Tag: security

Heartbleed bug still compromises websites

A bug that compromised systems in April this year still poses a threat despite the patches issued to cover the security hole.

According to researchers at the University of Maryland, website administrators are still at risk from the Heartbleed bug.

The flaw in the OpenSSL (secure sockets layer) library makes it possible for those with a malicious bent to read the memory of affected systems.

The Maryland researchers looked at a million sites in the United States in a bid to discover whether sys admins had taken the correct steps to remediate the bug.

While nearly 93 percent of web administrators patched the hole within three weeks of the arrival of Heartbleed, the researchers found only 13 percent followed up with other measures to make their systems bulletproof.

Sys admins should have patched the OpenSSL software, revoked their existing certificates and issued new ones, said the researchers.

Where these measures were not taken, an attacker who had obtained a website's private key could still pose as that website.
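The three follow-up steps above (patch, revoke, re-issue) can be checked mechanically. The following is an added example, not code from the article or the Maryland study: it takes a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, the serial of the certificate that was live while the host was vulnerable, a set of revoked serials (as you would pull from the CA's CRL), and the date the host was patched. The certificate dictionaries, serials, hostname and dates below are all constructed for the example.

```python
import ssl
from datetime import datetime, timezone


def cert_not_before(cert):
    """'notBefore' as returned by ssl.SSLSocket.getpeercert() looks like
    'Apr 12 00:00:00 2014 GMT'; convert it to an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def assess_remediation(current_cert, previous_serial, revoked_serials, patched_on):
    """Report whether a host completed Heartbleed clean-up.

    A key that was in memory while the host ran a vulnerable OpenSSL must be
    treated as exposed, so the live certificate has to be a *new* one issued
    *after* the patch, and the old certificate has to be revoked. A cert
    re-issued before the patch was applied could have leaked again, so it
    is flagged too.
    """
    issues = []
    if current_cert["serialNumber"] == previous_serial:
        issues.append("certificate not re-issued")
    elif cert_not_before(current_cert) < patched_on:
        issues.append("certificate issued before host was patched")
    if previous_serial not in revoked_serials:
        issues.append("previous certificate not revoked")
    return {
        "subject": current_cert["subject"][0][0][1],
        "status": "remediated" if not issues else "at_risk",
        "issues": issues,
    }


# --- constructed sample data (not real certificates) -----------------------
SUBJECT = ((("commonName", "www.example.test"),),)
OLD_CERT = {"subject": SUBJECT, "serialNumber": "0A1B2C",
            "notBefore": "Jan 15 00:00:00 2014 GMT", "notAfter": "Jan 15 23:59:59 2015 GMT"}
# re-issued three days after the host was patched
NEW_CERT = {"subject": SUBJECT, "serialNumber": "0D4E5F",
            "notBefore": "Apr 12 00:00:00 2014 GMT", "notAfter": "Apr 12 23:59:59 2015 GMT"}
# re-issued in a hurry the day *before* the host was actually patched
PREMATURE_CERT = {"subject": SUBJECT, "serialNumber": "0B2C3D",
                  "notBefore": "Apr  8 00:00:00 2014 GMT", "notAfter": "Apr  8 23:59:59 2015 GMT"}
PATCHED_ON = datetime(2014, 4, 9, tzinfo=timezone.utc)
CRL_SERIALS = {"0A1B2C"}  # serials the (constructed) CA lists as revoked

if __name__ == "__main__":
    for label, cert, crl in (("good", NEW_CERT, CRL_SERIALS),
                             ("no revocation", NEW_CERT, set()),
                             ("premature re-issue", PREMATURE_CERT, CRL_SERIALS),
                             ("never re-issued", OLD_CERT, set())):
        print(label, assess_remediation(cert, OLD_CERT["serialNumber"], crl, PATCHED_ON))
```

The revocation set is passed in rather than fetched so the check runs offline; in practice it would be filled from the issuing CA's CRL or an OCSP response, and the "previous serial" would come from the certificate inventory you kept before the patch window.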

Renesas intros anti car hacking devices

Semiconductor manufacturer Renesas said it has introduced an automotive controller aimed at advanced self-driving car systems.

The microcontroller incorporates sensor fusion gateway and advanced chassis system applications and includes safety tech, security tech and vehicle control network technology.

The safety features are fault diagnostic functions with error checking and data correction. The chip can also detect faults in the fault detection systems themselves.

The security features are intended to stop people hacking into cars and include data encryption and random number generation, as well as providing information on road conditions.

The sensor facility can support up to 8MB of flash memory and up to 960KB of RAM, and can steam along at 240MHz.

Communications support includes Ethernet, CAN, LIN, CSI and FlexRay functions, and the chip can take on complex control of chassis systems over a vehicle network or a gateway.

The family of chips has the not so catchy name of RH850/P1x-C Series, with samples available in February 2015 and an emulator device costing $1,000 a unit. Mass production will start in September 2016 and volume will reach two million units a month by January 2020, Renesas claims.

IBM claims first for intelligent cloud security

Big Blue claimed it is the first company to build an intelligent security profile that protects data, applications and people in the cloud.

The offerings it announced use what IBM described as advanced analytics to react to threats across enterprise, public, private and mobile clouds, so-called hybrid clouds.

IBM said that while the cloud is being rapidly adopted worldwide, attackers are more sophisticated and better able to hide their activities. Indeed, IBM claims that three quarters of security breaches take days, weeks or months to be discovered.

Its managed security services platform is intended to protect IBM customers as well as customers of firms like Amazon Web Services and Salesforce.

It said that its intelligent threat protection monitors the cloud environment, analysing billions of security events and drawing on correlation and external data feeds.

IBM estimates that nearly half of large enterprises will use hybrid clouds by the end of 2017 and claims that it is the largest hybrid cloud vendor.

GCHQ head hits out at IT companies

The newly appointed head of spy outfit GCHQ has said computer companies like Facebook and Twitter are not doing enough to help the security services catch criminals and terrorists.

Robert Hannigan went a little further than that and accused technology outfits of being “command and control networks for terrorists and criminals”.

The Islamic State, for example, used the web as a channel to promote itself, frighten people and radicalise new recruits.

Hannigan said: “But increasingly their services not only host the material of violent extremism or child exploitation, but are the routes for the facilitation of crime and terrorism.”

He also criticised the state of communications security, saying that encryption methods which were once the domain of nation states are now commonplace. For example, Apple and Google include encryption in their mobile operating systems as a way of protecting people's security and privacy.

He wants the tech companies to provide more support.

Security experts rubbish CBS hacking claim

Security experts have poured cold water on CBS hackette Sharyl Attkisson's claim that she was being hacked by the government.

In her new book Stonewalled, Attkisson claims that both her personal Apple laptop and a CBS News-issued Toshiba laptop were hacked in late 2012 while she was reporting on the Benghazi terrorist attacks.

In June 2013, CBS News confirmed that the CBS News computer was breached using what the network said were "sophisticated" methods, and unnamed sources confirmed for Attkisson that an unnamed government agency was behind the attack.

However, Attkisson released a video she took with her mobile of one apparent hack of her personal Apple laptop. The video shows words typed into a Microsoft Word document rapidly disappearing. During the video, Attkisson's voice can be heard saying she's "not touching it."

Computer security experts who reviewed the video have told Media Matters that Attkisson’s computer had a broken backspace key.

Matthew Brothers-McGrew, a senior specialist at Interhack, was quoted as saying that sometimes computers "malfunction, a key can get stuck, sometimes dirt can get under a keyboard and a key will inadvertently be held down."

Brad Moore, also a senior specialist at Interhack, said that based on what he saw and was able to replicate, there were multiple explanations for this sort of behaviour, and a stuck backspace key was the simplest.

Peter Theobald, a computer forensics investigator with TC Forensics, said that if a hacker tried to infiltrate her laptop and delete her files there would be better ways to do it, and it wouldn't be so obvious to her.


Amazon invests in German datacentres

Many people might think that Amazon is where you buy your books, your Hue lights and your CDs, but behind the scenes it is becoming a major player in the datacentre business.

And now, according to the Financial Times, Amazon will build several datacentres in Frankfurt in a bid to allay customers’ fears that their data is housed in places where security and privacy are not as high a priority as in Germany.

The FT reports that the EU has much stricter data protection laws than other territories. And, of the EU countries, Germany has the strongest privacy controls.

A senior VP of Amazon Web Services told the FT that many of its German customers would prefer to have their data held locally. Although no figure has been put on the German infrastructure investment, it is believed that such a project will require a multi-million dollar outlay.

US providers like Google, Rackspace and others compete with Amazon but are based in the USA. Amazon is believed to be generating revenues from its cloud business of over $5 billion during 2014.

Microsoft soothsayers say “beware of zero day”

Software giant Microsoft is warning its users about a new zero-day vulnerability in Windows that is being actively exploited in the wild.

The vulnerability is a risk to users on servers and workstations that open documents with embedded OLE objects.

It is currently being exploited via PowerPoint files as some companies are still trying to use these in meetings to bore staff to death without actually helping the company develop.

Apparently these specially crafted files contain a malicious OLE (Object Linking and Embedding) object which can be exploited by cybercriminals. What makes this nasty is that the vulnerability affects the latest, fully patched versions of Windows.

Microsoft points out that the email attack scenario requires the user's involvement.

For this attack to be successful, the user must be convinced to open the specially crafted file containing the malicious OLE object. All Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object.

The attacker would have to host a website that contains a specially crafted Microsoft Office file, such as a PowerPoint file, that is used in an attempt to exploit this vulnerability.

“In addition, compromised websites (and websites that accept or host user-provided content) could contain specially crafted content that could exploit this vulnerability. An attacker would have no method to force users to visit a malicious website. Instead, an attacker would have to persuade the targeted user to visit the website, typically by getting them to click a hyperlink that directs a web browser to the attacker-controlled website.”

A successful exploitation could lead to the attacker gaining the same user rights as the current user, and if that means administrative rights, the attacker can install programs; access, modify, or delete data; or create new accounts with full user rights.

The vulnerability affects all supported Windows versions, and there is currently no patch for it. Microsoft is still investigating the matter and deciding whether they will issue an out-of-band patch or wait for the next Patch Tuesday to plug the hole.

Until then, do not open Microsoft PowerPoint files, Office files, or any other files received or downloaded from untrusted sources.
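Since the article's advice is that any Office file type can carry an OLE object, a mail gateway or triage desk can at least flag which inbound Office files embed one. The following is an added example, not Microsoft's guidance or code from the article: it inspects an Office Open XML file (PPTX, DOCX, XLSX are zip containers) for embedded objects, looking both at the `embeddings/` part paths and at the `oleObject` content type declared in `[Content_Types].xml`. The sample deck is constructed in memory; the attribute ordering assumed in the `<Override>` regex (PartName before ContentType) matches what Office writes but is an assumption of this example, and legacy binary `.ppt`/`.doc` files are compound files, not zips, so this check does not cover them.

```python
import io
import re
import zipfile

# Content type Office assigns to an embedded OLE object part in OOXML packages.
OLE_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.oleObject"
# Embedded objects live under <app>/embeddings/ inside the package.
EMBEDDING_PATH = re.compile(r"^(word|ppt|xl)/embeddings/", re.IGNORECASE)
OVERRIDE_RE = re.compile(r'<Override[^>]*PartName="([^"]+)"[^>]*ContentType="([^"]+)"')


def find_embedded_objects(data):
    """Return sorted part names of embedded objects in an OOXML file (bytes).

    Both signals are checked because a hand-built file may omit one:
    the part path convention and the content-type declaration.
    """
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        for name in names:
            if EMBEDDING_PATH.match(name):
                found.add(name)
        if "[Content_Types].xml" in names:
            types_xml = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
            for part, ctype in OVERRIDE_RE.findall(types_xml):
                if ctype == OLE_CONTENT_TYPE:
                    found.add(part.lstrip("/"))
    return sorted(found)


def build_sample_deck(with_ole):
    """Construct a minimal PPTX-shaped zip for the example (not a real deck)."""
    main_type = "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml"
    overrides = f'<Override PartName="/ppt/presentation.xml" ContentType="{main_type}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        if with_ole:
            overrides += (f'<Override PartName="/ppt/embeddings/oleObject1.bin" '
                          f'ContentType="{OLE_CONTENT_TYPE}"/>')
            # placeholder bytes standing in for an OLE compound-file blob
            pkg.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                     'package/2006/content-types">' + overrides + "</Types>")
        pkg.writestr("ppt/presentation.xml", "<p:presentation/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, deck in (("clean deck", build_sample_deck(False)),
                        ("deck with embedding", build_sample_deck(True))):
        print(label, "->", find_embedded_objects(deck) or "no embedded objects")
```

A hit is a reason to quarantine and look closer, not proof of malice: plenty of legitimate decks embed spreadsheets or charts as OLE objects, which is exactly why the article's "don't open untrusted files" advice stands until a patch lands.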


US thinks it is legal to invade foreign servers

The US government claims it has a constitutional right to hack the servers of foreign companies based overseas.

Apparently when the French-backed terrorists usurped their legitimate King it was with the sole aim of ruling the world and committing illegal acts in other countries.

The Justice Department made the announcement in the ongoing prosecution of Ross Ulbricht. The government believes that Ulbricht is the operator of the Silk Road illicit drug website.

The case involves how the US government found the Silk Road servers in Iceland. Ulbricht said government claims that a leaky CAPTCHA on the site’s login led them to the IP address was “implausible” and that the government may have unlawfully hacked into the site. His view is backed by Nicholas Weaver, a Berkeley computer scientist who said the story is full of holes.

Assistant US Attorney Serrin Turner countered (PDF), saying that even if it were a lie, such an investigative measure would not have run afoul of the Fourth Amendment.

Because the SR Server was located outside the United States, the Fourth Amendment would not have required a warrant to search the server, whether for its IP address or otherwise, so the search was acceptable, he argued.

Turner added, “Given that the SR Server was hosting a blatantly criminal website, it would have been reasonable for the FBI to ‘hack’ into it in order to search it, as any such ‘hack’ would simply have constituted a search of foreign property known to contain criminal evidence, for which a warrant was not necessary.”

The FBI denied using wiretaps in its investigation. Ulbricht did not even become a suspect until well after the SR Server was searched, and no information collected from Ulbricht through a wiretap was ever used to locate the SR Server, it said.

Still it must be a little worrying for US citizens to know that their constitutional protection from US spooks stops at the border.


McAfee dabbles in democracy

Security company McAfee, which is a subsidiary of the Intel Corporation, has given us its thoughts about how we could vote online or e-vote in the future.

Online voting isn't particularly new: Baltic country Estonia has held national elections using an e-voting system. Other countries including India, France, Brazil and Australia have introduced electronic voting machines.

Yet Michael DeCare, president of McAfee, said that wasn't quite enough. He said: "A greater emphasis on security could empower a new era in digital democracy. People need to have trust and confidence in the process. Pilot programmes could be the route to earning public trust on a small scale."

He claims the obstacles to online and e-voting are largely hard to overcome and that such systems have little public acceptance.

People, he said, are worried about hacking and “lost votes cannot be regained”.

He doesn't seem to have an answer to this question of public trust. But as people are wary following the thousands of security breaches that take place every year, it is down to vendors like McAfee not to pose such questions but to provide the answers.

Smartgun inspires smart mouse

A security contractor working for defence outfit Raytheon has solved a problem relating to computer authentication after reading about an effort to use pressure-sensitive gun grips to authenticate a gun owner.

According to Computer World, Glenn Kaufman wondered if something similar might work for a computer mouse and, after four years, has been awarded a patent for a biometric pressure grip that describes how a mouse can be used to authenticate someone.

One of the difficulties with high-security defences is that serious attackers can bypass them without anyone being aware of it. Smartcards can be stolen, fingerprints lifted off surfaces, passwords cracked and photographic substitutes used to defeat facial recognition and retina scans.

But a pressure-sensitive mouse "is a lot harder to defeat" because it works from a neurological pattern rather than a physical pattern such as a facial scan. The way people hold a mouse, along with the amount of pressure they apply, is unique.

Kaufman built a mouse with pressure sensors and tested it on 10 people. He extrapolated the results to indicate a failure rate of one in 10,000, which is similar to what the pressure gun grip researchers had discovered.

It means that if someone wants to hack into your computer they need to have you sitting next to them with your hand on your mouse. They cannot cut your hand off because a dead hand will not hold the mouse in the same way.

Chinese snoop on iPhone protesters

The Chinese government appears to be cracking down on Hong Kong protesters who use an iPhone or iPad.

Cybersecurity researchers have uncovered a computer virus that spies on Apple Inc's iOS operating system for the iPhone and iPad, and they believe it is targeting pro-democracy protesters in Hong Kong.

Dubbed Xsser, the software can steal text messages, photos, call logs, passwords and other data from Apple gear.

Researchers with Lacoon Mobile Security uncovered the spyware last week while investigating similar malware for Google's Android operating system that also targeted Hong Kong protesters.

Lacoon Chief Executive Michael Shaulov said that Xsser is the most sophisticated malware used to date in any known cyberattack on iOS users.

It is not clear what the Chinese government hopes to learn from an Apple fanboy's account; there is only so much you can learn from a complete Coldplay collection and an undeletable U2 album.

It is unclear how iOS devices get infected with Xsser, which is not disguised as an app, particularly as Apple claims that its software is super secure.

The code used to control the malware's command server is written in Chinese. The high quality of the campaign and the fact that it is being used to target protesters suggest that it is coming from a sophisticated attacker in China.

“It is the first time in history that you actually see an operationalized iOS Trojan that is attributed to some kind of Chinese entity,” Shaulov said.

Lacoon said on its blog that it is possible the attackers might have deployed the Trojan in other places, in addition to spying on pro-democracy protesters in Hong Kong.

"It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments," the company said in its blog post.


Security incidents soar by 48 percent

A report from PwC said the number of reported security incidents rose 48 percent in 2013 to hit 42.8 million attacks.

That, said PwC, is equal to 117,339 attacks every day. The Global State of Information Security Survey said the compound annual growth rate (CAGR) has increased by 66 percent year over year since 2009.

But the reported security breaches and their cost are probably just the tip of the iceberg, according to David Burg, PwC's cybersecurity supremo. "The actual magnitude of these breaches is much higher when considering the nature of detection and reporting of these incidents," he said.

PwC said that large organisations with annual revenues of $1 billion or more detected 44 percent more incidents this year. But medium-sized organisations, which PwC defines as having revenues of $100 million to $1 billion, saw a 64 percent increase.

But even though the breaches have increased, the amount of money devoted to security fell by four percent compared to 2013.

High-profile attacks by nations, gangsters and competitors are the least frequent incidents yet the fastest growing. The survey claimed compromises by nation states increased by 86 percent, while there was a 64 percent increase in security incidents associated with competitors.

Only 49 percent of respondents said their organisations had a cross-enterprise team to discuss, coordinate and communicate information security concerns.

Apple not worried about being Shellshocked

When the Shellshock security hole was revealed, Apple users were warned that it would affect all users of the Mac operating system.

Given that Apple can send out updates, and the Shellshock vulnerability is comparatively simple to fix, one would expect Jobs’ Mob to send out an update smartly.

Apple has made a statement that it was “working to quickly provide a fix” to the vulnerability. However, a company spokesperson said that most Mac OS X users have nothing to fear as Apple gear was invulnerable to any attack.

"OS X systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users."

Chet Ramey, the maintainer of bash, said in a post to Twitter that he had notified Apple of the vulnerability several times before it was made public, "and sent a patch they can apply" and "several messages".

However, Jobs' Mob has not yet packaged that fix for release and has largely ignored the problem. The problem is that Apple refuses to trust anyone and is insisting that its own developers make the modifications to the bash code.


BT: business doesn’t trust the cloud

A survey commissioned by BT showed that 70 percent of businesses worldwide are adopting cloud storage and web apps in their organisations.

But they’re far from confident about cloud security, the survey revealed.

Over three quarters of the IT decision makers surveyed said security is the main problem with using cloud services. Half of the respondents said they were "very" or "extremely" anxious about the security surrounding their cloud services.

Half think enterprise cloud apps and services are too expensive. Half think trusting third parties is a problem, while as many as 40 percent think all cloud services are inherently insecure.

Why is BT interested in this? Well, you've guessed it: BT has its own portfolio of cloud products and services which is (yes, you've guessed it again) inherently secure.

The survey was carried out for BT last July with 640 IT decision makers in the UK, France, Germany, Spain and other countries. The companies each have 1,000 plus employees.

Linux security Bashed

A remotely exploitable vulnerability in Linux has been found, and it could be really nasty for those who depend on the operating system.

Stephane Chazelas, who found the vulnerability, has named it CVE-2014-6271, but it has been dubbed Shellshock by those who like their viruses to sound a little more like a Marvel super-villain.

The flaw is in Bash, which supports exporting shell functions, as well as shell variables, to other bash instances through the environment. It has been a feature of Linux for a long time.

Web applications like CGI scripts may be vulnerable, especially if they call other applications through a shell or evaluate sections of code through a shell.

The problem is fixed by upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services.
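Two of the mitigations just listed, filtering inputs and spotting probes against vulnerable services, can be shown in a few lines. The following is an added example and is not from the article, Rapid7 or the bash maintainers: `is_function_export` recognises the `() {` prefix that pre-fix bash treated as an exported function definition, `sanitize_environment` drops any such values before a CGI handler hands its environment to a shell, and `scan_log_lines` runs the same check over web server log lines in the combined format. The log lines and environment dictionary are constructed for the example (the `() { :; }; echo ...` strings stand in for a probe against a CGI endpoint), and the strictness of the marker regex is a choice made here, not bash's exact parsing rule.

```python
import re
import subprocess

# Pre-fix bash treated an environment value beginning "() {" as a function
# body and kept parsing past it, so text after the closing brace ran when the
# shell started. Anything in that shape has no business arriving over HTTP.
FUNCTION_EXPORT_MARKER = re.compile(r"^\s*\(\s*\)\s*\{")

# Apache/nginx "combined" log format, enough to pull out the request line,
# referer and user agent, which CGI exposes to scripts as environment variables.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_function_export(value):
    """True if a string would be parsed as a function definition by pre-fix bash."""
    return bool(FUNCTION_EXPORT_MARKER.match(value))


def sanitize_environment(env):
    """Return (clean_env, dropped_names): a copy of env with function-export
    values removed, for use with subprocess when a shell must be invoked."""
    clean, dropped = {}, []
    for name, value in env.items():
        if is_function_export(value):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, dropped


def scan_log_lines(lines):
    """Yield (client_ip, field, request) for log lines carrying a function-export
    marker in any field a CGI script would see in its environment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("req", "referer", "ua"):
            if is_function_export(m.group(field)):
                hits.append((m.group("ip"), field, m.group("req")))
                break
    return hits


# --- constructed sample log lines (not real traffic) ----------------------
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:14:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:15:44 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 '
    '"-" "() { :; }; echo probe"',
    '198.51.100.9 - - [25/Sep/2014:10:16:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 404 211 '
    '"() { ignored; }; echo probe" "curl/7.38.0"',
    '203.0.113.8 - - [25/Sep/2014:10:17:30 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0 {custom-build}"',
]

if __name__ == "__main__":
    for ip, field, req in scan_log_lines(SAMPLE_LOG):
        print(f"probe from {ip} via {field}: {req}")
    # How a CGI wrapper would scrub its environment before spawning a shell.
    tainted = {"PATH": "/usr/bin:/bin", "HTTP_USER_AGENT": "() { :; }; echo probe"}
    clean, dropped = sanitize_environment(tainted)
    print("dropped:", dropped)
    subprocess.run(["/bin/sh", "-c", "echo env scrubbed"], env=clean, check=False)
```

Filtering is a stop-gap for services that cannot be patched immediately; the regex here is deliberately a little looser than bash's own check (it tolerates extra whitespace), which is the right side to err on for a blocking filter but means the log scan should be read as "probe-shaped input", not confirmed exploitation.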

However, it could be a while before word gets out that bash is vulnerable, and in the meantime a lot of Linux systems remain exposed.

Security experts say that this vulnerability is very bad and it will be a race to get systems upgraded before someone has a working exploit.

Tod Beardsley, engineering manager from Rapid7, said it was difficult to write a “bash bug” exploit, but not impossible.

“It’s quite common for embedded devices with web-enabled front-ends to shuttle user input back and forth via bash shells, for example — routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed,” he said.