SIM Cards Cracked; Hundreds of Millions of Phones Vulnerable
I love this one — it looks so easy (I’m sure it isn’t) that it’s surprising that it hasn’t been done before. But it’s strange how many vulnerabilities / bugs / flaws get found just before Black Hat.
Ubuntu Forum Hacked; 1.8 Million Accounts Compromised
The worry here is that users who are no longer active on the site might not realise their passwords have been compromised — and if they use the same password elsewhere, well…
Apple Developer Site Breached
Or was it? Ibrahim Balic says it wasn’t, but it could have been. Apple, in typical ‘say nothing’ mode is giving very little away. But if Balic is right, the price of his publicity could be a nasty lawsuit from Apple (remember, they once sued a grocer for selling apples too much like their own).
Trend has done an analysis of #OpIsrael attacks on April 7. It notes that on that particular day, traffic to one particular website, normally around 90% Israeli, became 90% international due to the botnet DDoS attacks.
This increase in non-Israeli traffic was well distributed, with users from 27 countries (besides Israel itself) accessing the target site.
This is factual and we can take it at face value from a company like Trend. The next comments, however, start with fact but end in interpretation:
[fact] Examining the IP addresses that had accessed the target site, we noticed that some of these were known to be parts of various botnets under the control of cybercriminals. In addition, further investigation revealed that these IP addresses had been previously identified as victims of other attacks like FAKEAV, ransomware, and exploit kits.
[opinion] These findings highlight how major DDoS attacks are, at least in part, not just carried out by hacker groups like Anonymous but by cybercriminals as well. These attacks are not nearly as “harmless” as some would think.
The interpretation is that because a particular PC is known to be infected with a bot, participation in the DDoS attack against Israel was necessarily under the direction of the botherder criminal. But an alternative interpretation could be that the PC owner, entirely independently, decided to take part in the protest. (This is unlikely given the need to hide the source IP during such a protest.) Another possibility, however, could be that an activist protester, not otherwise a criminal, could have hired a botnet from a criminal, not otherwise an activist.
My point is that the final comment (“major DDoS attacks are, at least in part, not just carried out by hacker groups like Anonymous but by cybercriminals as well”) is a non sequitur from the preceding argument. Trend may be right; but it should not be making such a bald statement without further ‘proof’.
It highlights a danger we all face as we shift our news intake from traditional newspapers to blogs: the automatic acceptance of an opinion as fact. Blogs, for their part, should draw a distinction between fact and opinion – and the conclusion of this particular blog should be clearly labelled ‘opinion’.
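To make the fact/opinion line concrete from a defender’s side, here is an added example (not part of the original post, and not Trend’s analysis or data): it takes a constructed web access log with a country per source IP and a constructed threat-intelligence feed of CIDR ranges previously seen as botnet members, and reports only what the data can establish: the share of foreign traffic, the number of countries involved, and how many source hosts appear in the bot feed. Whether those hosts were steered by a botherder, hired out, or acting on their owners’ own initiative is exactly the thing the log cannot tell you, so the report deliberately leaves that field out. All IP addresses (from the documentation ranges), countries and feed entries are made up.

```python
# Added example: separating what an access log proves from what it suggests.
# Every record and feed entry below is constructed for illustration; the
# addresses come from the RFC 5737 documentation ranges.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed access-log records: (source IP, country of origin, request path).
# A normal day: nine Israeli sources and one foreign one.
NORMAL_DAY = [
    ("203.0.113.1", "IL", "/"), ("203.0.113.2", "IL", "/news"),
    ("203.0.113.3", "IL", "/"), ("203.0.113.4", "IL", "/"),
    ("203.0.113.5", "IL", "/about"), ("203.0.113.6", "IL", "/"),
    ("203.0.113.7", "IL", "/"), ("203.0.113.8", "IL", "/news"),
    ("203.0.113.9", "IL", "/"), ("198.51.100.7", "US", "/"),
]

# The attack day: two Israeli sources and eighteen foreign ones from six countries.
ATTACK_DAY = [
    ("203.0.113.1", "IL", "/"), ("203.0.113.2", "IL", "/"),
    ("198.51.100.7", "US", "/"), ("198.51.100.8", "US", "/"), ("198.51.100.9", "US", "/"),
    ("192.0.2.10", "DE", "/"), ("192.0.2.11", "DE", "/"), ("192.0.2.12", "DE", "/"),
    ("192.0.2.20", "BR", "/"), ("192.0.2.21", "BR", "/"), ("192.0.2.22", "BR", "/"),
    ("192.0.2.30", "TR", "/"), ("192.0.2.31", "TR", "/"), ("192.0.2.32", "TR", "/"),
    ("192.0.2.40", "IN", "/"), ("192.0.2.41", "IN", "/"), ("192.0.2.42", "IN", "/"),
    ("192.0.2.50", "FR", "/"), ("192.0.2.51", "FR", "/"), ("192.0.2.52", "FR", "/"),
]

# Constructed threat-intel feed: ranges previously seen as infected hosts.
# Real feeds mix single hosts (/32) and small blocks, so both forms appear here.
KNOWN_BOT_FEED = [
    "192.0.2.8/30",      # covers 192.0.2.8 - 192.0.2.11
    "192.0.2.21/32",
    "192.0.2.41/32",
    "198.51.100.9/32",
    "192.0.2.99/32",     # in the feed but absent from the log
]


def traffic_by_country(records):
    """Share of requests per country. A fact: derivable from the log alone."""
    counts = Counter(country for _, country, _ in records)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()}


def foreign_share(records, home="IL"):
    """Fraction of requests that did not come from the home country."""
    return 1.0 - traffic_by_country(records).get(home, 0.0)


def countries_besides(records, home="IL"):
    """Set of countries other than the home country seen in the log."""
    return {country for _, country, _ in records if country != home}


def known_bot_overlap(records, feed):
    """Distinct source IPs that fall inside any range of the bot feed.

    Also a fact, but one that depends on a second source (the feed), so it
    is only as good as that feed's accuracy and freshness.
    """
    networks = [ip_network(entry) for entry in feed]
    sources = {ip for ip, _, _ in records}
    return {ip for ip in sources if any(ip_address(ip) in net for net in networks)}


def summarise(records, feed, home="IL"):
    """Report the measurable facts and nothing else.

    Note what is absent: there is no field for *why* the flagged hosts took
    part. Membership of a botnet at some earlier date does not show who
    directed the traffic on this day; that is interpretation, not data.
    """
    overlap = known_bot_overlap(records, feed)
    return {
        "foreign_share": round(foreign_share(records, home), 3),
        "countries_besides_home": len(countries_besides(records, home)),
        "sources_total": len({ip for ip, _, _ in records}),
        "sources_in_bot_feed": len(overlap),
    }


if __name__ == "__main__":
    print("normal day:", summarise(NORMAL_DAY, KNOWN_BOT_FEED))
    print("attack day:", summarise(ATTACK_DAY, KNOWN_BOT_FEED))
```

Run as a script it prints the two summaries; on the constructed attack-day log the foreign share is 0.9 and five of twenty source hosts match the feed. The shape of the report is the design point: a blog post drawing on such numbers can state the overlap as a fact, but anything about who was pulling the strings belongs in a clearly separated ‘opinion’ section.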
Evernote (announced it) got hacked on Saturday – joining an illustrious 2013 line-up. New York Times, Wall Street Journal, Washington Post, Twitter, Facebook and Bank of America just off the top of my head.
These are all major companies holding vast amounts of our data – companies you would hope to be hack-proof. Clearly they aren’t, which lends weight to the idea that once you’re targeted, you will be breached.
But if that’s the case, what’s happening with the banks (not counting BofA, of course) and our financial accounts? Are they not being targeted, or is there a cost level to genuine security that the banks achieve, but hardly anyone else?
Are ‘free’ services like Evernote, Twitter, Facebook and the newspapers simply not viable if they have to provide genuine security? Have we reached the stage where ‘free’ means ‘insecure’?
Or are the banks getting breached but just not telling us?
Ahem… I refer my honourable friends to my earlier post last year.
In which, I said,
So Microsoft’s new strategy could be to own both hardware and software – starting with its own tablet but moving into phones (perhaps by buying Nokia?) and desktops (perhaps by buying Dell or Acer, or even building new from scratch?)…
Toward a new strategy for Microsoft
Yesterday, Reuters reported,
Microsoft Corp is in discussions to invest between $1 billion and $3 billion of mezzanine financing in a buyout of Dell Inc, CNBC cited unidentified sources as saying on Tuesday.
Microsoft in talks to invest up to $3 billion in Dell
Keep up, chaps.
Last summer I interviewed Space Rogue and did a story on his history of security hype: A cyber terrorist ate my hamster.
I must now report that the process is alive and well, courtesy of eWeek.
Over the last couple of days the media has been full of a story about two virus outbreaks in US SCADA installations. eWeek is clear in its own story USB Storage Drive Loaded With Malware Shuts Down Power Plant:
The U.S. Computer Emergency Readiness Team reports that a U.S.-based power generating facility was shut down after a contract employee introduced malware into the turbine control systems and into engineering workstations. The contractor routinely used his USB drive to perform updates on control systems as well as workstations in the power plant.
I would just like to point out, very politely, that this is what is known in polite circles as a ‘lie’. ICS CERT did not say that.
I covered this story in Infosecurity Magazine way back on January 4: The lessons of Shamoon and Stuxnet ignored: US ICS still vulnerable in the same way.
The truth is less dramatic than eWeek suggests – although dramatic enough. The virus was discovered while the system was in a scheduled shutdown. It delayed its restart, it did not cause its shutdown. But that’s far less dramatic and far less worrying…
The next stage in the security hype process is for politicians to seize on the eWeek story to justify the need for the next draconian piece of anti-terrorist cyber legislation, or the next exponential increase in some LEA’s budget request. Journalists really should read what they talk about before they talk about what they haven’t properly read.
Earlier this year Google showed off its prototype for the long-awaited Google Glass, described as “a stamp-sized electronic screen mounted on the left side of a pair of eyeglass frames which can record video, access email and messages, and retrieve information from the Web.” The glasses apparently contain a wireless networking chip and essentially all the other technology found inside a typical smartphone.
But is Google about to be left at the starting gate with the latest development in memristors? Memristors are ‘resistive RAM’. They differ from traditional flash RAM by storing data based on electrical resistance rather than an electrical charge, and are approaching commercialization based on indium gallium zinc oxide.
However, the latest research shows that they can also be based on zinc tin oxide – which is much cheaper than indium gallium zinc oxide. “Products using this approach could become even smaller, faster and cheaper than the silicon transistors that have revolutionized modern electronics – and transparent as well,” reports phys.org.
Transparent electronics, continues the report, “offer[s] potential for innovative products that don’t yet exist, like information displayed on an automobile windshield, or surfing the web on the glass top of a coffee table.” Or, dare we say, an entire PC in a pair of glasses.
You may wonder what a computer in a pair of glasses has to do with security – but we used to wonder the same about a telephone. And glasses are just as easily lost, and more easily broken.
Cult of Android, the online antidote to the online Cult of Mac, announced on 13 September, “Ladies and gentlemen, I wish I was making this up, but unfortunately I’m not… They’ve actually filed a lawsuit against an online Polish grocery site…”
Cult of Android’s Vincent Messina was, of course, writing about Apple Inc. Fresh from a colossal victory against rival mobile colossus Samsung, Apple, it was reported, had now set its lawyers on an online Polish grocer called A.pl. ‘A’ is the first letter of the alphabet. .pl is the web suffix for Poland. A marketing argument is thus that A.pl will appear very near the top of any alphabetic listing of online grocers in Poland.
The problem, however, seems to be that A.pl sells apples; and that’s getting perilously close to trading off. But worse than that, A.pl had (it seems to have since removed it) a picture of an apple; and A.pl’s apple looks too similar to Apple’s apple for Apple’s lawyers.
Two days earlier, Reuters had summarized the argument. “‘Apple brand is widely recognized and the company says that A.pl, by using the name that sounds similar, is using Apple’s reputation,’ patent office spokesman Adam Taukert said.”
“A.pl chief executive Radoslaw Celinski said: ‘The accusation is ludicrous’.”
Apple co-founder Steve Wozniak, who is famous for having a different and more liberal attitude towards patents, said, “I hate it.” He was, however, talking about Apple’s victory over Samsung. His views on Apple Vs A.pl are not yet known.
The web is often described as cyberspace. Hold that image, and then travel into deep space – the dark web. You might see what looks like Saturn, surrounded by rings. But look closer and you’ll find it’s a black hole protected by onion rings.
This is possibly the next step in the evolution of botnets. Blackhole is the cybercriminals’ exploit kit of choice. Botnets are used to drive victims to infected sites that host Blackhole. But botnet communications can be monitored and their controlling (C&C) servers located and taken down by the authorities – the Nitol botnet, taken down by Microsoft, is the latest example.
Enter Tor (the name is an acronym for ‘the onion ring’). It was developed to allow users to surf the internet in privacy, making it very, very hard for third parties – including law enforcement agencies – to monitor where you go.
There’s a logic behind criminals using Tor to protect themselves. Hence the blackhole surrounded by onion rings.
Now G-Data claims to have found an example. “The botnet owners placed their C&C server, which uses the common IRC protocol, as a hidden service inside of the Tor network.”
This has several advantages for the criminal. The service is anonymous, so even if the C&C server is found, it won’t reveal its owner – nor can it easily be taken down. And since the traffic itself is encrypted, it isn’t easily blocked by intrusion detection systems. The main disadvantage is that the problems inherent to Tor itself (latency and a degree of unreliability) are introduced to the botnet. But since the FBI has already said that it cannot track the deep space of the dark net, we may soon see, or not see, more of these hidden botnets.
Movie makers of course, says Scientific American – and there’s a lot of logic to the argument. DVDs are dying primarily because phones, tablets, netbooks and many new laptops simply don’t have a DVD slot. But if that’s where people get their entertainment, how are they to view movies? Streaming – which is perfect for our new do-it-instantly, do-it-anywhere, increasingly fast broadband society.
“Hollywood movie studios should benefit, too. The easier it is to rent a movie, the more people will do it. And the more folks rent, the more money the studios make.” But “none of that has occurred to the movie industry.” They seem intent on making things hard. Examples cited by Scientific American include 24-hour rentals (Blockbuster would rent a DVD for three days); online rentals don’t give you the ‘free’ extras such as deleted scenes, alternative endings and so on; staggered release so that some countries get new movies before others while hotels and pay-per-view get them before general release; and “Worse,” says SA, “some movies never become available.”
If the movies are there and people aren’t allowed to pay for them, or are asked to pay over the top, they will obviously just take them. “The studios are trying to prevent a dam from bursting by putting up a picket fence.” The moral? “Make your wares available legally, cleanly and at a fair price – and only the outliers will resort to piracy.”
There are many variants of spam. The traditional is scam-carrying mass emails. One recent variant, being tackled by the UK’s ICO, is SMS-based spam ‘advertising’ the services of lawyers who promise to recoup the banks’ mis-sold payment protection insurance.
Back in February, security researcher Robin Wood (DigiNinja) described the repeated spam received from the Hakin9 security magazine (Hakin9 – Spam Kings). The problem is that different ‘editors’ with the magazine would never take no for an answer whenever he declined to provide a free article.
But he wasn’t alone – a group of well-known security researchers, clearly overburdened by the same requests, provided an article on the DARPA Inference Cheking Kludge Scanner, perhaps better known and understood by its acronym, DICKS. Here’s a sample from the content: “Our experiments soon proved that exokernelizing our fuzzy Knesis keyboards was more effective than making autonomous them, as previous work suggested. Our experiments soon proved that microkernelizing our PDP 11s was more effective than exokernelizing them…”
Hakin9 published the article. At the time of writing it is still on the Hakin9 website (just Google ‘exokernelizing’). Revenge, as they say, is a dish best served cold.