STE WILLIAMS

Hundreds of thousands of engine immobilisers hackable over the net

Kiwicon Kiwi hacker Lachlan Temple has found holes in a popular cheap car tracking and immobilisation gadget that can allow remote attackers to locate, eavesdrop, and in some cases cut the fuel intake to hundreds of thousands of vehicles, some while in motion.

The gadgets are rebranded white box units from Chinese concern ThinkRace that users attach to their cars to enable remote tracking, engine immobilisation, microphone recording, geo-fencing, and location tracking over a web interface.

In Australia the units badged as “Response” sell for about A$150 at electronics chain JayCar or through some mechanics who offer to install the devices.

One of the unit’s relay leads is commonly attached to car fuel pumps as a means to remotely immobilise stolen vehicles.

But session cookie vulnerabilities turn that function – in the worst case scenario – into a means to shut off fuel supply to cars while in motion over the internet.

Temple (@skooooch) told the Kiwicon security confab in Wellington today the flaws allow attackers who log into any account – including a universal demonstration account – to log into any of the 360,000 units ThinkRace claims it sold without need of a password.

“You just brute force everyone’s account, you can increment each one,” Temple told Vulture South.

“You could disable someone’s car if they have wired the relay, so if that happened on a freeway that is pretty dangerous.

“Most people would wire it this way, that’s the main point of it and the reason why mechanics sell it.”

Lachlan Temple. Photo by Darren Pauli / The Register

Temple says consumers can wire the relay to the starter motor meaning it would not stop the car while in motion and instead would prevent it starting up once turned off.

He says consumers should throw out the units.

Attackers could also find user personal details including phone numbers which are registered in order for the device to issue alerts via an installed SIM card.

The GPS units and kid’s watch. Photo Darren Pauli / The Register.

A microphone installed in the devices also allows attackers to eavesdrop on cars.

The same units are built into children’s watches sold by ThinkRace and likely contain the same flaws allowing kids to be eavesdropped and tracked.

Temple will next turn his attention to more expensive tracking gadgets more likely used in commercial fleets. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/11/hundreds_of_thousands_of_engine_immobilers_hackable_over_the_net/

Hackers add exploit kit to article asking ‘Is cyber crime out of control?’

Hackers have hosed an article published by The Guardian using the world’s nastiest exploit kit Angler to pop the machines of exposed readers.

The attack firmly answers the article’s headline positing the question ‘is cybercrime out of control’, based on arguments in a book by one Misha Glenny.

Angler is the most capable and prolific exploit kit in use by criminals. It allows attackers to run choice cuts of the latest Flash, Java, and browser exploits through which unpatched users can be targeted.

FireEye research trio J. Gomez, Kenneth Hsu, and Kenneth Johnson found hackers had dropped a gnarly URL into the syndication links portion of the page which loaded in the background and redirected users to Angler.

“When the syndication link is loaded in the background, readers are eventually redirected to Angler’s landing page via injected HTML that crafts the request to the Angler landing page.

“A memory corruption vulnerability (CVE-2014-6332) in Windows Object Linking and Embedding Automation [is] triggered through VBScript with Internet Explorer.

“In this attack the exploit was based on a publicly available proof-of-concept where techniques were used to attempt arbitrary code execution.”

Angler seeks out any active anti-virus and security products and changes behaviour if the tools are found, forcing the attack to silently fail or run a benign script.

The Guardian says it is fixing the hack.

It comes as The Independent found one of its dusty unloved WordPress sites was hacked through a Flash exploit and was serving shoddy ransomware to a very small number of readers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/11/grauniad_asks_is_cyber_crime_out_of_control_vxers_answer_with_hack/

NetNames confirms easily.co.uk whacked by cyber crims

The UK’s number two website hosting business, Easily.co.uk, has confirmed to customers it has fallen prey to cyber crims.

The NetNames-owned company, which hosts 100,000 sites including 65,000 in Britain, told punters yesterday IT systems were attacked by an “unknown third party”.

“A forensic investigation by independent experts has revealed that unauthorised access was gained to our internal systems. This included the placement of malware on those systems,” NetNames’ COO Edwina McDowall stated.

The firm said it had taken remedial action to isolate and expunge the malware identified, but admitted the third party probe revealed domain names registered on behalf of customers had been accessed.

It added there was no evidence the account details, passwords or personal data were exposed in the breach. No credit card data is stored on Easily systems during the course of processing transactions, it said.

“However, as a precautionary measure, we recommend that you change the password which you use to log into easily.co.uk,” McDowall added.

One customer asked, “Why would you keep your business with a company that claims to ‘Protect your Brand Online’?”

NetNames did not reveal the number of customers impacted. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/11/easily_hacked/

Predictable: How AV flaw hit Microsoft’s Windows defences

Could it be that time spent by Microsoft on software security counts for naught?

Possibly – based on the findings of an investigation by enSilo that found some of the best-known AV names are susceptible to new vulnerabilities.

The results are alarming, suggesting an entire ecosystem unwittingly opening a back door into systems for hackers and malware writers.

But what exactly is the problem and what’s the cause? We reported the breaking story here, but what are the details?

Well, the core problem stems from anti-virus products allocating a memory page with write permissions at a fixed, predictable address.

enSilo cottoned on to the problem at a customer site in March 2015, after it investigated a snag involving its data exfiltration prevention platform and security technology from AVG, also installed in the customer’s environment.

An investigation by enSilo revealed a flaw in AVG Internet Security which effectively enabled a threat actor to exploit old vulnerabilities in a third party application (such as Acrobat Reader) in order to compromise the underlying Windows system. enSilo disclosed this issue to AVG, which promptly patched the vulnerability.

Follow-up research by enSilo has revealed that versions and builds of other anti-virus tools from Kaspersky and Intel Security are vulnerable to similar collisions.

The connecting issue was the use of that combination of memory page and predictable address.

This practice runs contrary to various security attack mitigation technologies Microsoft has introduced into Windows, namely the randomisation of memory (ASLR – Address space layout randomization) and preventing data from running in memory (DEP – Data Execution Prevention). Since the memory page allocated by antivirus-packages is at a constant predictable address, an attacker or hacking group can know where to write and run exploit code, potentially defeating Microsoft’s attack mitigation tools in the process.
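The check this paragraph implies, as an added example (it is not enSilo's AVulnerabilityChecker and not code from the article): given region listings captured on several launches of the same process, intersect the address ranges that are both writable and executable. The listing format and sample addresses are constructed, and reading "write and run" as combined W+X protection is an assumption.

```python
"""Flag writable+executable memory found at the same address on every launch."""
from typing import List, Tuple

Interval = Tuple[int, int]  # half-open [start, end) address range

# Constructed sample data: region listings ("base size protection") of one
# process, captured on three separate launches. The text format is hypothetical.
LAUNCHES = [
    "0x00a10000 0x4000 R-X\n0x02c40000 0x2000 RWX\n0x7fff0000 0x1000 RWX\n",
    "0x01350000 0x4000 R-X\n0x04b90000 0x2000 RWX\n0x7fff0000 0x1000 RWX\n",
    "0x00c80000 0x4000 R-X\n0x03170000 0x2000 RWX\n0x7ffef000 0x2000 RWX\n",
]


def parse_regions(text: str) -> List[Tuple[int, int, str]]:
    """Parse 'base size prot' lines into (start, end, prot) tuples."""
    regions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        base, size, prot = line.split()[:3]
        start = int(base, 16)
        regions.append((start, start + int(size, 16), prot.upper()))
    return regions


def wx_intervals(regions) -> List[Interval]:
    """Sorted, merged address ranges that are writable AND executable."""
    spans = sorted((s, e) for s, e, prot in regions if "W" in prot and "X" in prot)
    merged: List[Interval] = []
    for start, end in spans:
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def intersect(a: List[Interval], b: List[Interval]) -> List[Interval]:
    """Two-pointer intersection of two sorted, non-overlapping interval lists."""
    out, i, j = [], 0, 0
    while i < len(a) and j < len(b):
        lo, hi = max(a[i][0], b[j][0]), min(a[i][1], b[j][1])
        if lo < hi:
            out.append((lo, hi))
        # Advance whichever interval finishes first.
        if a[i][1] < b[j][1]:
            i += 1
        else:
            j += 1
    return out


def predictable_wx(launch_texts: List[str]) -> List[Interval]:
    """Ranges that are W+X in every launch: ASLR did not move them."""
    if len(launch_texts) < 2:
        raise ValueError("need at least two launches to judge predictability")
    common = wx_intervals(parse_regions(launch_texts[0]))
    for text in launch_texts[1:]:
        common = intersect(common, wx_intervals(parse_regions(text)))
    return common


if __name__ == "__main__":
    for start, end in predictable_wx(LAUNCHES):
        print(f"W+X at fixed address 0x{start:08x}-0x{end:08x} on every launch")
```

Regions that move between launches drop out of the intersection, so only memory that stays writable and executable at a constant address is reported.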

The security flaw at play is serious, but less than critical. If present the bug bypasses mitigation, but it doesn’t allow for code execution by itself. “If someone runs a five year old Adobe Reader then what AV you run and whether it helps an attacker bypass ASLR isn’t your biggest concern,” an independent expert (who asked not to be quoted) told El Reg.

According to enSilo the issue arises with various versions of particular anti-virus packages, as listed below:

  • McAfee Virus scan Enterprise version 8.8. The security snag crops up in the Anti Malware + Add-on Modules, scan engine version (32 bit) 5700.7163, DAT version 7827.0000, Buffer Overflow and Access Protection DAT version 659. enSilo states this issue is yet to be resolved – a claim firmly denied by Intel Security, which said it patched the bug in late August.
  • Kaspersky Total Security 2015 – 15.0.2.361 – kts15.0.2.361en_7342. Kaspersky silently fixed the issue with a patch dated 24 September, according to enSilo.
  • AVG Internet Security 2015 build 5736 + Virus database 8919. AVG patched the bug on 12 March.

Intel Security and Kaspersky are yet to respond to El Reg’s request for comment on the issue.

“Multiple AVs providing ways to bypass DEP and ASLR – does not inspire confidence. Glad at least AVG patched quickly,” security blogger Kurt Wismer told El Reg.

Although enSilo suggests multiple other anti-virus packages and even other classes of security products might be vulnerable it hasn’t verified this itself, an omission criticised by some security observers we spoke to as potentially alarmist. “They’re slagging off a whole industry based on three products having issues,” one expert told us. “The problem with these over-the-top reports is that it doesn’t mean they are wrong, but it’s really hard to tell among a lot of FUD.”

Instead of checking the issue itself enSilo has put together a free checking utility called AVulnerabilityChecker which it has uploaded to GitHub.

Independent tests using the tool by Simon Edwards, technical director at Dennis Technology Labs, an experienced antivirus tester and chairman of the Anti-Malware Testing Standards Organization, suggest that products from Symantec and BitDefender (among others) might be vulnerable. Security products from Microsoft and others avoid the problem, according to preliminary testing.

“We used that vulnerability scanner to check 22 anti-malware products, including a lot that we regularly test,” Edwards told El Reg. “We found that 12 were ‘likely to be vulnerable’.”

Exploiting the vulnerability is far from a theoretical risk, according to enSilo. It argues that Tavis Ormandy from Google’s Project Zero exploited a vulnerability in Kaspersky’s technology back in September that he uncovered through fuzzing. All this really proves is that security products have flaws too, we’d counter-argue.

“These types of vulnerabilities clearly demonstrate the problems in the security eco-system. On the one hand, Microsoft invests loads of resources in defences, mitigations and enhancements to strengthen its system against compromise… [but] vulnerable third party applications can lead to the compromise of these same defences,” Tomer Bitton, VP of research at enSilo, argues in a blog post. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/11/anti_virus_trips_up_windows_defences/

US State Department sicko pleads guilty to sextortion from UK embassy

A former US State Department official has pled guilty to breaking into the email accounts of young women and blackmailing them into committing crimes.

Michael Ford, 36, was arrested in Atlanta on charges of cyber-stalking and making interstate threats. He was about to board a flight back to the UK to resume his job at the American embassy in London. On Wednesday he pled guilty to the charges and could face years behind bars.

“Ford engaged in an international sextortion campaign,” said US Attorney of the Northern District of Georgia John Horn.

“He tormented numerous women by threatening to humiliate them unless they provided him with sexually explicit photos and videos, and in some cases, he followed through on his threats. This case demonstrates the need to be careful in safeguarding personal information and passwords, especially in response to suspicious e-mails.”

Shortly after Ford arrived at the UK embassy, where he was employed as an administrative support employee, he began sending out phishing emails to young women claiming to be from their email provider’s technical support section, and asking for their passwords.

Ford would then scan the email accounts he got into for risqué pictures and email them to the victims, threatening to send the images to their friends and family unless they took pictures of other “sexy girls” and sent them to him.

After one of the girls went to the police, the IP address of Ford’s emails was traced to the US embassy in London. IT staff traced it to Ford’s computer and, on searching the hard drive, found a spreadsheet detailing over 450 email accounts hacked from over 200 victims.

“With nothing more than a computer and a few keystrokes, modern predators like Michael Ford can victimize hundreds of people around the world,” said Assistant Attorney General Caldwell of the Justice Department’s Criminal Division. “While this criminal prosecution may never return the victims’ sense of security, I hope that today’s guilty plea brings them some peace of mind.”

Ford was charged under US law as the embassy is technically American soil. He will be sentenced in February. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/11/us_state_department_sicko_pleads_guilty/

Overhaul Wassenaar or ruin next Heartbleed fix, top policy boffin says

Kiwicon Additional exemptions to the much-feared Wassenaar Arrangement will do nothing to protect far-flung security professionals critical to crushing dangerous Heartbleed-esque bugs, according to infosec policy-buff Katie Moussouris.

The Hacker One chief policy officer is spearheading the security industry’s global response to the Wassenaar Arrangement, a global agreement to limit the movement of weaponry that is being extended to cover security vulnerabilities, software, and exploits.

Moussouris (@k8em0) is the globe-trotter among a cadre of security types who are lobbying signature countries to ensure the Arrangement does not needlessly hinder the complex world of security vulnerability discovery and remediation.

Hackers fear the Arrangement will crimp vital security research and have lobbied signature countries to consider the ramifications of becoming signatories.

Speaking at the Kiwicon security confab in Wellington today, Moussouris said the Arrangement will, in its current form, severely hinder the identification and repair of major software security flaws that affect scores of people and occur on a daily or weekly basis.

Katie Moussouris. Photo: Darren Pauli / The Register.

She said the Arrangement requires an overhaul, adding that so-called emergency exemptions that allow controlled goods to be quickly deployed – such as radar units to the 2010 Haiti earthquake – will not apply to globally-coordinated security vulnerability research that occurs daily.

“Multivendor vulnerability research are situations where you won’t know who the coordination partners are ahead of time – there was something 100 partners in the case of Heartbleed,” Moussouris says.

“Are they (Wassenaar officials) prepared to grant emergency exemptions like nine times a day for multi-vendor coordination? They didn’t have a good answer.

“There are places where the exemptions just won’t work and that means we have to go back and change Wassenaar – we have to get that piece removed that says intrusion software technology which is a drag net.”

Moussouris says even those countries that have to date managed to make Wassenaar largely compatible with their local industries are still at risk of butting heads with critical research should the US bork its implementation and not address the fallibility of exemptions.

She met with Australian defence officials last week ahead of Kiwicon and told Vulture South Canberra is on “the same page” with her concern over exemptions.

Moussouris says supply chain development is also under threat due to the global distribution of developers who could unbeknown to researchers be located in Wassenaar controlled countries.

Exemptions can work in some areas of the Arrangement; she has proposed fixes to remove mind-blowing intra-company rules that could prevent staff from discussing vulnerabilities based on an employee’s country of origin.

The complexities of Wassenaar coupled with industry fear-mongering have resulted in some competent but un-named researchers no longer disclosing vulnerabilities for fear of prosecution.

Indeed some hackers did not attend the recent mobile pwn2own competition at PacSecWest since they would be carrying exploit material to the Tokyo event.

Canberra will meet later this month to discuss the latest proposals including Moussouris’ work and will move to set amendments in stone early next year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/11/overhaul_wassenaar_or_ruin_next_heartbleed_fix_top_policy_boffin_says/

Google cloaks Android in Red Screen of malware Dearth

Google has extended its anti-social engineering Chrome tool to Android, making big efforts to reduce blacklist bandwidth costs along the way.

The Red Screen of malware Dearth, officially branded Safe Browsing, has long been a feature of Chrome desktop platforms where bandwidth and processing requirements are much less restrictive.

There the red splash screen has walled off all but the most persistent to be pwned users from websites known to have hosted malware, advertising injectors, or other web scum.

Safe Browsing and Chrome team bods Noé Lutz, Nathan Parker, and Stephan Somogyi say they have taken their time to beat the red screen into a form that is as light as possible such that users in bandwidth-sparse and patchy connectivity countries can receive at least the most critical blacklists.

“Bytes are big: our mantra is that every single bit that Safe Browsing sends a mobile device must improve protection,” the team says.

“Network bandwidth and battery are the scarcest resources on a mobile device, so we had to carefully rethink how to best protect mobile users.

“Some social engineering attacks only happen in certain parts of the world, so we only send information that protects devices in the geographic regions they’re in.”


Updates will push the most important blacklisted websites first so that failed connections have a chance to protect users from the most active and risky attacks.

They also hauled in the Choc Factory’s compression team to help make Safe Browsing “extra stingy” in respect to memory, processor, bandwidth, and battery use.

The protection comes activated by default with the latest version of Chrome on Android and with the recent Google Play Services version 8.1.

Android KitKat (version 4.4) is tragically still the most widely-used Android type running on more than a third of handsets. The combined Android Lollipop (versions 5.0 – 5.1.1) operating systems are found on 29.5 percent.

It is not clear what version of Play Services and Chrome those Android slackers can get, and therefore whether the Safe Browsing experience is open to them, but the trend to update to Lollipop is sweetening: In October, about 30 percent of users ran horrid Jelly Bean versions 4.1 to 4.3.1 and few ran the latest operating systems. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/11/extra_stingy_google_cloaks_android_in_red_screen_of_smallmalwaresmall_dearth/

FBI Tweaks Stance On Encryption BackDoors, Admits To Using 0-Day Exploits

FBI retreats a step, but makes stand on end-to-end encryption. Meanwhile, European Union gets ready with a rougher, tougher replacement for Safe Harbor.

Based upon what FBI Director James Comey told a Senate Judiciary Committee Wednesday, it seems the Bureau has backed off the idea of a “government backdoor” per se, as long as technology companies themselves can still access customers’ data (and thus surrender it to law enforcement when legally subpoenaed).

Comey’s main grievance, therefore, is end-to-end encryption.

“The government shouldn’t be telling people how to operate their systems,” Comey said. “We are in a place where we understand it’s not a technical issue; it’s a business model question.”

Amy Hess, the FBI’s executive assistant director for science and technology, used similar language in an interview with the Washington Post this week.

Firms that feared being tagged as tools of a privacy-invading government became less willing to assist in surveillance “because it was perceived as not a good business model to be seen as cooperating with the government,” Hess said.

It used to be, she said, that companies meeting a legal requirement to provide “technical assistance” generally would try to comply with wiretap orders. “Now all of a sudden we get hung up on the question of what, exactly, does that mean I have to provide to you?” she said.

American technology companies’ concerns that their cooperation with the U.S. government was bad for business were not entirely unfounded. In October, worries about NSA snooping and other surveillance caused the European Court of Justice to strike down Safe Harbor, the data transfer agreement that had, for the past 15 years, allowed multinationals to store Europeans’ data in the U.S. if the companies agree to comply with Europe’s data privacy laws.

Today, the European Union’s Justice Commissioner said that the new data transfer pact that will replace Safe Harbor will give the EU the right to “pull the plug on the deal if it fears the United States is not safeguarding privacy enough,” Reuters reports.

Zero-days

In the interview with the Post, Hess also confirmed for the first time that the FBI uses zero-day exploits. From the story:

[Hess] said the trade-off is one the bureau wrestles with. “What is the greater good — to be able to identify a person who is threatening public safety?” Or to alert software makers to bugs that, if unpatched, could leave consumers vulnerable?

“How do we balance that?” she said. “That is a constant challenge for us.”

Read more at Reuters, the Washington Post, the Guardian, and DarkReading.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/endpoint/fbi-tweaks-stance-on-encryption-backdoors-admits-to-using-0-day-exploits/d/d-id/1323526?_mc=RSS_DR_EDT

Instagram, Facebook location data led panty-snatching burglar to women’s homes

Asked why he did it, suspected burglar Arturo Galvan reportedly told police:

“I wish I knew.”

Computers, iPads, TVs: those valuable items make burglary sense.

But bras? Panties?

There was, apparently, a sexual component to the burglaries, police said.

In fact, the targets were college-aged female victims, and police believe that Galvan hunted them down by using the location data embedded in photos posted on various social media sites to pinpoint where they lived.

You know, the same geo-tagging data that revealed John McAfee’s whereabouts in Guatemala.

The same type of EXIF data that may well include precise GPS coordinates or other location information, as demonstrated rather dramatically by a project entitled I Know Where Your Cat Lives, made possible by all those location-revealing cat pictures we love to post.

Galvan, a 44-year-old Los Angeles man, was arrested last week, the Fullerton Police Department (FPD) said on Monday.

Police suspect that he’s responsible for six burglaries at four Los Angeles locations dating back to October. They also think that he is responsible for a similar number of burglaries near Chapman University in Orange, California, earlier this year.

Victims were home in some of the break-ins.

The FPD got a search warrant and searched Galvan’s home on Monday, finding what they said was “a garage-full” of stolen items belonging to 24 victims.

The police told the LA Times that the panties were in the garage, while the electronics were piled up in the house.

Beyond panties and bras, police allege that Galvan stole framed photos of women and jewelry from the homes and apartments he’s suspected of hitting.

Clean and snatched from drawers, dirty ones fished out of laundry baskets, the occasional male roommate’s undergarments mixed in, it didn’t matter: his alleged panty raids did not discriminate.

Galvan was released from jail Saturday after posting bail of $200,000.

He faces charges of burglary, receiving stolen property, and peeping and prowling.

When a tech titan on the run gets pinpointed by location data, it’s ironic.

When an artist creates a map of where to find all the posted cats in the world, all thanks to their owners not turning off location services, it’s cute and funny, although slightly alarming.

And when women are stalked and victimized with the assistance of location data, it’s a frightening wake-up call about the real-life dangers of geolocation information we post publicly for any stalker, burglar or other criminal to see.

Don’t put your location into cybercreeps’ hands.

Here’s one of many online guides that explains what EXIF data is and how to remove it from your photos.
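What removing EXIF data involves for a JPEG, as an added example (not taken from the guide mentioned above): walk the segment headers, detect the GPS pointer tag inside the Exif block, and rewrite the file without that block. The sample bytes are a constructed segment skeleton, not a viewable photo.

```python
"""Detect and remove the Exif block (including GPS tags) from a JPEG."""
import struct

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
EXIF_ID = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 tag that points at the GPS sub-directory


def walk_segments(jpeg: bytes):
    """Yield (marker, start, end) for each header segment, then the scan data."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (SOS, EOI):
            # Compressed image data follows SOS; pass the rest through untouched.
            yield marker, pos, len(jpeg)
            return
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, end
        pos = end


def exif_has_gps(tiff: bytes) -> bool:
    """True if the TIFF structure inside an Exif block carries a GPS pointer."""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    order = "<" if tiff[:2] == b"II" else ">"  # little- or big-endian
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        entry = ifd0 + 2 + 12 * i  # each IFD entry is 12 bytes
        if entry + 12 > len(tiff):
            break
        (tag,) = struct.unpack(order + "H", tiff[entry:entry + 2])
        if tag == GPS_IFD_TAG:
            return True
    return False


def leaks_location(jpeg: bytes) -> bool:
    """True if any Exif APP1 segment in the file points at GPS data."""
    for marker, start, end in walk_segments(jpeg):
        body = jpeg[start + 4:end]
        if marker == APP1 and body.startswith(EXIF_ID) and exif_has_gps(body[6:]):
            return True
    return False


def strip_exif(jpeg: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment removed."""
    out = bytearray([0xFF, SOI])
    for marker, start, end in walk_segments(jpeg):
        if marker == APP1 and jpeg[start + 4:start + 10] == EXIF_ID:
            continue  # drop the whole Exif block, GPS tags included
        out += jpeg[start:end]
    return bytes(out)


def build_sample() -> bytes:
    """Constructed input: JFIF + Exif-with-GPS + a stub scan, not a real photo."""
    def seg(marker: int, payload: bytes) -> bytes:
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    gps_ifd = struct.pack("<HHHI4sI", 1, 0x0001, 2, 2, b"N\x00\x00\x00", 0)
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps_ifd
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (bytes([0xFF, SOI]) + seg(0xE0, jfif) + seg(APP1, EXIF_ID + tiff)
            + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
            + bytes([0xFF, EOI]))


if __name__ == "__main__":
    photo = build_sample()
    print("before:", leaks_location(photo), "after:", leaks_location(strip_exif(photo)))
```

Location can also be recorded in other metadata blocks such as XMP, which this example leaves in place.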

For more details about managing geolocation on your phone, read our article on smartphone privacy and security.

And, please, set your social media to be viewed only by your connections! Whether it’s Instagram or Facebook, you wouldn’t show a stranger in your street your photos, so why do it online?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/d4Aw0yIC5jM/

Internet DNS servers withstand huge DDoS attack

DNS is short for Domain Name System, the online service that converts server names into network numbers.

Without it, you wouldn’t be able to refer to a server called example.com – you’d have to remember 93.184.216.34 instead.

Actually, it’s even worse than that, because busy websites like www.facebook.com don’t have just one network number.

Big web properties may have racks and racks of customer-facing servers in operations centres all over the world, giving them a wide variety of network number ranges on a wide variety of different networks.

Busy sites typically use DNS to direct you to a specific server based on load levels, maintenance schedules, your current location, and so on, in order to improve speed, spread load and avoid bottlenecks.

In other words, DNS is extremely important, to the point that the internet would be unusable without it.

For that reason, DNS is implemented as a hierarchical, distributed global database, which is a fancy way of saying that no one DNS server holds the entire database, and no one server is critical to the operation of all the others.

For example, to figure out where nakedsecurity.sophos.com lives, your own company’s (or ISP’s) DNS server takes a top-down approach:

  • Ask the so-called root servers, “Who looks after the .COM domain name data?”
  • Ask the .COM part of the hierarchy, “Who is officially responsible for DNS for SOPHOS?”
  • Ask the SOPHOS name servers, “Where do I go to read NAKEDSECURITY?”

Each DNS reply contains a Time To Live number, or TTL, that says how long to remember the answer, typically somewhere from 1 minute to 1 hour, after which the result is thrown away.

That greatly reduces the number of times a full, top-down hierarchical query is needed, while ensuring that the system can recover automatically from incorrect or outdated answers.
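The top-down lookup and TTL behaviour described above, as an added example (not part of the original article): a toy resolver run against a constructed three-level hierarchy with a manually advanced clock. The server names, TTL values and the 192.0.2.10 address are made up for illustration.

```python
"""Top-down DNS lookup with TTL caching, run against a constructed hierarchy."""
from collections import Counter

# Constructed zone data (server names, TTLs and the address are made up).
# Each server maps a name to a referral ("NS") or a final answer ("A").
SERVERS = {
    "root":      {"com": ("NS", "com-tld", 3600)},
    "com-tld":   {"sophos.com": ("NS", "sophos-ns", 3600)},
    "sophos-ns": {"nakedsecurity.sophos.com": ("A", "192.0.2.10", 300)},
}


class FakeClock:
    """Manually advanced clock so cache expiry is deterministic."""
    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now


def suffixes(name):
    """'a.b.com' -> ['a.b.com', 'b.com', 'com'], most specific first."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


class Resolver:
    def __init__(self, servers, clock):
        self.servers, self.clock = servers, clock
        self.cache = {}           # (kind, name) -> (value, expires_at)
        self.queries = Counter()  # upstream queries sent, per server

    def _cached(self, kind, name):
        hit = self.cache.get((kind, name))
        if hit is not None and hit[1] > self.clock():
            return hit[0]
        self.cache.pop((kind, name), None)  # expired: throw the answer away
        return None

    def _ask(self, server, qname):
        """One upstream query: exact answer if held, else closest referral."""
        self.queries[server] += 1
        zone = self.servers[server]
        for name in suffixes(qname):
            record = zone.get(name)
            if record and (record[0] == "NS" or name == qname):
                return name, record
        raise LookupError(f"{server} has no data for {qname}")

    def resolve(self, qname):
        answer = self._cached("A", qname)
        if answer is not None:
            return answer
        # Start at the closest delegation still in cache, else at the root.
        server = "root"
        for name in suffixes(qname):
            cached_ns = self._cached("NS", name)
            if cached_ns is not None:
                server = cached_ns
                break
        for _ in range(8):  # bound the referral chain
            name, (kind, value, ttl) = self._ask(server, qname)
            self.cache[(kind, name)] = (value, self.clock() + ttl)
            if kind == "A":
                return value
            server = value
        raise LookupError(f"referral loop resolving {qname}")


def demo():
    """Resolve the same name at four points in time; count upstream queries."""
    clock = FakeClock()
    resolver = Resolver(SERVERS, clock)
    trace = []
    for t in (0, 60, 400, 4000):
        clock.now = t
        before = sum(resolver.queries.values())
        address = resolver.resolve("nakedsecurity.sophos.com")
        trace.append((t, address, sum(resolver.queries.values()) - before))
    return trace, dict(resolver.queries)


if __name__ == "__main__":
    trace, per_server = demo()
    for t, address, sent in trace:
        print(f"t={t:>4}s  {address}  upstream queries: {sent}")
    print(per_server)
```

Only the first lookup and the one made after every TTL has lapsed reach the root; the lookup at 400 seconds re-asks just the lowest tier because the cached referrals are still valid.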

As you can imagine, the root servers are the key to the entire DNS service, because all as-yet-unknown answers must be requested by starting at the top.

So there are 13 root servers, prosaically named A to M, operated by 12 different organisations, on 6 different continents.

In fact, each “server” actually consists of a server farm of many physical servers in multiple locations, for reliability.

Server L, for example, is mirrored in 128 locations in 127 towns and cities (San Jose, California, hosts two instances) in 68 countries, from Argentina to Yemen.

Because you need to consult a root server by number to look up where the root servers are by name, DNS servers themselves keep a static numeric list of all the root servers.

Generally speaking, only one root server IP number ever changes at a time, and such changes are rare, so even an old root server list will work, at least to start with.

A DNS server with an outdated list can try each of the 13 roots in turn, until it figures out where to update to the latest list.

In short: DNS is surprisingly resilient, by design, and DDoSing it is correspondingly hard.

A DDoS, or distributed denial of service attack, is where a cybercriminal deliberately and repeatedly generates time-wasting internet requests to bog down an online service. Like prank callers to 911 or other emergency service phone numbers, this gets in the way of genuine traffic, to the detriment of legitimate users. Extreme internet DDoS attacks may even cause the targeted server, or the network it is on, to crash.

Unsurprisingly, however, the root servers do get DDoSed from time to time, sometimes on an astonishing scale.

Indeed, the Root Server Operators recently reported a DDoS on the last day of November 2015, and the first day of December, that reached 5,000,000 bogus requests per second per root server letter.

The total attack time was just under four hours, so the DNS root servers would have experienced close to 1 trillion (10^12) bogus requests during the two attack windows.

There was some bad news:

The incident traffic saturated network connections near some DNS root name server instances. This resulted in timeouts for valid, normal queries to some DNS root name servers from some locations.

But some very good news as well:

Several DNS root name servers were continuously reachable from virtually all monitoring stations for the entire duration of the incident.

Simply put, the DNS root servers took an unprecedented hammering, but nevertheless stood firm, keeping the global DNS fully functional throughout.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dQ-ql-A_4fA/