Lionytics Security Blog
Hacker can backdoor your computer
PoisonTap, the latest creation of hacker and developer Samy Kamkar, has a long list of wicked slick capabilities, including the fact that after an attacker removes the device from a USB port, a backdoor and remote access will persist on both your computer and your router.

When inserted into a USB port, PoisonTap tricks a computer into believing it was just plugged into a new Ethernet connection that takes over all internet traffic.
Wed, 16 Nov 2016 09:45:04 -0700 (Administrator)
Tor Cloud service is no more
One lesser known project from the same stables is the Tor Cloud service, and Tor has announced that it is closing down.

Based on the Amazon EC2 cloud computing platform, Tor Cloud provided a way to share computing resources and allow faster uncensored access to the internet. However, the project is plagued with "at least one major bug … that makes it completely dysfunctional" and, after failing to find anyone to undertake the work, the decision was taken to shut Tor Cloud.

This does not mean that Tor itself is dead – far from it – and developers are being encouraged to create their own forked versions of Tor Cloud.

It is still possible to manually install Tor bridges on Amazon EC2 and other cloud platforms, but it is no longer as simple as it was with Tor Cloud. Existing Tor Cloud instances remain unaffected by the closure of the service, as all of the necessary settings are already in place. There is still the problem of numerous known bugs, but this is something that users and developers are free to work on.

In a blog post, Tor said:

"We have tried to find a new maintainer for Tor Cloud for months, but without success. There have been offers to send us patches, but we couldn’t find a Tor person to review and approve them.

"We encourage everyone who stepped up to start their own cloud bridges project under another name ('Onion Cloud'?), possibly forking the existing Tor Cloud code that will remain available. Tor Cloud is still a good idea, it just needs somebody to implement it."
Wed, 13 May 2015 18:00:00 -0700 (Administrator)
Trump Hotels Infected
The breach, first reported by security reporter Brian Krebs in June, affected seven hotels and resorts in the chain, according to a Trump Hotel spokesperson. But the company's executives claim that they have found "no forensic evidence" that credit card data was actually stolen, despite the fact that several banks have claimed a pattern of fraudulent charges stemming from transactions at the hotels.

"Between May 19, 2014, and June 2, 2015, we believe that there may have been unauthorized malware access to some of the computers that host our front desk terminals and payment card terminals in our restaurants, gift shops and other point-of-sale purchase locations at some hotels managed by the Trump Hotel Collection," a company spokesperson wrote in a statement on the Trump Hotel website. "For those customers that used credit or debit cards to make purchases during this time, we believe that the malware may have affected payment card data including payment card account number, card expiration date and security code." At the Trump hotels in Las Vegas and Waikiki, the data may have also included customers' first and last names.

However, the chain claimed that an independent forensic investigation of its computer systems "did not find any evidence that any customer information was removed from our systems." Trump Hotel Collection is offering "one year of complimentary identity protection services through Experian" to customers who may have been affected, but this is merely out of caution, the company spokesperson said.

Trump's hotels were among a number of high-profile, luxury hotels hit by credit card breaches this year. Mandarin Oriental Hotels disclosed a breach in March, and the White Lodging hotel management company announced in April that it had suffered its second breach in two years—one that affected the same systems that had been previously breached in some cases.

The type of malware used in the attack on Trump captures credit card swipe data at a point-of-sale system. The systems attacked were point-of-sale terminals in gift shops and restaurants, and front desk terminals with credit card scanners. These types of attacks are why credit card issuers are pressing retailers to adopt EMV chip-based point-of-sale systems, which use cryptography on the card's chip to create a one-time confirmation code for each transaction. That data is passed directly to the financial institution that issued the card and isn't retained by the retailer.

While effective in some contexts, this system doesn't protect against fraud in transactions where the card data is read by traditional means (a magnetic swipe) or when the card is not present (given over the phone, for example).
Wed, 7 Oct 2015 09:00:00 -0700 (Administrator)
Casino Breach Continues
Firekeepers is investigating a possible data security incident involving its point of sale systems that may have impacted its payment processing system for the casino, hotel, restaurants and shops. Information submitted through the website was not part of the breach, it said in a statement.

Given the high-value customers casinos serve, stolen credit and debit cards from this sector are prized by attackers. According to Mark Bower, global director of product management for HP Security Voltage, high spend limits and top-tier cards with a proven rapid "stolen data-to-cash" cycle make casinos a prime target for attacks.

"The truth is that there are rarely any investments in security, or process around cyber-defense; as well as little concern about the defense of their customers," he said in a note. "The fault here could be laid at the door of the CEO and board of directors that failed to provide leadership and direction to protect the company and its customers."

The casino said that it doesn’t yet know what information may have been impacted—but it’s taking a few, well-worn steps: hiring an IT forensics team and working with law enforcement. It’s also installing new PoS equipment and "encouraging" patrons to check for fraudulent transactions.

"Their breach of point of sale systems with no knowledge of scope or the event itself is typical of companies that have only concentrated on auditor satisfaction rather than operational cyber-defense capabilities," said Philip Lieberman, CEO, Lieberman Software, in an email. "Each breach follows a typical pattern of hiring a forensic company and getting a report that the attack was beyond any reasonable care that the casino or other company could have provided."

The incident follows other attacks, on the Hard Rock in Vegas and the Sands. And it was recently determined that the seven-year-old RawPOS malware is still being used today, most recently to attack casinos and resort hotels.

"I would expect to hear about more casinos being hit. Usually criminal syndicates don't attack just a single organization, but an entire segment or industry, as they are able to identify common vulnerabilities across them," said Ken Westin, senior security analyst at Tripwire, in a note. "The casinos themselves should identify any common denominator be it a payment or service provider, specific applications, or trusted business partners that might be the source of a key vulnerability. It can also simply be the case of the criminal syndicates going where the money is."
Wed, 13 May 2015 19:00:00 -0700 (Administrator)
Experian Data Breach
"Experian has taken full responsibility for the theft of data from its server," T-Mobile stated in a FAQ.

The exposed data includes names, addresses and birthdates, as well as encrypted Social Security numbers and/or encrypted driver's license or passport numbers. "Experian has determined that this encryption may have been compromised," T-Mobile CEO John Legere wrote in an open letter to those affected.

"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected," Legere added. "I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information."

All those affected are being offered two years of credit monitoring services from ProtectMyID.

"The information that was exposed could lead to an increased risk of identity theft," Experian stated in a FAQ. "Although we have no evidence suggesting your personal information has been misused, we take our obligation to help you protect your information very seriously, and deeply regret that this has happened. We encourage all eligible consumers to enroll in the complimentary identity resolution services we have offered."

Fasoo vice president Ron Arden told eSecurity Planet by email that the breach should be a wakeup call for any business that provides third parties with access to sensitive customer data. "T-Mobile is ultimately responsible for protecting all sensitive data throughout its supply chain and has to rely on the security systems of its downstream partners to protect information," he said. "Unless they did a security audit on those partners and are satisfied they will maintain sensitive data in a safe way, they are vulnerable. The service provider should apply strong encryption to the data that is controlled through persistent, dynamic security policies that can restrict its use to only authorized people."

"This incident highlights that while an enterprise can go to extraordinary lengths to implement a mature security program, it must also recognize that the security posture of its business partners and supply chain is equally important," Norse CEO and co-founder Sam Glines added.
Mon, 5 Oct 2015 09:00:00 -0700 (Administrator)
Padlocks4Less breach
How many victims? Undisclosed.

What type of personal information? Names, addresses, phone numbers, email addresses and payment card data.

What happened? Payment cards and other personal information used on the Padlocks4Less website may have been accessed without authorization.

What was the response? The website was taken down and measures to prevent similar attempts in the future have been implemented. An FBI investigation is ongoing. All potentially affected individuals are being notified.

Details: The FBI notified Frank J. Martin Company that credit card data used on the Padlocks4Less website may have been accessed without authorization. The FBI believes the information was potentially accessed between June 3 and Aug. 26. It is unclear how the information could have been accessed and who may have accessed it.

Quote: "We are not aware of any connection between this breach and cases of fraud," a notification letter said.
Thu, 1 Oct 2015 06:00:00 -0700 (Administrator)
Medical Kit Flaws
Presenting at the DerbyCon conference at the weekend, Scott Erven and Mark Collao revealed that a simple search via Shodan – a search engine for public internet-connected machines – returned thousands of healthcare organizations with discoverable equipment.

Choosing one organization in particular, they found at least 68,000 exposed systems including MRI scanners, drug infusion systems, cardiology and anesthesia systems.

Typical security issues included legacy devices which were not updated or patched – many running on outdated operating systems like Windows XP. Weak default or hard-coded admin credentials were also common.

In fact, in some cases the manufacturer’s advice to customers was not to change these passwords or maintenance staff wouldn’t be able to provide support, the researchers said.

In some cases, they found unencrypted data streams between device and web server that could be easily intercepted.

These raise not only privacy concerns but also "adverse patient safety issues," Erven argued.

And such issues do not necessarily need to involve cybercriminals.

He gave the example of two Austrian patients who managed to get hold of the hard-coded credentials of their own drug infusion pump and increased their dosage of morphine to dangerously high levels.

With the information provided by many of these unsecured devices – right down to host names and physical location in the hospital – hackers could also craft phishing attacks, said Collao.

The researchers even managed to attract tens of thousands of log-in attempts and hundreds of malicious payloads to their honeypots, designed to mimic the behavior of medical devices.

Although the hackers in those instances apparently didn't know they were hitting mission-critical medical devices, they were still attacking them, the research duo said.

Erven claimed the research highlights the urgency of "building security into the engineering and design phase of these devices."

Caroline Rivett, director at KPMG’s cyber security practice, agreed.

"Otherwise devices are vulnerable to hackers causing a safety issue and loss of confidential patient information," she argued. "Solving this will require co-ordination between device manufacturers and healthcare regulators."
Wed, 30 Sep 2015 10:00:00 -0700 (Administrator)
Linux BotNet
The XOR DDoS or Xor.DDoS botnet, as the distributed denial-of-service network has been dubbed, targets as many as 20 sites each day, according to an advisory published Tuesday by content delivery network Akamai Technologies. About 90 percent of the targets are located in Asia. In some cases, the IP address of the participating bot is spoofed in a way that makes the compromised machines appear to be part of the network being targeted. That technique can make it harder for defenders to stop the attack.

"In short: Xor.DDoS is a multi-platform, polymorphic malware for Linux OS, and its ultimate goal is to DDoS other machines," a separate writeup on the botnet explained. "The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs (command and control servers)."

XOR DDoS takes hold by cracking weak passwords used to protect the command shell of Linux computers. Once the attackers have logged in, they use root privileges to run a script that downloads and executes a malicious binary file. There's no evidence XOR DDoS infects computers by exploiting vulnerabilities in the Linux operating system itself. Akamai's advisory has intrusion-prevention-system signatures for detecting infections and instructions for removing the malware.

"Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks," Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, said in a statement. "XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware."
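The advisory cited above is said to contain IPS signatures, which this page does not reproduce. As an added example, not code from the page or from Akamai's advisory, the following Python script shows the host-side detection a defender would pair with such signatures: it parses sshd log lines for password failures per source address, flags a burst of failures inside a short window (the password-cracking stage described above), and flags a password login accepted from that same address afterwards, which is the point at which a weak password has actually fallen. The log lines, the year used for the syslog timestamps, and the threshold and window values are all constructed for the example.

```python
# Added example (not from the page or from Akamai's advisory): flag the
# password-guessing stage of an XOR DDoS-style intrusion in sshd logs.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines for the example (not real traffic).
SAMPLE_AUTH_LOG = """\
Sep 29 10:15:01 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep 29 10:15:03 web01 sshd[2213]: Failed password for root from 203.0.113.5 port 51236 ssh2
Sep 29 10:15:04 web01 sshd[2215]: Failed password for invalid user admin from 203.0.113.5 port 51238 ssh2
Sep 29 10:15:06 web01 sshd[2217]: Failed password for root from 203.0.113.5 port 51240 ssh2
Sep 29 10:15:07 web01 sshd[2219]: Failed password for root from 203.0.113.5 port 51242 ssh2
Sep 29 10:15:09 web01 sshd[2221]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Sep 29 10:20:00 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Sep 29 11:02:10 web01 sshd[2410]: Failed password for root from 198.51.100.9 port 33001 ssh2
"""

# Matches the standard OpenSSH
# "Failed|Accepted <method> for [invalid user] <user> from <ip> port <n>" line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2015):
    """Return a dict for an authentication event, or None for other lines.
    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return findings as tuples. A 'bruteforce_burst' is emitted when a source
    reaches `threshold` failed logins inside `window_seconds`; a
    'success_after_burst' when a *password* login is then accepted from that
    source, which is the cracked-weak-password pattern described above."""
    recent_failures = defaultdict(list)   # ip -> failure timestamps in window
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, now = ev["ip"], ev["ts"]
        # drop failures that have aged out of the sliding window
        recent_failures[ip] = [t for t in recent_failures[ip]
                               if (now - t).total_seconds() <= window_seconds]
        if ev["result"] == "Failed":
            recent_failures[ip].append(now)
            if len(recent_failures[ip]) == threshold:
                findings.append(("bruteforce_burst", ip, now))
        elif ev["method"] == "password" and len(recent_failures[ip]) >= threshold:
            # key-based logins are ignored: a burst followed by an accepted
            # key is not the guessing pattern this detector is for
            findings.append(("success_after_burst", ip, ev["user"]))
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(*finding)
```

On the sample above the detector reports one burst from 203.0.113.5 and then the accepted root password login from the same address; the single failure from 198.51.100.9 and the key-based login stay silent. A `success_after_burst` finding is the one to treat as a probable compromise rather than mere noise, since the next step described in the article (a root script fetching and running a binary) follows immediately after it.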
Wed, 30 Sep 2015 09:00:00 -0700 (Administrator)
Hilton Hotels Data Breach
The apparent breach—the numbers affected are not yet known—includes the company’s flagship Hilton locations, and brands Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts across the United States.

Independent security researcher Brian Krebs, who reported the situation, said that Visa originally picked up on the fraud, and after further investigation with five different banks, it was determined that the commonality in all of the transactions was the Hilton (and related properties) location.

For its part, Hilton has issued a statement to media:

"Hilton Worldwide is strongly committed to protecting our customers’ credit card information," the company said. "We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter."

It appears that the guest reservation system was not compromised—rather, the fraud stems from hacked point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties.

"Hackers use different attack vectors to exploit businesses, and many recent breaches have involved malware that, once installed, exfiltrates sensitive data," said managed security expert Kevin Watson, CEO of Netsurion, a Houston-based security firm, in an email. "There’s no silver-bullet strategy to defend against every threat. However, a strong line of defense is making sure that data doesn’t leave the network without the admin’s knowledge and if data is sent out, it only goes to verified Internet addresses."

"Security must be layered with a properly managed firewall, data encryption, network segmentation, passwords and access controls, software updates and anti-virus/anti-malware software," Watson advised. "Along with protecting incoming traffic and preventing access by malicious actors, it’s critical to limit outbound Internet traffic as well."

This is the latest in a string of hotel heists, including breaches at Mandarin Oriental properties, Hard Rock Las Vegas and others.
Mon, 28 Sep 2015 11:00:00 -0700 (Administrator)
US and China Deal
The agreement was issued on Friday and also includes a commitment at a law enforcement level to share more intelligence on data breaches as well as "provide timely responses to requests for information and assistance concerning those activities."

It noted:

"The United States and China committed that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors."

The Department of Justice and FBI representatives will co-chair a high-level dialogue mechanism on cybercrime to ensure that these commitments will be honored, with representatives from China’s Ministry of Public Security, Ministry of State Security, Ministry of Justice and the State Internet and Information Office also in attendance.

"This dialogue will enable both sides to periodically assess our progress; address any issues related to investigative cooperation or information exchanges; and outline means for relevant agencies on both sides to enhance cooperation," the DoJ said.

The agreement will also establish a hotline between the two superpowers in the event that an urgent matter has not been resolved by conventional means.

The US was at pains to point out that the joint agreement did not "resolve all our challenges with China on cyber issues," but claimed it was a "step forward."

However, many will be skeptical about the chances of such a deal discouraging Beijing from what has been an extremely successful strategy thus far.

Whilst Beijing has always denied that state-sponsored hackers regularly infiltrate foreign companies to steal IP for the betterment of China PLC, the practice is widely acknowledged.

Last year, the DoJ even indicted five PLA soldiers for their part in such cyber-attacks.

President Xi Jinping repeated the same mantra heard so many times before from officials in an interview ahead of his trip to the US last week.

"Cyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should be punished according to law and relevant international conventions," he argued.

One recent report claimed that the value of US IP stolen by Chinese hackers could be as much as $5 trillion each year.
Mon, 28 Sep 2015 10:00:00 -0700 (Administrator)
Hackers Access iPhone
The hack reportedly works on iOS version 9.0.1, which Apple released Wednesday, although some people say they are unable to reproduce it. The vulnerability makes it possible for someone who gets even a brief moment with an iPhone to rifle through contacts and photos without entering the password.

It works by entering an incorrect password four times. Then, immediately after the incorrect password is entered for the fifth time, the attacker holds down the home button before the device can lock the attacker out. The Siri personal assistant pops up and the attacker uses it to bring up the inbuilt clock. The attacker then taps the clock and presses the + icon, giving access to search capabilities. From there, the attacker gets access to iMessage.

Once in iMessage, the attacker has the ability to read, delete, or add contacts, but there's also a way to access photos stored on the device by adding a profile. Other parts of the phone remain off-limits, so the bypass is only partial.

It's not clear yet why so many people report the hack works while others say it doesn't. There may be some sort of configuration setting at play, but so far no one seems to have identified it. At any rate, the partial bypass can be blocked by preventing Siri from being accessed from the lock screen. To do this, open Settings, choose Touch ID & Passcode, enter the device password, scroll down to "Allow access when locked" and disable it.
Mon, 28 Sep 2015 09:00:00 -0700 (Administrator)
Kardashian Website Security
A 19-year-old developer, Alaxic Smith, poked around in the code and found that he could access the information of users who signed up for Kylie Jenner’s website, and could pull similar user data from the other websites. He also said that the flaw would allow an attacker to create and destroy user profiles, and access and delete photos, videos and more.

"I’ll admit I downloaded Kylie’s app just to check it out," he wrote on his blog site. "I also checked out the website, and just like most developers, I decided to take a look around to see what was powering the site. After I started digging a little bit deeper, I found a JavaScript file. Just for fun, I decided to un-minify this file to see what kind of data they were collecting from users and other metrics they may be tracking. I saw several calls to an API, which of course made sense. I popped one of those endpoints into my browser, and got an error just like I expected."

But he then logged into the website with his own user name and password and was able to gain access to a web page that contained the first and last names and email addresses of the 663,270 people who had signed up for the site, he says. And, he found that he could use the same API call across each of the other sisters’ websites.

Suni Munshani, CEO of Protegrity, a data security platform and solutions provider, told Infosecurity via email that "every CEO should wish it was a Kardashian" but that, unlike CEOs, the sisters are exhibiting basic security bad practice by using an unsecured API.

"The impressive money-making machine that is the Kardashian empire, credited to their business savvy managerial styles, has the kind of growth and popularity most CEOs dream of," he noted. "Their ‘exclusive’ photos rake in the top dollar, their apps see hundreds of thousands of downloads in the first few days and people are actively trying to find security flaws in their websites and apps. Their success results in a lot of collected data, and with big data, comes big responsibility. In the future, data security will be important for keeping critical business issues under wraps and to help the empire continue to grow."

The company that built the site, Whalerock, confirmed that the API is now closed and that there’s no indication of nefarious access.
Wed, 23 Sep 2015 11:00:00 -0700 (Administrator)
CVS employee steals data
How many victims? 54,203.

What type of personal information? Names, CVS IDs, CVS ExtraCare Health Card numbers, Member IDs, Rx Plan numbers, Rx Plan states, and start dates and end dates.

What happened? A former CVS employee took personal information related to Molina Healthcare members from CVS' computers and sent it to his personal computer.

What was the response? CVS is issuing new CVS ExtraCare Cards with new account numbers for affected individuals who are current Molina Healthcare members with an OTC benefit. All potentially affected Molina members are being notified, and offered a free year of identity theft protection services.

Details: CVS notified Molina Healthcare on July 20 that the incident occurred. The former CVS employee took the personal information on or about March 26, and CVS believes he did this to fraudulently obtain OTC products from CVS. Molina Healthcare has notified current and former members in California, Florida, Illinois, Michigan, New Mexico, Ohio, Texas, Utah, Washington and Wisconsin.

Quote: "Although the former CVS employee was found to have placed fraudulent OTC orders with respect to 182 Molina Medicare members in Texas, CVS has not detected any fraud with respect to any of the other affected Molina Medicare members," a Molina Healthcare statement said.
Wed, 23 Sep 2015 10:00:00 -0700 (Administrator)
Serious Imgur exploit
The result: the browsers of people who viewed certain Imgur-hosted images linked on one or more Reddit sections automatically executed code of the attacker's choice. That malicious JavaScript code in turn reached out to 8chan and exploited two additional but completely separate vulnerabilities on that site. From then on, every time one of these people visited an 8chan page, their browser would report to an attacker-controlled server and await instructions. In the process, the infected browser would bombard 8chan servers with hundreds of additional requests, although some researchers aren't convinced a denial-of-service on 8chan was the objective of the hack.

Worm-like properties

The hack had the potential to take on worm-like properties, in which a handful of viral images could generate an endless stream of traffic and millions and millions of new infections. It never got to that point, because Imgur fixed the Web-application bug on its site Tuesday morning, while 8chan temporarily blocked the execution of files based on Adobe's Flash media player. With the immediate threat averted, the question security researchers asked was: why was a vulnerability as potentially powerful as the one exploited against Imgur squandered on such a limited number of people?

The attacker "had a delivery mechanism on one of the most popular sites on the Internet, and he used it to target a very small minority of his peers," Arshan Dabirsiaghi, chief scientist at security firm Contrast Security, told Ars. "He could have turned this into money on the black market in several ways. Instead, he just used it for a prank."

The cross-site scripting (XSS) vulnerability affecting Imgur allowed attackers to attach malicious JavaScript to images uploaded to the site. The same weakness could have been used to expose people to off-the-shelf attack code that exploited vulnerabilities in browsers and browser plugins. Such exploits are one of the chief ways criminals surreptitiously install keyloggers and other types of malware on end user computers. A vulnerability like the one exploited against Imgur could have landed the attacker a hefty sum in malware affiliate fees.

Persistent browser infection

The unknown attacker who exploited the vulnerability either took a decidedly more innocuous path or was stopped short before achieving a more malevolent outcome. The only evidence that Dabirsiaghi and others have gathered so far shows the Imgur exploit interacting with booby-trapped Flash images hosted on 8chan. Those SWF images, in turn, installed their own XSS-based attacks in the HTML5 local storage databases of users' browsers. From then on, infected browsers would contact a command and control server each time an 8chan page was loaded. And with each one, the browsers would ping 8chan hundreds more times.

Dabirsiaghi said the control server has yet to issue any commands, so it's unclear if the objective of the attack was to flood 8chan with junk traffic or to do something much more sinister. What remains clear is that anyone who clicked on one of the booby-trapped Imgur links will continue to host malicious code inside their local storage database. Until they clear their browser history, their browsers will continue to hail the attacker-controlled server each time they visit an 8chan page.

The attack was discussed in several places online, although not all of the statements or observations turned out to be accurate. The hack demonstrates a potential weakness introduced by HTML5. By allowing visited websites to store JavaScript and other code inside a browser's local storage database, the newly adopted standard gives attackers a way to invoke malicious commands with each return visit. Fortunately, those commands are subject to the same-origin policy and other security controls enforced by modern browsers. Still, as this case shows, HTML5 can provide attackers with a persistent way to force other people's browsers to behave in unintended and potentially malicious ways.
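The article says the Imgur flaw let attackers attach JavaScript to uploaded images, but it does not say how, so what follows is the general server-side control an image host needs rather than a reconstruction of Imgur's bug. It is an added example, not code from the page, from Imgur or from 8chan. It checks that an upload really is a raster image by file signature, rejects markup (SVG/HTML) and Flash (the SWF format mentioned above) outright, and fixes the response headers so a browser cannot reinterpret the stored bytes as something executable. The signature tables are standard format magic numbers; the sample uploads and the function names are constructed for the example.

```python
# Added example (not from the page, Imgur or 8chan): server-side validation of
# image uploads so that stored bytes can never be served as script or markup.

# Leading bytes of the raster formats an image host should accept.
RASTER_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Active content that must never be stored or served from an image endpoint.
# SWF files start with FWS (uncompressed), CWS (zlib) or ZWS (LZMA).
ACTIVE_SIGNATURES = {
    "application/x-shockwave-flash": (b"FWS", b"CWS", b"ZWS"),
}
# Markers that betray SVG/HTML/script content disguised as an image.
MARKUP_MARKERS = (b"<svg", b"<script", b"<html", b"<?xml", b"javascript:", b"onload=")


def classify_upload(data: bytes):
    """Return (mime_type, None) for an accepted raster image or
    (None, reason) for a rejected upload."""
    head = data[:16]
    for mime, sigs in RASTER_SIGNATURES.items():
        if head.startswith(sigs):            # bytes.startswith accepts a tuple
            return mime, None
    for mime, sigs in ACTIVE_SIGNATURES.items():
        if head.startswith(sigs):
            return None, f"active content ({mime}) rejected"
    sample = data[:4096].lower()
    if sample.lstrip().startswith(b"<") or any(m in sample for m in MARKUP_MARKERS):
        return None, "markup or script content rejected"
    return None, "unrecognised format rejected"


def response_headers(mime: str):
    """Headers for serving a validated image: the type comes from the signature
    check, never from the client; nosniff stops the browser re-guessing it; the
    CSP sandbox neutralises any script if the bytes are ever rendered as a page."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample uploads for the example.
SAMPLE_UPLOADS = {
    "png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32,
    "svg_with_script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "swf": b"CWS\x0a" + b"\x00" * 16,
    "html": b"  <html><body>hello</body></html>",
    "junk": b"not an image at all",
}


def review_uploads(uploads=SAMPLE_UPLOADS):
    """Classify every sample and return {name: (mime, reason)}."""
    return {name: classify_upload(data) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, (mime, reason) in review_uploads().items():
        print(f"{name:16} -> {mime or 'REJECTED'} {reason or ''}")
```

Two points a practitioner should keep in mind. A polyglot file that carries a valid raster header can still contain text, so the signature check alone is not the whole defence: the fixed Content-Type together with `nosniff` is what keeps the browser from executing such bytes, and re-encoding every accepted image with an image library before storage (not shown here) strips embedded payloads entirely. And the same-origin policy the article mentions only helps if user content is served from a separate origin from the application's own pages; serving uploads from the main domain hands any script that does slip through the site's cookies and local storage.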
Wed, 23 Sep 2015 09:00:00 -0700 (Administrator)
Trojan targets poker sites
Now there's evidence to suspect that the hunch is real when it comes to two of the world's most popular online gambling portals. "Several hundred" gamblers on the Pokerstars and Full Tilt Poker platforms have been hit with a cheating trojan, according to ESET security researcher Robert Lipovsky.

Every once in a while, though, we stumble upon something that stands out, something that doesn’t fall into the "common" malware categories that we encounter every day—such as ransomware, banking trojans, or targeted attacks (APTs)—just to name a few of those that are currently causing the most problems. Today, we’re bringing you one of those uncommon threats—a trojan devised to target players of online poker.

The latest Windows malware discovery, called Odlanor, comes two years after ESET warned of the PokerAgent botnet propagating on Facebook in connection to the Zynga Poker app.
PokerStars and Full Tilt Poker did not immediately respond for comment.

Here's how the latest trojan works, according to ESET:

Like a typical computer trojan, users usually get infected with Win32/Spy.Odlanor unknowingly when downloading some other, useful application from sources different than the official websites of the software authors. This malware masquerades as benign installers for various general purpose programs, such as Daemon Tools or mTorrent. In other cases, it was loaded onto the victim’s system through various poker-related programs—poker player databases, poker calculators, and so on—such as Tournament Shark, Poker Calculator Pro, Smart Buddy, Poker Office, and others.

Once executed, the Odlanor malware will be used to create screenshots of the window of the two targeted poker clients—PokerStars or Full Tilt Poker, if the victim is running either of them. The screenshots are then sent to the attacker’s remote computer.

Afterwards, the screenshots can be retrieved by the cheating attacker. They reveal not only the hands of the infected opponent but also the player ID. Both of the targeted poker sites allow searching for players by their player IDs, hence the attacker can easily connect to the tables on which they’re playing.

We are unsure whether the perpetrator plays the games manually or in some automated way.

ESET said it has discovered `several versions` of this malware dating back to March of this year. Online gamblers in the Czech Republic, Poland, and Hungary appear to be the biggest victims, ESET said. The research firm said it believes `several hundred` users have been infected.

ESET cautioned that "the trojan poses a potential threat to any player of online poker."
Mon, 21 Sep 2015 09:00:00 -0700 (Administrator)
Sutter Health breach
In a Sept. 11 statement, the California healthcare delivery system says the billing documents for 2,582 patients that were inappropriately emailed included names, dates of birth, insurance identification numbers, dates of service and billing codes. For one patient, the compromised information also included a driver's license number. For another, it included a driver's license number and Social Security number.

Sutter Health includes 24 hospitals, 27 ambulatory care facilities and a network of more than 5,000 physicians in Northern California. Previously, the organization reported three other breaches, including a 2011 breach involving the theft of an unencrypted desktop computer containing information on 4.1 million patients (see Another Sutter Health Breach).

The organization says it discovered the email-related incident during a review of the former employee's email activity and computer access. Sutter launched an investigation on Aug. 27 after the organization learned of possible "improper conduct" by the former employee, who worked at Sutter Physician Services, which handles billing for Sutter Health's physician medical foundations.

Most of the patients whose data was involved in the April 26, 2013, incident reside in the greater Sacramento region and are patients of Sacramento-based Sutter Medical Foundation, Sutter Health says. The California healthcare provider says it has no evidence that any of the patient information was misused or disclosed to others, but it is offering affected patients free credit monitoring services for one year.

Taking Precautions

"Sending any confidential information to a personal email account is strictly prohibited," Sutter Health says in a statement provided to Information Security Media Group. "Sutter Health now has sophisticated software that helps block confidential information from leaving the organization unless appropriate safeguards are in place to securely send the information. Employees are also required to annually acknowledge and sign Sutter Health's confidentiality agreement, which states that the employees agree to abide by and protect Sutter Health's confidential data."

A Sutter Health spokeswoman tells ISMG that the former employee emailed copies of the information without authorization before more technology safeguards were installed - and that Sutter Health now uses encrypted email.

"Sutter works hard at protecting patient information, including implementing new technologies to enhance protection. I cannot provide specific details of those technologies - that's among our safety efforts," she says.

Common Problem

Unfortunately, privacy breaches involving unsecured email - as well as text messages - are a common problem in the healthcare arena, security experts say.

"My experience is that doctors and medical practice employees send PHI through unsecure e-mail all the time," says security and privacy expert Mike Semel, founder of Semel Consulting.

"During our assessments, we often hear that doctors and nurses text each other all day with no concern that the information is PHI," he says. "When we explain that PHI is any communication that includes a patient identifier and information about their treatment, diagnosis or payment for healthcare, and not just the information in the chart, we are often met with surprise."

Besides implementing encrypted email communication, such as by using the "Direct Exchange" protocol, healthcare entities can take other steps to safeguard patient information. For example, they can use data loss prevention programs that scan emails and documents for sensitive data, such as Social Security numbers, before they're transmitted, security experts say. Depending on the technology, the sensitive data can either be blocked from transmission or automatically encrypted (see Preventing Email Breaches).
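The "scan before transmission, then block or encrypt" control described above, as an added illustration written for this page rather than Sutter Health's or any vendor's software. The SSN structural rules and the Luhn check are standard; the internal-domain and personal-webmail lists, the three-way policy and the sample messages are this example's own assumptions.

```python
# Added example (not Sutter Health's or any DLP vendor's code): a minimal
# outbound-email check that finds US Social Security numbers and payment
# card numbers in message text and returns "allow", "encrypt" or "block"
# depending on where the message is going.
import re

SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digit card numbers, spaced or dashed

INTERNAL_DOMAINS = {"example-health.org"}                                     # assumption
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}   # assumption


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules: area 000, 666 and 900-999 are never issued,
    nor group 00 or serial 0000. Cuts most random 3-2-4 digit runs."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum that every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return the SSNs and card numbers found in the text, validated, not just matched."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())]
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(m.group(0).strip())
    return {"ssn": ssns, "pan": pans}


def decide(recipient: str, text: str) -> str:
    """Policy: internal mail passes; other external mail is routed through
    encryption; personal webmail gets sensitive content refused outright."""
    found = find_sensitive(text)
    if not (found["ssn"] or found["pan"]):
        return "allow"
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return "allow"
    if domain in PERSONAL_WEBMAIL:
        return "block"
    return "encrypt"


if __name__ == "__main__":
    # Constructed sample messages, not real patient data.
    for rcpt, body in [
        ("jane@gmail.com", "Patient SSN 078-05-1120, DOB 01/02/1960, CPT 99213"),
        ("billing@partner-clinic.com", "Pay with card 4111 1111 1111 1111 exp 12/17"),
        ("bob@example-health.org", "Patient SSN 078-05-1120"),
        ("jane@gmail.com", "Invoice 12345, call 555-0100"),
    ]:
        print(rcpt, "->", decide(rcpt, body))
```

Real DLP products add document fingerprinting and context (a billing-code column beside the number, an attachment that is a claims export), but the shape is the same: the check runs before the message leaves, and the decision keys on the recipient, which is exactly the control that a forward to a personal webmail account has to fail.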

Organizations also need to be wary of employees who work around measures that have been put in place to prevent breaches involving email, Semel stresses.

"When doctors have privileges in multiple hospitals, it is easy to use free webmail for communications wherever they are," he says. "Even if you have a secure e-mail server in your practice that allows for secure messaging within your organization, sending a message to someone else, like a specialist, using webmail is not secure."

Employees and clinicians need to be educated on the secure methods for sending communication involving PHI, Semel says.

Independent HIPAA attorney Susan Miller says many breaches involving unsecured communication likely aren't being reported to the Department of Health and Human Services' Office for Civil Rights, which tracks healthcare data breaches.

"I think they are as under-reported as sending a fax the wrong way," she says. Tips on the do's and don'ts related to email encryption are "not part of any training that most staff get," she says. "I have been talking to my clients about just use WinZip for some protection," she notes, referring to the desktop archiving utility, which can password-protect zip attachments with AES encryption. (Its legacy Zip 2.0 encryption option is weak and should not be relied on, and the password still has to reach the recipient by a separate channel.)
Thu, 17 Sep 2015 11:00:00 -0700 (Administrator)
Android lockscreen hack
The hack involves dumping an extremely long string into the password field after swiping open the camera from a locked phone. Unless updated in the past few days, devices running 5.0 to 5.1.1 will choke on the unwieldy number of characters and unlock, even though the password is incorrect. From there, the attacker can do anything with the phone the rightful owner can do.

The following video demonstrates the attack in action. The technique begins by adding a large number of characters to the emergency call window and then copying them to the Android clipboard. (Presumably, there are other ways besides the emergency number screen to buffer a sufficiently large number of characters.) The hacker then swipes open the camera from the locked phone, accesses the options menu, and pastes the characters into the resulting password prompt. Instead of returning an error message, vulnerable handsets unlock.

The vulnerability has been fixed in the "LMY48M" Android 5.1.1 build Google released last week for the Nexus 4, 5, 6, 7, 9, and 10. But as most people know, it can take months or years for updates to hit the masses, and some devices never receive security patches. Indeed, neither of the Nexus 5 phones this Ars reporter uses has received the over-the-air build update from last week.

Fortunately, the vulnerability was introduced in version 5, so the number of affected handsets is only a small fraction of the overall Android user base. Vulnerable users who can't get an update or don't want to wait for one to become available can switch to a PIN or pattern-based lockscreen, neither of which is susceptible to the hack. And while we're on this topic of Android lock patterns, readers may be interested in recently presented research showing that many of them are surprisingly predictable.
Thu, 17 Sep 2015 10:00:00 -0700 (Administrator)
Seven years of malware
Characterized by F-Secure researchers as a "well resourced, highly dedicated and organized cyberespionage group," the Dukes have mixed wide-spanning, blatant "smash and grab" attacks on networks with more subtle, long-term intrusions that harvested massive amounts of data from their targets, which range from foreign governments to criminal organizations operating in the Russian Federation. "The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks and governmental subcontractors," the F-Secure team wrote. "Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen terrorism; and Russian speakers engaged in the illicit trade of controlled substances and drugs."

The first known targets of the Dukes’ earliest-detected malware, PinchDuke, were associated with the Chechen separatist movement; by 2009 the Dukes were going after Western governments and organizations in search of information about the diplomatic activities of the United States and the North Atlantic Treaty Organization. While most of the attacks have used spear-phishing emails to deliver malware onto targeted systems, one of their campaigns spread malware through a malicious Tor exit node in Russia, targeting users of the anonymizing network by injecting malware into their downloads.

The known components of the Duke malware family, in the order they have been detected by malware researchers at F-Secure, Kaspersky, Palo Alto Networks and others, are:
•PinchDuke: First detected in 2008, and last seen in 2010, this malware primarily targeted credentials for services such as Yahoo and Google Talk, as well as credentials stored in the Outlook and Mozilla Thunderbird e-mail clients and the Firefox browser. First seen used in conjunction with fake websites supporting Chechen insurgents, PinchDuke was also used to target government agencies in Georgia, Poland, the Czech Republic, Turkey, Uganda, and a US foreign policy think-tank. The delivery vehicle was a malicious Microsoft Word or Adobe Acrobat file. PinchDuke was based on an openly available malware kit, and was likely an opening experiment by the group in cyberespionage.
•GeminiDuke: Designed primarily to collect configuration information about the targeted system, this malware appeared in January 2009 and was last detected active in December 2012. The malware reported back on user accounts, network settings, what software was running on the infected system, Windows environment variables, and the names of files and folders in users’ home folders and My Documents. It also reported back recently accessed files, directories and programs. The malware was likely used as a reconnaissance tool to select victims for further attack. It also had some code that attempted to stay persistent on the infected system.
•CosmicDuke: First spotted in January 2010, and still known to be active as recently as this summer, CosmicDuke is a more thorough information stealer, logging keystrokes and taking screenshots as well as stealing any data that gets copied to the Windows clipboard for pasting. It also searches for files with specific extensions to steal, and grabs usernames, passwords, and any crypto keys it finds on the system. CosmicDuke also uses some persistence techniques that are based on the same approach used in GeminiDuke.
•MiniDuke: A multi-stage malware tool that uses a combination of loaders, some of which were used in conjunction with other malware in the family as early as July 2010. The main payload, first detected and analyzed in May 2011, was a backdoor that obtained its command and control server information via a Twitter account. The loader was seen active as recently as this spring; the backdoor hasn’t been seen since the summer of 2014.
•CozyDuke: Also known as EuroAPT, CozyBear, CozyCar and Cozer, this modular malware implant can retrieve and run modules from a command and control server on demand, making it a bit of a chameleon. In addition to being a persistent backdoor, it has provided keylogging, screenshots and password stealing, and has stolen NT LAN Manager password hashes as well, possibly giving the malware the ability to spread laterally across local networks. "CozyDuke can also be instructed to download and execute other, independent executables," F-Secure reported. "In some observed cases, these executables were self-extracting archive files containing common hacking tools, such as PSExec and Mimikatz, combined with script files that execute these tools. In other cases, CozyDuke has been observed downloading and executing tools from other toolsets used by the Dukes such as OnionDuke, SeaDuke, and HammerDuke."
•OnionDuke: A backdoor first known to be active in February 2013 and delivered by a dropper injected into web downloads, OnionDuke got its name from the source of the injection: a malicious Tor exit node. Like CozyDuke, OnionDuke is modular, and has been used for a range of information-stealing operations as well as to deliver distributed denial of service attacks and generate social media spam. It has also been distributed wrapped with legitimate software via torrent files. OnionDuke was still active as recently as this spring.
•SeaDuke and HammerDuke: Both of these recent backdoors appear to be installed as a secondary infection by CozyDuke. Their main purpose seems to be providing persistence and a backup backdoor in case the initial malware infection is detected. SeaDuke was first spotted in October 2014, and HammerDuke in January of this year.
•CloudDuke: A new downloader and malware loader, with two variants that also act as backdoors, CloudDuke was spotted first this June. While one variant uses a web address controlled by the malware developers to get downloads, CloudDuke gets its name from its primary method of accessing files: a Microsoft OneDrive account.
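The CozyDuke tool-drop pattern described in the list above (a self-extracting archive carrying PsExec and Mimikatz, driven by script files, followed by NTLM hash theft and lateral movement) is the kind of behaviour a rule over process-creation telemetry can surface. What follows is an added example written for this page, not F-Secure's or any vendor's detection logic: the events are constructed, the temp-directory and tool-name conventions are assumptions, and Mimikatz's module syntax (sekurlsa::, lsadump::) is used as a command-line marker so a renamed binary is still caught.

```python
# Added example (not F-Secure's or any vendor's logic): a small hunting
# rule over process-creation events for the pattern described above: an
# SFX stub runs from a temp directory, launches a script host, and the
# script launches PsExec / Mimikatz. All events below are constructed.
import ntpath  # Windows path semantics regardless of the host OS

KNOWN_TOOLS = {"psexec.exe", "psexec64.exe", "psexesvc.exe", "mimikatz.exe"}
# Mimikatz module syntax survives renaming the binary, so match the
# command line as well as the image name.
MIMIKATZ_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug")
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")   # assumption

SAMPLE_EVENTS = [  # constructed telemetry with Sysmon-like fields, not real data
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\RarSFX0\update.exe",
     "cmdline": "cmd.exe /c run.bat"},
    {"id": 2, "image": r"C:\Users\jdoe\AppData\Local\Temp\RarSFX0\m.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"id": 3, "image": r"C:\Users\jdoe\AppData\Local\Temp\RarSFX0\PsExec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"PsExec.exe \\FILESRV01 -u CORP\svc -p x -c payload.exe"},
    {"id": 4, "image": r"C:\Program Files\SysinternalsSuite\PsExec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"PsExec.exe \\HOST01 -s cmd"},
    {"id": 5, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]


def in_temp(path: str) -> bool:
    """True if the path sits under a user or system temp directory."""
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def looks_like_tool(event: dict) -> bool:
    """Known tool binary name, or Mimikatz module syntax on the command line."""
    name = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"].lower()
    return name in KNOWN_TOOLS or any(m in cmd for m in MIMIKATZ_MARKERS)


def classify(event: dict) -> list:
    """Return the rule names that fire for one process-creation event."""
    rules = []
    if looks_like_tool(event):
        rules.append("known_tool")
        if in_temp(event["image"]):
            rules.append("tool_from_temp")            # dropped, not installed
    name = ntpath.basename(event["image"]).lower()
    if name in SCRIPT_HOSTS and in_temp(event["parent_image"]):
        rules.append("script_from_temp_parent")       # SFX stub -> script host
    return rules


def detect(events) -> dict:
    """Map event id -> fired rules, omitting events that trigger nothing."""
    hits = {}
    for ev in events:
        rules = classify(ev)
        if rules:
            hits[ev["id"]] = rules
    return hits


if __name__ == "__main__":
    for eid, rules in detect(SAMPLE_EVENTS).items():
        print(eid, rules)
```

Event 4 (PsExec from an admin tools directory) is the noise an allow-list of administration hosts tunes out; the temp-directory combination on events 1 to 3 is the stronger signal, and it pairs naturally with the NTLM hash theft the report mentions, since pass-the-hash plus PsExec is how those hashes get turned into lateral movement.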

A number of factors have led researchers to believe that the Dukes group is based in Russia and at least tangentially associated with the Russian government. First, the targets have been aligned with Russian government interests. There are also a number of Russian-language artifacts in some of the malware, including a Russian-language error message in PinchDuke which translates essentially as "Error in the name of the module! Title data section must be at least 4 bytes!" GeminiDuke also used timestamps that were adjusted to match Moscow Standard Time.

There is also the timing of some of the attacks, which suggests that at least a Russian state sponsor was behind the group. In 2013, before the beginning of the Ukraine crisis, the group began using a number of decoy documents in spear-phishing attacks that were related to Ukraine, including "a letter undersigned by the First Deputy Minister for Foreign Affairs of Ukraine, a letter from the embassy of the Netherlands in Ukraine to the Ukrainian Ministry of Foreign Affairs and a document titled 'Ukraine’s Search for a Regional Foreign Policy,'" the researchers noted. "It is...important to note that, contrary to what might be assumed, we have actually observed a drop instead of an increase in Ukraine-related campaigns from the Dukes following the country’s political crisis." That would indicate that the campaign was part of an intelligence-gathering effort leading up to the crisis.

"Based on our establishment of the group’s primary mission," F-Secure’s researchers wrote, "we believe the main benefactor (or benefactors) of their work is a government. But are the Dukes a team or a department inside a government agency? An external contractor? A criminal gang selling to the highest bidder? A group of tech-savvy patriots? We don’t know." Whoever it might be, based on how long the group has been operating, it would seem that the Dukes have substantial, reliable financial support. And because their campaigns appear to have been well-coordinated over time, with no apparent cases of overlap between attacks or interference between malware, the F-Secure team concluded: "We therefore believe the Dukes to be a single, large, well-coordinated organization with clear separation of responsibilities and targets."

Such an organization operating in Russia would most likely require state acknowledgement, if not outright support.
Thu, 17 Sep 2015 09:00:00 -0700 (Administrator)
TLS Flaw Exposed
Experts at Austria-based IT services provider Research Industrial Systems Engineering (RISE) presented their findings last month at the USENIX conference. Additional details on the attack method, along with a video demonstrating its practicality, were published on Monday.

TLS is designed to protect sensitive communications against cyberattacks. However, numerous research papers published in recent years have demonstrated vulnerabilities that expose encrypted communications, including Logjam and Bar Mitzvah.

The new method, dubbed the "Key Compromise Impersonation (KCI) attack," leverages a weakness in the TLS protocol specification. The technique allows a man-in-the-middle (MitM) attacker to gain complete control over the client-side code running in the victim’s browser. Malicious actors can eavesdrop on communications, replace legitimate elements on a website with arbitrary content, and even perform actions on the victim’s behalf.

In the first phase of the attack, the attacker tricks the user into installing a TLS client certificate for which they possess the private key. Then, by interfering with the initialization of the TLS protocol between the client and the server, the attacker can trick the client into believing that it’s communicating with the legitimate server when in reality it’s talking to the attacker.

By initiating a normal, encrypted connection to the server, the attacker can control the data that goes from the client to the server and vice versa.

"For many web and mobile applications, a successful attack means that a user's session or profile is completely compromised and under the control of the attacker from this point on: Electronic payments may be initiated and re-directed to the attacker's account, private messages could be read and spoofed, etc. Possible damage is in most cases only limited by the attacker's imagination and creativity," researchers explained.

A proof-of-concept (PoC) video published by experts shows a KCI attack scenario in which the attacker targets hotel guests using a rogue Wi-Fi network. The attacker tricks the victim into installing the malicious certificate by informing them that the certificate is needed to access the hotel’s Internet connection.

Once the certificate has been accepted, the attacker interferes with the initialization of the connection to Facebook and forces the client to use an insecure handshake with client authentication. The attacker then replaces the pictures and other elements on the victim’s Facebook profile with arbitrary content.

According to the researchers, the problem affects services that support a particular class of key agreement and authentication methods: non-ephemeral (static) Diffie-Hellman key exchange combined with fixed Diffie-Hellman client authentication, in which the client’s certificate carries a DH public key and the matching private key is used directly in the key exchange. In that handshake the premaster secret is derived from the client’s static private key and the server’s static public key, and the server’s public key is in its certificate, so anyone holding the client’s private key can compute the session keys without knowing any server secret. The ephemeral variants (DHE, ECDHE) do not have this property, because the server contributes a fresh key pair for each session and signs it with its certificate key.
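The asymmetry described above, reduced to its arithmetic, as an added example written for this page and not the RISE researchers' code. The group (P = 2^127 - 1, generator 3) is far too small for real use and a SHA-256 mix stands in for the TLS key derivation; both are this example's simplifications. The ciphersuite filter at the end is a practical check on what a server offers: static DH/ECDH suites are named DH_*/ECDH_* (IANA) or DH-*/ECDH-* (OpenSSL), while the ephemeral ones carry DHE/ECDHE.

```python
# Added example, not the RISE researchers' code: a toy model of why the
# fixed (static) Diffie-Hellman handshake with fixed-DH client authentication
# allows Key Compromise Impersonation, and why an ephemeral exchange does not.
# P = 2^127 - 1 is prime but hopelessly small; SHA-256 stands in for the PRF.
import hashlib
import secrets

P = 2**127 - 1
G = 3


def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(premaster: int, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS key derivation: premaster secret plus both nonces."""
    return hashlib.sha256(premaster.to_bytes(16, "big") + client_random + server_random).digest()


def fixed_dh_key(own_static_priv, peer_static_pub, client_random, server_random):
    """Fixed DH with fixed-DH client auth: both sides use only their static
    certificate keys, so premaster = peer_pub ^ own_priv mod P."""
    return session_key(pow(peer_static_pub, own_static_priv, P), client_random, server_random)


def dhe_handshake(client_random, server_random):
    """Ephemeral exchange: each side makes a fresh key pair for this session
    (the server would sign its share with its certificate key; omitted)."""
    c_priv, c_pub = keygen()
    s_priv, s_pub = keygen()
    client_key = session_key(pow(s_pub, c_priv, P), client_random, server_random)
    server_key = session_key(pow(c_pub, s_priv, P), client_random, server_random)
    assert client_key == server_key
    return client_key, s_pub


def demo():
    client_priv, client_pub = keygen()   # client cert key; the attacker planted it, so knows priv
    server_priv, server_pub = keygen()   # server cert key; the attacker only ever sees pub
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)

    # Fixed DH: the victim derives its key from (client_priv, server_pub) ...
    victim_key = fixed_dh_key(client_priv, server_pub, cr, sr)
    # ... the genuine server from (server_priv, client_pub) ...
    real_server_key = fixed_dh_key(server_priv, client_pub, cr, sr)
    # ... and the MitM, holding only client_priv and the server's public
    # certificate, reaches the same key with no server secret at all.
    mitm_key = fixed_dh_key(client_priv, server_pub, cr, sr)

    # DHE: the key depends on fresh private values, so the stolen
    # client certificate key buys the attacker nothing.
    dhe_key, s_eph_pub = dhe_handshake(cr, sr)
    mitm_guess = session_key(pow(s_eph_pub, client_priv, P), cr, sr)

    return {
        "fixed_dh_impersonated": victim_key == real_server_key == mitm_key,
        "dhe_impersonated": mitm_guess == dhe_key,
    }


def offers_fixed_dh(suites):
    """Flag ciphersuites (IANA TLS_* or OpenSSL names) whose key-exchange token
    is DH or ECDH: the static suites the attack needs (the anonymous DH_anon /
    ECDH_anon forms match too). DHE / ECDHE suites are not flagged."""
    flagged = []
    for s in suites:
        kx = s.upper().replace("-", "_").split("_WITH_")[0]
        if any(tok in ("DH", "ECDH") for tok in kx.split("_")):
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    print(demo())
    print(offers_fixed_dh(["DH-RSA-AES128-SHA", "DHE-RSA-AES128-SHA", "ECDH-ECDSA-AES128-SHA"]))
```

On a server built against OpenSSL, 'openssl ciphers -v kDH:kECDH' lists the static-DH suites the library can offer, and a hardened cipher string excludes them with !kDH:!kECDH; these suites also require a DH or ECDH certificate rather than the usual RSA one, which is why, as the researchers note, they are rare in deployments today.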

Experts said they reported their findings to Google, Microsoft and Apple before public disclosure so users running popular web browsers on recent operating system versions should be safe. Facebook has also taken steps to protect users against potential KCI attacks.

"The immediate impact is not as serious as, for example, the one from the recent Logjam attack, because support for the necessary options in TLS clients and servers (both are necessary) is currently not as widespread as a malicious attacker would hope for," researchers explained. "However, without adequate measures, this situation could change anytime in the future: Recently, OpenSSL developers have just added support for the vulnerable fixed DH handshake to the newest branch (1.0.2) of the library, and they seemed to be on track for also adding support for the fixed ECDH handshake option."
Tue, 15 Sep 2015 11:00:00 -0700 (Administrator)
Mohu website breach
How many victims? Approximately 2,500.

What type of personal information? Names, addresses, email addresses, phone numbers, credit card numbers, expiration dates and CVV codes.

What happened? An attacker penetrated Mohu's security systems, inserted malicious code into Mohu's computer systems, and removed the personal information.

What was the response? Mohu is conducting a review of potentially affected computer systems. Mohu has implemented additional security measures to prevent a similar attack and to protect the privacy of customers. All affected individuals are being notified and offered a free year of credit monitoring services.

Details: Mohu detected and removed the malicious code from its systems on July 28. Mohu's computer systems were compromised between June 3 and July 28. At least one Twitter user reported fraudulent use of their credit card that seems to be a result of the attack.

Quote: "Mohu has hired two security consulting firms to review and make recommendations for further improving Mohu's electronic security measures," a notification letter sent to the Office of the New Hampshire Attorney General said.
Wed, 16 Sep 2015 06:00:00 -0700 (Administrator)
China's IP Theft
A two-year investigation by anti-communist title Epoch Times taps known information and intelligence gleaned from security experts.

It alleges that while stories of Chinese hacking have so far concentrated on individual military units like the infamous 61398 – five members of which the US indicted for their role in economic theft last year – the scale of the operation goes far further.

Specifically, the report argues that Chinese state-sponsored operatives steal trade and military secrets, after which they are sent into a nationwide network of transfer centers where they are reverse engineered.

The resulting products either serve the Chinese military or are sold back to markets like the US at a fraction of the price of the original.

A few of these officially sanctioned transfer centers include the State Administration of Foreign Experts Affairs under the State Council, the Science and Technology Office under the Overseas Chinese Affairs Office, and the National Technology Transfer Center under the East China University of Science and Technology.

Crucially, rather than try to reverse engineer a product straight from stolen designs, the Chinese system requires researchers to first find publicly available info on earlier generations of the product and learn how to build those first.

Then they send students abroad to study and work in the targeted industry to give them a broad base of knowledge which enables them ultimately to reverse engineer the targeted product – a much quicker process, according to the report.

Experts quoted by Epoch Times estimate the US is losing around $5 trillion each year thanks to Chinese spying – or around 30% of its GDP.

Aside from improving the revenue and competitiveness of China PLC, another driver for this large scale IP theft and tech transfer network is the PLA, which is forced to find 30% of its operating expenses itself.

There are an estimated 3,000+ front companies operated by the PLA in the US which exist solely to steal American tech, the report alleged, quoting official government sources.

One of the most powerful organizations behind cyber-espionage is the 61 Research Institute, which operates under the PLA’s Third Department of the General Staff Department, the report claimed.

This is the body which oversees the ‘61’ units like 61398 which are prolific military hackers, and is said to be one of the main centers of power in the Chinese communist regime.

An infographic explains the complex web of state, military, academic institutions and state-controlled companies which allow for this large scale information theft and reverse engineering model.

It’s rumored that US president Barack Obama is planning an unprecedented set of economic sanctions against Chinese companies and individuals who’ve benefited from US IP theft.

But the difficulty as always will be attribution, with Beijing ever careful to ensure enough plausible deniability if specific culprits are named.
Tue, 15 Sep 2015 10:00:00 -0700 (Administrator)
Intel Takes On Car Hacking
After a summer full of car hacking revelations, Intel today announced the creation of a new Automotive Security Review Board (ASRB), focused on security tests and audits for the automobile industry.

The potential for modern connected cars to be attacked and remotely controlled by malicious hackers is a topic that has received considerable attention recently from security experts, industry stakeholders, regulators, lawmakers, and consumers.

Demonstrations like one earlier this year where two security researchers showed how attackers could take wireless control of a 2014 Jeep Cherokee’s braking, steering, and transmission control systems, have exacerbated those concerns greatly and lent urgency to efforts to address the problem.

Intel also released a whitepaper describing a preliminary set of security best practices for automakers, component manufacturers, suppliers, and distributors in the automobile sector.

An Intel press release described the ASRB as a forum for top security talent in the area of cyber-physical systems. "The ASRB researchers will perform ongoing security tests and audits intended to codify best practices and design recommendations for advanced cyber-security solutions" for the auto industry, the release noted.

ASRB members will have access to Intel automotive’s development platforms for conducting research. Findings will be published publicly on an ongoing basis, Intel said. The member that provides the greatest cybersecurity contribution will be awarded a new car or cash equivalent.

Intel’s security best practices whitepaper, also released today, identified several existing and emerging Internet-connected technologies in modern vehicles that present a malicious hacking risk.

Modern vehicles have over 100 electronic control units, many of which are susceptible to threats that are familiar in the cyber world, such as Trojans, buffer overflow flaws, and privilege escalation exploits, Intel said. With cars connected to the external world via Wi-Fi, cellular networks, and the Internet, the attack surface has become substantially broader over the last few years.

The whitepaper identifies 15 electronic control units that are particularly at risk from hacking. The list includes electronic control units managing steering, engine, and transmission, vehicle access, airbag and entertainment systems. "Current automotive systems are vulnerable," Intel noted. "Applying best-known practices and lessons learned earlier in the computer industry will be helpful as vehicles become increasingly connected."

Concerns have been growing in recent times about critical security weaknesses in many of the Internet-connected components integrated in new vehicles these days. Chrysler for instance, recalled 1.4 million vehicles after two security researchers showed how they could bring a Jeep Cherokee traveling at 70 mph to a screeching halt by hacking into its braking system from 10 miles away.

A report released by Senator Edward Markey (D-MA) in February, based on input from 16 major automakers, revealed how 100 percent of new cars have wireless technologies that are vulnerable to hacking and privacy intrusions. The report found that most automakers were unaware or unable to say if their vehicles had been previously hacked while security measures to control unauthorized access to control systems were inconsistent.

Craig Hurst, director of strategic planning and product management at Intel Transportation Solutions Division’s Internet of Things Group says a holistic approach is required to address security issues in Internet connected vehicles.

"Automotive security must be approached from a system-level perspective, and not from a single attack surface or platform ingredient alone," he says. Collaboration and contribution across the entire automotive ecosystem are critical to ensuring better security, he says.

"Security begins with the design of the car where hardware, software, and network security technologies can be deployed," he says. Organizations in the automobile sector have to start thinking about institutional processes such as the security development lifecycle and secure supply chain management from a cyber risk standpoint. "And processes need to be in place to ensure that vehicles continue to be protected as new threats emerge over its life time," Hurst says.

"The complexity of the automotive ecosystem requires an industry effort, and there’s a positive momentum building," he said. "The most important aspect is that security must be observed, designed, tested, and enhanced from a system-level view."
Tue, 15 Sep 2015 09:00:00 -0700 (Administrator)
Excellus Healthcare Breach
The breach affected around 7 million "members, patients or others who’ve done business" with BlueCross BlueShield, with the remainder being Lifetime Health Care customers.

The plans affected are BlueCard Members; BlueCross BlueShield of Central New York; BlueCross and BlueShield of the Rochester area; BlueCross BlueShield of Utica-Watertown; and Excellus BlueCross BlueShield.

This incident also affected members of other plans who sought treatment in the firm’s 31-county upstate New York service area.

"Individuals who do business with us and provided us with their financial account information or Social Security number are also affected," the firm’s president and CEO, Christopher Booth, said in a statement.

Booth revealed that his IT team first discovered the "sophisticated attack" on 5 August 2015, and has been working since with Mandiant and the FBI.

However, the attack actually began over a year and a half ago – on 23 December 2013 – he admitted.

What’s more, the information stolen is highly sensitive, as he explained:

"Our investigation determined that the attackers may have gained unauthorized access to individuals’ information, which could include name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information."

As is the norm on such occasions, Excellus is offering free identity theft protection services to affected customers for two years.

However, Booth claims there’s no evidence the data has been used "inappropriately" thus far.

Fortscale CEO Idan Tendler, a former cyber warfare commander of the Israeli Defense Forces, claimed the incident is a "textbook case study in how hackers are able to stay under-the-radar and go undetected for long periods of time."

"The hackers’ ability to go unnoticed and gain unauthorized access to the company’s IT systems and the personal information of potentially thousands of people does not come as a surprise," he added.

"We’ve seen this scenario play out in breach after breach, underscoring the need for organizations to constantly monitor their networks and be proactive in detecting and responding to suspicious user activity to prevent these types of breaches from occurring."

Netsurion CEO, Kevin Watson, added that Excellus would likely suffer loss of customer trust and brand equity because of the breach.

"As cyber-criminals increasingly target personally identifiable information other than credit card or financial data, more and more businesses will need to be vigilant of their data security," he argued.

"What many businesses fail to recognize are the myriad of points of entry and egress from a network, including every branch and remote office location."

Excellus is the latest in a long line of US healthcare breaches – following most notably Anthem (78 million customers) and Premera (11 million).

It’s suspected that potentially state-sponsored Chinese hackers could be behind those attacks as they continue to build up a huge database containing the digital identities of US government employees.

Security experts have been warning for years that healthcare providers have under-invested in information security.

According to the Identity Theft Resource Center, healthcare providers accounted for more breaches (42.5%) than any other sector in 2014, continuing a three-year trend.
Mon, 14 Sep 2015 11:00:00 -0700 (Administrator)
Lloyds Premier Breach
The data went missing on a storage device taken in July from insurer Royal Sun Alliance (RSA), which provides emergency home cover to the £25-per-month account customers.

The breach affects those who made a claim between 2006 and 2012, according to the Daily Telegraph.

In a brief notice on its website last week, RSA apologized, claiming it had informed its regulators and was in the process of contacting affected customers.

`Unfortunately a data storage device has been reported as stolen from one of our data centers,` it said.

`We are working with the police on a full investigation and although there is no evidence to suggest that this data has been misused in any way, we are offering identity protection with Cifas for two years to provide reassurance to these customers.`

The insurer added that the incident `should never have happened` and revealed that the stolen storage device contained names and addresses, bank account and sort code details.

A statement sent to the paper from the Financial Conduct Authority (FCA) said the watchdog was liaising with the affected firms to ensure customers are protected.

`We will also work with them to look at the root causes of the data loss, since we expect all regulated firms to have adequate systems and controls in place so that customers’ data is not left at risk,` it added.

A new report from Gemalto last week claimed that the UK saw more data breaches in the first half of the year than any other European nation. There were 63 reported incidents in 1H 2015 as opposed to just eight in second-placed Germany and six in the Netherlands.

However, despite the high tally, just 8.3 million records were exposed in these breaches – only 3.4% of the global total. By comparison, the US accounted for 49% of all compromised records globally.

With no breach disclosure laws until the coming European General Data Protection Regulation is enacted, it’s likely the scale of the problem in the UK and across the region will remain unknown.
Mon, 14 Sep 2015 10:00:00 -0700 (Administrator)
MIT’s bad security
`One of the most prestigious and recognized schools of higher learning in the world, Massachusetts Institute of Technology, is not displaying strength in its security posture,` the SecurityScorecard researchers reported. `With nearly 80,000 IP addresses discovered in the SecurityScorecard platform, the Cambridge college is showing a plethora of security risks, vulnerabilities, and weaknesses. To receive an overall ‘D’ grade, an organization needs to rank poorly in many of the 10 categories captured in SecurityScorecard. In this case, MIT has four ‘F’ grades, and two ‘D’ grades out of ten.`

Of course, whether the grading criteria really apply to a university network with a huge public IP address space is open to interpretation.

Based on data collected in late August, MIT scored low in:
• IP reputation: a score based on incidents of malware detected coming from the IP range of the institution. MIT had an average malware infection duration on IP addresses scanned of 1.678 days, `which is higher than 80% of the education vertical,` the researchers noted.
• Network security: a score based on the number of vulnerable services directly exposed to the Internet, derived from a scan that audits version numbers of exposed software and open ports on those systems, correlated with a database of known exploits, according to SecurityScorecard Chief of Research Alex Heid.
• Hacker chatter: a score based on how often the school was mentioned in hacker forums, and the amount of user credentials, e-mail addresses and other breached data circulating on those forums over the observed period.
• Password exposure: the degree to which students, faculty, and employees are using weak passwords. This score was in part based on the user credential data discovered in hacker chatter. `Our signals and sensors found 6 credentials for accounts associated with student and employee email discovered in 4 data leaks,` SecurityScorecard reported.
• Patching cadence: how quickly known vulnerabilities in software are patched as they are announced over the period of the scan.
• Susceptibility to social engineering.

MIT wasn’t alone in weakness on patching software. For seven of the bottom 10 schools in the survey, there were 51 or more individual pieces of software that were unpatched. `In one of the most extreme cases in this bottom grouping, our platform detected 67 insecure software instances,` the authors of the study reported. Saving MIT from an overall failing grade, however, were the school’s A grades in Web application security, the health of its DNS records, and the quality of its endpoint security.

Ars reached out to MIT for comment on the survey, but the school was unable to supply a response in time for publication. We will update this story when one becomes available.
Mon, 14 Sep 2015 09:00:00 -0700 (Administrator)
Chrysler Second Recall
The recall will update software in about 7,810 of its new 2015 Jeep Renegade cars, which feature 6.5-inch touchscreens. Chrysler said that since the Renegade is a new model, about half the affected vehicles are still in the hands of dealers.

It also said that the radio in question is different from the ones that security researchers Charlie Miller and Chris Valasek were able to exploit—with an unsuspecting journalist driving 70 mph on the freeway. In time for last month’s Black Hat conference, they showed that they could take over a car’s air-conditioning, in-dash system and windshield wipers remotely. Miller and Valasek also said that they could take control of the vehicle’s brakes and steering. The vehicles covered by the first recall include the 2015 model of the Dodge Ram pickup, Dodge’s Challenger and Viper, and the Jeep Cherokee and Grand Cherokee SUVs.

The new vulnerabilities would be costly to exploit and would likely take months and extensive technical prowess to accomplish, Chrysler emphasized.

`The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code,` the company said in the statement. `No defect has been found. FCA US is conducting this campaign out of an abundance of caution.`

The National Highway Traffic Safety Administration (NHTSA) has meanwhile launched an investigation to assess whether the recall was likely to be effective.

`Launching a recall is the right step to protect Fiat Chrysler’s customers, and it sets an important precedent for how NHTSA and the industry will respond to cybersecurity vulnerabilities,` NHTSA Administrator Mark Rosekind said in a statement.
Thu, 10 Sep 2015 11:00:00 -0700 (Administrator)
UK Tops Data Breach Table
The digital security and SIM card vendor claimed in its latest Breach Level Index (BLI) report that there were 63 data breaches in the UK in the first six months of the year – a huge jump from second-placed Germany (8) and third-placed Netherlands (6).

However, just 8.3 million records were exposed in those breaches, which is only 3.4% of the global total of 246 million. This pales in comparison with the US, which accounted for nearly half (49%) of all compromised records, and Turkey (26%).

The 888 data breaches suffered globally in the first half of 2015 is a 10% increase on the same period a year ago, although the number of records stolen declined 41% thanks to fewer mega breaches, the report claimed.

However, the likes of Anthem (79m), the US Office of Personnel Management (21m), and Turkey’s General Directorate of Population and Citizenship Affairs (50m) kept the numbers pretty high.

Although identity theft-related breaches accounted for the vast majority of records compromised (75%), state-sponsored attackers showed they are becoming increasingly effective.

Despite accounting for just 2% of breach incidents during the period, nation state operatives stole 41% of all records compromised, according to Gemalto.

By industry, healthcare (34%) and government (31%) accounted for the vast majority of compromised records during the first half of the year, with retail seeing a massive drop – from 38% during the first six months of 2014 to just 4% during this period.

Gemalto security expert Paul Hampton warned that the findings disclosed in the report are likely to represent just the tip of the iceberg when it comes to global breaches – as they record only those announced publicly.

`It seems safe to assume that for every breach that is made public there are others that aren’t announced,` he told Infosecurity.

`These numbers are likely to change once the European disclosure rules come into effect, as organizations will have to collect, store, access and secure data in new ways. Most importantly, they will have to notify both authorities and affected individuals when a data breach occurs.`

What’s more, many organizations are incapable of detecting the increasingly sophisticated targeted breaches aimed at their networks, he added.

`Given that attackers perpetrating identity theft breaches are usually only intent on obtaining a copy of confidential data rather than on causing malicious damage to systems, it is quite possible that many organizations haven’t even noticed that a breach has occurred,` Hampton argued.
Thu, 10 Sep 2015 10:00:00 -0700 (Administrator)
Excellus BlueCross hacked
The attack was discovered after Excellus, which is based in Rochester, N.Y., hired cybersecurity firm Mandiant to conduct a forensic assessment of the company’s IT systems in the wake of multiple health insurers - including Anthem, Premera Blue Cross, and CareFirst Blue Cross Blue Shield - belatedly discovering that their systems had been breached and member data stolen.

In the case of the Excellus breach, the 10.5 million affected individuals include 7 million health plan members and 3.5 million individuals whose data was contained in systems of Excellus’ holding company, the Lifetime Healthcare Companies, an Excellus spokesman says. Among the affected individuals are members of other Blue Cross Blue Shield plans who sought treatment in the 31-county upstate New York service area of Excellus. `Individuals who do business with us and provided us with their financial account information or Social Security number are also affected,` according to an Excellus statement.

Although the affected data was encrypted, the hackers gained access to administrative controls, making the encryption moot, a company spokesman says.

FBI Confirms Investigation

The FBI has confirmed that it has launched a related investigation. `The FBI is investigating a cyber intrusion involving Lifetime Healthcare Companies, which include Excellus BlueCross BlueShield, and will work with the firms to determine the nature and scope of the matter,` the FBI says in a statement, Reuters reports.

The FBI adds: `Individuals contacted by the companies should take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center.`

Excellus says attackers may have gained access to member information - including names, addresses, birthdates, Social Security numbers, health plan ID numbers, financial account information, as well as claims data and clinical information - although it says it has seen no evidence that the information has been used for fraudulent purposes.

`We are fully cooperating with the FBI’s investigation,` Excellus says in its statement. `Our investigation has not determined that any data was removed from our systems. To date there is no evidence that any data has been used inappropriately. The security of personal information is a top priority, and we are taking proactive steps to address this issue.`

The company, which serves 31 upstate New York counties, is offering breach victims two years of free credit monitoring and identity theft monitoring services.

In addition, Excellus says it is continuing to work with Mandiant to finish a comprehensive investigation into the breach. `We have moved quickly to close the vulnerability, remediate our IT systems and to strengthen and enhance the security of our IT systems moving forward.`
Thu, 10 Sep 2015 09:00:00 -0700 (Administrator)
WhatsApp Vulnerability
Discovered by Check Point security researcher Kasif Dekel, the vulnerability can be exploited by simply sending a vCard contact card containing malicious code to a WhatsApp user. As soon as the seemingly innocent vCard is opened in WhatsApp Web, the malicious code in it can run on the target machine.

This vulnerability allows cybercriminals to compromise the affected computer by distributing all types of malware, including ransomware, bots, and remote access tools (RATs), Check Point’s researcher explains.

The underlying issue lies in the improper filtering of contact cards that are sent using the popular ‘vCard’ format. `By manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file,` the Check Point researcher explained in a blog post.

An attacker can inject a command in the name attribute of the vCard file, separated by the ‘&’ character. Windows automatically tries to run all lines in the file, including the injection line, when the vCard is opened.

This attack does not require XMPP interception or crafting, because anyone can create such a contact with an injected payload directly on the phone, Check Point notes. As soon as the contact is ready, the attacker only needs to share it through the WhatsApp client with unsuspecting users.

Check Point also explains that WhatsApp failed to validate the vCard format or the contents of the file, and that even an exe file could have been sent this way. Even more, malware could have been attached to a displayed icon, opening a vast world of opportunity for cybercriminals and scammers.

Over the past several years, WhatsApp has grown to become one of the most popular messaging services on mobile phones, with over 900 million users as of this month, and it has extended to the desktop as well, where it has over 200 million users.

WhatsApp Web provides users with access to all of the messages that they have sent or received, including images, videos, audio files, locations and contact cards, and keeps all content synchronized with the phone, so that users can access it on both desktop and mobile devices.

Additionally, the web-based interface allows users to view all of the sent or received attachments, as long as they are accessible through the mobile application, including images, audio and video files, location info, and contact cards.

To connect with other people on WhatsApp, users need to know the phone number associated with their accounts, and cybercriminals can take advantage of this to target individuals when exploiting the newly discovered vulnerability.

According to the security firm, WhatsApp has acknowledged the security issue and released a fix for it on Aug. 27. Users of WhatsApp Web should update their software as soon as possible to ensure that their computers are protected. WhatsApp Web v0.1.4481 and later include the fix for this vulnerability.
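The root cause described above is a file that was handed to the operating system without anyone checking that it was actually a contact card: the extension was attacker-controlled and the name fields were never filtered. The validator below is an added example, not WhatsApp's or Check Point's code, of the allowlist check a receiving service could run before a shared contact is written to disk or opened. The vCard samples, the property allowlist and the `INJECTED-PLACEHOLDER` token are constructed for the example; the function name `validate_vcard` is hypothetical.

```python
import re
import unicodedata

# Properties a contact-sharing feature actually needs; anything else is rejected, not passed through.
ALLOWED_PROPERTIES = {"BEGIN", "END", "VERSION", "FN", "N", "TEL", "EMAIL"}
# Characters a person's name can legitimately contain. Shell metacharacters such as '&', '|', ';',
# '$', '`' and quotes are deliberately absent, so an injected second "line" never survives.
NAME_CHARS = re.compile(r"^[\w .,'\-]+$")
# Phone numbers and e-mail addresses: digits, letters, and the few punctuation marks they use.
VALUE_CHARS = re.compile(r"^[\w@.+\-() ]+$")


def validate_vcard(filename: str, raw: bytes):
    """Return (accepted, reason). Rejects rather than sanitises: a contact card that does not
    look like a contact card is not worth repairing. Hypothetical helper for this example."""
    if not filename.lower().endswith(".vcf"):
        return False, f"unexpected extension on {filename!r}"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8"
    # Control characters other than CRLF have no place in a contact card.
    if any(unicodedata.category(ch) == "Cc" and ch not in "\r\n" for ch in text):
        return False, "control characters present"
    lines = [ln for ln in text.replace("\r\n", "\n").split("\n") if ln]
    if not lines or lines[0] != "BEGIN:VCARD" or lines[-1] != "END:VCARD":
        return False, "missing BEGIN:VCARD/END:VCARD envelope"
    for line in lines[1:-1]:
        if ":" not in line:
            return False, f"malformed line {line!r}"
        prop, value = line.split(":", 1)
        prop = prop.split(";", 1)[0].upper()  # drop parameters such as TEL;TYPE=CELL
        if prop not in ALLOWED_PROPERTIES:
            return False, f"property {prop} not allowed"
        if prop in ("FN", "N"):
            # N uses ';' as its field separator (Last;First;...), which is fine; anything else is not.
            if not NAME_CHARS.match(value.replace(";", " ")):
                return False, f"name field contains disallowed characters: {value!r}"
        elif prop in ("TEL", "EMAIL") and not VALUE_CHARS.match(value):
            return False, f"{prop} contains disallowed characters: {value!r}"
    return True, "ok"


# Constructed samples (not real contacts). The second carries the '&'-separated extra line the
# article describes, with a harmless placeholder where a command would sit.
CLEAN_VCARD = (
    b"BEGIN:VCARD\r\nVERSION:3.0\r\nN:Doe;Jane;;;\r\nFN:Jane Doe\r\n"
    b"TEL;TYPE=CELL:+1-555-0100\r\nEND:VCARD\r\n"
)
INJECTED_VCARD = (
    b"BEGIN:VCARD\r\nVERSION:3.0\r\nN:Doe;Jane;;;\r\n"
    b"FN:Jane Doe & INJECTED-PLACEHOLDER\r\nEND:VCARD\r\n"
)

if __name__ == "__main__":
    for name, payload in [("contact.vcf", CLEAN_VCARD), ("contact.vcf", INJECTED_VCARD),
                          ("contact.exe", CLEAN_VCARD)]:
        print(name, validate_vcard(name, payload))
```

The check is allowlist-shaped on purpose: enumerating bad characters would have to keep up with every way an operating system can be persuaded to treat a name as something else, whereas the set of characters a real name needs is small and stable.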
Wed, 9 Sep 2015 10:00:00 -0700 (Administrator)
Windows 10 Abandons Privacy
You can read all you want about Windows 10 powerful new privacy features, but that doesn’t mean you have them.

The Windows 10 reviews are pouring in and the general consensus seems to be that it rocks (especially over Windows 8). It’s feature-rich, fun, and best of all, free. So why then is it being called a privacy nightmare in dire need of reform? Because most of the powerful privacy settings are turned off by default. Yikes. Forget Clippy ever happened. There’s a new Microsoft sheriff annoying users in town.

The issue comes down to your personal information. Microsoft is acting as if it wants to collect lots of yours, more than it ever has before. And it’s not telling us why. In an Edward Snowden world, that scares people, as well it should. Sure, in certain instances it makes logical sense. Take Cortana for example, your friendly neighborhood personal digital assistant. Just like Apple’s Siri, in order to give you good ideas, Cortana needs to get to know you, your interests, and where you like to hang out. You can play with her settings if you choose, but the onus rests entirely on you. And therein lies the fundamental flaw of Windows 10: everything is on you.

You can read all you want about Windows 10 privacy features, but that doesn’t mean you have them. It’s kind of odd. A company builds powerful privacy into its application but then leaves it up to you to become Sherlock Holmes to find them. Even worse, Microsoft doesn’t highlight this fact. There’s no FYI; no `just in case you’re wondering.` Most people will never know what’s missing or in fact what they’ve got.

To those who know about the privacy issue and want to resolve it, there’s another mountain to climb: changing the settings. This is not a one-click procedure. If you have the time and patience and want to go all techno-geek, then you can probably get there. If not, you’re kind of screwed. The end result is that everyday people won’t bother. They’ll opt for leaving well enough alone over being mired in some techno-hell. Isn’t that why most of us stick too long with technology, even when we know change would be for the better?

So what was Microsoft thinking? On the one hand, there’s the whole issue of keeping up with the Joneses. Apple, Facebook, Google, all of Microsoft’s main competitors, collect information about you. Microsoft does too for that matter. But Apple and its CEO Tim Cook, as shown in recent speeches and blogs, suggest they want to change their tune. Microsoft looks like it potentially does too, but it sounds like the wrong song.

Secondly, as Forrester Research’s Tyler Shields points out, it’s simple addition. Microsoft makes money off of its value-added services. If you offer those services as an opt-in, something that requires action and thought, most people tend to opt-out. If you reverse the equation, then most people are already opted-in and either uninformed about or uninterested in taking the time to reverse the settings.

Here’s what I recommend. Take care of business yourself. First off, start with an easy action item. Turn off Wi-Fi Sense, which is on by default. Wi-Fi Sense connects you to trusted Wi-Fi networks around you that your friends use. Hey, I get it. Not all of us have data plans. Sometimes we exceed our limits. And it’s kind of cool to chill in a room with friends and share the same network. But Wi-Fi Sense automatically shares access with everyone in your Outlook address book as well as your frenemies on Facebook whom you want to make feel small with exaggerations of your high life.

Next, stick with your own local account. Microsoft wants you to create a Microsoft account (formerly known as a Live ID). It’s all part of the wave that companies such as Facebook and Google ride where your whole life sits in a single account. They tell you it’s so easy and convenient, that you can access your stuff on any device. It also means they can lump your data together, making it easier to collect. I don’t trust that idea myself, not without clear protection of data and a transparent privacy policy, which is what I set up at my own social media company, MeWe.

Finally, I would fire Cortana. Take her off everything, except maybe your phone. If she’s on your phone, then minimize what you want her to know. Keep her as a work friend, one who only needs to know one aspect of your life instead of the entire you.

Microsoft is not the first to follow such user-unfriendly practices, nor will they be the last. That’s why we need to continue to demand that companies clearly inform users about the information they collect, how they use it, and where it goes. Only use companies and applications that follow such practices. In these modern times, actions really can speak much louder than words. In this case, yours can impact how Microsoft responds in this instance and others in the future.
Wed, 9 Sep 2015 09:00:00 -0700 (Administrator)
Hawaii credit union Breach
How many victims? Undisclosed.

What type of personal information? Names, addresses, Social Security numbers and bank account numbers.

What happened? An unauthorized individual may have gained access to a Hawaii First Federal Credit Union employee’s email account, and could have had access to the personal information.

What was the response? Access to the email account was immediately terminated and all passwords were reset. Hawaii First Federal Credit Union is conducting a comprehensive review of its information security practices and procedures. All potentially affected individuals are being notified, and offered a free year of identity theft protection services.

Details: Hawaii First Federal Credit Union learned of the incident on June 1.

Quote: `While we have received no reports that your information has been used in any manner that would compromise your identity or credit, out of an abundance of caution, we want to let you know this happened and assure you that we take it very seriously,` a notification letter said.
Tue, 8 Sep 2015 12:00:00 -0700 (Administrator)
MS researchers claim to crack CryptDB
CryptDB was originally developed at MIT. It functions as an addition to a standard, unmodified SQL database and is intended to allow applications to interact with encrypted data using Structured Query Language. By using layers of encryption, CryptDB can allow certain properties of data to be revealed to applications processing the queries while keeping the data itself protected. In theory, the encryption prevents the database administrator (or anyone who attacks the database by gaining trusted access) from being able to view the contents of the database. Data from different users is encrypted with different keys.

CryptDB has been used with the open-source MySQL and PostgreSQL databases, and Google uses it to provide an encrypted version of its BigQuery cloud database. SAP and other large database vendors are looking to apply the technology to their own databases as well. And the federally funded MIT Lincoln Laboratory has worked with CryptDB as an additional interface to the Apache Accumulo NoSQL database—the same database originally developed by the National Security Agency to store NSA’s multi-level security `big data.`

While CryptDB protects against a compromise of the database server application itself, with data at rest always being encrypted, it isn’t designed to protect against an attack on applications used to access the data. However, it is designed to partially mitigate this kind of attack by limiting the breach to only data accessible by any of the keys that might be compromised. There’s also some `leakage` of data required for the SQL server to do some processing, so intercepting queries sent to the server could also reveal some data—depending on the way queries are structured.

The appeal of this sort of system to anyone in the cloud software business is obvious: CryptDB could allow for greater security of data stored in shared cloud environments. That would allow applications such as electronic medical record systems and other sensitive databases to move to cloud environments without having to rely on expensive, purpose-made database systems.

The Microsoft Research team sought to burst that bubble by going after the weakest link in CryptDB: the Order Preserving Encryption (OPE) and Deterministic Encryption (DET or DTE) schemes. OPE is used to make it possible for SQL queries such as `ORDER BY` to execute. DTE encryption allows databases to be searched for matching values, as described in the original paper by its developers, `by deterministically generating the same ciphertext for the same plaintext. This encryption layer allows the server to perform equality checks, which means it can perform selects with equality predicates, equality joins, GROUP BY, COUNT, DISTINCT, etc.` These schemes are the ones most prone to data leakage in CryptDB.
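The reason DET and OPE are the weak links follows directly from what they have to preserve: the server can only run GROUP BY on a column whose ciphertexts repeat exactly when the plaintexts do, and can only run ORDER BY on a column whose ciphertexts sort the same way the plaintexts do. Whatever the server can see, a curious administrator or someone who has captured the table can see too. The Python sketch below is an added illustration, not code from CryptDB, its MIT authors or the Microsoft Research paper: a keyed PRF stands in for the deterministic layer and a keyed monotone lookup table stands in for a real OPE scheme, the column values, key bytes and the "public" frequency table are constructed, and all function names are hypothetical. It shows the two query types working on ciphertext alone, and then what the same ciphertexts give away to an observer who holds a public distribution for the column.

```python
import hashlib
import hmac
import random
from collections import Counter

# Constructed sample data (not from any real database): two columns of a patient table,
# as an application behind a CryptDB-style proxy might store them. Keys are placeholders.
DET_KEY = b"placeholder-det-column-key"
OPE_KEY = b"placeholder-ope-column-key"
STATE_COLUMN = ["NY"] * 40 + ["CA"] * 25 + ["TX"] * 20 + ["VT"] * 5 + ["WY"] * 2
AGE_COLUMN = [23, 41, 35, 67, 52, 41, 30]
# Auxiliary data the observer is assumed to have, e.g. public population figures for the region.
PUBLIC_STATE_FREQUENCIES = {"NY": 19500, "CA": 12000, "TX": 9000, "VT": 600, "WY": 500}


def det_encrypt(key: bytes, value: str) -> str:
    """DET layer stand-in: a keyed PRF, so equal plaintexts give equal ciphertexts.
    CryptDB uses a deterministic AES construction; HMAC keeps this example dependency-free."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def ope_encrypt(key: bytes, value: int, domain=range(0, 130)) -> int:
    """Toy OPE layer: a keyed, strictly increasing map over a small known domain (ages 0..129).
    Real OPE schemes work over the full integer range; only the order-preserving property
    ct(a) < ct(b) <=> a < b matters for this illustration."""
    rng = random.Random(int.from_bytes(hashlib.sha256(key).digest()[:8], "big"))
    current, table = 0, {}
    for plaintext in domain:
        current += rng.randint(1, 1000)  # random positive gap: order kept, value hidden
        table[plaintext] = current
    return table[value]


def server_group_count(det_ciphertexts):
    """What the SQL server can run on a DET column without any key: GROUP BY ct, COUNT(*)."""
    return Counter(det_ciphertexts)


def server_order_by(ope_ciphertexts):
    """ORDER BY on an OPE column: the server sorts ciphertexts and gets plaintext order."""
    return sorted(ope_ciphertexts)


def frequency_leak(det_ciphertexts, public_frequencies):
    """What a passive observer learns from the same DET column: the ciphertext histogram is the
    plaintext histogram, so aligning it with a public frequency table maps the most common
    ciphertext to the most common plaintext, and so on. Returns the inferred ct -> plaintext map."""
    ct_ranked = [ct for ct, _ in Counter(det_ciphertexts).most_common()]
    pt_ranked = sorted(public_frequencies, key=public_frequencies.get, reverse=True)
    return dict(zip(ct_ranked, pt_ranked))


def rank_leak(ope_ciphertexts):
    """What the OPE column reveals without the key: every row's rank in the sorted order."""
    order = sorted(ope_ciphertexts)
    return [order.index(ct) for ct in ope_ciphertexts]


def demo():
    det_column = [det_encrypt(DET_KEY, s) for s in STATE_COLUMN]
    ope_column = [ope_encrypt(OPE_KEY, a) for a in AGE_COLUMN]
    inferred = frequency_leak(det_column, PUBLIC_STATE_FREQUENCIES)
    recovered = [inferred[ct] for ct in det_column]
    fraction = sum(r == p for r, p in zip(recovered, STATE_COLUMN)) / len(STATE_COLUMN)
    return {
        "group_by_works": len(server_group_count(det_column)) == 5,
        "order_by_works": [ope_encrypt(OPE_KEY, a) for a in sorted(AGE_COLUMN)] == server_order_by(ope_column),
        "fraction_of_rows_recovered": fraction,
        "age_ranks_leaked": rank_leak(ope_column),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for anyone deploying such a system is that DET and OPE should only ever be reached for columns that genuinely need equality or range queries, and never for low-entropy columns (state, sex, diagnosis code) whose distribution is public knowledge; CryptDB's onion design peels down to these layers only when a query demands it, and a deployment should audit which columns have actually been peeled.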
Tue, 8 Sep 2015 11:00:00 -0700 (Administrator)
Serious https bug
A nine-month scan that queried billions of HTTPS sessions from millions of IP addresses was able to obtain leaked data for 272 keys, reports Red Hat security researcher Florian Weimer in a research paper published this week. Because the scan surveyed only a very small percentage of the overall number of transport layer security protocol handshakes, many more keys and manufacturers are likely to be affected by the leakage. Vulnerable hardware includes load balancers from Citrix as well as devices from Hillstone Networks, Alteon/Nortel, Viprinet, QNO, ZyXEL, BEJY, and Fortinet.

Enter Chinese Remainder Theorem

The leakage is the result of insecure implementations of the RSA public key cryptosystem, which is one of several that HTTPS-protected websites can use to exchange keys with visitors. A 1996 research paper by researcher Arjen Lenstra warned that an optimization based on what’s known as the Chinese Remainder Theorem sometimes causes faults to occur during the computation of an RSA signature. The errors cause HTTPS websites that use the perfect forward secrecy protocol to leak data that can be used to recover the site’s private key using what’s known as a side-channel attack.

As a result, someone monitoring the connection between a visitor and site who happens to witness the rarely occurring fault (or even the visitor themselves) can cryptographically impersonate the website. Most developers heeded Lenstra’s call to introduce countermeasures that check for the signature faults and prevent them from spilling the sensitive mathematical data, but a variety of HTTPS software—including GNUTLS, PolarSSL, and libgcrypt—by default contain no such hardening. And even when software implements the checks by default, certain types of configurations can turn them off.

`This report shows that it is still possible to use Lenstra’s attack to recover RSA private keys, almost two decades after the attack has been described first, and that fault-based side-channel attacks can be relevant even in scenarios where the attacker does not have physical access to the device,` Red Hat’s Weimer wrote in this week’s paper. `The net effect is that a passive observer with visibility into global Internet traffic is likely able to recover quite a few RSA keys in a completely non-attributable fashion.`

Much like the odds of winning a lottery, the chances of witnessing an RSA signature fault are astonishingly small, and there’s no way an attacker can produce key leaks for a given site at will. Still, Weimer’s nine-month experiment demonstrates that patient adversaries who are interested in impersonating a wide range of sites will eventually succeed, and success will only grow with time and with the number of simultaneous scans that are carried out. The obvious beneficiary of this technique would be the National Security Agency and other state-sponsored spy groups that are in a position to monitor huge amounts of Internet traffic.
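The countermeasure Lenstra called for is cheap and the article's point is that some stacks still skip it: after computing a signature with the CRT shortcut, verify it with the public key before letting it leave the process, and refuse to emit it if the check fails. The toy signer below is an added example, not code from Weimer's paper or from any of the TLS libraries named above. The primes, exponent and message are constructed (a real key is 2048 bits or more; the small primes keep the arithmetic readable), there is no PKCS#1 padding, and the `inject_fault` flag simulates the hardware or software glitch that a real deployment cannot predict.

```python
import hashlib
from math import gcd

# Constructed toy RSA key (two well-known small primes). Never use key material this size.
P = 1000000007
Q = 998244353
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)
DP, DQ = D % (P - 1), D % (Q - 1)    # CRT exponents d mod (p-1), d mod (q-1)
QINV = pow(Q, -1, P)                 # q^-1 mod p for Garner's recombination


def hash_to_int(message: bytes) -> int:
    """Stand-in for the padded message representative (no PKCS#1 padding in this toy)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def crt_sign_unchecked(m: int, inject_fault: bool = False) -> int:
    """RSA-CRT signing as TLS stacks do it for speed. 'inject_fault' simulates the glitch
    Lenstra described: the half computed mod p comes out wrong, the half mod q is fine."""
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    if inject_fault:
        s_p = (s_p + 1) % P          # any corruption of the mod-p half will do
    h = (QINV * (s_p - s_q)) % P     # Garner: s = s_q + q * ((s_p - s_q) * q^-1 mod p)
    return s_q + h * Q


def crt_sign_hardened(m: int, inject_fault: bool = False):
    """The countermeasure: verify with the public key before releasing the signature.
    Returns None instead of a faulty signature, so nothing exploitable ever leaves the box
    (a production stack would fall back to a non-CRT computation or abort the handshake)."""
    s = crt_sign_unchecked(m, inject_fault)
    if pow(s, E, N) != m:
        return None
    return s


def factor_from_faulty_signature(m: int, s_faulty: int) -> int:
    """Why the check matters: one faulty signature factors N (Lenstra, 1996). The mod-q half
    was correct, so s_faulty^e == m (mod q) still holds while it fails mod p; hence
    gcd(s_faulty^e - m, N) == q."""
    return gcd(pow(s_faulty, E, N) - m, N)


def demo(message: bytes = b"constructed handshake transcript"):
    m = hash_to_int(message)
    good = crt_sign_hardened(m)
    faulty = crt_sign_unchecked(m, inject_fault=True)
    return {
        "valid_signature_released": good is not None and pow(good, E, N) == m,
        "faulty_signature_released_by_hardened_signer": crt_sign_hardened(m, inject_fault=True) is not None,
        "faulty_signature_verifies": pow(faulty, E, N) == m,
        "unchecked_fault_reveals_q": factor_from_faulty_signature(m, faulty) == Q,
    }


if __name__ == "__main__":
    print(demo())
```

The verification costs one public-key operation per signature, which is small next to the private-key operation it protects; the article's list of stacks that leave it off, or allow configurations to disable it, is the reason a passive observer can still harvest keys nineteen years after the paper.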
Tue, 8 Sep 2015 10:00:00 -0700 (Administrator)
Botnets linked to breaches
Security ratings firm BitSight has performed an analysis of the risk factors that make up its BitSight Security Ratings against publicly disclosed data breaches. What emerges from its study is the important role which botnets play in attacks.

The report notes that, `Although a botnet compromise may not always equate to data loss, it invariably means that one or many protective controls have failed and that at least some data or system confidentiality, integrity, or availability is at risk`.

For each area of risk BitSight assigns an overall letter grade (A-F), indicating the company’s performance relative to others. The grade takes into account factors such as frequency, severity, and duration (for events) as well as record quality, evaluated based on industry-standard criteria.

The study shows that BitSight botnet grades -- which are a component of the top-level security rating -- can serve as a key metric in predicting the likelihood of a breach. Among companies with botnet grades of A, the percentage having breaches was only 1.7 percent; for those with a B or lower grade, the incidence of breaches was more than twice as high at 3.7 percent.

Looked at by industry, financial companies are most likely to have an A botnet grade (74 percent) and those in the education sector the least (23 percent, with 33 percent getting the lowest F rating). Retail, healthcare and utilities all fall somewhere in between with around 50 percent getting A scores.

The report concludes that, `The implications for organizations across industries are that botnet infections cannot be ignored. Companies with poor botnet grades have been breached far more often than those with good grades, and actions should be taken to mitigate these risks`.
Thu, 30 Apr 2015 20:00:00 -0700 (Administrator)
UCLA Health Breach
How many victims? 1,242.

What type of personal information? Names, medical record numbers and health information used to help prepare patient treatment plans.

What happened? A laptop computer belonging to a UCLA Health faculty member was stolen, and it contained personal information.

What was the response? UCLA Health is enhancing its security policies and retraining those involved with the incident. All affected individuals are being notified.

Details: The laptop, which was password protected, was reported stolen on July 3.

Quote: "At this time, there is no evidence that any individual's personal or medical information stored on the laptop has been accessed, disclosed, or used," a news release said.
Thu, 3 Sep 2015 10:00:00 -0700 (Administrator)
Critical PayPal XSS
Hegazy found the stored XSS vulnerability on back in the middle of June, and was able to demonstrate how it could be exploited. More than two months later, PayPal has addressed the issue and plugged the security hole.

Describing himself as an "ethical hacker", Hegazy reported his discovery to PayPal on 16 June. He found that it was possible to engineer an HTML page that intercepted data entered on a secure PayPal page and transmitted it to another server as plain text. This information was then available for exploitation in whatever way the attacker saw fit. Worryingly, Hegazy says that it would be possible for all of this to happen invisibly in the background -- a victim could make a regular PayPal payment which would clear, but there could also be an extra payment made to the attacker.

The bug was reported through PayPal's bug bounty program, and Hegazy praised the company for responding to emails quickly. As well as ensuring that the security flaw was fixed, he also managed to bag himself PayPal's top bounty reward of $750 for his troubles.
Tue, 1 Sep 2015 06:00:00 -0700 (Administrator)
Browsers and privacy
In the browser’s case, this is due to personal preference or ease of IT administration. Search privacy is not always top of the agenda, but should it be?

Browsers collecting user search and browsing data is not a new practice, but it is a topic that continues to receive regular attention in the press and by campaigners. There are contrasting opinions as to whether data collection really helps the user experience or if it intrudes upon personal privacy.

Whichever side of the fence you occupy, everyone should ask themselves two simple questions when using their web browser or search engine: where is the information being stored and am I happy with this practice?

Google, combined with Chrome, is one of the most common choices by users and serves as an interesting case study. For example, any time you research a sales prospect, look at a competitor’s website or plan a sensitive business trip, your search history is stored by Google. The company never forgets what you looked at or where you have been online.

If this scenario fills you with dread, take a moment to think about your IT team, which has to guard a company’s corporate data and its users’ privacy. That said, just because someone else is tasked with protecting your data should not mean you can overlook your own responsibilities.

Everyone should consider how they can ease the burden on the IT department. This is particularly relevant for smaller businesses with less in-house IT security expertise.
Mon, 31 Aug 2015 10:00:00 -0700 (Administrator)
Uber hires carhackers
Miller and Valasek's research on Fiat Chrysler's Uconnect system exposed vulnerabilities in the design of the system that allowed them to take remote control of many of the systems of a targeted vehicle—as they demonstrated by shutting down the throttle of a 2014 Jeep Cherokee while it was being driven on an interstate by Wired reporter Andy Greenberg. The research, coordinated with Fiat Chrysler, led to the distribution of a fix by Chrysler and blocking of vulnerable ports by Sprint, the mobile carrier providing the network for Uconnect. But the attention garnered by the video led to Chrysler announcing a recall of 1.4 million vehicles to accelerate the installation of the software patches.

Uber announced grants to the University of Arizona to fund autonomous vehicle technology earlier this week. The hiring of Miller and Valasek is likely part of an effort to ensure that Uber's autonomous vehicle development work remains secure and may be partially prompted by the findings of the UCSD researchers Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage. The group presented research at the Usenix Security conference two weeks ago that showed a telematics device used by Uber and some auto insurers could be compromised to take remote control of systems in a similar fashion to Miller and Valasek's hack of the Jeep.
Mon, 31 Aug 2015 09:00:00 -0700 (Administrator)
Akron Children's Hospital breach
How many victims? 7,664.

What type of personal information? Names, ages, genders, birth dates, medical record numbers, locations, transfer times, physician names, and chief medical complaints.

What happened? A hard drive of back-up transport voice recordings – which contained personal information – has gone missing.

What was the response? Akron Children's Hospital has taken steps to ensure all mobile devices are encrypted, and transport voice recordings are no longer being stored on mobile devices. All potentially affected patient families are being notified.

Details: The hard drive – which was locked in a secure area of the hospital's Akron campus – was discovered missing on June 30. It contained voice recordings of communications between dispatchers and medical staff at community hospitals, physician offices and Akron Children's emergency departments prior to or during the transport of patients between Sept. 18, 2014, and June 3.

Quote: "We have no evidence the recordings have been misused or accessed," a notification posted to the Akron Children's Hospital website said. "The recordings are not searchable and no other hospital or physician office data is affected. We do not believe that patients are at risk for identity theft."
Thu, 27 Aug 2015 11:00:00 -0700 (Administrator)
Symantec Car Security
Car security has hit the headlines this year with security researchers demonstrating the remote take-over of a car’s braking system, and BMW revealing a flaw that enables, among other problems, the remote unlocking of car doors.

The latter issue is tackled head-on in Symantec’s Building Comprehensive Security into Cars white paper which proposes that applying security updates to cars is problematic given that the traditional mechanism of applying security patches in IT infrastructure does not apply.

Solutions, Symantec explains, must be "in a context that works both within the car, and at scale for carmakers." Real-time, over-the-air (OTA) patching, for example, is in conflict with the multi-year safety certification processes currently required by the automotive industry.

Symantec also argues that many keyless entry systems, which work by detecting the proximity of a virtual key to the car, are not satisfactorily capturing position and proximity data with proper precautions. Symantec advises "healthier combinations of Global Positioning System (GPS), cellular, Wi-Fi, and accelerometer telemetry, all properly digitally signed by both the car and the car keys."

The simpler signal-strength triangulation mechanism deployed in many systems is open to relay attacks, whereby a would-be carjacker can relay the key signal to the car and vice versa with a phoney key. By deploying "digital capture of location, signing data on capture, and using secure boot and code signing to ensure that firmware isn’t tampered," carmakers could mitigate this, the report states.

The security firm also highlighted the threats posed by in-vehicle Bluetooth implementations and vulnerabilities in systems that stream entertainment and navigation data.

"As cars begin to stream entertainment over wireless interfaces, they increase their exposure to countless threats," Symantec writes.

Many of the problems with in-car security as it stands result from inadequate authentication between components and sensors, according to the report. However, Symantec highlights that many of the fundamental solutions are, unfortunately, only achievable long-term:

Today’s cars have a great number of layers… Protecting the whole "stack" from top to bottom with comprehensive security will take many years, given the complexity of spanning supplier relationships. All sensitive chips will need hardware support for secure boot and credential storage to prevent spoofing and tampering via OTA attack paths.
Fri, 28 Aug 2015 06:00:00 -0700 (Administrator)
Password Alternatives
Consumers would be very much behind the elimination of passwords from the online environment if retailers, banks and other services could get it together to institute an alternative, according to a new survey out this week.

The study showed that, as things stand, most consumers are not confident in online brands or the efforts they've made so far to supplement password security. And, like many password surveys before it, this one shows once again that part of that mistrust stems from consumers' admitted inability to effectively manage password hygiene for their own accounts.

"Passwords are inherently insecure as a method of authentication, and their efficacy relies on end users, developers, system administrators, and the applications themselves, all of which are vulnerable to a wide variety of attack vectors currently being exploited by cyberattacks around the world," says Geoff Sanders, CEO of LaunchKey, which conducted the survey among 589 respondents.

The report confirms similar numbers from past surveys. For example, 68 percent of respondents reuse passwords across multiple accounts and 77 percent often forget passwords and have to write them down. This comes largely from the volume of login details they must remember. Nearly half of respondents have to manage more than 10 passwords at a time.

In spite of many major brands working on efforts to institute two-factor authentication, nearly two-thirds of consumers are still unfamiliar with these additional authentication methods and only about 20 percent believe they are easy to use, according to the survey.

Another survey out this week by Ponemon Institute shows that growing awareness of two-factor methods has started to up the ante on consumer perception of password security in online environments. Looking at what drives consumer confidence in online brands, the study showed that 31 percent of consumers don't trust websites that only rely on passwords to identify and authenticate them.

Tellingly in the LaunchKey survey, 52 percent of survey respondents said they had little to no confidence in online retailers and 76 percent feel their data would be more secure with an alternative form of verification. Just over half of them support the idea of getting rid of passwords altogether. Approximately 59 percent of respondents say they'd prefer using fingerprint scans over passwords.

"The future of authentication is free from traditional passwords," Sanders said. "We must remove the vulnerability and liability that passwords have created while implementing more secure authentication methods that account for an evolving and diversified landscape of use cases, end users and threats."
Thu, 27 Aug 2015 10:00:00 -0700 (Administrator)
New Tor weakness
As Ars reported last month, the technique requires the adversary to control the Tor entry point for the server hosting the hidden service. It also requires the attacker to have previously collected unique network characteristics that can serve as a fingerprint for that particular service. Still, once that bar is met, the attack has an 88-percent accuracy rate. Hidden services are sites that are accessible only from within the Tor network, which conceals the IP addresses of servers and users.

"We have recently been discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on and we decided to move servers once again," operators of Agora, a hidden service that markets everything from illicit drugs to unlicensed firearms, wrote in various online forums, including this post on Pastebin. "However, this is only a temporary solution."

The message said operators were working on a solution to block the attacks and planned to bring Agora back online once it was ready. In the meantime, they said, it would be unsafe to continue conducting business as usual.

The suspension comes as a surprise, since Tor Project officials have downplayed the novelty of the new attack method and the likelihood it could be carried out in practice. The Agora operators didn't describe precisely what evidence they had that the weakness in the Tor protocol was being actively exploited. Still, their warning is worth considering since the suspension will presumably cost them money while the site is out of operation.
Thu, 27 Aug 2015 09:00:00 -0700 (Administrator)
Password Authentication
The survey taken in the US in August 2015 also found that demands on users are exacerbated by the fact that such systems require them to change passwords frequently. LaunchKey's survey also highlighted disquiet about systems that require users to create passwords that do not fit the model of one they regularly use. Over two-thirds surveyed re-use passwords for multiple accounts while just over three-quarters said they often forget passwords or have to write them down. Over a quarter (27%) of survey respondents admitted sharing their passwords with someone else.

The demand for alternatives to passwords is high, with three-quarters feeling that their data would be more secure with other verification. Three-fifths would choose fingerprint scans over passwords. Respondents also took a dim view of the traditional methods of authentication, regarding two-factor authentication (2FA) as insufficient. Nearly two-thirds did not even know what 2FA was, while only a fifth said it was easy to use. There was also a feeling that many current 2FA solutions on the market today represent a noticeable cost and logistical burden.

Probably given the high number of recent data breaches in retail stores, 52% of survey respondents expressed little to no confidence in retail stores being able to properly secure personal information, and 43% had little to no confidence in online retailers. Just under half expressed high confidence in banks being able to protect personal information.

"Today, the pace of security breaches directly related to stolen passwords and bypassed authentication is increasing along with the severity of their consequences," commented LaunchKey CEO Geoff Sanders. "Passwords are inherently insecure as a method of authentication, and their efficacy relies on end users, developers, system administrators, and the applications themselves, all of which are vulnerable to a wide variety of attack vectors currently being exploited by cyberattacks around the world…We must remove the vulnerability and liability that passwords have created while implementing more secure authentication methods that account for an evolving and diversified landscape of use cases, end users and threats."
Wed, 26 Aug 2015 11:00:00 -0700 (Administrator)
Keyless Cars
Convenience always seems to come at a cost and never more so than with the keyless car. News emerged last week that car manufacturers using the Megamos Crypto transponder electronic vehicle immobiliser, used by Audi, Citroen, Fiat, Honda, Volvo, and Volkswagen in over 100 models of car, had suppressed information on a security flaw for two years. The argument for public non-disclosure was to prevent compromises but is this a case of manufacturers putting their heads in the sand?

Well, yes and no.

It's not that manufacturers have a cult of secrecy when it comes to publicly disclosing security issues. It’s more that they need a decent time window in which to assess and remediate problems. Think of the complexity of identifying exactly what the problem is, depending on how a researcher approaches a manufacturer and what sort of information they provide. Then consider the logistics of putting together and deploying a patching/update solution that'll work perfectly 100% of the time. Automakers may also need to change a range of product roadmaps for other models and for future releases. It's a big job, and not one that I envy.

One big challenge is deploying security updates to the vehicle. Tesla, for example, has the ability to roll out over the air (OTA) updates, which makes fixing bugs relatively easy. Others without this facility are reliant on updating the car when it comes in for a service, or a costly recall. That could mean a year or more before it gets an update.

OTA also comes with challenges: does it encourage an attitude of security complacency -- "It’s OK, we can fix bugs later" -- rather than "get it right first time"? Yes, to a certain extent, although, as we all know, it’s tough for any developer to write code that defends against all current and future security issues.

At Pen Test Partners, we've privately disclosed similar vulnerabilities to manufacturers in the past and have had varied responses, ranging from those eager to hear us out and implement a solution to the apathetic or downright hostile. In my mind, private, responsible disclosure to a manufacturer is always the right thing to do. Sitting on information simply widens the window for the vulnerability to be discovered, publicly disclosed, and exploited. Procrastinating for two years, after which just a single sentence was removed from the research teams’ paper presumably for legal reasons, has made these manufacturers look out-of-step with security and unwilling to put the customer first.

So how should the Megamos Crypto vulnerability have been handled? These are all huge brands and the fallout could be highly damaging both in terms of customer confidence and product recall. Even more important, the recall cost could have gone into more proactive security initiatives such as a bug disclosure program. A nice example is the United Airlines bug bounty program, which gives away frequent flyer points to researchers who point out flaws. A simple web page, an email address, and someone to handle it are all it takes to create a clear avenue for bug disclosure, in effect giving the manufacturer access to a free resource of intelligence.

But what do you do if, like me, you’re one of those that owns a keyless car? How do you ensure you don’t become a victim of car theft, given that four out of ten thefts in London last year were down to electronic hacking, and that’s before this exploit was publicized? (One could argue that these statistics alone should have motivated the manufacturers to disclose). Unfortunately, as with any product, the customer is very much at the mercy of a manufacturer notifying customers of security vulnerabilities and software updates.

Still, there are steps individuals can take to protect themselves. For one thing, we recommend that owners of "keyless" cars treat the smart key differently than regular keys. Consider getting a radio frequency (RF)-shielded pouch to keep your smart key in, and only get it out when you want to get in your car. Keep your smart key far away from your parked car, i.e. not in the hallway that is two metres from your car outside on the drive. I'm rolling both of these ideas into one and having a key cabinet made for my kitchen: it'll be lined with shielding fabric and it's at the back of the house, so it should do the job nicely.

With reports suggesting there are up to 100 million lines of code in the average modern car, set to increase to 200-300 million in future years, we have to accept that security vulnerabilities – and patching them – will become as normal for our car as for our PC. The car industry can help make this more streamlined by implementing disclosure programs rather than burying information. And we as consumers will also have to take precautionary measures until they up their game.
Wed, 26 Aug 2015 10:00:00 -0700 (Administrator)
Major Android vulnerabilities
While the app was discovered installed on an infinitesimal percentage of devices checked by Check Point, it shows that the vulnerability caused by insecure OEM and cell carrier software meant to provide remote access to devices for customer service engineers has already been exploited by "legitimate" phone applications—and the method used to bypass Google’s security checks could be used for more malicious purposes on millions of devices. And there’s no easy way for Google or phone manufacturers alone to patch the problem.

At the Black Hat security conference in Las Vegas earlier this month, Check Point’s Ohad Bobrov and Avi Bashan presented research into an Android vulnerability introduced by software installed by phone manufacturers and cellular carriers that could affect millions of devices. Labeled by Bobrov and Bashan as "Certifi-Gate," the vulnerability is caused by insecure versions of remote administration tools installed by the manufacturers and carriers to provide remote customer service—including versions of TeamViewer, CommuniTake Remote Care, and MobileSupport by Rsupport. These carry certificates that give them complete access to the Android operating system and device hardware. The applications are commonly pre-installed on Samsung, LG, and HTC handsets.

Check Point has provided a free scanning application to allow individuals to determine if their Android device was vulnerable. Michael Shaulov, Check Point’s head of mobility product management, told Ars that there had been more than 100,000 downloads of the scanning app from Google Play, and more than 30,000 users had opted to provide anonymous scan results from their products. In a blog post published today, Check Point researchers share a summary of that data—a majority (about 58 percent) of the Android devices scanned were vulnerable to the bug, with 15.84 percent actually having a vulnerable version of the remote access plug-in installed. The brand with the highest percentage of devices already carrying the vulnerable plug-in was LG—over 72 percent of LG devices scanned in the anonymized pool had a vulnerable version of the plug-in.
Wed, 26 Aug 2015 09:00:00 -0700 (Administrator)
Totally Promotional Breach
How many victims? Undisclosed. Totally Promotional did not return a request for the information.

What type of personal information? Names, mailing and email addresses, payment card account numbers, expiration dates and verification codes.

What happened? Attackers forced their way into Totally Promotional's systems and gained access to some customer payment card data and other information.

What was the response? The attack was stopped, the access point used by the attackers was closed, and the malware the attackers left behind was removed. Totally Promotional hired security experts to investigate, and the company submitted to a series of internal and external security audits. Steps were taken to strengthen and enhance security. All potentially affected individuals are being notified.

Details: Totally Promotional received calls on July 6 from customers who used their cards on the Totally Promotional website and then saw unauthorized charges on their card. Following an investigation, Totally Promotional determined that customer information may have been accessed from June 23 to July 10.

Quote: Totally Promotional has communicated "that our customers will have zero liability for any fraudulent charges arising from this breach of information," according to a notification.
Tue, 25 Aug 2015 09:00:00 -0700 (Administrator)
University of Rhode Island
How many victims? Approximately 3,000 current and former students.

What type of personal information? Names, dates of birth, email addresses and passwords, and some private email addresses – Gmail, Yahoo and Hotmail – and passwords. There is evidence indicating that some Facebook accounts were accessed.

What happened? URI learned of a breach involving the inappropriate collection and possible use of information related to some URI email accounts, as well as personal email and Facebook accounts.

What was the response? URI is notifying all affected individuals, and asking them to change their passwords.

Details: An investigation is ongoing, including into the timeline of the incident.

Quote: "Some reports implied that someone hacked into our email system and stole the data," a URI spokesperson said. "There's currently no evidence to suggest that. All we know is that the perpetrator accessed individual email accounts, not necessarily the system itself."
Mon, 24 Aug 2015 11:00:00 -0700 (Administrator)
Thomson Travel Breach
The BBC is reporting that a data protection breach by the company has revealed the home addresses, telephone numbers and flight dates of nearly 500 customers. The corporation claims to have seen an email sent on 15 August showing the personal details of 458 people from across the UK were shared.

The BBC quotes Thomson as apologizing for making a "genuine error" but adding that it would not offer customers any compensation.

The Thomson statement said: "We are aware of an email that was sent in error, which shared a small number of customers' information. The error was identified very quickly and the email was recalled, which was successful in a significant number of cases. We would like to apologize to our customers involved and reassure them that we take data security very seriously. We are urgently investigating the matter to ensure this situation will not be repeated."
Mon, 24 Aug 2015 10:00:00 -0700 (Administrator)
Highway to hack
That, in essence, is the security posture of many modern automobiles—a network of sensors and controllers that have been tuned to perform flawlessly under normal use, with little more than a firewall (or in some cases, not even that) protecting it from attack once connected to the big, bad Internet world. This month at three separate security conferences, five sets of researchers presented proof-of-concept attacks on vehicles from multiple manufacturers plus an add-on device that spies on drivers for insurance companies, taking advantage of always-on cellular connectivity and other wireless vehicle communications to defeat security measures, gain access to vehicles, and—in three cases—gain access to the car’s internal network in a way that could take remote control of the vehicle in frightening ways.

While the automakers and telematics vendors with targeted products were largely receptive to this work—in most cases, they deployed fixes immediately that patched the attack paths found—not everything is happy in auto land. Not all of the vehicles that might be vulnerable (including vehicles equipped with the Mobile Devices telematics dongle) can be patched easily. Fiat Chrysler suffered a dramatic stock price drop when video of a Jeep Cherokee exploit (and information that the bug could affect more than a million vehicles) triggered a large-scale recall of Jeep and Dodge vehicles.

And all this has played out as the auto industry as a whole struggles to understand security researchers and their approach to disclosure—some automakers feel like they’re the victim of a hit-and-run. The industry's insular culture and traditional approach to safety have kept most from collaborating with outside researchers, and their default response to disclosures of security threats has been to make it harder for researchers to work with them. In some cases, car companies have even sued researchers to shut them up.

Sticker shock

In contrast, Tesla has embraced a coordinated disclosure policy. The company recently announced a vehicle security bug bounty program that offers $10,000 for reproducible security vulnerabilities. Tesla even participated in the presentation of vulnerabilities discovered by outside researchers in the Tesla S's systems at DEF CON. The company's chief technology officer JB Straubel appeared on stage with the researchers who performed the penetration test of the Tesla S—Marc Rogers of Cloudflare and Lookout Security CTO and co-founder Kevin Mahaffey—in order to present them with Tesla "challenge coins" for their work.

But no one from Fiat Chrysler was anywhere near the stage when Charlie Miller and Chris Valasek presented their findings on Uconnect. And it might be a while before any other carmaker makes a move to embrace the security community in the wake of the Chrysler recall.

It's not like Miller and Valasek caught Fiat Chrysler by surprise. Miller told Ars that he worked with Fiat-Chrysler throughout his many months of research, advising them of what he and Valasek found. The company had already issued a patch to fix the problems, but it was only a voluntary update to be performed using USB. Sprint moved to block remote access to the network connection on Chrysler vehicles that Miller's and Valasek's attack exploited just before the pair revealed their research at Black Hat.
Mon, 24 Aug 2015 09:00:00 -0700 (Administrator)