STE WILLIAMS

US Presidential race becomes WiFi password snark battle

The tragi-comedy that is the extended US presidential election campaign has taken two turns into technological territory.

First, the trivial.

As reported by The Hill, last week’s debate among Republican candidates for the presidency offered the WiFi password “StopHillary” to members of the press.

The Democratic debate on Saturday raised the tone by offering the password “13MillionNewJobs”, a reference to President Obama’s time in office.

From a technical standpoint, the Democratic password is more secure: it’s longer and mixes numerals and letters, getting it a little closer to the correcthorsebatterystaple ideal.

On the second and more serious note, leading Republican candidate Ted Cruz has announced an immigration policy that calls for a review of the United States’ H-1B visa. The H-1B visa is a Silicon Valley favourite, because it allows companies to bring in workers from offshore for up to six years.

Cruz wants to “suspend the issuance of all H-1B visas for 180 days to complete a comprehensive investigation and audit of pervasive allegations of abuse of the program.” Another Republican contender, Donald Trump, has pledged to legislate higher wages for H-1B workers so that the cost advantage to be had from bringing in workers from lower-paid countries diminishes. Neither Cruz nor Trump needs votes from India, but H-1B changes are not popular there, as they are seen as deliberately targeting Indian IT workers. Opponents counter that Indian companies enjoy an unfair advantage because they can bring their own staff to the United States on H-1Bs and therefore enjoy lower costs.

That the visa has become a political football is remarkable in itself, seeing as there’s only around 85,000 issued each year, a drop in the ocean of the US workforce. Yet with political “debate” happy to include WiFi passwords, fights over small migration programs shouldn’t surprise. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/us_presidential_race_becomes_wifi_password_snark_battle/

Trouble brewing as iThing coffee machine seems to be hackable

The same team of security researchers who discovered that the Wi-Fi iKettle from Smarter blurted out wireless network credentials have found cause for concern over a Wi-Fi Coffee Machine, and iKettle 2.0, from the same manufacturer.

Pen Test Partners mapped and hacked insecure connected iKettles across London, proving they can leak Wi-Fi passwords, as previously reported.

Things have improved with the Wi-Fi Coffee Machine from Smarter (which is passionate about “tea, coffee and technology”, according to its website) but not to the extent that it’s completely secure, according to preliminary findings from Pen Test Partners’ research.

On the plus side, the mobile app has had a significant update and the “ridiculous static/short PIN bug doesn’t appear to be present”, the Pen Test Partners researchers reported.

However, the unconfigured coffee machine, at least, is hackable, according to preliminary results from ongoing research from the UK-based security consultancy.

Prior to being hooked up to the mobile app, the unconfigured coffee machine works as a Wi-Fi access point. The iKettle, for comparison, operates as an ad-hoc Wi-Fi device.

The iKettle communicates on TCP ports 23 and 2000 but the coffee machine is silent on those ports, something that might be explained by the use of a different Wi-Fi module from the VSD03 as found in the iKettle.

The Wi-Fi Coffee Machine chats on TCP/UDP port 2081 instead, using what appears to be a simple binary protocol, the security researchers discovered.

The device broadcasts a status message every five seconds which contains details about the iThing’s status, including the fill level of the water reservoir, number of cups, and coffee strength.

Somewhat like the iKettle, the Wi-Fi Coffee Machine is designed to save users precious seconds waiting for coffee to brew by allowing the device to be operated using a smartphone app.

Pen Test Partners looked at the traffic generated by the coffee machine, using the mobile app for clues before fuzzing the protocol. This allowed them to discover that the Wi-Fi module in use is the ESP8266, based on the command set in play.

Knowing the Wi-Fi module being used allowed Pen Test Partners to use the coffee machine to discover Wi-Fi networks. This isn’t a big issue by itself but the idea of Wi-Fi stumbling by coffee machine was sufficiently offbeat to amuse the security researchers.

What is of concern is that hackers in geographical proximity to a device might be able to drive past a user’s house and take control of their coffee machine and start it brewing, as a blog post by Pen Test Partners illustrates.

“Whilst the user is out, if they haven’t configured the Wi-Fi on their coffee machine, we can have it brew to order. Nasty stale coffee anyone? Empty water container? All the coffee grounds used?”

It’s also a trivial matter to remotely force the Wi-Fi Coffee Machine into upgrading its firmware, making the machine temporarily unavailable in the process. Triggering a firmware upgrade has the effect of factory resetting the Wi-Fi module, at minimum creating a confusing nuisance for users.

Without a hard reset (user holds down ‘start’ button for 10 secs) the Wi-Fi module won’t operate, according to Pen Test Partners.

But a separate (as yet undiscovered) hack would be needed to change what software is actually downloaded as part of the firmware upgrade, something that might be used to trick the iThing into running rogue firmware code developed by hackers. Pen Test Partners is in the process of investigating the firmware upgrade process to look for possible holes.

Configured coffee machines do not exhibit the same set of risks, according to Ken Munro, a director at Pen Test Partners.

“The issue is that we’ve currently only got a vulnerability in an unconfigured coffee machine,” Munro told El Reg. “It’s a legitimate attack, but not the killer Wi-Fi PSK theft that we had with the iKettle … yet.”

“Plenty of attack vectors to investigate, but we need more time,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/icoffee_kit_hackable_smarter_ikettle/

PNG pongs: critical bug patched in ubiquitous libpng

This will not be fun: the graphics processing library libpng has a vulnerability and needs to be patched.

The problem is that libpng is everywhere – in browsers, anything that processes photos to produce thumbnails, file browsers, music players, in applications in every operating system.

The bug is a simple denial-of-service at this stage, but that won’t be where it ends, since bugs that let attackers crash applications are a favourite starting point for more effective nastiness.

Libpng’s custodian Glenn Randers-Pehrson asked for the CVE for the bug here. He writes:

“I request a CVE for a vulnerability in libpng, all versions, in the png_set_PLTE/png_get_PLTE functions. These functions failed to check for an out-of-range palette when reading or writing PNG files with a bit_depth less than 8. Some applications might read the bit depth from the IHDR chunk and allocate memory for a 2^N entry palette, while libpng can return a palette with up to 256 entries even when the bit depth is less than 8.

“libpng versions 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64 were released today (12 November 2015) to fix this vulnerability. See libpng.sourceforge.net”.

(Note: when The Register tried to check the Sourceforge page, it had been hosed by worried software developers.)
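The mismatch Randers-Pehrson describes, as an added example that is not libpng code: an application sizes its palette buffer from the IHDR bit depth (2^N entries) while the PLTE chunk may carry up to 256 entries, and a checked copy rejects the oversize palette. Function names are hypothetical; the scenario data is constructed.

```c
/*
 * Added example, not libpng code. It models the application-side pattern in
 * the advisory above: a caller sizes its palette buffer from the IHDR bit
 * depth (2^N entries) while the PLTE chunk can carry up to 256 entries, and
 * older libpng returned that larger count unchecked. Function names here are
 * hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { uint8_t r, g, b; } rgb_t;

/* Entries a PNG of this bit depth can actually index. Indexed-colour PNGs
 * permit bit depths 1, 2, 4 and 8 (2, 4, 16 and 256 entries); anything else
 * is not a valid palette depth and yields 0. */
size_t max_palette_entries(unsigned bit_depth)
{
    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && bit_depth != 8)
        return 0;
    return (size_t)1u << bit_depth;
}

/* A PLTE chunk is a run of 3-byte RGB triples: length must be a non-zero
 * multiple of 3, at most 768 bytes (256 entries). Returns entry count, or 0
 * for a malformed chunk. */
size_t plte_entry_count(uint32_t plte_length)
{
    if (plte_length == 0 || plte_length % 3 != 0 || plte_length > 768)
        return 0;
    return plte_length / 3;
}

/* The unsafe pattern, for contrast only: trust num_palette and copy. With a
 * 4-bit image (16-entry dst) and a 256-entry PLTE this runs past dst. */
void copy_palette_unchecked(rgb_t *dst, const rgb_t *src, size_t num_palette)
{
    memcpy(dst, src, num_palette * sizeof *dst);
}

/* Hardened version: reject any palette larger than the image can index or
 * than the destination holds, instead of copying it. Returns 0 on success,
 * -1 when the palette is out of range for this bit depth. */
int copy_palette_checked(rgb_t *dst, size_t dst_entries, const rgb_t *src,
                         size_t num_palette, unsigned bit_depth)
{
    size_t limit = max_palette_entries(bit_depth);
    if (limit == 0 || num_palette == 0 || num_palette > limit ||
        num_palette > dst_entries)
        return -1;
    memcpy(dst, src, num_palette * sizeof *dst);
    return 0;
}

/* Constructed scenario from the advisory: IHDR says bit_depth 4, so the
 * application allocates 16 entries, but the file's PLTE chunk is 768 bytes. */
int demo_palette_mismatch(void)
{
    rgb_t file_palette[256];          /* what a 768-byte PLTE decodes to */
    rgb_t app_buffer[16];             /* sized from 2^4 */
    memset(file_palette, 0xAB, sizeof file_palette);
    size_t n = plte_entry_count(768); /* 256 */
    return copy_palette_checked(app_buffer, 16, file_palette, n, 4); /* -1 */
}

/* Well-formed case: a 4-bit image with a 48-byte (16-entry) PLTE. */
int demo_valid_palette(void)
{
    rgb_t file_palette[16] = {{0, 0, 0}};
    rgb_t app_buffer[16];
    return copy_palette_checked(app_buffer, 16, file_palette,
                                plte_entry_count(48), 4);            /* 0 */
}
```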

The bug has a CVSS base score of 7.5. It’s easy to exploit, network exploitable, and as NIST notes, it “allows unauthorised disclosure of information; allows unauthorised modification; allows disruption of service”.

Hacker News has a long discussion of possible impacts here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/15/png_pongs_critical_bug_patched_in_ubiquitous_libpng/

Badware in the firmware all over the place

This is really no surprise: embedded system vendors aren’t good at carrying out quality assurance on their firmware images, and their embedded Web server software is what you’d expect from something written in the last 20 minutes of Friday afternoon.

And it’ll be no surprise to The Register’s readers that the bugs land in all sorts of stuff, from SOHOpeless broadband devices to CCTV cameras and VoIP phones.

That’s the conclusion of researchers from Eurecom, in collaboration with Ruhr-University Bochum. Their study, on Arxiv here, tested Web interfaces in products from 54 vendors, and found that a quarter of those vendors had vulnerable implementations.

At the product level, things were marginally better. The researchers said that of 1,925 individual firmware products, buggy and insecure Web servers were present in 185 images.

The research found that cross-site scripting vulnerabilities were the most common, followed by file manipulation, and in third place, command injection.

The tool they created, they write, is designed to perform “full system emulation to achieve the execution of firmware images in a software-only environment, i.e., without involving any physical embedded devices.”

There are some caveats that apply to the study: to keep it of manageable scope and scale, they focused on firmware that they were able to obtain as an online download, and the research was biased toward ARM, MIPS and MIPSel firmware, to fit within their Debian-based QEMU emulation environment.

The Web server sources tested in the research included minihttpd, lighttpd, boa, thttpd, and Empty Banner. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/badware_in_the_firmware_all_over_the_place/

Microsoft boffins build better crypto for secure medical data crunching

As genome research – and the genomes themselves – get passed around the scientific community, the world’s woken up to the security and privacy risks this can involve. A Microsoft research quintet has therefore published ways to help scientists work on genomic data while reducing the risk of data theft.

The team published an informal manual to help scientists and other researchers to use the Simple Encrypted Arithmetic Library (SEAL).

Homomorphic encryption is a technique in which software can operate on encrypted data without decrypting it. This would let hospitals and labs work on encrypted data hosted on untrusted clouds and receive back only the results, which they decrypt locally for analysis.

This, the team hopes, could assist with secure and private outsourcing of personal health records and predictive services for disease risk.
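The outsourcing workflow just described, as an added example that is not Microsoft SEAL code: a toy additively homomorphic cryptosystem (Paillier, with tiny and deliberately insecure parameters) in which the client encrypts genotype values, an untrusted server computes a weighted disease-risk score on the ciphertexts without the key, and only the client decrypts. All parameters, weights and data are constructed for the example.

```c
/*
 * Added example, not Microsoft SEAL code (SEAL uses a different, lattice-based
 * scheme): a toy additively homomorphic cryptosystem (Paillier with tiny,
 * insecure parameters) showing the workflow the article describes. The client
 * encrypts per-marker genotype values, an untrusted server computes a weighted
 * risk score on the ciphertexts without holding the key, and only the client
 * can decrypt the result. All parameters and data below are constructed.
 */
#include <stddef.h>
#include <stdint.h>

/* Toy key: p = 61, q = 53. Real deployments use primes of thousands of bits. */
static const uint64_t N      = 3233;                 /* p * q, the plaintext modulus */
static const uint64_t N2     = 3233ULL * 3233ULL;    /* 10452289, the ciphertext modulus */
static const uint64_t LAMBDA = 780;                  /* lcm(p - 1, q - 1), the private key */

/* Operands stay below 2^24, so the product fits a uint64_t without overflow. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) { return (a % m) * (b % m) % m; }

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    for (b %= m; e; e >>= 1) { if (e & 1) r = mulmod(r, b, m); b = mulmod(b, b, m); }
    return r;
}

/* Modular inverse by extended Euclid; caller guarantees gcd(a, m) == 1. */
static uint64_t invmod(uint64_t a, uint64_t m)
{
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m);
    while (nr) {
        int64_t q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Enc(m; r) = (1 + N)^m * r^N mod N^2. r must be coprime to N (caller-supplied
 * here so the example is deterministic; in practice it is fresh randomness). */
uint64_t paillier_encrypt(uint64_t m, uint64_t r)
{
    return mulmod(powmod(N + 1, m, N2), powmod(r, N, N2), N2);
}

/* Dec(c) = L(c^LAMBDA mod N^2) * LAMBDA^-1 mod N, where L(u) = (u - 1) / N. */
uint64_t paillier_decrypt(uint64_t c)
{
    uint64_t u = powmod(c, LAMBDA, N2);
    return mulmod((u - 1) / N, invmod(LAMBDA % N, N), N);
}

/* Server side, no key: Enc(sum w_i * x_i) = prod Enc(x_i)^{w_i} mod N^2. */
uint64_t encrypted_weighted_sum(const uint64_t *cts, const uint64_t *w, size_t k)
{
    uint64_t acc = 1;                               /* multiplicative identity = Enc(0) */
    for (size_t i = 0; i < k; i++)
        acc = mulmod(acc, powmod(cts[i], w[i], N2), N2);
    return acc;
}

/* Constructed end-to-end run: allele counts (0/1/2) for three markers, scored by
 * a model whose weights the server keeps in the clear. 2*3 + 1*5 + 0*2 = 11. */
uint64_t demo_risk_score(void)
{
    uint64_t genotypes[3] = {2, 1, 0}, weights[3] = {3, 5, 2};
    uint64_t nonces[3] = {17, 29, 101};             /* constructed, coprime to N */
    uint64_t cts[3];
    for (size_t i = 0; i < 3; i++)
        cts[i] = paillier_encrypt(genotypes[i], nonces[i]);
    return paillier_decrypt(encrypted_weighted_sum(cts, weights, 3));
}
```

The server never sees genotypes or the score; it only manipulates ciphertexts, which is the property the SEAL manual is meant to make usable for real bioinformatics workloads.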

The Redmond research team of Nathan Dowlin, Ran Gilad-Bachrach, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing describe the findings in the paper Manual for Using Homomorphic Encryption for Bioinformatics [pdf] spotted by ITnews. Here’s a sample of their thinking:

“A wealth of personal genomic data is becoming available thanks to scientific advances in sequencing the human genome and gene assembly techniques. Hospitals, research institutes, clinics, and companies handling human genomic material and other sensitive health data are all faced with the common problem of securely storing, and interacting, with large amounts of data. … we present new methods for encoding real data which lead to concrete improvements in both performance and storage requirements.”

They say previous homomorphic encryption deployments were hand-tuned, inflexible, and private in-house works.

Research into the security threats against medical devices, and separately against the data they hold, has been increasing.

In September researchers Scott Erven and Mark Collao detailed how they found exposed online thousands of critical medical systems, including Magnetic Resonance Imaging machines and nuclear medicine devices.

The pair found a “very large” unnamed US healthcare organisation exposing more than 68,000 medical systems. That US org has some 12,000 staff and 3,000 physicians.

Technical information on how the encryption works is available in the paper. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/16/microsoft_boffins_build_better_crypto_for_secure_medical_data_crunching/

Apple and Google in mobile malware slip-up

Conficker is back – and it’s infecting police body cams

A US IT security company says it found copies of the Conficker malware infecting police body cameras.

Florida-based iPower reports that body cameras it received from supplier Martel Electronics were loaded with 2009’s baddest botware.

Researchers Jarrett Pavao and Charles Auchinleck found that when plugged into a PC, the Martel cameras attempted to execute the Worm:Win32/Conficker.B!inf variant.

While any PC running an even remotely up-to-date antivirus package would be able to detect the Conficker attempt, unguarded machines could still be infected. What’s worse, iPower says the malware was present in the cameras before it received the units.

“In the iPower virtual lab environment, packet captures were also run on the infected PC to view the viruses’ network activity using Wireshark,” iPower said.

“The virus, classified as a worm virus, immediately started to attempt to spread to other machines on the iPower lab network, and also attempted several phone home calls to internet sites.”

iPower says it tried to contact the California-based electronics supplier with its findings but has yet to receive any response. El Reg similarly tried to contact Martel, and though we were unable to get comment we can confirm the company’s on-hold music to be relatively pleasant and inoffensive.

First discovered in late 2008, the Conficker virus made headlines in 2009 when researchers found that the malware, which at that point had already infected millions of PCs, had been set to perform an unspecified update activity on April 1, 2009.

The deadline came and went without incident, but the infection lingered on for months after, and even resurfaced in 2013 when a batch of new PCs in Germany were found to be carrying the malware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/14/remember_conficker_its_back_and_its_infecting_police_body_cams/

Aircraft laser strikes hit new record with 20 incidents in one night

The Federal Aviation Administration has warned of a dangerous escalation in laser strikes on aircraft, with Wednesday night alone registering a record 20 incidents.

“Nearly two dozen aircraft were hit by lasers last night,” the FAA reported. “Shining a laser at an aircraft is a federal crime. It can harm the pilot and passengers. If you see someone pointing a laser at an aircraft, call 911.”

Laser-wielding morons hit aircraft across the continental United States: New York airports were particularly badly affected, as were two airports in Kentucky. Three aircraft in final descent coming into Dallas Love Field in Texas also reported attacks. Thankfully no one was harmed.

There were some related arrests. In two cases, roving news helicopters that were also painted by laser pointers were able to track down the source, leading to the arrest of three people.

Flashing lasers at aircraft presumably seems like a fun idea to those that do it but it is also fantastically dangerous: a fact that is reflected in how seriously the FBI takes it. You can be fined up to $250,000 and face up to 20 years in prison for trying to illuminate aircraft and the FBI has offered a $10,000 bounty to anyone who lets them know when a dangerous idiot is on the loose with lasers.

Commercial laser pointers are unlikely to permanently blind pilots, but they can – and do – cause temporary flash blindness in the cockpit which could prove fatally distracting during a tricky landing.

Despite the warnings and the heavy penalties, it hasn’t stopped a small number of people from carrying out the attacks. In fact the numbers are growing. As of October 16 the FAA reports there have been 5,352 cases of laser strikes on aircraft in flight. At that rate, it is only a matter of time before something catastrophic happens. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/13/laser_strikes_on_aircraft_break_record/

Merseyside DDoS daddy given eight months behind bars

A UK man has been given eight and a half months in prison for launching a series of distributed denial-of-service attacks in 2013.

The Liverpool court gave Ian Sullivan the 34-week sentence for conducting more than 300 denial of service attacks on various government, political and financial sites in 2013. Sullivan admitted to the charges earlier this year.

The 51-year-old father of six had targeted sites including the UK Conservative Party, British Airways and a number of banks by flooding their websites with traffic and knocking them offline, a technique known as a distributed denial of service (DDoS) attack.

Though Sullivan had been connected with Anonymous, the personal nature of the targets chosen (such as social service and housing authorities in the UK) suggests the DDoS attacks were more of a personal vendetta than an organized group effort.

Police were able to track Sullivan down in part because of his use of a Twitter account to announce the attacks. That account, @anonian01, has since been suspended but was reported to have included ‘tango down’ messages with the names of the targeted sites.

The UK National Crime Agency (NCA) has maintained that the attacks were limited to the DDoS flood and that no other systems were breached during the traffic floods.

Writing for security company ESET, analyst Graham Cluley noted that while DDoS attacks are relatively simple to perform and hardly fall under the banner of actual “hacking”, the stunts are taken quite seriously.

“It’s extraordinary how many people believe that participating in or indeed actually co-ordinating a denial-of-service attack can be done across the internet with no risk of the authorities determining your identity,” he wrote.

“Although it’s far from always possible to determine the perpetrators of an attack and bring them to justice, there are plenty of people who have been put behind bars because of this modern-day crime.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/13/brit_gets_eight_months_for_ddos_spree/

Google Study Finds Email Security A Mixed Bag

The use of encryption and authentication mechanisms by Google, Yahoo, and Microsoft has improved security — but problems remain.

Google will soon start warning Gmail users of potential security risks when they receive an email from a non-encrypted connection. The warnings are scheduled to roll out in the next few months and are designed to push industry-wide adoption of strong encryption and authentication technologies for email.

Google’s move stems from a multi-year study conducted by researchers at Google, the University of Michigan, and the University of Illinois at Urbana-Champaign that surfaced mixed news on the email security front.

The researchers examined Simple Mail Transfer Protocol (SMTP) server configurations on the Alexa list of top million domains as well as one year’s worth of SMTP data from emails sent and received via Gmail.

The study showed that email security overall has improved significantly over the past two years mostly because of the broad adoption of encryption and authentication standards by Google, Yahoo, and Microsoft, the three biggest providers of email services.

However, a vast majority of the SMTP servers that other organizations use for sending and relaying email lag significantly behind in the use of Transport Layer Security (TLS) and other security mechanisms for protecting email, thereby exposing users to security risks.

The researchers found that incoming messages at Gmail that were protected by TLS jumped from 33% to 61% between December 2013 and October 2015. Similarly, the proportion of TLS-encrypted messages sent from Gmail to non-Gmail addresses increased from 60% to 80% in the same period, showing that a lot more domains support encrypted email compared to two years ago.

But when the researchers examined SMTP server configurations belonging to domains in the Alexa list of top million websites, they found a different story. Only 82% on the list, for instance, support TLS, and just 35% are configured to allow server authentication, the researchers noted. The relatively low adoption is likely because two of the top three SMTP platforms don’t support TLS by default, they added.

A similar gap in security capabilities exists with regard to email sender authentication. For instance, while Google uses a combination of mechanisms like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) to validate inbound messages, only 47% of those in the Alexa list had a similar capability. A bare 1% use Domain-based Message Authentication, Reporting and Conformance (DMARC) for authenticating senders.

The security patchwork offers attackers an opportunity to intercept and snoop on email and do other kinds of damage, the report noted.

In a blog post Friday, Elie Bursztein, a member of Google’s anti-fraud and abuse team, and Nicolas Lidzborski, security engineering lead for Gmail, noted a couple of the challenges created by the inconsistent application of email security standards across the industry.

“First, we found regions of the Internet actively preventing message encryption by tampering with requests to initiate SSL connections,” the two Googlers said. Google is currently working with members of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) to strengthen what the two researchers described as “opportunistic TLS” to mitigate the threat.

“Second, we uncovered malicious DNS servers publishing bogus routing information to email servers looking for Gmail. These nefarious servers are like telephone directories that intentionally list misleading phone numbers for a given name,” the two researchers said. Google’s goal in warning Gmail users about unencrypted connections is to alert them to such dangers, they said.
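The first problem the Googlers describe, tampering with the request to start TLS, is something a mail operator can look for in its own logs. The following is an added example, not code from the study or from Google: a classifier for SMTP EHLO replies that separates servers genuinely lacking TLS from replies whose STARTTLS capability appears to have been rewritten in transit. The sample replies are constructed, and the "keyword replaced by a run of one repeated character" heuristic is this example's own assumption about what tampering looks like.

```c
/*
 * Added example, not code from the study or from Google: classifies an SMTP
 * EHLO reply so a monitoring job can tell a server that never offers TLS from
 * a reply whose STARTTLS keyword looks overwritten on the path. The sample
 * replies are constructed; the repeated-character heuristic is an assumption
 * of this example, not something the article specifies.
 */
#include <stddef.h>
#include <string.h>

typedef enum { TLS_OFFERED = 0, TLS_NOT_OFFERED = 1, TLS_SUSPECT_TAMPERED = 2 } tls_status;

/* True when the keyword is at least 4 chars and every char is identical
 * (e.g. "XXXXXXXX"); no legitimate ESMTP extension keyword looks like that. */
static int is_repeated_char_keyword(const char *kw, size_t len)
{
    if (len < 4) return 0;
    for (size_t i = 1; i < len; i++)
        if (kw[i] != kw[0]) return 0;
    return 1;
}

/* reply: the full multi-line EHLO response, lines ending in "\r\n" or "\n".
 * Each capability line is "250-KEYWORD[ params]", the last one "250 KEYWORD". */
tls_status classify_ehlo_reply(const char *reply)
{
    tls_status result = TLS_NOT_OFFERED;
    const char *line = reply;
    while (*line) {
        const char *eol = strpbrk(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen > 4 && strncmp(line, "250", 3) == 0 &&
            (line[3] == '-' || line[3] == ' ')) {
            const char *kw = line + 4;
            size_t kwlen = 0;
            while (kwlen < linelen - 4 && kw[kwlen] != ' ') kwlen++;
            if (kwlen == 8 && strncmp(kw, "STARTTLS", 8) == 0)
                return TLS_OFFERED;             /* a genuine offer settles it */
            if (is_repeated_char_keyword(kw, kwlen))
                result = TLS_SUSPECT_TAMPERED;  /* keep scanning for STARTTLS */
        }
        if (!eol) break;
        line = eol;
        while (*line == '\r' || *line == '\n') line++;
    }
    return result;
}

/* Constructed EHLO replies: a server offering STARTTLS, one with no TLS at all,
 * and one whose STARTTLS line arrives as a run of eight identical characters. */
static const char *REPLY_TLS  = "250-mx.example.test\r\n250-SIZE 35882577\r\n"
                                "250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n";
static const char *REPLY_NONE = "250-mx.example.test\r\n250-SIZE 10240000\r\n"
                                "250 8BITMIME\r\n";
static const char *REPLY_BAD  = "250-mx.example.test\r\n250-SIZE 35882577\r\n"
                                "250-XXXXXXXX\r\n250 ENHANCEDSTATUSCODES\r\n";

tls_status demo_tls_offered(void)  { return classify_ehlo_reply(REPLY_TLS);  }
tls_status demo_tls_absent(void)   { return classify_ehlo_reply(REPLY_NONE); }
tls_status demo_tls_tampered(void) { return classify_ehlo_reply(REPLY_BAD);  }
```

A mail relay seeing TLS_SUSPECT_TAMPERED for a peer that advertised STARTTLS on other days has evidence of on-path interference rather than a misconfigured counterpart, which is the distinction the warning Google plans to show Gmail users depends on.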

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/endpoint/google-study-finds-email-security-a-mixed-bag/d/d-id/1323147?_mc=RSS_DR_EDT