Security trends for 2013

2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of new cyber threats against both enterprises and mobile devices, so cyber security now very much extends to mobile as well.

Security is becoming an increasingly important issue. Security company Stonesoft predicts that we will face more targeted cyber attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security and its importance will keep increasing. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we need proactive cyber protection and a willingness to face unknown threats.

Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013’, the hacking group boasted of its cyber attacks against the U.S., Syrian and Israeli governments in 2012, and it warns people to expect more of the same this year.

SCADA security was hit hard in 2012. Some of the big manufacturers that were hit have learned their lessons and now test their devices more thoroughly. But how do the smaller manufacturers do their security testing? Metasploit has a special category of modules for SCADA devices, and it is a good idea to test your own devices against it.
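
As an added example (not from this post and not Metasploit's own code), the following Python Modbus/TCP probe shows what such a test actually exercises: the protocol carries no authentication at all, so any host that can reach TCP port 502 can read (and, with other function codes, write) PLC registers. The simulated device, its register contents and the unit/address parameters are constructed for illustration; the `probe` function talks to a real device and should only be pointed at equipment you own.

```python
"""Modbus/TCP read probe: demonstrates why an unauthenticated PLC answers anyone who reaches TCP/502."""
import socket
import struct

MODBUS_PORT = 502
FC_READ_HOLDING_REGISTERS = 0x03


def build_read_holding_registers(unit_id, start_addr, count, transaction_id=1):
    """Encode a request: MBAP header + PDU. Note there is no credential field anywhere."""
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125 per the Modbus spec")
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start_addr, count)
    # MBAP: transaction id, protocol id (0 = Modbus), length of (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame):
    """Decode a response into (transaction_id, unit_id, registers); raise on exception/garbage."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    fc = frame[7]
    if fc & 0x80:  # exception response: function code with the high bit set, then an exception code
        raise ValueError("modbus exception %d for function %d" % (frame[8], fc & 0x7F))
    if fc != FC_READ_HOLDING_REGISTERS:
        raise ValueError("unexpected function code %d" % fc)
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("truncated register data")
    registers = list(struct.unpack(">%dH" % (byte_count // 2), data))
    return tid, unit, registers


def simulate_device(request, registers):
    """Constructed stand-in for a PLC so the example runs offline. A real device behaves the same
    way: every well-formed request is answered, no authentication is involved."""
    tid, _proto, _length, unit = struct.unpack(">HHHB", request[:7])
    fc, start, count = struct.unpack(">BHH", request[7:12])
    if start + count > len(registers):
        pdu = struct.pack(">BB", fc | 0x80, 0x02)  # exception 02: illegal data address
    else:
        values = registers[start:start + count]
        pdu = struct.pack(">BB%dH" % count, fc, 2 * count, *values)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def probe(host, port=MODBUS_PORT, unit_id=1, start_addr=0, count=4, timeout=3.0):
    """Send one read request to a live device and return its registers. Only use on your own gear."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_read_holding_registers(unit_id, start_addr, count))
        return parse_response(s.recv(260))[2]


if __name__ == "__main__":
    fake_registers = [1200, 0, 45, 7, 65535]  # constructed sample PLC memory
    req = build_read_holding_registers(unit_id=1, start_addr=0, count=4, transaction_id=7)
    print(parse_response(simulate_device(req, fake_registers)))
```

If a device you test answers this frame from an unexpected network segment, that segment can also issue write requests (function codes 0x06/0x10); the Metasploit modules in the scanner/scada category automate exactly this kind of check across more function codes.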

There is still work to do on cyber security standards and SCADA standards. For example, the very widely used functional safety standard IEC 61508 addresses security only in an informative way (that is, its security content is not mandatory). IEC 62443-2-4, a baseline security standard for industrial automation and control systems, is a good starting point when thinking about SCADA system security.

Nowadays you need to think about SCADA system security more than you did a few years ago. Previously it was thought sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough: you now need to think about the information security of the production automation systems themselves. You cannot keep automation systems isolated from the Internet. Accidental connections from supposedly isolated networks happen, malware can spread through USB memory sticks (Stuxnet did exactly that), and there are more and more business reasons to connect process automation systems to other networks. Automation systems no longer live in complete isolation from the rest of the world.

Systems with SCADA vulnerabilities have also become easier to find. The article Hackers tap SCADA vuln search engine tells how a search engine that indexes servers and other Internet devices is helping attackers find industrial control systems that are vulnerable to tampering. Shodan easily pinpoints shoddy industrial controls: it makes it easy to locate Internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities, and it can also be used to identify systems with known vulnerabilities. Shodan thus exposes these systems to brute-force password attacks, and many of them may still use factory default passwords.

The article Thousands of SCADA Devices Discovered On the Open Internet tells that there is a constant stream of news about the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.

Researchers have also found crippling flaws in GPS receivers. The Global Positioning System is infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones, and GPS is also used as the source of accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
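
As an added example (not part of this post or of the researchers' work), the following Python shows what a consumer of GPS time such as a PMU or a SCADA historian can do about this: convert GPS week and time-of-week to Unix time, resolve the 10-bit week-number ambiguity of older receivers against a local reference, and refuse a receiver time that jumps away from the locally expected time instead of rewriting its own clock. The leap-second offset of 16 s (the GPS-UTC offset in early 2013), the tolerance values and the scenario numbers are assumptions for illustration.

```python
"""GPS time sanity check for a clock consumer: week/time-of-week conversion, 10-bit week rollover
resolution, and rejection of implausible jumps from a spoofed or faulty receiver."""

GPS_EPOCH_UNIX = 315964800      # 1980-01-06T00:00:00Z, start of GPS time, as Unix time
SECONDS_PER_WEEK = 7 * 24 * 3600
WEEK_ROLLOVER = 1024            # legacy receivers transmit only a 10-bit week number


def gps_to_unix(week, tow, leap_seconds=16, reference_unix=None):
    """Convert GPS week + time-of-week (seconds) to Unix time.
    GPS time has no leap seconds, so the current GPS-UTC offset is subtracted (assumed 16 s).
    If `week` is a truncated 10-bit value and a reference time is given, pick the 1024-week
    era closest to the reference; without a reference the result can be decades off."""
    if not 0 <= tow < SECONDS_PER_WEEK:
        raise ValueError("time-of-week out of range")
    if reference_unix is not None and week < WEEK_ROLLOVER:
        ref_week = (reference_unix - GPS_EPOCH_UNIX) // SECONDS_PER_WEEK
        candidate = (ref_week // WEEK_ROLLOVER) * WEEK_ROLLOVER + week
        if candidate - ref_week > WEEK_ROLLOVER // 2:
            candidate -= WEEK_ROLLOVER
        elif ref_week - candidate > WEEK_ROLLOVER // 2:
            candidate += WEEK_ROLLOVER
        week = candidate
    return GPS_EPOCH_UNIX + week * SECONDS_PER_WEEK + tow - leap_seconds


class GpsClockGuard:
    """Accept receiver time only if it agrees with the local monotonic expectation.
    A receiver that suddenly reports a date years off (the attack described above) is rejected,
    and the consumer keeps free-running from its last good fix (holdover)."""

    def __init__(self, tolerance=1.0, max_drift_per_s=1e-4):
        self.tolerance = tolerance            # seconds of absolute slack (assumed value)
        self.max_drift_per_s = max_drift_per_s  # local oscillator drift bound (assumed value)
        self.last_good = None                 # (unix_time, local_monotonic)

    def accept(self, unix_time, local_monotonic):
        if self.last_good is None:
            self.last_good = (unix_time, local_monotonic)
            return True
        good_t, good_m = self.last_good
        elapsed = local_monotonic - good_m
        expected = good_t + elapsed
        allowed = self.tolerance + self.max_drift_per_s * elapsed
        if abs(unix_time - expected) > allowed:
            return False                      # rejected: stay in holdover on the last good fix
        self.last_good = (unix_time, local_monotonic)
        return True


if __name__ == "__main__":
    # Constructed scenario: a good fix, then a spoofed fix that drops the receiver back to 1993.
    guard = GpsClockGuard()
    print(guard.accept(gps_to_unix(1728, 0), 100.0))                             # True
    print(guard.accept(gps_to_unix(704, 10, reference_unix=1361059200), 110.0))  # True
    print(guard.accept(gps_to_unix(704, 20), 120.0))                             # False (1993)
```

The two defences are independent: era resolution fixes the honest receiver that only carries a 10-bit week, while the guard catches any source, spoofed or broken, whose output disagrees with the elapsed local time by more than the oscillator could drift.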


Happy now? Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that with their emergence would come an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.

Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving to target browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. Drive-by download attacks are almost exclusively launched through compromised legitimate websites, which the attackers use to host the malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and are quickly included in exploit kits.
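
As an added example (not from this post), here is a Python heuristic scanner for the injection pattern just described: a legitimate page that has grown a hidden iframe, an off-site script include, or an inline script that builds its payload through unescape/eval. It is the kind of check a site owner can run over a crawl of their own pages. The sample HTML, the hostnames in it and the heuristic thresholds are constructed for illustration, and a clean result does not prove a page is clean.

```python
"""Heuristic scan of a web page for drive-by injection markers: hidden iframes, off-site script
includes and obfuscated inline loaders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OBFUSCATION = re.compile(r"\b(unescape|eval|fromCharCode)\s*\(")


class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []        # (element, reference, reason)
        self._in_script = False

    def _is_offsite(self, url):
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = tiny or "display:none" in style or "visibility:hidden" in style
            if hidden:
                self.findings.append(("iframe", a.get("src", ""), "hidden"))
            elif self._is_offsite(a.get("src", "")):
                self.findings.append(("iframe", a.get("src", ""), "offsite"))
        elif tag == "script":
            self._in_script = True
            if self._is_offsite(a.get("src", "")):
                self.findings.append(("script", a["src"], "offsite"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline loaders typically assemble the iframe/URL from escaped characters at runtime.
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append(("inline-script", data.strip()[:40], "obfuscated"))


def scan_page(html, site_host):
    """Return a list of suspicious findings for a page served by site_host."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page with a typical injected footer (hostnames are placeholders, not real sites)
SAMPLE = """<html><body><h1>Welcome</h1>
<script src="/js/site.js"></script>
<iframe src="http://example.com/embed" width="600" height="400"></iframe>
<iframe src="http://bad.example.net/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//bad.example.net/x%22%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE, "example.com"):
        print(finding)
```

Findings are ranked by the reason field: a hidden iframe on your own page is almost always an injection, an off-site include may be legitimate (CDN, analytics) and needs an allow-list, and the obfuscation pattern is a prompt to look at the script rather than a verdict.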

The article Africa’s Coming Cyber-Crime Epidemic tells that the last decade may have been just the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected, and combined with lax law enforcement this is a perfect petri dish for increased cybercrime.

A Europe-wide cyber police unit has started: the EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime targeting both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments, and it will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.

1,930 Comments

  1. Tomi Engdahl says:

    Cyber war stakes rising
    http://www.controleng.com/single-article/cyber-war-stakes-rising/9ffc699849b218f4da01e5cc8e789640.html

    U.S. intelligence officials have warned as nation-sponsored cyber warfare goes mainstream this year, attacks on U.S. installations and institutions could result not just in damage and theft but in fatalities.


    They believe fatalities could occur and “that is the best estimate at this point,” said the former senior intelligence official.

    U.S. security researchers have warned because of vulnerability in the firmware, attackers could tap into Voice over IP (VoIP) products from Cisco and other manufacturers.

    By inserting malware into handsets the researchers said they could start eavesdropping on private conversations, “not just on the phone but also in the phone’s surroundings. It’s not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere and reveal our private communications,” said project leader, Professor Salvatore Stolfo.

    Last year, cyber attacks at the Iranian government were uncovered and Iran retaliated with “denial of service” attacks at U.S. banks and Saudi oil companies that are continuing today. Over 10 U.S. banks were under cyber attack by Iranian hackers for over a week, interrupting service.

    The U.S. is not alone in suffering attacks as a Syrian government backed hacker group is now attacking Saudi government websites, particularly focusing on the Saudi Ministry of Defense. Several of the Saudi sites are down.

    Defense contractors such as Lockheed Martin have become key targets as well, the report continued. At a November news conference, Chandra McMahon, Lockheed vice president and chief information security officer, said 20% of all threats aimed at the company’s networks were sophisticated, targeted attacks by a nation or a group trying to steal data or harm operations.

    As ISSSource reported last week, U.S. builders of America’s most advanced combat aircraft, the F-35 Joint Strike Fighter, are still frantically rushing to put in place cutting edge technology that would secure the aircraft’s avionics from Chinese hacker attacks. The Chinese got hold of the plans three years ago.

    The former senior U.S. intelligence official said the major U.S. contractors of the plane never thought of designing countermeasures that would act to repel China’s extensive hacking programs, and he said the security equipment was never installed.

    Researchers said the hackers used botnets, which are inexpensive to rent for short periods. What made these botnets much more powerful was they were made up of Web servers and not just personal computers.

    Reply
  2. Tomi Engdahl says:

    Software moles in your systems
    http://www.controleng.com/single-article/software-moles-in-your-systems/5a0347ba765249f3926eb61201e7dd59.html

    Old programs, utilities, and plug-ins languishing on your computer or control systems could threaten your security.

    Moles may be living in your computer and control systems. They weren’t placed there deliberately, and they may not even realize that they’re moles, but they can be just as dangerous. In this context, we’re talking about software that has security vulnerabilities. One situation that has brought this to mind recently is Java, with reports that hackers have been able to exploit vulnerabilities in conjunction with dangerous websites.

    Many computers still have Java installed, possibly an old version, even though the user may not be aware of it. If a hacker discovers that it is there, it can become the port of entry for breaking into the system. The software in this case is the mole. It’s been on the computer for who knows how long because nobody has checked to see what’s there. If it doesn’t get used, it probably doesn’t get updated, so older versions with well-publicized vulnerabilities may still be in place.

    Java is certainly not unique in this sense. There are many other examples of programs that have been exploited in the same way. The U.S. Department of Homeland Security publishes alerts related to industrial software online at http://www.us-cert.gov/control_systems/ics-cert/#monthly-monitor. If you’ve never gone there and looked at the number of platforms that are compromised, brace yourself for a shock.

    You need to know revision level because platforms go through various iterations, some of which are better than others. Generally, the assumption is that the most recent revision will have more of the vulnerabilities fixed.

    Reply
  3. Tomi Engdahl says:

    Identity fraud in U.S. is on the rise, report
    http://news.cnet.com/8301-1009_3-57570436-83/identity-fraud-in-u.s-is-on-the-rise-report/

    Scammers are increasingly gaining access to people’s personal information through data breaches and malicious software attacks.

    A new report by Javelin Strategy and Research shows that identity fraud has increased for the last three years in a row — affecting more than 5 percent of U.S. adults. In 2012, 12.6 million people were identity victims.

    The report, “Data Breaches Becoming a Treasure Trove for Fraudsters,” details the types of identity fraud that are now on the rise. The two main scams are “account takeover fraud” and “new account fraud.” The account takeover fraud involves a criminal accessing an individual’s personal information and changing the contact information; whereas, new account fraud means a criminal using someone’s identity to open a new type of account, such as a credit card account.

    New account fraud “poses a growing threat to consumer identities and private industry’s bottom line — especially as the total fraud loss has doubled from 2011, to $9.8 billion,” Javelin said, according to Computerworld.

    Reply
  4. Tomi Engdahl says:

    Firefox Enables WebRTC, H.264 And MP3 Support By Default In Its Nightly Release Channel
    http://techcrunch.com/2013/02/20/firefox-enables-webrtc-h-264-and-mp3-support-by-default-in-its-nightly-release-channel/

    WebRTC, the plugin-free real-time video, audio and text chat protocol most browser vendors now support, is now activated by default in the latest bleeding edge Firefox Nightly release. While Mozilla has long backed WebRTC, it was only available as an option in the Nightly releases so far. Now that it is enabled by default, chances are that it will slowly make its way into the stable release channel over the next few months.

    Reply
  5. Tomi Engdahl says:

    We’ve slashed account hijackings by 99.7% – Google
    120-variable security checks + 2-factor auth = zapped interwebs pond scum
    http://www.theregister.co.uk/2013/02/21/google_account_hijack_clampdown/

    Google appears to be making strides in the war against account hijacking. The ads, search and webmail giant recently announced that it had reduced takeovers by 99.7 per cent since introducing tighter security procedures.

    Improved spam filtering meant spammers switched to more aggressive account takeover tactics over the last two or three years or so. This meant 419ers and others tried to hijack email accounts before sending fraudulent messages to potential marks, usually the friends and contacts of an account hijacking victim.

    “We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time,” Mike Hearn, a Google security engineer explains in a blog post. “A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google Account, our security system does more than just check that a password is correct.”

    Google has introduced a variety of security checks, based on risk analysis and 120 variables, to determine if a sign-in is suspicious or at least worthy of being challenged. Risk factors include attempts to sign-in from a new country, among many others. Users are challenged to supply a phone number associated with an account, or the answer to a pre-agreed security question before they are allowed access to Google accounts.

    Google’s commendable efforts are certainly no reason for complacency. Users can play a role in protecting their own Google accounts by making sure they use a strong (hard-to-guess) password that they avoid reusing on other sites.

    Reply
  6. Tomi Engdahl says:

    NBC.com hacked, say security researchers
    http://www.nbcnews.com/technology/technolog/nbc-com-hacked-say-security-researchers-1C8483074

    Security researchers warned Web users against visiting NBC.com, saying that hackers added links to malware on the site. Google’s Chrome browser and others detected the threats, and deterred users from loading the page.

    NBC released the following statement regarding the website, which promotes the entertainment offerings of the TV network: “We’ve identified the problem and are working to resolve it. No user information has been compromised.”

    Additional security bloggers investigated and reported finding exploits. “There were two exploit links on the NBC website,”

    “The exploit drops the Citadel Trojan which is used for banking fraud and cyber-espionage,” said the blog.

    Reply
  7. Tomi Engdahl says:

    Malware Attack on Apple Said to Come From Eastern Europe
    http://www.bloomberg.com/news/2013-02-19/apple-says-a-small-number-of-mac-computers-infected-by-malware.html

    At least 40 companies including Apple Inc., Facebook Inc. and Twitter Inc. were targeted in malware attacks linked to an Eastern European gang of hackers that is trying to steal company secrets, two people familiar with the matter said.

    Apple, one of three victims to publicly disclose attacks this month, said some of its internal Mac systems were affected by a malware attack. The hackers used an iPhone-developer website

    The attack is part of the same series of invasions that also led to recently disclosed breaches at Facebook and Twitter, according to investigators working with the companies. Apple was the first to discover the attack, one of the people said.

    Facebook said last week that it was subjected to a “sophisticated attack” by hackers who took advantage of weaknesses in a mobile-developer website.

    In this case, the website was probably visited by software developers and other employees of technology companies, which would present attractive targets to hackers, according to Anup Ghosh, founder of the security firm Invincea Inc. The hackers, who don’t know ahead of time exactly who will be infected, then use those initial infections to burrow deeper into networks of companies that might have valuable data, Ghosh said.

    Investigators suspect that the hackers are a criminal group based in Russia or Eastern Europe, and have tracked at least one server being used by the group to a hosting company in the Ukraine. Other evidence, including the malware used in the attack, also suggests it is the work of cyber criminals rather than state-sponsored espionage from China, two people familiar with the investigation said.

    The New York Times Co. reported Jan. 30 that its computer network was hacked repeatedly by attackers in China.

    Reply
  8. Tomi Engdahl says:

    Zendesk Security Breach Affects Twitter, Tumblr and Pinterest
    http://www.wired.com/threatlevel/?p=54338

    Customer service software provider Zendesk announced a security breach that allowed attackers into its system, where they could access data from three customers this week. Wired learned those three clients were Twitter, Pinterest and Tumblr.

    Zendesk allows companies to outsource many of their customer service functions to it via software tools. It has more than 25,000 clients, according to its website.

    Zendesk noted that a hacker downloaded e-mail addresses of users who contacted those three customers for support, along with the e-mail subject lines.

    Reply
  9. Tomi Engdahl says:

    Analysis: The near impossible battle against hackers everywhere
    http://www.reuters.com/article/2013/02/24/us-cybersecurity-battle-idUSBRE91N03520130224

    (Reuters) – Dire warnings from Washington about a “cyber Pearl Harbor” envision a single surprise strike from a formidable enemy that could destroy power plants nationwide, disable the financial system or cripple the U.S. government.

    But those on the front lines say it isn’t all about protecting U.S. government and corporate networks from a single sudden attack. They report fending off many intrusions at once from perhaps dozens of countries, plus well-funded electronic guerrillas and skilled criminals.

    “They outspend us and they outman us in almost every way,” said Dell Inc’s chief security officer, John McClurg. “I don’t recall, in my adult life, a more challenging time.”

    HUNDREDS OF CASES UNREPORTED

    Industry veterans say the growth in the number of hackers, the software tools available to them, and the thriving economic underground serving them have made any computer network connected to the Internet impossible to defend flawlessly.

    “Your average operational security engineer feels somewhat under siege,” said Bruce Murphy, a Deloitte & Touche LLP principal who studies the security workforce. “It feels like Sisyphus rolling a rock up the hill, and the hill keeps getting steeper.”

    And most say that the increased mainstream attention on cyber security, even if it fixes uncomfortably on the industry’s failings and tenacious adversaries, will help drive a desperately needed debate about what do to internationally and at home.

    Reply
  10. Tomi Engdahl says:

    Google’s Android Reborn as Network-Hacking Kit
    http://www.wired.com/wiredenterprise/2013/02/pwnpad/

    The folks at security tools company Pwnie Express have built a tablet that can bash the heck out of corporate networks. Called the Pwn Pad, it’s a full-fledged hacking toolkit built atop Google’s Android operating system.

    Pwnie Express will be selling the cool-looking hack machines — based on Google’s Nexus 7 tablets — for $795. They’ll be introduced at the RSA security conference in San Francisco next week, but Pwnie Express is also releasing the Pwn Pad source code, meaning that hackers can download the software and get it up and running on other types of Android phones and tablets.

    Some important hacking tools have already been ported to Android, but Pwnie Express says that they’ve added some new ones. Most importantly, this is the first time that they’ve been able to get popular wireless hacking tools like Aircrack-ng and Kismet to work on an Android device.

    Reply
  11. Tomi Engdahl says:

    Microsoft gooses Windows XP’s custom support prices as deadline nears
    http://www.computerworld.com/s/article/9237019/Microsoft_gooses_Windows_XP_s_custom_support_prices_as_deadline_nears?taxonomyId=125&pageNumber=2

    And it’s not like Microsoft sprung the retirement date of XP on customers: It’s been hammering the April 2014 deadline for years.

    But the large price increases will bust budgets of enterprises that had expected the older pricing model

    Microsoft wants to turn custom support into a money maker, rather than simply recover its costs, which has been its philosophy in the past.

    “End of the day, it could be a revenue generator,”

    Rather than pay Microsoft for custom support in 2014 and beyond, Silver advised enterprises to spend money this year to migrate as many XP systems as possible to a supported operating system. Failing that, IT administrators should consider bringing all XP clients inside the network perimeter to lower the risk of Web-based attacks, or move the applications those XP PCs are running onto a supported server platform.

    “But none of these are easy or inexpensive,” Silver admitted.

    Reply
  12. Tomi Engdahl says:

    Samsung announces SAFE with Knox, details plans to secure the enterprise Galaxy (hands-on)
    http://www.engadget.com/2013/02/25/samsung-safe-with-knox/

    So what will you find within the Fort Knox of the smartphone world? It’s an IT manager’s pipe dream, of sorts. A comprehensive collection of features that include Security Enhanced (SE) Android, secure boot, TrustZone-based Integrity Monitoring (TIMA) for protecting the kernel, Single Sign On (SSO) and that application container concept made famous by BlackBerry, just to name a few. Best of all, Knox will ship preinstalled on select devices, all sold as one SKU — in other words, consumers and enterprise customers alike will be taking home identical handsets, simplifying the process significantly for BYOD (Bring Your Own Device) businesses.

    Reply
  13. Tomi Engdahl says:

    Twitter Hackings Put Focus on Security for Brands
    http://www.nytimes.com/2013/02/25/technology/twitter-hacks-force-companies-to-confront-security-on-social-media.html?pagewanted=all

    Burger King’s Twitter account had just been hacked. The company’s logo had been replaced by a McDonald’s logo, and rogue announcements began to appear. One was that Burger King had been sold to a competitor; other posts were unprintable.

    “Every time this happens, our sales phone lines light up,”

    “For big brands, this is a huge liability,” he said, referring to the potential for being hacked.

    What happened to Burger King — and, a day later, to Jeep — is every brand manager’s nightmare. While many social media platforms began as a way for ordinary users to share vacation photos and status updates, they have now evolved into major advertising vehicles for brands, which can set up accounts free but have to pay for more sophisticated advertising products.

    Burger King and Jeep, owned by Chrysler, are not alone. Other prominent accounts have fallen victim to hacking, including those for NBC News, USA Today, Donald J. Trump, the Westboro Baptist Church and even the “hacktivist” group Anonymous.

    Those episodes raised questions about the security of social media passwords and the ease of gaining access to brand-name accounts. Logging on to Twitter is the same process for a company as for a consumer, requiring just a user name and one password.

    “Twitter and other social media accounts are like catnip for script kiddies, hacktivists and serious cybercriminals alike,”

    Reply
  14. Tomi Engdahl says:

    The New Firefox Cookie Policy
    http://webpolicy.org/2013/02/22/the-new-firefox-cookie-policy/

    The default Firefox cookie policy will, beginning with release 22, more closely reflect user privacy preferences. This mini-FAQ addresses some of the questions that I’ve received from Mozillans, web developers, and users.

    How does the new Firefox cookie policy work?

    Roughly: Only websites that you actually visit can use cookies to track you across the web.

    More precisely: If content has a first-party origin, nothing changes. Content from a third-party origin only has cookie permissions if its origin already has at least one cookie set.

    Reply
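
As an added example (not from the post or from Mozilla's code), the following Python simulates the rule quoted in the comment above and exposes its main caveat: a third party is blocked until the user visits it directly once, after which it keeps its cookie and can be recognised on every page that embeds it. The origins and the scenario are constructed for illustration; this models only the cookie-permission decision, not the rest of the browser's cookie handling.

```python
"""Model of the Firefox 22 third-party cookie rule: first-party content is unchanged, third-party
content may use cookies only if its origin already has at least one cookie."""


class CookieJar:
    def __init__(self):
        self.cookies = {}  # origin -> {name: value}

    def may_use_cookies(self, origin, top_level_origin):
        if origin == top_level_origin:
            return True                          # first party: nothing changes
        return bool(self.cookies.get(origin))    # third party: only if it already has a cookie

    def set_cookie(self, origin, top_level_origin, name, value):
        """Return True if the Set-Cookie was honoured under the policy."""
        if not self.may_use_cookies(origin, top_level_origin):
            return False
        self.cookies.setdefault(origin, {})[name] = value
        return True

    def cookies_for(self, origin, top_level_origin):
        """Cookies that would be sent with a request to origin from a page on top_level_origin."""
        if not self.may_use_cookies(origin, top_level_origin):
            return {}
        return dict(self.cookies.get(origin, {}))


def tracker_scenario():
    """Constructed walk-through: (blocked_before_visit, cookies_sent_after_visit)."""
    jar = CookieJar()
    # news.example embeds tracker.example; the tracker has never been visited, so it is blocked.
    blocked = jar.set_cookie("tracker.example", "news.example", "uid", "abc")
    # The user opens tracker.example directly once; as first party it may set its cookie.
    jar.set_cookie("tracker.example", "tracker.example", "uid", "abc")
    # From now on the embed on any other site (here shop.example) gets that cookie back.
    tracked = jar.cookies_for("tracker.example", "shop.example")
    return blocked, tracked


if __name__ == "__main__":
    print(tracker_scenario())  # expected: (False, {'uid': 'abc'})
```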
  15. Tomi Engdahl says:

    Bypassing Google’s Two-Factor Authentication
    By Adam Goodman on February 25, 2013
    https://blog.duosecurity.com/2013/02/bypassing-googles-two-factor-authentication/

    TL;DR – An attacker can bypass Google’s two-step login verification, reset a user’s master password, and otherwise gain full account control, simply by capturing a user’s application-specific password (ASP).

    Google’s 2-step verification makes for an interesting case study in some of the challenges that go with such a wide-scale, comprehensive deployment of strong authentication. To make 2-step verification usable for all of their customers (and to bootstrap it into their rather expansive ecosystem without breaking everything), Google’s engineers had to make a few compromises. In particular, with 2-step verification came a notion of “Application-Specific Passwords” (ASPs).

    Some months ago, we found a way to (ab)use ASPs to gain full control over Google accounts, completely circumventing Google’s 2-step verification process. We communicated our findings to Google’s security team, and recently heard back from them that they had implemented some changes to mitigate the most serious of the threats we’d uncovered. Here’s what we found

    Reply
  16. Tomi Engdahl says:

    New Document Sheds Light on Government’s Ability to Search iPhones
    http://www.aclu.org/blog/technology-and-liberty-criminal-law-reform-immigrants-rights/new-document-sheds-light

    Cell phone searches are a common law enforcement tool, but up until now, the public has largely been in the dark regarding how much sensitive information the government can get with this invasive surveillance technique.

    Last fall, officers from Immigration and Customs Enforcement (ICE) seized an iPhone from the bedroom of a suspect in a drug investigation. In a single data extraction session, ICE collected a huge array of personal data from the phone. Among other information, ICE obtained:

    call activity
    phone book directory information
    stored voicemails and text messages
    photos and videos
    apps
    eight different passwords
    659 geolocation points, including 227 cell towers and 403 WiFi networks with which the cell phone had previously connected.

    Before the age of smartphones, it was impossible for police to gather this much private information about a person’s communications, historical movements, and private life during an arrest. Our pockets and bags simply aren’t big enough to carry paper records revealing that much data. We would have never carried around several years’ worth of correspondence, for example—but today, five-year-old emails are just a few clicks away using the smartphone in your pocket. The fact that we now carry this much private, sensitive information around with us means that the government is able to get this information, too.

    Reply
  17. Tomi Engdahl says:

    Adobe springs emergency Flash update, says hackers hitting Firefox
    Second ‘out-of-band’ patch this month, fourth fix overall in 2013
    http://www.computerworld.com/s/article/print/9237171/Adobe_springs_emergency_Flash_update_says_hackers_hitting_Firefox

    Adobe today patched new vulnerabilities in Flash Player that hackers are now exploiting in attacks aimed at Firefox users, the company said.

    Today’s surprise update to Flash Player was the second emergency fix this month, the third overall for February, and the fourth since the start of 2013.

    Reply
  18. Tomi Engdahl says:

    Cryptography ‘Becoming Less Important,’ Adi Shamir Says
    http://it.slashdot.org/story/13/02/26/2252211/cryptography-becoming-less-important-adi-shamir-says

    “In the current climate of continuous attacks and intrusions by APT crews, government-sponsored groups and other organizations, cryptography is becoming less and less important, one of the fathers of public-key cryptography said Tuesday. Adi Shamir, who helped design the original RSA algorithm”

    ‘We should rethink how we protect ourselves. Traditionally we have thought about two lines of defense.

    Reply
  19. Tomi Engdahl says:

    RSA Conference 2013: Experts Say It’s Time to Prepare for a ‘Post-Crypto’ World
    https://threatpost.com/en_us/blogs/rsa-conference-2013-experts-say-its-time-prepare-post-crypto-world-022613

    In the current climate of continuous attacks and intrusions by APT crews, government-sponsored groups and other organizations, cryptography is becoming less and less important and defenders need to start thinking about new ways to protect data on systems that they assume are compromised, one of the fathers of public-key cryptography said Tuesday.

    “I definitely believe that cryptography is becoming less important. In effect, even the most secure computer systems in the most isolated locations have been penetrated over the last couple of years by a series of APTs and other advanced attacks,” Shamir, of the Weizmann Institute of Science in Israel, said during the Cryptographers’ Panel session at the RSA Conference here today.


    “It’s very hard to use cryptography effectively if you assume an APT is watching everything on a system,” Shamir said. “We need to think about security in a post-cryptography world.”

    Reply
  20. Tomi Engdahl says:

    Are data centers making ‘market corrections’ on risk assessment?
    http://www.cablinginstall.com/articles/2013/february/data-center-risk.html

    A short report from DCD Intelligence, the research arm of DatacenterDynamics, points out that data center administrators previously unconcerned about the costs associated with risk aversion are now taking such costs into consideration. As a result, they are now taking a harder look at their real risks and making budget-based decisions accordingly, in contrast to the previous common practice that probably amounted to overspending.

    The research conducted for the report “strongly indicates that companies are more willing to take on risk than they were before the crisis,”

    Hayes pointed out, “All of this is not to say that companies are taking unnecessary risks. Indeed it would appear that for the past decade companies have been overestimating risk-based concerns since when money was readily available this was the more cautious approach.”

    “Now, even where a high degree of resilience is warranted, a Tier 3 facility is being looked on as sufficient to save on the significant cost of building a Tier 4 facility,”

    Reply
  21. Tomi Engdahl says:

    Software moles in your systems
    http://www.controleng.com/home/single-article/software-moles-in-your-systems/5a0347ba765249f3926eb61201e7dd59.html

    Old programs, utilities, and plug-ins languishing on your computer or control systems could threaten your security.

    Reply
  22. Tomi says:

    Stuxnet 0.5: The Missing Link
    http://www.symantec.com/connect/blogs/stuxnet-05-missing-link

    In July 2010, Stuxnet, one of the most sophisticated pieces of malware ever written, was discovered in the wild.

    The earliest known variant of Stuxnet was version 1.001 created in 2009. That is, until now.

    Symantec Security Response has recently analyzed a sample of Stuxnet that predates version 1.001. Analysis of this code reveals the latest discovery to be version 0.5 and that it was in operation between 2007 and 2009 with indications that it, or even earlier variants of it, were in operation as early as 2005.

    Despite the age of the threat and kill date, Symantec sensors have still detected a small number of dormant infections (Stuxnet 0.5 files found within Step 7 project files) worldwide over the past year.

    Reply
  23. Tomi says:

    Cloudmark
    2012 Messaging Threat Report
    Evolving Threats in the Messaging Landscape
    http://www.cloudmark.com/releases/docs/threat_report/Cloudmark_2012_Annual_Threat_Report.pdf

    SMS: The New Trust Vector

    This inherent trust in mobile phones is not at all surprising, after all, telephones have been in our homes and widely trusted for generations.

    Attackers are well aware of this wide acceptance and use this trust to their advantage. As an example, many believe that any communications via their smartphone – whether via traditional call or via SMS – must be from someone they know or have done business with.

    Compounding the trust in the devices, mobile phones – particularly smartphones – tend to be always-on, giving us instant communications and connectivity regardless of where we are or what we might be doing. The combination can be lethal, resulting in hasty decisions and impulsive reactions that can – and often do – lead to compromise.

    As much as 72% of adults indicated that they use their mobile device to send and receive SMS texts according to a study conducted on behalf of Cloudmark.

    Equally important, SMS message open rates exceed approximately 90% [2]. This contrasts to email, which averages an open rate of roughly 20-25% with an average wait time of 24 hours [3, 4]. The end result: SMS provides a ripe opportunity for scammers and attackers.

    A recent study conducted on behalf of Cloudmark suggests that spammers have noticed the widespread adoption of SMS. Of adults in the U.S., 60% claim to have received spam SMS text messages within the last year. These campaigns are also seeing returns. Out of U.S. adults who received unsolicited text messages, 13% clicked the link provided. Similarly, 9% claimed that they have called the phone number given in an unsolicited text.

    A key component to success of SMS spam is that the message appears fresh and original. Spammers pay keen attention to their return on investment (ROI)

    Apple products were a clear favorite among scammers.

    Unlike traditional phishing wrought via email, SMS phishing adds an air of legitimacy by instructing recipients to dial a phone number as opposed to visiting a website. Using virtual voice systems, the recorded messages typically claim to be fraud service divisions for major banks.

    SpamSoldier Android Botnet
    The downloaded file contained an initial loader program and a pirated copy of the game. When run, the loader program set up a service to send SMS spam, delete its own icon and install the pirated game. The loader also added a filter to incoming SMS messages, to block any that did not come from phone numbers already on the user’s contacts list. (This presumably prevented notification from irate recipients of subsequent SMS spam sent from the infected device).

    The spamming service then sent a series of HTTP GET requests to a command and control server

    While SMS spammers employed many different scam and fraud campaigns, ‘Receive a Gift Card’ scams were the most prevalent, comprising nearly half of all SMS spam.

    Another trend observed in 2012 was the increased use of “blended” threats spanning multiple messaging types. These attacks used a combination of emails, SMS messages, instant messaging conversations, and mining of social network relationships to send spam.

    In affiliate webcam spam, a spammer sends a sequence of SMS messages
    Once the conversation shifts to Yahoo Messenger, a second scripted conversation continues
    landing page opens two browser windows – one to an adult dating site and one to a webcam site. The webcam site is one of thousands owned by a single company; each cam site has the same content and offers an affiliate program that pays $40 per signup.

    Fighting Back
    To counter these projected trends, both subscriber and mobile network operator must join forces to actively combat SMS spam.

    While email continues to be a steady source of spam, SMS text messaging may well be the new frontier.

    Judging from the peaks and valleys in SMS types and pitches, it appears spammers may still be testing the best methods to increase their ROI and get their bearings in this still relatively new medium.

    Reply
  24. Tomi says:

    BlackBerry not as secure as believed, memo warns federal workers
    http://o.canada.com/2013/02/26/blackberry-not-as-secure-as-believed-memo-warns-federal-workers/#.US53XXKAwvQ

    The federal department charged with overseeing cyber-security has warned its workers to think twice before sending a BlackBerry message, suggesting that the device believed to be the most secure in the world is more vulnerable than users may believe.

    The one-page policy memo from Public Safety Canada, updated in mid-January, attempts to dissuade government BlackBerry users from sending a PIN-to-PIN message largely because it could be read by any BlackBerry user, anywhere in the world. The messages are “the most vulnerable method of communicating on a BlackBerry,” a Public Safety Canada presentation says.

    Almost two-thirds of federal government mobile users in Canada prefer to use the BlackBerry, with the remaining one-third using either Apple’s iPhone or Google’s Android.

    “Although PIN-to-PIN messages are encrypted, the key used is a global cryptographic ‘key’ that is common to every BlackBerry device all over the world,” the memo reads. “Any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device.”

    “PIN-to-PIN messaging bypasses all corporate e-mail security filters, and thus users may become vulnerable to viruses and malware code as well as spam messages if their PIN becomes known to unauthorized third parties,” the memo warns.

    Among the security suggestions in the presentation is this about mobile devices: “Cellular telephones/BlackBerrys/PDAs are not secure and are frequently monitored by amateurs and professionals alike.”

    Reply
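The memo's point is about key scope rather than cipher strength: a key that every device holds protects a message from outsiders but not from any other device. The following added example (my own illustration, not BlackBerry's code and not from the article) makes that concrete with a toy HMAC-SHA256 keystream cipher from the standard library, standing in for the real PIN-to-PIN cipher whose details are not on the page. The pairwise-secret model it compares against is an assumption for contrast: it assumes each pair of endpoints has its own secret provisioned out of band.

```python
"""Added example (not from the article or from BlackBerry): a key shared by every
device in a fleet gives no confidentiality against another device in the fleet;
a key scoped to the sender/recipient pair does. The cipher is a toy stand-in."""
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: keystream blocks are HMAC(key, nonce || counter).
    # Encryption and decryption are the same XOR. Illustration only.
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


# Model 1: one global key baked into every device (what the memo describes).
GLOBAL_KEY = b"constructed-global-key-shared-by-all-devices"


# Model 2: a key derived from a secret that only the two endpoints share
# (assumed to be provisioned out of band; this is not how PIN-to-PIN works).
def pair_key(pair_secret: bytes, sender: str, recipient: str) -> bytes:
    label = "|".join(sorted([sender, recipient])).encode()
    return hashlib.sha256(pair_secret + b"\x00" + label).digest()


def demo() -> dict:
    msg = b"constructed message: meeting moved to 14:00"
    # Alice -> Bob under the global key; Mallory's device holds the same key.
    blob = encrypt(GLOBAL_KEY, msg)
    mallory_reads_global = decrypt(GLOBAL_KEY, blob) == msg
    # Same message under a pair-scoped key. Mallory has her own pair secret
    # with Alice but not the Alice-Bob secret, so her decryption is garbage.
    ab_secret = os.urandom(32)
    am_secret = os.urandom(32)
    blob2 = encrypt(pair_key(ab_secret, "alice", "bob"), msg)
    bob_reads = decrypt(pair_key(ab_secret, "alice", "bob"), blob2) == msg
    mallory_reads_pair = decrypt(pair_key(am_secret, "alice", "mallory"), blob2) == msg
    return {
        "global_key_third_party_reads": mallory_reads_global,
        "pair_key_recipient_reads": bob_reads,
        "pair_key_third_party_reads": mallory_reads_pair,
    }


if __name__ == "__main__":
    print(demo())
```

The first result is the memo's warning in miniature: "encrypted" says nothing about who else can read the message until you know who holds the key.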
  25. Tomi Engdahl says:

    America’s Declared (& Undeclared) Cyberwar
    http://www.ebnonline.com/author.asp?section_id=1162&doc_id=259235

    President Barack Obama issued an executive order in mid-February to make it easier for “eligible critical infrastructure” companies and the US government to share information about network attacks.

    US government is attempting to protect national interests from network attacks and data theft. It is also the latest development in the US’ reaction to increasingly common attacks that could have major implications on the world’s supply chain.

    The main goal of the executive order is to create more efficient best-practices and policies for protection against “the cyber threat to critical infrastructure, which continues to grow and represents one of the most serious national security challenges we must confront.”

    While previously largely limited to attacks against military and government networks, the National Counterintelligence Executive maintains that international cyberthieves are increasingly stealing US trade secrets from private firms and using them to gain an advantage in the undeclared economic war.

    But as the US government seeks to shore up its cyberdefenses, it is not necessarily a passive participant in this undeclared cyberwar.

    The French presidential and Stuxnet attacks are, of course, just two examples of attacks against foreign interests that supposedly originated in the United States. To the extent that the United States does apply its vast arsenal of defense spending to cybersurveillance and even cyberwarfare remains the stuff of chat room discussions and information that will remain classified for decades from now, if it ever does become known.

    Reply
  26. Tomi Engdahl says:

    The birth of a new hashing standard: SHA-3
    http://www.eetimes.com/electronics-blogs/other/4407248/The-birth-of-a-new-hashing-standard–SHA-3?Ecosystem=communications-design

    A cryptographic hash function converts an arbitrary-length message into a fixed-length digest, and it is a fundamental step in the efficient implementation of electronic messages. Back in 2004, significant attacks on the standard hash functions of that time were getting published everywhere. These attacks almost completely broke MD5, SHA-0 and later on SHA-1.

    At that time, NIST announced that it would phase out SHA-1 and replace it with the more stable SHA-2. However being algorithmically similar to SHA-1, NIST feared that SHA-2 might itself get broken in the near future, and in Nov 2007 announced a competition to select a new standard for cryptographic hashing, SHA-3.

    The competition ended Oct 2012 and out of 64 submissions Keccak was declared the winner.

    Later research on the cryptanalysis of hashing algorithms improved the confidence in SHA-2 showing that it can still be safely used.

    It appears that NIST will keep the two algorithms as a backup for each other.

    Reply
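Since NIST keeps SHA-2 and SHA-3 as backups for each other, a verifier should be able to accept either while refusing the broken MD5/SHA-1 generation. The added example below (my own code, not from the EE Times article or from NIST) shows one way to do that with Python's hashlib: the algorithm name travels with the digest, unknown or retired algorithms fail closed instead of being guessed from digest length, and the empty-string known-answer values let you confirm the library implements the standard algorithms.

```python
"""Added example (not from the article): tagged digests with algorithm agility
between the SHA-2 and SHA-3 families, rejecting the broken MD5/SHA-1 family."""
import hashlib
import hmac

# Algorithms the verifier is willing to accept. MD5 and SHA-1 are deliberately
# absent: the 2004-era attacks the article mentions broke them.
ACCEPTED = {
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
    "sha3-256": hashlib.sha3_256,
    "sha3-512": hashlib.sha3_512,
}


def tagged_digest(data: bytes, alg: str = "sha3-256") -> str:
    """Return '<alg>:<hex>' so the algorithm name travels with the digest."""
    if alg not in ACCEPTED:
        raise ValueError(f"algorithm not accepted: {alg}")
    return f"{alg}:{ACCEPTED[alg](data).hexdigest()}"


def verify(data: bytes, tag: str) -> bool:
    """Recompute with the algorithm named in the tag and compare in constant
    time. A missing separator or a retired algorithm is a failure, never a
    fallback to some other algorithm."""
    alg, sep, hexd = tag.partition(":")
    if not sep or alg not in ACCEPTED:
        return False
    return hmac.compare_digest(ACCEPTED[alg](data).hexdigest(), hexd)


def digest_bits(tag: str) -> int:
    """Digest size in bits (each hex character carries four bits)."""
    return len(tag.partition(":")[2]) * 4


if __name__ == "__main__":
    sample = b"constructed sample message"
    for name in ACCEPTED:
        t = tagged_digest(sample, name)
        print(name, digest_bits(t), verify(sample, t))
```

Storing the algorithm name alongside the digest is what makes a later migration (say, from sha256 tags to sha3-256 tags) a data-driven change rather than a flag day.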
  27. Tomi Engdahl says:

    The “ban raises competition concerns; it raises innovation concerns,” FCC Chairman Julius Genachowski told
    http://thehill.com/blogs/hillicon-valley/technology/285617-white-house-debating-actions-to-retaliate-against-cyberattacks

    The White House is debating what actions will be taken to retaliate against individuals and countries that launch cyberattacks against the United States.

    White House Cybersecurity Coordinator Michael Daniel on Thursday said officials might consider financial sanctions, visa restrictions and military action as tools to use against foreign hackers who target U.S. networks. However, the U.S. is still weighing when a cyber incident will prompt a response from the federal government.

    “What I can say is that once we decide a federal response is warranted though, there’s still a broad spectrum of actions we could take.”

    The cyber chief stressed that the U.S. government’s response to cyberattacks will be “cautious” and take into account the broader implications for foreign policy.

    Daniel warned that the consequences of misattributing an attack in cyberspace can be steep.

    Cyberattacks stemming from China have dominated headlines in recent days.

    The administration has been cautious in its response to the report and a series of hacker attacks that hit The New York Times, The Washington Post, Apple and other companies.

    Reply
  28. Tomi Engdahl says:

    RSA: The Pwn Pad is an Android Tablet-Based Penetration Tester (Video)
    http://it.slashdot.org/story/13/02/28/2012211/rsa-the-pwn-pad-is-an-android-tablet-based-penetration-tester-video

    “Pwn Pad, which is a highly-modified (and rooted) Nexus 7 tablet “which provides professionals an unprecedented ease of use in evaluating wired and wireless networks.” They list its core features as Android OS 4.2 and Ubuntu 12.04;”

    Reply
  29. Tomi Engdahl says:

    “Administrators need to understand that traditional security devices are not enough to protect a network or the services it provides.”

    (Source: Frost & Sullivan White Paper – Why Anti-DDoS Products and Services are critical for Today’s Business Environment)

    The threat of Distributed Denial of Service (DDoS) attacks has grown in both size and complexity. While firewalls and IPS products are key elements of a layered security strategy, they are not designed to deal with today’s sophisticated and evolving DDoS Threats. Plus they’re designed to recognise only known attacks, so emerging threats often slip through.

    Source: http://exclusive-networks.mailpv.net/a/s/10044338-125d818ee1c68b121e86573c98d715d7/306673

    Reply
  30. Tomi Engdahl says:

    Koozoo turns any old iPhone into a 24/7 spycam
    http://www.theverge.com/2013/2/28/4039572/koozoo-app-livestream-your-yard

    One entrepreneurial student with a great view of the bar jerry-rigged his webcam to broadcast live from his bedroom window to a website, and the site went viral.

    “to create a method for people to have this view of the line and get in faster without the hassle of waiting in the cold,”

    “The problem was that it was a weekend project, was difficult to set up, and was hacked together,” says Drew Sechrist — who is today launching a free app called Koozoo that turns any old iPhone into a 24 / 7 livestreaming video machine.

    Once you download Koozoo to an old iPhone or iPod Touch (and soon, Android devices), setting up a video stream over either Wi-Fi or 4G takes less than a minute. The company will even mail you a window suction cup mount to give your old device the best possible view.

    “Today we have ubiquitous smartphones, but also ubiquitous old smartphones,” Sechrist says. “There are billions of dollars of smartphones sitting in sock drawers all over the world.”

    One of the clever aspects of Koozoo is that your phone doesn’t actually broadcast all day and night. The phone takes a snapshot every few minutes to use as a thumbnail, and only broadcasts live when a viewer using the Koozoo app tunes in. Video streams out at between 200 and 800 kbps, depending on your internet connection, which can max out at about 720p fidelity video, Sechrist says.

    Koozoo doesn’t transmit audio in order to preserve some semblance of privacy — a word the company should be paying close attention to.

    “There’s never been anything like this that makes public spaces of our metro areas visible to all by making it super simple to do,” Sechrist says, which is exactly why the service is ripe for abuse.

    Just like Instagram and Vine, Koozoo will face a never-ending struggle with users who cross the boundaries of what’s acceptable as public content. “There will be grey areas of what’s appropriate content and what’s not,”

    Reply
  31. Tomi says:

    U.S. repeatedly accuses China of launching cyber-attacks – but USA is actually much worse

    The United States has recently blamed China for cyber attacks. China has responded in kind, saying that most of the attacks come from the United States.

    Perhaps the Yankees should take a look in the mirror a little bit.

    According to a recent survey, 71 percent of malicious programs come from the United States (2 percent from China).

    Bot Networks received 58 percent of orders from the United States (4 percent from China).

    In Europe, bot network commands were distributed from German equipment (nine percent), and from French and Dutch equipment (both 7 percent).

    The data is derived from Check Point Software Technologies’ annual security report.

    Other data:
    Contrary to popular belief, most vulnerabilities were found in Apple products (260). Microsoft was runner-up with 222 vulnerabilities.

    Surprising was that the Firefox browser went past Adobe with 150 vulnerabilities.

    Source: http://m.tietoviikko.fi/Uutiset/Yhdysvallat+syytt%C3%A4%C3%A4+toistuvasti+Kiinaa+kyberhy%C3%B6kk%C3%A4yksist%C3%A4+-+on+itse+paljon+pahempi

    Reply
  32. Tomi says:

    HP Cyber Security Risk Report says that the vulnerabilities grew by a fifth last year.

    The number of critical security holes decreased but they still remain a key threat. One in five holes allows the attacker complete control of destinations.

    SCADA system vulnerabilities have exploded. In 2008 there were 22 of them. In 2012 there were 191 holes in SCADA systems. This means 768 percent growth since 2008.

    Source: http://m.tietoviikko.fi/Uutiset/T%C3%A4m%C3%A4+turva-uhka+on+r%C3%A4j%C3%A4ht%C3%A4nyt+k%C3%A4siin%3A+_plus_768%25

    Reply
  33. Tomi Engdahl says:

    A high degree of intrusion: the tens of millions of Evernote users need to change their password

    Security Notice: Service-wide Password Reset
    http://blog.evernote.com/blog/2013/03/02/security-notice-service-wide-password-reset/

    Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

    In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost.

    The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords.

    Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption.

    While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords.

    As recent events with other large services have demonstrated, this type of activity is becoming more common.

    Reply
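Evernote's "one-way encryption" is password hashing: the service keeps only a salted, slow hash, verifies a login by recomputing it, and can never hand the password back. The added example below (my own code, not Evernote's) shows that storage and check with the standard library's PBKDF2-HMAC-SHA256, plus one way to implement a service-wide reset: the old hash is kept so a user can still prove the old password, but normal logins are refused until a new one is set. The record layout and the iteration count are assumptions for illustration.

```python
"""Added example (not Evernote's code): salted one-way password storage,
verification without recovering the password, and a forced service-wide reset."""
import hashlib
import hmac
import os

# Assumption for illustration; tune to current guidance and your hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = None) -> dict:
    """Return a storable record: per-user random salt, PBKDF2 digest,
    iteration count, and a reset flag. The password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "iterations": ITERATIONS, "must_reset": False}


def check_password(record: dict, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(record["salt"]),
                                    record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["hash"])


def login(record: dict, password: str) -> str:
    """Returns 'ok', 'reset_required' or 'denied'."""
    if not check_password(record, password):
        return "denied"
    if record["must_reset"]:
        return "reset_required"
    return "ok"


def force_reset_all(db: dict) -> int:
    """Service-wide reset after a suspected exposure of the hash table:
    flag every record; returns the number of accounts affected."""
    for rec in db.values():
        rec["must_reset"] = True
    return len(db)


def set_new_password(db: dict, user: str, old: str, new: str) -> bool:
    """Complete a reset: the user proves the old password, and the record is
    replaced with a fresh salt and hash (which also clears must_reset)."""
    rec = db[user]
    if not check_password(rec, old) or new == old:
        return False
    db[user] = hash_password(new)
    return True


if __name__ == "__main__":
    db = {"alice": hash_password("constructed passphrase")}  # constructed sample
    force_reset_all(db)
    print(login(db["alice"], "constructed passphrase"))  # reset_required
```

Note what the reset does and does not achieve: an attacker who copied the hashes can still run an offline guessing attack against them, which is why the slow hash and per-user salt matter; the reset limits what a recovered password is worth on this service.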
  34. Tomi Engdahl says:

    Another Java zero-day exploit in the wild actively attacking targets
    http://arstechnica.com/security/2013/03/another-java-zero-day-exploit-in-the-wild-actively-attacking-targets/

    Hackers are exploiting a previously unknown and currently unpatched vulnerability in the latest version of Java to surreptitiously infect targets with malware, security researchers said Thursday night.

    The critical vulnerability is being exploited to install a remote-access trojan dubbed McRat, researchers from security firm FireEye warned. The attacks work against Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software.

    The security of Java is reaching near-crisis levels as reports of new in-the-wild exploits have become an almost weekly occurrence over the past few months. In the past several weeks, Facebook, Apple, and Twitter have all disclosed that their computers were compromised by exploits

    A researcher from Russia-based antivirus provider Kaspersky confirmed the bug to IDG News but went on to say the vulnerability can’t be triggered in older versions such as Java 7 Update 10. Kaspersky also said the attacks appeared to target specific individuals or organizations.

    Reply
  35. Tomi Engdahl says:

    Five-year-old runs up £1,700 iPad bill in ten minutes
    A five-year-old boy ran up a £1,700 bill on his parents’ iPad in just ten minutes.
    http://www.telegraph.co.uk/news/newstopics/howaboutthat/9901637/Five-year-old-runs-up-1700-iPad-bill-in-ten-minutes.html

    Danny Kitchen had asked for the passcode for the device so that he could download a game, Zombie v Ninja, from the Apple store.

    Greg and Sharon Kitchen eventually agreed and left their son alone with the tablet computer as they entertained friends at their home in Warmley, near Bristol.

    But after downloading the free app Danny found his way into the game’s online store and innocently ordered dozens of costly add-ons – totalling £1,710.43.

    His mother knew nothing about his spending spree until she saw a batch of emails from iTunes the following day listing what he had bought.

    “He was crying, as the rest of the children were telling him we could have bought a house with the amount he had spent.

    “Loads of parents in the playground said similar things had happened to them but for a lot less money. I can’t believe he was able to spend so much money.

    “It was far too easy a thing for him to do and more should be done to limit stuff like this from happening. That game is very annoying – and who would spend more than £1,700 on a game?

    An Apple spokesman said such incidents had to be reported as quickly as possible.

    He said it was vital people kept their pass code, designed to stop unauthorised electronic purchases on its products, safe and said software was available to prevent children from using the iTunes store even if they have the password.

    “Parental controls also give parents and guardians the option to turn off functionality such as purchasing from iTunes and the ability to turn off in-app purchases.

    Reply
  36. Tomi Engdahl says:

    iTunes refund after Bristol boy’s £1,700 spending spree
    http://www.bbc.co.uk/news/uk-england-bristol-21629210

    The family of a five-year-old boy who spent £1,700 of his parents’ cash on iTunes has received a full refund.

    Sharon Kitchen said Apple had been “fantastic” in helping with the refund.

    Mrs Kitchen said “He was very upset when he realised what he had done.

    “His brothers and sisters were telling him off, but of course he didn’t know what he did – he’s only five.

    “To be honest, I’m not sure how he did it.”

    Nathan Rae said iPads have security settings that can prevent children from accessing payment details

    Martyn Landi, a writer with Apps magazine, said: “We are hearing stories like this all the time, so credit to Apple for paying the money back.

    “But it is a risky strategy for parents to simply think they can claim the money back if all goes wrong.

    Reply
  37. Tomi Engdahl says:

    Jailed hacker allowed into IT class, hacks prison computers
    http://news.cnet.com/8301-17852_3-57572282-71/jailed-hacker-allowed-into-it-class-hacks-prison-computers/?part=rss&subj=news&tag=title

    Nicholas Webber, serving five years for creating a hacker’s forum site, is somehow invited into an IT class in jail. The consequences are difficult.

    Somehow Nicholas Webber found himself in an IT class while in jail. He’s serving five years for creating a site called GhostMarket, which allowed those interested in creating computer viruses, partaking of stolen IDs and enjoying private credit card data to congregate.

    One might also have thought that inviting him to an IT class might encourage him to enjoy a little mischief.

    As the Daily Mail reports, mischief did indeed occur.

    “The perceived problem was there was a tutor who had been excluded by the prison and charged with allowing a hacking expert to hack into the prison’s mainframe.”

    The slightly peculiar miscalculation that led to this hacking — which happened in 2011 — has come to light because the teacher running the IT class is suing the college that employed him for unfair dismissal.

    Then another news related to the same Isis prison (was this due to faulty technology, usage error or hacking?):

    Isis Prison ‘bedevilled’ by faulty technology
    http://www.bbc.co.uk/news/uk-england-london-16654905

    Faulty technology has “bedevilled” a new jail in south-east London, prison inspectors have claimed in a report.

    The HM Inspectorate of Prisons’ report says this “severely disrupts” the work, education and training of prisoners.

    During the five day inspection, the fingerprint-based roll call system broke every day.

    Reply
  38. Tomi Engdahl says:

    Moscow police information network was attacked by Trojans in February, according to The Register and Izvestia magazines.

    It rendered the speed camera monitoring system inoperative, so the cameras (144) were not operational for at least two weeks. The Trojan, however, was not necessarily alone to blame for the problems, because there were also other problems in the system.

    Moscow speeding cameras collect one hundred million rubles, or about 2.5 million per month in the form of fines.

    Source: http://m.tietoviikko.fi/Uutiset/Troijalainen+rampautti+Moskovan+ylinopeuskamerat/2

    Reply
  39. Tomi Engdahl says:

    Moscow’s speed cameras ‘knackered’ by MYSTERY malware
    Infection spread from cops to traffic gear – report
    http://www.theregister.co.uk/2013/02/28/malware_hobbles_moscow_speed_cams/

    Malware has infected a Russian police computer network, knackering speed cameras in and around Moscow, according to reports.

    Broadsheet daily Izvestia reckons a server operated by the Office of Traffic Police was infiltrated by an unidentified Trojan. The infection disabled parts of the cops’ Arrow-ST system used to monitor key highways in and around the Russian capital, we’re told.

    Cleaning up the mess has been complicated by the transfer of a government contract for the equipment’s maintenance: SK Region, the supplier of the kit, handed the reins over to IntechGeoTrans earlier this year.

    All this has sparked a massive political row: politicians blamed IntechGeoTrans for not sorting out the problem, but the company claimed it inherited a system in a state of chronic disrepair.

    A virus infection may be a secondary cause of failure at many of the 144 camera sites on the network

    Site visits also uncovered malware on the hard disks within one of the cameras

    Izvestia suggested that the malware got onto speed cameras as a result of infection of the traffic police system.

    Reply
  40. Tomi Engdahl says:

    The Pirate Bay – North Korean hosting? No, it’s fake.
    https://rdns.im/the-pirate-bay-north-korean-hosting-no-its-fake

    This is certainly interesting, however let me tell you: It is fake.
    TPB is not hosted in North Korea (at least not now).

    Now lets look closer at the AS131279, aka Ryugyong-dong, aka STAR-KP – the sole ISP in North Korea, state owned of course.
    AS131279 has one Upstream, AS4837 aka China Unicom which we see also in the real North Korean traceroute.

    The AS also shows 2 other peers, AS22351 (Intelsat) and AS51040 (Piratpartiet Norge) – This would mean North Korea DOES provide connectivity to The Pirate Bay, right?
    No.

    Anyone can hijack an AS number and not cause any issues for the real user – In this case The Pirate Bay set up a Sat dish in Phnom Penh, Cambodia – Intelsat gives them a BGP session there.
    The peer net for BGP handoff is 175.45.177.217/30, .216 is Intelsats side and .217 is The Pirate Bay’s.
    One can use ANY IP they wish for these handoffs, internal, their own, “hijacked” – In this case The Pirate Bay “hijacked” 2 IPs from the North Korean network which does not matter for them as this is only accessible from their side, not from the internet.

    This is possible because either Intelsat does not filter BGP announcements (unlikely) or TPB wrote a fake LOA for this AS (likely).

    Conclusion:
    While it is one of the more advanced fake routings it is still pretty lame, a single drop to AS4737 (like a server in China with a BGP session) and it would look much more real, and much harder to detect.
    I cannot certainly say where TPB is hosted now, but it must be Asia

    Reply
  41. Tomi Engdahl says:

    Boeing 787s To Create Half a Terabyte of Data Per Flight
    http://hardware.slashdot.org/story/13/03/07/0137239/boeing-787s-to-create-half-a-terabyte-of-data-per-flight

    “IT director David Bulman said: ‘The latest planes we are getting, the Boeing 787s, are incredibly connected. Literally every piece of that plane has an internet connection, from the engines, to the flaps, to the landing gear. If there is a problem with one of the engines we will know before it lands to make sure that we have the parts there.”

    Comment:

    Connecting flight controls to “The Internet” would be the stupidest of all ideas. If they do this, anyone getting on board would be a candidate for the Darwin awards.

    I’m sure they meant to say that all these systems are networked together, using ARINC or other aviation network technologies.

    Reply
  42. Tomi Engdahl says:

    EU caves in to pressure on new data, privacy law changes; U.S. tech firms breathe sigh of relief
    http://www.zdnet.com/eu-caves-in-to-pressure-on-new-data-privacy-law-changes-u-s-tech-firms-breathe-sigh-of-relief-7000012235/

    Summary: After major U.S.-based technology companies lobbied European member states and politicians, many will wake up today able to breathe a sigh of relief, as the European Commission is forced to climb down on certain elements of the new proposed data protection and privacy law.

    Reply
  43. Tomi Engdahl says:

    Malware-flingers can pwn your mobile with OVER-THE-AIR updates
    German Fed-sponsored boffins: They have ways of hearing you talk
    http://www.theregister.co.uk/2013/03/07/baseband_processor_mobile_hack_threat/

    Vulnerabilities in the baseband processors of a wide range of mobile phones may allow attackers to inject malicious code, monitor calls, and extract confidential data stored on the device, according to recent research from mobile security experts. However, according to El Reg’s mobile correspondent, Bill Ray, this would be extremely difficult to pull off.

    A three-year research project by GSMK CryptoPhone has discovered that certain baseband processors – AKA phone modems – in smartphones can be manipulated by over-the-air updates without requiring any physical access to the victim’s phone.

    GSMK CryptoPhone has reported its findings to Qualcomm and Infineon and is holding back on publishing details of the most serious of the security bugs

    Baseband processors act as radio modems that control real-time communication functions between devices including Wi-Fi and Bluetooth links. The baseband stack in a smartphone is, effectively, an entirely separate computing device with its own processor, memory and storage, and will be as vulnerable as any embedded system.

    According to ARM, a modern smartphone will contain somewhere between eight and 14 ARM processors, one of which will be the application processor (running Android or iOS or whatever), while another will be the processor for the baseband stack.

    Baseband flaws have turned up before, but the operating systems used are pretty old and thus fairly robust.

    GSMK Cryptophone said that code execution on the base processor can be a springboard for attacks on a phone’s main CPU.

    “Access from the main CPU (and OS) to the baseband processor is typically only via a serial port that accepts AT commands, even though there are various methods to start code on the baseband processor from the main CPU (one example is a known bug in the AT+XAPP command),” Rupp explained.

    “Just like on PCs, modern (smart)phone designs are based on a shared memory architecture,” Rupp told El Reg.

    “All the techniques found on currently shipping baseband processors that we have looked into have issues or are only partially implemented.”

    Reply
  44. Tomi Engdahl says:

    Demand for information security experts exceeds supply – cyber-attacks are the proof

    Burning Glass Technologies has released a study stating that in the United States demand for information security experts is growing 3.5 times faster than demand for other workers in the IT sector. The increase is 12-fold when compared to demand for workers in all other fields.

    The report is based on recruitment ads from the last five years.

    Significant drivers of the growth in demand have been the defense industry and the IT industry.

    The ISC2 Foundation has stated that next year there is a global need for 330 000 new security experts.

    The Foundation asked 12 000 security professionals in the field; the lack of talent has been evident in recent times: media organizations continue to be significantly poorly prepared for cyber-attacks, and the slow recovery is due to the fact that the public sector and businesses cannot find people to do the security work.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/tietoturvaasiantuntijoiden+kysynta+ylittaa+tarjonnan++kyberhyokkaykset+todistavat/a884990?s=r&wtm=tietoviikko/-07032013&

    Reply
  45. Tomi Engdahl says:

    Criminals are no longer interested in developing for Symbian

    Nokia has dropped Symbian, but the installed base is still considerable in size. According to F-Secure’s threat report, enthusiasm for Symbian malware is finally waning – the favorite is now Android.

    F-Secure Data Security Lab has released its report, which deals with mobile threats in the last quarter. During this period Symbian’s share of mobile malware was only 4 per cent. In the first three quarters of the year it had averaged 26 per cent.

    “Symbian malware strains are decreasing as the old Symbian-based devices are replaced by devices that use other operating systems, especially Android. It is quite possible that Symbian malware will disappear during 2013.”

    According to F-Secure, most Android malware seeks monetary benefit through SMS scams. For example, it sends SMS messages to expensive service numbers. Sometimes victims are signed up to an SMS-based subscription service and the malware removes the service’s incoming messages and notifications, so often you only find out what happened when you see the huge phone bill.

    Source: http://www.tietokone.fi/uutiset/symbian_ei_enaa_kiinnosta_rikollisiakaan

    Reply
  46. Tomi Engdahl says:

    Mobile Malcoders Pay to (Google) Play
    http://krebsonsecurity.com/2013/03/mobile-malcoders-pay-to-google-play/

    An explosion in malware targeting Android users is being fueled in part by a budding market for mobile malcode creation kits, as well as a brisk market for hijacked or fraudulent developer accounts at Google Play that can be used to disguise malware as legitimate apps for sale.

    I recently encountered an Android malware developer on a semi-private Underweb forum who was actively buying up verified developer accounts at Google Play for $100 apiece.

    Unsurprisingly, this particular entrepreneur also sells an Android SMS malware package that targets customers of Citibank, HSBC and ING, as well as 66 other financial institutions in Australia, France, India, Italy, Germany, New Zealand, Singapore, Spain, Switzerland and Turkey.

    The targeted banks offer text messages as a form of multi-factor authentication, and this bot is designed to intercept all incoming SMS messages on infected Android phones.

    This bot kit — dubbed “Perkele” by a malcoder who goes by the same nickname (‘perkele’ is a Finnish curse word for “devil” or “damn”) — does not appear to be terribly diabolical or sophisticated as modern mobile malware goes. Still, judging from the number and reputation of forum buyers who endorsed Perkele’s malware, it appears quite popular and to perform as advertised.

    Perkele is designed to work in tandem with PC malware “Web injects,” malcode components that can modify bank Web sites as displayed in the victim’s browser. When the victim goes to log in to their bank account at their PC, the malware Web inject informs the victim that in order to complete the second, mobile authentication portion of the login process, the user will need to install a special security certificate on their phone. The victim is then prompted to enter their mobile number, and is sent an SMS or HTTP link to download the mobile malware.

    Of course, there are far more sophisticated mobile malware threats in circulation than anything Perkele could help dream up.

    Reply
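The Perkele-style bot described in the comment above works only if the app can receive incoming SMS before the user sees them, and that capability has to be declared in the app's manifest. The following is an added example, not code from the article or from any vendor: a static triage pass over a decoded AndroidManifest.xml that flags the combination of SMS permissions, a high-priority receiver for `android.provider.Telephony.SMS_RECEIVED`, and network access. The sample manifest, the package name `com.example.certinstaller` and the scoring thresholds are constructed for the example and are assumptions, not values from any real sample.

```python
"""Static triage of an Android manifest for SMS-interception capability.

Added example, not from the article: the Perkele-style bots described
above need to receive incoming SMS and forward them, so a decoded
AndroidManifest.xml is a cheap first screen for app-store reviewers and
incident responders. The sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that together let an app read, forward and hide SMS traffic.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
NETWORK_PERMS = {"android.permission.INTERNET"}

# Constructed manifest for a hypothetical "security certificate" app (assumption).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.certinstaller">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Security Certificate">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest for a benign app that only needs the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return a dict of findings and a simple score for one manifest."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}

    # Receivers that register for incoming SMS; a positive priority lets the
    # app see the message before the default messaging app does.
    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = int(_attr(flt, "priority") or 0)
                sms_receivers.append((_attr(recv, "name"), prio))

    findings = []
    sms_used = perms & SMS_PERMS
    if sms_used:
        short = sorted(p.rsplit(".", 1)[1] for p in sms_used)
        findings.append("sms-permissions:" + ",".join(short))
    if any(prio > 0 for _, prio in sms_receivers):
        findings.append("high-priority-sms-receiver")
    if sms_used and (perms & NETWORK_PERMS):
        findings.append("sms-plus-network")  # can exfiltrate intercepted codes

    score = len(findings)
    return {
        "package": root.get("package"),
        "permissions": perms,
        "sms_receivers": sms_receivers,
        "findings": findings,
        "score": score,
        "suspicious": score >= 2,  # threshold is an assumption for this example
    }


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(text)
        print(r["package"], r["score"], r["findings"], "SUSPICIOUS" if r["suspicious"] else "ok")
```

A hit here is a reason to look closer, not a verdict: legitimate messaging and two-factor apps also declare RECEIVE_SMS, so the score is meant to prioritise manual review of the receiver code, not to block apps on its own.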
  47. Tomi Engdahl says:

    FTC dumps on scammers who blasted millions of text messages
    http://www.networkworld.com/news/2013/030713-ftc-text-scam-267482.html?hpg1=bn

    Federal Trade Commission says illegal texters blasted 180 million illegal messages in past year

    The Federal Trade Commission today said it has filed eight court cases to stop companies who have sent over 180 million illegal or deceptive text messages to all manner of mobile users in the past year.

    The messages — of which the FTC said it had received some 20,000 complaints in 2012 — promised consumers free gifts or prizes, including gift cards worth $1,000 to major retailers such as Best Buy, Walmart and Target. Consumers who clicked on the links in the messages found themselves caught in a confusing and elaborate process that required them to provide sensitive personal information, apply for credit or pay to subscribe to services to get the supposedly “free” cards. In some cases if users responded to the texts, they were subjected to other scams.

    “Today’s announcement says ‘game over’ to the major league scam artists behind millions of spam texts,” said Charles Harwood, acting director of the FTC’s Bureau of Consumer Protection. “The offers are, in a word, garbage.”

    Reply
  48. Tomi Engdahl says:

    Malware devs offer $100 a pop for ‘active’ Google Play accounts
    Underground market is full of Android wrongness
    http://www.theregister.co.uk/2013/03/08/google_play_malfeasence/

    Virus writers are paying top dollar for access to “active” Google Play accounts to help them spread mobile malware across the Android ecosystem.

    Google charges $25 to Android developers who wish to sell their wares through the Google Play marketplace but a denizen of an underground cybercrime forum is offering to purchase these accounts for $100 apiece, a 300 per cent mark-up.

    Denizens of the underground marketplace can purchase a custom application that targets one specific financial institution for $1,000, or a complete mobile malware creation toolkit for $15,000.

    Reply
