Tag: security

ARM buys Offspark

British chip designer ARM has bought Offspark, a Dutch open source security software outfit.

It is all part of ARM’s cunning plan to make chips for the internet of things. It seems that Intel’s move to buy McAfee is starting to make some sense, and ARM is seeing the wisdom of having in-house security software.

Offspark’s PolarSSL technology is an SSL/TLS library designed for sensor modules, communication modules and smartphones.

ARM said buying the group would add its security and software cryptography to its IoT platform, designed to link billions of devices online.

It is not clear how much ARM paid for the security outfit. ARM has promised that the technology will remain open source and will be made available to developers for commercial use.

It complements the Cryptobox technology in ARM’s mbed OS, which enables secure execution and storage.

Apparently ARM is to release mbed OS, including mbed TLS, Thread and other key technologies, under an Apache 2.0 licence toward the end of 2015.

Meanwhile, mbed TLS 1.3.10 is available now under the GPL, and to existing PolarSSL customers, on polarssl.org.


Top encryption software project nearly went under

A free email encryption software project which was used by whistleblower Edward Snowden nearly went under this week when the bloke behind it ran out of cash.

Werner Koch’s code is behind most of the popular email encryption programs, including GPGTools, Enigmail and GPG4Win. If he packed it in, he would create a nightmare scenario for the security industry.

Koch appealed for cash to keep his GNU Privacy Guard (GnuPG) project going. He wrote the software in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.

He has been running the project more or less for free because he believed there was a need for some sort of open saucy encryption software. In 2013 he was all set to pack it in, but then the Snowden news broke and he realised that this was not the time to cancel.

It is not as if the industry has been particularly helpful, despite its dependence on him.

Koch could not raise enough money to pay himself and to fulfill his dream of hiring a full-time programmer. He has been living off $25,000 per year since 2001 — a fraction of what he could earn in private industry. In December, he launched a fundraising campaign that has garnered about $43,000 to date but he needed $137,000 to pay himself a decent salary and hire a full-time developer.

A lifeline was thrown to him this week. He was awarded a one-time grant of $60,000 from Linux Foundation’s Core Infrastructure Initiative. Donations flooded Werner’s website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project.

The cash gave Koch, who has an 8-year-old daughter and a wife who isn’t working, some breathing room. But when ProPublica (http://www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke) asked him what he will do when the current batch of money runs out, he shrugged and said he prefers not to think about it. “I’m very glad that there is money for the next three months,” Koch said. “Really I am better at programming than this business stuff.”

US health firm comprehensively hacked

An American health insurer appears to have been hacked and lost millions of its customers’ records.
Anthem said that hackers stole the identities of customers across all of its business units.
It has about 37 million customers in the USA and has reported the attack to the Federal Bureau of Investigation (FBI).
It has said it has now closed the hole, but that is somewhat equivalent to closing the gate once the horse has bolted.
The hackers do not appear to have had access to Anthem customers’ credit card records.
It has set up a website to try to explain what happened, with its CEO and president claiming his company had state-of-the-art information security systems.
He said that despite that, his company “was the target of a very sophisticated external cyber attack. These attackers gained unauthorised access to Anthem’s IT systems”.
Anthem has hired a company called Mandiant to assess its IT systems.
Anthem’s CEO said: “Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge.”

Organisations anticipate internet of things

Although there is still a clear lack of standards, with different vendors vying to take the lead, many organisations are getting ready for the internet of things (IoT).
Companies including Intel, Qualcomm, Google and others want to have a big stake in the future of IoT.
And there’s no doubt the hype is generating interest.
That’s the conclusion of market research company Gartner which said in a study that 40 percent of businesses think the IoT will have a “significant” impact in the next three years.
Nick Jones, a senior analyst at Gartner, said: “Only a small minority has deployed solutions in a production environment. However, the falling costs of networking and processing mean that there are few economic inhibitors to adding sensing and communications to products costing as little as a few tens of dollars”.
But even though many organisations are anticipating the IoT, few have put executives in leadership roles.
The main concerns of the people surveyed are security and privacy. And there is a shortage of people with the relevant skills to plot the future.


Authentication market value to soar

By the end of this year, mobile multi-factor authentication software and services will be worth $1.6 billion.
The reason is that user names and passwords alone are not secure enough to identify people, according to ABI Research.
And attacks against organisations of whatever size continue to flourish, with many breaches made possible by weak passwords.
That means there is considerable market demand for authentication technology that adds a further layer of security.
ABI thinks that one-time passwords and tokens are emerging as the favourite way of authentication.
They offer better security because each generated password only works for a single session or transaction, so a stolen one cannot be replayed.
Microsoft, Apple, Facebook, Google and Twitter already use two-factor authentication methods, and one type of two-factor authentication uses hardware-based security tokens.
Companies like MobileIron, Gemalto, Entrust, Centrify, CA, Symantec and others are competing for market share.
ABI believes the market is so ready for this kind of secure technology that by 2020 the authentication market will be worth $13.2 billion.


Help! My Mini needs a patch

As a sign of a 21st century problem, car maker BMW has rolled out a patch for a security flaw that could have allowed hackers to open the doors of some 2.2 million vehicles.

The problem affects BMW, Mini and Rolls-Royce models that come equipped with ConnectedDrive, a technology that allows car owners to access internet, navigation and other services via a SIM card installed directly in the vehicle.

Security researchers were able to set up a fake mobile phone base station to intercept network traffic from the car, and use that information to send commands telling the car to lower its windows or unlock its doors.

The vulnerabilities were discovered by boffins working for the German automobile association ADAC last summer, but they kept quiet about them until now to give BMW a chance to produce a fix.

Hackers would only need a few minutes to open a car from outside, without leaving any physical trace of unauthorised entry, which is a lot tidier than a brick through the window or a bent coat hanger.

BMW issued a statement to the press congratulating itself on its rapid response and on how it is “increasing the security of data transmission in its vehicles” in response to what it describes as the “potential security gap” in ConnectedDrive.

The vulnerability revolved around the insecure transmission of data, and the patch rolled out by BMW appears to consist of enabling HTTPS. Since HTTPS is the minimum you would expect of any online transaction, you would have thought BMW might have thought to use it from the start.

The fact that BMW still took half a year to work out a fix and roll it out indicates that it has not really thought this whole security thing through yet.

Still it is likely that we will see a lot more of these sorts of patches being rolled out for cars. In the old days you could open a mini with a fork.


UK makes Google change privacy policy

The Information Commissioner’s Office (ICO) has made Google sign an undertaking to improve the information it gives about how it collects personal data in the UK.
The ICO said that following an investigation it found that Google’s privacy policy was “too vague” in describing how the search giant used the personal data it had collected.
The ICO said Google has signed a formal undertaking to make changes to its privacy policy so that it meets the needs of the UK Data Protection Act.
The ICO worked with other European data protection authorities, it said.
The enforcement officer at the ICO, Steve Eckersley, said: “This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services.”
Google will have to make the agreed changes by 30 June this year, and take further steps over the next two years.
Google’s undertaking can be found here.


Big data has serious risks

Scientists at the Massachusetts Institute of Technology (MIT) said just four pieces of vague information can open the door to crackers and hackers.
The researchers said the dates and locations of just four transactions can identify 90 percent of people in a data set recording three months of credit card transactions by 1.1 million users.
For example, say the MIT scientists, someone with copies of just three recent receipts, or one receipt, an Instagram photo of you and a tweet about the phone you just bought, would have a 94 percent chance of picking your credit card records out from those of a million other people.
The implications are serious, because both public and private entities see aggregated digital data as a source of insight.
Big Data does, however, hold socially beneficial implications, the researchers said.
They are looking at other ways to protect people’s data from being filched.
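The MIT result is a measurement of “unicity”: how often a handful of (date, place) points matches exactly one person in the dataset. As an added example, not code from the original page or from the MIT researchers, the following implements both sides of that measurement on a constructed three-cardholder dataset: `reidentify` is the attacker’s query (which traces contain every observed point?), and `unicity` is the exhaustive fraction of k-point observations that single out one cardholder. The dataset, names and merchants are all made up for illustration.

```python
"""Unicity of spatio-temporal traces: how often k (date, merchant) points pin down one cardholder.
Constructed toy data; the algorithm is the generic one, not the MIT team's code."""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Point = Tuple[str, str]                 # (ISO date, merchant)
Trace = FrozenSet[Point]

# Constructed dataset: three cardholders with a few dated purchases each. Names and shops are made up.
RECORDS: Dict[str, Trace] = {
    "alice": frozenset({("2015-01-02", "cafe"), ("2015-01-03", "bookshop"), ("2015-01-05", "cafe")}),
    "bob":   frozenset({("2015-01-02", "cafe"), ("2015-01-03", "bookshop"), ("2015-01-06", "pharmacy")}),
    "carol": frozenset({("2015-01-02", "cafe"), ("2015-01-04", "grocer"),   ("2015-01-05", "cafe")}),
}


def reidentify(records: Dict[str, Trace], observed: Iterable[Point]) -> Set[str]:
    """Attacker's query: which cardholders' traces contain every observed point?
    Each point is something seen outside the dataset, e.g. a receipt or a geotagged photo."""
    wanted = set(observed)
    return {user for user, trace in records.items() if wanted <= trace}


def unicity(records: Dict[str, Trace], k: int) -> float:
    """Fraction of k-point observations that match exactly one cardholder, taken exhaustively over
    every user and every k-subset of that user's trace. Users with fewer than k points are skipped."""
    unique = total = 0
    for user, trace in records.items():
        if len(trace) < k:
            continue
        for combo in combinations(sorted(trace), k):
            total += 1
            if reidentify(records, combo) == {user}:
                unique += 1
    return unique / total if total else 0.0


if __name__ == "__main__":
    # One receipt from the grocer is already enough to single out carol.
    print(reidentify(RECORDS, [("2015-01-04", "grocer")]))          # {'carol'}
    for k in (1, 2, 3):
        print(f"{k} point(s): {unicity(RECORDS, k):.2f} of observations identify exactly one person")
```

On the toy data one point identifies 2 of 9 observations, two points 5 of 9 and three points all of them, which is the shape of the MIT finding: each extra receipt sharply shrinks the set of people it could belong to. Exhaustive enumeration is fine for three people; on a million-user dataset you would sample a fixed number of random k-subsets per user instead and report the fraction as an estimate.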


DLink routers vulnerable to Bulgarian exploit

A Bulgarian ethical hacker has found a hole in the firmware of D-Link routers which makes them vulnerable to remote changing of DNS settings and, effectively, traffic hijacking.

Todor Donev, a member of the Ethical Hacker research team, says that the vulnerability is in the ZynOS firmware of D-Link’s DSL-2740R ADSL modem/wireless router.

The firmware is used in gear made by D-Link, TP-Link Technologies and ZTE.

The flaw allows attackers to access the device’s web administration interface without authentication and, through it, to modify the DNS settings, which could let them redirect users to malware-laden and phishing sites and prevent them from reaching legitimate sites for OS and software updates (including security software).

Donev released exploit code for the flaw in a security advisory and said that it could be exploited remotely if the device’s interface is exposed to the internet.

It is not the first time that the firmware has been found a little holey. In March 2014, internet security research organisation Team Cymru uncovered a global attack campaign that compromised over 300,000 home routers and changed their DNS settings. A different vulnerability in ZynOS was exploited in that attack, and one of the techniques used was likely CSRF.
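The two ZynOS problems described above, an admin interface that obeys requests without authentication and a DNS change triggered by cross-site request forgery, are easy to model. The following is an added example, not code from the original page, from Donev’s advisory or from any vendor’s firmware: a toy router object with a `/set_dns` endpoint written two ways. The vulnerable handler applies whatever it is sent; the hardened one refuses requests arriving on the WAN side, requires a logged-in session, checks a per-session anti-CSRF token and the browser’s Origin/Referer, and validates the submitted addresses. The request class, the path, the LAN address and the factory password are all constructed for the example.

```python
"""Toy model of a home-router 'set DNS' admin endpoint: a handler that obeys any request, as the
ZynOS flaw above is described, beside a hardened one. Constructed example, not firmware code."""
import hmac
import ipaddress
import secrets
from typing import Dict, List, Optional, Tuple

LAN_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the router's admin UI (constructed)


class Request:
    """Minimal stand-in for an HTTP request as the device's web server would hand it over."""

    def __init__(self, method: str, path: str, iface: str = "lan",
                 cookies: Optional[Dict[str, str]] = None,
                 headers: Optional[Dict[str, str]] = None,
                 form: Optional[Dict[str, str]] = None):
        self.method, self.path, self.iface = method, path, iface
        self.cookies, self.headers, self.form = cookies or {}, headers or {}, form or {}


class Router:
    def __init__(self, admin_password: str = "admin"):   # constructed factory default
        self.dns: List[str] = ["192.168.1.1"]
        self._password = admin_password
        self._sessions: Dict[str, str] = {}     # session id -> anti-CSRF token bound to it

    def login(self, password: str) -> Optional[Tuple[str, str]]:
        """Returns (session id, CSRF token) on success; both random, neither derived from the password."""
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            return None
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self._sessions[sid] = token
        return sid, token

    def set_dns_vulnerable(self, req: Request) -> int:
        """Applies any POST to /set_dns: no session, no CSRF token, no origin or interface check.
        Anyone who can reach the interface, or lure a LAN browser to a page that posts here, owns the DNS."""
        if req.method != "POST" or req.path != "/set_dns":
            return 404
        self.dns = [s.strip() for s in req.form.get("dns", "").split(",")]
        return 200

    def set_dns_hardened(self, req: Request) -> int:
        if req.method != "POST" or req.path != "/set_dns":
            return 404
        if req.iface != "lan":                          # admin UI is never served on the WAN side
            return 403
        token = self._sessions.get(req.cookies.get("session", ""))
        if token is None:                               # no valid login
            return 401
        # Anti-CSRF: the token in the form must match the one tied to the session cookie. A page on
        # another site can make the browser send the cookie, but cannot read or guess this token.
        if not hmac.compare_digest(token.encode(), req.form.get("csrf", "").encode()):
            return 403
        # Second line of defence: the browser-supplied Origin (or Referer) must be the router itself.
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if origin != LAN_ORIGIN and not origin.startswith(LAN_ORIGIN + "/"):
            return 403
        servers = [s.strip() for s in req.form.get("dns", "").split(",") if s.strip()]
        if not servers:
            return 400
        try:
            self.dns = [str(ipaddress.ip_address(s)) for s in servers]   # reject anything not an IP
        except ValueError:
            return 400
        return 200


if __name__ == "__main__":
    # An unauthenticated POST from the WAN side, as the advisory describes (addresses are constructed).
    attack = Request("POST", "/set_dns", iface="wan",
                     headers={"Origin": "http://evil.example"}, form={"dns": "203.0.113.53"})
    vulnerable, hardened = Router(), Router()
    print("vulnerable:", vulnerable.set_dns_vulnerable(attack), vulnerable.dns)   # 200 ['203.0.113.53']
    print("hardened:  ", hardened.set_dns_hardened(attack), hardened.dns)         # 403 ['192.168.1.1']
```

The interface check alone would have stopped Donev’s remote scenario, and the session-bound token alone would have stopped the 2014 CSRF campaign; the hardened handler applies both because each covers a hole the other does not.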


Western spooks behind Regin

Security experts at Kaspersky Lab have discovered shared code and functionality between the Regin malware and a similar platform described in a set of Edward Snowden documents disclosed 10 days ago by Germany’s Der Spiegel.

The link, found in a keylogger called QWERTY allegedly used by the so-called Five Eyes, leads them to conclude that the developers of the two platforms are either the same or work closely together.

Writing in their blog, Kaspersky Lab researchers Costin Raiu and Igor Soumenkov said that, considering the extreme complexity of the Regin platform, there is little chance that it could be duplicated by somebody without access to its source code. They therefore think the QWERTY developers and the Regin developers were the same people, or were working together.

The Der Spiegel article describes how the US National Security Agency, the UK’s GCHQ and the rest of the Five Eyes are allegedly developing offensive internet-based capabilities to attack the computer networks managing the critical infrastructure of their adversaries.

QWERTY is a module that logs keystrokes from compromised Windows machines; Der Spiegel said the malware is likely several years old and has probably already been replaced.

Raiu and Soumenkov said QWERTY is identical in functionality to a particular Regin plugin.

Within QWERTY there were three binaries and configuration files. One binary, called 20123.sys, is a kernel-mode component of the QWERTY keylogger that was built from source code also found in a Regin module, a plugin called 50251.

Side-by-side comparison of the two shows they are close to identical, sharing large chunks of code.

Regin was discovered in late November by Kaspersky Lab and was quickly labelled one of the most advanced espionage malware platforms ever studied, surpassing even Stuxnet and Flame in complexity. The platform is used to steal secrets from government agencies, research institutions and banks, and can even be tweaked to attack GSM telecom network operators.


Patch that Flash!

Software company Adobe has released a security bulletin warning of a vulnerability in its Flash Player.
The vulnerability affects Windows, Macintosh and Linux.
The bulletin says that Adobe is aware of an exploit being used in attacks against older versions of Flash Player.
Affected software includes the Flash Player Desktop Runtime, Flash Player for Linux, Flash Player for Google Chrome, and Flash Player for Internet Explorer 10 and Internet Explorer 11.
You can find details of what you need to do by going to this page. The patch itself will not be available until next week, it seems.

Oracle pushes out huge security update

Database outfit Oracle has pushed out a record number of patches in a security update.

Included in the patch are critical fixes for Java SE and the Oracle Sun Systems Products Suite.

All up, this means the update contains nearly 170 new security fixes, including 36 for Oracle Fusion Middleware, 28 of which may be remotely exploitable without authentication, that is, over a network without the need for a username and password.

The worst of the bugs are in Java SE and the Fujitsu M10-1, M10-4 and M10-4S servers. In the case of Java SE, a CVSS base score of 10.0 was reported for four distinct client-only vulnerabilities.

Writing in the company blog, Oracle said that of the 19 Java SE fixes in the update, 15 affect client-only installations, two affect client and server installations, and two affect JSSE installations.

The blog says that the lower number of Java SE fixes reflects Oracle’s strategy for addressing security bugs affecting Java clients and for improving security development practices in the Java development organisation.

While that might be true, the ton of patches in the rest of the software suggests that while Java is being closely watched, other bits are not.

In the case of the Oracle Sun Systems Products Suite, CVE-2013-4784 has a CVSS rating of 10.0 and affects XCP Firmware versions prior to XCP 2232. Overall, there are 29 security fixes for the suite.

The update also includes eight new security fixes for Oracle Database Server, none of which are remotely exploitable without authentication. Oracle MySQL has nine security fixes.

There are also: 10 fixes for Oracle Enterprise Manager Grid Control; 10 for Oracle E-Business Suite; six for the Oracle Supply Chain Products Suite; seven security fixes for Oracle PeopleSoft products; 17 for Oracle Siebel CRM; one for Oracle JD Edwards Products; two for Oracle iLearning; two for Oracle Communications Applications; one for Oracle Retail Applications; one for Oracle Health Sciences Applications and 11 new security fixes for Oracle Virtualisation.

UK open to security abuse

A report from networking giant Cisco revealed that only 41 percent of UK companies have good security processes in place.
That places it well below India at 54 percent, and just below the US at 44 percent and Germany at 43 percent.
But the situation is worse in Asia. Only 36 percent of Chinese enterprises have adequate security, while Japan has only 24 percent.
Cisco’s annual security review reveals that hackers are moving from compromising servers and operating systems to targeting individual users’ browsers and email.
Favoured techniques include snowshoe spam, which spreads a campaign across a large range of IP addresses, each sending at low volume, to avoid detection.
Attackers are also taking advantage of the relatively weak security of JavaScript and Flash by exploiting both at the same time.
According to the survey, less than 50 percent of firms patch and configure systems to ensure security.
The survey canvassed executives at 1,700 companies and it appears there is a gap in perception with 75 percent thinking their security tools are very effective, while the reality is quite different.


Skeleton Key exposes password flaws

SecureWorks, the security arm of Dell, has found malware, which it has dubbed “Skeleton Key”, that shows up the weakness of relying on passwords alone.

The attack consists of installing rogue software on an Active Directory domain controller, after which the malware allows attackers to log in as any user on the domain without the need for further authentication.

It has weaknesses as an attack vector: installation requires administrator access, or a flaw on the server that grants such access.

But Skeleton Key has some interesting coding which could point to something even nastier in the future. It does not install itself on the filesystem. Instead, it is an in-memory patch of the Active Directory process, which makes detection even more difficult.

Access is not logged and the malware is completely silent, which makes it extremely hard to detect. Identifying it through traditional network monitoring does not work either, because Skeleton Key does not generate any network traffic of its own.

In its current form, the malware does not survive a system reboot, which means that it has to be reinstalled after every restart, but that is entirely possible, particularly if you have a disgruntled sysadmin.

Companies can also make the malware useless by requiring two-factor authentication to connect to servers, VPNs, email and the like. So, in other words, leaning on passwords alone is pretty much suicide.

Google chucks rocks in glass house

It seems that there is a large amount of the pot calling the kettle black when it comes to security.

Last month, Google angered Microsoft by releasing the details of a security vulnerability ahead of Microsoft’s Patch Tuesday. Microsoft said that the patch was set to be released two days after Google went live with the details, and that Google refused to wait the extra 48 hours so that the patch could ship alongside the details of the exploit.

That would all be fine, but Google does not hold itself to the same standard. A flaw has been uncovered in Android 4.3 (Jelly Bean), which covers roughly 60 per cent of Android’s install base according to the Android Developer dashboard, and Google is saying that it will not patch it.

The flaw, which exists in WebView, impacts nearly 1 billion users, using Google’s own numbers as a base along with Gartner figures.

To make matters worse, Jelly Bean was first announced in June 2012, which means that Google is dropping support for the OS less than three years after its release.

Google is clearly stating that legacy support for the OS is not on its agenda, even while phones are still being flogged with Jelly Bean under the bonnet.

The question is: if Google is being such a bastard about its own operating system, why is it so keen to throw Microsoft under the bus?