Tag: security

Trend says that destructive hacking on the rise

1858_4_CourseOfEmpire_Destruction_ColeHacking attacks which are designed to destroy a company, rather than just steal information, are on the rise.

A poll by the Organisation of American States found that 40 percent of respondents had battled attempts to shut down their computer networks, 44 percent had dealt with bids to delete files and 54 percent had encountered “attempts to manipulate” their equipment through a control system.

Less than 60 percent of the 575 respondents said they had detected any attempts to steal data, long considered the predominant hacking goal.

The survey went to companies and agencies in crucial sectors as defined by the OAS members. Almost a third of the respondents were public entities, with communications, security and finance being the most heavily represented industries.

The questions did not delve into detail, leaving the amount of typical losses from breaches and the motivations of suspected attackers as matters for speculation. The survey-takers were not asked whether the attempted hacks succeeded, and some attacks could have been carried off without their knowledge.

The survey did allow anonymous participants to provide a narrative of key events if they chose, although those will not be published.

The report was compiled by Trend Micro whose Chief Cyber security Officer Tom Kellermann said additional destructive or physical attacks came from political activists and organised crime.

“We are facing a clear and present danger where we have non-state actors willing to destroy things,” he said. “This is going to be the year we suffer a catastrophe in the hemisphere, and when you will see kinetic response to a threat actor.”

Destructive attacks or manipulation of equipment are infrequently revealed. That is in part because breach-disclosure laws in more than 40 states centre on the potential risks to consumers from the theft of personal information, as with hacks of retailers including Home Depot and Target.

 

RSA conference bans booth babes

Theatre_Cinderella_RAF60F5The RSA Conference next month will be missing “booth babes”.

According to a post by security expert Bill Brenner on the LiquidMatrix blog:

“All Expo staff are expected to dress in business and/or business casual attire. Exhibitors should ensure that the attire of all staff they use at their booth (whether the exhibitor’s direct employees or their contractors) be considered appropriate in a professional environment. Attire of an overly revealing or suggestive nature is not permitted.

Examples of such attire may include but are not restricted to:

  • Tops displaying excessive cleavage;
  • Tank tops, halter tops, camisole tops or tube tops;
  • Miniskirts or minidresses;
  • Shorts;
  • Lycra (or other Second-Skin) bodysuits;
  • Objectionable or offensive costumes.

The rules apply to all booth staff, regardless of gender, and will be strictly enforced. If someone attractive shows up in anything remotely skimpy they will be asked to change their attire or leave the premises immediately if organisers feel their appearance might be offensive to other exhibitors or attendees.”

Linda Gray, event manager, RSA Conferences said that the change in the language in the exhibitor contracts was the best way to ensure all exhibitors were made aware of these new guidelines.

“We thought this was an important step towards making all security professionals feel comfortable and equally respected during the show.” They have yet to receive any complaints, Gray said.

 

Biometrics come into their own

fingerprintBiometric systems, particularly in relation to smartphones, look like they’re going to boom during this year.

ABI Research, a market analysis company, said that worldwide revenues for such systems will deliver $3.1 billion this year.

The systems will be targeted not only at home users but at authentication systems for the enterprise market, according to ABI.

Algorithms linked to cloud computing are set to give better user authentication, with applications for mobile payments, bring your own device (BYOD) systems.

The research said that the leaders in the biometric pack are Apple and Samsung but there are other players who are introducing voice and face recognition into the equation.

We reported elsewhere today that Apple is rumoured to be brining out three more iPhones this year that incorporate fingerprint recognition.

Dimitrios Pavlakis, digital security research analyst at ABI, said: “Biometry is moving rapidly into the security ecosystem and its adoption by CE devices will jumpstart this phenomenon.”

 

Disconnected computers can be hacked

wargames-hackerFor years the most basic method of super security for a computer was to unplug it from the network or internet.

However a team of security experts from Ben-Gurion University of the Negev (BGU) have discovered a new method to breach air-gapped computer systems.

Dubbed “BitWhisper” the hack enables two-way communications between adjacent, unconnected PC computers using heat.

According to a paper penned by Mordechai Guri, computers and networks are air-gapped when they need to be kept highly secure and isolated from unsecured networks, such as the public Internet or an unsecured local area network. Typically, air-gapped computers are used in financial transactions, mission critical tasks or military applications.

According to the researchers, “The scenario is prevalent in many organisations where there are two computers on a single desk, one connected to the internal network and the other one connected to the Internet. BitWhisper can be used to steal small chunks of data (e.g. passwords) and for command and control.”

BGU’s BitWhisper bridges the air-gap between the two computers, approximately 15 inches (40 cm) apart that are infected with malware by using their heat emissions and built-in thermal sensors to communicate. It establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner.

By regulating the heat patterns, binary data is turned into thermal signals. In turn, the adjacent PC uses its built-in thermal sensors to measure the environmental changes. These changes are then sampled, processed, and converted into data.

“These properties enable the attacker to hack information from inside an air-gapped network, as well as transmit commands to it… Only eight signals per hour are sufficient to steal sensitive information such as passwords or secret keys. No additional hardware or software is required. Furthermore, the attacker can use BitWhisper to directly control malware actions inside the network and receive feedback.”

 

Egyptians cloned Google security certificate

amumSearch engine Google is furious that an Egyptian networking company  managed to clone its security certificate.

According to Google’s bog, the search engine became aware of unauthorised digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. MCS is a Value Added Distribution focusing on Networking and Automation businesses based near Cairo.

This intermediate certificate was issued by CNNIC.

CNNIC is included in all major root stores and it means that the misused certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misused certificates for other sites likely exist.

Google got on the blower to the CNNIC and other major browsers about the incident, and blocked the MCS Holdings certificate in Chrome with a CRLSet push.

CNNIC said that it had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. But MCS installed it in a man-in-the-middle proxy which meant they could intercept secure connections by masquerading as the intended destination.

This was so that effectively it could use the certificate for customers who wanted to monitor their staff use of the world wide wibble.

“However CNNIC delegated its substantial authority to an organization that was not fit to hold it,” growled Google.

Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of abuse and we are not suggesting that people change passwords or take other action. At this time we are considering what further actions are appropriate

UK teams up with Israel over security

Screen Shot 2015-03-24 at 14.56.43Francis Maude, minister for the Cabinet Office in matters of cyber security, said that the UK and Israel have established three collaboration ventures to get government funding for cyber security.

The governments will contribute £1.2 million of funding to create a bilateral cyber research programme, he said.

The Universities of Bristol and University College London will team up with Bar Ilan University, while the University of Kent will tie up with the Israeli Ministry of Science and Technology.

The groups will work on six topics including identity management; governance; privacy assirance; mobile and cloud security; human aspects of security; and cryptography.

Maude said he wants the UK to be one of the safest places to do business online. “Cyber security is a shared global threat and I’m pleased that we are deepening our research relationship.”

The UK is a founding member of a global network called D5 – founding members also include South Korea, Estonia, Israel and New Zealand.

 

IBM sounds alarm over mobile app security

Screen Shot 2015-03-20 at 14.39.31The Ponemon Institute and IBM have jointly released a report which they said displays “the alarming state” of mobile insecurity.

According to the research, 40 percent of large companies – including many in the Fortune 500 – aren’t protecting the mobile apps they build.

And they’re not good against protecting their BYOD (bring your own device) gizmos against cyber attack. That leaves the gates to their corporate treasure chest effectively open.

The survey looked at security practices in over 400 large enterprises and claims that the average company doesn’t test half of the mobile apps they build. And what’s even worse is that 50 percent of these enterprises don’t devote any budget whatever towards mobile security.

IBM and the Ponemon Institute estimate that malicious code infests and infects over 11.6 million mobile devices.

The organisations surveyed spend an average of $34 million a year on mobile app development, with only 5.5 percent spending part of the budget on security.

“End user convenience is trumping end user security and privacy,” IBM said.

 

Opera buys privacy company

tim-cook-securityOpera Software bought a Canadian company called SurfEasy, for an undisclosed amount.

SurfEasy has a VPN (virtual private network) system aimed at securing smartphones, tablets and PCs, Opera said.

A VPN adds an extra level of net security to filter traffic between the web nd devices.

Opera said that over 90 percent of US net users are now worried about their online privacy and want to protect themselves when they’re online.

Opera, which has 350 million users worldwide said that privacy and security has always kept that as its top priority

The CEO of Opera, Lars Boilesen, said more and more people are looking for security on phones and other devices.

The said Opera will collaborate with the SurfEasy team to create joint products, using the Opera browser as the basic foundation for the collaboration.

 

Apple gatekeeper security broken

dottedborderemmelinagnome9thmarch2014 011FORMER NSA and NASA staffer Patrick Wardle, who heads up research at security start-up Synack, he has found a way to bypass protections in Apple Macs without getting caught.

Download files, known as .dmg files, for products including Kaspersky, Symantec, Avast, Avira, Intego, BitDefender, Trend Micro, ESET and F-Secure are all sent over unencrypted HTTP lines, rather than the more secure HTTPS. For some reason they trust Apple’s Gatekeeper security technology to recognise the digital signatures they sign in.

Anyone who intercepts a download to corrupt it won’t get away with it, as the Gatekeeper will see that the vendors’ original signature has been altered and ignore it.

But Wardle noticed that the Apple Gatekeeper software doesn’t check all components of Mac OS X download files. This makes it possible to sneak a malicious version of what’s known as a ‘dylib’ (dynamic libraries) file into legitimate downloads done over HTTP to infect Macs and start stealing data.

Dylibs are designed to be re-used by different applications; they might be used for actions such as compressing a file or using graphics capabilities of the operating system.
If an attacker can “hijack” the dylib processes used by Mac apps, however, they can carry out nasty attacks and send user data to their own servers, the researcher explained.

It is not that easy to pull off. The attacker would have to get on the same network as a target, either by breaching it or simply logging on to the same public Wi-Fi.

They would also have to inject a legitimate yet vulnerable application into the download and shuffle around the content of the .dmg so that the injected legitimate software is shown to the user.

At the upcoming CanSecWest conference in Vancouver, he will be explaining 101 things you can do with an evil dylibs ajd discover which Coldplay and U2 single the Mac owners is listening to.

Wardle reverse engineered the iCloud protocol and set up a command and control server on a secondary malicious iCloud account, meaning the connection he used to “steal” from his own PC would also be trusted.

You would think that Jobs’ Mob would be worried about it all, but apparently Wardle said they did not really care.

He said that they didn’t seem to understand the full ramifications of it. It would mean that Apple would have to re-architect OS X and expand Gatekeeper’s capabilities to fully address the issues raised by his new class of attack.

Wardle was miffed that the security companies were placing users at risk with unprotected downloads of their software installers and failing to protect against more advanced attacks like his own.

 

A billion people get their data leaked

IBM logoA report from IBM’s security division estimates that in 2014 “at lease” a billion records of people across the world were leaked.

That’s about one in seven of this planet’s humanoid population.

IBM released its X-Force quarterly report and relays information about over 9,000 security “vulnerabilities” affecting over 2,600 vendors in 2014. That’s an increase of 9.8 percent compared to 2013 and Big Blue said it’s the highest single year total in the 18 years it’s been tracking such things.

The USA has suffered the most because at 74.5 percent that’s far higher than other territories. IBM said that 40.2 percent of the most common attacks didn’t get described by those surveyed but malware and DDoS accounted for as much as 17.2 percent each.

IBM said that there was a big rise in so-called designer vulnerabilities.

All operating systems seemed to be under attack – including Windows, Mac OS X and Linux.

One key vulnerability happened in October with a researcher showing there are thousands of security problems in Android apps.

 

Qualcomm gives fingers for ultra-security

Churchill-first-V-signQualcomm has announced details of its Ultrasonic Finger Print Reader which is part of its  new Snapdragon processor.

The idea is that the tech can be used by smartphone ODMs and OEMs to provide ultrasecurity for their phones.

Qualcomm’s tech uses ultrasonic waves to scan all of the ridges and wrinkles of your fingers. This means that it can do a deeper analysis than the 2D image created by a fingerprint mashed up against a capacitive sensor.

It can also penetrate beneath the surface of your skin to identify unique 3D characteristics of your print.

Ultrasonic waves can go through glass, aluminum, steel and plastic housings of any phone, they don’t need a dedicated touch pad or button to work. You could conceivably touch any part of the smartphone with a finger to gain access to the phone itself.

While many might see the technology as a stab in the eye of Apple, which uses the old style of fingerprint technology. Qualcomm’s major competitor is MediaTek, whose processors and related technology are used in millions of phones, especially in China and areas where low cost smartphones are selling well.

Qualcomm’s new Ultrasound fingerprint reader means it has a weapon to counter MediaTek.

The thought is that this could win Qualcomm a lot of business.

 

 

US advances cyber threat bill

National-Security-Agency--008A move that would allow the US government to share cyber information with private companies has been given the nod by a key committee.

The US Senate Intelligence Committee voted 14-1 on Thursday to approve a bill intended to enhance information sharing between private companies and intelligence agencies about cybersecurity threats.

The Bill will go to the Senate where it is expected to get a full backing – after all many private companies would like all that data that the US intelligence services collect and are quite happy to pay their tame Senators to change the law to get it.

Privacy advocates opposed the bill, worrying that it would do too little to prevent more data collection by the National Security Agency and other US intelligence agencies.

Privacy concerns were cited by the only member of the committee who voted against the bill, Democratic Senator Ron Wyden of Oregon who saw it as another surveillance bill.

In practice the law is targeted at preventing the major cyber attacks and co-ordinate companies and government departments better. Microsoft, Lockheed Martin and Morgan Stanley, had pushed for a such a threat-sharing bill.

 

Car industry can’t do computer security

jalopyWhile every tech company and its dog is trying to slam their technology into cars, it is starting to look like the automotive industry can’t cope with the need for security.

A Dallas law firm has filed a lawsuit against three major automakers claiming they have failed to take basic measures to secure their vehicles from hackers.

The lawsuit, filed in the US District Court for the Northern District of California by attorney Marc Stanley, is on behalf of three vehicle owners and “all others similarly situated”. It alleges that the cars are open to hackers who can take control of basic functions and endanger the safety of the driver and passengers.

“Toyota, Ford and GM have deliberately hidden the dangers associated with car computer systems, misleading consumers,” Stanley said in a statement.

But the case is bringing to light problems which may bedevil the car industry in the future. After all if they are having problems with the security on cars now, how are they going to manage when autodriven vehicles are in charge.

Modern cars and light trucks contain less than 50 separate electronic control units (ECUs) — small computers connected through a controller area network (CAN) or other network such as Local Interconnect Networks or Flexray.

New high tech cars will contain shedloads of them, and if hacked could be driven by hackers into walls or other cars.

The court case claims that the car companies are also habitually secretive about these sorts of problems – something that does not bode well if you are sitting in the back of a self drive taxi.

“Disturbingly, as defendants have known, their CAN bus-equipped vehicles for years have been (and currently are) susceptible to hacking, and their ECUs cannot detect and stop hacker attacks on the CAN buses. For this reason, defendants’ vehicles are not secure, and are therefore not safe,” the lawsuit states.

Last year, at the Black Hat security conference in Las Vegas, two industry experts released a 92-page report revealing “the 20 most hackable cars.”

DARPA reported that the defect represents a “real threat to the physical well-being of drivers and passengers.” Before releasing its study, DARPA shared its finding with car manufacturers so they could address the vulnerabilities, “but they did nothing,” the lawsuit states.

Tor wants government freedom

tor-browsingSecurity outfit Tor has said it wants to wean itself off US government cash.

In 2013, Tor received more than $1.8 million from the US government, about 75 percent of the $2.4 million in total annual expenses, according to their latest publicly available tax returns.

While Tor is grateful for the cash, it is worried that conspiracy theorists claim that the US spooks have the system wired up to be a honeypot.

The premise is that while  Tor is meant to keep you anonymous on the Internet but it’s funded in large part by the US government who does not want you to be anonymous. So it must be a way that the government locates those who want to be anonymous and tracks them down.

Technically this is tricky, but it is probably better for Tor if it was free of a government involvement – particularly when that government has been seen as a big fan of snooping.

Developers recently discussed the push to diversify funding at Tor’s biannual meeting in Spain, including setting a goal of 50 percent non-U.S. government funding by 2016.

Tor developers at the meeting also brought up the possibility of lobbying foreign governments within, for instance, the European Union.

However, increasing non-governmental funding is a major priority. Individual donations rose significantly in the last year and Tor plans on soliciting them much more aggressively in 2015. Every new download of Tor—there were 120 million in 2014—will be asked to donate to the project, a change expected to take place in the near future.

Tor is launching a crowdfunding campaign in May of this year.

Lenovo installed malware on laptops

lenovo_hqA security firm made the alarming assertion that Lenovo had pre-installed software on notebooks it sells that makes them more likely to be hacked.

The program called Superfish, which Lenovo installed on computers intended for home use was software that auto-displays adverts.

And according to Reuters, Errata Security, an American company, said Superfish opens up encrypted connections, so letting hackers take over PCs.

Lenovo officials are on holiday for the Chinese New Year and so far have not responded to the allegations.

However, Ken Westin, a senior security analyst at Tripwire had plenty to say on the matter.

“With increasingly security and privacy conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising based monetisation strategies,” he said.

“If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers’ trust, but also put them at increased risk,” he added.