Malware Turns Computers Into Cellular Antenna

A team of Israeli researchers have improved on a way to steal data from air-gapped computers, thought to be safer from attack due to their isolation from the Internet.

They’ve figured out how to turn the computer into a cellular transmitter, leaking bits of data that can be picked up by a nearby low-end mobile phone.

While other research has shown it possible to steal data this way, some of those methods required some hardware modifications to the computer. This attack uses ordinary computer hardware to send out the cellular signals.

Their research, which will be featured next week at the 24th USENIX Security Symposium in Washington, D.C., is the first to show it’s possible to steal data using just specialized malware on the computer and the mobile phone.

“If somebody wanted to get access to somebody’s computer at home — let’s say the computer at home wasn’t per se connected to the Internet — you could possibly receive the signal from outside the person’s house,” said Yisroel Mirsky, a doctoral student at Ben-Gurion University and study co-author.

The air-gapped computer that is targeted does need to have a malware program developed by the researchers installed. That could be accomplished by creating a type of worm that infects a machine when a removable drive is connected. It’s believed this method was used to deliver Stuxnet, the malware that sabotaged Iran’s uranium centrifuges.

The malware, called GSMem, acts as a transmitter on an infected computer. It creates specific, memory-related instructions that are transmitted between a computer’s CPU and memory, generating radio waves at GSM, UMTS and LTE frequencies that can be picked up by a nearby mobile device.

The GSMem component that runs on a computer is tiny. “Because our malware has such a small footprint in the memory, it would be very difficult and can easily evade detection,” said Mordechai Guri, also a doctoral student at Ben-Gurion.

Source

Darkode Hacking Forum Shut Down

Law enforcement agencies from 20 countries collaborated to cripple a major computer hacking forum, and U.S. officials filed criminal charges against a dozen people associated with the website, the U.S. Department of Justice announced.

Darkode.com on is displaying a message saying the site and domain had been seized by the FBI and other law enforcement agencies.

Darkode, a password-protected online forum for criminal hackers, represented one of the gravest threats to the integrity of data on computers across the world, according to David Hickton, U.S. attorney for the Western District of Pennsylvania. “Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable.”

Five of the defendants face charges in Hickton’s district.

Darkode allowed hackers and other cybercriminals to sell, trade and share information and tools related to illegal computer hacking, the law enforcement agencies alleged.

Before becoming a member of Darkode, prospective participants were allegedly vetted through a process that included an invitation by a member, the DOJ said in a press release. The prospective member then pitched the skill or products he or she could bring to the forum.

Darkode members allegedly used each other’s skills and products to infect computers and electronic devices of victims around the world with malware, the DOJ said.

The takedown of the forum and the charges announced Wednesday came after the FBI’s infiltration of Darkode’s membership.

Source

Is Mastercard Going With Selfies?

Mastercard has announced plans to roll out a verification technology that requires a selfie to process payments. The industry’s latest move in the shameless act of narcissism is a biometric face scanning technology that will let customers replace their PINs with their face, according to MasterCard chief product security officer, Ajay Bhalla. Bhalla told CNN Money that the multinational financial services corporation has teamed up with all the major phone manufacturers to deliver the technology. “The new generation, which is into selfies, I think they’ll find it cool. They’ll embrace it. This [app] seamlessly integrates biometrics into the overall payment experience,” he said. “You can choose to use your fingerprint or your face. You tap it, the transaction is OK’ed and you’re done.” The selfie payment feature will roll out on a trial basis first in the US, with a full scale deployment to follow at an unspecified date. The system requires users to blink when prompted once they have held their device at eye-level for the checkout process to complete. This ensures that potential cyber crooks cannot use a still image of the user to hack into their personal account. MasterCard announced last month that all retail outlets across Europe will accept contactless payments by 2020, paving the way for wider adoption of mobile payment solutions. Mike Cowan, head of emerging payments products at MasterCard, revealed at the company’s Future of Payments event in London that Europeans will soon be able to tap to pay anywhere. “From the beginning of 2016 any new payment terminal that gets deployed must accept contactless, and every single terminal must accept it by 2020,” he said. This means that new point of sale terminals must adhere to the new standard on deployment from 1 January 2016, while existing terminals that don’t yet support contactless payments must be replaced by 1 January 2020 at the latest. Source

Cisco Warns Of Bug In Virtual App

Cisco has warned of a default Secure Shell vulnerability in three of its virtual applications.

The flaw could allow attackers to decrypt traffic exchanged in the services, and has been detailed in a Cisco security advisory.

It affects Cisco’s Web Security Virtual Appliance (SMAv), Email Security Virtual Appliance and Security Management Virtual Appliance, which are already commercially available.

Cisco said that it “is not aware of any public announcements or malicious use of the vulnerabilities”, but warned that attackers who got hold of the private keys could decrypt communications with a man-in-the-middle attack.

The default private encryption keys were preinstalled on all three of the products, a move which is considered bad security practice.

“Successfully exploiting this vulnerability on Cisco SMAv allows an attacker to decrypt communication toward SMAv, impersonate SMAv, and send altered data to a configured content appliance,” the advisory said.

“An attacker can exploit this vulnerability on a communication link toward any content security appliance that was ever managed by any SMAv.”

Cisco has released a patch which deletes the preinstalled SSH keys and explains how customers can correct the problem.

The Cisco-sa-20150625-ironport SSH Keys Vulnerability Fix comes as part of several product upgrades, and must be manually installed from a command line interface.

Cisco’s advisory said that the patch is not required for physical hardware appliances, or for virtual appliance downloads or upgrades after 25 June.

Cisco revealed details of a new point of sale attack earlier this year that could part firms from money and customers from personal data.

The threat, called PoSeidon by the Cisco team, came at a time when eyes were on security breaches at firms like Target.

Cisco said in a blog post that PoSeidon is a threat that has the ability to breach machines and scrape them for credit card information.

Source

Facebook To Require Stronger Digital Signature

Facebook will require application developers to adopt a more secure type of digital signature for their apps, which is used to verify a program’s legitimacy.

As of Oct. 1, apps will have to use SHA-2 certificate signatures rather than ones signed with SHA-1. Both are cryptographic algorithms that are used to create a hash of a digital certificate that can be mathematically verified.

Apps that use SHA-1 after October won’t work on Facebook anymore, wrote Adam Gross, a production engineer at the company, in a blog post.

“We recommend that developers check their applications, SDKs, or devices that connect to Facebook to ensure they support the SHA-2 standard,” Gross wrote.

SHA-1 has been considered weak for about a decade. Researchers have shown it is possible to create a forged digital certificate that carries the same SHA-1 hash as legitimate one.

The type of attack, called a hash collision, could trick a computer into thinking it is interacting with a legitimate digital certificate when it actually is a spoofed one with the same SHA-1 hash. Using such a certificate could allow an attacker to spy on the connection between a user and an application or website.

Microsoft, Google, Mozilla and other organizations have also moved away from SHA-1 and said they will warn users of websites that are using a connection that should not be trusted.

The Certificate and Browser Forum, which developers best practices for web security, has recommended in its Baseline Requirements that digital certificate issuers stop using SHA-1 as of Jan. 1.

Source

IRS Reducing Size Of Cybersecurity Staff

The Internal Revenue Service, which confirmed rumors of a breach of 100,000 taxpayer accounts, has been consistently reducing the size of its internal cybersecurity staff as it increases its security spending. This may seem paradoxical, but one observer suggested it could signal a shift to outsourcing.

In 2011, the IRS employed 410 people in its cybersecurity organization, but by 2014 the headcount had fallen by 11% to 363 people, according to annual reports about IRS information technology spending by the U.S. Treasury Department Inspector General.

Despite this staff reduction, the IRS has increased spending in its cybersecurity organization. In 2012, the IRS earmarked $129 million for cybersecurity, which rose to $141.5 million last year, an increase of approximately 9.7%.

This increase in spending, coupled with the reduction in headcount, is an indicator of outsourcing, said Alan Paller, director of research at the SANS Institute. Paller sees risks in that strategy.

“Each organization moves at a different pace toward a point at which they have outsourced so much that the insiders do little more than manage contracts, and lose their technical expertise and ability to manage technical contractors effectively,” said Paller.

An IRS spokesman was not able to immediately answer questions about the IRS’s cybersecurity spending.

This breach is drawing congressional scrutiny. On Tuesday, U.S. Senator Orrin Hatch (R-Utah), who heads the Senate Finance Committee, called the breach “unacceptable.”

The IRS’s total IT budget in 2014 was $2.5 billion, an increase from the prior year’s $2.3 billion, with 7,339 employees last year, little change from 7,303 reported in 2013.

The agency’s IT budget has fared better than the agency overall. Congress has been cutting spending at the agency. IRS funding has been reduced by $1.2 billion over the last five years, from $12.1 billion in 2010 to $10.9 billion this year. An IRS official told lawmakers earlier this year that the budget cuts have delayed critical IT investments of more than $200 million, which includes replacing aging IT systems.

Source

Are Cyber Criminals Hard To Catch?

Despite 100,000 cyber crimes being committed every year UK authorities only caught 12 hackers.

In fact on average just one person was convicted of an offence under the Computer Misuse Act every month for the past 23 years.

We assume that it was not the same bloke, because he would be the most luckless criminal ever.

Campaigners from the Digital Trust, which supports victims of online abuse, said police do not know how to cope with the problem.

Need more laws

Criminal justice expert Harry Fletcher, who is a director of the Digital Trust, said: “The police still concentrate their resources on traditional offences offline, but most people are more likely to be mugged online than in the street.

“The law needs to change. It should, for example, be an offence to use any technological device to locate, listen to or watch a person without legitimate purpose.

“In addition, restrictions should be placed on the sale of spyware without lawful reasons. It should also be against the law to install a webcam or any other form or surveillance device without the target’s knowledge.”

Of course just creating new laws is not going to mean that more hackers will be caught, it will just mean that there are more crimes which they could be arrested for.

The conviction rate against hackers are not bad, if the coppers do arrest someone. Between 1990 to 2006 only 183 defendants were proceeded against and 134 found guilty under the Computer Misuse Act.

Unfortunately the Trust did not see, to realize that a lot of the hacks against companies and individuals come from overseas, particularly Russian or China. Changing laws in the UK would not change anything.

Source

Medical Data Becoming Valuable To Hackers

The personal information stored in health care records fetches increasingly impressive sums on underground markets, making any company that stores such data a very attractive target for attackers.

“Hackers will go after anyone with health care information,” said John Pescatore, director of emerging security trends at the SANS Institute, adding that in recent years hackers have increasingly set their sights on EHRs (electronic health records).

With medical data, “there’s a bunch of ways you can turn that into cash,” he said. For example, Social Security numbers and mailing addresses can be used to apply for credit cards or get around corporate antifraud measures.

This could explain why attackers have recently targeted U.S. health insurance providers. Last Tuesday, Premera Blue Cross disclosed that the personal details of 11 million customers had been exposed in a hack that was discovered in January. Last month, Anthem, another health insurance provider, said that 78.8 million customer and employee records were accessed in an attack.

Both attacks exposed similar data, including names, Social Security numbers, birth dates, telephone numbers, member identification numbers, email addresses and mailing addresses. In the Premera breach, medical claims information was also accessed.

If the attackers try to monetize this information, the payout could prove lucrative.

Credentials that include Social Security numbers can sell for a couple of hundred dollars since the data’s lifetime is much longer compared to pilfered credit card numbers, said Matt Little, vice president of product development at PKWARE, an encryption software company with clients that include health care providers. Credit card numbers, which go for a few dollars, tend to work only for a handful of days after being reported stolen.

Source

Target Settles Security Breach

Target is reportedly close to paying out $10m to settle a class-action case that was filed after it was hacked and stripped of tens of millions of peoples’ details.

Target was smacked by hackers in 2013 in a massive cyber-thwack on its stores and servers that put some 70 million people’s personal information in harm’s way.

The hack has had massive repercussions. People are losing faith in industry and its ability to store their personal data, and the Target incident is a very good example of why people are right to worry.

As well as tarnishing Target’s reputation, the attack also led to a $162m gap in its financial spreadsheets.

The firm apologized to its punters when it revealed the hack, and chairman, CEO and president Gregg Steinhafel said he was sorry that they have had to “endure” such a thing

Now, according to reports, Target is willing to fork out another $10m to put things right, offering the money as a proposed settlement in one of several class-action lawsuits the company is facing. If accepted, the settlement could see affected parties awarded some $10,000 for their troubles.

We have asked Target to either confirm or comment on this, and are waiting for a response. For now we have an official statement at Reuters to turn to. There we see Target spokeswoman Molly Snyder confirming that something is happening but not mentioning the 10 and six zeroes.

“We are pleased to see the process moving forward and look forward to its resolution,” she said.

Not available to comment, not that we asked, will be the firm’s CIO at the time of the hack. Thirty-year Target veteran Beth Jacob left her role in the aftermath of the attack, and a replacement was immediately sought.

“To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information security and compliance structure and practices at Target,” said Steinhafel then.

“As a first step in this effort, Target will be conducting an external search for an interim CIO who can help guide Target through this transformation.”

“Transformational change” pro Bob DeRodes took on the role in May last year and immediately began saying the right things.

“I look forward to helping shape information technology and data security at Target in the days and months ahead,” he said.

“It is clear to me that Target is an organization that is committed to doing whatever it takes to do right by their guests.”

We would ask Steinhafel for his verdict on DeRodes so far and the $10m settlement, but would you believe it, he’s not at Target anymore either having left in the summer last year with a reported $61m golden parachute.

Source

ARM Buys Offspark For IoT

ARM has snaffled up Dutch Internet of Things (IoT) company Offspark.

The move is designed to improve ARM’s security credentials for IoT offerings.

Offspark is the creator of PolarSSL, a widely used protocol for IoT security products, and ARM hopes that the combined companies can offer a one-stop shop for IoT developers.

Krisztian Flautner, ARM’s IoT manager, said: “PolarSSL technology is already deployed by the leading IoT players.

“The fact that those same companies also use ARM Cortex processor and software technologies means we are now able to provide a complete bedrock solution for the industry to innovate from.”

The product will be renamed ARM Mbed TLS, but will remain open source, reports Tech Week Europe.

Paul Bakker, CEO of Offspark, added: “Security is the most fundamental aspect in ensuring people trust IoT technology and that is only possible with a truly tailored solution.

“Together, ARM and Offspark can provide security to the edge of any system and we look forward to working with our partners to help them deliver some exciting new projects.”

Developers will be able to license the technology for commercial use as well as embedding it into future ARM products.

Last week the company released the ARM Cortex-A72 processor, a 64-bit effort offering support for Android 5.x Lollipop and incorporating the big.LITTLE architecture that prioritises jobs to different processor cores based on their computational requirements.

A message on the Offspark website indicates that it has been taken down and redirects to ARM.

Source

« Previous Page — Next Page »