Tag: security

Egyptians cloned Google security certificate

Search engine Google is furious that an Egyptian networking company managed to clone its security certificate.

According to Google’s blog, the search engine became aware of unauthorised digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. MCS is a value-added distributor focusing on networking and automation businesses, based near Cairo.

This intermediate certificate was issued by CNNIC.

CNNIC is included in all major root stores, which means that the misused certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misused certificates for other sites likely exist.

Google got on the blower to CNNIC and the other major browser makers about the incident, and blocked the MCS Holdings certificate in Chrome with a CRLSet push.

CNNIC said that it had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that it had registered. But MCS installed the certificate in a man-in-the-middle proxy, which meant it could intercept secure connections by masquerading as the intended destination.
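How the two defences in this story fit together, as an added example (not Google’s or Chrome’s code): a constructed toy PKI in which the MCS chain passes root-store validation because the CNNIC root is trusted, fails public-key pinning because no pinned key appears in the chain, and is blocked for everyone once a CRLSet entry for the MCS intermediate is pushed. Certificate names and SPKI bytes are made up, and signatures are not modelled.

```python
import base64
import hashlib
from dataclasses import dataclass

# Illustration only, not Chrome's code. Certificates are plain records and
# the "spki" bytes are constructed stand-ins for the DER SubjectPublicKeyInfo
# that real pins and CRLSet entries are keyed on; signatures are not modelled.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes
    serial: int

def spki_pin(cert):
    """Pin value = base64(SHA-256(SubjectPublicKeyInfo)), as HPKP/Chrome use."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()

def chain_is_trusted(chain, roots):
    """Root-store check: each cert names the next as issuer, last is a root."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1] in roots

def chain_passes_pins(chain, pins):
    """Key pinning: some certificate in the chain must carry a pinned SPKI."""
    return any(spki_pin(c) in pins for c in chain)

def chain_is_blocked(chain, crlset):
    """CRLSet model: a set of (issuer SPKI hash, serial) pairs pushed by Google."""
    by_subject = {c.subject: c for c in chain}
    for c in chain:
        issuer = by_subject.get(c.issuer)
        if issuer is not None and (spki_pin(issuer), c.serial) in crlset:
            return True
    return False

def verdict(chain, roots, pins=None, crlset=frozenset()):
    """pins=None models a browser without key pinning for this host."""
    if not chain_is_trusted(chain, roots):
        return "untrusted"
    if chain_is_blocked(chain, crlset):
        return "revoked"
    if pins is not None and not chain_passes_pins(chain, pins):
        return "pin-failure"
    return "ok"

# Constructed sample PKI: no real keys, names only mirror the story.
ROOT_A = Cert("Root A", "Root A", b"spki-root-a", 1)
CNNIC_ROOT = Cert("CNNIC Root", "CNNIC Root", b"spki-cnnic-root", 2)
ROOTS = frozenset({ROOT_A, CNNIC_ROOT})          # both in the root store

GOOGLE_INT = Cert("Google Intermediate", "Root A", b"spki-google-int", 10)
LEGIT_LEAF = Cert("www.google.com", "Google Intermediate", b"spki-leaf-1", 11)
LEGIT_CHAIN = [LEGIT_LEAF, GOOGLE_INT, ROOT_A]

MCS_INT = Cert("MCS Holdings", "CNNIC Root", b"spki-mcs-int", 20)
FORGED_LEAF = Cert("www.google.com", "MCS Holdings", b"spki-leaf-2", 21)
FORGED_CHAIN = [FORGED_LEAF, MCS_INT, CNNIC_ROOT]

# Pins a browser ships for google.com: the site's intermediate and its root.
GOOGLE_PINS = frozenset({spki_pin(GOOGLE_INT), spki_pin(ROOT_A)})
# CRLSet entry pushed after the incident: the MCS intermediate, keyed by the
# SPKI hash of its issuer (the CNNIC root) and its serial number.
CRLSET_AFTER = frozenset({(spki_pin(CNNIC_ROOT), MCS_INT.serial)})
```

The telling result is `verdict(FORGED_CHAIN, ROOTS)` returning "ok": a client that relies on the root store alone accepts the mis-issued chain, which is why the CRLSet push matters for users of browsers without pins.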

Effectively, this let it use the certificate for customers who wanted to monitor their staff’s use of the world wide wibble.

“However CNNIC delegated its substantial authority to an organization that was not fit to hold it,” growled Google.

“Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of abuse and we are not suggesting that people change passwords or take other action. At this time we are considering what further actions are appropriate,” Google added.

UK teams up with Israel over security

Francis Maude, the Cabinet Office minister responsible for cyber security, said that the UK and Israel have established three collaboration ventures that will get government funding for cyber security.

The governments will contribute £1.2 million of funding to create a bilateral cyber research programme, he said.

The University of Bristol and University College London will team up with Bar Ilan University, while the University of Kent will tie up with the Israeli Ministry of Science and Technology.

The groups will work on six topics: identity management; governance; privacy assurance; mobile and cloud security; human aspects of security; and cryptography.

Maude said he wants the UK to be one of the safest places to do business online. “Cyber security is a shared global threat and I’m pleased that we are deepening our research relationship.”

The UK is a founding member of a global network called D5, whose other founding members include South Korea, Estonia, Israel and New Zealand.


IBM sounds alarm over mobile app security

The Ponemon Institute and IBM have jointly released a report which they said displays “the alarming state” of mobile insecurity.

According to the research, 40 percent of large companies – including many in the Fortune 500 – aren’t protecting the mobile apps they build.

And they are not good at protecting their BYOD (bring your own device) gizmos against cyber attack. That leaves the gates to their corporate treasure chest effectively open.

The survey looked at security practices in over 400 large enterprises and claims that the average company doesn’t test half of the mobile apps it builds. What’s even worse is that 50 percent of these enterprises don’t devote any budget whatever to mobile security.

IBM and the Ponemon Institute estimate that malicious code is infecting over 11.6 million mobile devices.

The organisations surveyed spend an average of $34 million a year on mobile app development, with only 5.5 percent spending part of the budget on security.

“End user convenience is trumping end user security and privacy,” IBM said.


Opera buys privacy company

Opera Software has bought a Canadian company called SurfEasy for an undisclosed amount.

SurfEasy has a VPN (virtual private network) system aimed at securing smartphones, tablets and PCs, Opera said.

A VPN adds an extra level of net security, filtering traffic between the web and devices.

Opera said that over 90 percent of US net users are now worried about their online privacy and want to protect themselves when they’re online.

Opera, which has 350 million users worldwide, said that privacy and security have always been its top priority.

The CEO of Opera, Lars Boilesen, said more and more people are looking for security on phones and other devices.

It said Opera will collaborate with the SurfEasy team to create joint products, using the Opera browser as the foundation for the collaboration.


Apple gatekeeper security broken

Former NSA and NASA staffer Patrick Wardle, who heads up research at security start-up Synack, has found a way to bypass protections in Apple Macs without getting caught.

Download files, known as .dmg files, for products including Kaspersky, Symantec, Avast, Avira, Intego, BitDefender, Trend Micro, ESET and F-Secure are all sent over unencrypted HTTP, rather than the more secure HTTPS. For some reason the vendors trust Apple’s Gatekeeper security technology to recognise the digital signatures they sign them with.

Anyone who intercepts a download to corrupt it won’t get away with it, as Gatekeeper will see that the vendor’s original signature has been broken and reject the file.

But Wardle noticed that Apple’s Gatekeeper software doesn’t check all components of Mac OS X download files. This makes it possible to sneak a malicious version of what’s known as a ‘dylib’ (dynamic library) file into legitimate downloads done over HTTP, to infect Macs and start stealing data.

Dylibs are designed to be re-used by different applications; they might be used for actions such as compressing a file or using the graphics capabilities of the operating system. If an attacker can “hijack” the dylib processes used by Mac apps, however, they can carry out nasty attacks and send user data to their own servers, the researcher explained.

It is not that easy to pull off. The attacker would have to get on the same network as a target, either by breaching it or simply logging on to the same public Wi-Fi.

They would also have to inject a legitimate yet vulnerable application into the download and shuffle around the content of the .dmg so that the injected legitimate software is shown to the user.

At the upcoming CanSecWest conference in Vancouver, he will be explaining 101 things you can do with an evil dylib, including discovering which Coldplay or U2 single the Mac owner is listening to.

Wardle reverse engineered the iCloud protocol and set up a command and control server on a secondary malicious iCloud account, meaning the connection he used to “steal” from his own PC would also be trusted.

You would think that Jobs’ Mob would be worried about it all, but apparently Wardle said they did not really care.

He said that they didn’t seem to understand the full ramifications of it. It would mean that Apple would have to re-architect OS X and expand Gatekeeper’s capabilities to fully address the issues raised by his new class of attack.

Wardle was miffed that the security companies were placing users at risk with unprotected downloads of their software installers and failing to protect against more advanced attacks like his own.


A billion people get their data leaked

A report from IBM’s security division estimates that in 2014 “at least” a billion records of people across the world were leaked.

That’s about one in seven of this planet’s humanoid population.

IBM’s X-Force quarterly report relays information about over 9,000 security “vulnerabilities” affecting over 2,600 vendors in 2014. That’s an increase of 9.8 percent compared to 2013, and Big Blue said it’s the highest single-year total in the 18 years it has been tracking such things.

The USA suffered the most: at 74.5 percent, its share was far higher than that of other territories. IBM said that 40.2 percent of the most common attacks were not described by those surveyed, but malware and DDoS accounted for as much as 17.2 percent each.

IBM said that there was a big rise in so-called designer vulnerabilities.

All operating systems seemed to be under attack, including Windows, Mac OS X and Linux.

One key disclosure came in October, when a researcher showed there are thousands of security problems in Android apps.


Qualcomm gives fingers for ultra-security

Qualcomm has announced details of its Ultrasonic Fingerprint Reader, which is part of its new Snapdragon processor.

The idea is that the tech can be used by smartphone ODMs and OEMs to provide ultra-security for their phones.

Qualcomm’s tech uses ultrasonic waves to scan all of the ridges and wrinkles of your fingers. This means that it can do a deeper analysis than the 2D image created by a fingerprint mashed up against a capacitive sensor.

It can also penetrate beneath the surface of your skin to identify unique 3D characteristics of your print.

Ultrasonic waves can go through the glass, aluminium, steel and plastic housings of any phone, so the sensor doesn’t need a dedicated touch pad or button to work. You could conceivably touch any part of the smartphone with a finger to gain access to the phone itself.

While many might see the technology as a stab in the eye for Apple, which uses the old style of fingerprint technology, Qualcomm’s major competitor is MediaTek, whose processors and related technology are used in millions of phones, especially in China and other areas where low-cost smartphones are selling well.

Qualcomm’s new ultrasonic fingerprint reader means it has a weapon to counter MediaTek.

The thought is that this could win Qualcomm a lot of business.


US advances cyber threat bill

A move that would allow the US government to share cyber information with private companies has been given the nod by a key committee.

The US Senate Intelligence Committee voted 14-1 on Thursday to approve a bill intended to enhance information sharing between private companies and intelligence agencies about cybersecurity threats.

The Bill will now go to the full Senate, where it is expected to get full backing. After all, many private companies would like all that data that the US intelligence services collect, and are quite happy to pay their tame Senators to change the law to get it.

Privacy advocates opposed the bill, worrying that it would do too little to prevent more data collection by the National Security Agency and other US intelligence agencies.

Privacy concerns were cited by the only member of the committee who voted against the bill, Democratic Senator Ron Wyden of Oregon who saw it as another surveillance bill.

In practice the law is aimed at preventing major cyber attacks and co-ordinating companies and government departments better. Microsoft, Lockheed Martin and Morgan Stanley had pushed for such a threat-sharing bill.


Car industry can’t do computer security

While every tech company and its dog is trying to slam its technology into cars, it is starting to look like the automotive industry can’t cope with the need for security.

A Dallas law firm has filed a lawsuit against three major automakers claiming they have failed to take basic measures to secure their vehicles from hackers.

The lawsuit, filed in the US District Court for the Northern District of California by attorney Marc Stanley, is on behalf of three vehicle owners and “all others similarly situated”. It alleges that the cars are open to hackers who can take control of basic functions and endanger the safety of the driver and passengers.

“Toyota, Ford and GM have deliberately hidden the dangers associated with car computer systems, misleading consumers,” Stanley said in a statement.

But the case is bringing to light problems which may bedevil the car industry in the future. After all, if they are having problems with the security of cars now, how are they going to manage when self-driving vehicles are in charge?

Modern cars and light trucks contain fewer than 50 separate electronic control units (ECUs) — small computers connected through a controller area network (CAN) or another network such as Local Interconnect Network (LIN) or FlexRay.

New high-tech cars will contain shedloads of them, and if hacked could be driven by the attackers into walls or other cars.

The court case claims that the car companies are also habitually secretive about these sorts of problems, something that does not bode well if you are sitting in the back of a self-driving taxi.

“Disturbingly, as defendants have known, their CAN bus-equipped vehicles for years have been (and currently are) susceptible to hacking, and their ECUs cannot detect and stop hacker attacks on the CAN buses. For this reason, defendants’ vehicles are not secure, and are therefore not safe,” the lawsuit states.

Last year, at the Black Hat security conference in Las Vegas, two industry experts released a 92-page report revealing “the 20 most hackable cars.”

DARPA reported that the defect represents a “real threat to the physical well-being of drivers and passengers.” Before releasing its study, DARPA shared its finding with car manufacturers so they could address the vulnerabilities, “but they did nothing,” the lawsuit states.

Tor wants government freedom

Security outfit Tor has said it wants to wean itself off US government cash.

In 2013, Tor received more than $1.8 million from the US government, about 75 percent of its $2.4 million in total annual expenses, according to its latest publicly available tax returns.

While Tor is grateful for the cash, it is worried that conspiracy theorists claim that the US spooks have the system wired up to be a honeypot.

The premise is that Tor is meant to keep you anonymous on the Internet, but it is funded in large part by the US government, which does not want you to be anonymous. So it must be a way for the government to locate those who want to be anonymous and track them down.

Technically this is tricky, but it is probably better for Tor if it were free of government involvement, particularly when that government has been seen as a big fan of snooping.

Developers recently discussed the push to diversify funding at Tor’s biannual meeting in Spain, including setting a goal of 50 percent non-U.S. government funding by 2016.

Tor developers at the meeting also brought up the possibility of lobbying foreign governments within, for instance, the European Union.

However, increasing non-governmental funding is a major priority. Individual donations rose significantly in the last year and Tor plans on soliciting them much more aggressively in 2015. Every new download of Tor—there were 120 million in 2014—will be asked to donate to the project, a change expected to take place in the near future.

Tor is launching a crowdfunding campaign in May of this year.

Lenovo installed malware on laptops

A security firm has made the alarming assertion that Lenovo pre-installed software on notebooks it sells that makes them more likely to be hacked.

The program, called Superfish, which Lenovo installed on computers intended for home use, is software that auto-displays adverts.

And according to Reuters, Errata Security, an American company, said Superfish opens up encrypted connections, letting hackers take over PCs.

Lenovo officials are on holiday for the Chinese New Year and so far have not responded to the allegations.

However, Ken Westin, a senior security analyst at Tripwire had plenty to say on the matter.

“With increasingly security and privacy conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising based monetisation strategies,” he said.

“If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers’ trust, but also put them at increased risk,” he added.


Lockheed Martin jets into cyber security

US defence contractor Lockheed Martin sees cyber security as its number one growth area over the next three to five years.

Although it is better known for its jet aircraft, Lockheed Martin is the main provider of IT technology to the US government, and it said it expects double-digit growth in its overall cyber security business over the next three to five years.

Lockheed said it was making strong inroads in the commercial market by using its experience and intelligence gathered while guarding its own networks and those of government agencies.

Chief Executive Officer Marillyn Hewson said Lockheed was providing cyber security services for more than 200 customers around the world in the energy, oil and gas, chemical, financial services and pharmaceuticals businesses.

Hewson told the company’s annual media day that Lockheed had faced 50 “coordinated, sophisticated campaign” attacks by hackers in 2014 alone, and she expected those threats to continue growing.

Lockheed now represents a large number of companies on the Fortune 500 list, including 79 percent of utilities, 35 percent of oil and gas companies, 46 percent of chemical firms, and 46 percent of financial firms.

It has been helped by the fact that other weapons makers, including Boeing and Harris, have largely exited the cyber security business after finding it difficult to generate any real cash.

Obama blows hot and cold on encryption

While his security spooks are complaining that company moves to use strong encryption are making their life difficult, President Barack Obama said he likes the technology, except when he doesn’t.

Talking to Recode, Obama appeared to have jumped onto the side of the big tech corporations against the NSA. When asked if American citizens should be entitled to control their data, just as the president controls his own private conversations through encrypted email, he said yes.

Obama replied that he’s “a strong believer in strong encryption … I lean probably further on the side of strong encryption than some in law enforcement.” He maintained that he is as firm on the topic as he ever has been.

However, the matter, Obama claimed, was hypothetical. If the FBI had a good case against someone involved in a terrorist plot and wanted to know who that person was communicating with, traditionally it could get a court order for a wiretap. Today, a company might tell the FBI that it can’t technically comply.

He warned that the first time an attack takes place in which it turns out there was a lead that couldn’t be followed up because the data was encrypted, the public is going to demand answers.

“Ultimately everybody, and certainly this is true for me and my family, we all want to know that if we’re using a smartphone for transactions, sending messages, having private conversations, that we don’t have a bunch of people compromising that process. There’s no scenario in which we don’t want really strong encryption,” he said.

So, in other words, everyone should have strong encryption which should turn itself off when the security services want to have a look at it.

Dutch government hit in cyber barrage

Websites run by the Dutch government were downed yesterday morning after a cyber attack.

The outages affected many of the government’s web sites and lasted for over seven hours.

And the cyber attackers, whoever they are, also used a distributed denial of service (DDoS) attack to take down a satirical website called GeenStijl.nl.

No one has yet claimed responsibility for the attack.

According to Reuters, phone systems and emergency channels stayed online.

The government information service said it is investigating the attack along with the Dutch National Cyber Security Centre.

The attackers targeted the hosting company that serves the government sites, Prolocation.

Dating applications expose businesses

Big Blue is warning that millions of people using dating apps on company smartphones could be exposing their employers to hacking, spying and theft.

IBM security researchers said 26 of the 41 dating apps they analysed on Google’s Android mobile platform had medium or high severity vulnerabilities. Curiously, the IBM team did not look at dating applications on Apple gear, probably because the company signed a deal to push Apple gear in the workplace.

Unfortunately IBM did not name and shame the vulnerable apps but said it had alerted the app publishers to problems.

Apparently Tinder, OkCupid and Match have become hugely popular in the past few years due to their instant messaging, photo and geolocation services. In 2013 it was estimated that 31 million Americans have used a dating site or app.

IBM found employees used vulnerable dating apps in nearly 50 percent of the companies sampled for its research. Using the same phone for work and play, or “bring your own device”, leaves companies wide open to such attack vectors.

An IBM report said that while BYOD was seen as a way for companies to save cash by allowing employees to use their home gear on corporate networks, if it is not managed properly, organisations might be leaking sensitive corporate data via employee-owned devices.

IBM said the problem is that people on dating apps let their guard down and are not as sensitive to potential security problems as they might be on email or websites.

If an app is compromised, hackers can take advantage of users waiting eagerly to hear back from a potential love interest by sending bogus “phishing” messages to glean sensitive information or install malware, IBM said.

A phone’s camera or microphone could be turned on remotely through a vulnerable app, which IBM warned could be used to eavesdrop on personal conversations or confidential business meetings. Vulnerable GPS data could also lead to stalking, and a user’s billing information could be hacked to purchase things on other apps or websites.

Strangely, despite its dire warnings to Android users, IBM said it had not so far seen a rash of security breaches due to dating apps as opposed to any other kind of social media.

Meanwhile, it recommends that dating app users limit the personal information they divulge, use unique passwords on every online account, apply the latest software patches and keep track of what permissions each app has.