Saturday, March 30, 2013

How to secure mobile comm? Cut out the trusted third party.

The new secure communications service offered by Silent Circle intends to solve the BYOD security challenge by harnessing the computing power of smart phones for crypto key management, cutting the middle man out of the equation.

“We’ve pushed the key management out to the endpoints,” said company CTO Jon Callas. “We never have the key.”
For a $20 monthly subscription users can communicate securely with each other by downloading a suite of apps for peer-to-peer encryption. Calls, texts and video are routed through the Silent Circle network, but keys are generated on the mobile devices when a call is initiated and are not held on a central server. All security information is deleted from the device when the call ends.
Much has been made of the fact that this model could make it impossible for law enforcement and intelligence agencies to listen in to calls or look at data, images and video being exchanged between secured phones. But company executives say that instead of pushback, government has been an early adopter of the service, particularly U.S. military and intelligence agencies.
“This is not 1991,” said Philip Zimmermann, the company’s president and creator of PGP (Pretty Good Privacy), the widely used e-mail encryption software.
Zimmermann is a veteran of the crypto wars of the 1990s, when the National Security Agency threatened the emergence of strong cryptography being developed commercially. “Times have changed,” he said. “Today you’re in trouble if you don’t use strong crypto.”

Wednesday, March 27, 2013

Web slows under 'biggest attack ever'

Millions of people around the world have been affected by slow internet speeds after an unprecedented attack.

A Dutch web-hosting company caused disruption and the global slowdown of the internet, according to a not-for-profit anti-spam organization.
The interruptions came after Spamhaus, a spam-fighting group based in Geneva, temporarily added the Dutch firm, CyberBunker, to a blacklist that is used by e-mail providers to weed out spam.
CyberBunker is housed in a five-story former NATO bunker and famously offers its services to any website “except child porn and anything related to terrorism”. As such it has often been linked to behaviour that anti-spam blacklist compilers have condemned.
It retaliated with a huge 'denial of service attack'. These work by trying to make a network unavailable to its intended users, overloading a server with coordinated requests to access it. At one point, 300 billion bits per second were being sent by a network of computers, making this the biggest attack ever.
The attack was particularly potent because it exploited the 'domain name system', which acts like the telephone directory of the internet and is used every time a web address is entered into a computer.

Monday, March 25, 2013

Is your car spying on you?

If it's a recent model, has a fancy infotainment system or is equipped with toll-booth transponders or other units you brought into the car that can monitor your driving, your driving habits or destination could be open to the scrutiny of others. If your car is electric, it's almost surely capable of ratting you out.
You may have given your permission, or you may be the last to know.

At present, consumers' privacy is regulated when it comes to banking transactions, medical records, phone and Internet use. But data generated by cars, which these days are basically rolling computers, are not.

All too often, "people don't know it's happening," says Dorothy Glancy, a law professor at Santa Clara University in California who specializes in transportation and privacy. "People should be able to decide whether they want it collected or not."

Try as you may to protect your privacy while driving, it's only going to get harder. The government is about to mandate installation of black-box accident recorders, a dumbed-down version of those found on airliners, that remember all the critical details leading up to a crash, from your car's speed to whether you were wearing a seat belt. The devices are already built into 96% of new cars.

Digital cameras easily turned into spying devices, researchers prove

Users' desire to share things online has influenced many markets, including the digital camera one. 

Newer cameras increasingly sport built-in Wi-Fi capabilities or allow users to add SD cards to achieve them in order to be able to upload and share photos and videos as soon as they take them.

But, as proven by Daniel Mende and Pascal Turbing, security researchers with German-based IT consulting firm ERNW, these capabilities also have security flaws that can be easily exploited for turning these cameras into spying devices.

Mende and Turbing chose to compromise Canon's EOS-1D X DSLR camera and exploit each of the four ways it can communicate with a network. Not only have they been able to hijack the information sent from the camera, but they have also managed to gain complete control of it.

In this presentation from Shmoocon 2013, they explained in detail how they managed to mount the attacks, and have also offered advice for users on how to secure their cameras and connections against these and similar attacks.


Apple can now track you indoors

Still recovering from the backlash to its flawed Maps app, Apple is looking to beef up the iPhone’s indoor location capabilities by acquiring WiFiSlam. According to The Wall Street Journal, which first reported the deal, Apple paid $20 million to scoop up the two-year-old startup based in Silicon Valley.
As per usual for Apple, which made a splash when it bought Siri back in 2010, the company didn’t provide any details as to why the company made this acquisition. A spokesperson told the Journal only that Apple “buys smaller technology companies from time to time.” But there are plenty of reasons why this small investment could prove to be a big deal in the stage of the location-based services war.

Friday, March 22, 2013

Hackers use legit remote IT support tool in spy attack

Hackers have been discovered using a tampered-with version of a legitimate remote access tool to target activists, industrial, research and diplomatic targets.
Hungary-based security firm CrySyS Lab discovered an attack on diplomatic targets in Hungary which installs legitimate software first, but then remotely alters the program to enable it to spy on victims.
The ongoing campaign uses a legitimate software package from a German vendor that offers remote control, file transfer and other administrative tools for Apple, Windows, Linux, iOS and Android.
Kaspersky Lab has provided its own detailed analysis (PDF) of the "TeamSpy crew" behind the attack, which it says has been in operation since 2008, and has hit a variety of targets, ranging from activists and political figures to heavy industry and national information agencies.
"The attackers control the victim's computers remotely by using [a] legal remote administration tool," Kaspersky Lab explains in its own analysis of the surveillance kit.
"This application is signed with legitimate digital certificates and is used by more than 100 million users around the world. To avoid alerting the user that somebody is spying on him, the attackers dynamically patch [the program] in memory to remove all signs of its presence."
CrySyS' report states that targets include a high-profile victim in Hungary, multiple victims in Iran, and the Ministry of Foreign Affairs of Uzbekistan. The company said it was asked to investigate the malware by the Hungarian National Security Authority (NBF).

Wednesday, March 20, 2013

Decade-old espionage malware found targeting government computers

Researchers have unearthed a decade-long espionage operation that used the popular TeamViewer remote-access program and proprietary malware to target high-level political and industrial figures in Eastern Europe.
TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked as "secret" from a variety of high-level targets, according to a report published Wednesday by Hungary-based CrySyS Lab. Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and the European Union, an industrial manufacturer also located in Russia, multiple research and educational organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence that TeamSpy had hit an unnamed "Hungarian high-profile governmental victim."
Malware used in the attacks indicates that those responsible may have operated for years and may have also targeted figures in a variety of countries throughout the world. Adding intrigue to the discovery, techniques used in the attacks bear a striking resemblance to an online banking fraud ring known as Sheldon, and a separate analysis from researchers at Kaspersky Lab found similarities to the Red October espionage campaign that the Russia-based security firm discovered earlier this year.

HONOLULU -- U.S. officials say the 27-year-old university student from China started a relationship with a civilian defense contractor more than twice her age and then found out classified information on U.S. nuclear weaponry, missile defenses and war plans.
But is she a spy?
It is clear the Justice Department believes the woman's boyfriend broke the law, but the criminal complaint that outlines the charges against him never formally accuses her of any crime. It just paints a picture of a young woman who seems to be involved in espionage.
A Justice Department official who spoke on condition of anonymity because the investigation is ongoing says the government knows the woman's location and is continuing to investigate her role. Her identity and whereabouts haven't been released, and U.S. authorities also haven't said publicly whether they believe she is working for the Chinese government.
She lives in the United States as a student on a J-1 visa, according to an affidavit the FBI filed this week in U.S. District Court in Honolulu.

Cybersecurity Experts Warn Many Cos May Have Had IP Stolen

Wall Street Journal (03/19/13) Ensign, Rachel L.

Experts who testified at a U.S. Senate Armed Services subcommittee hearing on March 19 warned that thousands of U.S. and Western European firms had their intellectual property stolen by hackers believed to be linked to the Chinese military. 

Mandiant CEO Kevin Mandia and CSO Richard Bejtlich spoke about how the corporate espionage they had witnessed while researching a report on alleged Chinese hacking could impact U.S. business. The men said the goal of the hackers was not to shut down a business but rather to steal documents related to product development and business plans.

Mandia said this information theft could be linked to the surge in Chinese knock-off stores replicating products made by Western chains. Bejtlich, meanwhile, said the cost of defending against such cyber espionage attacks can be too high for smaller companies. "Unless you are a top company who can hire top talent and scale it out … you cannot afford defenses that will stop a Chinese military unit or a Russian unit or anyone else," he said.

Saturday, March 16, 2013

System for Award Management (SAM) "Software Glitch"

The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA. Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity’s registration information, including both public and non-public data at all sensitivity levels.

Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure.  As a precaution, GSA is taking proactive steps to protect and inform SAM users.

The data contained identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information. As a result, information identifiable with your entity registered in SAM was potentially viewable to others.

Registrants using their social security numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft. These registrants will receive a separate email communication regarding credit monitoring resources available to them at no charge.

Wednesday, March 13, 2013

Top US spying coordinator says cyber attacks more threatening than terror hits

A top US intelligence official has emphasized that cyberattacks on American networks represent a worse threat to the country than a ground attack by a ‘terrorist group.’

The warning came on Tuesday in an annual report to the US Congress by Director of National Intelligence James Clapper, who also described North Korea’s nuclear program as a “serious threat” to the United States.

“Attacks, which might involve cyber and financial weapons, can be deniable and unattributable,” said Clapper in remarks before the Intelligence Committee of the US Senate. 

“Destruction can be invisible, latent and progressive,” he added. 

Expressing concerns about the growing instrumental use of the Internet by nations and “terror groups,” the top US official tasked with coordinating spying operations by various American intelligence agencies further announced that foreign intelligence and security agencies have “penetrated numerous computer networks” run by the government and private corporations in the United States. 

Creepy "Ratters" Spying on Women Through Their Webcams and Stealing Sexy Photos

Using remote administration tools, this community of hackers is making women the unsuspecting victims to prying eyes.

Ars Technica reported this weekend on how hackers have been spying on women through their webcams using RATs (remote administration tools). It’s an unsettling read, revealing how “RAT operators have nearly complete control over the computers they infect; they can (and do) browse people’s private pictures in search of erotic images to share with each other online. They even have strategies for watching where women store the photos most likely to be compromising.”
The online community of RAT operators, “ratters,” Ars Technica notes, is almost exclusively male. They share the fruits of the computers they compromise — largely intimate images of women swiped from computer files or caught on webcam — on aboveground hacker forums. They call the women they spy on “slaves.” RAT technology is not new, but has become vastly more sophisticated and undetectable by victims.

Tuesday, March 12, 2013

The Six Lines of Code that Could Bring Down a Hospital

The software flaw that allowed a duo of cybersecurity researchers to bring down a Philips XPER hospital management system with 6 lines of code is still a problem in current XPER machines, Philips

Using fairly rudimentary hacking techniques, researchers have exposed vulnerabilities in a variety of medical devices, most recently in a Philips (NYSE:PHG) Xper hospital management system that buckled under the force of a mere 6 lines of code.

The Xper device often connects with hospital machines and patient databases that could be compromised by someone with the know-how and motive to infiltrate the system.

Researchers at Cylance Inc. who wrote the code warn that the software security loophole could provide malicious hackers the means to crash the hospital information device at will, take control of the system and even use it as a gateway to access other devices on the same network.

Cyber espionage: China and the US look for talks

After a war of words with mutual accusations flying between the two parties, it seems that the frontlines of the cyber espionage battle between the US and China may be softening up. Last week, China signalled a willingness to talk to the international community, especially the US. The Chinese Foreign Ministry has been quoted, by various sources including the Washington Post, as saying "Cyberspace needs rules and cooperation, not wars. China is willing to have constructive dialogue and cooperation with the global community, including the United States". 

According to the message, as reported by Chinese News Agency ChinaDaily, Chinese Foreign Minister Yang Jiechi supports international rules under a United Nations framework and proposes concrete initiatives in that arena. Yang also protested at the criticism of his country; reports of hackers in China, backed by the government or military, were "built on shaky ground". Yang said the Chinese government was active in the fight against cyber-crime and had introduced laws to explicitly outlaw such activity.

Syria, China worst for online spying: RSF

PARIS: Syria, China, Iran, Bahrain and Vietnam are flagrantly spying online, media watchdog RSF said today, urging controls on the export of Internet surveillance tools to regimes clamping down on dissent.

A new report entitled "Enemies of the Internet" also singled out five companies -- Gamma, Trovicor, Hacking Team, Amesys and Blue Coat -- that it branded "digital era mercenaries," who were helping oppressive governments.

Syria's estimated five million Internet users are subject to rampant state spying, Reporters Sans Frontieres (RSF, Journalists without Borders) said in the report, which coincides with the World Day Against Cyber-Censorship. Noting that 22 journalists and 18 Internet users had been jailed, it said the network was controlled by two entities including the Syrian Computer Society (SCG) founded by President Bashar al-Assad.

The SCG, it said, controlled Syria's 3G infrastructure, while the Syrian Telecommunications Establishment (STE) controlled the majority of the fixed connections.

"When the government orders the blocking of a word, of an URL, or of a site, STE transmits the order to service providers," it said, publishing a leaked 1999 bid invitation from STE to install a national Internet system in Syria.

The requirements include recording of online and offline activities, copying of all e-mail exchanges from within Syria, and the ability to detect, intercept and block any encrypted data.

Monday, March 4, 2013

Survey: Investors Crave More Cyber Security Transparency

As corporate America continues to grapple with the mounting cyber threat, a new survey reveals investors want more information about security practices and may even shun stocks of companies with a poor cyber track record.
The survey, conducted by Zogby Analytics and released by HBGary, raises difficult questions facing C-Suites as regulators push for greater cyber transparency, while CEOs are leery of generating negative PR.
According to the survey of 405 U.S. investors, more than 70% of investors are interested in reviewing public company cyber security practices and almost 80% would likely not consider investing in a company with a history of attacks.
Interestingly, respondents indicated they were twice as worried about a company having a breach of customer data (57%) as about theft of intellectual property (29%).
“Consumer data breaches grab the headlines and the large liability settlements. But the lack of concern for IP theft underscores the need for broader education about the financial risk IP theft poses to a company,” Jim Butterworth, HBGary chief security officer, said in the report. “The pilfering of American company trade secrets and other sensitive data is happening every day – costing our corporations billions of dollars in lost revenue.”

Friday, March 1, 2013

Sudden death of U.S. engineer in Singapore linked to cyber espionage?

For years, the U.S. intelligence community has warned that cyber attacks from China and other countries are the biggest threat to our national security. Now, some are wondering whether the death of an engineer from California could be linked to cyber espionage.
In 2010, 29-year-old Shane Todd moved to Singapore for an engineering job with a government research firm called the Institute of Micro Electronics or IME.
"He was a young man that wanted an adventure and thought it would be super-cool to live in a foreign country and he really liked it when he first got there," Mary Todd, his mother, recalled.
But 18 months later in June of 2012, Shane Todd was found dead inside his apartment. Police and the coroner believe Todd hanged himself in the bathroom, leaving two suicide notes on his computer. But his family doubts that story.
"We have already gone to Singapore twice now, once to pick up our son's body, and realize that nothing lined up with what we were told," Mary Todd said.
The Todd family believes Shane was murdered, but why? Todd's parents say their son was under pressure from his employers at IME to get sensitive technology from the U.S. delivered to China, technology he believed could endanger our national security.
"He started calling us and saying, 'Mom if you don't hear from me every week, email me right away. If I don't call you, call the U.S. Embassy. My life is being threatened,' and that's when he said that he felt he was being asked to compromise U.S. security," his mother said.
His father, Rick Todd, recalled, "I said, 'Shane, if you truly believe that, you need to come home now,' and he said, 'Dad, I can't.'"