Tag: security

Worm found at nuclear control system

A South Korean company was hit by what authorities described as a low risk computer worm.

The Korea Hydro & Nuclear Power Co was hit by a hack earlier this month and data was stolen from its system.

But the South Korea energy ministry said today that the control systems for three nuclear reactors were unaffected by the hack, according to a Reuters report.

The energy minister told the South Korean parliament that the worm was most likely transmitted to the computer systems by an infected USB device – a claim that some have their doubts about.

The CEO of Korea Hydro and Nuclear Power told the parliament that all of the country’s reactors were invulnerable to viruses and worms.  But nevertheless he said that the firm was hiring more IT security staff to be on the safe side.

Some people believe that North Korea is behind attacks on South Korean computer installations.  The two countries are still technically at war with each other.

A British telco hacked my browser

Top British telcos are hijacking their customers’ browsers to make sure that David Cameron’s anti-porn filter rules are enforced.

BT, Sky, and Virgin Media are struggling to get customers to say yes or no to the controversial adult content blocks, because unlike David Cameron, the majority of customers are happy with being able to see what they like.

The prompt appears when a user tries to access any website. BT, Sky, TalkTalk and Virgin Media are required to ask all their customers if they want web filters turned on or off and never see anything that would offend Cameron and his blue rinse friends ever again.

According to Wired the measures being taken by ISPs have been described as “completely unnecessary” and “heavy handed” by Internet rights groups.

The hijacking works by intercepting requests for unencrypted websites and rerouting a user to a different page. ISPs are using the technique to communicate with all undecided customers.

If you click on an interesting Channeleye story you could be redirected to a page asking about web filtering.  The only way you would be safe is if you only look at encrypted websites.

BT is blocking people’s browsers until they make a decision, making it impossible for customers to visit any websites once the in-browser notification has appeared.

A spokesperson for the UK’s biggest ISP said: “If customers do not make a decision, they are unable to continue browsing. The message will remain until the customer makes a decision.”

BT said that it is not forcing people to activate BT Parental Controls and if a user selects “No” they will be taken to a confirmation page and be able to continue browsing without the message reappearing.

The digital rights organization Open Rights Group (ORG) said that ISPs risked encouraging customers to trust hijacked sessions by displaying messages in this way.

“How can a customer tell the difference between an ISP hijack and a phishing site made to look the same? There are better ways for ISPs to contact their customers—particularly given that they have our phone numbers, email and actual addresses,” an ORG spokesperson said.

Sky is also hijacking browser sessions to ask customers if they want to turn on its Sky Broadband Shield web filter. Unlike BT, Sky said it would not disconnect or block customers if they refused to make a decision.

Virgin said it had no plans to disconnect or block customers who did not make a decision, adding that its in-browser message about its Web Filters system could be ignored. The ISP did not say how it planned to get any remaining undecided customers to make a decision if they continued to ignore prompts.

However, all this is playing directly into the Government’s hands by setting a precedent. ISPs for years have said that they are not responsible for what their customers see online. By forcing customers to say “yes” or “no” for the web filters they are placing themselves in a role which the government can use.

The next thing could be looking at emails at the request of whatever daft arse idea that the government has about terrorism, or childcare.

MIT invents new web programming language

Computer scientists at the Massachusetts Institute of Technology (MIT) think their invention might make life a lot easier if you’re developing web pages.

They’ve just gone and invented a programming language called Ur/Web that they claim will let developers write web apps as a self-contained program.

The compiler part of the equation auto generates XML code and style sheet specs, and then just goes right ahead and throws JavaScript and database code where it should be.

Adam Chlipala, a professor of software tech at MIT, claimed Ur/Web makes web pages more secure.

But there’s still some pain for web developers, said Chlipala, because the compiler doesn’t auto generate style sheets.

Once you’ve typed in your code the compiler takes a long hard look at it and gives a list of CSS classes.

He said that the last thing developers want is for apps to have the ability to read and overwrite passwords.  Web frameworks generally speaking assume every little line of a program has complete access to a database. Ur/Web doesn’t, he claims.

MIT didn’t say how you’ll get your paws on the programming language.

Apple auto-updates machines

A potential security threat has forced Apple to send an automatic update to machines without people saying yeah or nay to its installation.

Apple developed auto updates some time ago but this is the first time it’s taken advantage of the technique.

Microsoft has been auto updating its operating systems for quite some while, as security threats come to light.

The update patches problems highlighted by Carnegie Mellon University and the US Department of Homeland Security, relating to a part of Apple’s OS X operating system dubbed the network time protocol.

Apple is often perceived as having secure machines not subject to the type of threat Windows machines face.

Apple said the update doesn’t even need people to restart their machines, meaning that most people will have been unaware of the action taken.

Steel furnace hit by hackers

Fears that computer hackers could compromise industrial as well as military and commercial systems have been confirmed.

A report by the German Federal Office for Information Security (BSI) said that a large German steel mill was shut down after hackers stole logins allowing them to compromise the industrial infrastructure.

The BSI did not name the company but said the hackers were sophisticated technically and hacked into software that administered the plant.

They forced the plant to shut down and also compromised a blast furnace.

The news underlines concerns about the extent to which key parts of a country’s infrastructure are open to compromise by hackers.

Over the weekend, hackers compromised some South Korean nuclear installations and published diagrams showing the layout of some installations.  The hackers have threatened to damage the nuclear installations themselves if the reactors are not shut down before December 25th.

It’s not known if control systems are vulnerable to such attacks.

Chips with built in security go postal

ABI Research believes that by the end of this year processors including embedded security technology will reach the billion mark.

Chips in which vendors are building the Trusted Execution Environment (TEE) will reach 366 million as part of that figure.

The shipments are driven by governments, financial service companies and other enterprises largely to ensure secure ID and payments.

The market for TEE devices is still in its early stages, said ABI.  But shipments are bound to increase for them and for Host Card Emulation (HCE).

ARM is integrating TrustZone architecture into every Cortex-A family processor it licenses to vendors.

Unlike TEE devices, HCE depends on the cloud and lets banks introduce mobile NFC products without relying on smartphone SIMs.  ABI said that HCE support in smartphones is growing exponentially, and will account for shipments of 252 million by the end of the year.

Players in the game include ARM, Nok Nok Labs, NXP Semi, Infineon, Trustonic and Oberthur Technologies.

Human error causes most data breaches

A request to the Information Commissioner’s Office (ICO) under the Freedom of Information Act has revealed that most data breaches are caused by human error.

Egress Software made the FOI request and the ICO revealed that only seven percent of breaches in the first three months of this year were because of technical glitches.

That means the vast majority were down to human error and carelessness by people.  And fines levied because of technical errors amounted to zero, while the ICO levied £5.1 million on companies that made the mistakes.

The data breaches are across many different sectors. The public sector showed healthcare organisations are top of the disgrace league, followed by local government and educational organisations.

The private sector also showed a rise in data breaches with the financial industry, the housing sector, telecoms and recruitment all showing big rises.

Tony Pepper, CEO of encryption company Egress Software, said: “It is concerning that such a high number of data breaches occur as a result of human error and poor processes. Confusion can often put confidential data at risk, with users unsure of when and how to encrypt.”

Intel buys password company

Chip giant Intel has bought a Canadian company that attempts to take the pain out of passwords.

Intel Security – which includes the McAfee unit – didn’t say how much it paid for PasswordBox, which only started business in June 2013.

It’s unclear how many of the company’s 44 employees will be employed by Intel.

Intel will give new and existing customers a premium subscription at no cost until it gets round to releasing products under its own branding.

PasswordBox has around 14 million users worldwide.  The software lets you coordinate different logins and passwords in a sort of digital wallet so you don’t have to remember – or write down – all those different passwords that are easy to forget.

Amnesty releases anti-spying software

Human rights organisation Amnesty International said today it and other organisations have released software to detect spyware.

The software – called Detekt – scans PCs and detects surveillance software, some of which is used by governments to spy on journalists and other activists.

Marek Marczynski, head of military security and police at Amnesty, said: “Governments are increasingly using dangerous and sophisticated technology that allows them to read activists and journalists’ private emails and remotely turn on their computer’s camera or microphone to secretly record their activities.”

He claimed they used the technology “in a cowardly attempt to prevent abuses from being exposed”.

The software is being made available by Amnesty, by the Electronic Frontier Foundation, Privacy International and Digitale Gesellschaft.

Marczynski said: “Detekt is a great tool which can help activists stay safe but ultimately the only way to prevent these technologies from being used to violate or abuse human rights is to establish and enforce strict controls on their use and trade.”

Apple made into security lemon curd

Although the Tame Apple Press makes much of the security features of the iPhone, it is still the easiest phone to hack.

The Mobile Pwn2Own competition that took place alongside the PacSec Applied Security Conference in Tokyo on November 12-13 has a long tradition of knocking over the latest smartphones and always finds Apple smartphones the easiest.

If you believe the Tame Apple Press, the iPhone with its sandbox technology was supposed to be super-secure. However it turns out that the iPhone continues to be a doddle. In fact, it has become traditional on the first day of the competition for Apple to be shown up.

In this case, members of the South Korean team lokihardt@ASRT “pwned” the device by using a combination of two vulnerabilities. They attacked the iPhone 5s via the Safari Web browser and achieved a full sandbox escape.

The competition, organised by HP’s Zero Day Initiative (ZDI) and sponsored by BlackBerry and the Google Android Security team, targeted the Amazon Fire Phone, iPhone 5s, iPad Mini, BlackBerry Z30, Google Nexus 5 and Nexus 7, Nokia Lumia 1520, and Samsung Galaxy S5.

Later in the day, Team MBSD from Japan hacked Samsung’s Galaxy S5 by using a near-field communications (NFC) attack that triggered a deserialisation problem in certain code specific to Samsung. Jon Butler of South Africa’s MWR InfoSecurity also managed to break the Galaxy S5 via NFC.

Adam Laurie from Aperture Labs hacked an LG Nexus 5 using NFC.  This was an interesting hack because it used a two-bug exploit targeting NFC capabilities on the LG Nexus 5 (a Google-supported device) to force Bluetooth pairing between phones.  This was a plot point on the telly show ‘Person of Interest’.

Kyle Riley, Bernard Wagner, and Tyrone Erasmus of MWR InfoSecurity used a combination of three vulnerabilities to break the Web browser on the Amazon Fire Phone.

Microsoft’s Nokia Lumia 1520 came out of the competition quite well with contestants only managing partial hacks. Nico Joly managed to exfiltrate the cookie database, but the sandbox prevented him from taking complete control of the system.

Jüri Aedla of Estonia used a Wi-Fi attack against a Nexus 5, but failed to elevate his privileges, HP said.


Tor wonders how US spooks shut down sites

Tor has been left scratching its encrypted head over how US and European law enforcement shut down more than 400 websites, including Silk Road 2.0, which used its technology.

Tor was set up, not to hide criminals, but to allow dissidents in autocratic countries to make contact with the real world. The fear is that if the US cops could break Tor, then lives could be at risk in countries whose governments would like to shut down dissident sites.

The websites were set up using a special feature of the Tor network, which is designed to mask people’s Internet use using special software that routes encrypted browsing traffic through a network of worldwide servers.

Tor—short for The Onion Router—also allows people to host “hidden” websites with a special “.onion” URL, which is difficult to trace. But law enforcement appears to have figured out a method to find out where sites are hosted.

Last week the Department of Justice shut down more than 410 hidden websites as part of “Operation Onymous” and arrested more than 17 people, including Blake Benthall, 26, who is accused of running the underground marketplace Silk Road 2.0.

However, Tor is broke and does not have the cash to play a cat and mouse game with the well-funded European and US cops.

Andrew Lewman, the project’s executive director, in a blog post said that it was a miracle that its hidden services have survived so far.

It is possible that a remote-code execution vulnerability has been found in Tor’s software, or that the individual sites had flaws such as SQL injection vulnerabilities.

“Tor is most interested in understanding how these services were located and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents,” he wrote.

Microsoft software is unsafe again

Expect a slew of critical updates to Microsoft Windows and other Microsoft software this week.

The company last week warned that much of its software needed patches to be safe and sound.  Many will need you to restart your machine or machines.

At the same time Microsoft will release an upgrade to its Malicious Software removal tool, its update services and the download centre.

Affected software includes Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1, Windows Technical Preview and Windows Server Technical Preview.

Microsoft doesn’t support Windows XP anymore so you are on your own unless like the NHS or people that use point of sale (POS) embedded software you have additional security built in. You can find the whole sorry tale at the Microsoft site, here.

Heartbleed bug still compromises websites

A bug that compromised systems in April this year still poses threats despite patches made to cover the security hole.

According to researchers at the University of Maryland, website administrators are still at threat from the Heartbleed bug.

The bug compromises OpenSSL (secure sockets layer) software, making it possible for those with a malicious bent to read the memory of systems.

The Maryland researchers looked at a million sites in the United States in a bid to discover whether sys admins applied the correct protocols to prevent the bug.

While nearly 93 percent of web administrators patched the hole within three weeks of the arrival of Heartbleed, the researchers found only 13 percent followed up with other measures to make their systems bulletproof.

Sys admins should have patched OpenSSL software, revoked current certificates and re-issued new ones, said the researchers.

If these measures hadn’t been taken, attackers with a website’s private key could still pose as that website.

Renesas intros anti car hacking devices

Semiconductor manufacturer Renesas said it has introduced an automotive controller aimed at advanced self driving car systems.

The microcontroller incorporates sensor fusion gateway and advanced chassis system applications and includes safety tech, security tech and vehicle control network technology.

The safety features are fault diagnostic functions with error checking and data correcting features.  The chip can detect faults in the different fault detection systems.

The security features are intended to prevent people from hacking into cars and include data encryption, random number generation as well as providing information on road conditions.

The sensor facility can support up to 8MB of flash memory, up to 960K of RAM and can steam along at 240MHz.

Communications support includes ethernet, CAN, LIN, CSI and FlexRay functions and can pick up complex control of chassis systems using a vehicle network or a gateway.

The family of chips has the not so catchy name of RH850/P1x-C Series with samples being available in February 2015 with an emulator device costing $1,000 a unit.  Mass production will start in September 2016 and volume will reach two million units a month by January 2020, Renesas claims.

IBM claims first for intelligent cloud security

Big Blue claimed it is the first company to build an intelligent security profile that protects data, applications and people in the cloud.

The offerings it announced use what IBM described as advanced analytics to react to threats across enterprise, public, private and mobile clouds – so-called hybrid clouds.

IBM said that while the cloud is being rapidly adopted worldwide, attackers are more sophisticated and more able to hide their activities.  Indeed, IBM claims that three quarters of security breaches take days, weeks or months to be discovered.

Its managed security services platform is intended to protect IBM customers as well as customers of firms like Amazon Web Services and Salesforce.

It said that its intelligent threat protection monitors the cloud environment, analysing billions of security events and including correlation and external data feeds.

IBM estimates that nearly half of large enterprises will use hybrid clouds by the end of 2017 and claims that it is the largest hybrid cloud vendor.