromised several versions of a popular JavaScript library, UAParser.js, by injecting malicious code. According to statistics on the developers’ page, many projects use the library, which is downloaded 6 to 8 million times every week.

The malefactors compromised three versions of the library: 0.7.29, 0.8.0, and 1.0.0. All users and administrators should update the libraries to versions 0.7.30, 0.8.1, and 1.0.1, respectively, as soon as possible.

What UAParser.js is, and why it is so popular

JavaScript developers use the UAParser.js library for parsing the User-Agent data browsers send. It is implemented on many websites and used in the software development process of various companies, including Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, and more. Moreover, some software developers use third-party instruments, such as the Karma framework for code testing, which also depend on this library, further increasing the scale of the attack by adding an additional link to the supply chain.
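To show the kind of work the library does, here is an added illustration written for this post (a simplified parser, not UAParser.js’s own code): it pulls the browser family, version, and operating system out of a User-Agent string with a set of ordered regular expressions, and runs on a few constructed UA strings.

```javascript
// Added illustration, not UAParser.js itself: a minimal User-Agent parser that
// extracts browser family/version and OS/version with ordered regular expressions,
// the general technique libraries of this kind use.

// Browser rules are ordered because UA strings stack tokens for compatibility:
// Edge and Opera also carry "Chrome/", and Chrome also carries "Safari/".
const BROWSER_RULES = [
  { name: "Edge",    re: /Edg(?:e|A|iOS)?\/(\d+(?:\.\d+)*)/ },
  { name: "Opera",   re: /OPR\/(\d+(?:\.\d+)*)/ },
  { name: "Chrome",  re: /Chrome\/(\d+(?:\.\d+)*)/ },
  { name: "Firefox", re: /Firefox\/(\d+(?:\.\d+)*)/ },
  { name: "Safari",  re: /Version\/(\d+(?:\.\d+)*).*Safari\// },
];

// iOS before macOS: iPhone/iPad UAs also contain "like Mac OS X".
// Android before Linux: Android UAs also contain "Linux".
const OS_RULES = [
  { name: "Windows", re: /Windows NT (\d+(?:\.\d+)*)/ },
  { name: "Android", re: /Android (\d+(?:\.\d+)*)/ },
  { name: "iOS",     re: /(?:iPhone|iPad).*OS (\d+(?:_\d+)*)/ },
  { name: "macOS",   re: /Mac OS X (\d+(?:_\d+)*)/ },
  { name: "Linux",   re: /Linux/ },
];

// Returns the first rule that matches, with its captured version (if any).
function firstMatch(rules, ua) {
  for (const rule of rules) {
    const m = rule.re.exec(ua);
    if (m) {
      // iOS/macOS encode dots as underscores; normalise to dotted versions.
      const version = m[1] !== undefined ? m[1].replace(/_/g, ".") : null;
      return { name: rule.name, version };
    }
  }
  return { name: "Unknown", version: null };
}

function parseUserAgent(ua) {
  if (typeof ua !== "string" || ua.length === 0) {
    return { browser: "Unknown", browserVersion: null, os: "Unknown", osVersion: null };
  }
  const browser = firstMatch(BROWSER_RULES, ua);
  const os = firstMatch(OS_RULES, ua);
  return { browser: browser.name, browserVersion: browser.version, os: os.name, osVersion: os.version };
}

// Constructed sample UA strings (not captured from real traffic).
const SAMPLE_UAS = [
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Edg/94.0.992.50",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0",
  "curl/7.79.1",
];

for (const ua of SAMPLE_UAS) console.log(JSON.stringify(parseUserAgent(ua)));
```

Regex-based UA parsing is brittle (every new browser or token order needs another rule), which is exactly why so many projects pull in a maintained library instead of writing this themselves, and why one such library ending up in so many build pipelines makes it a valuable supply-chain target.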

Introduction of malicious code

Attackers embedded malicious scripts into the library to download malicious code and execute it on victims’ computers, in both Linux and Windows. One module’s purpose was to mine cryptocurrency. A second (for Windows only) was capable of stealing confidential information such as browser cookies, passwords, and operating system credentials.

However, that may not be all: According to the US Cybersecurity and Infrastructure Protection Agency’s (CISA’s) warning, installing compromised libraries could allow attackers to take control of infected systems.

According to GitHub users, the malware creates binary files: jsextension (in Linux) and jsextension.exe (in Windows). The presence of these files is a clear indicator of system compromise.

How malicious code got into the UAParser.js library

Faisal Salman, the developer of the UAParser.js project, stated that an unidentified attacker got access to his account in the npm repository and published three malicious versions of the UAParser.js library. The developer immediately added a warning to the compromised packages and contacted npm support, which quickly removed the dangerous versions. However, while the packages were online, a significant number of machines could have downloaded them.

Apparently, they were online for a little more than four hours, from 14:15 to 18:23 CET on October 22. In the evening, the developer noticed unusual spam activity in his inbox — he said it alerted him to suspicious activity — and discovered the root cause of the problem. It is hard to know how many times the infected libraries were downloaded in that window, but within three days of the incident their malicious code was detected by the security solutions at several dozen of our corporate clients around the world.

What to do if you downloaded infected libraries

The first step is to check computers for malware. All components of the malware used in the attack are successfully detected by our products.

Then update your libraries to the patched versions — 0.7.30, 0.8.1, and 1.0.1. However, that is not enough: According to the advisory, any computer on which an infected version of the library was installed or executed should be considered completely compromised. Therefore, users and administrators should change all credentials that were used on those computers.
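To turn the version list above and the jsextension indicator files into a concrete check, here is an added example (not code from the UAParser.js project, npm, or Kaspersky) that scans a package-lock.json for the three compromised releases, reports the fixed release for each, and matches a file listing against the two indicator filenames. The lockfiles and the file list in the block are constructed samples, including the placeholder karma version.

```javascript
// Added example, not code from the UAParser.js project, npm or Kaspersky: flags the
// three compromised ua-parser-js releases in a lockfile and matches file listings
// against the two indicator binaries reported on GitHub.

const PACKAGE = "ua-parser-js";

// Compromised release -> fixed release, as listed in the advisory.
const COMPROMISED = { "0.7.29": "0.7.30", "0.8.0": "0.8.1", "1.0.0": "1.0.1" };

// Binaries the malware drops; their presence is an indicator of compromise.
const INDICATOR_FILES = ["jsextension", "jsextension.exe"];

function isCompromisedVersion(version) {
  return Object.prototype.hasOwnProperty.call(COMPROMISED, version);
}

function makeFinding(path, version) {
  const compromised = isCompromisedVersion(version);
  return { path, version, compromised, fixedVersion: compromised ? COMPROMISED[version] : null };
}

// Returns one finding per ua-parser-js copy in a package-lock.json object.
// Handles lockfileVersion 2/3 ("packages", keyed by install path) and the
// nested "dependencies" tree of lockfileVersion 1.
function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`)) {
        findings.push(makeFinding(path, entry.version));
      }
    }
    return findings;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PACKAGE) findings.push(makeFinding(path, entry.version));
      walk(entry.dependencies, `${path}/`); // transitive copies nest under the parent
    }
  };
  walk(lock.dependencies, "");
  return findings;
}

// Given file paths (for example from a recursive listing of a build host),
// return those whose basename is a known indicator file.
function findIndicatorFiles(paths) {
  return paths.filter((p) => {
    const base = p.split(/[\\/]/).pop().toLowerCase();
    return INDICATOR_FILES.includes(base);
  });
}

// Constructed sample lockfile (v2 layout): a direct dependency on a compromised
// release plus a transitive copy pulled in by a test framework, the extra
// supply-chain link the article describes. Versions other than ua-parser-js's are placeholders.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/ua-parser-js": { version: "0.7.29" },
    "node_modules/karma": { version: "0.0.0-constructed" },
    "node_modules/karma/node_modules/ua-parser-js": { version: "0.7.28" },
  },
};

// Constructed lockfile in the older v1 layout.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    karma: { version: "0.0.0-constructed", dependencies: { "ua-parser-js": { version: "1.0.0" } } },
  },
};

// Constructed file listing mixing a legitimate library file with the two indicators.
const SAMPLE_FILES = [
  "/home/build/app/node_modules/ua-parser-js/src/ua-parser.js",
  "/home/build/app/jsextension",
  "C:\\build\\app\\jsextension.exe",
];

// Produces one report line per finding and per indicator file hit.
function report() {
  const lines = [];
  for (const f of [...scanLockfile(SAMPLE_LOCK_V2), ...scanLockfile(SAMPLE_LOCK_V1)]) {
    lines.push(f.compromised
      ? `COMPROMISED ${f.path}@${f.version}: update to ${f.fixedVersion} and rotate credentials`
      : `ok          ${f.path}@${f.version}`);
  }
  for (const p of findIndicatorFiles(SAMPLE_FILES)) lines.push(`INDICATOR   ${p}`);
  return lines;
}

console.log(report().join("\n"));
```

The lockfile scan is the useful part: a transitive copy pulled in by a test framework does not show up in package.json, so checking only direct dependencies misses exactly the case the article warns about. A hit on either check means the host, per the advisory, is treated as fully compromised, so the output pairs every flagged version with both the fix and the credential rotation.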

In general, development or build environments are convenient targets for attackers trying to organize supply-chain attacks. That means such environments urgently require antimalware protection.
