In order to gain the upper hand against a machine, You’ll need to understand the limitations and weaknesses it have. And there are plenty of them. While usually the word ‘vulnerability’ is used, it is a quite narrow approach, because it is derived from a concept of ‘good networks’ attacked by ‘threat actors’. But oftentimes we see bad actors employing machines aswell, and in the near future autonomous artifical intelligence will propel machines that will need a different approach to combat.
And we use the word ‘weakness’ to make it comparable to Human Weaknesses, which are plenty aswell.
Why we use the word ‘machines’ instead of, say computers? Because it is hard to differentiate between computers, peripherals and associated integrated gadgets that altogether make up the computer-controlled realm. In the world of the Internet-of-Things, the AI-distorted virtual social sphere and the possibly autonomous AI-driven armed drones we find it appropriate to call the phenomenon simply as the ‘machine’.
So, here comes a growing list of known Machine Weaknesses. So far only the weaknesses / vulnerabilities of the computers are covered here, but it is under bettering and extending day by day. What you will read here is part and parcel of NEW COMPENDiUM: it is a generic content based on the accumulated human knowledge.
Part 1 – (MW1) Weaknesses of computer-driven machines)
MW1A0. Weaknesses resulting from economical manufacturing
Information technology also means industrial manufacturing technology, so it is a cost-effective pursuit of production: preferably the cheapest components are installed. Accordingly, there are integrated components that have been manufactured unchanged for decades and therefore their technical description and defects are widely known.
MW1A1. Power Supply
The power supply for machines is as important as air is to the humans. This is the most critical of many other conditions because the operation of the machine is unimaginable without electricity.
MW1A1.1. External Power Supply
A basic weakness is the exposure to the removal or destruction of a continous external power supply. This weakness enables any adversary to achieve voltage fluctuations, to increase resistance within the electrical network and to reduce the nominal power of uninterrupted power supplies. (Alternative or renewable resource exploitation can overcome dependence on electrical power, but in the absence of continuity of supply, uninterruptible power supplies are required.)
MW1A1.2. Internal Power Supply
The characteristics of the machine’s power supply determine its performance and all power failures of the power supply can prevent its operation. According to its type, it can be rechargeable battery and external power supply. The external supply / mains power and the internal power supply of the computer have different technical parameters so that some transformer or inverter is needed. These parts could be directly targeted and any failure of these automatically results for the machine as a whole an inability to function.
MW1A2. Electronic Integrity
The minimum requirement of a machine is the ability to automatically auto-operate per circuit and switch. Computer / machine circuits and switches have technical limits and could be damaged if overridden. In the case of damaged circuits, the computer / machine may not be able to automatically turn itself on.
The computer can be instructed to perform continuous arithmetic and logic operations. The main component of this is the Central Processing Unit’s (CPU) Arithmetic Logic Unit (ALU) and external mathematical co-processors (FPU, Weitek, GPU). In the case of a logical loop or an unexpected outcome, the arithmetic or logical units may be unable to return the control or terminate the operations.
MW1A4 Core Logic
MW1A4.1. Flow Distortion
Machines are driven by computers, which are control systems that control processes based on a program. If the process itself is defective or distorted, the computer will try to control it. In those cases where the process shutdown would be the optimal step, other steps may cause damage to the system.
MW1A4.2. Network Centrism
Connected computers are a network. Because computers are capable of networking by design, they always have the ability to communicate with new channels (LAN, GPRS, WiFi, Bluetooth, etc.). This means that all the defences are useless, if a computer is accessed in a novel or previously unused way.
The network plus all human interaction in the cyberspace are together the Internet. Therefore, every part of the Internet is unique. This makes the machines hard to detect anomalies, because for a machine everything human or natural IS an anomaly.
MW1A5. The machine’s cell level: the individual circuit
The current state of each circuit is characterized by whether it receives power, signals, and it affects the status of other circuits or circuits in the state of 0 or 1 of each particular circuit. Each circuit can perform the following two operations:
1.) be in an instantly readable 0 or 1 state and
2.) can be switched to a different state.
For this reason an outage of a single circuit lead to a shortfall of many circuits that are dependent on the former.
MW1A6. The machine’s tissue level: tolerances and logic gates
The tissue is the sum of the cells that are capable of functioning. Physically speaking in the case of a machine, there are identical circuits with identical tolerances and logic gates, i.e. groups of one or more circuits whose status (0 or 1) switches one or more other circuits. This enables to calculate those circumstances, under which parts of the machine will not be able to function (because of the identical circuitry) – and it also enables to calculate which circuit to override or damage in order to make it inoperable, because of the inability to operate necessary logic gates.
MW1A7. The machine’s organ level
The body is a set of different functions and structures that serve a high level of purpose. A high level goal combines several processes to produce an optimized input or output (or both). The organs can be ranked according to their relationship to the existence of the system. Their systematic principles are backward interpreted legacy, meaning that a newer model body can perform the task of the older model in the same way and completely. This legacy or inheritance makes it possible for all previously written codes to run on a brand new model – and if it has no prompt defence against it, it will be enough to bring it down.
MW1A7.1. Central Processing Unit (CPU)
For what it is and what is the role it plays, its weaknesses are automatically come into being , like:
- The CPU is central, so in the absence of it the computer can not do its tasks,
- It is a processor, so its task is to process the inputs and send the processed data to output – so there is no way for a machine to function without it,
- It is a unit, so it is not only logically but physically a production unit – which means that if one of its components is getting damage, the whole unit will be useless.
The processor performs arithmetic and logic operations. Part of the Arithmetic Logic Unit (ALU) is a a circuit that produces a timing signal (clock generator), and a control unit that changes the order in which the circuits, tissues and organs are access the current and data (~ where non-access is also a sequence). A shuffle in the clock signal makes the orderly operation of any computers impossible.
Processors are different, backward-compatible instruction set architecture families that are typical of a particular type of computer family (such as ARM Android, Windows Phone, x86 PC, Apple Axx iPhone, etc.). The architecture which is laid out in order to make it possible for manufacturers to build machines around these make it possible to be able to find and exploit core weaknesses of said processors – because if it works on one processor, it will work on any processor in the family (and even back-, or forwards in the family line).
The motherboard is a form factor printed circuit board (PCB) that houses printed or cable buses connecting organs, connectors for CPU, memory and I / O devices, and their connector / controller and some simpler integrated I / O devices. The programs required to handle the organ signals are stored in the memory of the chips on the mainboard (firmware). These programs can be overwritten (EEPROM) or non-overwritable (ROM). Overwriting the mainboard chips’ memories (flashing) is risky because if it became interrupted the function becomes inaccessible or freezes because of an incorrect program or a bad write. What more, a program stored in an unwritable memory can not be changed even if its vulnerability becomes known. These programs are unavoidable, lacking or bypassing them makes it impossible to operate the particular tissue / organ for the machine.
The memory stores all the data the processor needs to perform any of its tasks. The size of the memory is determined by the addressability of the processor. This in a 16-bit system is 64 KB, in a 32-bit system is 4 GB and in a 64-bit system is 16ExaB (which is so great that it is practically unimaginable at the moment). For 16- and 32-bit systems, Physical Address Extension (PAE) can be segmented by addressing the memory.
Data stored in memory in the absence of power supply:
- either conjointly receive 0 values (states) – so the contents of the memory becomes deleted,
- or all stored values are retained. In this case, data stored in the memory however, remains in vain, for the CPU needs to rewrite the registry and therefore cannot locate the data stored in the memory modules – so while it is possible to recover the contents by forensics, but the CPU could not use these any further,
- the contents of the memory could be written to dump or page files that are accessible and can be analyzed on other computers (by humans and machines aswell) – so it provides an insight for an attacker how to access the machine’s core functions.
MW1A7.3.1. Memory usage
The memory usage of the computer is based on the fact that, in order to process any data, the processor must read the data, write it in memory, and record it where it put the data in the memory. In the absence of this, the processor can not work with the data.
Principal order of use of memory:
Taking a job:
1. The CPU reads 8 bits from an I / O device.
Data input (input):
1. The CPU reads 8 bits from an I / O device.
2. The CPU writes the 8 bits into the memory (RAM).
3. The CPU uses its own memory (register) to record the memory (RAM) that the data is written to.
1. The CPU reads the register to find out where in the memory is the input bit (8 bit) to be processed.
2. The CPU reads the 8-bit input data from the RAM based on the addressing.
3. Performs a CPU operation (arithmetic or logical) with 8 bit data.
4. The CPU writes the resulting 8 bits into the memory (RAM).
5. The CPU uses its own memory (register) to record where in the memory (RAM) the data (addressing) has written.
1. The CPU reads the register to find out where in the memory is the processed 8-bit data.
2. The CPU sends the 8 bit data from the RAM to the I / O device (output).
3.The CPU clears the register.
A fault in reading or writing either the RAM or the Register therefore means a CPU malfunction, where it can not do any more steps.
MW1A7.3.2. Memory fault tolerance
Depending on the production technology of memory modules, they have different fault tolerance capabilities. Failures of memory modules can be caused by the presence of filled particles, irradiation, surge and undercurrent. These are mostly soft errors that can be rewritten. Reasons for non-correctable errors are usually production wastes due to scattering of technical parameters, defects in manufacturing technology, degradation due to maximum operating parameters, insufficient co-operation of modules with different power consumption and incompatibility of different standard modules.
MW1A7.3.3. Memory size
The size of the memory is determined by binary or decimals, but they are both described in GB sizes. If differences between the two values are not or are not well managed, memory overflow may occur or double-, triple-faulting may occur.
Some internal logics use binary and decimal numbers simultaneously (eg. Binary Encoded Decimals – BCDs), in which case errors in memory addressing will always cause triple fault.
MW1A7.4. Full-size I / O
Every data storage device has a registry area (an allocation table for example), a positioning area, and a storage space. A damage of the first two or overwriting these with incorrect data makes them unsuitable for I / O activity.
Each mass storage device has chips with flash-enabled firmware programs. By overwriting them, their operation can be influenced or prevented.
MW1A7.5. Sensors (input only)
Input-only devices are sensors (keyboard, mouse, camera, etc.) that send data about the signals they detect – typically as instant interruptions – to the CPU. Each input device will automatically be recognized if it sends the signal according to the standard – even if they only emulate that device.
For example, it is enough to properly use the USB + V, earth and two data channels for the emulation, as it communicates with the predefined 7-bit codes to the CPU to push the left and right mouse buttons and move them all the way. The mouse sends the signals in the above channels (eg 1010101 for the left mouse button, 1010110 for the right mouse button). Emulation allows any input device to be a direct intervention device.
MW1A7.6. Super I / O devices
Super I / O devices are combined and uniformly controlled low bandwidth I / O devices that the motherboard can handle uniquely. Some of them directly supply data to the CPU, while others send data to the specified location by bypassing the CPU but under its control. There are many standards (Northbridge-Southbridge, Low Pin Count bus, etc.) out there.
Such devices include:
- floppy disk (3.5 “) controller,
- parallel port (simultaneously parallel with multiple bits),
- serial port (1 bit data transfer at one time),
- embedded and / or keyboard controller, which can be supplemented with a PS / 2 keyboard and / or mouse controller,
- programmable timer (like Intel 8254),
- real-time clock,
- (CMOS) BIOS memory,
- thermometer sensors,
- voltage sensors,
- ventilator speed sensors,
- Chassis Intrusion Sensor / Opening Chassis sensors,
- processor cooling fan (pulse-width modulation),
- BIOS ROM Interface (if not directly tied to the LPC bus)
- internal data flow encryption devices (like the Internal Trusted Platform Module TPM or ISO / IEC 11889),
- infrared port controller,
- Infrared Sensor Controller (IrDA),
- MIDI port,
- Legacy Plug and Play Controllers,
- computer watchdog timer (used to detect and recover from computer malfunctions).
Any malfunction of these simpler devices would cause the whole system to malfunction or to be unable to operate.
MW1A8 Core programming functions
MW1A8.1. Machine code
Any command that programs a more complex logic center than an Integrated Circuit (IC) is executed in machine code. Any element that is having an interpretative ability is programmable in machine code. The Operating System (OS) can not control machine code programs because it is written in a higher level of programming language – therefore any Operating System can be circumvented in a direct machine code access.
MW1A8.2. Performance Optimization Procedures
The CPU has several routines that try to avoid unnecessary operations, thus accelerating its work and optimizing energy and data usage. Because of this, it is completely predictable how and in what order it will solve a given task.
MW1A8.2.1. Branch prediction
A branch predictor is a digital circuit that is usually part of the CPU that tries to guess which way a branch (e.g. an if–then–else structure) will go before this is known definitively. If another CPU is used to do the same guesswork and compile an unusual set of branches (e.g. where all predictions will be false), the resulting code could encumber a CPU so as to slow down or to cease functioning under the greatly heightened workload.
MW1A8.2.2. Speculative execution
The CPU loads everything into the operational memory that it may need. If a particular code was not needed, it does not take into account the presence of the code. At the end of each operation, all the codes will exit. If a large volume of smaller codes are sensed as a necessary code, the CPU’s performance will fall below the expected levels, and more and more organs and periphelrals will produce faults.
The CPU’s performance is maximized so that it can not be idle. This is done by instruction pipelining (~ sequencing, dataflow, paralellism). Pipelining tries to supply all parts of the processor with a specific command by converting incoming instructions into a series of sequential steps executed simultaneously by different processor units. Operations from the various parts will be processed as soon as the pipeline ends.
The disadvantage of pipelining is that 3 or more operations are interrupted when the CPU is interrupted, so there is a possibility of double-triple fault failures, which could cause an Operating System to freeze or restart the system it is installed on.
Program interruption is the sequence of operations when the running of a program by the CPU is interrupted and a higher priority (more important, more urgent) program execution is started by saving the status of the currently running program in a temporary storage so that it can be resumed later. After interruption, the original program will continue to run where it has stopped (the status of the original program has been restored).
System programming interrupts are important, because events that needs immediate attention may occur during the execution of programs, which can be solved only by the temporary suspension of the “normal” execution of the currently executed program(s).
- Completing specified external operations that can be expected but can not be precisely scheduled (a periphery indicates that an input or output operation has been completed – for example a button is pressed down on the mouse or keyboard),
- intentional, ie. program-driven events (system calls),
- defined program defects (eg division with 0) and
- compensation of random and unexpected events (like serious hardware failure or power outage).
Interruptions exist at a number of levels, the lowest level is the world of hardware / BIOS interrupt requests. Hardware interrupts are asynchronous and can occur in the middle of instruction execution, which could lead to instant freezes / faults (like inserting a hardly readable CD into the driver). The highest level is where the interrupt requests of softwares / user applications are handled (eg. message-signaled interrupt, push notification, doorbell, etc.).
Using purely interruption requests, it is possible to suspend or divert CPU’s original activity unjustified.
MW1A8.4. Double fault
A double fault occurs when the processor detects an error while attempting to execute a pending interrupt or an exception. For example, a double error occurs when an interrupt request is received, but there is no such interrupt in the CPU interrupt handler. If the processor detects an error when calling a Double Fault Handler, a triple error is generated and the processor turns off / restarts. Because of this a number of pre-set conditions could be engineered, when the Operating System will restart – and consequently it is able to cold-boot it with a doctored version.
The error is x86-specific. On the Acorn RISC Machine (ARM) and other MOS Technology 6502 based systems, reset also has the highest priority and therefore it is possible to soft reset with vector interrupts.
MW1A8.5. Triple fault
In x86 computer architecture, triple fault is a CPU generated exception that occurs when the CPU attempts to call the exception handling after the double error, but encounters another failure. Processors with x86 specification cause a shutdown cycle when a triple fault occurs. This usually forces motherboard hardware to initiate CPU reset, which causes restart of the whole computer.
Triple errors indicate the operating system kernel or device drivers problem. In modern operating systems, the triple error is typically caused by a buffer overflow or under-operation in a device controller that is described through the Interrupt Descriptor Board (IDT). If the IDT is corrupted, at the next interruption, the processor will be unable to call the required interrupt manager or dual error handler because the IDT descriptors are defective, so the system stops / restarts. On the Acorn RISC Machine (ARM) and other MOS Technology 6502 based systems, reset also has the highest priority and therefore it is possible to soft reset with vector interrupts.
This phenomenon makes it possible to run low-level disruptive programs to restart the system on most systems (root, jailbreak, re-opping). As of now these kind of ‘vulnerabilities’ are the most sought after, with some of these are being legally bought for as much as 1.5 million USD.
WM1A8.6. Hypnosis (netborne system rigging)
If a central (datacenter) or network (server) machine, which is considered a reliable source of data, sends wrong or distorted data for some reason, the CPU will execute erroneous operations or send erroneous commands to the output devices. In this way an infection of a central machine is enough to bring down a whole network if the trust system between the networked machines is one-way from the top down.
The relation between real and sensory data is thus: A ≠ A
WM1A8.7. Mass psychosis / data poisoning
All data scanned by the machine trough its sensors and / or its I / O devices will be interpreted in any case, even if the facts, decisions, emotions and the motives behind the data are unclear. A group case is “mass psychosis” where most of the data is meaningless, so the comprehensible data are statistically so small in the whole dataset that the data processed reflect a misunderstood system of conclusions.
WMA8.8. Autohypnosis (system self-suggestion, distorted experience of reality)
If the sensory data of the machine is distorted in a particular direction (~ is actually larger or smaller in a given spectrum or a number of spectrums), then the CPU sends higher or lower intensity control to output devices. This is because deliberately incorrect data will be provided with the sensors in question (eg. artificially elevated temperature, etc.).
The relation between real and sensory data is thus: A ≠ A
WM1A8.9. Psychotic Effect / Psychosis (reality border blurring)
Psychosis is an abnormal state of the mind when it is difficult to find out what reality is and what it is not. In the case of the machine, this analogy can be detected when the CPU is unable to read data from I / O devices or when a sensor continuously disseminates data that is different from the real values. Defective sensors lead to serious interpretation problems as they are analogous to delusions, misconceptions and / or delusions. This could be easily exploited to make a self-aware machine to quit a particular operation.
The relation between real and sensory data is thus: A = A ≠ A
WM1A8.10. Shock effect
The shock is a sudden impact from the outside environment or an abnormal state of internal operation that is not foreseeable. For computer systems, this is a simultaneous, sudden and uniform burden. Any part of your computer and network can be shocked and this will always cause a crash (eg DoS, DdoS).
The machine can not know about certain parts of itself that bypass the CPU and / or the Operating System. If their automation stops for any reason, this will lead to the collapse of the processes, the disintegration of the inputs, operations and output.
WM1A8.12. Compliance constraint
This is the case when user programs / applications running on the computer are demanding resources from the operating system and CPU so much that each process / thread can only be processed very slowly. The CPU load is greatly increased, while overall, no user program can deliver outstanding performance at the same time. Replacing by analogy: the system takes up too many features that require too much resources, so it can only perform slow operations (with a fraction of the normal speed).
WMA8.13. Physiological overload
The needs of the internal system processes of the computer are not satisfied, but the operating system or the user programs can not or do not know about it because of lack of monitoring or inability to do so (because they do not have a core monitoring subroutine). It could lead to overheating and consequently to double- and triple faults, which ends in a restart of the machine.
WM1A8.14. Understanding (unsupported belief / dataset disfiguration)
The computer gains sensory or I / O knowledge, incorrectly evaluates it, then stores this false (deceitful) data and compares and evaluates false data for the entire dataset as compared to all subsequent data.
WM1A8.15. Time factor / external time
The machine or program externally measures something that can be modified without knowing the system (for example, changing the CMOS clock and date to circumvent the time limit of a try-out software). This way it is not only possible to alter internal processes within a machine, but also to force a network to deny access for a machine because of its corrupted settings (like a ‘date not passed’ check).
WM1A8.16. Start and stop sequence (power on / off sequence)
Only when the machine is powered up and the startup sequence is successful create the conditions for a machine to operate. When the system is switched off, the shutdown sequence must ensure the system can be restarted. If the power off sequence is incorrect or an error occurs, the system can not turn on (restart) without error correction – or at all.
WM1A9. Kernel elements (analogous to brainstem – spinal cord)
WM1A9.1. BIOS (firmware interface)
Kernel-level program execution and device management for motherboard options are implemented through the BIOS. The BIOS is flashable in most cases and is vulnerable. In some versions of the BIOS, options are restricted to make a particular higher level program (eg. Operating System) exclusive (eg EFI / UEFI).
However, because of the legacy building principles, these firmware programs also include legacy support for BIOS services, so they remain vulnerable at the kernel level.
WM1A9.2. Low level DOS access (shell / terminal access)
The startup sequence of each computer and all I / O operations are performed with low level instructions that serve higher level programs. However, the computer is directly accessible and programmable with low level instructions (external bootstrap loader, reverse shell, etc.). If this low level relationship arises, all higher level programs are completely circumvented. Acquiring a reverse shell on a target machine is almost always the goal of the attackers, because it allows complete control over the targeted system.
WM1A10. Device managers
The device manager can operate all connected devices by installing standard drivers. These device managers can be exchanged and can be used to exploit any vulnerability of said peripherals / organs because they are could not scanned heuristically by softwares of any level. Drivers and .CAB and .INF files can be recognized, decoded and rebuilt to contain malicious code.
WM1A11. Operating System
The Operating System is able to communicate via a machine code, so trough any Operating System it is possible to perform I / O operations directly to the peripherals of the computers and to program the programmable elements. This means that by infecting an Operating System a complete control could be established over any machine.
WM1A11.1. Boot options / selector
Almost all motherboards can selectively boot operating systems, so BIOS decides which operating system to boot. This can not be controlled by the operating system before it is loaded, so it is possible to circumvent and / or replace the Operating System if a physical access or a Wake-on-LAN connection could be established to the said machine.
WM1A11.2. Resident programs
The Operating System includes for each type of operation (user task) a resident and several programs called / loaded only if needed. However, the resident program can not continue to work if it is unable to pass the workflowto a necessary external program. It means that if a necessary non-resident program could be damaged / altered / deleted the Operating System will fail.
Those parts / subroutines that are used by several programs are stored in the external dynamic-link library files of the Operating System, which are always writable because they need to be changed continuously. Because they are writable, however, they are vulnerable too. (.DLL, .DRV, .OCX) The dynamic-link library is a MS Windows concept, but modular computing and coupling GUIs with APIs, etc. made the approach similar in all OS realms.
The registry contains all the settings of the Operating System programs that the Operating System needs to know. It contains two types of data: key and variable. Any value can be entered in the registry and everything can be changed. Thus those programs that are sensitive of the loss / alteration of their recorded settings becoming vulnerable.
WM1A11.5. Internal deviation
The Operating System updates and service packs only change some files, so more and more instances of different versions work together and their compatibility could not be tested because of the endless number of variations on particular machines. This leads to the occurrence of potential double / triple faults.
WM1A11.6. Three-level programming
The Operating Systems are written in at least three different levels of programming languages. These may include differences that may interfere with the resource management of the machine. Three levels require three different interpreter programs (assemblers), which are not necessarily fully compatible. An example of the three levels: Java SDK (.NET) ⇒ Common Intermediate Language v. C ⇒ Assembly.
WM1A12. Logical necessities
WM1A12.1. Routines and subroutines
Any program contains a number of routines and repetitive subroutines, each of which makes the whole program vulnerable if coded faulty.
WM1A12.2. Memory resident programs
Resident programs can change while running in the memory without any changes in their stored version – and could not be detected by other programs (such as an operating system, anti-virus). This makes memory resident malicious programs a prime vehicle to deliver payloads into the targeted systems.
WM1A12.3. User preferences
User programs are storing the settings made by the user in user initialization files (eg. preferences). Because user programs do not have the task of protecting the file system, they have never been encrypted. This means that it is very easy to change the settings in such a way to cause faults in a system (like changing memory usage limits, write permissions, etc.)
WM1A12.4. Session storage in files
User programs save the partial or end result of their use into files in a given format and then load them in the same session as soon as possible. By modifying the files, however, the user program’s behaviour can be modified.
WM1A12.5. Nonheuristic operation
While user programs are running in machine code, they can not be restored to the original code neither by the Operating System, nor an anti-virus program, so they can be heuristically checked only in their pre-input, default versions. There is no way to control their malicious activity with data, without obtaining their specific input data separately.
WM1A12.6. I / O privileges
User programs can only work with full write / read privileges. If their access to the memory or a data storage device is limited or becomes non-operative, their operation crashes.
WM1A12.7. User rights
Permissions only classify the user, not the program that requests or manages the privilege. Thus, if a user program does not know whether a password is required it will run without asjking for one. However, without user authentication, it can not perform any operations in the Operating System and therefore crashes. This was a widely exploited way to break codes for more than two decades and it still is – because it is the basis of cracking program protections.
The password has to be stored and has two holders who do not know each other or influence each other’s activities (eg. server’s operator and user). Thus, data leakage from either party affects both parties, but one party will be aware of it only if it is informed by the other party.
WM1A12.9. File sharing
A file created by a user program is used by several other programs and several other computers over the network. This means that a single well-circulated non-executable file (such as a document in a widely used format) could infect many machines within a wide network in a short timeframe.
WM1A13. Open Internet
WM1A13.1. Structure browser
MW1A13.2. Network symbiosis
- The server-side softwares service the browser’s requests, but they can’t know how to prevent its running on the client-side.
- The browser can only communicate trough the Operating System’s networking framework, and can not circumvent it.
This means that custom attack vectors could be tailored, where trough the browser either the Operating System or the server is actually targeted.
WM1A13.3. Base communication
Communication is not or not necessarily encrypted between all components of an everyday network. (eg. tower <-> mobile phone, computer <-> wifi) Also, because of the wide availability of WiFi routers with outdated and very easily circumvented encryption schemes (like the default WPA2 encryption), the easiest way to hack into a small network is oftentimes trough the base communication (that is between the two machines, like the ISP’s routers, etc.).
WM1A13.4. Distribution of incoming data
The full network (~ Internet) communication arrives to the standard network card, and then it goes unencrypted to the CPU and then to the user program (Operating System, etc.). This makes it possible to tap the unencrypted flow of data between the network card(s) and the CPU.
WM1A13.5. Man-in-the-middle attacks
The first connection point (eg tower, router, modem) can be attacked or interchanged. The machine can not detect it, so communication can be attacked (eg stinger, line-tracing).
In an intrusion attack, communication between the two parties is compromised by an attacker by diverting the communication channel (typically a computer network) of both parties to itself. Thus, the two parties believe that they are talking to each other, while in reality both are in contact with the attacker, so that they can play off the challenge / response protocols that are not prepared for such an attack by simply forwarding the challenge to the other party and sending back the response.
WM1A13.6. Firewall Network Exposure
Any HW or SW firewall can only perform its tasks if it is able to access the network itself. They can also be upgraded only when the network is available. Therefore cutting off the network’s data stream from the firewall essentially makes it useless.
WM1A13.7. Trust principle
The firewall and / or antivirus software can only detect the sources of danger that the manufacturer has made aware of. Here the trust principle appears, ie the user must accept that the manufacturer does not deliberately allow the existence of the back doors in the user’s system.
WM1A13.8. Same-origin policy
In principle, all the elements of a web site come from the same storage space, but in practice, because of the advertisements, plugins, statistics counters, etc. this principle does not apply. User agent origin determination is done by the IETF RFC 6454 standard, an almost decade-old ruleset.
An example of how the same-origin policy is implemented from the Wikipedia:
|http://www.example.com/dir/page2.html||Success||Same protocol, host and port|
|http://www.example.com/dir2/other.html||Success||Same protocol, host and port|
|http://username:firstname.lastname@example.org/dir2/other.html||Success||Same protocol, host and port|
|http://www.example.com:81/dir/other.html||Failure||Same protocol and host but different port|
|http://example.com/dir/other.html||Failure||Different host (exact match required)|
|http://v2.www.example.com/dir/other.html||Failure||Different host (exact match required)|
|http://www.example.com:80/dir/other.html||Depends||Port explicit. Depends on implementation in browser.|
MW1A13.9. HTTP headers
All the information in the header of each web page (all .html files) is interpreted by the browser without the possibility of asking and refusing. This allows the spread of malicious code parts encoded in metadata, even as simply as by overloading (like a few hundred Megabytes of ‘meta tags’).
MW1A13.10. Network application protocols (sign languages , html, php)
Network application protocols provide the computer with macro commands that they execute according to their own system – and by calling their own available programs. This is done without asking and refusing. The server-side of the sign languages (eg Apache, php, php5) may also be appropriate from the target machine’s command on the server’s command that the server can not refuse if its default settings do not contradict (httpd.conf, .htaccess, and php.ini files ).
MW1A13.11. Cascading Style Sheets (CSS)
For easier access to webpages and faster page views, environmental variables for all pages of a site are compressed into style sheets. These files (.xhtml, .css) are always readable and, if they are writable, they can make the server attackable through all the files on the site.
MW1A13.12. Document Object Model (DOM)
The DOM treats all pages as a tree structure wherein each node is an object representing a part of the document. The browser therefore treats all documents (such as images, video, spreadsheets, etc.) as an embedded object and loads them individually. Therefore, if an unknown document type or a vulnerable code snippet is invoked, displaying embedded documents will result in a malicious code running.
MW1A13.13. Geolocation and other identifiers
The browser sends all default settings to the remote server, so it shares important information with unknown actors such as screen resolution, Operating System specs, geographic location, language settings, physical data and name of the computer, user name in the Operating System, etc. This means that any server that is servicing the browsers that are visiting a site is actually gathers a trove of individual information.
MW1A13.14. Safe browser runtime environment (sandbox)
The browser launches all programs to run in a secure runtime environment, separate from other sessions. However, the browser itself can be programmed from any session so it can be avoided.
MW1A14. Acquiring access via open Internet
MW1A14.1. Cross-Site Scripting (XSS)
The web site can be embedded with macro elements that make the user to provide key data for parties other than its intentions – without being aware of it (eg, bank access data).
MW1A14.2. Meet-in-the-middle attacks
Meet-in-the-middle is a cryptographic attack where encryption with the composition of a two-function known as open and encrypted text is encrypted by storing texts encrypted by the first text of the open text and decoding the encoded text by a second function. If it was matched, it was possible to crack the encryption.
MW1A14.3. Malicious software – web applications infected with malicious code
Web applications infected with malicious code are trying to disguise their intentions in front of the user and system security HW and SW devices. Its purpose is however to perform activity on the computer for the benefit of the maker of the malicious code. (such as viruses, worms, spyware, ransomware, aggressive adware, and an invisibly hacking rootkit).
MW1A14.4. Ad Network
Ad networks are an aggregate of promotional programs and the advertising data they display that, with or without the knowledge of the user, not only display advertisements on a computer monitor, but keep up-to-date communication channels with one or more unknown sites. These networks are powered by highly optimized programs that try to provide the most advertising features without the slightest downtime (eg adware, SEO tools, etc.). Because of the financial feasibility of this sector, most novel programming methods are first tried out in this realm (sometimes even before it enters governmental arsenals).
Psychological manipulation / social engineering is a non-IT attack aimed at users of a particular system. It is intended to gather data or system knowledge about the features of the system to collect enough information to enter into the particular system. This can be done through personal, telephone networking activities, etc. but mainly it is in the domain of professional HUMINT assets.
WM1A14.6. Hijacking the communication channel
By modifying any part of the interconnected elements of standard network communication, the communication channel between the two computers can be changed. For example, XMLHTTP request rules, CORS, WebSocket, Messager IRC, DNS channel.
WM1A14.7. Advanced Persistent Threat
The well-fed professionals, who are backed by governments can deploy complex and sophisticated tools that can only be experimented with extraordinary effort. These attackers are looking for solutions that logically overcome protection methods.
WM1A15. Direct attack of users
WM1A15.1. Acquiring user input
User activities that are entered into the browser or in other user programs running at the same time, and activity on the clipboard content. These could be potentially accessed from any other (intentionally or non-intetionally) running program.
- Frame keylog function,
- Keyboard input events,
- Mouse events,
- Visible and invisible parts of forms (autofill),
- use of signed Java scripts in an inappropriate order.
MW1A15.2. Authentication bypass
Identification can be avoided in cases where the authentication is recorded in any file or memory segment, so if there is no need to repeat the authentication for each operation. In these cases, the identity of the server and / or the client could be spoofed by the fact that the file or memory segment is falsified.
- Non-cookie session tracking,
- Circumvention of anonymous (eg TOR) services by direct requests,
- Password manager attack,
- Internet (non-internet-of-things) camera and microphone programming.
By re-using the session ID and the cookies containing it and reusing it within the time span, the server believes that a particular client is identical to a previously-correctly identified client and thus provides data to it.
MW1A15.4. HTTPS bundle to HTTP
Transforming an encrypted HTTPS connection onto a non-encrypted HTTP connection that the two computers on both sides of the communication channel believe that they have requested the other. This usually works by accepting a .htaccess or httpd.conf file by using a temporary mirroring of a particular storage that contains downgrade instructions. These can be written in the Apache Directives version of Perl Compatible Regular Expressions (PCRE) and executed without a question or rejection by both the server and the client.
MW1A15.5. Attacking certificates
Direct attacks against the TLS / SSL encryption system of Internet communication are aimed at uncovering encryption.
- Renegotiation attack,
- Downgrade attacks: eg. FREAK, Logjam,
- Cross-protocol attack: eg. Drown
- BEAST attack,
- CRIME and BREACH attacks,
- POODLE attack,
- RC4 attack,
- Code truncation,
- Unholy PAC attack,
- Sweet32 attack,
- Professional tools eg. Heartbleed bug, BERserk attack, Cloudflare bug.
MW1A16. Attacking plug-ins, add-ins and extensions
There are three ways to make browsers up to date: extensions, add-ins, and plug-ins. Because they are able to run in a stand-alone way, they can be attacked separately. Typically, plug-ins for click-to-play, Java controllers, Flash, ActiveX controllers, PDF readers, and media formats (html5, mp3, etc.) have many vulnerabilities.
MW1A17. Internet fraud
MW1A17.1. Password-fishing (phishing)
This attack vector makes the user believe that they enter their password at a known location, that is deceptively appear to be the location visited, but the information they enter is placed in the hands of the attacker.
MW1A17.2. Targeted password fishing (spear phishing)
By collecting some of the data of the attacked person using specific personal information available openly, the attacker convince others to provide data (like providing new login password for one’s boss) to the impersonated target. Typically, it is directed against key members of organizations.
MW1A17.3. Deceptive sites
The visited site is similar to the desired web site, but it is hosted by an attacker with the aim of obtaining access information for the users who provide data there.
MW1A18. Technical logic
Advanced Persistence Threat (APT) is always targeted against a specific target. The method is that by knowing the technical logic of some elements of the system, physical damage (eg stuxnet) is caused by a parameter change that causes technical vulnerability. The technical logic also includes tools (eg fuzzer, metasploit, BEEF) that are testing all existing vulnerabilities on a given system.
MW1A19. Source code
Knowing the original source code (eg open source or raw code obtained from the manufacturer) or the translation of the code makes it possible to identify the errors (eg WordPress, phpBB, etc.) and the vulnerabilites necessary to break a system.
MW1A20. Human factor
Human error may arise from programming errors, malicious programmer leaks, deliberate confidential communications from an employee with insider knowledge, co-operation with an attacker, etc. These vulnerabilities are of an IT nature, but their handling and many times their recognition are human tasks.
Applications with huge user base (eg Facebook, eBay, Amazon, etc.) are served and operated by bundled computers (servers). However, there are limited possibilities to handle clusters, since such target software is limited and most of these are at least partly known (eg, Apache HADOOP).
Part 2 – (MW2) Weaknesses of the Artifical Intelligence
MW2A1 The reproducibility problem
AI’s reproducibility problem, in which researchers can’t replicate each other’s results because of inconsistent experimental and publication practices and competing formats and programming languages. Researchers often can’t replicate their own results – and virtually no one else can, either. It means that the AI is an unpredictable decision maker, yet more and more decisions are relegated to its domain.
MW2A2 The interpretability problem (a.k.a. the “black box” problem)
The difficulty of explaining how a particular AI has come to its conclusions is such that it nearly or completely impossible. The AI networks of connected hardware and the accompanying layers of softwares are too complex for humans to comprehend its exact decisions. Amazing AI models are being built every day, but we don’t quite understand them. And every day, this gap is going to get a bit larger. It means that we have less and less understanding of how AI operates and how could human operators possibly control it.
MW2A3 Inordinate research into AI
The hype surrounding the AI, that is streaming from the media made many emerging computer users to become computer scientists fortnight. The numerous repositories, softwares, dataset dumps, machine learning APIs, etc. made this field an unregulated mess of trial-and-error researches. Companies rush to include some kind of an AI in their products, no matter how faulty these are. Thus there is no clear vision of how things are progressing in the AI development field yet. And no standards has been set. And because literally hundreds of thousands are building their carreers on this irregular scientific-looking field, and many of them are hailing from the Third World, they will not let a few companies to dictate what and how can be done – without putting up a fight. And also it doesn’t help that all the serious researches are made secret – obviously because they are either military or intelligence related.