Communications

Questioning the Dispute Over Key Escrow 73 73

Nicola Hahn writes: The topic of key escrow encryption has once again taken center stage as former Secretary of Homeland Security Michael Chertoff has spoken out against key escrow both at this year's Aspen Security Forum and in an op-ed published recently by the Washington Post. However, the debate over cryptographic back doors has a glaring blind spot. As the trove of leaks from Hacking Team highlights, most back doors are implemented using zero-day exploits. Keep in mind that the Snowden documents reveal cooperation across the tech industry, on behalf of the NSA, to make products that were "exploitable." Hence, there are people who suggest the whole discussion over key escrow includes an element of theater. Is it, among other things, a public relations gambit, in the wake of the PRISM scandal, intended to cast Silicon Valley companies as defenders of privacy?
Networking

Critical BIND Denial-of-Service Flaw Could Take Down DNS Servers 49 49

alphadogg writes: Attackers could exploit a new vulnerability in BIND, the most popular Domain Name System (DNS) server software, to disrupt the Internet for many users. The vulnerability affects all versions of BIND 9, from BIND 9.1.0 to BIND 9.10.2-P2, and can be exploited to crash DNS servers that are powered by the software. The vulnerability announced and patched by the Internet Systems Consortium is critical because it can be used to crash both authoritative and recursive DNS servers with a single packet.
United Kingdom

Cameron Tells Pornography Websites To Block Access By Children Or Face Closure 362 362

An anonymous reader writes: Prime Minister David Cameron says that if online pornographers don't voluntarily install effective age-restricted controls on their websites he'll introduce legislation that will close them down altogether. A recent Childline poll found nearly 10% of 12-13-year-olds were worried they were addicted to pornography and 18% had seen shocking or upsetting images. The minister for internet safety and security, Joanna Shields, said: “As a result of our work with industry, more than 90% of UK consumers are offered the choice to easily configure their internet service through family-friendly filters – something we take great pride in having achieved. It’s a gold standard that surpasses those of other countries. “Whilst great progress has been made, we remain acutely aware of the risks and dangers that young people face online. This is why we are committed to taking action to protect children from harmful content. Companies delivering adult content in the UK must take steps to make sure these sites are behind age verification controls.”
United States

Germany Won't Prosecute NSA, But Bloggers 100 100

tmk writes: Despite plenty of evidence that the U.S. spied on German top government officials, German Federal Prosecutor General Harald Range has declined to investigate any wrongdoings of the secret services of allied nations like the NSA or the British GCHQ. But after plans of the German secret service "Bundesamt für Verfassungsschutz" to gain some cyper spy capabilities like the NSA were revealed by the blog netzpolitik.org, Hange started an official investigation against the bloggers and their sources. They are now being probed for possible treason charges.
Transportation

Hacker's Device Can Intercept OnStar's Mobile App and Unlock, Start GM Cars 54 54

Lucas123 writes: Security researcher Samy Kamkar posted a video today demonstrating a device he created that he calls OwnStar that can intercept communications between GM's RemoteLink mobile app and the OnStar cloud service in order to unlock and start an OnStar equipped car. Kamkar said that after a user opens the OnStar Remote Link app on his or her mobile phone "near the OwnStar device," OwnStar intercepts the communication and sends "data packets to the mobile device to acquire additional credentials. The OwnStar device then notifies the attacker about the new vehicle that the hacker has access to for an indefinite period of time, including its location, make and model. And at that point, the hacker can use the Remote Link app to control the vehicle. Kamkar said GM is aware of the security hole and is working on a fix.
Businesses

Symantec: Hacking Group Black Vine Behind Anthem Breach 18 18

itwbennett writes: Symantec said in a report that the hacking group Black Vine, which has been active since 2012 and has gone after other businesses that deal with sensitive and critical data, including organizations in the aerospace, technology and finance industries, is behind the hack against Anthem. The Black Vine malware Mivast was used in the Anthem breach, according to Symantec.
The Military

Sun Tzu 2.0: The Future of Cyberwarfare 76 76

An anonymous reader writes: Cyberwar and its ramifications have been debated for some time and the issue has been wrought with controversy. Few would argue that cyber-attacks are not prevalent in cyberspace. However, does it amount to a type of warfare? Let's break this down by drawing parallels from a treatise by 6th century military general, Sun Tzu, who authored one of the most definitive handbooks on warfare, "The Art of War." His writings have been studied throughout the ages by professional militaries and can be used to not only answer the question of whether or not we are in a cyberwar, but how one can fight a cyber-battle.
Security

Research: Industrial Networks Are Vulnerable To Devastating Cyberattacks 75 75

Patrick O'Neill writes: New research into Industrial Ethernet Switches reveals a wide host of vulnerabilities that leave critical infrastructure facilities open to attackers. Many of the vulnerabilities reveal fundamental weaknesses: Widespread use of default passwords, hardcoded encryption keys, a lack of proper authentication for firmware updates, a lack of encrypted connections, and more. Combined with a lack of network monitoring, researchers say the situation showcases "a massive lack of security awareness in the industrial control systems community."
Supercomputing

Obama's New Executive Order Says the US Must Build an Exascale Supercomputer 218 218

Jason Koebler writes: President Obama has signed an executive order authorizing a new supercomputing research initiative with the goal of creating the fastest supercomputers ever devised. The National Strategic Computing Initiative, or NSCI, will attempt to build the first ever exascale computer, 30 times faster than today's fastest supercomputer. Motherboard reports: "The initiative will primarily be a partnership between the Department of Energy, Department of Defense, and National Science Foundation, which will be designing supercomputers primarily for use by NASA, the FBI, the National Institutes of Health, the Department of Homeland Security, and NOAA. Each of those agencies will be allowed to provide input during the early stages of the development of these new computers."
Security

Tools Coming To Def Con For Hacking RFID Access Doors 27 27

jfruh writes: Next month's Def Con security conference will feature, among other things, new tools that will help you hack into the RFID readers that secure doors in most office buildings. RFID cards have been built with more safeguards against cloning; these new tools will bypass that protection by simply hacking the readers themselves. ITWorld reports that Francis Brown, a partner at the computer security firm Bishop Fox, says: "...his aim is to make it easier for penetration testers to show how easy it is to clone employee badges, break into buildings and plant network backdoors—without needing an electrical engineering degree to decode the vagaries of near-field communication (NFC) and RFID systems."
China

What Federal Employees Really Need To Worry About After the Chinese Hack 122 122

HughPickens.com writes: Lisa Rein writes in the Washington Post that a new government review of what the Chinese hack of sensitive security clearance files of 21 million people means for national security is in — and some of the implications are quite grave. According to the Congressional Research Service, covert intelligence officers and their operations could be exposed and high-resolution fingerprints could be copied by criminals. Some suspect that the Chinese government may build a database of U.S. government employees that could help identify U.S. officials and their roles or that could help target individuals to gain access to additional systems or information. National security concerns include whether hackers could have obtained information that could help them identify clandestine and covert officers and operations (PDF).

CRS says that if the fingerprints in the background investigation files are of high enough quality, "depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes." Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they're compromised, fingerprints can't be reissued like a new credit card, the report says, making "recovery from the breach more challenging for some."
vivaoporto Also points out that these same hackers are believed to be responsible for hacking United Airlines.
Android

Maliciously Crafted MKV Video Files Can Be Used To Crash Android Phones 91 91

itwbennett writes: Just days after publication of a flaw in Android's Stagefright, which could allow attackers to compromise devices with a simple MMS message, researchers have found another Android media processing flaw. The latest vulnerability is located in Android's mediaserver component, more specifically in how the service handles files that use the Matroska video container (MKV), Trend Micro researchers said. "When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system). The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data."
Security

Hacking a 'Smart' Sniper Rifle 72 72

An anonymous reader writes: It was inevitable: as soon as we heard about computer-aimed rifles, we knew somebody would find a way to compromise their security. At the upcoming Black Hat security conference, researchers Runa Sandvik and Michael Auger will present their techniques for doing just that. "Their tricks can change variables in the scope's calculations that make the rifle inexplicably miss its target, permanently disable the scope's computer, or even prevent the gun from firing." In one demonstration they were able to tweak the rifle's ballistic calculations by making it think a piece of ammunition weighed 72 lbs instead of 0.4 ounces. After changing this value, the gun tried to automatically adjust for the weight, and shot significantly to the left. Fortunately, they couldn't find a way to make the gun fire without physically pulling the trigger.
Windows

Windows 10 Launches 315 315

An anonymous reader writes: Today Microsoft officially released Windows 10 in 190 countries as a free upgrade for anyone with Windows 7 or later. Major features include Continuum (which brings back the start menu and lets you switch between a keyboard/mouse UI and a touch UI without forcing you into one or the other), the Cortana digital assistant, the Edge browser, virtual desktops, DirectX 12 support, universal apps, an Xbox app, and security improvements. Reviews of the operating system generally consider it an improvement over Windows 8.1, despite launch-day bugs. Peter Bright writes, "Windows 8 felt unfinished, but it was an unfinished thought. ... Windows 10 feels unfinished, but in a different way. The concept of the operating system is a great deal better than its predecessor. It's better in fact than all of its predecessors. ... For all my gripes, it's the right idea, and it's implemented in more or less the right way. But I think it's also buggier than Windows 8.1, 8, 7, or Vista were on their respective launch days." Tom Warren draws similar conclusions: "During my testing on a variety of hardware, I've run into a lot of bugs and issues — even with the version that will be released to consumers on launch day. ... Everything about Windows 10 feels like a new approach for Microsoft, and I'm confident these early bugs and issues will be addressed fairly quickly."
Bug

Honeywell Home Controllers Open To Any Hacker Who Can Find Them Online 85 85

Trailrunner7 writes: Security issues continue to crop up within the so-called "smart home." A pair of vulnerabilities have been reported for the Tuxedo Touch controller made by Honeywell, a device that's designed to allow users to control home systems such as security, climate control, lighting, and others. The controller, of course, is accessible from the Internet. Researcher Maxim Rupp discovered that the vulnerabilities could allow an attacker to take arbitrary actions, including unlocking doors or modifying the climate controls in the house.
Security

Video Veteran IT Journalist Worries That Online Privacy May Not Exist (Video) 43 43

Tom Henderson is a long-time observer of the IT scene, complete with scowl and grey goatee. And cynicism. Tom is a world-class cynic, no doubt about it. Why? Cover enterprise IT security and other computing topics long enough for big-time industry publications like ITWorld and its IDG brethren, and you too may start to think that no matter what you do, your systems will always have (virtual) welcome mats in front of them, inviting crackers to come in and have a high old time with your data.

Note: Alert readers have probably noticed that we talked with Tom about cloud security back in March. Another good interview, worth seeing (or reading).
Government

Two Years Later, White House Responds To 'Pardon Edward Snowden' Petition 591 591

An anonymous reader writes: In June of 2013, a petition was posted to Whitehouse.gov demanding that Edward Snowden receive a full pardon for his leaks about the NSA and U.S. surveillance practices. The petition swiftly passed 100,000 signatures — the point at which the White House said it would officially respond to such petitions. For two years, the administration was silent, but now they've finally responded. In short: No, Edward Snowden won't be receiving a pardon.

Lisa Monaco, the President's Advisor on Homeland Security and Counterterrorism, said, "Mr. Snowden's dangerous decision to steal and disclose classified information had severe consequences for the security of our country and the people who work day in and day out to protect it. If he felt his actions were consistent with civil disobedience, then he should do what those who have taken issue with their own government do: Challenge it, speak out, engage in a constructive act of protest, and — importantly — accept the consequences of his actions. He should come home to the United States, and be judged by a jury of his peers — not hide behind the cover of an authoritarian regime. Right now, he's running away from the consequences of his actions."
Chrome

Chrome Extension Thwarts User Profiling Based On Typing Behavior 61 61

An anonymous reader writes: Per Thorsheim, the founder of PasswordsCon, created and trained a biometric profile of his keystroke dynamics using the Tor browser at a demo site. He then switched over to Google Chrome and not using the Tor network, and the demo site correctly identified him when logging in and completing a demo financial transaction. Infosec consultant Paul Moore came up with a working solution to thwart this type of behavioral profiling. The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM. A Firefox version of the plugin is in the works.
Security

Your Stolen Identity Goes For $20 On the Internet Black Market 57 57

HughPickens.com writes: Keith Collins writes at Quartz that the going rate for a stolen identity is about twenty bucks on the internet black market. Collins analyzed hundreds of listings for a full set of someone's personal information—identification number, address, birthdate, etc., known as "fullz" that were put up for sale over the past year, using data collected by Grams, a search engine for the dark web. The listings ranged in price from less than $1 to about $450, converted from bitcoin. The median price for someone's identity was $21.35. The most expensive fullz came from a vendor called "OsamaBinFraudin," and listed a premium identity with a high credit score for $454.05. Listings on the lower end were typically less glamorous and included only the basics, like the victim's name, address, social security number, perhaps a mother's maiden name. Marketplaces on the dark web, not unlike eBay, have feedback systems for vendors ("cheap and good A+"), refund policies (usually stating that refunds are not allowed), and even well-labeled sections. "There is no shortage of hackers willing to do about anything, computer related, for money," writes Elizabeth Clarke. "and they are continually finding ways to monetize personal and business data."
Security

Air-Gapped Computer Hacked (Again) 80 80

An anonymous reader writes: Researchers from Ben Gurion University managed to extract GSM signals from air gapped computers using only a simple cellphone. According to Yuval Elovici, head of the University’s Cyber Security Research Center, the air gap exploit works because of the fundamental way that computers put out low levels of electromagnetic radiation. The attack requires both the targeted computer and the mobile phone to have malware installed on them. Once the malware has been installed on the targeted computer, the attack exploits the natural capabilities of each device to exfiltrate data using electromagnetic radiation.