Tag: security

Chips with built in security go postal

smartphones-genericABI Research believes that by the end of this year processors including embedded security technology will reach the billion mark.

Vendors are building in the Trusted Execution Environment (TEE) will reach 366 million as part of that figure.

The shipments are driven by governments, financial service companies and other enterprises largely to ensure secure ID and payments.

The market for TEE devices is still in its early stages, said ABI.  But shipments are bound to increase for them and for Host Card Emulation (HCE).

ARM is integrating TruZeone architecture into every Cortex-A family processor it licenses to vendors.

Unlike TEE devices, HCE depends on the cloud and lets banks introduce mobile NFC products without relying on smartphone SIMs.  ABI said that HCE support in smartphones is growing exponentially, and will account for shipments of 252 million by the end of the year.

Players in the game include ARM, Nok Nok Labs, NXP Semi, Infineon, Trustonic and Obertur Technologies.

Human error causes most data breaches

Detail showing fleeing Persians (King Darius centre) from an AncA request to the Information Commissioner’s Office (ICO) under the Freedom of Information Act has revealed that most data breaches are caused by human error.

Egress Software made the FOI request and the ICO revealed that only seven percent of breaches in the first three months of this year were because of technical glitches.

That means the fast majority were down to human error and carelessness by people.  And fines levied because of technical errors amounted to zero, while the ICO levied £5.1 million for companies that made the mistakes.

The data breaches are across many different sectors. The public sector showed healthcare organisations are top of the disgrace league, followed by local government and educational organisations.

The private sector also showed a rise in data breaches with the financial industry, the housing sector, telecoms and recruitment all showing big rises.

Tony Pepper, CEO of encryption company Egress Software, said: “It is concerning that such a high number of data breaches occur as a result of human error and poor processes. Confusion can often put confidential data at risk, with users unsure of when and how to encrypt.”

Intel buys password company

Intel-logoChip giant Intel has bought a Canadian company that attempts to take the pain out of passwords.

Intel Security – which includes the McAfee unit – didn’t say how much it paid for PasswordBox, which only started business in June 2013.

It’s unclear how many of the company’s 44 employees will be employed by Intel.

Intel will give new and existing customers a premium subscription at no cost until it gets round to releasing products under its own branding.

PasswordBox has around 14 million users worldwide.  The software lets you coordinate different logins and passwords in a sort of digital wallet so you don’t have to remember – or write down – all those different passwords that are easy to forget.

Amnesty releases anti-spying software

amnestyHuman rights organisation Amnesty International said today it and other organisations have released software to detect spyware.

The software – called Detekt – scans PCs and detects surveillance software, some of which is used by governments to spy on journalists and other activists.

Marek Marczynski, head of military security and police at Amnesty said: “Goverments are increasingly using dangerous and sophisticated technology that allows them to read activists and journalists’ private emails and remote turn on their computer’s camera or microphone to secretly record their activities.”

He claimed the used the technology “in a cowardly attempt to prevent abuses from being exposed”.

The software is being made available by Amnesty, by the Electronic Frontier Foundation, Privacy International and Digitale Gesellschaft.

Marczynski said: “Detekt is a great tool which can help activists stay safe but ultimately the only way to prevent these technologies from being used to violate or abuse human rights is to establish and enforce strict controls on their use and trade.”

Apple made into security lemon curd

LemoncurdAlthough the Tame Apple Press makes much of the security features of the iPhone, it is still the easiest phone to hack.

The Mobile Pwn2Own competition that took place alongside the PacSec Applied Security Conference in Tokyo on November 12-13 has a long tradition of knocking over the latest smartphones and always finds Apple smartphones the easiest.

If you believe the Tame Apple Press, the iPhone  with its sandbox technology was supposed to be super-secure. However it turns out that the iPhone continues to be a doddle. In fact, it has become traditional for the first day of the competition for Apple to be shown up.

In this case, members of the South Korean team lokihardt@ASRT “pwned” the device by using a combination of two vulnerabilities. They attacked the iPhone 5s via the Safari Web browser and achieved a full sandbox escape.

The competition, organised by HP’s Zero Day Initiative (ZDI) and sponsored by BlackBerry and the Google Android Security team, targeted the Amazon Fire Phone, iPhone 5s, iPad Mini, BlackBerry Z30, Google Nexus 5 and Nexus 7, Nokia Lumia 1520, and Samsung Galaxy S5.

Later in the day, Team MBSD from Japan hacked Samsung’s Galaxy S5 by using a near-field communications (NFC) attack that triggered a deserialisation problem in certain code specific to Samsung. Jon Butler of South Africa’s MWR InfoSecurity also managed to break the Galaxy S5 via NFC.

Adam Laurie from Aperture Labs hacked an LG Nexus 5 using NFC.  This was an interesting hack because it used a two-bug exploit targeting NFC capabilities on the LG Nexus 5 (a Google-supported device) to force BlueTooth pairing between phones.  This was a plot point on the telly show ‘Person of Interest’.

Kyle Riley, Bernard Wagner, and Tyrone Erasmus of MWR InfoSecurity used a combination of three vulnerabilities to break the Web browser on the Amazon Fire Phone.

Microsoft’s Nokia Lumia 1520 came out of the competition quite well with contestants only managing partial hacks. Nico Joly, managed to exfiltrate the cookie database, but the sandbox prevented him from taking complete control of the system.

Jüri Aedla of Estonia used a Wi-Fi attack against a Nexus 5, but failed to elevate his privileges, HP said.

 

Tor wonders how US spooks shut down sites

tor-browsingTor has been left scratching its encrypted head over how US and European law enforcement shut down more than 400 websites, including Silk Road 2.0, which used its technology.

Tor was set up, not to hide criminals, but to allow dissidents in autocratic countries to make contact with the real world. The fear is that if the US cops could break Tor, then lives could be at risk in countries whose governments would like to shut down dissident sites.

The websites were set up using a special feature of the Tor network, which is designed to mask people’s Internet use using special software that routes encrypted browsing traffic through a network of worldwide servers.

Tor—short for The Onion Router—also allows people to host ”hidden” websites with a special “.onion” URL, which is difficult to trace. But law enforcement appears to have figured out a method to find out where sites are hosted.

Last Week the Department of Justice shut down more than 410 hidden websites as part of ”Operation Onymous” and arrested more than 17 people, including Blake Benthall, 26, who is accused of running the underground marketplace Silk Road 2.0.

However, Tor is broke and does not have the cash to play a cat and mouse game with the well-funded European and US cops.

Andrew Lewman, the project’s executive director, in a blog post said that it was a miracle that its hidden services have survived so far.

It is possible that a remote-code execution vulnerability has been found in Tor’s software, or that the individual sites had flaws such as SQL injection vulnerabilities.

“Tor is most interested in understanding how these services were located and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents,” he wrote.

Microsoft software is unsafe again

Stained Glass - picture Mike MageeExpect a slew of critical updates to Microsoft Windows and other Microsoft software this week.

The company last week warned that much of its software needed patches to be safe and sound.  Many will need you to restart your machine or machines.

At the same time Microsoft will release an upgrade to its Malicious Software removal tool, its update services and the download centre.

Affected software includes Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1, Windows Technical Preview and Windows Server Technical Preview.

Microsoft doesn’t support Windows XP anymore so you are on your own unless like the NHS or people that use point of sale (POS) embedded software you have additional security built in. You can find the whole sorry tale at the Microsoft site, here.

Heartbleed bug still compromises websites

The Bleeding Heart Dove - Wikimedia CommonsA bug that compromised systems in April this year still poses threats despite patches made to cover the security hole.

According to researchers at the University of Maryland, website administrators are still at threat from the Heartbleed bug.

The malefic sofware compromises the OpenSSL (secure sockets layer) making it possible for those with a malicious bent to read the memory of systems.

The Maryland researchers looked at a million sites in the United States in a bid to discover whether sys admins applied the correct protocols to prevent the bug.

While nearly 93 percent of web administrators patched the hole within three weeks of the arrival of Heartbleed, the researchers found only 13 percent followed up with other measures to make their systems bulletproof.

Sys admins should have patched OpenSSL software, revoke current certificates and re-issue new ones, said the researchers.

If these measures hadn’t been taken, attackers with a website private key could still pose as a website.

Renesas intros anti car hacking devices

modeltSemiconductor manufacturer Renesas said it has introduced an automotive controller aimed for advanced self driving car systems.

The microcontroller incorporates sensor fusion gateway and advanced chassis system applications and includes safety tech, security tech and vehicle control network technology.

The safety features are fault diagnostic functions with error checking and data correcting features.  The chip can detect faults in the different fault detection systems.

The security features are intended to prevent people from hacking into cars and includes data encryption, random number generation as well as providing information on road conditions.

The sensor facility can support up to 8MB of flash memory, up to 960K of RAM and can steam along at 240MHz.

Communications support includes ethernet, CAN, LIN, CSI and FlexRay functions and can pick up complex control of chassis systems using a vehicle network or a gateway.

The family of chips has the not so catchy name of RH850/P1x-C Series with samples being available in February 2015 with an emulator device costing $1,000 a unit.  Mass production will start in September 2016 and volume will reach two million units a month by January 2020, Renesas claims.

IBM claims first for intelligent cloud security

clouds3Big Blue claimed it is the first company to build an intelligent security profile that protects data, applications and people in the cloud.

The offerings it announced use what IBM described as advanced analytics to react to threats across enterprise, public, private and mobile clouds  – so called hybrid clouds.

IBM said that while the cloud is being rapidly adopted worldwide, attackers are more sophisticated and more able to hide their activities.  Indeed, IBM claims that three quarters of security breaches take days, weeks or months to be discovered.

Its managed security services platform is intended to protect IBM customers as well as customers of firms like Amazon Web Services and Salesforce.

It said that its intelligent threat protection monitors the cloud environment, analysing billions of security events and including correlation and external data feeds.

IBM estimates that nearly half of large enterprises will use hybrid clouds by the end of 2017 and claims that it is the largest hybrid cloud vendor.

GCHQ head hits out at IT companies

GCHQ buildingThe newly appointed head of spy outfit GCHQ has said computer companies like Facebook and Twitter are not doing enough to help security services catch criminals and terrorists.

Robert Hannigan went a little further than that and accused technology outfits of being “command and control networks for terrorists and criminals”.

The Islamic State, for example, used the web as a channel to promote itself, frighten people and radicalise new recruits.

Hannigan said: “But increasingly their services not only host the material of violent extremism or child exploitation, but are the routes for the facilitation of crime and terrorism.”

He also criticised the security of communications saying that encryption methods which were once the domain of nation states are now commonplace.  For example, Apple and Google include encryption in their mobile operating systems as a way of protecting people’s security and privacy.

He wants the tech companies to provide more support.

Security experts rubbish CBS hacking claim

face-palmSecurity experts have poured cold water on CBS hackettes Sharyl Attkisson’s claim that she was being hacked by the government,

In her new book Stonewalled, Attkisson claims that both her personal Apple laptop and a CBS News-issued Toshiba laptop were hacked in late 2012 while she was reporting on the Benghazi terrorist attacks.

In June 2013, CBS News confirmed that the CBS News computer was breached, using what the network said were “sophisticated” methods and unnamed sources confirmed for Attkisson that an unnamed government agency was behind the attack.

However Attkisson released a video she took with her mobile of one apparent hack of her personal Apple laptop. The video shows words typed into a Microsoft Word document rapidly disappearing. During the video, Attkisson’s voice can be heard saying she’s “not touching it.”

Computer security experts who reviewed the video have told Media Matters that Attkisson’s computer had a broken backspace key.

Matthew Brothers-McGrew, a senior specialist at Interhack was quoted as saying sometimes computers “malfunction, a key can get stuck, sometimes dirt can get under a keyboard and a key will inadvertently be held down.”

Brad Moore, also a senior specialist at Interhack said that based on what he saw and was able replicate, there were multiple explanations for this sort of action and a stuck backcase key was the easiest.

Peter Theobald, computer forensics investigator with TC Forensics said that if a hacker tried to infiltrate her laptop and delete her files there would be better ways to do it and it it wouldn’t be so obvious to her.

 

Amazon invests in German datacentres

amazonsMany people might think that Amazon is where you buy your books, your Hue lights and your CDs but behind the scenes it is  becoming a major player in the datacentre business.

And now, according to the Financial Times, Amazon will build several datacentres in Frankfurt in a bid to allay customers’ fears that their data is housed in places where security and privacy are not as high a priority as in Germany.

The FT reports that the EU has much stricter data protection laws than other territories.  And, of the EU countries, Germany has the best privacy control.

A senior VP of Amazon Web Services told the FT that many of its German customers would prefer to have their data held locally. Although a figure hasn’t been placed on the German infrastructure investment, it’s believed that such a project will require a multimillion dollar investment.

US providers like Google, Rackspace and others compete with Amazon but are based in the USA.  Amazon is believed to generate revenues from its cloud business amounting to over $5 billion during 2014.

Microsoft soothsayers say “beware of zero day”

soothsayer-resized-600Software giant Microsoft is warning its users about a new zero-day vulnerability in Windows that is being actively exploited in the wild.

The vulnerability is a risk to users on servers and workstations that open documents with embedded OLE objects.

It is currently being exploited via PowerPoint files as some companies are still trying to use these in meetings to bore staff to death without actually helping the company develop.

Apparently these specially crafted files contain a malicious OLE (Object Linking and Embedding) object which can be exploited by cybercriminals. What makes this nasty is that the vulnerability affects the latest fully patched versions of Windows.

Microsoft points out that users have to be involved in the email attack scenario.

For this attack to be successful, the user must be convinced to open the specially crafted file containing the malicious OLE object. All Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object.

The attacker would have to host a website that contains a specially crafted Microsoft Office file, such as a PowerPoint file, that is used in an attempt to exploit this vulnerability.

“In addition, compromised websites (and websites that accept or host user-provided content) could contain specially crafted content that could exploit this vulnerability. An attacker would have no method to force users to visit a malicious website. Instead, an attacker would have to persuade the targeted user to visit the website, typically by getting them to click a hyperlink that directs a web browser to the attacker-controlled website.”

A successful exploitation could lead to the attacker gaining same user rights as the current user, and if that means administrative user rights, the attacker can install programs; access, modify, or delete data; or create new accounts with full user rights.

The vulnerability affects all supported Windows versions, and there is currently no patch for it. Microsoft is still investigating the matter and deciding whether they will issue an out-of-band patch or wait for the next Patch Tuesday to plug the hole.

Otherwise, do not open Microsoft PowerPoint files, Office files, or any other files received or downloaded from untrusted sources.

 

US thinks it is legal to invade foreign servers

Battle_erieThe US government claims it has a constitutional right to hack the servers of foreign companies based overseas.

Apparently when the French-backed terrorists usurped their legitimate King it was with the sole aim of ruling the world and committing illegal acts in other countries.

The Justice Department made the announcement in the ongoing prosecution of Ross Ulbricht. The government believes that Ulbricht is the operator of the Silk Road illicit drug website.

The case involves how the US government found the Silk Road servers in Iceland. Ulbricht said government claims that a leaky CAPTCHA on the site’s login led them to the IP address was “implausible” and that the government may have unlawfully hacked into the site. His view is backed by Nicholas Weaver, a Berkeley computer scientist who said the story is full of holes.

Assistant US Attorney Serrin Turner countered (PDF) said that even if it were a lie such an investigative measure would not have run afoul of the Fourth Amendment.

The SR Server was located outside the United States, the Fourth Amendment would not have required a warrant to search the server, whether for its IP address or otherwise so it is acceptable.

Turner added, “Given that the SR Server was hosting a blatantly criminal website, it would have been reasonable for the FBI to ‘hack’ into it in order to search it, as any such ‘hack’ would simply have constituted a search of foreign property known to contain criminal evidence, for which a warrant was not necessary.”

The FBI denied using wiretaps in the FBI’s investigation. Ulbricht did not even become a suspect in the FBI’s investigation until well after the SR Server was searched. No information collected from Ulbricht, through a wiretap, was ever used to locate the SR Server.

Still it must be a little worrying for US citizens to know that their constitutional protection from US spooks stops at the border.