Tag: security

Lenovo installed malware on laptops

lenovo_hqA security firm made the alarming assertion that Lenovo had pre-installed software on notebooks it sells that makes them more likely to be hacked.

The program called Superfish, which Lenovo installed on computers intended for home use was software that auto-displays adverts.

And according to Reuters, Errata Security, an American company, said Superfish opens up encrypted connections, so letting hackers take over PCs.

Lenovo officials are on holiday for the Chinese New Year and so far have not responded to the allegations.

However, Ken Westin, a senior security analyst at Tripwire had plenty to say on the matter.

“With increasingly security and privacy conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising based monetisation strategies,” he said.

“If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers’ trust, but also put them at increased risk,” he added.

 

Lockheed Martin jets into cyber security

DF-SC-82-10542US defence contractor Lockheed Martin sees cyber security as its number one growth area over the next three to five years.

Although it is better known for its jet aircraft, Lockheed Martin is the main provider of IT technology to the US government, said expects double-digit growth in its overall cybersecurity business over the next three to five years.

Lockheed said it was making strong inroads in the commercial market by using its experience and intelligence gathered while guarding its own networks and those of government agencies.
Chief Executive Officer Marillyn Hewson said Lockheed was providing cyber security services for more than 200 customers around the world in the energy, oil and gas, chemical, financial services and pharmaceuticals business.

Hewson told the company’s annual media day that Lockheed had faced 50 “coordinated, sophisticated campaign” attacks by hackers in 2014 alone, and she expected those threats to continue growing.

Lockheed now represented a large number of companies on the Fortune 500 list, including 79 percent of utilities, 35 percent of oil and gas companies, 46 percent of chemical firms, and 46 percent of financial firms.

It has been helped by the fact that other weapons makers, including Boeing and Harris have largely exited the cyber security business after finding it difficult to generate any real cash.

Obama blows hot and cold on encryption

thewhitehouseWhile his security spooks are complaining that company moves to use strong encryption is making their life difficult, President Barack Obama said he likes the technology, other than when he doesn’t.

Talking to Recode, Obama appears to have jumped on the side of the big tech corporations against the NSA and when asked if American citizens should be entitled to control their data, just as the president controls his own private conversations through encrypted email, he said yes.

Obama replied that he’s “a strong believer in strong encryption …. I lean probably further on side of strong encryption than some in law enforcement.” He maintained that he is as firm on the topic as he ever has been.

However the matter, claimed Obama was hypothetical. If the FBI had a good case against someone involved in a terrorist plot and wants to know who that person was communicating with? Traditionally, they could get a court order for a wire tap. Today, a company might tell the FBI they can’t technically comply.

He warned that the first time that an attack takes place in which it turns out that we had a lead and we couldn’t follow up on it, because the data was encrypted the public’s going to demand answers.

“Ultimately everybody, and certainly this is true for me and my family, we all want to know that if we’re using a smartphone for transactions, sending messages, having private conversations, that we don’t have a bunch of people compromising that process. There’s no scenario in which we don’t want really strong encryption,” he said.

So, in other words, everyone should have strong encryption which should turn itself off when the security services want to have a look at it.

Dutch government hit in cyber barrage

dutch-childrenWebsites run by the Dutch government were downed yesterday morning after a cyber attack.

The outages affected many of the government’s web sites and lasted for over seven hours.

And the cyber attackers – whoever they are – also used a distributed denial of service (DDoS) attack to take down a satirical website called GeenStijl.nl.

No one has yet claimed responsibility for the attack.

According to Reuters, phone systems and emergency channels stayed online.

The government information service said it is inestigating the attack along with the Dutch National Centre for Cyber Security.

The attackers targeted the hosting company that services the government sites – Prolocation.

Dating applications expose businesses

1930s-couple-620x400Big Blue is warning that millions of people using dating apps on company smartphones could be exposing their employers to hacking, spying and theft.

IBM security researchers said 26 of 41 dating apps they analysed on Google Android mobile platform had medium or high severity vulnerabilities.  Curiously the IBM team did not look at dating applications on Apple gear, probably because the company signed a deal to push Apple gear in the workplace.

Unfortunately IBM did not name and shame the vulnerable apps but said it had alerted the app publishers to problems.

Apparently Tinder, OkCupid and Match have become hugely popular in the past few years due to their instant messaging, photo and geolocation services. In 2013 it was estimated that 31 million Americans have used a dating site or app.

IBM found employees used vulnerable dating apps in nearly 50 percent of the companies sampled for its research. By using the same phone for work and play or “bring your own device,” it means that companies are wide open for such attack vectors.

Am IBM report said that while BYOD was seen as a way that companies could save cash by allowing employees to use their home gear on corporate networks , if not managed properly, the organizations might be leaking sensitive corporate data via employee-owned devices.

IBM said the problem is that people on dating apps let their guard down and are not as sensitive to potential security problems as they might be on email or websites.

If an app is compromised, hackers can take advantage of users waiting eagerly to hear back from a potential love interest by sending bogus “phishing” messages to glean sensitive information or install malware, IBM said.

A phone’s camera or microphone could be turned on remotely through a vulnerable app, which IBM warned could be used to eavesdrop on personal conversations or confidential business meetings. Vulnerable GPS data could also lead to stalking, and a user’s billing information could be hacked to purchase things on other apps or websites.

Strangely, despite its dire warnings to Android users, IBM said it had not so far seen a rash of security breaches due to dating apps as opposed to any other kind of social media.

Meanwhile, it recommends that dating app users limit the personal information they divulge, use unique passwords on every online account, apply the latest software patches and keep track of what permissions each app has.

ARM buys OffSpark

lightningBritish chip designer ARM has bought Dutch firm Offspark, which is an open source security software outfit.

It is all part of ARM’s cunning plan to make chips for the internet of things.  It seems that the move by Intel to buy McAfee is starting to make some sense and ARM is seeing the wisdom of having inhouse security software.

Offspark’s PolarSSL technology is designed for sensor modules, communication modules and smartphones.

ARM said buying the group would add its security and software cryptography to its IoT platform, designed to link billions of devices online.

It is not clear how much ARM paid for the security outfit. ARM has promised that the  technology will remain open source and will be made available to developers for commercial use.

It complements ARM’s Cryptobox technology of mbed OS that enables secure execution and storage.

Apparently ARM is to  release mbed OS under an Apache 2.0 licence which will include mbed TLS, Thread, and other key technologies toward the end of 2015.

The release of mbed TLS 1.3.10 is now available under GPL and to existing PolarSSL customers on polarssl.org.

 

Top encryption software project nearly went under

Glens_EnigmaA free email encryption software project which was used by whistleblower Edward Snowden nearly went under this week when the bloke behind it ran out of cash.

Koch’s code is behind most of the popular email encryption programs GPGTools, Enigmail, and GPG4Win.  If he packed it in, he would create a nightmare scenario for the security industry.

Werner Koch appealed for cash to keep his Gnu Privacy Guard project going.  He wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.

He has been running the project more or less for free because he believed there was a need to have some sort of open saucy encrypted software.  In 2013 he was all set to pack it in and then the Snowden news broke, and he realised that this was not the time to cancel.

It is not as if the industry has been particularly helpful, despite its dependence on him, the security industry has not been that helpful.

Koch could not raise enough money to pay himself and to fulfill his dream of hiring a full-time programmer. He has been living off $25,000 per year since 2001 — a fraction of what he could earn in private industry. In December, he launched a fundraising campaign that has garnered about $43,000 to date but he needed $137,000 to pay himself a decent salary and hire a full-time developer.

A lifeline was thrown to him this week. He was awarded a one-time grant of $60,000 from Linux Foundation’s Core Infrastructure Initiative. Donations flooded Werner’s website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project.

The cash gave Koch, who has an 8-year-old daughter and a wife who isn’t working, some breathing room. But when Propublica  http://www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke asked him what he will do when the current batch of money runs out, he shrugged and said he prefers not to think about it. “I’m very glad that there is money for the next three months,” Koch said. “Really I am better at programming than this business stuff.”

US health firm comprehensively hacked

Sheffield: CEO of AnthemAn American health insurer appears to have been hacked and lost millions of its customers’ records.
Anthem said that hackers stole the identities of customers across all of its business units.
It has about 37 million customers in the USA and has reported the attack to the Federal Bureau of Investigations (FBI).
It has said it has now closed the hole but that’s somewhat equivalent to closing the gate once the horse has bolted.
The hackers do not appear to have had access to Anthem customers’ credit card records.
It has set up a website to try to explain what happened, with its CEO and president claiming his company had state of the art information security systems.
He said that despite that, his company “was the target of a very sophisticated external cyber attack.  These attackers gained unauthorised access to Anthem’s IT systems”.
Anthem has hired a company called Mandiant to assess its IT systems.
Sheffield said: “Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge.”

Organisations anticipate internet of things

Internet of ThingsAlthough there’s still a clear lack of standards with different vendors vying to take the lead, many organisations are getting ready for the internet of things (IoT).
Companies including Intel, Qualcomm, Google and others want to have a big stake in the future of IOT.
And there’s no doubt the hype is generating interest.
That’s the conclusion of market research company Gartner which said in a study that 40 percent of businesses think the IoT will have a “significant” impact in the next three years.
Nick Jones, a senior analyst at Gartner, said: “Only a small minority has deployed solutions in a production environment. However, the falling costs of networking and processing mean that there are few economic inhibitors to adding sensing and communications to products costing as little as a few tens of dollars”.
But even though many organisations are anticipating the IoT, few have put executives in leadership roles.
The main concerns of the  people surveyed are security and privacy.  And there is a shortage of people with the relevant skills to plot the future.

 

Authentication market value to soar

Screen Shot 2015-02-03 at 16.35.17By the end of this year, mobile multi-factor authentication software and services will be worth $1.6 billion by the end of this year.
The reason is that user names and passwords to identify people aren’t secure enough, according to ABI Research.
And attacks against organisations, of whatever size, continue to flourish with many breaches made because of weak passwords.
That means there’s considerable market demand for authentication technology that gives an additional layer of security.
ABI thinks that one time passwords and tokens are emerging as the favourite way of authentication.
They offer better security because passwords generated only work for a single session or transaction.
Microsoft, Apple, Facebook, Google and Twitter already use two factor authentication methods. And one type of two factor authentication uses hardware based security tokens.
Companies like MobileIron, Gemalto, Entrust,, Centrify, CA, Symantec and others are competing for market share.
ABI believes the market is so ready for this kind of secure technology that by 2020 the authentication market will be worth $13.2 billion.

 

Help! My Mini needs a patch

350350000patch37As a sign of a 21st century problem, car maker BMW has rolled out a patch for a security flaw that could have allowed hackers to open the doors of some 2.2 million vehicles.

The problem affects BMW, Mini and Rolls Royce models that come equipped with ConnectedDrive – a technology that allows car owners to access internet, navigation and other services via a SIM card installed directly into vehicles.

Security experts were able to create a fake mobile phone base station to intercept network traffic from the car, and use that information to send commands to the car telling it to lower windows or open the doors.

Other boffins working for German automobile association ADAC discovered the security vulnerabilities and the potential for vehicles to be broken into last summer, but kept quiet about them until now to give BMW a chance to produce a fix.

Hackers would only need a few minutes to open a car from outside, without leaving any physical trace of unauthorised entry – which is a lot better than a brick through the window or a bent coat hanger.

ConnectedDrive appBMW issued a statement to the press congratulating itself on its rapid response, how it is “increasing the security of data transmission in its vehicles” in response to what it describes as the “potential security gap” in ConnectedDrive.

The vulnerability revolved around the insecure transmission of data, as the patch rolled out by BMW appears to have enabled HTTPS.  Since HTTPS is the minimal sort of security you would expect from an online transition, you would have thought that BMW’s have thought to install it.

The fact BMW still took half a year to work out a fix and roll it out, indicates that they have not really thought this whole security thing through yet.

Still it is likely that we will see a lot more of these sorts of patches being rolled out for cars. In the old days you could open a mini with a fork.

 

 

UK makes Google change privacy policy

OgleThe Information Commissioner’s Office (ICO) has made Google sign an undertaking to improve information about how it collects personal data in the UK.
The ICO said that following an investigation it found that Google’s search engine was “too vague” in describing how it used personal data it had collected.
The ICO said Google has signed a formal undertaking to make changes to its privacy policy so that it meets the needs of the UK Data Protection Act.
The ICO worked with other European data protection authorities, it said.
The enforcement officer at the ICO, Steve Eckersley, said: “This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services.”
Google will have to make agreed changes by the 30th of June this year, and take even more steps over the next two years.
Google’s undertaking can be found here.

 

Big data has serious risks

server-racksScientists at the Massachusetts Institute of Technology (MIT) said just four pieces of vague information can open the door to crackers and hackers.
The researchers said the dates and locations of just four transactions can identify 90 percent of people in a data set recording three months of credit card transactions by 1.1 million users.
For example, say the MIT scientists, that someone with copies of just three recent receipts, or one receipt, an Instagram photo of you, and a tweet about the phone you just bought will have a 94 percent chance of extracting your credit card records from a million other people.
The implications are serious, because both public and private entities see aggregated digital data as a source of insight.
Big Data, however, holds socially beneficial implications, the researchers said.
They are looking at other ways to protect peoples’ data from being filched.

 

DLink routers vulnerable to Bulgarian exploit

khankrumA Bulgarian ethical hacker has found a hole in the firmware of DLink routers which make them vulnerable to remote changing of DNS settings and, effectively, traffic hijacking.

Todor Donev, a member of the Ethical Hacker research team, says that the vulnerability is found in the ZynOS firmware of the device, D-Link’s DSL-2740R ADSL modem/wireless router.

The firmware is used in gear made by D-Link, TP-Link Technologies and ZTE.

The flaw allows attackers to access the device’s Web administration interface without authentication, and through it to modify the DNS settings, which could allow them to redirect users to malware-laden and phishing sites and prevent them to visit legitimate sites for OS and software updates (including security software).

Donev released exploit code for the flaw in a security advisory and said that it could be  exploited remotely if the device’s interface is exposed to the Internet.

It is not the first time that the firmware has been found a little holey. In March 2014, Internet security research organization Team Cymru uncovered a global attack campaign that compromised over 300,000 home routers and changed their DNS settings. A different vulnerability in ZynOS was exploited in that attack and one of the techniques used was likely CSRF.

 

Western spooks behind Regin

 james_bond_movie_poster_006Security experts at Kaspersky Lab have discovered shared code and functionality between the Regin malware and a similar platform  in a newly disclosed set of Edward Snowden documents 10 days ago by Germany’s Der Spiegel.

The link, found in a keylogger called QWERTY allegedly used by the so-called Five Eyes, leads them to conclude that the developers of each platform are either the same, or work closely together.

Writing in their blog, Kaspersky Lab researchers Costin Raiu and Igor Soumenkov  said that considering the extreme complexity of the Regin platform there’s little chance that it can be duplicated by somebody without having access to its source codes.

They think that the QWERTY malware developers and the Regin developers were the same or working together.

The Der Spiegel article describes how the U.S National Security Agency, the U.K.’s GCHQ and the rest of the Five Eyes are allegedly developing offensive Internet-based capabilities to attack computer networks managing the critical infrastructure of its adversaries.

QWERTY is  a module that logs keystrokes from compromised Windows machines; Der Spiegel said the malware is likely several years old and has likely already been replaced.

Kaspersky researchers Raiu and Soumenkov said QWERTY malware is identical in functionality to a particular Regin plugin.

Raiu and Soumenkov said within QWERTY there were three binaries and configuration files. One binary called 20123.sys is a kernel mode component of the QWERTY keylogger that was built from source code also found in a Regin module, a plug-in called 50251.

Side-by-side comparisons of the respective source code shows they are close to identical and sharing large chunks of code.

Regin was discovered in late November by Kaspersky Lab and it was quickly labelled one of the most advanced espionage malware platforms ever studied, surpassing even Stuxnet and Flame in complexity. The platform is used to steal secrets from government agencies, research institutions, banks and can even be tweaked to attack GSM telecom network operators.