We Live Security – News, Views, and Insight from the ESET Security Community
http://www.welivesecurity.com

Scareware: It’s back, and now it’s even scarier
http://www.welivesecurity.com/2014/08/21/scareware-back-now-scarier/
Thu, 21 Aug 2014 12:06:57 +0000
‘Scareware’ – fake antivirus programs which attempt to fool the user into downloading malware, by warning him or her of a “threat” on their PC – is back, with a new, even more annoying trick.

V3 reports that the new strain of scareware reverses a “dropping trend” in fake AV with a new way of making money – blocking the user from using the internet until they pay for the ‘product’.

Threatpost says, “Rogue antivirus was once the scourge of the Internet, and while this sort of malware is not entirely extinct, it’s fallen out of favor among criminals as users have become more aware and security products have gotten better at blocking the threat.”

Scareware: Antivirus that isn’t ‘anti’

Rogue AV is still found – indeed ESET has been repeatedly ‘honored’ with fake scareware versions of its products – but Microsoft reports that in the past 12 months, scareware has fallen out of fashion.

Variants on the tactic are still used, but the classic scareware warning inciting victims to download AV products that are, in fact, malware, is less common.

On Android, ESET researchers discovered a Trojan packaged to look like antimalware products: “This backdoor trojan, which ESET detects as Android/Spy.Krysanec, was found as a malicious modification of MobileBank (a mobile banking app for Russian Sberbank), 3G Traffic Guard (an app for monitoring data usage) and a few others, including our own ESET Mobile Security.”

Microsoft researcher Daniel Chipiristeanu says, “Lately we’re seeing a dropping trend in the telemetry for some of the once most-prevalent rogue families. It’s likely this has happened due to the anti-malware industry’s intense targeting of these rogues in our products, and better end-user awareness and security practices.”

Chipiristeanu says that “education” has played a part – but new gangs have simply moved on to new methods to target victims.

Stops you using internet – until you pay

“The big malware “players” are having more trouble in taking advantage of users paying for fake security products, and are moving away from this kind of social engineering, we are seeing other players willing to fill the gap. Rogue:Win32/Defru has a different and simpler approach on how to trick the user and monetize on it. Basically, it prevents the user from using the internet by showing a fake scan when using different websites.”

The malware targets 300 websites, and when a user tries to access them, they instead see the following fake message: “Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security ® was forced to intervene.”

Naturally, the ‘cure’ is to pay, Threatpost says. Thus far, the malware largely targets Russian-speakers.

“An unsuspecting user, after receiving this warning more than a few times when browsing, might be inclined to click “Pay Now”. This will lead them to a payment portal called “Payeer” (payeer.com) that will display payment information (see Figure 3). But of course, even if the user pays, the system will not be cleaned,” says Chipiristeanu.

“The user can clean their system by removing the entry value from the “run” registry key, delete the file from disk and delete the added entries from the hosts file. Before paying for a product (either a security product or any other) make a thorough investigation to make sure that it is a legitimate product and it is not fake or a copy of a free one.”
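As an added illustration (not ESET’s, Microsoft’s or the original post’s code), the following Python audit reads a hosts file and flags the pattern described above: many website names redirected to one remote address. The sample hosts content, the 192.0.2.10 address and the domain names are constructed placeholders; the Run registry entry and the dropped file mentioned in the clean-up advice are outside what this check covers.

```python
import ipaddress
from collections import defaultdict

# Addresses a hosts file legitimately points names at: loopback, the 0.0.0.0
# sinkhole used by ad-blocking hosts lists, link-local and RFC 1918 / ULA
# ranges. A remote address receiving many site names is the pattern to report.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/32", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "::/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample hosts file: two stock entries, then four placeholder
# site names redirected to one placeholder remote address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10  www.bank.example
192.0.2.10  mail.example   # trailing comment
192.0.2.10  social.example
192.0.2.10  search.example
"""


def parse_hosts(text):
    """Return (address, hostname) pairs; comments, blanks and bad lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address
        for name in parts[1:]:
            entries.append((str(addr), name.lower()))
    return entries


def is_local(addr_text):
    """True if the address belongs to one of LOCAL_NETWORKS."""
    addr = ipaddress.ip_address(addr_text)
    return any(addr in net for net in LOCAL_NETWORKS)


def suspicious_entries(text, threshold=3):
    """Map each remote address to the names redirected to it, keeping only
    addresses with at least `threshold` names (the many-sites-to-one-host pattern)."""
    by_addr = defaultdict(list)
    for addr, name in parse_hosts(text):
        if not is_local(addr):
            by_addr[addr].append(name)
    return {a: names for a, names in by_addr.items() if len(names) >= threshold}


def main(path=None):
    """Audit the given file, or the constructed sample when no path is given."""
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    flagged = suspicious_entries(text)
    if not flagged:
        print("no multi-site redirections to remote addresses found")
    for addr, names in flagged.items():
        print(f"{addr} receives {len(names)} names: {', '.join(names)}")


if __name__ == "__main__":
    main()  # e.g. main(r"C:\Windows\System32\drivers\etc\hosts") on Windows
```

Hosts lists that sinkhole hundreds of advertising domains to 0.0.0.0 are not reported, since that is the legitimate blocklist pattern rather than a redirection to a remote host.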

Flight MH370 – did cyber attack steal its secret?
http://www.welivesecurity.com/2014/08/21/flight-mh370/
Thu, 21 Aug 2014 12:02:24 +0000
Classified documents relating to the missing Malaysian Airlines Flight MH370 were stolen using a carefully-crafted spear-phishing attack, targeting 30 government officials just one day after the disappearance of the still-missing aircraft.

The Malaysian Star claims that the attack targeted officials with a PDF document which appeared to be a news report about Flight MH370, and was sent to a group of investigators. Around 30 computers were infected by the malware.

“We received reports from the administrators of the agencies telling us that their network was congested with e-mail going out of their servers,” CyberSecurity Malaysia chief exec Dr Amirudin Abdul Wahab said.

Flight MH370: ‘Confidential data’

“Those e-mail contained confidential data from the officials’ computers, including the minutes of meetings and classified documents. Some of these were related to the Flight MH370 investigation.”

Business Insider says that the attack occurred one day after the Boeing 777 went missing, and took the form of an .exe file disguised as a PDF (a common office file format).

It’s unclear who the attacker – or attackers – were, but information from infected computers was transmitted to an IP address in China. Officials in Malaysia blocked the transmission, The Star said.

‘Very sophisticated attack’

Department of Civil Aviation, the National Security Council and Malaysia Airlines were among those targeted by the hacker, the Telegraph reports. The infected machines were shut down, but “significant amounts” of information on Flight MH370 had been stolen.

“This was well-crafted malware that antivirus programs couldn’t detect. It was a very sophisticated attack,” Amirudin said.

CyberSecurity Malaysia suspects the motivation may have been curiosity about supposedly “secret” information held by the Malaysian government on Flight MH370.

“At that time, there were some people accusing the Government of not releasing crucial information,” Amirudin said. “But everything on the investigation had been disclosed.”

Traffic light – ‘easy’ to hack whole city’s systems
http://www.welivesecurity.com/2014/08/20/traffic-light/
Wed, 20 Aug 2014 13:19:40 +0000
The most famous traffic light ‘hack’ in history is in the classic film, The Italian Job (1969), a caper movie where the heist involves paralyzing Turin via its traffic control system. The plan’s author, played by Michael Caine, says, “It’s a very difficult job and the only way to get through it is we all work together as a team. And that means you do everything I say.”

The reality, it turns out, is much easier – at least according to researchers at the University of Michigan, who say that networked traffic systems are left vulnerable by unencrypted radio signals and factory-default passwords, and that access to individual lights – or even a city-wide attack, as in the film – is possible, according to Time’s report.

“This paper shows that these types of systems often have safety in mind but may forget the importance of security,” the researchers write. Technology Review points out that Michigan’s system, which networks 100 lights, is far from unique. Similar systems are used in 40 states.

An attacker focused, like the film’s ‘crew’, on robbery could control a series of lights to give himself passage through intersections, and then turn them red to slow emergency vehicles in pursuit, according to the BBC’s report.

Traffic light: Blow the bloody doors off

“Once the network is accessed at a single point, the attacker can send commands to any intersection on the network,” the researchers write.

“This means an adversary need only attack the weakest link in the system. The wireless connections are unencrypted and the radios use factory default user-names and passwords.”

Traffic light controllers also have known vulnerabilities, and attacks could paralyze cities: a traffic DDOS could, the researchers suggest, turn all lights to red, and cause “confusion” across a city.

Lights ‘go green automatically’ as thief escapes

“An attacker can also control lights for personal gain. Traffic lights could be changed to be green along the route the attacker is driving,” the researchers write.

“Since these attacks are remote, this could even be done automatically as she drove, with the traffic lights being reset to normal functionality after she passes through the intersection.”

“More maliciously, lights could be changed to red in coordination with another attack in order to cause traffic congestion and slow emergency vehicle response,” they write. They also suggest measures including encrypted signals and firewalls which could improve current systems.

Perhaps a film reboot is in order: after all, the 1969 version ends with Caine saying, “Hang on, lads; I’ve got a great idea.”

PIN number: Police want codes on ALL devices
http://www.welivesecurity.com/2014/08/20/pin-number/
Wed, 20 Aug 2014 13:15:20 +0000
Police hope to work with leading mobile phone manufacturers such as Samsung to build in the requirement for a password or PIN number as a default into new handsets, with the British police unit responsible for phone theft wanting to “target-harden” phones.

Currently, up to 60% of phones have no form of password protection, said the National Mobile Phone Crime Unit. This not only makes it easier to resell the gadgets, but hands over personal data – including, potentially, GPS data showing the locations of homes, as well as passwords and banking details, according to The Register’s report.

DCI Bob Mahoney of the NMPCU said, “We are trying to get [PIN number systems and other codes] to be set as a default on new phones, so that when you purchase it you will physically have to switch the password off, rather than switch it on.”

The NMPCU said in a statement to Motherboard that PIN-protected phones were less valuable to thieves.

PIN number: Less valuable to thieves

“We have been talking to the industry and government. This is one of the main ideas among a range of measures we are trying to push to protect personal data. All of the industry has been engaged at all levels – and government too.”

“We have intelligence that shows a phone with personal information is worth more than other mobiles, because the thief can sell it on to anyone who can make use of that info,” the DCI said.

“On an unlocked phone, you can find a person’s home address, home telephone number, their partner’s details, diary, Facebook and Twitter account. This allows thieves to know when a target is not going to be at home or perhaps use their details to set up banking loans. They could destroy a person’s life.”

‘This can destroy lives’

We Live Security has written a guide to securing mobile devices (including tips such as ensuring screen time-outs are lowered before a PIN number is required so a thief is less likely to get access to an ‘unguarded’ handset).

PR efforts from major phone companies tend to focus on novel protection methods such as biometrics, but Get Safe Online, a government organization focused on cyber safety, said that passwords, when rolled out widely were an effective measure. “Fingerprint recognition offers a degree of safety, but there is still no substitute for a well-devised and protected password or PIN.”

Techradar said that Samsung had been in discussion with government. Mahoney said the discussions had been underway for two years and the “idea was gaining traction.”

Mahoney said, “If you have to get into the phone to switch something on, our research indicates people are less likely to do it. The industry are very supportive.”

Banking security – new apps ‘know’ your touch
http://www.welivesecurity.com/2014/08/19/banking-security-new-apps-know-touch/
Tue, 19 Aug 2014 16:41:31 +0000
Everyone hates passwords – even the guy who invented them – but some bank app users in the Nordic region are experiencing a taste of a future where they might not be necessary.

Password theft – on a massive scale – has become a near-weekly happening, and biometrics have their own disadvantages – such as inaccurate scanners which won’t work when wet, as well as hacks with latex fingerprints and other such gizmos.

But customers at Danske bank have been trialling a new “behavioral” form of identification, according to Forbes magazine. Rather than simply ID a customer using a PIN, the app tracks the pressure and speed they use to type it in.

Banking security: Touch too much?

The theory is that even if a PIN is weak, or stolen, the thief cannot mimic the distinctive pattern of pressure the user types theirs in with.

“Eventually mobile security may no longer hinge on whether a password is long enough, but on how well the device knows the user,” ComputerWorld comments.

“We’re monitoring the small stuff,” says Neil Costigan, founder of Behaviosec. “The flight between the keys, which corners of the keys you tend to hit, where you pause. Do you circle in on a button or do you go straight to it and hit it?”

‘How well the device knows you’

As a security solution, it’s low-cost (it uses sensors already present in the phone) and demands nothing of the customer. The trial has been such a success that multiple banks in Sweden, Norway and Denmark will use similar apps shortly. The app scored 99.7% session accuracy.

“Multilayered security can be achieved by combining the three pillars: something you have (i.e., the phone as a token), something you know (like your PIN), and something you are which is your physical or behavioral metrics,” says Behaviosec.

At present, Behaviosec’s technology can pick up a ‘false’ user within 20 to 60 seconds. The company said it could also have wider applications such as preventing children accessing inappropriate content on tablets.

The start-up is now investigating further behavioral tracking – such as monitoring the way in which a user picks up a smart device, using the gyroscope.

Our own daily routines could even be used as “passwords”, some researchers believe. Google’s “predictive” Google Now system already offers Android users reminders to go to work (by monitoring their movements by GPS), and to go home. Could such data be used as a “password”?

“Most people are creatures of habit – a person goes to work in the morning, perhaps with a stop at the coffee shop, but almost always using the same route. Once at work, she might remain in the general vicinity of her office building until lunch time. In the afternoon, perhaps she calls home and picks up her child from school,” says Markus Jakobsson of the Palo Alto Research Centre.

Jakobsson analyzed several techniques for identifying users via smartphone use, and found GPS to be the most reliable.

Jakobsson claims that by combining techniques, it’s possible to lock out up to 95% of adversaries, even “an informed stranger, who is aware of the existence of implicit authentication and tries to game it.”

Phishing emails: U.S. nuke authority hit three times
http://www.welivesecurity.com/2014/08/19/phishing-emails-u-s-nuke-authority-hit-three-times/
Tue, 19 Aug 2014 10:52:57 +0000
America’s Nuclear Regulatory Commission was successfully attacked three times within the past three years, by unknown attackers, some foreign – and largely using standard phishing emails and similar techniques, according to the news site NextGov.

Two of the incidents have been traced to unknown foreign individuals, and another to an unidentifiable attacker, as records have been lost.

CNET reports that one incident led 215 employees of the nuclear agency to “a logon-credential harvesting attempt,” hosted on “a cloud-based Google spreadsheet.” The information was obtained through a specific request by NextGov.

Phishing emails: Lethal targets

A second spearphishing attack targeted specific employees with emails crafted to dupe them into clicking a link which led to malware on Microsoft’s cloud storage site SkyDrive.

The third attack was a spearphishing attack directed at a specific employee. Once his account credentials were obtained, emails were sent to 15 further employees, with malware-laced PDFs.

“It’s still unclear which country originated the attacks, and whether the attackers were acting independently or as a part of a larger state action. It’s also unclear how far the attackers got,” the Verge reports.

‘Team thwarts most attempts’

NRC spokesman David McIntyre said that his security team “thwarts” most such attempts.

“The few attempts documented in the OIG (Office of the Inspector General) cyber crimes unit report as gaining some access to NRC networks were detected and appropriate measures were taken,” he said, speaking to CNET.

Slashgear reports, “The reasons for the hacks aren’t known, but are suspected to be an effort to harvest details about the nation’s nuclear infrastructure – another suggestion is that the NRC might not be a specific target, but instead swept up by chance in a more general attack by an individual hacker rather than a foreign nation’s government.”

A recent report on America’s energy agencies said such incidents increased 35% between 2010 and 2013.

The report, “INFORMATION SECURITY: Agencies Need to Improve Cyber Incident Response Practices,” said, “Our sample indicates that agencies demonstrated that they completed their eradication steps for the majority of cyber incidents. Specifically, our analysis shows that for about 77 percent of incidents governmentwide, the agencies had identified and eliminated the remaining elements of the incident. However, agencies did not demonstrate that they had effectively eradicated incidents in about 23 percent of incidents.”

The report made 25 suggestions about how agencies could improve responses, including that agencies should, “revise policies for incident response to include requirements for defining the incident response team’s level of authority, prioritizing the severity ratings of incidents based on impact and establishing measures of performance.”

Twitter hacked – Cricket legend ‘Beefy’ Botham exposed
http://www.welivesecurity.com/2014/08/19/twitter-hacked/
Tue, 19 Aug 2014 07:46:24 +0000
One of England’s greatest-ever cricketers, Sir Ian Botham, appeared to have had his official Twitter hacked yesterday as an obscene picture unexpectedly appeared on the sportsman’s feed, according to the Evening Standard.

The single post was accompanied by the message, “What are you thinking…. xx”. Botham was rapidly warned by friend and Welsh football pundit Robbie Savage that he had had his Twitter hacked: “Mate I think you’ve been hacked.”

Botham rapidly regained control of the account, and Tweeted, “I would like to thank the hacker….I’ve just got 500 hits in 20 mins !!”

Twitter hacked: ‘Beefy’

In his column in the Daily Mirror newspaper, ‘Beefy’ said, “For those of you on Twitter who may have seen a distasteful photo from my account yesterday, let me assure you it was the result of someone hacking into it. I’ve played a few jokes in my time, but this was pathetic.”

“My old mate and fellow Mirror columnist Robbie Savage was straight on to me to change my password – which I’ve done. I’ve also asked the boffins in the Sky tech department to see how I can stop it happening again.”

Veteran security writer and researcher Graham Cluley wrote, “Let’s hope that Sir Ian Botham has now properly secured his Twitter account and other social media assets more effectively. It would be terrible if future hacks would cause his fans to boycott his future tweets.

The only silver lining is that Ian Botham is now trending on Twitter.”

More followers after picture

Botham too saw the silver lining to the hack, saying, “If some keyboard warrior has nothing better to do than post silly pictures, more fool them. The only impact it has had on me bizarrely is to give me more followers – strange.”

A We Live Security guide to how and why passwords can be hacked – and how to stop it – can be found here.

Privacy: Workers “would pay” to stop snoopers
http://www.welivesecurity.com/2014/08/18/online-privacy-4/
Mon, 18 Aug 2014 11:17:02 +0000
Online privacy has gone from being a minority concern to something that worries the man in the street – after a study of 2,000 people found a majority believed they were being listened to online, and nearly a third would pay to stop it.

The research, carried out with a group of 1,000 employees in the UK and 1,000 in Germany, was commissioned by Blackphone, the “ultra-private” encrypted Android handset which was “hacked” on stage in five minutes at DEF CON (the company promised to patch the issue). Silent Circle, the company behind BlackPhone – and the widely used PGP encryption standard  – clearly wishes to highlight that privacy is becoming a mainstream issue.

Privacy issues have become an increasing concern outside the security community – in part thanks to revelations of government surveillance, as discussed by ESET researcher Stephen Cobb. Silent Circle carried out the survey in May this year, via OnePoll and found that 88% of UK workers believe their calls and texts are being listened to, versus 72% of Germans – it’s not clear by whom.

Who is listening in?

Nearly a third – 31% – of Germans would pay for a service which guaranteed their texts and calls were not being listened to. In Britain, 21% would do so. Germany is traditionally more privacy-conscious – services such as Google StreetView are not permitted there.

The scandal over Facebook’s Messenger app – and the overstated responses of many media outlets – served to highlight this. Cosmopolitan writes, “Basically, it can control your whole phone. And, most scarily of all, CALL PEOPLE.” Cosmopolitan had not been previously known for its concern with online privacy.

Users are already anxious over the list of permissions granted to Facebook’s main app – which has expanded. Many apps – such as Facebook’s – have come under fire for permissions which change after the app has been installed. For instance, Facebook now requires the ability to turn a smartphone’s Wi-Fi connection on and off.

Veteran online privacy writer and researcher and We Live Security contributor Graham Cluley said, “The world has changed. People who would have imagined ten years ago that “identity theft” was something from a sci-fi film, now have a genuine concern about their private data being stolen from the online companies they deal with, their web traffic tracked, and their communications being snooped upon.”

No such thing as a “free” app

Cluley says that consumers are realizing that ‘free’ software is often paid for through a loss of online privacy: “Additionally, users are becoming more suspicious of free apps and asking themselves how the developers might be planning to earn money, and are nervous of sharing too much information. There probably is a market out there for more products which charge a little bit of money for a whole lot more security and privacy.”

Silent Circle, creators of the PGP encryption standard, admitted their errors after BlackPhone’s highly public hacking, saying, “No hard feelings — things get fixed by being found.”

Vic Hyder, Revenue Chief for Silent Circle suggests, “These figures confirm that many consumers recognize mobile communications are no longer private. It’s also reassuring that almost a quarter of the UK respondents, and a third of Germans, value their privacy enough to acquire assistance. This is a trend we’re seeing dramatically increase as individuals start to realize that they do have an option to privacy erosion.”

Gamescom: How gaming grew up into a target for crime
http://www.welivesecurity.com/2014/08/15/gamescom/
Fri, 15 Aug 2014 20:31:20 +0000
With over double the attendance of San Diego’s Comic-Con (340,000 attendees last year, compared to Comic-Con’s 130,000), gamescom highlights not just how pervasive video games have become in our lives, but also how video games have gone since the late 1970s and early 1980s from being a small offshoot of the “traditional” computing industry to becoming a full-fledged multi-billion dollar industry in themselves. Today, companies like Microsoft, Nintendo and SONY generate billions of dollars from sales of games and gaming consoles; and there is a burgeoning market for dedicated gaming hardware for PCs ranging from specialized graphics processors from companies like AMD (formerly ATI) and Nvidia to exotic cooling solutions using liquid nitrogen and metalized thermal interface materials; to the creation of AAA games such as Electronic Arts’ fifteen year old (and still going strong) The Sims franchise, and Blizzard’s World of Warcraft, which redefined MMORPG gaming.

Gaming by the numbers

To get an idea of just how pervasive computer gaming is, let’s look at these successful games and consoles, and match them up with some other real-world numbers:

ITEM – NUMBER – EQUIVALENT TO

The Sims – 175 000 000 (copies sold over 15 years) – combined population of Austria, Belgium, Denmark, Germany, Liechtenstein, Luxembourg, Netherlands, Poland, Slovakia and Switzerland

World of Warcraft – 7 600 000 (average number of players over the last four quarters) – cost, in USD, of the 2014 upgrades to Kensington Palace, United Kingdom

8th generation console units – 18 680 000 (PS4, Wii and Xbox One units shipped/sold) – average number of viewers per episode of The Big Bang Theory during its 2012-2013 season

Computer gaming is a huge and a wildly successful market, and as in any system that works at scale, there are going to be so-called businessmen or entrepreneurs who “seek to optimize their return on investment through whatever means possible” or, to put it more succinctly, criminals who abuse the ecosystem. But in virtual worlds, can real crimes occur?

Game Crime

[Image caption: As gaming has moved online, as with next-gen consoles such as Xbox One, crime has moved in]

As it turns out, there’s quite a bit of undesirable activity that can occur online, such as trolling or griefing, which have occurred for as long as people have been playing games online. The exact nature of these activities varies between games, as do their consequences, but while some online behavior is horrifying, it is not always clear whether an actual crime, prosecutable outside of cyberspace, has occurred and, if so, in what jurisdictions. Likewise, cheating, while unsportsmanlike, may be a violation of a game’s acceptable-use policy, but not a criminal offense.

Doing time, online

Computer game companies police their virtual worlds to various degrees, as unwanted or objectionable in-game behavior could cause paying customers to leave en masse, with a corresponding drop in revenue. If warnings are not sufficient, the usual sentence for abusive users is to ban them from playing the game for a fixed amount of time. Repeat offenders, or those who may have done something especially offensive, may find themselves permanently banned from the game and their accounts closed.

Real thieves in a virtual world

The sale of virtual goods (including virtual currencies) is an important part of in-game economies, but also presents criminals with some unique opportunities as well:

Theft of Goods

The longer you play a MMORPG, the more likely you are to get items which are rare, limited edition, unique or otherwise contain powerful buffs for your character.  Game companies create these kinds of items and adjust their scarcity because it helps encourage gamers to pay real money, either for the items themselves, or for in-game currency.  Or the developer may charge a subscription fee to play the game.  And that use of real money is what makes some games lucrative targets for thieves.

In some games’ player-versus-player (PvP) combat, the losers of fights may drop items that they were using in their inventory or currency, upon their in-game death.  In some games, this has led to the creation of gangs or “mafias” who often target new players, either to “loot their corpses” or merely to threaten them with looting in order to obtain their items or currency.

In the real world, gamers are regularly targeted by criminal gangs with phishing emails, as well as password stealing software, in order to gain access to their account credentials.  From there, it is a simple matter for the criminals to empty out the gamer’s account, akin to taking the jewels out of some kind of high-tech safe deposit box.

While some game companies employ sophisticated geolocation tracking and even two-factor authentication systems identical to those employed by banks, others do not, and this makes those game accounts not only vulnerable to being emptied out, but to being stolen themselves.  It can take years of grinding away at some games to reach the upper levels.  For some unsporting game players, that represents an almost irresistible target.

Counterfeiting items

The amount of virtual items (including virtual currencies) is usually carefully calculated by gaming companies, even to the point of employing economists, to help ensure the stability of their virtual economy.  Unfortunately, as in the real world, some virtual worlds are subject to counterfeiting, where in-game items or currency is duped (“duplicated”) over and over again by criminal gangs by exploiting vulnerabilities or bugs in the game, network connection or timing issues, and so forth.

If an in-game item can be duped ad nauseam, it can generate a lot of money, especially if it is the in-game currency that is being copied, and not some scarce or unique item.  While item duping may not be enough to disrupt the in-game economy if the item is not being sold, it does disrupt game play and fairness when characters become seriously overbalanced.

Regardless of why it is being done, counterfeiting can be difficult to deal with, especially if the recipient of a duped item is not aware of its provenance.  This may not stop game admins from removing counterfeit items or currency from a gamer’s account, or even banning the gamer, though.

Gold farming

Although in-game currency is not always golden coins, gold farming is the generic term used to describe players who do nothing but play a game in order to generate in-game currency, which they sell online for real-world currency.  This is particularly problematic in China, where there have been reports that prisoners are used as slave labor to generate revenue for prison authorities.

As with item duping, gold farming is disruptive to gaming economies because it leads to inflation.  Aside from that, it also leads to other problems, both in-game and in the real world, such as players being spammed with advertisements for gold.  And, as with selling counterfeit or stolen goods, one runs the risk of having the items removed by the game admins or even being banned for having received counterfeit or stolen virtual property.

Companies under assault

Of course, computer criminals don’t just target gamers:  Gaming companies themselves can be targeted as well.  Probably the most well-known example of this is the April 2011 breach of the SONY PlayStation Network gaming and Qriocity music streaming service, which resulted in the compromise of the names, addresses and credit card details of 77 million user accounts.

ESET provided extensive coverage of the SONY data breach in our blog, starting from the initial report of the breach in April 2011 all the way up to the proposed settlement of a week ago.  As a result, I am not going to discuss the details of the SONY breach in this article.  Readers should be aware that this sort of problem is not unique to SONY, either.  Almost exactly two years ago, Blizzard Entertainment suffered a data breach themselves, although they responded in a different and—this author thinks—more responsible fashion.

The point here is that computer game companies and their associated services face real threats from criminals:  If they charge customers for online play, the purchase of in-game items, or otherwise hold customer billing data in their computers, then those computer systems are targets for financial crime.  But even if they don’t charge customers, their systems might still be targeted by criminals seeking access to accounts for the reasons mentioned in the preceding section.  Game companies recognize this, of course, and as a result their security practices have improved greatly over the past couple of years.

Final thoughts

For the most part, computer gaming poses no additional risks beyond any other activities you might perform on the Internet.  You may, however, wish to take a few extra precautions, as outlined in the previous two articles from We Live Security:

I would also suggest reading our Comic-Con 2014: Eight super-powered digital safety tips article.  While Comic-Con is not exactly the same type of conference as gamescom, going to any type of conference with your computer, tablet, smartphone and various digital devices poses similar risks these days, and you may find some helpful information in that article.

Thanks to my colleagues Bruce P. Burrell, David Harley and Righard Zwienenberg for their assistance with this article.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher, ESET


Selected Bibliography

For further reading, here is a fairly complete compendium of gaming-related articles from We Live Security:

5 ways to avoid credit card fraud
http://www.welivesecurity.com/videos/5-ways-avoid-credit-card-fraud/
Fri, 15 Aug 2014 16:55:03 +0000

Your credit card information is highly sensitive and always at risk of theft. Check out our 5 ways of avoiding credit card fraud.

5 tips for sharing an iPad or Android tablet in your home
http://www.welivesecurity.com/videos/5-tips-sharing-ipad-android-tablet-home/
Fri, 15 Aug 2014 16:49:42 +0000

You don’t need to buy a tablet for every member of the family. Our insider tips will help you share a tablet rather than having to buy more than one device.

Week in security: Blackphone unmasked, RATs vs Androids, and browsers kill cars
http://www.welivesecurity.com/2014/08/15/security-news/
Fri, 15 Aug 2014 16:44:23 +0000

Blackphone, billed as a privacy tool to keep the public safe, ruled the headlines when it was hacked in five minutes. Meanwhile, Wi-Fi routers were also shown up, and Android users face a toothy new threat.

It’s still high season for security news, with the last days of DEF CON 22 luring out the best in the business – and causing controversy (as, of course, it should).

The biggest draw was a hack which knocked out the “ultra-private” encrypted Blackphone in just five minutes – although there was much discussion of the techniques used. Silent Circle, creators of the PGP encryption standard, took a secure, dignified response.

They patched – fast – and admitted their errors, saying, “No hard feelings — things get fixed by being found.”

Android versus RAT: Rodent wins

Android users in Russia were offered a bundle of free apps – with one catch. Each had been tweaked to hide malware – a RAT built to steal information. Remote Access Trojans (found on both PCs and Android devices) allow an attacker access to data – in the case of Android/Spy.Krysanec, GPS location, contacts lists, web history and more.

This backdoor trojan, which ESET detects as Android/Spy.Krysanec, was found as a malicious modification of MobileBank (a mobile banking app for Russian Sberbank), 3G Traffic Guard (an app for monitoring data usage) and a few others, including our own ESET Mobile Security. Naturally, it was shared through third-party app stores and social sites – not Google Play.

The malware was found to be distributed through several channels, including a typical filesharing (think Warez) site or a Russian social network.

ESET’s Robert Lipovsky says: “users should download not only our ESET Mobile Security but any application only from trustworthy sources, such as the official Google Play store. And even there, exercise caution by carefully examining the permissions requested by the app.”

Wi-Fi: The skies are safe once more

The good news – your aeroplane will not plunge from the skies thanks to hackers armed with iPads – and the idea of hacking planes via Wi-Fi is silly. The bad news: things ARE getting worse.

Black Hat is no stranger to world-changing hacks – but Ruben Santamarta’s talk was described by CNET as “the hacking presentation that will get the most attention”, claiming that plane security could be hacked wirelessly, by Wi-Fi or even SMS.

The debunking didn’t take long. Dr Phil Polstra of Bloomsburg University has the credentials – he holds 12 aviation ratings, all current, including aircraft mechanic and avionics technician, thousands of hours of flight time, and has worked on the development of avionics found in modern airliners. He also recruited an even more qualified but anonymous pilot to help.

Short answer: planes cannot be hacked wirelessly – any model ever built. Strict rules prevent avionics systems from being accessible via wireless – except in Boeing aircraft, which use a system “harder to hack”, he says.

Several companies have already said wireless hacks were “impossible”, and that access to wired systems is restricted: “In the aviation and maritime markets we serve, there are strict requirements restricting such access to authorized personnel only,” said one.

Polstra warned, however, that “increasing automation” may lead to problems in the future.

Security news: Your router is a time bomb

No wonder cybercrime gangs target routers – yet another “live fire” test against the devices proved they were packed with vulnerabilities. More than a dozen were found in the challenge at DEF CON – and one router-hunter found 11 on his own.

PC World described the devices – the portal into most home networks – as “insecure as ever” as hackers romped through challenges against big-brand devices from Linksys, Netgear, D-Link, Belkin and others.

Once again, the routers proved weak foes – and a second challenge, to extract information from the devices, proved equally easy for the contestants.

Cyberjacking: It’s a word, and it’s happening (soon)

Two researchers who have previously demonstrated hacks against cars declared a new threat this week – in-car web browsers.

In an exhaustive analysis of top car brands, the researchers found that while it WAS possible to compromise systems, the results were limited. A Bluetooth hack, for instance, would not compromise the vehicle – but would allow attackers to ‘pair’ devices.

Charlie Miller and Chris Valasek in their paper A Survey of Remote Automotive Attack Surfaces conclude that the danger of “hackable” cars is expanding – but is about to grow rapidly, as web browsers are added to cars.

“Once you add a web browser to a car, it’s open. I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers.” The recent reported hack against the Tesla Model S relied on its connected control panel.

A SlashDot user claims to have found a hidden port on the Tesla Model S, and used it to prove the car ran a modified version of Firefox.


Two-factor security: We want it now!

Millions of Americans were directly affected by the breach at Target – and as cybercriminals increasingly take aim at POS terminals, similar tragedies look likely in future.

But American banks and card companies have been slow to reassure customers with measures such as two-factor security systems.

A report found that two-factor security was STILL not on offer for online banking at major banks such as Citibank and Capital One, or for AmEx cards. Many other banks require customers to opt in.

The reason, the NYT claims, is economics – for the banks, “Companies have gone back and forth about whether to even allow their customers to sign up for that second factor and require the company to generate a one-time code to be entered in addition to a username and password.”

“While such precautions add to the consumer’s security, they can also increase the company’s tech support needs.”

An ESET video explains what two-factor is, and why it works, here.

One of the more disquieting aspects of the NYT report was that 2FA protection was offered only to some customers – and banks were not clear as to why.


Robin Williams’ last phone call? Sick Facebook video scam exploits celebrity suicide
http://www.welivesecurity.com/2014/08/15/robin-williams-suicide-phone-call-scam/
Fri, 15 Aug 2014 15:41:21 +0000

Sick-hearted scammers have proven themselves to have no morals once again, exploiting the death of Robin Williams with their latest Facebook scam.

Be on your guard against yet another Facebook scam, this time exploiting the tragic death of comic actor Robin Williams.

The scam, which you may see shared by your Facebook friends oblivious to the fact that they are helping fraudsters earn money, claims to be a ghoulish video of Robin Williams making his last phone call before committing suicide earlier this week.

Of course, you might be fooled into believing it is genuine. After all, you have seen one of your Facebook friends share it on their wall.

But the truth is that they have been duped into sharing it by a simple social engineering trick, and you would be wise not to fall into the same trap.

The first thing you see is a post made by one of your Facebook friends:

ROBIN WILLIAMS SAYS GOODBYE WITH HIS PHONE VIDEO BEFORE SUICIDE

If you click on the link you are taken to a third-party website, which claims to have a phone video made by the award-winning comedian in the minutes before his death:

EXCLUSIVE VIDEO: ROBIN WILLIAMS SAYS GOODBYE WITH HIS CELL PHONE BEFORE HANGING HIMSELF WITH A BELT AND CUTTING HIMSELF WITH A POCKET KNIFE. HE CAN STILL MAKE EVERYONE LAUGH WITH THIS VIDEO BUT IT WILL MAKE EVERYONE CRY A RIVER AT THE END.

You would have to be pretty ghoulish to proceed any further, but the truth is that the internet has deadened our sensitivities and made many of us all too willing to watch unpleasant things on our computer screens.

However, the truth is also that no such video is known to exist, and if you click to watch it you will be told that you have to share the link on your Facebook wall – encouraging your friends and family to go through the same process that you have – and ordered to complete an online survey before you may watch the footage.

And that’s the point of the scam.

By tricking thousands of people into taking a survey, in the misbelief that they will watch the final moments of a comedy legend whose life ended tragically, the scammers aim to make affiliate cash.

Because every survey that is taken earns them some cents – and the more people they can drive towards the survey (even if they use the bait of a celebrity death video), the more money will end up in their pockets. In other cases, scammers have used such tricks to install malware or sign users up for expensive premium rate mobile phone services.

The scammers have no qualms about exploiting the death of a famous actor and comedian to earn their cash, and give no thought whatsoever to the distressed family he must have left behind.

Always be extremely wary about what links you click on social networks, and never Share or Like something before you have seen it for yourself and decided whether it warrants sharing with your online friends.

Because you might not just be putting yourself at risk, you could also be endangering your friends and family.

Russian PM has his Twitter account hacked, announces “I resign”
http://www.welivesecurity.com/2014/08/15/russian-pm-twitter/
Fri, 15 Aug 2014 14:15:59 +0000

There may be red faces in Red Square, after Russian prime minister Dmitry Medvedev had his Twitter account hacked.

The Russian-language account @MedvedevRussia, which has more than 2.5 million followers, was compromised on Thursday by hackers who posted messages suggesting Medvedev was immediately resigning, and making criticisms of Russia’s president Vladimir Putin.

The hackers tweeted out a resignation message from the Russian PM

I resign. I am ashamed for the actions of the government. I’m sorry

If such an announcement were genuine, of course, it would make headlines and raise eyebrows around the world.

But when the hackers followed up by posting messages on the account proposing the banning of electricity, and that the Russian PM would now pursue a career as a professional freelance photographer, it should have become obvious to everyone that Medvedev was no longer in control of his social media account.

According to media reports, the Twitter account was under the control of hackers for approximately 40 minutes yesterday before control was wrestled back by the PM’s office.

The only silver lining is that whoever hacked the account did not take advantage of the situation to direct some of Medvedev’s 2.5 million followers to websites which might have contained malware designed to infect their computers.

A hacker calling themselves Shaltay Boltay (“Humpty Dumpty”) has claimed responsibility for the hack. Besides the attack on Medvedev’s Twitter account, Shaltay Boltay has also in the past published internal Kremlin documents and leaked private emails from government officials.

Shaltay Boltay, who describes him or herself as a member of Anonymous on their Twitter profile, posted a message claiming that they had also managed to compromise the Gmail account and three iPhones belonging to the Russian prime minister. However, whether that is true or not is open to question.

In all likelihood, a busy chap like Dmitry Medvedev isn’t running his Twitter account on his own. Chances are that he has staff in his office who assist him with his social media presence.

And there lies the problem.

Although Twitter has introduced extra levels of protection like two factor authentication to better protect accounts from being hijacked, it doesn’t have good systems in place that work well when more than one person is accessing and posting from a Twitter account.

It would only have taken Medvedev, or one of his staff, to have been careless with their passwords once, or to have used an easy-to-guess password, or to have used the same password elsewhere on the web, for the hackers to have found the weak point necessary to break in and seize control.

Remember – you should always be careful with your passwords. Choose passwords wisely, make sure that they are hard to crack, hard to guess and that you are not using them anywhere else online.

If you find it hard to remember your passwords (which would be understandable if you are following the advice above) use a password management program which can remember them for you, and store them securely behind one master password that you *will* remember.

And once you’re following a strong password policy, ensure that you are always careful where you are entering your passwords, that you never enter them on a third-party site that could be phishing for your credentials, and be sure not to share passwords with friends or colleagues unsafely.

‘Biometric’ earbuds invisibly prove it’s you, with no need for passwords
http://www.welivesecurity.com/2014/08/15/biometric-earbuds-passwords/
Fri, 15 Aug 2014 13:47:44 +0000

Biometrics such as fingerprints or eye-scans are touted as a replacement for the passwords and PINs we all know and hate – and Intel’s new smartphone earbuds could be the most discreet way of authenticating a user ever.

The earbuds, designed with SMS Audio, harvest heart-rate information using optics inside the ear – monitoring blood pulses and eliminating “noise” according to Business Insider.

The SMS Audio Fitness buds are built for fitness fans, but Intel plans further applications – and is vocal in its opposition to passwords. Other gadgets, such as the Bionym bracelet, already use heart-rate as an identifier: it’s more unique than fingerprints, and the SMS Audio buds could be a step towards a wearable “password” you can almost forget.

“A built-in optical sensor that continuously measures heart rate during intense exercise, states of relaxation and every moment in between – while dynamically removing noise signals caused by body motion and ambient light,” says Intel in a statement.

In the past month, We Live Security reported five major database leaks, usually of passwords.

Passwords: Let there be light?

Gizmodo reports that biometric devices have so far failed to gain widespread acceptance in part because of their bulk – whereas the SMS Audio devices charge themselves using motion, removing the need for extra batteries or chargers.

“In the wearable space, we see a lot of hype. I don’t think the market is ever going to be that big if all we have are just square cellphones taped to your wrist,” says Mike Bell, General Manager of Intel’s New Devices Group.

There are competitors which use the reading – but the Bionym bracelet relies on being charged, unlike Intel’s, which communicates directly with smartphones via the audio jack.

“It was actually observed over 40 years ago that ECGs had unique characteristics,” Bionym chief executive Martin said. “The modern research into practical systems goes back about 10 years or so. What we do is ultimately look for the unique features in the shape of the wave that will also be permanent over time. The big breakthrough was a set of signal-processing and machine-learning algorithms that find those features reliably and turn them into a biometric template.”

For you, no charge

ESET Senior Research Fellow David Harley discusses the advantages of biometric systems in a We Live Security blog post: “The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques. Biometrics and one-time passwords and tokens are much more secure, especially when implemented in hardware as a two-factor authentication measure.”

Intel said, “The complexity of keeping digital identities safe grows as mobile applications and devices become a more important part of our daily lives. Intel’s intent is to intensify our efforts dedicated to making the digital world more secure, and staying ahead of threats to private information on mobile and wearable devices.”

TechCrunch reports that, “additional application support” will be added. Intel is reaching out to developers to make apps:  “Intel has created an SDK called the Intel IQ Software Kits for any companies that want to use the features that Intel developed while building the circuitry inside the BioSport.”


Gamescom 2014: World of Malware?
http://www.welivesecurity.com/2014/08/15/gamescom-2014-world-malware/
Fri, 15 Aug 2014 08:36:12 +0000

The gaming industry keeps growing, and the crowds at Cologne's Gamescom 2014 show why big game titles are rapidly becoming a target for cybercrime. Our tips will help you enjoy the latest games - without hackers declaring 'Game Over'.

The gaming industry keeps growing in terms of popularity, and the large population of gamers, and the crowds at Cologne’s Gamescom 2014, represent an opportunity for miscreants to make money. In this blog post, we will explore various attacks specifically tailored to gamers, starting with trojanized legitimate games, then exploring some malicious software and targeted attacks against the video games industry. Finally, we will describe some recent exploits found in video games.

Gamescom 2014: Bitcoin Miners

Recent years have seen the introduction of Bitcoin, Dogecoin and other trendy and trending cryptographic currencies. These currencies are created by solving computationally-intensive cryptographic challenges, which require a lot of processing power. As gaming rigs are built with powerful processors and cutting-edge video cards, they can be considered one of the most efficient environments in which to “mine” these digital currencies, with the advantage of being widely spread among the Internet-using population.

In 2013, an employee of the ESEA Counter-Strike league silently introduced a Bitcoin miner into their anti-cheating software, which every member of the league had to install in order to participate. Fortunately the stratagem was uncovered rather quickly, and less than $4,000 worth of bitcoins were ‘earned’ by the malicious employee. More recently, a pirate version of the game ‘WatchDogs’ included a bitcoin mining Trojan which made a profit for the torrent’s author.

Keyloggers and Information Stealers

As the size of the gamer population has increased, some in-game goods have acquired some real monetary value. High-level/high-value characters, in-game currency, legendary items or even hats can be purchased with real money. But when something is worth money, it also means that for some people, it is worth stealing. Consequently, some malicious software focuses on stealing video games credentials. These information stealers are usually distributed under false pretenses, hiding behind so-called “game experience enhancers” or disguised as legitimate tools.

Keyloggers are the most prevalent type of malware in the gaming world, identified as Win32/PSW.OnLineGames by ESET. These programs can be pretty simple but have proven to be very effective at stealing players’ credentials, in order to resell items and characters. So many accounts are compromised that games editors are used to it and have implemented an FAQ and process to handle this situation.

To counter this type of malware, some MMORPG creators, such as Blizzard (who publish World Of Warcraft), have introduced two-factor authentication – and new titles introduced at Gamescom 2014 will do the same. This two-factor authentication takes the form of an electronic device (or a smartphone application) delivering unique six-digit codes that are active and valid only for a limited time before a new code has to be generated.

At the beginning of this year, malicious software named Disker was able to bypass this double-authentication mechanism. Disker appears to be as complex as malicious software that focuses on stealing banking information and it has the ability to steal both the victim’s account credentials and his or her authenticating six-digit passcode.

But as the passcode remains valid only for a short period of time, the attacker has to be behind his keyboard when the information is exfiltrated so as to be able to use it. So Disker implements a way to circumvent this problem: as it leaks the 6-digit passcode to the attacker, it will actually send a wrong passcode to the World Of Warcraft server, preventing the user from logging in. At this point, the victim will almost certainly disable the two-factor authentication in order to enjoy his game. Once this is done, the attacker is no longer restricted to operating within a short period of time.

Targeted Attacks

Players are not the only target in the gaming ecosystem; games companies can also be specifically attacked. For example, Kaspersky discovered last year malware targeting no less than 30 MMORPG game companies. In this case the attack was intended to:

  1. Deploy malware on gamers’ computers by using the MMORPG update server
  2. Manipulate in-game currencies
  3. Steal digital certificates to create signed malware, which propagates more easily
  4. Steal the MMORPG source code to deploy it on rogue servers

Exploits

MMORPGs are not the only type of game targeted; other kinds of multiplayer games are potential targets too. Recently, security researchers Luigi Auriemma and Donato Ferrante have been looking for vulnerabilities in games and game engines.

The results are impressive: they found vulnerabilities in the Source Engine, making any game based on it vulnerable, including the famous Counter-Strike: Source, Team Fortress 2 and Left 4 Dead. Those vulnerabilities could be used to execute code on a player’s computer without their knowledge or consent, potentially leading to installation of malware without requiring any action from the user beyond normal gaming activity.

Today, no known malware spreads using vulnerabilities in games, but the rising value of in-game goods could motivate criminals to use this kind of attack to spread game-targeted malware.

Conclusion

The emergence of such malware shows that the high value of in-game goods is appealing to bad guys – and the titles shown at Gamescom 2014 will be high-value targets.

The complexity of this malware, and Blizzard’s adoption of protective measures similar to those used by banks, indicate that we are at the beginning of an arms race between criminals and the gaming world. In this race everyone has a role to play: publishers by securing players’ accounts adequately, and players by educating themselves about the dangers, the existing solutions, and how to behave in order to enjoy safer gaming.

The post Gamescom 2014: World of Malware? appeared first on We Live Security.

Phone scams: card fraud with that steak, Sir?
http://www.welivesecurity.com/2014/08/14/phone-scams/
Thu, 14 Aug 2014 17:04:28 +0000

A new telephone scam in upscale restaurants in London has “convincing” scammers calling restaurant staff and tricking them into believing there’s a problem with the card system – and insisting customers call a bogus phone line.

The post Phone scams: card fraud with that steak, Sir? appeared first on We Live Security.

A new telephone scam has been targeting upscale restaurants in London, with “convincing” scammers calling restaurant staff and tricking them into believing there’s a problem with their payment system – according to a report issued by Financial Fraud Action. The scammers have targeted restaurants in affluent areas such as the West End and Twickenham.

The fraudsters give staff a phone line to call for customers to make payments, the Telegraph reports. Transactions are then funneled through the fraudulent phone line – restaurant owners have been warned to phone their bank on a number known to be legitimate before changing payment methods. Katy Worobec, Director of Financial Fraud Action UK, said “It’s important that restaurant owners are alert. Fraudsters can sound very professional – don’t be fooled.”

Phone scam: ‘Classic social engineering’

To customers, Financial Fraud Action said, “If you receive any calls from your bank claiming there’s a problem with payments, make sure you phone them on an established number to confirm the request is genuine. In addition, always wait five minutes to ensure the line is clear, as fraudsters will sometimes try to stay on the phone line and pretend to be your bank.” The tactics are variations on those used in many current phone scams. In the common ‘courier scam’ used to obtain cards and PINs, the fraudster stays on the line and pretends to be a new connection when the victim dials.

Phone scams: Old tricks

ESET senior researcher David Harley says, “The ‘staying on the phone line’ gambit is worth mentioning: it’s certainly been used a lot in the context of other scams.” The tactic works simply because few people check that the caller has actually hung up – so when they dial, they are still connected, and all the fraudster hears is a series of beeps. Harley suggests ‘interrupting’ the call by hanging up and dialing another number first – or calling back on a different phone.

Action Fraud said, “When the restaurant calls the phone number, the fraudster asks to speak with the paying customer and then goes through their security questions. Once sufficient security details have been obtained from the customer, the fraudster will instruct the restaurant to put the transaction through.” The fraudster then calls the customer’s bank – usually within five minutes – and attempts to transfer funds, the Daily Mail said.

The scam is not new – several elements are “classic social engineering”, says ESET Senior Research Fellow David Harley – but it has spiked in the past six weeks. “Certainly there’s a problem with the concept of answering security questions over the phone unless the bank or other caller has already authenticated themselves to you,” Harley says.

Harley says the key to avoiding such scams is not to place trust in unknown callers. If unsure, hang up, and call back on a known number. “In this case, a restaurant that falls for this has clearly failed to verify the credentials of the ‘bank’ and a customer who goes along with it has put too much trust in the restaurant. The ‘security questions’ must persuade the customer to give quite a lot of information away if they have any hope of persuading the bank to make the fraudulent transaction over the phone. One would hope…”

Will web browsers turn cars lethal?
http://www.welivesecurity.com/2014/08/14/will-web-browsers-turn-cars-lethal/
Thu, 14 Aug 2014 17:00:02 +0000

Two researchers have launched a petition to change how car companies and technology companies work together – with a new villain: in-car web browsers.

The post Will web browsers turn cars lethal? appeared first on We Live Security.

Two researchers have launched a petition to change how car companies and technology companies work together – with a new villain: in-car web browsers.

“We request that you unite with us in a joint commitment to safety between the automotive and cyber security industries,” the researchers say via Change.org.

A paper presented at Black Hat shows the danger crossing the line from “proof of concept” to reality. The researchers point out that while hacking a car to gain total control is extremely hard, it is easier to attack individual systems, such as communications or navigation, either of which could be lethal.

Car code is complex, and often bespoke – which means attacks tend towards the level of disabling locks, or affecting electric windows, rather than outright destruction. Even Bluetooth – often hyped as the Achilles’ Heel.

Internet of Things: Car crash ahead?

“Bluetooth has become ubiquitous within the automotive spectrum, giving attackers a reliable entry point to test,” they write. But hacks would be of the level of adding an unauthorized device – not outright control.

When CNN Money devotes a section to the year’s “most hackable cars” (a dubious prize won by the Cadillac Escalade and the 2014 Toyota Prius), automotive security is clearly a real issue.

Charlie Miller and Chris Valasek, in their paper A Survey of Remote Automotive Attack Surfaces, conclude that the danger from “hackable” cars is already expanding – and is about to grow far faster as web browsers are added to cars.

“Once you add a web browser to a car, it’s open. I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers.” The recent reported hack against the Tesla Model S relied on its connected control panel.

A SlashDot user claims to have found a hidden port on the Tesla Model S, and used it to prove the car ran a modified version of Firefox.

Nick Bagot, Motoring Editor of the Mail on Sunday, says, “Web browsers obviously [raise] considerable safety issues – and it’s questionable why they’re needed. The inclusion of browsers in cars may well have more to do with the convenience of advertising, and lucrative tie-ups between car brands and particular browsers, than with delivering value to the consumer.”

“Google is, primarily, an advertising company. Google products are built to feed into Adwords. Self-driving cars are an incredible technology – but what is it for?”

Safety first?

Car technology ignites passions on many sides. Last year a U.S. senator urged auto manufacturers to change, and his open letter ignited a spate of commentary, with Market Oracle describing the crime as “cyberjacking” and pointing out that the average family car contains 100 million lines of computer code, and that software can account for up to 40% of the cost of the vehicle, according to researchers at the University of Wisconsin-Madison.

Most in-car innovations have a clear point – car cameras are part of the technology revolution, but increase safety. Which Magazine writes, “The importance of having these in-car cameras is becoming more obvious each day, with the devices not only providing UK drivers with an independent witness – but also as we see awareness of the product increase, we hope to see the road safety standards improve and fraudulent crashes and claims decline.”

Other innovations bring less clear benefits, reports The Register. “The problem is that cars are becoming more heavily computerized and that leads to more networking so the driver and passengers can get access to up-to-date information while on the move: most newish cars have a Bluetooth system hidden inside, a connection to the cellular data network, and so on,” the site said.

On the researchers’ page, I am the Cavalry, they say, “Modern cars are computers on wheels and are increasingly connected and controlled by software. Dependence on technology in vehicles has grown faster than effective means to secure it.”

2FA – are big banks failing America?
http://www.welivesecurity.com/2014/08/13/2fa/
Wed, 13 Aug 2014 16:04:49 +0000

The Target breach caused real damage to millions of American card users – but big financial institutions are doing little to remedy security issues by offering extra security such as 2FA.

The post 2FA – are big banks failing America? appeared first on We Live Security.

The Target breach caused real damage to millions of American card users – but big financial institutions are doing little to remedy security issues, according to the New York Times.

A report found that two-factor security was STILL not on offer for online banking at major banks such as Citibank and Capital One, or for AmEx cards. Many other banks require customers to opt in.

The reason, the NYT claims, is economics – for the banks: “Companies have gone back and forth about whether to even allow their customers to sign up for that second factor and require the company to generate a one-time code to be entered in addition to a username and password.”

“While such precautions add to the consumer’s security, they can also increase the company’s tech support needs.”

2FA: Big savings – for banks

The opinion piece, a plea for increased adoption of two-factor authentication systems, has ignited debate.

Computer World discusses if there are any “silver bullets” for a world where passwords are stolen in industrial quantities. Some attacks such as a recent attempt against PayPal have attempted to bypass these systems – but they are still another hurdle for gangs to clear.

The below ESET video explains what two-factor is.

Two-factor systems are far more secure than passwords – many high-profile hacks, such as those against the Twitter accounts of media organizations last year, could not have happened if a 2FA system had been in place. Even if a hacker places malware on a PC and steals a password, they are still locked out.

2FA: Why are banks failing us?

Information Week says that 2FA systems are a key part of ensuring corporate security: “Passwords are the Achilles heel of any network. Around 80% of all domain compromises carried out by our Penetration Testing team come from either a weak password being set, or a password being reused somewhere. Any company that takes its security seriously should protect privileged accounts with strong two-factor authentication (2FA).”

A recent report found that two-thirds of companies who allowed ‘working from home’ failed to provide secure access to company networks, putting private corporate information at risk.

Two-factor systems can help small businesses by allowing home working – and cutting overheads such as office space.

Bank attacks – safety tips

Both Information Age and Computer World suggested further measures – with Computer World suggesting Google Chromebooks as ideal for banking.

“Like private browsing, guest mode erases all traces of your browsing activity when you’re done, but in addition, it also starts you off with a clean slate. That is, when you log on as a Guest there are no cookies, favorites or browsing history to be discovered, stolen or manipulated,” the magazine writes.

One of the more disquieting aspects of the NYT report was that 2FA protection was offered only to some customers – and banks were not clear as to why.

Many sites – including Twitter, Gmail and Dropbox – offer two-factor systems already, free, although you have to enable them yourself – it’s usually found under Settings or Privacy, and most sites walk you through the process.

It’s worth doing so if you keep any private information in such accounts – and particularly if you store sensitive business information.

Two-factor authentication makes it far more difficult – although not impossible – for cybercriminals to break into accounts on sites such as Twitter and Dropbox. At present, though, the system is “opt-in” – you have to go to settings, and add your authentication method manually.

Wɑit! Stοp! Is that ℓιηκ what it claims to be?
http://www.welivesecurity.com/2014/08/13/link-non-latin-gmail/
Wed, 13 Aug 2014 14:20:23 +0000

Can you tell the difference between exɑmple and example?

Google adds non-Latin support to Gmail, and we explain why characters matter when it comes to protecting yourself from spam, phishing and other attacks.

The post Wɑit! Stοp! Is that ℓιηκ what it claims to be? appeared first on We Live Security.

The human brain is a funny old thing, and remarkably smart.

But sometimes it’s too smart for its own good.

Take, for instance, the infamous “Face on Mars” photographed by the Viking 1 Orbiter in 1976, which led to rampant speculation and excitable headlines in the media that it must be evidence of intelligent extraterrestrial life.

Face on Mars

But was it really an ancient giant statue left by former inhabitants of the Red Planet?

Or was it, in reality, evidence that humans are hardwired to see human faces based upon minimal data, and are prone to seeing faces – in clouds, on the moon, on the surface of Mars – where none really exists? Scientists call this psychological phenomenon pareidolia.

Observations by other spacecraft visiting the Cydonia region of Mars in the decades since have revealed that there is no giant face carved into the rock. Our eyes deceived us, and we saw what we wanted to see.

And, perhaps surprisingly, this is relevant to computer security.

Because, just as people can see a face where none is present – so people can be duped by fraudsters and online criminals into believing they are reading one thing when in fact they are not.

Take this URL for instance:

http://www.exɑmple.com

Nothing wrong with that, right?

Wrong.

You see, that’s not a link for example.com. It’s a URL for exɑmple.com.

Your mind read “a”, when it was actually an “ɑ”.

And when it comes to computers there is a world of difference between Unicode character U+0061 (an “a”) and U+0251 (“ɑ”).

http://www.exɑmple.com and http://www.example.com are going to take you to entirely different places on the internet. And it could mean the difference between you visiting the right website, or visiting one created by cybercriminals to infect your computer with malware or phish your login credentials.

All this talk of extended character sets and the opportunities for abuse is relevant, because last week Google announced support for non-Latin characters in Gmail.

Fortunately, Google is aware that some scoundrels might take the development as an opportunity to make more effective spam campaigns.

As Google describes in a blog post, it’s trivial for internet attackers to exploit near-identical looking characters to dupe unsuspecting users into clicking on dangerous links:

Scammers can exploit the fact that ဝ, ૦, and ο look nearly identical to the letter o, and by mixing and matching them, they can hoodwink unsuspecting victims.* Can you imagine the risk of clicking “ShဝppingSite” vs. “ShoppingSite” or “MyBank” vs. “MyBɑnk”?

And it’s not just links, of course. I’ve lost count of the number of times that I’ve received emails mentioning vιαgяα. I instantly know that the bad guys are referring to the little blue pills that enhance bedroom performance, even though they didn’t spell it v.i.a.g.r.a.

Some attempts, naturally, are more sophisticated than others.

Spam enlargement

The truth is though that they don’t always have to fool you, the user.

The first task of any spam campaign is to fool the computer – most of them actually *want* to be human-readable, but they don’t want to be easily interpreted by the computer program that is filtering your inbox for spam.

As Google explains, its Gmail service will now be rejecting suspicious letter combinations that could have been deliberately used in spam and phishing attacks:

The Unicode community has identified suspicious combinations of letters that could be misleading, and Gmail will now begin rejecting email with such combinations. We’re using an open standard—the Unicode Consortium’s “Highly Restricted” specification—which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused.
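As an added example (not Google’s code, and not part of the original article), here is a simplified label checker that applies the script rule of the UTS #39 “Highly Restricted” level mentioned above and then compares a confusables “skeleton” against a short constructed allow-list. It assumes two approximations noted in its comments: scripts are inferred from unicodedata character names, and the confusables table is a small constructed subset of the Unicode data.

```python
import unicodedata

# Added example, not from the original article or from Google: a simplified
# checker in the spirit of UTS #39 "Highly Restricted". Two approximations:
# scripts are taken from unicodedata character names (Python exposes no
# Script property), and CONFUSABLES is a small constructed subset of the
# Unicode confusables data, not the full table.

CONFUSABLES = {
    "\u0251": "a",  # ɑ LATIN SMALL LETTER ALPHA (the article's exɑmple.com)
    "\u03bf": "o",  # ο GREEK SMALL LETTER OMICRON
    "\u101d": "o",  # ဝ MYANMAR LETTER WA
    "\u0ae6": "o",  # ૦ GUJARATI DIGIT ZERO
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
}

# Script mixtures that UTS #39 "Highly Restricted" still permits.
ALLOWED_MIXES = (
    {"Latin", "Han", "Hiragana", "Katakana"},
    {"Latin", "Han", "Bopomofo"},
    {"Latin", "Han", "Hangul"},
)

# Constructed allow-list standing in for "labels the user already trusts".
KNOWN_LABELS = frozenset({"example", "shoppingsite", "mybank"})


def script_of(ch: str) -> str:
    """Approximate the Unicode Script of one character from its name."""
    if ch in "0123456789-.":
        return "Common"
    first = unicodedata.name(ch, "").split(" ")[0]
    if first == "CJK":
        return "Han"
    return first.capitalize() or "Unknown"


def scripts(label: str) -> set:
    """Set of scripts used in the label, ignoring digits and punctuation."""
    return {script_of(ch) for ch in label} - {"Common"}


def highly_restricted(label: str) -> bool:
    """True if the label satisfies the UTS #39 Highly Restricted script rule."""
    found = scripts(label)
    return len(found) <= 1 or any(found <= mix for mix in ALLOWED_MIXES)


def skeleton(label: str) -> str:
    """Map each known confusable to its plain counterpart."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def check_label(label: str, known=KNOWN_LABELS):
    """Return ("ok", None), ("mixed-script", scripts) or ("confusable", target)."""
    folded = label.casefold()
    if folded in known:
        return ("ok", None)
    if not highly_restricted(folded):
        return ("mixed-script", sorted(scripts(folded)))
    skel = skeleton(folded)
    if skel != folded and skel in known:
        return ("confusable", skel)
    return ("ok", None)
```

Note that exɑmple passes the script rule, because U+0251 is itself a Latin letter; only the skeleton comparison catches it, which is why the two checks are applied together.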

Iτ’s gяεατ το sεε Gοοgℓε τακε sτερs το βεττεя ρяοτεςτ τнειя gмαιℓ μsεяs. Iτ ωιℓℓ βε ιητεяεsτιηg το sεε нοω ωεℓℓ ιτ ωοяκs, αηδ ωнετнεя sραммεяs ωιℓℓ ƒιηδ ηεω мετнοδs το gετ τнειя мεssαgεs ιη ƒяοητ οƒ мιℓℓιοηs οƒ ελεβαℓℓs.

Lετs нορε τнατ οτнεя οηℓιηε sεяvιςεs ƒοℓℓοω Gοοgℓε’s εχαмρℓε, αηδ ςοηsιδεя ωнατ sτερs τнεy ςαη мακε το βοτн sμρροяτ α мοяε “gℓοβαℓ” ωεβ, αηδ ατ τнε sαмε τιмε ςμяταιℓ τнοsε ωнο τяy το αβμsε ιτ.

Feel free to leave a comment below. You get extra points (sorry, no prizes) if you manage to use some εχτεηδεδ ςнαяαςτεяs in your response that we have to decode.

Wi-Fi security – routers “like fish in a barrel”
http://www.welivesecurity.com/2014/08/13/wi-fi-security-routers-like-fish-in-barrel/
Wed, 13 Aug 2014 13:52:37 +0000

Researchers flexed their hacking muscles at DefCon 22 to hunt the technology world’s most defenceless beasts – routers. More than a dozen new vulnerabilities were found.

The post Wi-Fi security – routers “like fish in a barrel” appeared first on We Live Security.

Researchers flexed their hacking muscles at DefCon 22 for a hunting competition against the technology world’s most defenseless beasts – routers. Sure enough, more than a dozen new vulnerabilities were found.

PC World described the devices – the portal into most home networks – as “insecure as ever” as hackers romped through challenges against big-brand devices from Linksys, Netgear, D-Link, Belkin and others.

Once again, the routers proved weak foes – with more than a dozen new vulnerabilities found at the DEF CON 22 competition, according to ISP Review.

The SOHOpelessly Broken contest challenged researchers to crack into routers with zero-day attacks, and extract information from others. In total, 15 new flaws were found – eleven by one researcher.

Routers have come under scrutiny from security researchers in the past year, after a series of demonstrations showed ways to break into the devices.

Wi-Fi security: ‘Hopelessly broken’

Many popular models of wireless router from brands such as Linksys and Netgear were vulnerable to a ‘backdoor’ that could give attackers access to the router’s admin controls – and so full access to the network – according to a report by Ars Technica.

The backdoor, in various models of wireless DSL router, could allow an attacker to reset the router and, “commandeer a wireless access point and allow an attacker to get unfettered access to local network resources,” Ars reported. “The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users.”

The report follows the discovery of a serious “backdoor” vulnerability in various D-Link models. Another report suggested a majority of the top-selling routers on Amazon had known vulnerabilities.

The SOHOpelessly Broken contest aims to highlight these flaws. The Electronic Frontier Foundation hopes to create open-source firmware for routers which will offer increased security.

“By demonstrating that the issues persist and that consumers are still exposed, pressure will be applied to the manufacturers to take the necessary action to better protect their customers who are currently not empowered to protect themselves,” says Steve Bono, founder of ISE (Independent Security Evaluators).

Routers often have low profit margins, and thus are shipped with known vulnerabilities, particularly the cheaper models known as small office/home office routers, ISE claims.

Wi-Fi attacks: Fighting back

Even normal home routers don’t have to be totally defenseless: ESET offers a video guide, and rule one is “change that password.” If it’s ‘password’, your neighbor can get in, never mind criminals.

Failings by IT staff worsen these risks, according to a study reported by Infosecurity Magazine. The survey of 653 IT and security professionals and 1,009 remote workers found that 30% of IT professionals and 46% of remote workers do not change the default passwords on their routers, and that nearly half of the workers polled use WPS, an insecure standard that makes it easy for criminals to ‘crack’ passwords.

But changing the password is only a first step: ESET Senior Research Fellow David Harley says that users should always, “Change default router administrator usernames and passwords, and change the default SSID.”

The SSID is the name of the network – which is broadcast to anywhere within Wi-Fi range. Leaving it as a default can broadcast information that is useful to an attacker – such as the model of router you are using, or whether you are using one supplied by your ISP. When choosing a new network name, avoid any personally identifying information such as your name or house number.

It’s worth considering making yours a “hidden network” – disabling SSID broadcast. That way you’re less visible to attackers – and to connect new devices, you simply type the network’s name into the gadget.

Harley warns that these precautions can be undone when your router’s software is updated – which can occasionally revert settings to their defaults. “After any update, check these settings have not reverted,” he says.
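The checklist above (default credentials, a revealing default SSID, WPS, and Harley’s reminder to re-check after an update) can be turned into a small audit. The following is an added example, not from the article or any router vendor: the `key = value` dump format, the list of factory credentials and the vendor name hints are constructed for the example, and a real router’s export would need its own parser.

```python
# Added example, not from the article or from any vendor: audit a home
# router configuration against the advice above and detect settings that a
# firmware update has silently reverted. The dump format, the sample
# configurations, DEFAULT_CREDENTIALS and VENDOR_SSID_HINTS are constructed.

DEFAULT_CREDENTIALS = {  # constructed list of typical factory logins
    ("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root"),
}
VENDOR_SSID_HINTS = ("linksys", "netgear", "dlink", "d-link", "belkin")  # constructed
WATCHED_KEYS = ("admin_user", "admin_password", "ssid", "ssid_broadcast", "wps_enabled")


def parse_config(dump: str) -> dict:
    """Parse the constructed 'key = value' dump; '#' starts a comment."""
    config = {}
    for raw in dump.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        config[key.strip()] = value.strip()
    return config


def audit(config: dict) -> list:
    """Return the checklist items from the article that this configuration fails."""
    findings = []
    creds = (config.get("admin_user", ""), config.get("admin_password", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append("default administrator username/password still set")
    ssid = config.get("ssid", "").casefold()
    if any(hint in ssid for hint in VENDOR_SSID_HINTS):
        findings.append("SSID reveals router vendor or model")
    if config.get("wps_enabled", "0") == "1":
        findings.append("WPS enabled")
    if config.get("ssid_broadcast", "1") == "1":
        findings.append("SSID broadcast on (optional hardening: hide the network)")
    return findings


def reverted_settings(before: dict, after: dict, keys=WATCHED_KEYS) -> dict:
    """Harley's post-update check: which watched settings changed, and how."""
    return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}


FACTORY_DUMP = """# constructed sample: router as shipped
admin_user = admin
admin_password = admin
ssid = NETGEAR42
ssid_broadcast = 1
wps_enabled = 1
"""

HARDENED_DUMP = """# constructed sample: after following the advice
admin_user = homeowner
admin_password = constructed-example-passphrase
ssid = teapot
ssid_broadcast = 0
wps_enabled = 0
"""

AFTER_UPDATE_DUMP = """# constructed sample: a firmware update reverted two settings
admin_user = homeowner
admin_password = constructed-example-passphrase
ssid = teapot
ssid_broadcast = 1
wps_enabled = 1
"""


def demo():
    """Audit the factory and hardened configs, then diff hardened vs. post-update."""
    factory = parse_config(FACTORY_DUMP)
    hardened = parse_config(HARDENED_DUMP)
    updated = parse_config(AFTER_UPDATE_DUMP)
    return audit(factory), audit(hardened), reverted_settings(hardened, updated)


if __name__ == "__main__":
    for result in demo():
        print(result)
```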

‘Secure’ Blackphone hacked in 5 minutes
http://www.welivesecurity.com/2014/08/13/online-privacy-3/
Wed, 13 Aug 2014 08:52:31 +0000

An ultra-secure phone claimed to be the first privacy-focused smartphone on sale swiftly fell victim to a security researcher – who hacked the “super secure” Blackphone in just five minutes.

The post ‘Secure’ Blackphone hacked in 5 minutes appeared first on We Live Security.

An ultra-secure phone claiming to be the first privacy-focused smartphone on sale swiftly fell victim to a security researcher – who hacked the “super secure” Blackphone in just five minutes according to Slashgear. The hack allowed root access to the phone – and was performed on stage at the DEF CON security conference, according to Gizmodo. TeamAndIRC found three vulnerabilities according to Tweaktown – although each had its own weakness. One required an unpatched version of PrivatOS and another required direct user interaction. Slashgear reported that users faced no “imminent danger.”

Online privacy – Blackphone cracked?

BlackBerry has previously described Blackphone as offering “Consumer-Grade Privacy That’s Inadequate for Businesses.” Blackphone responded via blogging platform Medium: “As I mentioned in my earlier post — we took on the challenge of building a secure and private smartphone system. TeamAndIRC threw a proverbial jab to the jaw, and well, our jaw is not made of glass. Kudos to @TeamAndIRC for explaining the exploit. No hard feelings — things get fixed by being found. Nonetheless, we have a vulnerability and it is important to Blackphone to resolve this vulnerability fast. We pride ourselves on being able to provide a quick turnaround to security problems. We control the complete OTA process, and are able to fix issues as soon as they are disclosed, if they haven’t been pre-emptively fixed.”

Slashgear said, “Blackphone still may be the most secure open-source smartphone around.” One patch has already been pushed out, and another is coming shortly.

‘Our jaw is not made of glass’

As well as a best-selling author and an ex-U.S. Navy SEAL, Silent Circle features Phil Zimmermann, who wrote PGP (Pretty Good Privacy) in 1991, still the most widely used email encryption software on Earth. Encrypted phones have been on sale before – such as the GSMK Cryptophone – but have been complex to use, and expensive. Silent Circle hopes that the steady flow of news about state spying could catalyze a sea change in attitudes towards privacy. British-based security expert Graham Cluley, a 20-year veteran of the industry, said at the launch that the goals of Blackphone are laudable: “Most of us could take greater steps to make our lives more private, and make it harder for unauthorized parties (including governments) to spy upon our activities.”

Krysanec trojan: Android backdoor lurking inside legitimate apps
http://www.welivesecurity.com/2014/08/12/krysanec-trojan-android/
Tue, 12 Aug 2014 12:21:31 +0000

One of the most important pieces of advice we give Android users is to refrain from downloading applications from dubious sources and to stick to the official Google Play store, where malware does show up from time to time but is much better controlled, thanks to the Google Bouncer, than on alternative app stores.

The post Krysanec trojan: Android backdoor lurking inside legitimate apps appeared first on We Live Security.

Figure 1 – Screenshot from Sberbank mobile banking app misused in order to distribute Android/Spy.Krysanec

One of the most important pieces of advice we give Android users is to refrain from downloading applications from dubious sources and to stick to the official Google Play store. Malware does show up from time to time there, but it is much better controlled, thanks to the Google Bouncer, than on alternative app stores.

We discovered an interesting piece of Android malware that serves as a good example to emphasize the advice above. We found a RAT (Remote Access Trojan) masquerading as several legitimate Android applications.

Let’s take a closer look at how the malware spreads, what it does, and at its connection to a story that made recent news headlines.

Distribution vectors

One of the most common infection vectors for Android malware is to disguise itself as a popular legitimate app – from various games to other more or less useful pieces of software. Quite often the legitimate functionality is present, but with a malicious aftermarket addition – the very essence of a trojan horse. And quite often the application purports to be a cracked version of a popular paid application – so the danger is greater on less-than-trustworthy app stores and forums – but this is certainly not an indisputable rule.

Figure 2 – Spaces.ru account hosting Android/Spy.Krysanec

This backdoor trojan, which ESET detects as Android/Spy.Krysanec, was found as a malicious modification of MobileBank (a mobile banking app for Russian Sberbank), 3G Traffic Guard (an app for monitoring data usage) and a few others, including our own ESET Mobile Security.

The Android app ecosystem offers a reliable countermeasure against such unwarranted and malicious modifications, and that is by digitally signing applications with the actual developers’ certificates.

Obviously, the masqueraded Krysanec variants did not contain valid certificates. Needless to say, though, not all users carefully examine the applications they install on their smartphones, especially those who search for apps from dubious sources, whether they’re looking for cracked versions of paid apps, or whatever other reason.

The malware was found to be distributed through several channels, including a typical filesharing (think Warez) site or a Russian social network. The screenshots below show an account that was used to host the trojan lurking inside legitimate apps.

Figure 3 – Spaces.ru account hosting Android/Spy.Krysanec

Functionality

The infected applications contained the Android version of the Unrecom RAT (Remote Access Trojan), a multi-platform remote-access tool.

In particular, the Android/Spy.Krysanec malware is able to harvest various data from the infected device, connect to its Command & Control (C&C) server and download and execute other plug-in modules.

The modules give the backdoor access on the device to:

  • Take photos
  • Record audio through the microphone
  • Read the current GPS location
  • List installed applications
  • List opened webpages
  • List placed calls
  • Read the contact list
  • Read SMS messages (regular or WhatsApp)
  • And so on…

Figure 4 – Screenshot from Android/Spy.Krysanec control panel

C&C servers

Interestingly, some of the samples that we analyzed connected to a C&C server on a hostname belonging to the dynamic DNS provider no-ip.com, a popular choice for C&C because the name can be repointed to a new IP address at any time. No-IP was in the news recently when Microsoft’s Digital Crimes Unit took over 22 of the company’s domains that were being used to distribute malware; Microsoft subsequently dropped the case.

While remote access tools for Android are less common than their Windows desktop counterparts, the main message here is that users should download any application, ESET Mobile Security included, only from trustworthy sources such as the official Google Play store. And even there, exercise caution by carefully examining the permissions an app requests before installing it.

Facebook privacy – is Messenger watching you?
http://www.welivesecurity.com/2014/08/11/facebook-privacy-is-messenger-watching-you/
Mon, 11 Aug 2014 15:38:03 +0000

Facebook’s new Messenger app has sparked privacy concerns after a list of Permissions appears to show the app could be taking video of users in secret, according to the Washington Post.

The post Facebook privacy – is Messenger watching you? appeared first on We Live Security.

Facebook’s Messenger app has people worried about their privacy – lots of people. A list of Permissions appears to show the app could be taking video of users in secret, according to the Washington Post.

Users of both the iPhone and Android versions of Facebook’s app have found the main app altered so that a second app, Messenger, is required to send person-to-person messages. Without the extra app, the function is removed, sparking further concerns over Facebook privacy.

Security-wise, there are serious issues with Messenger – clearly visible on Android, where apps are required to list Permissions showing what they are allowed to do.

Cosmopolitan writes, “Basically, it can control your whole phone. And, most scarily of all, CALL PEOPLE.”

Facebook privacy: Spy in your pocket?

Metro noted that the app – which attempts to take over SMS functions as well as in-app messaging – can record users with their camera, and send texts without permission.

“As we’ve said, our goal is to focus development efforts on making Messenger the best mobile messaging experience possible and avoid the confusion of having separate Facebook mobile messaging experiences,” a Facebook spokeswoman said.

“Messenger is used by more than 200 million people every month, and we’ll keep working to make it an even more engaging way to connect with people.”

The full list of Permissions is here:

  • Change the state of network connectivity
  • Call phone numbers and send SMS messages
  • Record audio, and take pictures and videos, at any time
  • Read your phone’s call log, including info about incoming and outgoing calls
  • Read your contact data, including who you call and email and how often
  • Read personal profile information stored on your device
  • Access the phone features of the device, like your phone number and device ID
  • Get a list of accounts known by the phone, or other apps you use.

But there may be another explanation, the FT says. The split may herald a move towards person-to-person messaging – after Facebook’s failed purchase of Snapchat.

“Snapchat over-indexes with the very segment where Facebook has cited falling engagement: teenagers,” said Geoff Blaber, of CCS Insight. “The continued introduction of new services, either organically or by acquisition, is essential to maintaining user engagement.”

Facebook – expanding even further?

Video functions were added to Snapchat recently, as were text messages and video calling.

Users are already concerned over the list of permissions granted to Facebook’s main app, which has expanded. Many apps, Facebook’s among them, have come under fire for permissions which change after the app has been installed. For instance, Facebook now requires the ability to turn a smartphone’s Wi-Fi connection on and off.

Protecting against apps which ask for further permissions after install is difficult. Apps built to go online update frequently, often for perfectly valid security reasons, and the new permissions an update brings are not always presented to users, or at least not as clearly as the alerts in Android’s built-in Permissions menu.

“As Facebook users have noted over the last few weeks, for example, their Android app is now demanding access to SMS / MMS, calendar events, and WiFi control,” commented The Register.
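One way to catch what the article says is hard to notice, an app that acquires new permissions with an update, as an added example that is not from the post and not Facebook’s code. It compares the `<uses-permission>` entries of two decoded AndroidManifest.xml files (the old and the new APK, decoded with `apktool d`) and reports the additions, flagging the ones Android classes as “dangerous”. The two manifests, the package name and the list of dangerous permissions are constructed for the example.

```python
"""Added example: diff the permissions of two decoded AndroidManifest.xml
files and flag newly requested dangerous ones.  Manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of permissions with protection level "dangerous" (assumed list for
# the example; the full set is defined in the platform's own manifest).
DANGEROUS = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALENDAR",
    "android.permission.GET_ACCOUNTS", "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed manifests: version 10 of a messaging app and its version 11 update.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger" android:versionCode="10">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger" android:versionCode="11">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
</manifest>"""


def permissions(manifest_xml: str) -> set:
    """All android:name values of <uses-permission> elements in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def permission_diff(old_xml: str, new_xml: str) -> dict:
    """What an update adds and removes, with the dangerous additions singled out."""
    old, new = permissions(old_xml), permissions(new_xml)
    added = new - old
    return {"added": sorted(added),
            "removed": sorted(old - new),
            "added_dangerous": sorted(added & DANGEROUS)}


def report(old_xml: str = OLD_MANIFEST, new_xml: str = NEW_MANIFEST) -> str:
    """Human-readable diff, one permission per line, dangerous ones flagged."""
    diff = permission_diff(old_xml, new_xml)
    lines = [f"+ {p}" + ("  [dangerous]" if p in DANGEROUS else "") for p in diff["added"]]
    lines += [f"- {p}" for p in diff["removed"]]
    return "\n".join(lines) or "no permission changes"


if __name__ == "__main__":
    print(report())
```

Running the diff on every update, rather than reading the Permissions screen once at install time, is what surfaces the CAMERA, RECORD_AUDIO and READ_SMS additions in the constructed update; on Android of the period these were granted at update time without a fresh, prominent prompt.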

Wi-Fi security: Flight systems “are safe… for now” claims expert
http://www.welivesecurity.com/2014/08/11/wi-fi-security-flight-systems-are-safe-for-now-says-expert/
Mon, 11 Aug 2014 13:30:30 +0000

An aircraft security expert has eased the worries of a lot of frequent flyers this week by reassuring them that aircraft are not “hackable” in mid flight. The claim was made at Black Hat last week.

The post Wi-Fi security: Flight systems “are safe… for now” claims expert appeared first on We Live Security.

An aircraft security expert has eased the worries of many frequent flyers this week by reassuring them that aircraft are not “hackable” in mid flight. Dr Phil Polstra of Bloomsburg University has the credentials: he holds 12 aviation ratings, all current, including aircraft mechanic and avionics technician, has thousands of hours of flight time, and has worked on the development of avionics found in modern airliners.

“Lots of bold claims concerning the feasibility of cyber-hijacking – and bold claims get lots of press. Most people don’t know enough to evaluate these claims. Whether you feel safer or even more scared should be based on facts,” he says.

Polstra’s collaborator, “Captain Polly”, is also an academic who works on avionics.

The counter-case comes from IOActive researcher Ruben Santamarta, whose Black Hat presentation focuses on major brands and widely used satellite communication (SATCOM) terminals; he claims that 100% of the systems under test had vulnerabilities. Weak encryption and “backdoors” which could allow attackers control over communications are rife in all systems under test, according to RT. Some attacks can be performed with an SMS, Santamarta claims.

“These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it,” Santamarta says.

Wi-Fi security: Death in the skies?

“Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities.”

The Black Hat security conference last week was dominated by one terrifying assertion – that avionics systems were vulnerable to hacks which could be set off as simply as by sending an SMS or via Wi-Fi.

Polstra’s presentation debunks the Wi-Fi hack threat step by step. Strict rules prevent avionics systems from being accessible via wireless, except in Boeing aircraft, which use a system that is “harder to hack”, he says.

The Register reports, “Firstly, no commercial airliner’s avionics systems can be accessed from either the entertainment system or in-flight Wi-Fi. Avionics systems are also never wireless, but always wired, and don’t even use standard TCP/IP to communicate.”

Physical access – not Wi-Fi signals

FAA rules state: “The applicant must ensure that the design provides isolation from, or airplane electronic system security protection against, access by unauthorized sources internal to the airplane. The design must prevent inadvertent and malicious changes to, and all adverse impacts upon, airplane equipment, systems, networks, or other assets required for safe flight and operations.”

Several companies have already said that the research was flawed: Cobham said wireless hacks were “impossible”, and that a hacker would require physical access to systems.

“In the aviation and maritime markets we serve, there are strict requirements restricting such access to authorized personnel only,” said Cobham’s spokesman, Caires.

At least one company has already come forward to state that the Wi-Fi hack used would be impossible in a “real world” situation. Other vendors have dismissed the risks as “very small”.

Polstra says, however, that increasing computerization may lead to future problems. “Increasing automation while continuing with unsecured protocols is problematic. Airliners are relatively safe (for now),” he concludes.

Week in security: FBI malware, billion password leak – Chinese hotel goes mad
http://www.welivesecurity.com/2014/08/08/week-in-security/
Fri, 08 Aug 2014 22:52:23 +0000

With Black Hat 2014 in full swing in Las Vegas, it was never going to be a quiet week, but revelations about FBI malware and a trove of a billion passwords inspired furious debate too.

The post Week in security: FBI malware, billion password leak – Chinese hotel goes mad appeared first on We Live Security.

With Black Hat 2014 in full swing in Las Vegas, it was never going to be a quiet week in the world of security – with hacks ranging from the surreal to the terrifying demonstrated, and vicious argument over the week’s most controversial presentation – which claimed that aeroplane communication systems could be hacked via in-flight Wi-Fi.

Even outside the presentations at the Mandalay Bay, ripples were spreading through the secret world of Tor, with suspicions seemingly confirmed that the FBI had been using malware against visitors to a Tor hidden service in order to identify the MAC addresses of those “hidden service” users.

Visit the wrong site – get malware from Feds

The story, broken by Wired’s Kevin Poulsen, offered a detailed analysis of the attacks and their context: “For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.”

Most high-profile arrests of the administrators of Tor “hidden service” sites have relied on alleged perpetrators leaking information in the real world – as in the case of the arrest of alleged Silk Road founder Ross Ulbricht.

The FBI’s technique relied on a flaw in a since-replaced version of the Tor Browser Bundle, using malware to send identifying addresses to a server in Virginia, according to The Tor Project. It also raised legal questions over what a government agency was doing using malware against suspects, malware which remained on computers “for years”, according to Poulsen. Even Tor’s most ardent defenders find it hard to call “hidden” child pornography services “freedom of speech”, but there are legal questions to be answered about the FBI’s methods.

X marks the spot: Billion-password trove is ‘biggest ever’

Passwords are often posted online in thousands or millions – but this week, a security company revealed the existence of a treasure-trove thought to be the biggest in history: 1.2 billion usernames and passwords, along with 542 million email addresses.

The stolen credentials were in the possession of a gang dubbed “CyberVor” (“vor” meaning “thief” in Russian) and had been harvested from 420,000 different websites, before being unveiled by the Milwaukee firm Hold Security in conjunction with the New York Times.

Others were a little more skeptical of this hoard, the cyber equivalent of finding both the Ark of the Covenant and the Holy Grail in one place, with Forbes questioning why the main use of this awe-inspiring collection of data had so far been to send spam and to sell passwords that let others send more spam. This is not a high-profit business, and with a billion passwords you should surely be able to do something a bit bigger. It is also unclear how new the credentials really are. Forbes also questioned Hold Security’s role, as the company is a small player with much to gain from publicity.

Point of sale terminals under assault

Point of sale systems are becoming scarier by the week. After last week’s article here on We Live Security, Lysa Myers reports another very good reason not to use plastic to pay for anything in American stores: a new PoS malware warning issued this week by Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC).

The malware, which ESET had already been detecting for some time as Win32/Spy.Agent.OKG, is referred to as “Backoff” by US-CERT. The technical details can be found here, and there is also a report you can download as a PDF.

According to the alert, the attackers first brute-force the credentials of remote desktop services on systems that can reach the point-of-sale terminals, then install Backoff, which scrapes payment card data from the memory of POS processes. This sort of malware is multiplying; as Myers puts it, POS terminals are “low-hanging fruit”, and small businesses a particular target.
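A detector for the first stage described above, password guessing against RDP on a machine that can reach the POS terminals, as an added example that is not from the post or from the US-CERT alert. Its input is a constructed, simplified export of Windows Security events (in practice pulled with wevtutil or from a SIEM): 4625 is a failed logon, 4624 a successful one, and Logon Type 10 is RemoteInteractive, i.e. RDP. Failures are counted per source address in a sliding window; a source crossing the threshold is reported, and a success that follows such a burst is reported separately, because that is the moment the attacker is in. The thresholds, window and sample addresses are assumptions for the example.

```python
"""Added example: RDP brute-force detection over Windows Security events.
Not from the post or the US-CERT alert; the event lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
THRESHOLD = 5                   # failures from one source...
WINDOW = timedelta(minutes=2)   # ...within this window

# Constructed sample: timestamp|event_id|logon_type|source_ip|account
EVENTS = """\
2014-08-05T02:14:01|4625|10|203.0.113.7|administrator
2014-08-05T02:14:03|4625|10|203.0.113.7|pos
2014-08-05T02:14:05|4625|10|203.0.113.7|admin
2014-08-05T02:14:09|4625|10|203.0.113.7|POSUser
2014-08-05T02:14:12|4625|10|203.0.113.7|Administrator
2014-08-05T02:14:20|4625|10|203.0.113.7|Admin
2014-08-05T02:14:25|4624|10|203.0.113.7|Administrator
2014-08-05T02:30:00|4625|10|198.51.100.4|jsmith
2014-08-05T02:31:00|4624|10|198.51.100.4|jsmith
2014-08-05T02:31:30|4625|2|127.0.0.1|svc
"""


def parse_event(line: str):
    ts, event_id, logon_type, ip, account = line.split("|")
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), ip, account


def detect(text: str = EVENTS, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> list:
    """Return alerts as (kind, source_ip, iso_timestamp, detail) tuples."""
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = set()               # sources already reported for brute force
    alerts = []
    for line in text.splitlines():
        ts, event_id, logon_type, ip, account = parse_event(line)
        if logon_type != RDP_LOGON_TYPE:
            continue              # console/service/network logons: out of scope here
        failures = recent[ip]
        while failures and ts - failures[0] > window:
            failures.popleft()    # expire failures older than the window
        if event_id == 4625:
            failures.append(ts)
            if len(failures) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("rdp_bruteforce", ip, ts.isoformat(),
                               f"{len(failures)} failures within {window}"))
        elif event_id == 4624:
            if len(failures) >= threshold:
                alerts.append(("rdp_bruteforce_success", ip, ts.isoformat(),
                               f"{account} logged on after {len(failures)} failures"))
            failures.clear()      # a success resets the counter for that source
            flagged.discard(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(*alert)
```

The single failure from 198.51.100.4 followed by a success is the normal mistyped-password case and produces nothing; the burst from 203.0.113.7 produces one brute-force alert when the fifth failure lands and a second, higher-priority alert when the Administrator logon succeeds. Filtering on Logon Type 10 keeps the detector from firing on unrelated service-account noise, which is the usual reason such rules get switched off.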

Myers’ guide to securing POS systems can be found here.

DoS is dead: Cybercriminals prefer malware

America’s Computer Emergency Readiness Team, US-CERT, has made headlines with grim regularity for years, but its British counterpart, CERT-UK, just celebrated its 100th birthday (a hundred days, that is).

The new agency has a firm grasp of fashions in cybercrime, claiming that denial-of-service attacks were on the way out and malware was “in”, with 25% of incidents reported to the agency related to malware, in what it described as a “cat and mouse” game between gangs and corporations.

During its first 100 days, the organization has dealt with 500 businesses, and says communication is critical in cases such as the co-ordinated action against GameOver Zeus. CERT-UK said that it was ‘critical’ that “information flows freely between Government and industry”.

No security conference would be complete without a few attacks against defenseless household appliances: last year an e-toilet fell victim, and a Tesla Model S was hacked in motion by a group of Chinese students only last week. So Black Hat had to go one better: a presentation claimed that in-flight Wi-Fi could be used to hack aeroplane systems, and similar hacks could baffle ships and lead soldiers into ambushes.
IOActive researcher Ruben Santamarta’s presentation focuses on major brands and widely used satellite communication (SATCOM) terminals, and he claims that 100% of the systems under test had vulnerabilities. Weak encryption and “backdoors” which could allow hackers control over communication are rife in all systems under test, according to RT. Some attacks can be performed with an SMS, Santamarta claims.

“These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it,” Santamarta says.

“Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities.”

The companies concerned responded quickly to explain that while such hacks might work in the lab, the world was a rather more complex place.

Internet of Evil Things

Meanwhile, the Internet of Things once again fell victim to a hacker – who turned an entire Chinese hotel mad using only an iPad. Today’s fashion for high-end electronics in luxury hotels allowed a hacker to wreak havoc in 200 suites at once in a five-star hotel in China via an aging ‘internet of things’ system – switching off lights, changing the TV channel, raising blinds and fiddling with the temperature, according to Sky News.

Security researcher Jesus Molina said that his hack was pulled off using an in-room iPad and the hotel’s ‘internet of things’ system, and began simply because he was “bored”.  “I thought about looking to see if a similar system controlled the door locks but got scared,” says Molina, according to Wired’s report.

That did not stop him from switching on and off the “Do Not Disturb” signs on hotel rooms, according to the South China Morning Post.

Internet of Things: Google’s Nest hacked into “full-fledged” spy gizmo
http://www.welivesecurity.com/2014/08/08/internet-of-things-nest-hacked/
Fri, 08 Aug 2014 22:31:03 +0000

The post Internet of Things: Google’s Nest hacked into “full-fledged” spy gizmo appeared first on We Live Security.

Yet another “connected” device was outed as a potential spy this week – as researchers showed how Google’s Nest thermostat could be turned into a “fully-fledged spying device”.

Tom’s Hardware acknowledged that Nest, designed by Tony Fadell, a product expert known as “the father of the iPod”, is among the more secure connected devices, but said that physical access could turn it into a spy device which could tell attackers when you were home and hand them the home Wi-Fi credentials.

The result: “A house fully controlled by the attackers.”

The researchers say that the measures put in place to prevent wireless hacks against the Internet of Things icon actually allow a simpler, wired hack: press the power button, then insert a USB flash drive. “However, the smartness of the thermostat also breeds security vulnerabilities, similar to all other smart consumer electronics.”

Internet of Things: Feel the heat

The hack is not the first against Google’s successful Internet of Things thermostat device – and like the earlier attack, it requires physical access to the Nest.

Yahoo News reports, though, that the scope of the attack is wide-ranging: “Entering into that mode allows you to upload your own code, your custom code, which allows you to attack existing code, implant your own and reboot normally, but maybe have something else running in the background. We have access to the device on the highest level, and we can send stuff that Nest sends to us as well.”

House fully controlled by attackers

Nest has previously been hacked, again using a USB device, allowing “total control” over the gadget. Any attacker would need physical access to the device, but once installed, the proof-of-concept code would allow an attacker to “make changes without ANY restrictions”, the researchers write.

ESET’s 2014 Mid-Year Threat Report discusses the increasing security concerns over internet-connected devices in a segment entitled “The Internet of (Infected) Things”. The full talk is available to download via https://www.brighttalk.com/webcast/1718/110971.

Flash Memory Card Risks (podcast)
http://www.welivesecurity.com/podcasts/flash-memory-card-risks/
Fri, 08 Aug 2014 16:40:20 +0000

The post Flash Memory Card Risks appeared first on We Live Security.

The state of healthcare IT security: are Americans concerned enough?
http://www.welivesecurity.com/2014/08/08/healthcare-it-security-americans-concerned/
Fri, 08 Aug 2014 16:20:46 +0000

The privacy and security of medical records is a matter of concern to many Americans now that most are stored electronically, but is there cause for concern? And who is most concerned?

The post The state of healthcare IT security: are Americans concerned enough? appeared first on We Live Security.

With the health records of most Americans now stored, in whole or in part, on computers, it seems timely to ask how people feel about that. Are they happy with this aspect of healthcare evolution? Are they concerned? Do they have reasons to be concerned? This article examines these questions and supplies some numbers that may provide answers.

[Update, August 18, 2014: "Hack of Community Health Systems Affects 4.5 Million Patients" is reported in the New York Times, which cites the figure of 24,800 medical records exposed per day in 2013, detailed in this article.]

Cause for concern: numbers

When you ask people how they feel about anything health-related you tend to get a wide range of responses and some of them are, understandably, personal and even emotional. So let’s start with some relatively clinical facts, like 24,800. That is the average number of Americans who, by my calculation, had their Protected Health Information (PHI) exposed, per day, in 2013.

I refer to this as my calculation because I derived it from a spreadsheet that I built out of the database that is published by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on the web page known in the healthcare IT world as “the wall of shame” (seriously, just Google: OCR wall of shame). The database contains all of the reports of PHI exposure required under the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA.

Every time I quote that figure of 24,800 records breached, per day, on average, I go check my formulas to make sure I have this number right, and I’m pretty sure I do, with a couple of caveats:

  • First, the official title of the page is Breaches Affecting 500 or More Individuals, and that describes the content of the database they publish, which covers 2009 through May of this year. In other words, that average of 24,800 for 2013 does not include breaches that year which affected fewer than 500 people, of which there were scores if not hundreds.
  • Second, my count is based on the year of the breach, or the final year in the case of a multi-year breach. Obviously, this could be different from the year in which the breach came to light. That’s one reason I am quoting 2013, because the numbers for 2014 are not going to be anything like “complete” until at least mid-2015.*
  • For reference, my total count for 2013 is 9,054,35. The total for all reports, from late 2009 to the most recent posting I captured (Minneapolis VA Health Care System, 5/22/14) came to: 33,738,538. So far in 2014, the count is about 1.5 million, but sadly the year is yet young in terms of breaches coming to light.

To be clear, I am not equating breaches with harm, but harm definitely occurs in some cases (a good source for insight on this would be the Ponemon Institute Survey on Medical Identity Fraud which estimated the financial impact to consumers at $12 billion in 2013). Many of the millions of records that are exposed each year don’t end up in the hands of bad people, but we know for sure that some do, and nobody has a good handle on exactly how many. For a well-documented example of how criminals sell and exploit personal information stolen from medical companies, see Brian Krebs’ article on the doctors hit by tax fraud earlier this year.

I definitely think the current state of IT security in the healthcare world is cause for serious concern, although some would say medical data breach statistics pale in comparison to the number of premature deaths associated with preventable harm to patients (recently estimated at more than 400,000 per year). However, data breaches and medical errors are not unrelated, particularly when greater use of IT systems and digital devices is often put forward as a way to reduce preventable medical errors. That is not reassuring, given some of the attitudes toward information security that I have observed in different parts of the medical world.

Cause for Concern: Attitudes

The recent SANS Health Care Cyber Threat Report, sponsored by threat intelligence vendor Norse and reported in detail by Dan Munro on Forbes, contains not only troubling numbers about healthcare IT security, but also reminds us that medical devices, many of which are actually computers, are at risk. For example, I am writing this article at Black Hat, an annual security event in Las Vegas known for revealing new vulnerabilities in digital devices and systems. Yesterday I had a chance to talk to Jay Radcliffe, the man who opened a lot of eyes to the vulnerability of medical devices when he hacked his own insulin pump at Black Hat in 2011. So I asked Radcliffe, himself a Type 1 diabetic, if things had changed since then, “Not really,” said Radcliffe, who has tried to raise awareness of security issues among medical device makers, adding, “In fact, that’s the main reason I no longer use an insulin pump.” (You can read more about Radcliffe on the blog of Boston-based cybersecurity firm Rapid7 where his job title just happens to be the same as mine: Senior Security Researcher.)

Right before Black Hat, I was at an event called ChannelCon, put on by CompTIA, the computer industry trade association. ChannelCon is a great place to meet the people who actually sell and deliver IT products and services, from enterprises to small businesses. Those products and services include security: firewalls, antivirus, encryption, authentication, backup and recovery, and threat intelligence. I asked a number of IT integrators and managed service providers about selling security in the medical sector, specifically doctors’ offices. The answer I heard loudest and most often? “Doctors don’t care.” When I asked “But what about HIPAA?” the answer was: “They just don’t care.”

Obviously this is not true of all doctors, but I’ve now heard this refrain enough times to think there is a real problem here. After all, aren’t doctors required to protect electronic health records by professional ethics as well as law? Is there some sort of collective denial going on here? I think that question has probably come up at OCR, which continues to find that even large and well-funded hospital systems are not meeting HIPAA privacy and security requirements. And before anyone says these are too onerous or were imposed too quickly, consider this:

“We are looking at a federally-mandated standard for security practices within companies involved in healthcare or handling health-related information. Note that these are considered practices necessary to conduct business electronically in the health care industry today. In other words, normal business costs, things you should be doing today…”

That is a direct quote from my first conference presentation on the importance of getting ready for HIPAA’s privacy and security requirements, delivered in March of 2001. That’s right, more than 13 years ago. The point being, health information on computer systems should have been protected in 2001, before the rules and regulations were finalized, before the compliance deadlines, before the first fines were levied, before the multimillion dollar fines, of which we are likely to see more before the year is out.

Signs of Concern

With all these causes for concern, how concerned are Americans? Not to be glib, but the answer really depends on whom you ask. For example, earlier this year we asked 1,734 American adults if they were concerned about the security and privacy of their electronic patient health records and 40 percent said they were, while 43 percent said they were not. However, the other 17 percent said that, to their knowledge, their health records were not in electronic format. So if we take them out of the equation, the “concerned or not?” question breaks down as 48 percent yes, versus 50 percent no.

Within these numbers, there are some interesting demographic variations. For example, those aged 45-54 are more likely to be concerned than those 18-44 years. Concern was greater among those with college education and among those with children in the household (54 percent vs. 46 percent). Concern was expressed more often among those at the upper and lower ends of the household income scale, with those in the $75K to 90K range concerned less often (45 percent).

I should point out that this survey population may not be entirely representative of the whole adult population. For a start, it is a subset of the 2,034 people to whom we put this question: “How familiar, if at all, are you with the recent NSA news about secret government surveillance of private citizens’ phone calls, emails, online activity, etc.?” The people we quizzed about medical records were “at least somewhat aware” of the Snowden/NSA revelations, about 85 percent of the original sample.

Just under half of American adults who are sufficiently in touch with news and technology tend to be aware of both the Snowden revelations and the fact that their health records are stored electronically are concerned about the privacy and security of those records. Shouldn’t we be seeing a greater level of concern than this? In my opinion, the answer is yes, but that alone is not likely to change many minds. What will change minds is something like the Snowden or Target of electronic health records, a revelation or incident so far-reaching and egregious that just about everyone in the country sits up and takes notice. If that happens there will be headlines, accusations, letters to congress, recriminations, investigations, jobs lost and eventually huge fines and damage awards.

It would be very sad to something like that embroil see the healthcare industry in America, in which so many people work so hard to improve the lives of others. But unless attitudes change and numbers improve, and unless our government decides to get serious about reducing cybercrime, the outlook is stormy at best.


Note that additional results from the survey referred to in this article, which was conducted by ESET in conjunction with Harris Interactive, were published here and additionally here.

*The issue of when breaches occur versus when they come to light can be seen in this article in Health IT Outcomes about the 2013 statistics. It was written early in 2014 and cites a smaller number of total breaches: 8 million versus the 9 million that are listed as “2013” by July of 2014 (to paraphrase the Dude: “New breaches have come to light”). However, the article goes on to quote a very interesting source that asserts the total breach numbers are way higher than is reported.

The post The state of healthcare IT security: are Americans concerned enough? appeared first on We Live Security.

Internet of things: Hacker unleashes “mayhem” in 200 hotel rooms http://www.welivesecurity.com/2014/08/08/internet-of-things-mayham-in-200-room-hotel-hack/ http://www.welivesecurity.com/2014/08/08/internet-of-things-mayham-in-200-room-hotel-hack/#comments Fri, 08 Aug 2014 16:18:31 +0000 Internet of things: Hacker unleashes “mayhem” in 200 hotel rooms http://www.welivesecurity.com/?p=49207 Today’s fashion for high-end electronics in luxury hotels allowed a hacker to wreak havoc in 200 suites at once in a five-star hotel in China - switching off lights, changing the TV channel, raising blinds and fiddling with the temperature.

The post Internet of things: Hacker unleashes “mayhem” in 200 hotel rooms appeared first on We Live Security.

Today’s fashion for high-end electronics in luxury hotels allowed a hacker to wreak havoc in 200 suites at once in a five-star hotel in China via an aging ‘internet of things’ system – switching off lights, changing the TV channel, raising blinds and fiddling with the temperature, according to Sky News.

Security researcher Jesus Molina said that his hack was pulled off using an in-room iPad and the hotel’s ‘internet of things’ system, and began simply because he was “bored”. “I thought about looking to see if a similar system controlled the door locks but got scared,” says Molina, according to Wired’s report.

That did not stop him from switching on and off the “Do Not Disturb” signs on hotel rooms, according to the South China Morning Post.

The Register reports that Molina’s hack was possible due to an aging home automation system – KNX/IP – which dates from the Nineties. It’s still used widely in the Far East and in some hotels in Europe. Molina’s results formed part of the Black Hat security conference in Las Vegas.

Internet of Things: Tool for thermostatic war

Because the iPads – handed out in the five-star St Regis in Shenzhen – connected to one another via the hotel’s network, Molina was able to access other rooms and cause (mild) mayhem. The SCMP reported that a “digital butler” app allowed Molina to control electronics at will – and map out the IP addresses of each room.

Shenzhen, the SCMP reports, is considered the “Silicon Valley” of China, and plays host to wealthy tech executives. In a previous case, a Spanish hacker seized control of automated rooms in another hotel via its Internet of Things system.

“Guests make assumptions that the channel they are using to control devices in their room is secure,” Molina says. But the protocol used in the St Regis is not. “The KNX/IP protocol provides no security so any hotel or public space that have deployed it on an insecure network will make it easy to exploit.”

‘Ever had the urge to create mayhem?’

Molina’s presentation, ‘Learn How To Control Every Room At A Luxury Hotel Remotely’, is not a “hack” as such – it takes advantage of an old communication system without modern protection. Earlier this year, veteran security reporter Brian Krebs reported that hotel business centers were plagued with keylogger malware.

Hacks against hotels and their wealthy clientele are not rare in China. Earlier this year, a huge amount of private information harvested via hotel Wi-Fi networks went on sale in China – including phone numbers, dates of birth and addresses from hotel guests who logged in to networks in their rooms.

“People rushed to check hotel bookings by celebrities and their family members,” says Patrick Boehler, a journalist for the South China Morning Post, who worked on the story, speaking to WeLiveSecurity.

Molina’s hack penetrated deeper into the hotel’s Internet of Things systems – and he says the protocol is still used in well-known hotels in the West.

“Have you ever had the urge to create mayhem at a hotel? Force every hotel guest to watch your favorite TV show with you? Or wake your neighbors up (all 290 of them!) with blaring music and with their blinds up at 3 AM?” Molina asked. “I was able to create the ultimate remote control: The attacker does not even need to be at the hotel – he could be in another country.”

Common password mistakes we all make http://www.welivesecurity.com/videos/common-password-mistakes-make/ http://www.welivesecurity.com/videos/common-password-mistakes-make/#comments Fri, 08 Aug 2014 14:58:50 +0000 Common password mistakes we all make http://www.welivesecurity.com/?post_type=post_video&p=49244 Passwords are critical to safeguarding our personal and financial information, but when using them so often it can be easy to make mistakes. Follow these five simple steps from We Live Security to keep your passwords safe.

The post Common password mistakes we all make appeared first on We Live Security.

Online privacy – FBI ‘using malware’ to track site visitors http://www.welivesecurity.com/2014/08/07/online-privacy-fbi-using-malware-track-site-visitors/ http://www.welivesecurity.com/2014/08/07/online-privacy-fbi-using-malware-track-site-visitors/#comments Thu, 07 Aug 2014 15:02:24 +0000 Online privacy – FBI ‘using malware’ to track site visitors http://www.welivesecurity.com/?p=49174 For several years, FBI agents have been taking an unusual approach to detective work online - using malware against suspects who have not been proven guilty, just visited the wrong Tor site.

The post Online privacy – FBI ‘using malware’ to track site visitors appeared first on We Live Security.

For several years, FBI agents have been taking an unusual approach to detective work online – using malware against suspects who have not been proven guilty, just visited the wrong site.

Wired’s Kevin Poulsen has a detailed analysis of the attacks, and their context: “For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.”

If true, the technique is at least controversial, and possibly questionable in legal terms. The technique, which Poulsen’s sources claim has been in use for years, relies on a “drive-by download” where site visitors are infected with malware – in this case, to de-anonymize users of child pornography sites.

Most high-profile arrests of the administrators of Tor “hidden service” sites have relied on alleged perpetrators leaking information in the real world – as in the case of the arrest of alleged Silk Road founder Ross Ulbricht.

Online privacy: Tor users targeted

Tor’s security – best understood as a layered onion skin – hence the name ‘Onion Router’ – bounces signals round thousands of relays, making sites and users hard to trace.

It is claimed that the FBI malware not only logged MAC addresses, but persisted on victim computers for years after they had visited “hidden services” alleged to host child pornography.

Designed with the help of U.S. military experts, The Tor Project is still heavily funded by the U.S. government – even the NSA grudgingly admits it is “the king” of anonymity – but its dark web sites are now full of discussions about thieves, informers, hackers, and PGP keys.

Tor is a privacy tool which allows users to access “hidden” sites, with the .onion suffix, which cannot be accessed via regular web browsers – users instead use customized bundles of open-source browsers. It’s used by political activists – but also plays host to markets selling child pornography, hacked data, drugs and weaponry.

Online drug bazaars

Forbes commented: “Because looking at child porn is a crime, it’s a fairly unobjectionable deployment of FBI spyware but the method — which the FBI calls the “network investigative technique” — raises questions about when else law enforcement might feel it has the right to drop spyware on your computer just for visiting a website. Will browsing an online drug bazaar get you reported to the cops even if you don’t buy?”

Tor has been in the news constantly after an alleged attack aimed at de-anonymizing users, which was due to be part of a presentation at Black Hat 2014, but was pulled amid legal concerns.

“This is such a big leap, there should have been congressional hearings about this,” says ACLU technologist Chris Soghoian, an expert on law enforcement’s use of hacking tools. “If Congress decides this is a technique that’s perfectly appropriate, maybe that’s OK. But let’s have an informed debate about it.”

Anonymity under threat?

Several high profile arrests have been linked to suspected outbreaks of ‘de-anonymizing’ malware on Tor. 28-year-old Eric Eoin Marques, described as “the largest facilitator of child porn on the planet”, was arrested after unknown software harvested PC MAC addresses and sent them to a remote webserver.

“It’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services,” Tor said in its official post.

Wired’s Threat Level blog claimed the information was being sent to an address in Virginia, home of the FBI.

Poulsen’s in-depth report claims that agents installed the malware on “hidden services” after arresting an American man for hosting child pornography. Visitors to his sites then had their MAC and IP address logged – big news on Tor. Poulsen reports that “over a dozen alleged users of Tor-based child porn sites are now headed for trial as a result” according to Gizmodo.

Slashdot users were dismissive – one said, “In a nutshell, they simply had any computer that contacted the web site send back the computer’s real IP address and its MAC address. The actual security of the Tor wasn’t affected. Just that compromising information was sent through the Tor network. Just as any other data would be sent through the Tor network.”


CyberVor hacking gang steals 1.2 billion usernames and passwords http://www.welivesecurity.com/2014/08/06/cybervor-hacking-gang/ http://www.welivesecurity.com/2014/08/06/cybervor-hacking-gang/#comments Wed, 06 Aug 2014 20:40:17 +0000 CyberVor hacking gang steals 1.2 billion usernames and passwords http://www.welivesecurity.com/?p=49162 Somewhere in a small city in south central Russia, a group of men in their twenties have got away with what some are describing as one of the biggest cyber-heists in history.

The post CyberVor hacking gang steals 1.2 billion usernames and passwords appeared first on We Live Security.

Somewhere in a small city in south central Russia, a group of men in their twenties have got away with what some are describing as one of the biggest cyber-heists in history.

The gang, which has been dubbed “CyberVor” (“vor” means “thief” in Russian) by security researchers, is thought to be in possession of the largest known haul of stolen internet credentials – 1.2 billion usernames and passwords, together with 542 million email addresses.

And the data has been stolen from some 420,000 different websites.

That’s the astonishing claim being made this week by Milwaukee firm Hold Security, who have used the backdrop of the Black Hat and Def Con conferences taking place in Las Vegas this week to announce their discovery, with a little help from reporters at the New York Times.

And naturally the company isn’t being entirely altruistic with its announcement – it’s also using the opportunity to promote its penetration testing and identity monitoring services. I must admit, how they have gone about things has left a bad taste in my mouth.

Frustratingly, Hold Security isn’t saying which sites have been hacked, nor has it given users any method to determine whether their account credentials might have been included in the haul. So quite how the average computer user is supposed to respond to an announcement with such a lack of actionable detail is anybody’s guess.

All the researchers have said is that the gang amassed its treasure trove by using botnets to identify websites with SQL injection vulnerabilities, and scooping up their data.

It seems unlikely that all of the websites have been informed of the problem either, considering the number said to have suffered breaches. Hold Security’s founder Alex Holden told the New York Times that websites around the world have been affected, including ones in Russia where the hackers are said to hail from.

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable.”

I have no doubt that the scale of the CyberVor hacking gang’s ill-gotten gains will make numerous headlines over the coming days, but what I would rather see is Hold Security share comprehensive details of what it has discovered with the public, and for clear advice to be shared with organisations and individuals on how to avoid becoming victims in future.

Website developers, for instance, should ensure that they have reviewed their code for SQL injection vulnerabilities, as well as other commonly found flaws.
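The SQL injection flaw referred to above comes down to building a query by pasting user input into the SQL text. As an added illustration (this is example code, not Hold Security’s findings nor any site’s real code), the block below runs a constructed in-memory SQLite user table through a lookup written both ways: string formatting, where a quote character in the input becomes SQL syntax, and a parameterized query, where the database driver keeps the value separate from the statement. The table contents, user names and the probe string are all made up for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", "alice@example.invalid"),
            ("bob", "bob@example.invalid"),
            ("o'brien", "obrien@example.invalid"),  # a legitimate apostrophe
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the caller's input is spliced into the SQL text.

    Quotes in `username` are interpreted as SQL, so the WHERE clause can be
    rewritten by whoever controls that value.
    """
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Hardened: a parameterized query (the `?` placeholder).

    The driver sends the value out of band; it can never change the
    statement's structure, and a real apostrophe is simply data.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input and report the row counts.

    Returns (vulnerable_count, hardened_count); a count of None means the
    vulnerable query was rejected by the database as malformed SQL.
    """
    conn = make_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, username))
    except sqlite3.OperationalError:
        vulnerable = None
    hardened = len(lookup_hardened(conn, username))
    conn.close()
    return vulnerable, hardened


if __name__ == "__main__":
    # Normal input: both versions agree.
    print("alice     ->", compare("alice"))
    # Legitimate apostrophe: the vulnerable query breaks, the hardened one works.
    print("o'brien   ->", compare("o'brien"))
    # Textbook tautology probe (constructed): the vulnerable query returns
    # every row, the hardened query matches nothing because no such user exists.
    print("tautology ->", compare("' OR '1'='1"))
```

The same point holds for any client library: the fix is not to escape quotes by hand but to hand the value to the driver as a bound parameter, which is what a code review for SQL injection should be looking for.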

It’s also a shame that Hold Security didn’t work with a service like haveibeenpwned, created by researcher Troy Hunt, that helps users determine if any of their accounts had been compromised. Mind you, the scale of the alleged find might have made that problematical.

For the average man and woman in the street, determining how best to protect the details they share with third-party websites is tricky.

Whenever you create accounts online you are putting trust in the hands of web developers that they are properly securing your information. The very best you can do is enable additional security measures (such as multi-factor authentication when made available), and ensure that you never reuse the same password nor choose a password that is easy to guess or crack.

Because one thing is clear: The Russian CyberVor gang may or may not be sitting on one of the largest cybercriminal hauls in history, but unless we all work harder to keep our private information safe and secure, this is not going to be the last time that you’re waking up to newspaper headlines of stolen passwords.

Malware behind 25% of cyber attacks – and DoS is ‘so last year’ says CERT team http://www.welivesecurity.com/2014/08/06/malware-behind-25-cyber-attacks-dos-last-year-says-cert-team/ http://www.welivesecurity.com/2014/08/06/malware-behind-25-cyber-attacks-dos-last-year-says-cert-team/#comments Wed, 06 Aug 2014 17:14:39 +0000 Malware behind 25% of cyber attacks – and DoS is ‘so last year’ says CERT team http://www.welivesecurity.com/?p=49124 Cybercriminals are waging a game of ‘cat and mouse’ with corporations, well-armed with malware protection AV software but facing adversaries who scan constantly for weak points, according to the first quarterly report released by the UK’s new Computer Emergency Response Team.

The post Malware behind 25% of cyber attacks – and DoS is ‘so last year’ says CERT team appeared first on We Live Security.

Cybercriminals are waging a game of ‘cat and mouse’ with corporations, well-armed with malware protection AV software, but facing adversaries who scan constantly for weak points, according to the first quarterly report released by the UK’s new Computer Emergency Response Team. The key to winning this malware protection war, the organization says, is “communication” between governments and corporations.

The report hinted at a decline in the damage caused by DDoS attacks, according to CyberParse’s report. CERT commented that companies either had dedicated teams to deal with such attacks, or relied on specialist companies, according to Computer Weekly.

“Some organizations are able to handle the incident through existing capabilities, while others decide to bring in a cyber incident response-certified company to assist them,” said CERT-UK.

“DoS attacks have risen in prominence over the last few years, and the mitigation advice relating to them is well established,” UK CERT said.

Malware protection far better than DoS shields

“The low level of incident reports received by CERT-UK could be indicative that businesses are now well prepared to mitigate this attack, and so no longer need to seek assistance if afflicted by a DoS attack.”

The first 100 days of the new agency saw the Heartbleed bug, which the agency’s report said, “highlighted how important it is to have an accurate inventory of software installed on devices and to keep abreast of vulnerabilities in that software.”

The number of social media account compromises reported to the agency was “very low”; CERT speculated that this could be because such incidents are often dealt with by law enforcement.

The agency commented that malware continued to evolve in “sophistication and advanced functionality” but that AV vendors kept pace with this.

Malware protection: Old enemy still behind 25% of incidents

“Securely configuring endpoint devices, whether desktop, laptop, tablet or mobile, can go a long way in preventing malware from compromising your network,” says CERT.

During its first 100 days, the organization has dealt with 500 businesses, and says communication is critical in cases such as the co-ordinated action against GameOver Zeus. CERT said that it was ‘critical’ that “information flows freely between Government and industry”.

In a detailed blog post describing the takedown of the notorious botnet ESET researcher Stephen Cobb writes, “We would all like technology to solve the cyber crime problem but it cannot. Reducing cyber crime will take sustained law enforcement efforts, at all levels, from the local to the international, plus cooperation from companies and consumers playing their part to stop the spread of malware and stop unauthorized access to systems and data. That means consistent use of strong anti-malware, strong authentication, and strong encryption. Together, we can make a difference.”

Wi-Fi security – can inflight internet REALLY hack planes? http://www.welivesecurity.com/2014/08/05/wi-fi-security-can-inflight-internet-hack-planes/ http://www.welivesecurity.com/2014/08/05/wi-fi-security-can-inflight-internet-hack-planes/#comments Tue, 05 Aug 2014 22:13:01 +0000 Wi-Fi security – can inflight internet REALLY hack planes? http://www.welivesecurity.com/?p=49110 Aircraft communications equipment can be hacked via Wi-Fi and inflight entertainment systems, allowing access to communications systems aboard aircraft in flight - and even military systems could be at risk.

The post Wi-Fi security – can inflight internet REALLY hack planes? appeared first on We Live Security.

Aircraft communications equipment can be hacked via Wi-Fi and in-flight entertainment systems, allowing access to communications systems aboard aircraft in flight – and other satellite systems, including military devices, are also vulnerable. The revelations about weaknesses in satellite communication systems are one of the most talked-about presentations at the Black Hat security conference, according to Reuters.

The vulnerability lies in satellite communications systems used widely in passenger aircraft, shipping and other industries – and if proven true, could prompt a global overhaul of those systems.

Black Hat is no stranger to world-changing hacks – this year has seen the revelation of a technique that would allow any USB port to become a portal to inject invisible malware, or extract data. CNET described Ruben Santamarta’s talk as “the hacking presentation that will get the most attention”.

Santamarta’s presentation focuses on major brands, and widely used systems – and he claims that 100% of systems under test had vulnerabilities. Weak encryption and “backdoors” which could allow hackers control over communication are rife in all systems under test, according to RT. Some attacks can be performed with an SMS, Santamarta claims.

“These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it,” Santamarta says.

“Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities.”

Wi-Fi security: A deadly weakness?

“These devices are wide open. The goal of this talk is to help change that situation,” Santamarta told Reuters. Santamarta outlined several scenarios where the attacks could cause serious damage or loss of life.

Russia Today quotes Santamarta as saying, “The ability of the victims to communicate vital data or ask for support to perform a counter-attack is limited or even cut off. In the worst-case scenario, loss of lives is possible.”

Military communications at risk?

Among the systems tested were BGAN satellite units used in the field by the military. One unit, used by NATO forces, could allow an attacker to stage ambushes against forces. “The vulnerabilities found in the RF-7800B terminal allow an attacker to install malicious firmware or execute arbitrary code. A potential real-world attack could occur.”

Another model, in use by forces today, was vulnerable to attacks which exposed units’ GPS coordinates: “An attacker can take complete control of these devices by exploiting a weakness in their authentication mechanism using either direct access or scripted attacks (malware).”

The tests were carried out in the laboratory, and based on reverse-engineering the firmware (software similar to a computer OS) of various systems for air-to-ground and ship-to-ship communication.

At least one company has already come forward to state that the Wi-Fi hack used would be impossible in a “real world” situation. Other vendors have dismissed the risks as “very small”.

Dark web II: Tor’s markets ramp up security – and business booms http://www.welivesecurity.com/2014/08/05/dark-web-tor-ramps-up-security/ http://www.welivesecurity.com/2014/08/05/dark-web-tor-ramps-up-security/#comments Tue, 05 Aug 2014 21:36:04 +0000 Dark web II: Tor’s markets ramp up security – and business booms http://www.welivesecurity.com/?p=49016 Since a recent claim researchers could “uncloak” Tor users for less than $3,000, there has been a flurry of activity in the “anonymous” online service - but in the form of new adverts, new markets, and new security.

The post Dark web II: Tor’s markets ramp up security – and business booms appeared first on We Live Security.

Ever since two researchers announced they had a method to “uncloak” Tor users on dark web sites for less than $3,000, there has been a flurry of activity in the “anonymous” online service, particularly the markets that fit the description of a ‘dark web’ – new rules, new technologies, new addresses.

But new shops are opening, slicker than ever – and business is booming.

Designed with the help of U.S. military experts, The Tor Project is still heavily funded by the U.S. government – even the NSA grudgingly admits it is “the king” of anonymity – but its dark web sites are now full of discussions about thieves, informers, hackers, and PGP keys.

Tor is a privacy tool which allows users to access “hidden” sites, with the .onion suffix, which cannot be accessed via other browsers – users instead use customised bundles of open-source browsers such as Firefox. It’s used by political activists – but also plays host to some of the most terrifying classified ads ever made. Even worse than the ones in local newspapers.

One Tor user – who wished to remain anonymous – said that the new dark web markets (dozens of them) were often bourgeois and upscale, offering premium, imported marijuana with high-end customer service. Sites such as Tor Bazaar openly shun weapons and pornography.

One market, Middle Earth, offers competitions with free Ecstasy pills as prizes. Others have adverts: “Honest Cocaine: Life May Not be Honest But Our Cocaine Always Is.”


Contrary to mainstream media reports, the Silk Road bust did little to stem the trade. Tor itself pointed out that the suspects were “found through actual detective work.”

The Tor Project continues to improve security (new measures defending against the relay attack were revealed this week). New dark web markets and new ads continue to sprout up.

This week, easily accessible via a Reddit thread, were: Behind Blood Shot Eyes, Farmer1, Bungee54, Dutchy Anonymous, Onionshop, The Majestic Garden, Pandora, Russian Anonymous Market, Silk Street, Acorah, Andromeda. Blue Sky Black Bank, The Pirate Market, Outlaw market, Hydra, Agora.

Many dark web sites have shifted their URLs, and restructured their finances – Bitcoins are transferred through “multi-sig” transactions for security. The Pirate Network advises: “When signing up NEVER use your actual email address, remember to keep your darknet alias completely separate from your actual identity.”

V3 reported that Tor warned users to “assume” they had been affected. They have – but as these adverts show, business continues as usual.

Dark web: Estate Agents made to look “even worse”

“Please do not contact us regarding regular SEO work” begs an agency who specialize in making businesses burn – and can even make estate agents look more untrustworthy than they already are. It seems unlikely that anyone would, given how they describe themselves.

“Our team of dedicated hackers have over five years of experience in doing this professionally. Hit the first page on Google under any name or company name while trashing their reputation. Advertise warning about a business where it hurts them most (eg. real estate websites, yellow pages etc… depending on the business). Prices are discussed in private.” All you need is a PGP key for privacy, around $5000, and a complete lack of morals.


For sale: 1,000 friends – “perfect as slaves”

For anyone who has built up 1,000 Facebook friends, this may come as a shock – all that effort is worth £3, on Tor Bazaar. As an ESET guide explains, account details are valuable to cybercriminals – and this vendor offers email addresses and other details as part of the deal.

“These accounts are perfect for getting ~500 slaves for your RAT’s botnets and such. All accounts are checked and in full working condition when delivered!” he promises. “If your account does not work PM me, I will check and if that’s the case I will replace your product with a working one otherwise a full-refund will be made!”

ESET’s guide to Facebook privacy and password hygiene may help prevent your hard-won 1,000 friends being sold for £3.

Tracking cellphones

Many hackers offer data sourced from insiders at companies – such as one which will trace a cellphone, presumably via a company insider. The trace is performed live.

“Track down any cellphone in the UK without the users permission or knowledge. Simply enter a number and get results directly from the cell company. Offered as a service or as source code,” the hackers offer.

Prices range from $150 for a trace to $1,000 for source code.

The hackers say, “Code must be used with a VPN as this is a live hack into cell network data.”

Special Offer: Free heroin

Free ‘tester’ packs of drugs are a standard sales technique – for instance, vendors on Tor Bazaar offer 1/10 grams of cocaine for less than $10.


But one vendor goes further: “You can snort, shoot and smoke it. They claim they have the best Heroin straight from Turkey.” All you need is to be in Holland, and willing to risk a rapid and pointless death if the heroin happens to be either A) too strong, or B) poison. Write a will bequeathing your Bitcoins to your loved ones first.

Buy an SUV – or assassinate a politician?

‘Dark markets’ are full of liars, cheats and thieves. Packages often fail to arrive, or vendors offer deals so utterly insane there are two possibilities. One: they are insane. Two: they will just run away into the sunset with your Bitcoins.

Political assassination is an expensive business – but a mysterious trio offer efficient kills, as long as no “Top 10” politicians are involved. “We are a team of 3 contract killers working in the US and Canada and in the EU. Once you made a “purchase” we will reply to you within 1-2 days, contract will be completed within 1-3 weeks depending on target. Only rules: no children under 16 and no top 10 politicians.”

The price is around $20,000. Politicians just outside the top ten – transport officials for instance – should be safe from the deadly trio.

Uzi for sale – with free malware!

Many adverts on ‘dark markets’ are fakes – designed to lure unwary users into handing over account details or Bitcoins. One recent ad promised, “Im offering a 9mm (9x19mm) ERO UZI with Silencer with 5 Magazins each 32 rounds The Silencer is very quiet and doesnt need subsonic ammunition for normal use.” (sic.)

The vendor promised a unique, effective way of shipping the weapon across borders – and a library of pictures…. which attempted to install software on your machine each time you clicked. Each image was a URL on Tor which turned out to download an .exe file and at a guess, the software was probably not a free user guide thrown in by the kind vendor.


Hackers for hire: Skills high, sanity questionable

Banking Trojans are sold through most dark net markets – but it helps to have a command of Russian, as the latest tend to be on sale on Russian-language forums. Hackers aren’t team players, though. One advertiser says, “We hack Yahoo, Hotmail, Gmail, Facebook.”

Hackers offer Trojans, bespoke attacks (designed to attack a particular company), or RAT (Remote Access Tools), often used to spy on teenage girls via webcams. Others are professional spyware, whose uses are presumably industrial espionage: “This RAT was written by me and cannot be blocked. Tested with the strictest firewall policies. Cannot be reversed without the private key. Automatically maps all hard disks and network disks. Creates a map of files to browse even when the target is offline.”

Others are less professional – but much more scary: “Ill do anything for money, im not a pussy :) if you want me to destroy some bussiness or a persons life, ill do it! i can ruin them financially and or get them arrested, whatever you like. If you want someone to get known as a child porn user, no problem.”

The post Dark web II: Tor’s markets ramp up security – and business booms appeared first on We Live Security.

Sharing documents… without sharing secrets
http://www.welivesecurity.com/videos/share-documents-without-sharing-secrets/
Tue, 05 Aug 2014 10:39:28 +0000

Sharing documents through the web is essential in most occupations. When sharing sensitive information, though, it’s important you take the necessary precautions to keep you and your data safe. Here’s how to share documents without sharing secrets…

The post Sharing documents… without sharing secrets appeared first on We Live Security.

Data breach burns Firefox – add-on creators hit by email leak
http://www.welivesecurity.com/2014/08/04/data-breach-in-firefox-add-ons/
Mon, 04 Aug 2014 15:24:07 +0000

After a technical error on a Mozilla database, thousands of email addresses and encrypted passwords were exposed for nearly a month – leaving 78,000 Mozilla app developers vulnerable to hackers.

The post Data breach burns Firefox – add-on creators hit by email leak appeared first on We Live Security.

Thousands of email addresses and encrypted passwords were exposed for nearly a month – leaving 78,000 Mozilla app developers vulnerable to hackers. It’s not yet clear whether the vulnerability has been exploited, or whether this is a data breach, Mozilla said.

The email addresses, plus 4,000 encrypted passwords, were left on a publicly available server for 30 days from June 23, leading to concerns over a potential data breach, according to Ars Technica’s report.

In an official blog post, Stormy Peters, Mozilla’s director of developer relations, said, “While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access. The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today.”

“Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We’ve sent notices to the users who were affected,” Peters said.

Data breach? Firefox’s add-on developers warned

VPN Creative said the breach had potentially exposed, “the email addresses and passwords of many of the top add-on programmers who have helped Firefox and its associated programs become one of the most customizable and sought after browsers available on the market today.”

Firefox is the third-most popular browser in the world after Chrome and Internet Explorer. The customizable nature of the browser – allowing add-ons to change the appearance and function of the software – was revolutionary 10 years ago.

Writing on Mozilla’s add-ons blog, Amy Tsay says, “Anyone with coding skills could create an add-on and submit it to addons.mozilla.org (AMO) for others to use. The idea that you could experience the web on your own terms was a powerful one, and today, add-ons have been downloaded close to 4 billion times.”

Elite force in the browser wars

Popular Firefox add-ons such as Lightbeam have offered the general public a visual way to understand privacy – a graphic shows companies connecting to a machine as it browses, from third-party ad trackers to e-commerce companies.

ESET Researcher Stephen Cobb writes, “Last year’s ESET Threat Report demonstrated that online privacy had become something the world was worried about, in the wake of Edward Snowden’s revelations. I predicted an unprecedented level of interest in encryption products due to continuing revelations about state-sponsored surveillance of companies and consumers.”

Peters also invites developers who are concerned they may have fallen victim to contact Mozilla directly. Mozilla also created a forum for developers to voice concerns, and asked for advice from the wider security community.

The potential breach was caused by an automated process of “data sanitization” which left the information on an accessible server.

Malware is called malicious for a reason: the risks of weaponizing code
http://www.welivesecurity.com/2014/08/01/malware-called-malicious-reason-risks-weaponizing-code/
Fri, 01 Aug 2014 20:21:56 +0000

The risks of government use of malicious code in cyber conflict are examined in this paper by Andrew Lee and Stephen Cobb: Malware is called malicious for a reason: the risks of weaponizing code.

The post Malware is called malicious for a reason: the risks of weaponizing code appeared first on We Live Security.

Should malicious code be used as a weapon of war? This is not a hypothetical musing but a question that has been under serious discussion in military and diplomatic quarters for some time. We already know from U.S. National Security Agency documents leaked by Edward Snowden that for several years now the NSA has been deploying Computer Network Attack “implants,” an agency pseudonym for Trojan code, i.e. malware.

I think it is common knowledge that some people in the armed forces of the United States would like to add malware to their armory, and I’m pretty sure this is true of a wide range of countries. The military appeal of malicious software, with its potential to infiltrate and disrupt digital systems with no obvious risk to your own troops, is perhaps understandable. However, if you ask the folks who spend every day defending against, and cleaning up after, real world malware attacks, you will hear a lot of reasons why military deployment of malicious code is a very risky proposition (a common expression used with respect to this phenomenon is “What could possibly go wrong?”).

Thankfully, there are folks in the military who ‘get’ that deploying malware is very risky. To assist them, and advance the conversation about malware in the context of cyber conflict, I worked with Andrew Lee, CEO of ESET North America, to produce a paper on this topic, titled: Malware is Called Malicious for a Reason: The Risks of Weaponizing Code (PDF).

The paper was recently published in the 6th International Conference on Cyber Conflict (CyCon) Proceedings, P. Brangetto, M. Maybaum, J. Stinissen (Eds.), IEEE, 2014. The full conference proceedings will soon be available online along with the proceedings from previous conferences (which make for great reading if this topic interests you).

Recently, I had the good fortune to present the paper in person at the annual CyCon conference in Estonia. The conference is organized by the NATO Cooperative Cyber Defence Center of Excellence or CCDCoE, which is located in Tallinn, the Estonian capital.

The CCDCoE is the entity responsible for the project that produced The Tallinn Manual on the International Law Applicable to Cyber Warfare (which can be read online here). A quick search for references to malware in that work will give you an idea of how seriously some people have been taking the issue of malicious code deployment in the context of cyber conflict, from a variety of perspectives, including legal, ethical, technical, strategic, economic, military and diplomatic.

The human networking that occurred at CyCon was an opportunity to validate my concerns about a “risk awareness shortfall” in some quarters when it comes to deploying malicious code for “righteous” ends. As we argue in the paper, such deployment carries great risk of unintended consequences, not to mention loss of control over the code. While cyber criminals do not feel restrained by such concerns, and appear undeterred by moral dilemmas like collateral damage and spreading code that can be used by unscrupulous persons for all manner of illegal purposes, we argue that legitimate entities considering the use of malware for “justifiable offense” or “active defense” must fully understand the issues around scope, targeting, control, blowback, and “arming the adversary”.

In our paper we researched existing open source literature and commentary on this topic to review the arguments for and against the use of “malicious” code for “righteous” purposes, introducing the term “righteous malware” for this phenomenon. In our research we were pleasantly surprised to find that the antivirus community’s longstanding objections to the notion of “a good virus,” which Vesselin Bontchev analyzed and published in his 1994 EICAR paper, Are ‘Good’ Computer Viruses Still a Bad Idea?, (Proc. EICAR’94 Conf., pp. 25-47) were not only still valid, but in some instances quite prescient.

We hope that our paper will help to inform and advance debate about the use of malicious code in cyber conflicts. If you like, you can download a PDF of the slides I used when presenting the paper. The slides are also available on SlideShare. In addition, I highly recommend Andrew Lee’s 2012 Virus Bulletin paper: Cyberwar: Reality, or a Weapon of Mass Distraction?

BTW, if you are heading to Black Hat next week, you might want to catch Mikko Hypponen’s “Governments as Malware Authors: The Next Generation.” It’s in Mandalay Bay D at 14:15 on Wednesday, and in my diary.

(Big hat tip to all who provided input on this paper, including Lysa Myers, David Harley, Aryeh Goretsky, Cameron Camp, and Righard Zwienenberg).

Business Continuity Management 101
http://www.welivesecurity.com/podcasts/business-continuity-management-101/
Fri, 01 Aug 2014 20:11:34 +0000

The post Business Continuity Management 101 appeared first on We Live Security.

Homeland Security warns of new Point of Sale attacks
http://www.welivesecurity.com/2014/08/01/backdoor-malware-point-of-sale-pos/
Fri, 01 Aug 2014 16:40:00 +0000

New malware targeting point of sale (PoS) systems, detected by ESET as Win32/Spy.Agent.OKG, is described in a warning and analysis distributed by US-CERT, a reminder to increase security around PoS access.

The post Homeland Security warns of new Point of Sale attacks appeared first on We Live Security.

Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now. Hot on the heels of last week’s article here on We Live Security, a new PoS malware warning was issued this week by Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), in partnership with the United States Secret Service (USSS) and the Financial Sector Information Sharing and Analysis Center (FS-ISAC), along with Trustwave SpiderLabs.

The malware, which had already been detected for some time by ESET (Win32/Spy.Agent.OKG), is referred to as “Backoff” by US-CERT. The technical details can be found here. There is also a report you can download as a PDF.

As with numerous other PoS malware attacks, infection by Backoff is through brute forcing the login of admin or other privileged accounts on a wide range of remote desktop applications. This access is used to enable command and control communication with the criminals executing these attacks. The PoS malware then performs RAM scraping and keystroke logging. A malicious stub is injected into explorer.exe to achieve persistence.

The fact that such a detailed report was pushed out with a relatively loud alert underlines the seriousness of this type of attack for the retail industry, and the growing importance of implementing appropriate security measures, especially when remote desktop software is used on the systems that have access to PoS devices. The Backoff warning specifically refers to the following remote desktop solutions: Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMeIn Join.

Beyond those specific apps, it should be said that any sort of software that allows administrators to remotely access machines that are involved in financial transactions, or connected in any way to PoS systems, should be given extra scrutiny and protection against potential intruders. Check out our advice in last week’s article on securing PoS systems and seriously consider adding two-factor authentication to any systems or services that can touch your PoS systems.

Week in Security: Tor in turmoil, USB ports in a storm, Android app attack
http://www.welivesecurity.com/2014/08/01/week-security-tor-turmoil-usb-ports-storm-android-app-attack/
Fri, 01 Aug 2014 16:33:30 +0000

This week in security news saw the world’s researchers discover a whole new range of Achilles Heels for PCs, the online privacy service Tor, and even ‘connected’ gadgets such as internet fridges.

The post Week in Security: Tor in turmoil, USB ports in a storm, Android app attack appeared first on We Live Security.

This week in security news saw the world’s researchers discover a whole new range of Achilles Heels for PCs, the online privacy service Tor, and even ‘connected’ gadgets such as internet fridges – which, in an in-depth test of the most popular devices, turned out to have, on average, 25 serious flaws each.

Such security news revelations are, of course, to be expected in the run-up to one of the biggest events in the security calendar – Black Hat USA 2014, scheduled for 2nd August in Las Vegas.

Security news: Tor users ‘sweating heavily’

The story that probably worried the most people – a new technique for identifying individuals within the anonymizing service Tor – broke when researchers decided NOT to talk at Black Hat.

The talk, entitled “You Don’t Have to be the NSA to Break Tor” aimed to showcase a technique which could “uncloak” users of the anonymizing web service for less than $3,000. Tor (a privacy tool which conceals the identity of users by “bouncing” traffic around the web), is widely used by political activists – as well as criminals. At the last moment, Cornell University legal counsel cancelled the talk. A later blog post from the Tor Project said that an attack against the network, lasting five months, appeared to be associated with the researchers.

“Hidden service operators should consider changing the location of their hidden service,” the Project’s blog advised. The Tor Project also warned that the attack could pave the way for future attempts by other adversaries such as “large intelligence agencies.”

All your USB port are belong to us

Even more spectacularly – given the sheer number of potential victims – another Black Hat speaker ‘uncloaked’ himself, and revealed that USB ports were not in fact a stable, reliable component, but a lethal back door by which malware could sneak into computers, with no current defense able to detect or stop it.

While current anti-malware services scan for malicious software on USB sticks, the devices also have firmware – to help the gadgets interact with PCs, for instance allowing a USB stick to download and upload files. Karsten Nohl of Berlin’s SR Labs says that this firmware can be spoofed – allowing devices to steal data, spy and control computers. Nohl said he would be “surprised” if the NSA were not aware of the technique.

Gizmodo reports that Nohl’s team wrote malware, titled BadUSB, specifically for the attack: “It can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic.”

ESET Senior Research Fellow David Harley says that computer mice and keyboards are probably safe – so far. “No cause for panic, as far as I can tell from the information I have so far,” Harley says. “It’s not as though your 10-year-old thumb drive will suddenly be infected by Stuxnet, at any rate via this vector.”

Connected house of security horrors

While security-conscious gadget fans were still reeling from the news that USB ports were gateways through which malicious mice might attack, the rest of the “connected home” was revealed to be a security house of horrors, too.

In the first in-depth survey of its kind, popular “Internet of Things” devices were found to leak so freely that intelligence services almost certainly have access to critical data such as grocery listings and thermostat settings. HP’s tests found gadgets revealed personal information, accepted weak passwords such as “1234” and failed to encrypt messages to the cloud, to apps, and to home networks.

HP found that 70% of the devices had critical vulnerabilities, and said that they seemed to combine all the weaknesses of networks, applications and mobile devices into something “new and even more insecure”. Early adopters are advised (by HP) to put the leaky devices on a separate network. Perhaps waiting a while before making a purchase may be equally effective.

Android ID loophole affects millions (in theory)

Android users – no strangers to security scares – were teased with details of a truly terrifying vulnerability, which leaves up to 80% of devices vulnerable to “bad apps” impersonating good ones. “It is very, very easy for malware to use this attack – it is silent, transparent, with no notifications to users,” said Jeff Forristal of Bluebox Security, which uncovered the bug. The bug allows apps to use digital signatures belonging to other publishers and thus perform actions such as stealing data. Forristal will present more details of his research at Black Hat 2014, saying, “This can lead to a malicious application having the ability to steal user data, recover passwords and secrets, or in certain cases, compromise the whole Android device.” Google has patched the bug, but only for handsets running Android 4.4 or later. Older Android owners will just have to wait, and hope Google’s beefed-up defenses in Google Play are enough to prevent apocalypse.

Tor ‘unmasked’ – but who is at risk?
http://www.welivesecurity.com/2014/07/31/online-privacy-tor-unmasked-for-5-months/
Thu, 31 Jul 2014 16:06:42 +0000

Users of the online privacy service Tor – designed to allow users to access hidden sites anonymously – may have been unmasked after an attack lasting five months, crafted to de-anonymise traffic on the service.

The post Tor ‘unmasked’ – but who is at risk? appeared first on We Live Security.

Users of the online privacy service Tor – designed to allow users to access hidden sites anonymously – may have been unmasked after an attack lasting as long as five months, crafted to de-anonymize traffic on the service, according to the BBC’s report.

Tor is a privacy tool which allows users to access “hidden” sites and services, with the .onion suffix, which are accessed via customized versions of open-source browsers such as Firefox. It’s used by political activists – but also said to host child pornography, and illegal markets in everything from drugs to weaponry.

The Tor Project said that it had halted the attack on 4 July, but it may have been ongoing as long as five months. Business Insider said that it was not clear what data on users, or hidden services, the attackers had obtained.

V3 reported that Tor warned users to “assume” they had been affected.

Online privacy – ‘assume’ you are affected, users told

Usually, Tor users are extremely hard to track – the privacy tool “bounces” information between 5,000 volunteer PCs to hide its tracks. Even America’s National Security Agency (NSA) described it as, “the King of high secure, low latency Internet anonymity.”

The service is used by whistleblowers, political activists and news organizations, but The Telegraph claims it is also “widely used” by criminals.

The Tor Project said it believed the attack had been carried out by two researchers due to give a talk at the Black Hat conference in Las Vegas next week. The presentation was cancelled by lawyers from Cornell University for unspecified reasons.

The talk, entitled “You Don’t Have to be the NSA to Break Tor” aimed to showcase a technique which could “uncloak” users of the anonymizing web service for less than $3,000.

Tor warns intelligence agencies may follow

Tor has since pushed out software updates to deal with the problem, but warned, “Hidden service operators should consider changing the location of their hidden service.” The Tor Project also warned that the attack could pave the way for future attempts by other adversaries such as “large intelligence agencies.”

“On July 4 2014 we found a group of relays that we assume were trying to de-anonymize users,” the Tor Project said via its blog. “They appear to have been targeting people who operate or access Tor hidden services. While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected. Unfortunately, it’s still unclear what ‘affected’ includes.”

The Tor Project said, “So if the attack was a research project (i.e. not intentionally malicious), it was deployed in an irresponsible way because it puts users at risk indefinitely into the future.”

Malware: Every USB port is “defenseless” against new scam
http://www.welivesecurity.com/2014/07/31/malware/
Thu, 31 Jul 2014 15:55:00 +0000

The billions of USB ports in use in PCs are vulnerable to a new attack – which can undetectably install malware, steal data and seize control of machines.

The post Malware: Every USB port is “defenseless” against new scam appeared first on We Live Security.

Almost all desktop and laptop computers can be overtaken and stripped of data via malicious devices inserted into the USB port – a technique which bypasses all current security measures, and is described as “almost like a magic trick” by Karsten Nohl of Berlin’s SR Labs.

By inserting a control chip into a device’s USB connector (i.e. when plugging in a modified keyboard) an attacker could gain complete control of a machine, spy on a user using malware, and steal data. No current security measures could even detect the attack – which Wired described as having the potential to cause an “epidemic.”

Gizmodo reports that Nohl’s team wrote malware, titled BadUSB, specifically for the attack: “It can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic.”

Ever since the Nineties, the various evolutions of USB ports have become ubiquitous – used in almost every laptop and desktop, and relied on to connect gadgets such as phones and cameras to other machines. Billions of the ports are shipped each year. Current PC security measures do not scan the firmware of the devices – allowing for this new attack.

“You cannot tell where the virus came from. It is almost like a magic trick,” Nohl told Reuters.

Malware is ‘like a magic trick’

The attack is possible because current security measures do not inspect the firmware of connected devices – they scan only (in some cases, such as USB sticks) for malicious software programs. The problem, Karsten Nohl of SR Labs says, is that the controller chips used inside USB devices can be spoofed – ‘fooling’ a computer into believing that, for instance, a USB drive is connecting, and thus that it is OK to move data.

Nohl’s team experimented with different devices, and found that malicious firmware on such devices could compromise machines entirely, or inject malware.

The researcher is to present his findings at the Black Hat security conference in Las Vegas. ESET Senior Research Fellow David Harley points out that, as yet, no such devices are known to be ‘in the wild’. Nohl, however, said he would be unsurprised to find out that intelligence agencies knew of the technique.

“No cause for panic, as far as I can tell from the information I have so far,” Harley says. “It’s not as though your 10-year-old thumb drive will suddenly be infected by Stuxnet, at any rate via this vector. Of course, lots of malware does propagate through USB and other removable media, but that’s just because they are media capable of carrying executable code. It’s not as though USB devices routinely get their firmware flashed when connected to a computer.”

USB malware – storm in a port

Problems would only arise if attackers were able to insert malicious devices into the supply chain – or a malicious insider substituted such devices for office equipment.

“It’s really a supply chain issue: in principle, any hardware (or software supplied with it, as in the case of the Energizer DUO USB battery charger fuss a few years back) might be compromised at source.”

Nohl says, “USB has become so commonplace that we rarely worry about its security implications. USB sticks undergo the occasional virus scan, but we consider USB to be otherwise perfectly safe — until now. USB sticks, as an example, can be reprogrammed to spoof various other device types in order to take control of a computer, exfiltrate data, or spy on the user.”

Wired Magazine’s Threat Level blog described USB as “fundamentally broken” and suggested that devices based on Nohl’s technique could cause “an epidemic.”

The blog wrote, “The security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.”

Facebook privacy – the 20,000 who just logged out (and why)
http://www.welivesecurity.com/2014/07/31/facebook-privacy-20000-just-logged-out/
Thu, 31 Jul 2014 09:57:52 +0000

Set up in the wake of Facebook’s controversial ‘experiment’, the 99 Days project aims to work out a more profound question: does the site make us happy?

The post Facebook privacy – the 20,000 who just logged out (and why) appeared first on We Live Security.

“I have had emails from all around the world – and they are all positive,” says Merijn Straathof, the Dutch head of a project encouraging people to leave Facebook, in the wake of the recent privacy uproar over the site’s psychological experiment on its users.

The 99 Days project aims to work out a more profound question: does the site make us happy? Users are encouraged to change their profile to a countdown and not log in at all for the duration.

Every month, scientists from Cornell and Leiden universities will ask participants questions to assess their happiness, psychological state and relationship to the site. A We Live Security guide may help concerned site users control Facebook privacy and data use by the site – which, as Straathof found out, is something users find hard to contemplate life without.

Facebook privacy: What happens when you leave

“People couldn’t imagine this world we live in now, where we look at this site all day,” says Straathof. “The step of leaving it forever is too big for people. That’s why we came up with 99 days.”

The 99 Days project was started by an advertising agency, and Straathof says that the relentless happiness of the site is one of the things he hopes to throw light on. You cannot “dislike” a post. People do not confess to being unhappy. People compete for attention – and scammers prey on this. This is a mode, Straathof says, that has fallen out of favor among advertisers – as too unsubtle.

“Most of the people who contacted me said they spend too much time on Facebook,” he says. “An hour a day. Two hours. Add that over a month, and it’s a small holiday – in this digital reality. People are thinking, ‘I don’t have the time to do this’.”

What has surprised Straathof is that Facebook ‘quitters’ are not worried about Facebook privacy as much as some perhaps expected.

“People don’t think about it – what the meaning of privacy is, or why we should cherish it,” says Straathof. “People say that they have nothing to hide. But if everything is digitized, it will still be there for decades. If it’s publicly archived, future governments will have all this data. Our current privacy discussion is not big enough to change things.”

People’s concerns with the site are simpler than worries over Facebook privacy – “They are not sure if they get happier. In America, families use it to stay in touch with people far away. In Holland, family tend to be near. This digital reality can cause negative feelings.”

The University of Michigan researchers behind a previous Facebook study used “experience-sampling” – questionnaires about well-being at random times five times a day – which is considered among the most reliable methods of judging how people feel, think and behave.

“This result goes to the very heart of the influence that social networks may have on people’s lives,” said Michigan cognitive neuroscientist John Jonides.

They found that the more participants used Facebook over the two-week study period, the more their life satisfaction levels declined over time – whereas interacting in the “real world” had the opposite effect.

Facebook privacy – ‘Alone together’

Previous books such as MIT Professor Sherry Turkle’s Alone Together interviewed users who felt they were creating a “false identity” on the site.

“I work in advertising,” says Straathof. “This is staged happiness. Users are creating this persona, and they realize that other people are doing it. It’s not 100% reality. All those amazing things in your friends’ feeds – it’s narcissistic. People are just trying to be popular. No one ever posts, ‘I’m feeling sad.’ The only possible response is positive – sharing positive things.”

What is less clear is whether the “happiness” of Facebook is in any way real – or if the site can be altered to make its users happier.

“Is it a recipe to create happiness online?” asks Straathof. “No. It’s staged happiness. I work in advertising – and it feels like adverts from years ago. Coca Cola is a brand that’s about happiness – and years ago, those adverts were people smiling, enjoying Coca Cola. Now it has to be more sophisticated – send a Coke to Africa, interact with the real world.”

“Can Facebook be altered to make people happier?” asks Straathof. The first questionnaire will go out to participants in 19 days, with questions assessing wellbeing and psychological effects.

“Facebook is a very attractive medium for advertisers,” says Straathof. “But creating this presence, on your phone in a digital world – is it better to put the phone down and do something authentic?”

For a shorter-term solution, try WLS’s video guide to how to get rid of ANY embarrassing post on the site.

The post Facebook privacy – the 20,000 who just logged out (and why) appeared first on We Live Security.

Internet of things – tests show almost all devices “riddled” with flaws
http://www.welivesecurity.com/2014/07/30/internet-of-things/ (Wed, 30 Jul 2014 17:18:21 +0000)

Isolated flaws in “connected” devices such as Wi-Fi lighting systems make headlines – but the problem is far deeper than thought, with 70% of the most popular such gadgets having serious security flaws according to a report by HP.

Devices under test included televisions, home thermostats and door locking systems – and on average, each had 25 serious flaws, some of which could hand private information to attackers, according to Phys.org.

The researchers did not name the products, saying their goal was not to “name and shame”.

Devices collected and stored private data such as names, email addresses and credit card details, and also failed to encrypt such data. Others allowed users to set weak passwords – with several devices allowing passwords such as “1234”. Half of the devices under test did not encrypt communications to the cloud, network or internet.

Internet of things – network of flaws

The study, described by EWeek as unique, focused not just on the devices themselves, but on the networks they interacted with.

A typical “connected device” will connect to a network, to a mobile device, and to a cloud service. Each of these connections poses risks. As yet, this troubling aspect of IoT devices has not been studied intensively.

Daniel Miessler, practice principal at HP, said: “The current state of Internet of Things security seems to take all the vulnerabilities from existing spaces – network security, application security, mobile security and Internet-connected devices – and combine them into a new, even more insecure space, which is troubling.”

CBR said that the findings raised questions over the security of industrial control systems, which also integrate with other networks, and which may not have been examined in such detail.

Internet of Things: A solution?

HP called for vendors to address security issues with their devices – and also suggested more radical solutions.

“You can put the IoT devices on another separate network,” Miessler said. “You should separate networks so that any IoT devices can’t interact with other things on the protected network.”

Recently, a vulnerability in LiFX, a well-known Kickstarter-funded lighting system in which a network of bulbs can be controlled via a smartphone app, was described by Electronics Weekly as a “warning for all Internet of Things companies”.

Speaking to Electronics Weekly, Context’s Michael Jordon said, “It is clear that in the dash to get onto the IoT bandwagon, security is not being prioritised as highly as it should be in many connected devices. We have also found vulnerabilities in other internet connected devices from home storage systems and printers to baby monitors and children’s toys.”

The post Internet of things – tests show almost all devices “riddled” with flaws appeared first on We Live Security.

Android security flaw gives bad apps super-powers
http://www.welivesecurity.com/2014/07/30/android-security/ (Wed, 30 Jul 2014 14:45:54 +0000)

A new Android flaw potentially affecting up to 80% of current handsets could leave users vulnerable to rogue apps – leapfrogging the defenses used to ensure malicious developers cannot sneak malware onto Android devices, according to the BBC’s report.

“It is very, very easy for malware to use this attack – it is silent, transparent, with no notifications to users,” said Jeff Forristal of Bluebox Security, which uncovered the bug. The bug allows apps to use the digital signatures of other publishers and thus perform actions such as stealing data.

Google has patched the bug – but only for a limited number of handsets. Mark James of ESET UK says, “Android has released a patch (April) for its latest versions but that still leaves over 80% of Android users that could be unprotected.” The Guardian reports that Google’s own figures show 82.1% of users are running an older version.

The flaw has been present in all Android devices shipped since January 2010, Forristal says.

Android security – signature flaw

The “Fake ID” flaw relies on digital signatures used by major publishers, some of whom have special privileges including the ability to inject code into other apps (in the case of Adobe, to add Flash player, Forristal conjectures).

“The vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM,” says Forristal.

Forristal will present more details of his research at Black Hat 2014, saying, “This can lead to a malicious application having the ability to steal user data, recover passwords and secrets, or in certain cases, compromise the whole Android device.”

Forristal writes, “All devices prior to Android 4.4 (“KitKat”) are vulnerable to the Adobe System webview plugin privilege escalation, which allows a malicious application to inject Trojan horse code (in the form of a webview plugin) into other apps, which leads to taking control of the entire app, all of the app’s data, and being able to do anything the app is allowed to do.”

Google said in a statement, “After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability.”

PC World points out that the fragmented nature of the Android market means that such measures can take extended periods to reach some networks – if they do at all.

Android security – what to do

ESET’s Mark James says, “This flaw was present on all Android versions up to and including 4.4. That’s a lot of potential Android users that could be affected, and the key word here is “could”. Android has released a patch (April) for its latest versions, but that still leaves over 80% of Android users that could be unprotected.

“Many phone users are unaware of the potential problems of older operating systems as there is rarely any focus on how quickly manufacturers update their phone software even at all.”

“Most Android phones are configured to notify you of updates but leave you to choose if you want to do so. A lot of Android users, if asked, have no idea what version they have or probably could not tell you the latest version. The most common cause of this is their manufacturer is running their own version of Android and has not updated to the latest versions for reasons only they are aware of.”

As yet, there is no evidence that this flaw has been used – at least not on a large scale. Drastic steps such as factory resetting handsets do not seem to be necessary at this stage.

Mark James of ESET says that basic handset hygiene is the best defense. “Ideally the best solution is to ensure your phone manufacturer updates its OS on a regular basis; check for updates yourself on a periodic basis and install any updates immediately. Also try wherever possible to only download and install apps from the Google Play Store. Any other location must be checked for authenticity. Usually, if a paid-for app on the Play Store is available free somewhere else, it’s likely to be fake. If you do decide to download an app from another source, do some research on the web address and owner, and make sure you READ THE REVIEWS if any are available. My advice would be: if no reviews, then DON’T download it.”

The post Android security flaw gives bad apps super-powers appeared first on We Live Security.

Windows XP Doomed – hackers play classic shooter on ATM
http://www.welivesecurity.com/2014/07/29/windows-xp/ (Tue, 29 Jul 2014 16:45:31 +0000)

For computer hackers, making the classic first-person shooter Doom play on odd devices is a quest that never ends – but an Australian team may have ended the game for good, by running Doom on an ATM, as Mashable reports.

A YouTube video demonstration clearly shows the hellish landscapes of iD’s genre-defining shooter – and the team say they plan to customize it further, so it can be controlled via PIN pad according to The Inquirer’s report.

Windows XP – Doom comes at last

PC World points out that one cannot simply bypass the cash withdrawal screen and start fragging – specialized gaming circuit boards are required. The hack is (relatively) easy because, like many ATMs, the model used runs a modified version of Windows XP.

“Playing Doom on an ATM is made easier because the machine, like so many other ATMs across the globe, is powered by a specialized version of Windows XP under the hood,” PC World says.

PIN pad used as controller

The Inquirer points out that, at the moment, weapon selection is done via arrow buttons at the side of the screen – and the team plans to find a use for the receipt printer.

The site says, “it does appear that the Windows environment has been preserved with the possible addition of some sort of DOS emulator.”

Many banks face costly hardware upgrades to replace aging machines which cannot support Windows 7 – JP Morgan says 3,000 of its 19,000 ATMs will require “enhancements” to support Windows 7, according to Bloomberg.

ESET Distinguished Researcher Aryeh Goretsky offers a guide to using Windows XP safely after its “end of life”, with five tips for users to stay safe while using the OS. Goretsky warns, however, “While these tips will help, your main goal should be figuring out how to move away from Windows XP. If it’s simply a matter of replacing a critical application, work out the cost and build that into your operating budget, likewise for computer upgrades or even replacement computers. That may be a capital expense, and an unwanted one in this economy, however, it is still better than going out of business because outdated computers failed or critical data was stolen.”

The post Windows XP Doomed – hackers play classic shooter on ATM appeared first on We Live Security.

Microsoft denies it has ever been asked to plant a snooping backdoor into its products
http://www.welivesecurity.com/2014/07/28/microsoft-backdoor/ (Mon, 28 Jul 2014 14:38:40 +0000)

Whether you like it or not, the authorities would like to see what people are saying to each other online.

It is, of course, a controversial issue with strongly held opinions on both sides.

Law enforcement and intelligence agencies argue that having insight into private conversations on social media sites like Facebook, via email and instant messaging chats, could help them gather information about organised criminal gangs and perhaps prevent a terror attack.

Many others, especially in the wake of Edward Snowden’s revelations in the last 12 months, believe that the authorities have overstepped the bounds of their authority by secretly monitoring conversations, hacking into innocent companies, weakening encryption standards, and even planting malware on IT hardware as it was shipped to customers from manufacturers.

Aside from issues of the individual’s right to privacy and the need for transparency as to how our governments are choosing to treat the citizens who voted them into power, concerns have been expressed that big software companies might have worked in cahoots with the likes of the U.S. National Security Agency.

After all, wouldn’t it be much easier for the NSA to spy on communications sent via the internet if the very companies who created the software that facilitated, say, instant messaging or video chats, had built in a secret backdoor?

Unfortunately, any method to waltz past security (whether it be by exploiting a known weakness in an encryption standard or some secret method that grants a third party access) could potentially be exploited by far more than just the law enforcement authorities.

In short, building a way to wiretap internet communications can lead to less secure systems for all of us.

So, I was pleased to see Scott Charney, Corporate Vice President for Microsoft’s Trustworthy Computing Group, confirm in a panel appropriately entitled “Striking the Right Balance between Security and Liberty” that his company has never been asked by the US government to backdoor its products, and if they ever were they would fight it “tooth and nail”:

Greg Miller, National Security Correspondent, The Washington Post posed the question:

Greg Miller: Can you tell us whether, in addition to the government being able to compel a company like yours to turn over data that is transiting through your networks, can it also compel you to change your code? Can it compel you to change your products to enable it to get access to products like Skype?

Scott Charney: So, one, they have never done that, and two, we would fight it tooth and nail in the courts. So, under the wiretapping statute in FISA you can be compelled to provide technical assistance. But if they said, for example, put in a backdoor or something like that, we would fight it all the way to the Supreme Court.

Look, if the government did that – and I really don’t think they would – it would be at the complete expense of American competitiveness. If we put in a backdoor for the US government we couldn’t sell anywhere in the world – not even in America.

It’s clear that Microsoft has been rattled by newspaper stories revealing the scale of its information sharing with the NSA, and is keen to differentiate between court-ordered requests from agencies that follow legal processes and software backdoors.

Last month, on the anniversary of Edward Snowden’s first revelations about NSA snooping, Microsoft called for the US government to reform the NSA by ending the bulk collection of telephone record data, committing not to hack data centers and to increase transparency.

Whether Microsoft is doing this because it genuinely believes this is the right thing to do, or because it realises it faces huge commercial hurdles if it is perceived to be in the pocket of the NSA, doesn’t really matter. I suspect it’s a bit of both.

I’m just pleased that they seem to be sticking up for us.

If intelligence and law enforcement agencies have a genuine need to spy upon some communications then it should not be via a backdoor that could put millions of innocent, law-abiding users at risk.

The post Microsoft denies it has ever been asked to plant a snooping backdoor into its products appeared first on We Live Security.

Identity fraud: How one email wiped out $300m – and sender walked free
http://www.welivesecurity.com/2014/07/28/identity-fraud-anz-email-activist/ (Mon, 28 Jul 2014 09:29:57 +0000)

A single email wiped $300 million off the value of an Australian mining company, after an environmental activist, Jonathan Moylan, created a “corporate email” address, used identity fraud to impersonate a press officer, and sent a press release to media organizations which suggested the company faced severe financial difficulties.

The Guardian reports that the activist sent an email from the address “media@anzcorporate.com” and used ANZ logos to make his fiction more convincing. He also had access to a group of media outlet contacts, which he used to perpetrate his scam.

The release, which used the name of ANZ’s serving press officer, with a phone number directed to Moylan, was picked up by media outlets. During trading thereafter, $300m was wiped off the mining company’s value.

Cybercriminal gangs use similar identity fraud tactics (as reported by We Live Security here) – aiming scam emails at contacts relating to news stories, in the name of real companies, in the hope of earning money. Moylan’s lack of financial motive was a key factor in his suspended sentence, the judge said.

This summer, a similar tactic was employed against a leaked list of people who had enquired about the auction of Bitcoins seized from the “dark market” Silk Road. The list provided a target for phishing scammers – and at least one site fell for the scam emails.

Identity fraud – a potent weapon for cybercrime

A reported 100 Bitcoins ($63,300) were stolen from Bitcoin Reserve via a fake login page which harvested email credentials, according to TechCrunch’s report.

Coindesk reports that the scam targeted individuals on a list of people who had expressed interest in the auction for Bitcoins from Silk Road. The list was leaked after a member of the U.S. Marshals Service used CC instead of BCC on an email.

‘Not a criminal in the classic sense’

The Register reports that the country’s supreme court gave Moylan a suspended sentence, saying that despite the fact that “Some investors lost money,” the activist was “not a criminal in the classic sense.”

The attack came in the form of a release claiming that ANZ Bank had withdrawn a loan from the mining company, totalling $1.2bn, relating to an open-cut coal mine. Moylan added that the bank was withdrawing due to “corporate responsibility,” according to The Register.

Justice Davies said, “It is clear the offender has been prepared to break the law on a number of occasions to further the causes which he believes in.”

The post Identity fraud: How one email wiped out $300m – and sender walked free appeared first on We Live Security.
