STE WILLIAMS

Shifting Attacks Put Increasing ID Fraud Burden on Consumers

Card-present fraud is down, but attackers continue to find new strategies, and consumers are paying the price.

The credit card and financial services industries have much to cheer in the latest annual fraud report from market researcher Javelin Strategy & Research. Overall fraud dropped 15% in 2018 compared with the previous year, affecting 2 million fewer people, much of which was due to the rollout of the Europay, Mastercard, and Visa (EMV) chip-card standard.

“Card fraud at the point of sale went through the floor, and that is great, because that has been so much of the fraud for so many years,” says Al Pascual, senior vice president of research and head of fraud and security for Javelin. “That is great for issuers and financial institutions and others who have been trying to manage this risk forever, but it is not as great for the consumer, because the consumer was not paying out of pocket in the first place.”

Yet online thieves continue to find ways to fraudulently monetize identity information, such as stealing from non-card accounts, taking over accounts, and creating new accounts in the victim’s name. And when the fraudsters get the cards using these methods, they are typically issued an EMV card.

“It almost makes it worse, because you trust those cards now,” Pascual says.

The report, based on a survey of 5,000 US adults, highlights that digital crime does not go away in response to changes in defense; it moves to new avenues in an attempt to get around them. Fraudulent loan applications more than doubled for car loans, mortgages, student loans, and home equity lines of credit.

For consumers, the downside is that they are not protected against damages incurred in these new schemes. New account fraud often requires a consumer to spend a great deal of time contacting the issuer, filing a police report, and attempting to prove that he or she was not the person who asked for a new account. In 2018, nearly a quarter of fraud victims — an estimated 3.3 million people — had to pay out-of-pocket costs to deal with fraud, according to the Javelin report.

“The industry had a multibillion-dollar problem that they solved, and it just happened that what was left over increased the cost to the consumers,” Pascual said.

Another setback for consumers is that criminals were able to misuse fraudulently obtained accounts for much longer, for almost every type of fraud. A new fraudulent account, for example, was used for 54 days by criminals before being detected, according to Javelin. While financial institutions have historically been the first to detect and notify consumers, because the types of accounts targeted by criminals have changed — with mortgages and student loans being common — the accounts are not caught in the same ways.

Credit-monitoring services became the most common way to detect fraud, accounting for 17% of all detection. Notification by financial institutions fell to 15%, down from 33% in 2017.

“This speaks to the prevalence of identity protection services after years of free protection following a data breach and also to the complexity of detecting fraudulent loan accounts,” according to the report.

Credit freezes have become a best practice following massive breaches at Equifax and other data services, but they are a hurdle for criminals rather than an absolute roadblock, Pascual says. Criminals will likely become more focused on the big scores, he adds.

“If you have an 800 credit score and a six-figure salary, they are going to find a way to break that credit freeze on your account,” he says.

A security measure that may go some way toward further reducing fraudulent transactions is 3-D Secure 2.0. While the initial version of the standard failed to win adoption, the current iteration, which will be widely deployed this year, is based on cooperation between financial institutions and merchants, and relies less on the consumer.

Two-factor authentication has also helped, but criminals are targeting the weaker, SMS-based second factors. In 2018, 17% of account takeovers involved mobile devices, compared with 10% in 2017, according to Javelin.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/shifting-attacks-put-increasing-id-fraud-burden-on-consumers/d/d-id/1334112?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Citrix Hacked by ‘International Cybercriminals’

FBI informed Citrix this week of a data breach that appears to have begun with a ‘password spraying’ attack to steal weak credentials to access the company’s network.

Virtual desktop and app vendor Citrix today said it had been alerted by the FBI on March 6 that its network had been breached.

Citrix said the FBI had "reason to believe" that international cybercriminals were behind the attack on its corporate network, most likely using password spraying, in which a small set of common passwords is tried against many accounts, to pick off weak credentials and gain access to the network.

The attackers appear to have downloaded business documents, according to Citrix’s internal forensics investigation findings thus far, but the company said it’s not sure which data was breached. “At this time, there is no indication that the security of any Citrix product or service was compromised,” Stan Black, Citrix CSIO wrote in a blog post today.

“Citrix deeply regrets the impact this incident may have on affected customers. Citrix is committed to updating customers with more information as the investigation proceeds, and to continuing to work with the relevant law enforcement authorities,” Black wrote.
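Password spraying has a recognisable shape in authentication logs: one source tries many different accounts, each only once or twice, rather than hammering a single account. The following is an added example of detection logic over that shape, written for this page; it is not Citrix's tooling nor anything from the FBI's findings. The log format and the sample lines are constructed for the demonstration.

```python
"""Flag password-spraying sources in authentication logs.

Added example, not Citrix's own tooling. The log format
("<iso-timestamp> <src-ip> <user> <result>") and the lines in SAMPLE_LOG
are constructed for this demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying source, one classic brute-force source
# against a single account, and one ordinary user who mistyped once.
SAMPLE_LOG = """\
2019-03-04T09:00:01 203.0.113.7 alice FAIL
2019-03-04T09:00:03 203.0.113.7 bob FAIL
2019-03-04T09:00:05 203.0.113.7 carol FAIL
2019-03-04T09:00:07 203.0.113.7 dave FAIL
2019-03-04T09:00:09 203.0.113.7 erin FAIL
2019-03-04T09:00:11 203.0.113.7 frank SUCCESS
2019-03-04T09:00:13 203.0.113.7 grace FAIL
2019-03-04T09:01:00 198.51.100.9 alice FAIL
2019-03-04T09:01:02 198.51.100.9 alice FAIL
2019-03-04T09:01:04 198.51.100.9 alice FAIL
2019-03-04T09:01:06 198.51.100.9 alice FAIL
2019-03-04T09:01:08 198.51.100.9 alice FAIL
2019-03-04T09:01:10 198.51.100.9 alice FAIL
2019-03-04T10:30:00 192.0.2.44 heidi FAIL
2019-03-04T10:30:20 192.0.2.44 heidi SUCCESS
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_spraying(log_text, window=timedelta(minutes=10),
                    min_users=5, max_per_user=2):
    """Return {src_ip: sorted distinct users tried} for every source that,
    inside any `window`, touched at least `min_users` distinct accounts
    without trying any single account more than `max_per_user` times.

    'Many users, few attempts each' is what separates spraying from a
    brute force on one account (the second source above), which this
    function deliberately does not flag: that is a different alert."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        events[ip].append((ts, user, result))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Sliding window over this source's attempts, oldest first.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user, _ in evs[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_per_user):
                findings[ip] = sorted({u for _, u, _ in evs})
                break
    return findings


def compromised_accounts(log_text, sprayers):
    """Accounts on which a flagged sprayer got a SUCCESS: the weak
    credentials the spray actually harvested, i.e. where response starts."""
    hits = set()
    for line in log_text.strip().splitlines():
        _, ip, user, result = parse_line(line)
        if ip in sprayers and result == "SUCCESS":
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    sprayers = detect_spraying(SAMPLE_LOG)
    print("spraying sources:", sprayers)
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG, sprayers))
```

The thresholds (five accounts in ten minutes, at most two tries per account) are tuning knobs, not magic numbers; in a real environment they should be set against a baseline of normal lockout-avoiding behaviour, and the detection should key on the account's source of truth (VPN gateway, directory, SSO logs) rather than a single application's log.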


Article source: https://www.darkreading.com/application-security/citrix-hacked-by-international-cybercriminals/d/d-id/1334122?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Tina Fey, RSAC, and Parallels Between Improv and Cyber

This year’s RSA Conference concluded with actress Tina Fey and program chair Hugh Thompson chatting about teambuilding, diversity, and improv.

RSA CONFERENCE 2019 – San Francisco – How much overlap exists between the worlds of comedy and cybersecurity? “Almost none,” joked actress, writer, and producer Tina Fey in a closing keynote conversation with Hugh Thompson, RSA Conference program chair.

On the surface, she had a point. But a few parallels emerged as the two chatted onstage. For example, Thompson asked Fey about improvisation – a form of theater which, if you’re not familiar, is founded on the premise of agreement. No matter what anyone says on an improv stage, the other actor(s) have to work with it. “Yes, and …” is a phrase core to improv, Fey explained. If another actor disagrees with a statement, the story stops and the show falls flat.

The audience laughed as Thompson put the idea of "yes, and" in a security context: "Someone walks into a room and says, 'Yes, we've been compromised' … 'Yes, and someone just found our data on a Russian website' … 'Yes, and somebody from the FBI's here.'"

Thompson turned the conversation to teambuilding, where similarities with improv also exist. As long as each actor contributes, the storyline is built. That said, Fey noted, you meet a lot of people who struggle with agreement, and those people don't have a place on the team.

“People who operate from a place of ‘no’ are very troubling to me,” she added. You want the people on your team who bring ideas; who are willing to fully jump in. At 30 Rock, she said, her team would work 17-hour days, dedicating their time to the project at hand. “With improv, one of the biggest things is you need to lose your fear of failure and fear of embarrassment.”

Fey also pointed out that “you want the most diverse room you can have,” with a team of people who have different points of view. Thompson admitted the industry has been working more on diversity over the past few years, but “we’re making just small progress.”

When staffing a show, Fey said, she looks for both academic intelligence and emotional intelligence to contribute to a mix of skills and personalities. “You need people who are flexible, and people who are committed,” she explained. And, finally, “don’t hire anyone you wouldn’t want to see in the hallway at three o’clock in the morning.”

“That’s true in our industry too,” Thompson joked.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/careers-and-people/tina-fey-rsac-and-parallels-between-improv-and-cyber/d/d-id/1334123?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Developer-only iPhones help reveal Apple’s secret security sauce

In August 2016, at the Black Hat security conference in Las Vegas, well-known security researcher Mathew Solnik dangled an answer in front of an audience of security pros, hackers, and iPhone-cracking researchers who wanted to know: How did his team become the first to disembowel the iPhone to get at its data-encryption processor?

He dangled, but he didn’t deliver. As Motherboard’s Lorenzo Franceschi-Bicchierai recalls, Solnik only had this zero-calorie snack packet of air to give to his extremely inquisitive listeners:

Well, you get to ask us next time we talk.

Solnik said the same to Franceschi-Bicchierai after his talk, which was about the work done by his team on the iPhone’s Secure Enclave Processor (SEP) – the processor that handles data encryption on the device that oh, so many law enforcement and hacker types spend so much time complaining about… or, as the case may be, cracking for fun, fame and profit.

Motherboard, for which Franceschi-Bicchierai writes, did not simply sit and chew over Solnik’s evasion. Rather, it launched a months-long investigation that found what the publication thinks is the answer (but which, mind you, Solnik says is based on nothing but rumor).

Motherboard’s sources say that Solnik and his former colleagues – David Wang and Tarjei Mandt, a team who are all well-known in the iPhone jailbreaking community – got their hands on prototype phones.

Such devices are called “dev-fused” iPhones, and they’re created for internal use at Apple in order to extract and study the SEP software. The iPhones have either not completed the production process, or they’ve been reverted to a development state.

As such, these rare, “pre-jailbroken” iPhones have many security features disabled – a convenient feature for researchers looking to see how they tick and to discover previously unknown iPhone vulnerabilities known as zero days, which can be worth millions of dollars.

The supply chain goose that keeps laying “golden eggs”

These phones are, in fact, “golden eggs,” as one iPhone jailbreaker who asked to be identified as Panaetius told Motherboard. They’re the key to getting around the wall of encryption Apple puts around the SEP and other key components to (try to) ensure that the SEP operating system can’t be extracted or reverse-engineered.

Give a cracker an inch, and they’ll take a mile – exactly what some researchers have done when, following Solnik’s talk, they got their hands on dev-fused iPhones. Motherboard quoted Panaetius, who says he’s bought and re-sold several dev-fused devices:

It’s kind of the golden egg to a jailbreaker. Here’s a device where you can slap all the security mechanisms out of the way. Because there are still security mechanisms on a development fused device, but you can kind of just push them.

For sale: Keys to the kingdom

These golden eggs aren’t supposed to slip out of the production pipeline, but they do. They’re sold by “smugglers and middlemen” for thousands of dollars to hackers and security researchers, Motherboard reports.

Sometimes, they’re stolen from Apple’s factories in China, or from its development campus, according to what one person who sells the devices on Twitter told Motherboard.

Another source, Andrew “Bunnie” Huang, a hardware security researcher, told the publication that he sometimes sees the devices being sold by people who don’t realize how valuable they are:

The gray market guys don’t even know what they sit on half the time. They are just trading trash for cash.

It gives you a new attack surface that’s not as heavily fortified. They don’t put the metaphorical lock on the door until the walls are built on the house, so to speak.

Apple knows what’s up but can’t seem to stop it

Several sources from inside Apple or in the jailbreaking community told Motherboard that they believe Apple is trying to crack down on these devices escaping the production pipeline and is putting more effort into going after the people who sell them. The company would have to be living under a rock not to be aware, given that Solnik teased his Black Hat talk by tweeting a screenshot of a terminal window showing that he'd obtained the SEP firmware.

How, exactly, did Solnik and his team decrypt and reverse-engineer the firmware? They still aren’t saying. What we do know: everybody except Apple is loving the dev-fused iPhones. Motherboard quoted Viktor Oreshkin, an iOS security researcher:

To be honest everyone benefits from Apple’s lousy supply chain management. Except Apple, obviously.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VSH6LpMS9dA/

Serious Security: When randomness isn’t – and why it matters

We’ve written many times about ';--have i been pwned? (HIBP), a website run by security researcher Troy Hunt where you can check how many times your email address has shown up in data breaches.

Amazingly, the number of breached accounts that Troy has processed into his database over the years is just under 7 billion.

We’re not looking at 7 billion real accounts or even still-active accounts, of course, and we’re definitely not looking at 7 billion unique users, which would just about cover everyone on the planet…

…but the cumulative amount of breached data exposed publicly in recent years is alarming.

Fortunately, HIBP doesn’t have passwords for all those breached accounts, because well-run websites store your passwords in salted-hashed-and-stretched form, so that the original passwords can’t be recovered easily in the event of a hack.

The idea of storing a password hash instead of the actual password is that a hash can be used to verify a password, but can’t be reversed to recover the original password. A crook who makes off with 1,000,000 plaintext passwords has already won the battle and has no cracking to do. But a crook with 1,000,000 hashes still has to crack each one by guessing the password that computes to each hash.
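To make the "salted, hashed and stretched" phrase concrete, here is an added example of password storage and verification, written for this page and not HIBP's or anyone else's code. It uses PBKDF2-HMAC-SHA256 from the Python standard library so it runs anywhere; the iteration count and the record format are assumptions for the demo, not a recommendation over a memory-hard function such as scrypt or Argon2 where those are available.

```python
"""Salted, stretched password storage and verification.

Added example, not HIBP's code. PBKDF2-HMAC-SHA256 from the standard
library; ITERATIONS and the record layout are assumptions for the demo.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to ~100 ms on your hardware


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iter$salt_hex$hash_hex'.

    A fresh 16-byte random salt per password means two users with the same
    password get different records, so a cracker cannot precompute one
    table and cannot even tell that the two passwords are identical."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the stored salt and iteration count and compare in
    constant time, so response timing does not leak how many leading bytes
    of the hash a guess got right."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_attempt(record, guesses):
    """What a crook holding only the hash has to do: try guesses one at a
    time. Each try costs the full stretching work, which is why the
    iteration count matters and why a weak password is still weak."""
    for guess in guesses:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    rec = hash_password("correct giraffe battery staple")
    print(rec)
    print(verify_password("correct giraffe battery staple", rec))
    # A leaked hash of a top-ten password falls to a short wordlist.
    weak = hash_password("123456")
    print(crack_attempt(weak, ["password", "qwerty", "123456"]))
```

The record stores the algorithm and iteration count alongside the hash so the work factor can be raised later without invalidating existing users: verify with the stored parameters, then rehash with the new ones on the next successful login.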


Nevertheless, HIBP currently has more than 550,000,000 breached passwords in its database.

Those passwords actually match up with 3.34 billion accounts, given that each leaked password had been chosen by about six different people on average.

Some of us choose passwords like correct­giraffe­battery­staple or QPDizG/­V4gLtmlo30­dXEHLC5, carefully crafted by hand or churned out automatically by a password manager.

Others of us aren’t quite so careful, and pick words that feel or sound secret – or perhaps actually are the word secret – but are well-known to crooks and therefore among the ones they try out first.

A few of us aren’t careful at all, and pick passwords simply because they’re trivial to remember and easy to type in, such as 1234567 or qwertyuiop.

With this in mind, you can probably guess which passwords top the HIBP list…

    1.   0.69%   123456
    2.   0.23%   123456789
    3.   0.11%   qwerty
    4.   0.11%   password
    5.   0.09%   111111
    6.   0.09%   12345678
    7.   0.08%   abc123
    8.   0.07%   1234567
    9.   0.07%   password1
   10.   0.07%   12345
   11.   0.07%   1234567890
   12.   0.07%   123123
   13.   0.06%   000000
   14.   0.05%   iloveyou
   15.   0.04%   1234
   16.   0.03%   1q2w3e4r5t
   17.   0.03%   qwertyuiop

…but what about the best (or the worst) of the rest?

Robert Ou, a software developer from California, asked himself the same question and went looking for the answer. What caught his eye was a 12-character password, ji32k7au4a83, that looks random but turns up in the list far more often than chance allows.

The obvious explanation, you might think, is that the password ji32k7au4a83 was just someone battering away at the keyboard for a bit, so that, in a long list of passwords, it’s reasonable to expect that a few people ended up with the same mash-up of keystrokes by chance.

For example, qpeowpalsk20 looks kind of random, but we bashed it out by typing characters in a left-right-left-right pattern from the top three rows and outer two columns of a US keyboard.

It’s unlikely but far from impossible that two different users just clattering away on their keyboards in a similar way might come up with the same sequence.


A 12-character password from the set a-z0-9 presents 36^12 different choices, for a grand total of nearly five million million million (about 4.738×10^18).

But the qpeowpalsk20 password above comes from a far shorter set of possibilities.

We hit one of the six keys 1, 2, q, w, a or s at the left side of the keyboard, then one of the two keys on the same row at the far right side (9 or 0, o or p, k or l), and repeated the left-right pair six times to get 12 characters.

The total number of different passwords using this approach is (6×2)^6, or just under three million – a minuscule fraction (just 0.00000000006%) of the full password set we'd draw from if we used all the letters and numbers randomly.

Even so, you wouldn't expect to see more than a few examples of qpeowpalsk20 in a list of 550,000,000 passwords, nor would you expect to see many examples of ji32k7au4a83.

But the mysterious password ji32k7au4a83 turns up 141 times in the HIBP list, compared to zero appearances of our own “randomly mashed” password.

Why so many hits?

The explanation of why one 12-character random-looking sequence turned up so often is fascinating and depressing in equal measure.

The Twittersphere quickly figured out that the key sequence makes sense on what’s known as a Bopomofo keyboard.

That's a keyboard layout widely used in Taiwan for typing Mandarin Chinese: you key in the phonetic symbols (and tone mark) of each syllable, and the input method turns them into Chinese characters as you go.

The name Bopomofo is a bit like the English word alphabet, which comes from the first two Greek letters, alpha and beta, or the Arabic abjad, named after the sounds of the first four Arabic letters. Bopomofo refers to the first four symbols (ㄅ, ㄆ, ㄇ, ㄈ: bo, po, mo, fo) of the phonetic system known as Zhuyin, essentially an alphabet of distinct sounds.

As Twitter fan and scientist Peter Barfuss, who’s from Paris, quickly pointed out:

The simple truth is that the unusual repetition of ji32k7au4a83 isn’t so unusual after all.

All it does is remind us that at least some users in Taiwan have exactly the same bad password habits as the rest of us.

In case you’re wondering, the Roman-character password mypassword was repeated 38,621 times in the HIBP data, while the abovementioned not-so-secret password secret came in 159th place, used 226,313 times.
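The Bopomofo explanation lends itself to a quick check: map each keystroke back to its Zhuyin symbol and see whether the result splits into well-formed syllables. The following is an added example, not from the original article or from Ou's or Barfuss's tweets. The keymap is the standard Zhuyin layout on a US keyboard as transcribed by the editor; the segmentation rule (a syllable ends at a tone key; first tone has no key and is therefore not handled) is a simplification for the demo, and the function does not validate that the symbols form a pronounceable Mandarin syllable. The four syllables it recovers from ji32k7au4a83 are wǒ de mì mǎ, which is the Mandarin for "my password"; that reading is the editor's, not a claim the article makes.

```python
"""Does a 'random-looking' password decode as Zhuyin keystrokes?

Added example, not part of the original article. ZHUYIN_KEYMAP is the
standard Zhuyin (Bopomofo) layout on a US keyboard, transcribed by the
editor; the syllable rule is a deliberate simplification.
"""

ZHUYIN_KEYMAP = {
    # initials
    "1": "ㄅ", "q": "ㄆ", "a": "ㄇ", "z": "ㄈ",
    "2": "ㄉ", "w": "ㄊ", "s": "ㄋ", "x": "ㄌ",
    "e": "ㄍ", "d": "ㄎ", "c": "ㄏ",
    "r": "ㄐ", "f": "ㄑ", "v": "ㄒ",
    "5": "ㄓ", "t": "ㄔ", "g": "ㄕ", "b": "ㄖ",
    "y": "ㄗ", "h": "ㄘ", "n": "ㄙ",
    # medials and finals
    "u": "ㄧ", "j": "ㄨ", "m": "ㄩ",
    "8": "ㄚ", "i": "ㄛ", "k": "ㄜ", ",": "ㄝ",
    "9": "ㄞ", "o": "ㄟ", "l": "ㄠ", ".": "ㄡ",
    "0": "ㄢ", "p": "ㄣ", ";": "ㄤ", "/": "ㄥ", "-": "ㄦ",
    # tone marks (first tone is typed with the space bar, so it is absent)
    "6": "ˊ", "3": "ˇ", "4": "ˋ", "7": "˙",
}
TONE_KEYS = set("6347")


def to_zhuyin(keys):
    """Transliterate keystroke by keystroke; None if any key is not on the
    Zhuyin layout (uppercase letters are folded to lowercase first)."""
    out = []
    for ch in keys.lower():
        sym = ZHUYIN_KEYMAP.get(ch)
        if sym is None:
            return None
        out.append(sym)
    return "".join(out)


def segment_syllables(keys):
    """Split the keystrokes into syllables, each ending at a tone key.

    Returns a list of Zhuyin syllables, or None when the string does not
    parse: an unknown key, a 'syllable' of the wrong length (a Mandarin
    syllable carries one to three symbols plus the tone), or trailing keys
    with no tone, which this simplified rule treats as not-Zhuyin."""
    syllables, cur = [], []
    for ch in keys.lower():
        if ch not in ZHUYIN_KEYMAP:
            return None
        cur.append(ZHUYIN_KEYMAP[ch])
        if ch in TONE_KEYS:
            if not 2 <= len(cur) <= 4:
                return None
            syllables.append("".join(cur))
            cur = []
    if cur:
        return None
    return syllables


def looks_like_zhuyin(keys):
    """True when the keystrokes parse as a run of toned Zhuyin syllables."""
    return segment_syllables(keys) is not None


if __name__ == "__main__":
    for pw in ("ji32k7au4a83", "qpeowpalsk20", "123456"):
        print(pw, to_zhuyin(pw), segment_syllables(pw))
```

Run against the two strings from the article, the HIBP oddity parses into four toned syllables while our own keyboard mash does not parse at all, which is the whole point: one of them was never random. A breach-analysis pipeline can apply the same idea with other input methods (Pinyin, Cangjie, Japanese romaji) before treating a high-frequency "random" string as a coincidence.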

What to do?

  • Randomness often isn't. The fact that a bunch of data "looks" random means nothing, and never can on its own. When you're evaluating whether something is random or not, you need to address the whole history of that data: how it was generated, where it was used, what happened to it next, and whether it was re-used inappropriately.
  • Proper passwords matter. Mashing away at the keyboard is better than using your cat's name, but as we explained above, you usually end up picking from a tiny fraction of the password space that a decent random generator would draw from.
  • Two-factor authentication is your friend. This story is a simple but very effective reminder of just how prevalent password breaches are, and that if you’re sending passwords to websites, even temporarily, you don’t have any control over how well or how badly they subsequently treat that password. A second factor, such as a one-time login code, makes account takeover much harder for the crooks.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZsltRDUiOpw/

Nah, National Cyber Security Centre doesn’t need its own minister, UK.gov tells Parliament

The British government has rejected Parliamentary calls for greater ministerial control over the National Cyber Security Centre (NCSC), an arm of secretive spy agency GCHQ.

In addition, the government affirmed that it will actively try to remain a part of the EU’s Networks and Information Systems Co-operation Group, as well as its “associated work streams, and with the network of Computer Security Incident Response Teams” after Britain leaves the EU, which is currently set for the end of this month.

The news will come as a relief to those who believe British national security is under threat if EU sources of cybersecurity information are closed off to the UK after Brexit.

In its response to a House of Commons report (PDF) about the security of UK critical national infrastructure (CNI), the government said that the current oversight setup for the NCSC, where it answers to the Foreign Secretary via a long chain of officials and ministers, is “the most effective way of achieving our vision of cyber security as a core, embedded part of Government policy for every CNI sector”.

Parliament’s Joint Committee on the National Security Strategy had previously criticised the government for not having a Cabinet Office minister dedicated to overseeing the NCSC, as well as Britain’s CNI infosec improvement efforts.

The government also refused, in its response to Parliament published yesterday, to produce annual reports into how the National Cyber Security Programme (NCSP) was being delivered. These reports were something that the previous Conservative-Liberal Democrat coalition government led by David Cameron was happy to do. Parliament described this refusal as “a backwards step, given that the previous Government published Annual Reports and high-level budget breakdowns by activity”.

Although £1.9bn of taxpayers’ money is spent on that strategy every year, the government refuses to tell the public what its money is being spent on because of “national security reasons”, though it did add that a National Audit Office report into the NCSP will be published later this year.

UK CNI companies are “ultimately responsible” for the security of those installations, said the government’s response to Parliament. It appears that the tension between those who believe the government should directly run cybersecurity efforts and those who believe industry knows best what measures need to be taken has yet to be resolved. For now, the government sides with the latter half of the argument. But a bone has been thrown to those who think the state knows best.

It said: “We note the recommendation regarding mandatory corporate reporting on cyber resilience, and will give this further consideration, building on analysis undertaken as part of the 2016 Cyber Security Regulation and Incentives Review. The government agrees that cyber insurance has a part to play in reducing cyber risk.”

Separately from the report response, the government also quietly reiterated that it has a controversial “hack back” unit at its fingertips.

“Britain now has a National Offensive Cyber Programme, delivered by a Joint Mission between GCHQ and the Ministry of Defence,” said foreign secretary Jeremy Hunt, who was giving a speech in Glasgow, Scotland yesterday. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/08/ukgov_rejects_closer_ncsc_ministerial_oversight/

Sign Up Now for Practical, Hands-On Training at Black Hat Asia

These multi-day Trainings provide excellent hands-on technical skill-building opportunities, but you have to act fast — many are almost sold out.

With just weeks to go until Black Hat Asia kicks off in Singapore, organizers want to quickly remind you that you can still sign up for two and four-day Training sessions — but you have to hurry, because many are almost sold out.

Often designed exclusively for Black Hat, these multi-day Trainings provide hands-on technical skill-building opportunities, making them a great way to efficiently level up your skillset under the tutelage of top security experts.

"Pentesting Industrial Control Systems", for example, is a 2-day Training that will teach you everything you need to start pentesting industrial control networks. You'll cover the basics to help you understand the most common ICS vulnerabilities, then spend some time learning and exploiting Windows Active Directory weaknesses (as most ICS are controlled by Windows systems).

The Training will end with a challenging hands-on exercise: A capture-the-flag challenge in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, then pivot to an ICS setup to take control of a model train and robotic arms.

"Tactical OSINT For Pentesters" is another promising 2-Day Training that will help you become a better pentester by teaching you how to effectively reconnoiter a target using open-source intelligence (OSINT).

Covering critical topics like attack surface mapping, employee profiling, and identifying hidden injection points, this Training aims to help you effectively protect clients against the latest threats. You’ll be provided with a framework to manage and prioritize all the data collected during the course, as well as private lab access for one month so you can practice what you learned. Don’t miss it!

If you’re looking for something a bit more advanced, consider “Advanced Infrastructure Hacking – 2019 Edition”, a fast-paced 2-Day Training that covers a wide variety of neat, new and ridiculous techniques to compromise modern operating systems and networking devices.

This is a condensed and streamlined version of a 4-Day Training, and to fit the entire training material within 2 days, some of the exercises have been replaced by demos shown by the instructor. It offers a lot of practical, hands-on learning. Plus, students will receive a free month of lab access to practice each exercise after the class.

While most of the 4-Day Trainings at Black Hat Asia are now sold out, there’s still a little room left to sign up for “Adversary Tactics- Red Team Ops,” an intense course that will walk you through how to perform Red Team operations and defend against modern threats.

You’ll be immersed in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems, modern defenses, and active network defenders responding to Red Team activities. You’ll also learn about all phases of a Red Team engagement in depth: advanced attack infrastructure setup and maintenance, user profiling and phishing, advanced Kerberos attacks, data mining, and exfiltration. Sign up quick — only a few spaces remain!

Black Hat Asia returns to the Marina Bay Sands in Singapore March 26-29, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/sign-up-now-for-practical-hands-on-training-at-black-hat-asia/d/d-id/1334119?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ultrasound Machine Diagnosed with Major Security Gaps

Check Point researchers investigate security risks and point to implications for medical IoT devices.

RSA CONFERENCE 2019 – San Francisco – Vulnerabilities in connected medical devices could have massive implications for patients and the healthcare industry as a whole.

The Internet of Medical Things (IoMT) is poised to broaden the attack surface for healthcare organizations, according to Check Point experts. Eighty-seven percent of healthcare institutions are expected to use IoT technologies by the end of 2019, with nearly 650 million IoMT devices in use by 2020, states a new Check Point study. The study underscores the danger of what could happen if these devices are poorly secured.

IoT devices collect vast stores of data and are commonly built on outdated software and legacy operating systems. This makes them a simple gateway for cybercriminals, who could break in and move laterally across the target network.

Consider ultrasound technology. Researchers explain how “huge advancements” have been made to provide detailed health data to doctors and patients. Unfortunately, they report, this innovation hasn’t made its way to the security of IT environments where ultrasound machines sit. To prove this point, they went “under the hood” of a real ultrasound device.

What they found was a machine running Windows 2000. Like the operating systems under many IoMT devices, it no longer receives updates or patches, which leaves both the machine and its data exposed to intruders. It wasn't hard to exploit known vulnerabilities and access its database of ultrasound images, they explain.

An attacker with this access could launch a ransomware campaign on the hospital system or swap patients’ images. “Think how much chaos that can do in the hospital,” said Oded Vanunu, head of product vulnerability research at Check Point, in an interview with Dark Reading here at the RSA Conference.

Cybercriminals may use health records to get pricey medical services and prescription medications; they may also gain access to government health benefits. Or they could sell it: The Ponemon Institute found healthcare breaches are most expensive, at $408 per record.

Healthcare organizations often don’t have the budget for strong IT and security, Vanunu explained. “Hospitals are flat networks – from our perspective … we think cybercrime will start to move to the weakest networks.” It’s happening already, he noted.

IoMT devices are in mass production, Vanunu continued, but nothing is being done to secure them. Because the device Check Point analyzed was running Windows 2000, exploiting it was simple. “We didn’t use any sophisticated tools,” Vanunu said. “No zero-day, no reverse-engineering vulnerability. Any beginner can exploit it.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/ultrasound-machine-diagnosed-with-major-security-gaps/d/d-id/1334118?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple


Give a cracker an inch, and they’ll take a mile – exactly what some researchers have done when, following Solnik’s talk, they got their hands on dev-fused iPhones. Motherboard quoted Panaetius, who says he’s bought and re-sold several dev-fused devices:

It’s kind of the golden egg to a jailbreaker. Here’s a device where you can slap all the security mechanisms out of the way. Because there are still security mechanisms on a development fused device, but you can kind of just push them.

For sale: Keys to the kingdom

These golden eggs aren’t supposed to slip out of the production pipeline, but they do. They’re sold by “smugglers and middlemen” for thousands of dollars to hackers and security researchers, Motherboard reports.

Sometimes, they’re stolen from Apple’s factories in China, or from its development campus, according to what one person who sells the devices on Twitter told Motherboard.

Another source, Andrew “Bunnie” Huang, a hardware security researcher, told the publication that he sometimes sees the devices being sold by people who don’t realize how valuable they are:

The gray market guys don’t even know what they sit on half the time. They are just trading trash for cash.

It gives you a new attack surface that’s not as heavily fortified. They don’t put the metaphorical lock on the door until the walls are built on the house, so to speak.

Apple knows what’s up but can’t seem to stop it

Several sources from inside Apple or in the jailbreaking community told Motherboard that they believe Apple is trying to crack down on these devices escaping the production pipeline and that it’s putting more effort into going after people who sell them. The company would have to be living under a rock not to be aware, given that Solnik teased his Black Hat talk by tweeting a screenshot of a terminal window showing that he’d obtained the SEP firmware.

How, exactly, did Solnik and his team decrypt and reverse-engineer the firmware? They still aren’t saying. What we do know: everybody except Apple is loving the dev-fused iPhones. Motherboard quoted Viktor Oreshkin, an iOS security researcher:

To be honest everyone benefits from Apple’s lousy supply chain management. Except Apple, obviously.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VSH6LpMS9dA/

Windows Calculator is going open source

Can the combined power of the world’s developers possibly improve the iconic Windows Calculator app?

Microsoft is so sure they can that this week it posted the source code for one of the most used applications in history on GitHub, under the open source MIT License.

In a week when the NSA open-sourced all 1.2 million lines of code for its Ghidra reverse engineering tool, the Windows Calculator’s 35,000 lines of C++ might sound a bit puny by comparison.

But what Calculator lacks in size, it more than makes up for in the stature of having been in every version of Windows since version 1.0 in 1985.

It could be that the move is simply good PR, showcasing the company’s Damascene conversion to the idea of open source, coming only months after it offered up the admittedly ancient Windows File Manager on identical terms.

And then, as Microsoft blogs, there’s the fact that:

Reviewing the Calculator code is a great way to learn about the latest Microsoft technologies like the Universal Windows Platform, XAML, and Azure Pipelines.

Or perhaps Microsoft thinks it’ll be flooded with improvements for a program that’s already becoming weighed down with all sorts of clever features (using data conversion to usefully calculate that 1 Yobibyte is equivalent to 239.5 quadrillion DVDs, for example).

What to do?

Anyone who fancies having a fiddle will need to be running Windows 10, version 1803 or newer, and have installed the latest free or licensed version of Visual Studio, plus:

  • The “Universal Windows Platform Development” workload
  • The optional “C++ Universal Windows Platform tools” component
  • The latest Windows 10 SDK

Whilst bearing in mind that:

Calculator will continue to go through all usual testing, compliance, security, quality processes, and Insider flighting, just as we do for our other applications. You can learn more about these details in our documentation on GitHub.

Rummaging around in the source code might bring to light security issues, in which case coders should report their findings to the Microsoft Security Response Center (MSRC).

Whatever the open source experiment throws up, Calculator’s status among security researchers is assured – for years it’s been a popular way to demonstrate browser proof-of-concept sandbox escapes.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8yLGz4EwBcg/