STE WILLIAMS

Look out Silicon Valley, here comes Brit bruiser Amber Rudd to lay down the (cyber) law

Executives at Facebook, Google and other terrorist-enabling online services are said to be quaking in their boots as UK Home Secretary Amber Rudd swoops into Silicon Valley this week to read them the riot act.

Rudd has been a frequent critic of social media giants, particularly after the murders in London and Manchester, and has repeatedly argued that “there should be no place for terrorists to hide.”

She has proposed breaking encryption on apps like Facebook’s WhatsApp, argued for legislation that would impose fines on corps like Facebook and Google if they do not remove illegal content within a specific timeframe, and pushed for outfits like Twitter to be more proactive in tackling offensive content.

In one interview, Rudd even mused about what she would tell Apple CEO Tim Cook, were she to meet him, with respect to his refusal to introduce a backdoor into Apple’s systems.

“If I was talking to Tim Cook, I would not say ‘open up,’ we don’t want to ‘go into the cloud,’ we don’t want to do all sorts of things like that,” she told the Beeb. “But I would ask him to think again.”

She went on: “We want them to recognize that they have a responsibility to engage with government, to engage with law enforcement agencies, when there is a terrorist situation. We would do it all through the carefully thought-through, legally covered arrangements. But they cannot get away with saying ‘we are a different situation.’ They are not.”

Making a hash of things

Rudd may not get the opportunity to meet with Cook while in California, however – the Home Office has only said she is meeting with representatives from YouTube and Alphabet. (Presumably that means two different groups of representatives, but since Google owns YouTube, we can’t be 100 per cent certain. Rudd is not exactly tech savvy.)

It is worth noting that YouTube has been repeatedly flagged by the UK government as the most open and willing to work with the authorities on issues such as extremist content, so in that sense the company represents the lowest-hanging fruit when it comes to pushing an unwelcome message in the Bay Area.

But for all her bluster, whenever it has come down to actual action, Rudd has backtracked from her bold position demanding changes to arguing that the internet giants need to “work with” the government.

A meeting between the Home Office and representatives of Facebook, Google, Microsoft and Twitter back in March was pushed by the UK government – and Rudd herself – as some kind of showdown.

But in the end, all that emerged from the meeting was the weakest of promises that the companies would “look at all options for structuring a forum” where they would discuss the issues.

That outcome was called “a bit lame” by chair of the Home Affairs Select Committee Yvette Cooper, who complained: “All the government and social media companies appear to have agreed is to discuss options for a possible forum in order to have more discussions. Having meetings about meetings just isn’t good enough.”

No underlings

In recent months, the Home Office has also made it plain that it is not happy talking to the UK representatives of US companies who simply stonewall discussions, and wants to talk directly to the top people.

It is likely no coincidence that Facebook’s second-in-command, COO Sheryl Sandberg, was in London last week, where she gave an interview to Desert Island Discs in which she reiterated that Facebook was not going to backdoor encryption, but that the companies would work on removing illegal content.

“The message itself is encrypted, but the metadata is not,” Sandberg said. “If people move off those encrypted applications to other applications offshore, the government has less information, not more.”

She later added: “If a video by a terrorist is uploaded to any of our platforms, we are able to fingerprint it for the others, so that they can’t move from platform to platform.”

Rudd’s Silicon Valley trip is clearly an effort to grow those top-level connections, although how successful it will be and whether Rudd will get through the doors of organizations other than Google remains to be seen.

Further complicating matters, due to Brexit plans, the UK no longer holds much sway in Europe – which is pushing for Europe-wide new rules on internet companies and their services – so any discussions would likely apply to the UK only.

Despite President Trump’s recent claim that a US‑UK trade deal was imminent and would be “beautiful,” the reality is that a UK government minister – even the Home Secretary – carries little weight in California. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/31/amber_rudd_comes_to_silicon_valley/

WannaCry Inspires Worm-like Module in Trickbot

The malware is being primarily distributed via email spam in the form of spoofed invoices from an international financial services company, says Flashpoint.

The relative success that the authors of the WannaCry and NotPetya ransomware samples had in distributing their malware using a worm-like propagation method appears to be inspiring others to follow the same tack.

Security vendor Flashpoint this week reported discovering a new version of the Trickbot banking Trojan featuring a worm propagation module. The malware is being primarily distributed via email spam in the form of spoofed invoices from an international financial services company.

Once the malware infects a system it is designed to spread locally on the network via Server Message Block (SMB) shares. The new propagation module is rigged to scan an infected domain for vulnerable servers and computers via the NetServerEnum Windows API and Lightweight Directory Access Protocol (LDAP) enumeration.

So far, there has been no evidence of the modified version of Trickbot actually spreading via SMB shares, which suggests that the malware authors have not fully implemented the capability yet, Flashpoint security researcher Vitali Kremez wrote in a blog post this week.

According to Kremez, it is likely that the malware authors are testing how to equip Trickbot for lateral movement within a local area network with the goal of infecting more computers and co-opting them into a botnet.
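The enumerate-then-touch-admin-shares pattern described above is what a detection rule can key on. As an added example that is not Flashpoint’s or Trickbot’s code, the Python below parses constructed Windows-style share-access events (the one-line event layout, the five-minute window and the three-host threshold are assumptions) and flags any source that reaches ADMIN$, C$ or IPC$ on several distinct hosts in quick succession, which is how a worm’s SMB spread shows up in share-access telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), one event per line in a
# simplified "timestamp event_id src_ip dst_host share" layout modelled on
# Windows Security event 5140 ("A network share object was accessed").
SAMPLE_EVENTS = """\
2017-07-27T10:00:01 5140 10.0.0.15 FS01 ADMIN$
2017-07-27T10:00:03 5140 10.0.0.15 WS-ACCT-02 C$
2017-07-27T10:00:04 5140 10.0.0.15 WS-ACCT-03 C$
2017-07-27T10:00:05 5140 10.0.0.15 WS-ACCT-04 ADMIN$
2017-07-27T10:00:07 5140 10.0.0.15 WS-HR-01 C$
2017-07-27T10:00:09 5140 10.0.0.15 DC01 IPC$
2017-07-27T10:15:00 5140 10.0.0.22 FS01 Finance
2017-07-27T10:16:00 5140 10.0.0.22 FS01 Finance
2017-07-27T11:00:00 5140 10.0.0.31 FS01 C$
"""

# Administrative shares a worm needs for remote execution or a file drop;
# ordinary users rarely touch these on many machines in quick succession.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_events(text):
    """Parse the simplified event lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, src, dst, share = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "src": src,
            "dst": dst,
            "share": share,
        })
    return events


def find_smb_spreaders(events, window=timedelta(minutes=5), min_hosts=3):
    """Return {src_ip: sorted hosts} for every source that reached admin
    shares on at least `min_hosts` distinct hosts inside any `window`.
    Window and threshold are tuning assumptions for this example."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 5140 and e["share"] in ADMIN_SHARES:
            by_src[e["src"]].append(e)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(hits.get(src, ())):
                hits[src] = sorted(hosts)
    return hits


if __name__ == "__main__":
    for src, hosts in find_smb_spreaders(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible SMB worm activity from {src}: {', '.join(hosts)}")
```

Only the first source trips the rule: six admin-share connections to six different hosts in eight seconds. The second source is a user opening a normal departmental share twice, and the third touches a single C$ share, so neither is reported; in production you would also want to correlate with the LDAP or NetServerEnum burst that precedes the spread.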

News of the new worm-like module in Trickbot comes just days after Flashpoint warned that Trickbot was, for the first time, being used to target and infect customers of U.S. banks and financial institutions. Though Trickbot has been around since mid-2016, it had previously only targeted victims outside the U.S.

But since around the middle of July a new Trickbot spam campaign powered by the notorious Necurs botnet has begun targeting users in the US, United Kingdom, New Zealand, Canada, Denmark and several other countries.

The Necurs botnet is one of the world’s largest botnets with up to one million infected Necurs bots being active at any time. The botnet has been around for several years and has been used to deliver a wide variety of malware. Recently it was tweaked to add a new component that allows it to be used for launching denial of service attacks.

Since July 17, there have been at least three Necurs botnet-powered spam waves that included Trickbot as the final payload, Flashpoint said.  The initial spam wave contained a spam email with a malicious Windows Script File attachment that purported to be from an Australian telecommunications company. More recent spam mails have evolved and involve spam emails with malicious macro-laden documents as attachments.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/wannacry-inspires-worm-like-module-in-trickbot/d/d-id/1329491?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Healthcare Execs Report Rise in Data Breaches and HIPAA Violations

IT executives, however, increasingly believe they are “completely ready” to withstand a cybersecurity attack on their healthcare system.

A survey of IT healthcare executives found that 47% have suffered a data breach or violation of the Health Insurance Portability and Accountability Act (HIPAA) at their organization this year, compared to 37% in 2015.

Even so, 35% of the 100 IT healthcare executives surveyed believe they are “completely ready” to withstand a threat, compared to 16% in 2015, according to the KPMG 2017 Cyber Healthcare Life Sciences Survey released today.

Boards of directors, meanwhile, show declining interest in cybersecurity, according to the survey: 79% of respondents said cybersecurity is an agenda item at board meetings, down from 87% in 2015. Healthcare companies are also spending less on cybersecurity, with 66% saying they had invested in this area in the past 12 months, down from 88% in 2015.

“There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate,” KPMG’s Healthcare Advisory Leader Dion Sheidy says in a statement. “The WannaCry ransomware hack in May was a warning shot against our collective ability to protect patient safety and privacy.”


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/healthcare-execs-report-rise-in-data-breaches-and-hipaa-violations/d/d-id/1329494?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Anthem Hit with Data Breach of 18,580 Medicare Members

Third-party service provider for the insurer discovered one of its employees allegedly engaged in identity theft of thousands of Anthem Medicare members.

Anthem recently learned that 18,580 of its Medicare members may have been victims of identity theft, after its third-party coordination services vendor LaunchPoint Ventures discovered an employee had emailed a file containing the sensitive information to his personal email account.

The Anthem file contained Medicare ID numbers (which incorporate Social Security numbers), Health Plan ID numbers, Medicare contract numbers, dates of enrollment and, in some cases, the last names and dates of birth of the members. LaunchPoint, which hired a forensics firm to investigate the breach, currently has no information that the pilfered data was misused, according to Anthem.

On April 12, LaunchPoint discovered one of its employees was allegedly engaged in identity theft activities and hired a forensics company. Then on July 8, LaunchPoint discovered the employee had emailed the Anthem file to his personal account, which violated LaunchPoint’s policies. The company learned the file contained Protected Health Information (PHI) on July 12 and two days later it reported the breach to Anthem.

LaunchPoint terminated the employee and is working with law enforcement to look into the matter. In the meantime, the former employee is incarcerated and under investigation for an unrelated issue, LaunchPoint noted.



Article source: https://www.darkreading.com/threat-intelligence/anthem-hit-with-data-breach-of-18580-medicare-members/d/d-id/1329501?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The New York gas pumps that steal your credit card

A few years back, we saw a spate of Bluetooth-enabled, banking-data-gobbling skimmers installed at gas stations in the Southern US.

Eventually, 13 alleged thieves were charged with forging bank cards using banking details chirped out via Bluetooth to nearby crooks from devices that were impossible for gasoline-buying customers to detect, given that the skimmers were installed internally.

Of course, it’s much easier to detect thieves’ attempts to get at your credit card when they’ve gone the kludgy, model airplane route. That route entails thieves 1) gluing a card catcher onto the front of an ATM (hopefully in a nice, wiggly fashion—much easier for victims to detect that way!), 2) hoping it doesn’t fall off before it catches some cards, and then 3) hanging around the machine, pretending to look innocent, as they wait to snatch the cards after victims give up on ever getting them back.

True, the Bluetooth skimmer was installed internally, making it tougher to spot than the glued-on kludge of a card catcher. It still presented a problem for the thieves, though: namely, using Bluetooth meant the skimmer still relied on the thieves hanging around nearby, given the limited range of this wireless technology. It also meant that anybody else using Bluetooth in the vicinity could get an eyeful of “Oooo, payment card details up for grabs!”

Now, as security journalist Brian Krebs reports, New York City police have started to see a new sort of skimmer on gas pumps that cuts the Bluetooth tie, instead relying on GSM text messages (SMS) to get card details to the crooks anywhere in the world.

No more hanging around smelly gas pumps! No more returning to the scene of the original crime – as in, the place where the skimmers were initially installed – to retrieve the booty. Now, the thieves can plug the skimmers in and make themselves scarce, taking off to wherever their counterfeit card making setup is located.

Mind you, wireless transmission of stolen card data is nothing new. A US Secret Service task force in Los Angeles has been looking into fuel theft and fuel-pump skimming since 2009, and it has found distinct crime gangs, working in tandem, that steal the gas and that skim the card data. Those skimmers already use SMS text messages to exfiltrate card data, so, like the GSM skimmers just found in New York, they mean the thieves don’t have to return to the scene of the crime: all they need is mobile phone service to collect card data and PINs.

Krebs quoted Secret Service agent Steve Scarince in a 2015 article:

Generally the way it works is the skimmer will sell the cards to a fuel theft cell or ring. The head of the ring or the number two guy will go purchase the credit cards and bring them back to the drivers. More often than not, the drivers don’t know a whole lot about the business.

They just show up for work, the boss hands them 25 cards and says, ‘Make the most of it, and bring me back the cards that don’t work.’ And the leader of the ring will go back to the card skimmer and say, ‘Okay out of 100 of those you sold me, 50 of them didn’t work.’

But this is apparently the first time that we’ve seen GSM-based pump skimmers show up in gas pumps – at least, in New York – according to a New York police officer. The devices were pulled off of three New York filling stations this month. The officer shared some images of the devices with Krebs.

Krebs notes that, like other pump skimmers, these GSM skimmers draw power from the pumps they’re attached to, allowing them to operate indefinitely.

Analysis on the T-Mobile SIM cards apparently hasn’t turned up any data on the thieves. All that investigators have found so far are the unique serial numbers—what’s known as the integrated circuit card identifiers, or ICCIDs—of the SIM cards.

It’s common to see skimming devices on ATMs, gas pumps or any other card-processing device used with some type of remote telemetry, whether the stolen data goes out over Bluetooth or, as with this GSM skimmer, over the mobile network. Thieves can take off-the-shelf devices, including the guts of a mobile phone as used in this recently discovered GSM skimmer or, say, a video recorder, and just jam them behind some believable-looking moldings. That can make it tough for a customer to tell there’s something fishy going on.

What to do?

Don’t use a card machine on a gas pump, an ATM or anything else if you think it may have been tampered with.

In cases like this, where the machine itself seems to have been compromised and there are no external clues to the tampering, there isn’t much you can do beyond deciding if you trust the gas station or not.

As always, it’s smart to regularly check credit card statements and keep an eye out for anything that doesn’t look right.

Keep your bank’s phone number handy on your phone too. If you see anything suspicious, whether it’s on your statement or at an ATM, a restaurant or the filling station, report it to the credit card company.

And don’t forget to call the police: if there’s fraud going on, they’ll want to know.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/k1dkpwcpRqY/

Dark Web criminals caught after reusing passwords

We often hear stories about how criminals take advantage of people who reuse their passwords across websites and don’t enable two-factor authentication (2FA).

But, recently it appears these roles were reversed when police in the Netherlands shut down the criminal activity of a number of dark web vendors who reused their own credentials and didn’t enable 2FA on their accounts.

According to cryptomarket researcher @5auth, as of 24 July 2017, up to 16 accounts on the dark web marketplace Dream Market were under the control of the Dutch Police.

The Dutch Police likely seized these credentials in their crackdown on the Hansa and AlphaBay marketplaces earlier this year.

While Hansa and AlphaBay fell, another dark market, Dream Market, seemed untouched by authorities and many of the affected vendors moved their operations there.

However, there was rampant speculation that Dream Market was either actively compromised and being monitored by authorities, or that it was only a matter of time until it too was shut down.

Earlier this week, it looked like the shoe finally dropped for at least 16 vendors on Dream Market, but it doesn’t appear that the authorities used any high-powered tricks in their takedown. Instead, it looks as though the Dutch police simply reused credentials they’d already captured.

According to at least one of the vendors themselves on the /r/DarkNetMarkets subreddit, they hadn’t changed their password after Hansa was taken down, and they also hadn’t enabled 2FA, or were unable to enable it.

“Guys, I am one of those vendors. I can clearly say that (at least) my account was seized by Dutch LE. I think they came on it through my silliness using the same password on Hansa Market. All my information got changed during the night they took Hansa Market offline.”

Though we have no confirmation from the Dutch police as yet, if this was a matter of credential reuse it was trivial for the police to log in to vendor accounts and completely take them over, shutting the vendors out of their own accounts and swapping the vendors’ PGP keys to ones owned by the Dutch police.

The vendors taken offline seem to be garnering little sympathy from their peers for their lax security practices. “You likely didn’t have 2FA enabled in the first place… and used the same password as on Hansa,” wrote one user in the DarkNet Market UK subreddit. “You should know better.”

If they’d read five ways to upgrade your passwords, they would have.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/l1LO_F8X8LQ/

One lousy click: the phishing blunder that sank an entire product

Do you need to extract text from images, videos or PDFs?

Not only is there an app for that, it turns out there’s even a browser plugin called Copyfish to help you, too.

Copyfish is supposed to let you grab subtitles from films, captions from cartoons, and so on, while you’re browsing.

(We’re assuming that the name is a pun on HHGttG’s Babelfish, the eel-like creature you stick in your ear that automatically translates everything you hear into your own language.)

Unfortunately, the Copyfish software project is in all sorts of crisis right now, thanks to a phishing attack over the weekend.

In Copyfish’s case, it seems very much that an injury to one ended up being an injury to all.

According to the creators of the Copyfish tool, this is what happened:

  • An email arrived, apparently from Google, telling Copyfish that its plugin wasn’t compliant with the Chrome Web Store rules and might be removed.
  • The email included a handy link that supposedly went to the relevant developer dashboard so that Copyfish could look into it.
  • A helpful Copyfish developer decided to investigate, and clicked on the given link to log in.
  • The link was bogus, and so the developer ended up revealing the company password to a bunch of crooks.

What next?

After that, things happened quickly.

More ads and web spam than usual started appearing on Copyfish’s own computers.

After a while, Copyfish rather scarily figured out that the ads were being inserted by its own Chrome plugin.

Worse still, the infected version that was doing the adware injection was an update the company didn’t even know was out there.

The crooks who’d acquired the password had lost no time:

  • Locking Copyfish out of its own Chrome Web Store account.
  • “Upgrading” the plugin from version 2.8.4 to an unofficial release numbered 2.8.5 and adding in a bunch of ad-serving malware code.
  • Moving the Copyfish for Chrome code to a different account.

Presumably, the Copyfish developers all had automatic plugin updates turned on, so they’d unexpectedly acquired an unauthorised version of their own software.

The only word we can think of to describe this sort of situation is, “Ouch.”

Apparently, the rogue ad-serving component works by “calling home” to a third-party website to fetch unauthorised JavaScript code; Copyfish managed to get this rogue site blocked so that the rogue ads it delivers never appear.

But as the company noted earlier today: “we still have no control over Copyfish, so there is a chance that the thieves [could] update the extension once more.”

Ironically, Copyfish’s breach notification page invites you to sign up to the company’s newsletter “[i]f you want to get an email once the issue is fixed”…

…so watch out for further fake emails telling you that version 2.8.6 is ready!

What to do?

You might have expected professional web developers to be a bit more circumspect in a case like this – but apart from containing a suspicious link, the original email from the crooks was at least vaguely believable:

Your Google Chrome item, “Copyfish Free OCR Software,” with ID: [redacted] did not comply with our program policies and will be removed from the Google Chrome Web Store unless you fix the issue.

Please login to your developer account [link redacted] for more information.

To a native speaker of English, the wording here isn’t quite right (e.g. “did not comply” would read better as “does not comply”), and to a fluent techie, the login link – which used a non-Google link-shortening service – should have been a red flag that something was wrong.
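The shortener red flag is mechanically checkable before anyone clicks. As an added example (not Copyfish’s code and not the real email; the allowlist of expected Google hosts, the shortener list and the placeholder bit.ly link are assumptions), this Python pulls every URL out of a message, names its host, and flags shorteners, off-domain hosts and any link the surrounding text asks you to “log in” through:

```python
import re
from urllib.parse import urlsplit

# Hosts that a genuine Chrome Web Store developer notice might link to.
# This allowlist is an assumption for the example; tailor it to the senders
# you actually deal with.
EXPECTED_HOSTS = {"chrome.google.com", "accounts.google.com", "developer.chrome.com"}

# A few well-known URL shorteners (constructed list, not from the article).
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"'\)\]]+", re.IGNORECASE)
LOGIN_PROMPT_RE = re.compile(r"\b(log ?in|sign ?in)\b", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlsplit(url).hostname or "").lower()


def is_under(host, allowed):
    """True if host equals, or is a subdomain of, any allowed host."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_links(body, context_chars=60):
    """Inspect every URL in an email body and return a list of findings:
    {"url", "host", "reasons"}; an empty reasons list means nothing odd."""
    findings = []
    for m in URL_RE.finditer(body):
        url = m.group(0)
        host = host_of(url)
        reasons = []
        if host in SHORTENERS:
            reasons.append("url-shortener")          # hides the real destination
        if not is_under(host, EXPECTED_HOSTS):
            reasons.append("host-not-expected")      # not the vendor's own domain
        # A link that the surrounding text asks you to "log in" through is the
        # classic credential-phishing pattern, so raise it when the host is off.
        context = body[max(0, m.start() - context_chars):m.start()]
        if reasons and LOGIN_PROMPT_RE.search(context):
            reasons.append("login-prompt")
        findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


def should_block(findings):
    """Conservative policy: any flagged link means do not click; reach the
    dashboard by typing the address yourself."""
    return any(f["reasons"] for f in findings)


# Constructed message modelled on the wording quoted in the article; the
# shortener URL is a placeholder, not the crooks' real link.
SAMPLE_MAIL = """Your Google Chrome item, "Copyfish Free OCR Software," did not comply
with our program policies and will be removed from the Google Chrome Web Store
unless you fix the issue.
Please login to your developer account https://bit.ly/xxxxxxx for more information.
Policy reference: https://developer.chrome.com/webstore/program_policies
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_MAIL):
        print(f["url"], "->", f["host"], f["reasons"] or "ok")
```

On the sample, the shortener link is reported for all three reasons while the policy link on an expected host passes; a mail gateway or a personal pre-click habit of running the links through a check like this catches exactly the mistake described above.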

So here’s our advice to reduce the risk of account takeovers of this sort:

  • Don’t click on login links in emails. If you never click on login links, even when you trust the email, but always find the login page in a trusted way of your own, the crooks will find it much harder to phish you in this way.
  • Turn on two-factor authentication (2FA) whenever you can. 2FA means you need a one-time login code, as well as your username and password, every time you login. That’s one more thing the crooks need to figure out every time they try to phish you.
  • Don’t feel pressurised to act when you receive what sounds like bad news via email. Ask for a second opinion from someone you actually know and trust – a nearby colleague, for instance – especially when the email apparently relates to an official company account.
  • Never believe the contact details provided in an email. If the email comes from an imposter, the contact details will lead back to the crooks, who will simply “confirm” any lies they told in the original email. Get details such as websites, email addresses and phone numbers from a trusted third party source that you found for yourself.

Think before you click!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nvgwJ3AiFhY/

Destination PWND: Safes, ATMs, phones all fall to Vegas hax0rs

Analysis BSides, Black Hat, DEF CON… For the last six days, Las Vegas has been home to the top brains in the computer security industry and the business menagerie that follows them – causing some panic among locals.

We’ve seen the pathetic state of the US electronic voting system exposed, claims of advanced eavesdropping at the Standing Rock camps and elsewhere, killer car washes and the awards for this year’s biggest blunders and best research. But there’s a lot going on at the edges of the shows that gets missed.

Hacker Jeff Moss kicked the whole conference season off in 1993 with a few hotel suites booked in Vegas where he and his mates would code and party. It has grown into one of the most popular hacking events out there and this year was DEF CON’s biggest show ever.

Black Hat was established four years later as a commercial offshoot. It involves days of training before the main show, a day of CIO-level briefings with no press allowed, and then a two-day jamboree with as many as eight tracks of talks running concurrently. Alex Stamos, chief security officer for Facebook, kicked off the opening keynote and it looked more like a rock concert than a technology conference.

“When I brought my girlfriend – now my wife – to the first Black Hat 20 years ago, it was because we were hacking the Man,” he joked. “Now, we are the Man.”

DEF CON is even more complex. While the show only has four main keynote tracks, there are a plethora of other briefings. The hardware hacking talks are well worth it, the social engineering village is fascinating if unsettling, and there is a phenomenal amount of smaller training sessions dotted around the venue, not to mention informal meet, greet and share hacking talks.

Some of these sessions we’ll be reporting on later in the year, when fixes have been found and papers peer-reviewed. But here’s a roundup of the best hacks that weren’t covered on the day.

Mobile madness

Considering how much of our lives is tied to the things these days, mobile phone hacking is a focus for many, and Chinese giant 360 Technology detailed a disturbingly easy way to hijack phones because of lousy network security.

The firm’s Unicorn Team pulled off what they called the Ghost Telephonist attack by intercepting the signalling between a smartphone and a cell tower. When a phone attaches to a new tower it is normally required to authenticate itself, but the team found that when a phone falls back from a 4G connection to a 2G network this authentication step is skipped.


By intercepting a signal at the point when it switched network, using an aerial-equipped laptop, an attacker could send texts and take calls from the hacked phone. They could also log onto a Facebook account using the stolen phone’s credentials and get a password reset sent to their devices.

The Unicorn Team are now working with operators to fix this issue and that should disable the attack. But, based on other research, telcos are already going to have more problems on their hands with 3G and 4G communications.

Research by Ravishankar Borgaonkar and Lucca Hirschi has found a cryptographic flaw in the authentication system used to connect a phone to a network. While the flaw doesn’t allow the content of calls or messages to be read, it does allow for pinpointing of mobile phone users and provides records of how long they are online.

The flaw also turns out to be very easy to exploit. The team spent just $1,500 on its surveillance system and it’s clear that police forces around the world would be willing to pay that – considering that they already use Stingray cellphone targeters in the US, and locally produced equivalents overseas.

But the real doozy of a flaw was Broadpwn, a now-patched remote exploit that left over one billion smartphones open to a worm infection that could have built one of the largest botnets, according to its discoverer Nitay Artenstein of Exodus Intelligence.

Broadpwn stems from a serious flaw in Broadcom’s BCM43xx family of Wi-Fi chipsets that would allow malware to install itself in the chip’s firmware. It could then ping out to other vulnerable devices in Wi-Fi range and create a cascade of infections.

Broadcom is one of the biggest suppliers of chipsets to the smartphone industry and the vulnerability is found in every iPhone from the iPhone 5 onward, Samsung handsets from the S3 to the S8 and all Samsung Note 3s, as well as Google’s Nexus 5, 6, 6X and 6P.

Hardware hacking

A lot of hackers first got into the business by becoming fascinated by noodling around with hardware, typically picking locks. There’s an entire DEF CON village devoted to that now, but innovative hardware hacks elsewhere were also very much in evidence.

A personal favourite was the safe-cracking robot, an ingenious device built from an Arduino microcontroller, an Erector set framework, magnets to hold it in place and a 3D-printed unit that meshed with the rotary combination dial.

The device’s creator, SparkFun Electronics boss Nathan Seidle, explained at DEF CON that he got into safe-cracking when his wife (another hardware hacker) bought him one on eBay for $20 as a present. The safe was so cheap because it was locked and had no known combination, so the two of them were determined to crack it.

Seidle set the robot working, aiming to have the safe cracked in the time it took him to give his presentation. The robot managed it in a few seconds over 30 minutes.

Another interesting DEF CON talk by Dennis Maldonado showed how easily RFID chips can be harvested and cloned. Using some cheap parts he bought on eBay, Maldonado was able to copy chips from two feet away and then fire the data to a card cloner.

Reading RFID chips that don’t belong to you is nothing new but it was the speed and ease of this attack that made it really impressive. And with more and more RFID chips in circulation, Maldonado’s research could come in handy.


Meanwhile, at Black Hat, researchers at IOActive performed a perennial favourite – making an ATM spew money everywhere.

They found that an ATM built by Diebold Nixdorf had a USB port that was trivially easy to get at. They informed the company, only to be told that it couldn’t possibly be used to carry out a hack.

The team found a way to reverse-engineer the ATM’s software and cause it to dump its entire load of cash. They reported that Diebold still hasn’t fixed the flaw, as it no longer makes that model of ATM, and that the hacked unit hadn’t been patched.

A mountain of malware

Software cracking is what most people associate with hacking and there was more than enough to go around.

Earlier this year, a new Mac malware was found called Fruitfly, and Patrick Wardle, chief security researcher at Synack, spoke about how he’d managed to hack a variant of the software’s command-and-control servers. What he found is going to be giving Apple some serious concern.

Fruitfly is an obfuscated Perl script built from antiquated code that can give an attacker pretty much complete control of macOS, including key logging, webcam control, alerts when the user is online, and a tunnelling system to get this back to the command-and-control servers.

With a reverse-engineered piece of the code, Wardle was able to log into the command-and-control systems and view infected machines. They appeared to be mostly US-based and not especially numerous, but all had been taken over by the malware and none had antivirus engines running.

Using malware for physical targets was also covered, with Robert Lee, CEO of industrial security specialist Dragos, giving a detailed rundown of how hackers brought down sections of the Ukrainian power grid last year. This was a complex attack, with initial reconnaissance by hackers in 2014 followed by more than a year of development before the biggest outage.

The attackers had designed malware to hit specific sections of the power grid and cause them to fail. This initially complex task had been simplified so that someone without detailed knowledge of the grid could use it. But Lee was hopeful that US grids were more resilient.

“The US government simply doesn’t know what is going on in infrastructure, because they own so little of it, but operators are getting on the case,” he said. “The North American power grid is one of the most complex organisations in existence, with systems piled onto system. That leaves a lot of redundancy.”

Finally, Marcus Hutchins, the British researcher who discovered the kill switch for the WannaCry malware, was also wandering the halls and parties of Las Vegas. He just missed out on a Pwnie Award, but Charlie Miller, car hacker extraordinaire, said that Hutchins was due his plaudits. Hutchins also enjoyed some traditional Las Vegas pursuits.

It was a fun, if exhausting, week. The first presentations for DEF CON and Black Hat are now online so you can catch up with the whole thing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/31/best_of_rest_black_hat_def_con/

PasteBin data dump: Hackers claim files are from Mandiant FireEye ‘breach’

Hackers have leaked files amid claims they broke into the network of incident response firm FireEye/Mandiant. The firm has denied this.

The hackers, who branded their attack campaign “Op #LeakTheAnalyst” claimed in a preface to their PasteBin dump that they had “breached [Mandiant’s] infrastructure” and alleged that Mandiant’s internal networks and its clients’ data had been compromised.

However, independent analysts said that, based on initial analysis, no evidence of any compromise beyond the unconfirmed breach of a single machine had been provided thus far.

Ido Naor, a researcher at Kaspersky Lab, commented: “Only one workstation seems to be infected during #leakTheAnalyst. Dump does not show any damage to core assets of Mandiant.”

Researcher Hanan Natan agreed: “The current #leakTheAnalyst dump doesn’t contain any [proof] that they compromised the Mandiant networks.”

In response, FireEye put out a preliminary statement blaming the whole thing on a social media leak.

We are aware of reports that a Mandiant employee’s social media accounts were compromised. We immediately began investigating this situation, and took steps to limit further exposure. Our investigation continues, but thus far, we have found no evidence FireEye or Mandiant systems were compromised.

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/31/mandiant_fireeye_leak/

Get Ready for the 2038 ‘Epocholypse’ (and Worse)

A leading security researcher predicts a sea of technology changes that will rock our world, including the Internet of Things, cryptocurrency, SSL encryption and national security.

BLACK HAT USA – Las Vegas – Buckle in for a wild ride in the next two decades where the role of security professionals will rise in dramatic importance, Mikko Hypponen, F-Secure chief research officer, predicted at a Black Hat presentation today.

“Our work is not to secure computers, but our work is to secure society,” says Hypponen in his presentation The Epocholypse 2038: What’s In Store for the Next 20 years.

The security researcher pointed to likely sea changes the industry will witness in the coming 20 years: the 2038 Unix Millennium bug that will drive industry worry on par with Y2K, major shifts in the way security professionals deal with Internet of Things devices, cryptocurrency, SSL encryption and national security.

Y2k Redux in 2038?

When January 19, 2038 rolls around, the industry is bracing for a situation where Unix-based systems run out of bits and crash.

The 2038 epocholypse has been compared to Y2K, in that fear-and-loathing hype is mounting. Hypponen recalls how he was busy standing guard on New Year’s Eve when 2000 rolled in and the entry into the new millennium went smoothly. But despite all the bashing that the industry cried wolf about the doom that could have occurred on New Year’s Day 2000, Hypponen says two points were missed — and it’s something to keep in mind for 2038.

One point is that an enormous amount of work went into finding bugs and fixing them prior to Y2K, so the impact was greatly minimized on the actual day, said Hypponen. The second point is that not all Y2K-related problems immediately emerged on Jan. 1. Some came much later, such as inaccurate readings for Down syndrome risk in pregnant women, he recalled, noting how some women underwent abortions unaware of the misdiagnosis.

“[The year] 2038 is way off in the future. People think we have plenty of time to fix it,  but I will guarantee you we will run out of time,” Hypponen warned.
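The bit overflow behind the 2038 date, as an added worked example that is not from Hypponen’s talk or this article: it models a signed 32-bit time_t in C, shows the wrap that happens one second after 03:14:07 UTC on January 19, 2038, and includes the 64-bit arithmetic and range check a migration needs. The function names are assumptions for illustration, not any system’s real API.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Added example, not from the article: a signed 32-bit seconds counter
 * (the legacy definition of time_t on many Unix systems) and what happens
 * to it at the Y2038 boundary. Function names are illustrative. */

/* 2^31 - 1 seconds after 1970-01-01T00:00:00Z is 2038-01-19T03:14:07Z,
 * the last instant a signed 32-bit time_t can represent. */
#define Y2038_LAST_SECOND INT32_MAX

/* Simulate a legacy 32-bit time_t addition: the sum is truncated to 32
 * bits as the old systems did, so it wraps instead of advancing. */
int32_t add_seconds_32(int32_t t, int32_t delta) {
    uint32_t wrapped = (uint32_t)((int64_t)t + delta); /* mod 2^32 */
    return (int32_t)wrapped;                           /* reinterpret */
}

/* The same addition on a 64-bit time_t, which is the actual fix. */
int64_t add_seconds_64(int64_t t, int64_t delta) {
    return t + delta;
}

/* A check a migration audit can apply to stored timestamps: does this
 * value survive a round trip through a signed 32-bit field? */
int fits_in_32bit(int64_t epoch_seconds) {
    return epoch_seconds >= INT32_MIN && epoch_seconds <= INT32_MAX;
}

/* Calendar year (UTC) of an epoch value. Assumes the host's own time_t
 * is 64-bit so post-2038 values convert; returns -1 if gmtime fails. */
int utc_year(int64_t epoch_seconds) {
    time_t t = (time_t)epoch_seconds;
    struct tm *tm = gmtime(&t);
    return tm ? tm->tm_year + 1900 : -1;
}

int main(void) {
    int32_t t32 = add_seconds_32(Y2038_LAST_SECOND, 1);
    int64_t t64 = add_seconds_64(Y2038_LAST_SECOND, 1);
    printf("32-bit: %11d -> year %d\n", t32, utc_year(t32));            /* 1901 */
    printf("64-bit: %11lld -> year %d\n", (long long)t64, utc_year(t64)); /* 2038 */
    printf("fits in 32 bits? %d\n", fits_in_32bit(t64));                /* 0 */
    return 0;
}
```

The wrapped value lands in December 1901, which is why a 32-bit system does not merely stop but starts reporting dates before its own existence.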

Cryptocurrency Game Changer

Bitcoin and other forms of cryptocurrency will likely take a big chunk of business away from the brick-and-mortar banks but these virtual currencies won’t likely cause institutions to go out of business, predicted Hypponen.

But cryptocurrency is dramatically changing the landscape related to how law enforcement will chase the bad guys and follow the money. Cryptocurrency not only allows cybercriminals to conduct transactions anonymously but also gives them an avenue for laundering the money through multiple digital accounts with lightning speed, he noted.  

And thugs are also using cryptocurrency when committing traditional physical crimes, Hypponen said, pointing to a Brazilian kidnapping where the attackers demanded a ransom payment in Bitcoins.

SSL, IoT, and Nation State Attacks, Oh My

Quantum computing is reaching a point where in the very near future it may pose a threat to SSL encryption, Hypponen predicted, explaining how the ability of quantum computers to crunch through waves of prime numbers puts the security of SSL encryption at risk. Evidence: IBM’s announcement earlier this year about the construction of a commercially available universal quantum computing system for its IBM cloud platform.

In addition to the potential demise of SSL encryption, humans are also facing greater risks with the rise of IoT devices. “There will be a day when consumers buy products and don’t even realize they are IoT devices,” Hypponen said. “If it is a smart device, it is a vulnerable device,” which he predicts will create the need for a separate IoT network.

But what keeps Hypponen awake at night is the prospect of a nation state attack on consumers. “Wars today are fought with drones,” he said, asking what would happen if the software that feeds into computer chips and devices were instructed to have the device catch on fire, simultaneously across millions of homes.

“Technically, it can be done,” Hypponen said, showing a demo of one device in flames.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/vulnerabilities---threats/get-ready-for-the-2038-epocholypse-(and-worse)/d/d-id/1329479?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple