Tag: security

Chinese snoop on iPhone protesters

The Chinese government appears to be cracking down on Hong Kong protesters who use an iPhone or iPad.

Cybersecurity researchers have uncovered a computer virus that spies on Apple Inc’s iOS operating system for the iPhone and iPad, and they believe it is targeting pro-democracy protesters in Hong Kong.

Dubbed Xsser, the software can steal text messages, photos, call logs, passwords and other data from Apple gear.

Researchers with Lacoon Mobile Security uncovered the spyware last week while investigating similar malware for Google's Android operating system that also targeted Hong Kong protesters.

Lacoon Chief Executive Michael Shaulov said that Xsser is the most sophisticated malware used to date in any known cyberattack on iOS users.

It is not clear what the Chinese government hopes to learn from an Apple fanboy’s account; there is just so much you can learn from a complete Coldplay collection and an undeletable U2 album.

It is unclear how iOS devices get infected with Xsser, which is not disguised as an app, particularly as Apple claims that its software is super secure.

The code used to control that server is written in Chinese. The high quality of the campaign and the fact that it is being used to target protesters suggest that it is coming from a sophisticated attacker in China.

“It is the first time in history that you actually see an operationalized iOS Trojan that is attributed to some kind of Chinese entity,” Shaulov said.

Lacoon said on its blog that it is possible the attackers might have deployed the Trojan in other places, in addition to spying on pro-democracy protesters in Hong Kong.

“It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments,” they said in their blog.

Security incidents soar by 48 percent

A report from PwC said the number of reported security incidents with tech rose 48 percent in 2013 to hit 42.8 million attacks.

That, said PwC, is equal to 117,339 attacks every day.  The Global State of Information Security Survey said the compound annual growth rate (CAGR) has increased by 66 percent year over year since 2009.

But the reported security breaches and the cost are probably just the tip of the iceberg, according to David Burg, PwC’s cybersecurity supremo.  “The actual magnitude of these breaches is much higher when considering the nature of detection and reporting of these incidents,” he said.

PwC said that large organisations with annual revenues of $1 billion or more detected 44 percent more incidents this year. But medium-sized organisations, which PwC defines as having revenues of $100 million to $1 billion, saw a 64 percent increase.

But even though the breaches have increased, the amount of money devoted to security fell by four percent compared to 2013.

But high-profile attacks by nations, gangsters and competitors are the least frequent incidents yet the fastest growing. The survey claimed that compromises by nation states increased by 86 percent, while there was a 64 percent increase in security incidents associated with competitors.

Only 49 percent of respondents said their organisations had a cross-enterprise team to discuss, coordinate and communicate info security concerns.

Apple not worried about being Shellshocked

When the Shellshock security hole was revealed, Apple users were warned that it would affect all users of the Mac operating system.

Given that Apple can send out updates, and the Shellshock vulnerability is comparatively simple to fix, one would expect Jobs’ Mob to send out an update smartly.

Apple has made a statement that it was “working to quickly provide a fix” to the vulnerability. However, a company spokesperson said that most Mac OS X users have nothing to fear as Apple gear was invulnerable to any attack.

“OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

Chet Ramey, the maintainer of bash, said in a post to Twitter that he had notified Apple of the vulnerability several times before it was made public, “and sent a patch they can apply” and “several messages”.

However, Jobs’ Mob has not yet packaged that fix for release and has largely ignored the problem. The problem is that Apple refuses to trust anyone and is insisting that its own developers make modifications to the bash code.

BT: business doesn’t trust the cloud

A survey commissioned by BT showed that 70 percent of businesses worldwide are adopting storage and web apps in their organisations.

But they’re far from confident about cloud security, the survey revealed.

Over three quarters of the IT decision makers surveyed said security is the main problem with using cloud services. Half of the respondents said they were “very” or “extremely” anxious about security surrounding their cloud services.

Half think enterprise cloud apps and services are too expensive. Half think trusting third parties is a problem, while as many as 40 percent think all cloud services are inherently insecure.

Why is BT interested in this? Well, you’ve guessed it: BT has its own portfolio of cloud products and services which is, yes, you’ve guessed it again, inherently secure.

The survey was carried out for BT last July with 640 IT decision makers in the UK, France, Germany, Spain and other countries. The companies each have 1,000 plus employees.

Linux security Bashed

A remotely exploitable vulnerability in Linux has been found and it could be really nasty for those who depend on the operating system.

Stephane Chazelas, who found the vulnerability, has named it CVE-2014-6271, but it has been dubbed Shellshock by those who like their viruses to be a little more like a Marvel super-villain.

The flaw is in Bash, which supports exporting shell variables as well as shell functions to other bash instances. It has been a feature of Linux for a long time.

Web applications such as CGI scripts may be vulnerable, especially if they call other applications through a shell or evaluate sections of code through a shell.

The problem is fixed by upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services.

However, it could be a while before word gets out that bash is vulnerable, and a lot of Linux systems are vulnerable.

Security experts say that this vulnerability is very bad and it will be a race to get systems upgraded before someone has a working exploit.

Tod Beardsley, engineering manager from Rapid7, said it was difficult to write a “bash bug” exploit, but not impossible.

“It’s quite common for embedded devices with web-enabled front-ends to shuttle user input back and forth via bash shells, for example — routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed,” he said.

Cisco rules the security appliance roost

While there was only moderate growth for security appliances in EMEA during the second quarter of this year, Cisco has the most market share.

That’s according to technology market research company IDC, which said the market in Q2 was worth $654.80 million, a rise of 6.2 percent compared to the same quarter in 2013.

Cisco has 20.2 percent revenue share, up one percent year on year.

The runners up in shipments during the quarter were Check Point (17.5%), Fortinet (8.5%), McAfee (6%) and Juniper (5.5%), with the others commanding 42.3 percent.

However, McAfee’s growth between Q2 2013 and Q2 2014 was a massive 66.9 percent, IDC said.

Unified threat management (UTM) was the fastest growing security appliance product category for the eighth consecutive quarter, and UTM appliances account for 48.4 percent of total vendor revenue.

Cisco throws weight behind firewall

Networking giant Cisco claims it has introduced the first threat-focused firewall.

Cisco ASA with FirePOWER Services uses contextual awareness and controls to automatically assess threats, provide intelligence and improve defences to protect networks.

Aimed at large enterprises, it includes Sourcefire’s Advanced Malware Protection and Next Generation Intrusion Prevention Systems.

The management software gives authorised users dashboards and drill-down reports of discovered hosts, dodgy applications, threats and indicators of compromised systems.

Cisco claims its firewall is enterprise class, and supports VPN, advanced clustering and granular application-layer and risk-based controls. Open source integration with Snort, OpenAppID and ClamAV lets companies customise security.

No details of pricing are available.

Doom for hacked printer

In what has to be the best proof-of-concept hacking of a printer, Context Information Security analyst Michael Jordon managed to get a Canon Pixma printer to run the game Doom.

Jordon said that Canon Pixma wireless printers have a web interface that shows information about the printer, for example the ink levels, and which allows test pages to be printed and the firmware to be checked for updates.

He found that the interface doesn’t need any sort of authentication to access. While you would think that the worst anyone could do is print off hundreds of test pages and use up all of the printer’s ink, Jordon found a hacker could do a lot more damage.

The interface lets you trigger the printer to update its firmware. It also lets you change where the printer looks for the firmware update.

A hacker could create custom firmware that spies on everything the printer prints; it could even be used as a gateway into the network.

To show what was possible Jordon got the printer to run Doom.

Canon offers very little protection against this. If you can run Doom on a printer, you can do a lot more nasty things. In a corporate environment, it would be a good place to be.

Who suspects printers? Well, other than Nigel from accounts, and he thinks aliens are trying to take over the coffee machine.

Canon has promised that it is working on a fix and is taking a chainsaw to the problems highlighted by Context.

“All PIXMA products launching from now onwards will have a username/password added to the PIXMA web interface, and models launched from the second half of 2013 onwards will also receive this update, models launched prior to this time are unaffected,” Canon said.

Majority of mobile apps are insecure

A Gartner report claimed that 75 percent of mobile applications fail the most basic security tests.

That poses threats for corporations, it said. Enterprise employees download apps and also use mobile apps to access business networks. Such apps can violate enterprise policies and expose enterprises to threats.

Dionisio Zumerle, a principal analyst at Gartner, said: “Enterprises that embrace mobile computing and bring your own device (BYOD) strategies are vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance. Most enterprises are inexperienced in mobile application security. Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security.”

He claimed that vendors supplying static and dynamic application testing can prevent problems in the enterprise. And a new test, called behavioural analysis, is emerging for mobile apps.

He added: “Today, more than 90 percent of enterprises use third-party commercial applications for their mobile BYOD strategies, and this is where current major application security testing efforts should be applied. App stores are filled with applications that mostly prove their advertised usefulness. Nevertheless, enterprises and individuals should not use them without paying attention to their security. They should download and use only those applications that have successfully passed security tests conducted by specialized application security testing vendors.”

Often the biggest problem is misconfigured devices, for example through misuse of personal cloud services via apps on smartphones and tablets.

Phishing Eskimo twitches to steal Steam Wallet

A new piece of phishing malware has taken over Twitch’s user pool, tempting users to enter a fake sweepstake or lottery so that it can nick cash from their Steam Wallets.

For those who came in late, Twitch is a video game-centric website on which people show live streams of game play to others. Amazon bought the site, which has about 50 million users, paying $970 million in cash.

Dubbed Eskimo, the malevolent bot does not look out of place to usual visitors to the streaming site — live streamers, who earn cash via viewer subscriptions, frequently use bots in the chat area of their channels to push donations, inspire supporters and run promotions.

However, one of the bots has been cleaning out Steam inventories, which might hold rare digital collectibles, and Steam Wallets, which are funded with real-world money to purchase games on Valve’s admired distribution platform.

F-Secure said Eskimo can wipe your Steam wallet, armory, and inventory dry. It even dumps your items for a discount in the Steam Community Market. Earlier variants were selling items with a 12 percent discount, but a recent sample showed that they changed it to 35 percent discount — to sell the items faster.

According to F-Secure, Eskimo asks users to follow a link to fill out a form for a raffle, which it claims gives them an opportunity to win digital weapons and collectibles for Counter-Strike: Global Offensive.

F-Secure says that once it has access to a Steam account, Eskimo will take screenshots, add new friends on Steam, accept friend requests, trade with new friends, buy items with Steam funds, send trade offers and accept trades. Once all of a user’s money has been used to purchase collectibles, the malware will trade all of the victim’s digital items to their new “friends.”

F-Secure says, “It might be helpful for the users if Steam were to add another security check for those trading several items to a newly added friend and for selling items in the market with a low price based on a certain threshold. This will help in lessening the damages done by this kind of threat.”

LTE poses security threat

The rise of the internet of things, which is likely to mean billions of devices connected to LTE, brings security weaknesses that need to be quickly addressed.

That’s according to Dr Martin Nuss, chief technical officer of Vitesse Semi, speaking to an audience at 4G World.

Nuss said that small cells are an integral part of LTE and LTE-A deployments and Carrier Heterogeneous Networks. Their accessibility makes them easy to hack, he said.

Even though LTE networks are far more secure than wi-fi hotspots, small cell base stations using LTE and located at street level are a new security risk.

Small cell backhauls are also likely to happen over third-party access provider networks that don’t have the same standards as wireless operators.

Nuss also warned of timing security. Small cell susceptibility to GPS jamming and spoofing is another problem.

By 2018, he said, small cells will be everywhere and so implementing them is a matter of careful network planning and awareness of the risks.

Scientists develop malware tool

A team of researchers at the Universidad Carlos III de Madrid (UC3M) claims to have developed a tool to analyse numbers of apps to trace the origin and family of malware.

Guillermo Suarez de Tangil, a researcher at the computer science department at the university, said malware can be in smartphones and even in washing machines.

“The amount of malware is constantly increasing and it is becoming more intelligent for that reason,” he said.  “Security analysts and market administrators are overwhelmed and cannot afford exhaustive checking for each app.”

The tool is called Dendroid and will track down the family and nature of the malware.  “Developers generally reuse components of other malwares, and that precisely is what allows us to construct this genetic map,” he said.

He said antivirus software used in smartphones uses detection engines based on signatures and its effectiveness is questionable, largely because smartphone resources are limited compared to a PC.

Storage software gets boost

Revenues from the worldwide storage software market rose by 6.3 percent in the second quarter of this year, according to figures from IDC.

It said revenues during Q2 2014 came to nearly $3.8 billion.

The leaders in the pack were EMC, IBM and Symantec, which had market shares of 25.9 percent, 16 percent and 13.3 percent respectively.

Data protection and recovery software showed bigger growth, up 10.2 percent in the quarter, compared to the same quarter in 2013. Revenues for those totalled $1.45 billion. Storage infrastructure sales amounted to $448 million. Storage and device management software sales rose by 4.1 percent to stand at $708 million.

Eric Sheppard, research director of storage software at IDC, said there was broad growth over most markets.

“Sales of data protection and recovery software accounted for almost 60 percent of the spending during the quarter, driven by a market wide move to improve application resiliency, continued uptake in appliance based offering and healthy attach rates within the integrated systems market,” he said.

Homes to be packed with gizmos

In just eight years’ time, ordinary family homes will be bursting with technology.

That’s a prediction market research firm Gartner is making for 2022. Its report said a home, in affluent societies at least, could have over 500 smart devices.

So what are these devices to be?  It estimates a wide range of domestic equipment will become “smart”, inasmuch as they’ll include some level of sensing and intelligence and the ability to communicate wirelessly.

And such vacuum cleaners and washing machines won’t cost more to have “smartness”, with semiconductor economies of scale meaning that a chip won’t cost more than about one US dollar.

Your cooker will be smart, your TVs will be smart, your fitness equipment will be smart, your security will be smart, your toaster will be smart. Everything will be smart as the internet of things starts to cast its spell over our world.

But it won’t be all plain sailing, because ordinary people might not want all this “smartness”. Products which incorporate intelligence must be easy to use and not require a degree in geekiness. And if smartness can’t be relied upon and starts failing, well, your house might not be such a home.

HP beefs up security

AccessData and HP are to get closer to each other by increasing security assessment and quick fixes for global organisations.

HP’s service arm, Rapid Incident Response Services, is intended to help corporations quickly investigate what’s gone wrong after a hack and provide forensic evidence of incidents.

HP will now provide further services using AccessData’s ResolutionOne to give advance warning of security threats and provide alerts to prevent networks, endpoints, mobile devices and applications being compromised.

AccessData claims its ResolutionOne offering will extend HP’s own service with capabilities including root cause analysis, full packet capture network forensics, data on hardware, assessment of malware, and auditing across enterprises.  ResolutionOne also lets security and response teams collaborate in real time with automated batch processing to eradicate threats.

AccessData says it has over 130,000 users in law enforcement, at law firms, government agencies and corporations.