Category: Cybersecurity


Following the release of the original iPhone in 2007 and the subsequent launch of Android, many people with work-issued phones spent years asking for their employers to switch away from BlackBerry smartphones to more modern devices. Finally, as Apple and Google increased their focus on security and BlackBerry hit dire straights a few years ago, workers began getting what that wanted and bring your own device (BYOD) policies became more common.

More recently, however, an interesting trend is being observed: Workers want their BlackBerry’s back.

CIO’s Tom Kaneshige reports on an interesting phenomenon that we’ve heard rumblings of in the past. At companies where employees were permitted to ditch their work-issued BlackBerry phones and bring their own iPhones and Android handsets, they’re now begging their IT departments to move back to BlackBerry.

Why? It turns out there are a few reasons.

For one thing, there are privacy concerns. When workers use their own iOS and Android devices, IT departments gain access to all of their private data in addition to any corporate apps that might be on the devices. It’s never a good thing when you have to hand over a smartphone packed full of naked selfies so that IT can fix an issue with email not syncing properly.

Beyond that, IT professionals Kaneshige spoke with say they are having some serious problems with mobile device management (MDM) software, and the related on-device apps often cause issues like battery drain and device bogging.

Source: BGR

Google and Microsoft have both revealed that they will integrate a ‘kill switch’ into the next versions of their smartphone operating systems, allowing customers to disable their devices if they are lost or stolen.

Google told Bloomberg that it will add a “factory reset protection solution” to its next version of Android

Meanwhile, Microsoft’s vice president for US government affairs, Fred Humphries, said that the company would be adding new anti-theft capabilities to its Find My Phone feature in Windows Phone before July 2015.

“With these additional features, we’re hopeful that technology – as part of a broader strategy – can help to further reduce incentives for criminals to steal smartphones in the first place,” Humphries said in a blog post.

The news comes after Apple introduced ‘activation lock’ and ‘delete phone’ to its Find My iPhone app in September 2013.

As a result, robberies involving the company’s products reportedly decreased by 19 per cent in New York in the first five months of this year. San Francisco and London have also seen Apple-related robberies drop.

New York attorney general Eric Schneiderman said the statistics illustrate the “stunning effectiveness of kill switches”, and has called for other smartphone companies to add theft-deterrence features to their devices.

US Senator Amy Klobuchar, a Minnesota Democrat, and Jose Serrano, a New York Democrat, have both introduced bills that would require phones sold in the US to include kill-switch technology.

Last summer, the Mayor of London Boris Johnson also wrote to eight companies – including Apple, Samsung and Google – stating that about 10,000 handsets are stolen every month in London, and manufacturers have a “corporate responsibility” to help tackle thefts.

“If we are to deter theft and help prevent crimes that victimise your customers and the residents and visitors to our city, we need meaningful engagement from business and a clear demonstration that your company is serious about your corporate responsibility to help solve this problem,” Mr Johnson told manufacturers.

“Each of your companies promote the security of your devices, their software and information they hold, but we expect the same effort to go into hardware security so that we can make a stolen handset inoperable and so eliminate the illicit second-hand market in these products.

“We hope you would support this objective. Customers and shareholders surely deserve to know that business cannot and must not benefit directly from smartphone theft through sales of replacement devices.”

Source: The Telegraph

The discovery of Heartbleed, a flaw in one of the most widespread encryption standards used online, has panicked webmasters and users alike.

The bug has gone unnoticed for more than two years and could have potentially given hackers access to an unlimited array of secure data — everything from passwords and login details to credit card numbers and addresses.

Although it’s difficult to say exactly how many websites have been exposed, the lower estimates are around 500 million with a large number of major web companies (Google, Facebook, Yahoo, etc) all forced to update their software to protect against the bug.

However, there have been quite a lot of mixed messages as to whether or not users should change their passwords, with some outlets urging that you should create new ones immediately while others are advising that you wait.

To add to the confusion there’s also been reports of hackers sending out phishing emails related to Heartbleed — in order to trick users into giving up passwords that have yet to be compromised. Be on the look out for these and don’t follow any links in suspicious looking emails – if you want to change a password go to the site directly.

Which sites are affected?
Most Google sites and services (including Gmail and YouTube – but not Chrome) were affected, as were sites maintained by Yahoo (including Tumblr and Flickr). Facebook was also hit by the bug although Twitter and LinkedIn were not.

Other big sites that have confirmed that they weren’t affected include Amazon, Hotmail and Outlook, eBay, PayPal and all of Apple’s properties — including iCloud and iTunes. If you want to check whether or not a site you use is still affected then you can do so here — just enter the URL.

Another big worry is for online banking, but thankfully we have some good news in that department. Lloyds, HSBC, RBS, Natwest, Santander and the Co-Op have all confirmed that they were not affected by the bug (they were using different encryption standards). Barclays has yet to issue a statement.

However, this does not mean that your credit card details are completely safe — as they could have been compromised via your Gmail or another third-party site. The security of mobile banking apps is still a developing situation as well.

So do I need to change my passwords?
In a word: Yes. For the sites we’ve listed above as being affected (including Gmail, Yahoo, Tumblr, Flickr, Facebook) it definitely won’t hurt to change your password some time in the next couple of weeks.

Although security experts have warned that you shouldn’t be too quick to change passwords, this is because not all website have patched their servers and changing your password before this happens could make matters worse. The sites we’ve listed above have patched their servers and if you want to check one we’ve not mentioned — click here and enter the URL.

Unfortunately, some sites (including Google) have specifically said that users don’t need to change their passwords. While it’s true that some sites are confident that they fixed the bug a while back, as most of us are guilty of changing our passwords less frequently than we should do (aka never) we think that this is as good an opportunity as ever to be a bit more security-conscious.

What should my new password be?
In lists of the most frequently used passwords online there’s some obvious clangers that we know you’re too smart to use (these include old standbys such as ’123456′ and ‘password’ itself) but just because a password doesn’t look obvious to you that doesn’t make it safe.

This means that you shouldn’t really use any single words that are found in the dictionary, any words connected to you (place of birth or pets’ names), nor should you use any obvious ‘substitutions’ (eg pa55w0rd — more complicated variations are required) or patterns derived from your keyboard layout (eg ’1qaz2wsx’ or ‘zxcvbnm’).

It’s wise to use a variety of characters in your password (including upper and lower case as well as numbers) but an easy way to get more secure is to start thinking of your password as a passphrase.

The easiest way of increasing the difficulty of a password is by simply making it longer — so try combining multiple words together and then adding in numbers between them.

You could pick a number of some significance to you (for example a loved one’s birthday, ie 12/08/1970) and then splicing this with a nonsensical phrase (‘shoesplittingwatchwizard’) to get a suitably difficulty password: Shoe12Splitting08Watch1970Wizard.

Other suggested methods for making a strong and memorable password include taking a sentence or a favourite line from a song as a starting point. So you might take the line “When you call my name it’s like a little prayer” and turn it into wuCmNilaLP. Madonna is optional of course, but we think this a fun method — especially if you can work in numbers somewhere.

You should also use different passwords for your different accounts (perhaps the most difficult piece of advice to follow of all) and if you want to be really secure you should also set up two-step authentication where available.

Ryan says: I recommend everyone on any of the sites mentioned in this article to change their passwords ASAP.

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn’t be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.

The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical “goto fail” flaw that for months put users of Apple’s iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug.

“It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification,” an advisory issued by Red Hat warned. “An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.”

GnuTLS developers published this bare-bones advisory that urges all users to upgrade to version 3.2.12. The flaw, formally indexed as CVE-2014-0092, is described by a GnuTLS developer as “an important (and at the same time embarrassing) bug discovered during an audit for Red Hat.” Debian’s advisory is here.

As was the case with last week’s critical encryption bug from Apple, the GnuTLS vulnerability is the result of someone making mistakes in source code that controls critical functions of the program. This time, instead of a single misplaced “goto fail” command, the mistakes involve errors with several “goto cleanup” calls. The GnuTLS program, in turn, prematurely terminates code sections that are supposed to establish secure TLS connections only after the other side presents a valid X509 certificate signed by a trusted source. Attackers can exploit the error by presenting vulnerable systems with a fraudulent certificate that is never rejected, despite its failure to pass routine security checks. The failure may allow attackers using a self-signed certificate to pose as the cryptographically authenticated operator of a vulnerable website and to decrypt protected communications. It’s significant that no one managed to notice such glaring errors, particularly since they were contained in code that anyone can review.

Security researchers are still studying the vulnerability and assessing its effect on the wide array of OSes and applications that depend on GnuTLS. For the moment, readers should assume that the severity is critical given the dizzying amount of downstream code that may be affected. One example: the apt-get installer some distributions of Linux use to distribute and update applications relies on GnuTLS, although exploits against the package can probably be caught by cryptographic code-signing of the downloaded program (thanks to readers for pointing out this secondary level of protection). Version 3 of lib-curl, which is distributed in Debian and Ubuntu, also depends on GnuTLS. Some Debian- and Ubuntu-based virtual private networking applications that work with Cisco Systems hardware are also affected. This list goes on and on.

Source: ArsTechnica

Cybercriminals have infected the computers of digital currency holders, using a virus known as “Pony” to make off with account credentials, bitcoins and other digital currencies in one of the largest attacks on the technology, security services firm Trustwave said.

The attack was carried out using the “Pony” botnet, a group of infected computers that take orders from a central command-and-control server to steal private data. A small group of cybercriminals were likely behind the attack, Trustwave said.

Over 700,000 credentials, including website, email and FTP account log-ins, were stolen in the breach. The computers belonging to between 100,000 and 200,000 people were infected with the malware, Trustwave said.

The Pony botnet has been identified as the source of some other recent attacks, including the theft of some 2 million log-ins for sites like Facebook, Google and Twitter. But the latest exploit is unique due to its size and because it also targeted virtual wallets storing bitcoins and other digital currencies like Litecoins and Primecoins.

Eighty-five wallets storing the equivalent of $220,000, as of Monday, were broken into, Trustwave said. That figure is low because of the small number of people using Bitcoin now, the company said, though instances of Pony attacks against Bitcoin are likely to increase as adoption of the technology grows. The attackers behind the Pony botnet were active between last September and mid-January.

“As more people use digital currencies over time, and use digital wallets to store them, it’s likely we’ll see more attacks to capture the wallets,” said Ziv Mador, director of security research at Chicago-based Trustwave.

Most of the wallets that were broken into were unencrypted, he said.

“The motivation for stealing wallets is obviously high—they contain money,” Trustwave said in a blog post describing the attack. Stealing bitcoins might be appealing to criminals because exchanging them for another currency is easier than stealing money from a bank, Trustwave said.

There have been numerous cyberattacks directed at Bitcoin over the last year or so as its popularity grew. Last year, a piece of malware circulating over Skype was identified as running a Bitcoin mining application. Bitcoin mining is a process by which computers monitor the Bitcoin network to validate transactions.

“Like with many new technologies, malware can be an issue,” said a spokesman for the Bitcoin Foundation, a trade group that promotes the use of Bitcoin, via email. Wallet security should improve, the spokesman said, as more security features are introduced, like multisignature transactions, he said.

Digital currency users can go to this Trustwave site to see if their wallets and credentials have been stolen.

Source: PC World

Apple quietly released iOS 7.06 late Friday afternoon, fixing a problem in how iOS 7 validates SSL certificates. Attackers can exploit this issue to launch a man-in-the-middle attack and eavesdrop on all user activity, experts warned.

“An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS,” Apple said in its advisory.

Users should update immediately.

Watch Out for Eavesdroppers
As usual, Apple didn’t provide a lot of information about the issue, but security experts familiar with the vulnerability warned that attackers on the same network as the victim would be able to read secure communications. In this case, the attacker could intercept, and even modify, the messages as they pass from the user’s iOS 7 device to secured sites, such as Gmail or Facebook, or even for online banking sessions. The issue is a “fundamental bug in Apple’s SSL implementation,” said Dmitri Alperovich, CTO of CrowdStrike.

The software update is available for the current version of iOS for iPhone 4 and later, 5th generation iPod Touch, and iPad 2 and later. iOS 7.06 and iOS 6.1.6. The same flaw exists in the latest version of Mac OS X but has not yet been patched, Adam Langley, a senior engineer at Google, wrote on his ImperialViolet blog. Langley confirmed the flaw was also in iOS 7.0.4 and OS X 10.9.1

Certificate validation is critical in establishing secure sessions, as this is how a site (or a device) verifies that the information is coming from a trusted source. By validating the certificate, the bank website knows that the request is coming from the user, and is not a spoofed request by an attacker. The user’s browser also relies on the certificate to verify the response came from the bank’s servers and not from an attacker sitting in the middle and intercepting sensitive communications.

Update Devices
It appears Chrome and Firefox, which uses NSS instead of SecureTransport, aren’t affected by the vulnerability even if the underlying OS is vulnerable, Langley said. He created a test site at https://www.imperialviolet.org:1266. “If you can load an HTTPS site on port 1266 then you have this bug,” Langley said

Users should update their Apple devices as soon as possible, and when the OS X update is available, to apply that patch as well. The updates should be applied while on a trusted network, and users should really avoid accessing secure sites while on untrusted networks (especially Wi-Fi) while traveling/

“On unpatched mobile and laptop devices, set ‘Ask to Join Networks’ setting to OFF, which will prevent them from showing prompts to connect to untrusted networks,” wrote Alex Radocea, a researcher from CrowdStrike.

Considering recent concerns about the possibility of government snooping, the fact that iPhones and iPads were not validating certificates correctly can be alarming for some. “I’m not going to talk details about the Apple bug except to say the following. It is seriously exploitable and not yet under control,” Matthew Green, a cryptography professor at Johns Hopkins University, posted on Twitter.

Check out this video from News Loop:

 

Source: PC World Security Watch

Just a few months ago, a story broke about how Samsung smart TVs were susceptible to remote spying by users that hack into the built-in camera. Now, new research demonstrates that MacBook webcams are just as susceptible to being hacked and spied-on as televisions.

Researchers at John Hopkins University discovered exactly how the hacking process is possible without signaling for the light adjacent to the camera to turn on, which is usually an indication that the camera is on.

The primary researcher, computer science professor Stephen Checkoway, published a paper in conjunction with graduate student Matthew Brocker entitled “iSeeYou: Disabling the MacBook Webcam Indicator LED” that contains the detailed process of remotely spying on others’ laptops. Although the researchers could only prove their methods worked with MacBooks created before 2008, they suggest that the process could be successfully repeated with newer computers.

The Washington Post recently ran an article detailing the story of Miss Teen USA Cassidy Wolf, who received nude photographs of herself via email. After an FBI investigation, the authorities discovered that Wolf’s former high school classmate Jared Abrahams had hacked into her computer, as well as the computers of several other women, and had been spying on them via their webcam.

The case of Wolf as well as the new research from John Hopkins raises several issues about privacy and security in the modern world. While Apple’s light was intended as a security feature to alert users when their camera was on, it appears that hackers have found an easily solution to disable that feature. According to The Washington Post, the FBI has been using similar hacking technology for years.

Source: PRPick.com

Got fancy new iOS 7 on that iPhone of yours? Beware. There’s a super simple bug that can let anyone blow right by your lockscreen and look through your pictures, and even share them.

The process was discovered by Jose Rodriguez, and even though it has quite a few steps, it’s super easy to master. Here’s how it works:

  • Swipe up on the locked phone to get to the control panel
  • Open the stopwatch app
  • Go over to alarm clock
  • Hold the power button until you get the “Power down” prompt
  • Hit the cancel button and immediately hit the home button twice, holding it down just a little longer on the second press. Like, buh-baah. It takes a try or two to get the hang of.

Then, bam, you’re in the target’s multitasking menu and can start goofing around. If you go to the camera app, you’ll be treated to unrestricted access to the Photo Stream, and can share the pictures from there with email, Twitter, and more. It’s pretty scary. This isn’t the first time a bug like this has showed up in iOS either. Hopefully it’s the last.

We were able to replicate the bug on an iPhone 4s and an iPhone 5, and Jose. We can’t tell for sure if it works on the iPhone 5S or 5C yet, but there’s little reason to think it wouldn’t.

We’ve reached out to Apple for comment, and there’s no doubt they’ll be issuing a fix in the near future. But in the meantime, just be aware that your photos aren’t safe from prying eyes. The prying eyes of an up-to-date nerd, at least.

Update: You can fight this by turning off the Control Center access on the lockscreen. Just go to Settings, Control Center, and set Lockscreen Access to off. But man, lockscreen Control Center is awesome and it’s on by default. So maybe just don’t leave your phone with creeps?

Ryan says: I’ve been able to get into iPhone’s for a LONG time now.. when is Apple fixing these holes?

A vulnerability in the BlackBerry Protect software built into Z10 smart phones could allow hackers to gain access to the passwords of some devices, according to a security advisory issued by BlackBerry

By taking advantage of “weak permissions” malicious applications will be able to:

  • Gain the device password if a remote password reset command had been issued through the BlackBerry Web site
  • Intercept and prevent the phone from acting on BlackBerry Protect commands, such as remote wipe
BlackBerry said the issue is with the BlackBerry Protect software and not the Z10’s operating system.

“The most severe potential impact of this vulnerability requires a BlackBerry Z10 smart phone user to install a specially crafted malicious app, enable BlackBerry Protect and reset the device password through BlackBerry Protect,” the advisory said.

With the device password and physical access to the phone, an attacker can:

• Access the functionality of the smartphone (including the BlackBerry Hub, apps, data, and the phone) by unlocking the smartphone.
• Unlock the work perimeter on a BlackBerry Z10 smartphone that has BlackBerry Balance technology enabled if the work perimeter password is the same as the device password.
• Access the smartphone over a USB tether with either BlackBerry Link or the computer’s file viewer, allowing access to the smartphone’s personal files, contacts, PIM data, and so on. The attacker could also access work perimeter content on BlackBerry Balance smartphones if the work perimeter is unlocked and access over a USB tether is allowed by a policy that the IT administrator sets.
• Enable development mode after accessing the smartphone over a USB tether, allowing remote access as a low privilege development user.
• Change the current device password, allowing the attacker to deny access to the legitimate user of the smartphone.
• Access any other local and enterprise services for which the legitimate user has used the same password as the smartphone’s password.

An attacker can also gain Wi-Fi access to the phone if the owner enables Wi-Fi storage access on the Z10 and sets a storage access password that is the same as the device password.

Researchers from the Georgia Institute of Technology will be demonstrating a proof-of-concept method of hacking an iPhone using a malicious USB charger. Billy Lau, Yeongjin Jang, Chengyu Song announced the demonstration for Black Hat USA 2013, an annual conference for hackers and security researchers that begins on July 27th in Las Vegas.

The short version is the three researchers found a way to use USB protocols to bypass some of Apple’s security features in iOS that prevent unauthorized software from being installed on your iOS device. The three built a charger based on a BeagleBoard (see below)—a US$125 computer-on-a-circuit-board—that was able to successfully insert malware onto an iPhone plugged into it.

Worse, they can do so in under a minute.

“Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” the researchers wrote on their BlackHat presentation description. “All users are affected, as our approach requires neither a jailbroken device nor user interaction.”

In the demonstration, they said will discuss Apple’s existing security mechanisms that protect against “arbitrary software installation,” which in layman’s terms essentially means malware. They will then describe how standard USB capabilities can be, “leveraged to bypass these defense mechanisms.” To finish it off, they will demonstrate how this same process can be used to then hide the resulting malware from the user the same way Apple hides its own built in software.

The three researchers named their malicious charger “Mactans.”

The BeagleBoard it is based on is an off-the-shelf circuit board that can be used to create all manner of tiny computing devices running Angstrom (Open Embedded), Debian, Ubuntu, and Gentoo. There are other BeagleBoard products as well, including a slightly larger model with a 1GHz Sitara ARM Cortex-A8 processors that can run Android.

The point the researchers are making is that their method can be accomplished with readily available technology.

“While Mactans was built with limited amount of time and a small budget,” they wrote, “we also briefly consider what more motivated, well-funded adversaries could accomplish.”

The researchers will offer methods for protecting yourself against such an attack—we’ll throw out that you should probably be choosy about using a charger whose provenance you can’t verify—and what Apple can do to make this attack, “substantially more difficult to pull off.”

Source: UPI