chicksdaddy writes "The Security Ledger reports that the security firm IOActive has discovered serious security holes in the WeMo home automation technology from Belkin. The vulnerabilities could allow remote attackers to use Belkin’s WeMo devices to virtually vandalize connected homes, or as a stepping stone to other computers connected on a home network.
IOActive researcher Mike Davis said on Tuesday that his research into Belkin’s WeMo technology found the “devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.” (http://www.ioactive.com/news-events/IOActive_advisory_belkinwemo_2014.html) IOActive provided information on Davis’s research to the US Computer Emergency Readiness Team (CERT), which issued an advisory on the WeMo issues on Tuesday. (http://www.kb.cert.org/vuls/id/656302). There has been no response yet from Belkin.
Among the problems discovered by Davis and IOActive: Belkin’s firmware reveals the signing key and password allowing an attacker with physical or logical access to a WeMo device to sign a malicious software update and get it to run on the device, bypassing security and integrity checks. Also, Belkin WeMo devices don’t validate Secure Socket Layer (SSL) certificates used with inbound communications from Belkin’s cloud service. That could allow an attacker to impersonate Belkin’s legitimate cloud service using any valid SSL certificate, potentially pushing a bogus firmware update or malicious RSS feed to deployed WeMo devices.
WeMo customers who are counting on their wireless router and NAT (network address translation) or a firewall to provide cover should also beware. Davis found that Belkin has implemented a proprietary 'darknet' that connects deployed WeMo devices by ‘abusing’ an (unnamed) protocol originally designed for use with Voice over Internet Protocol (VoIP) services. With knowledge of the protocol and a ‘secret number’ uniquely identifying the device, an attacker could connect to- and control any WeMo device over the proprietary network."Link to Original Source
chicksdaddy writes "Visitors to the web site of the Veterans of Foreign Wars (VFW) are being targeted in an attack that exploits a previously unknown hole in Microsoft’s Internet Explorer 10 web browser, according to warnings Thursday by security firms.
Some visitors to the web site of the VFW, vfw [dot] org, were the victim of a ‘watering hole’ attack starting on February 11. The attacks took advantage of a previously unknown ‘use-after-free’ vulnerability in Microsoft’s Internet Explorer 10 web browser. According to a write-up by the firm FireEye (http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html), the VFW site was hacked and then altered to redirect users to a malicious website programmed to exploit vulnerable versions of IE 10 on systems running 32 bit versions of the Windows operating system.
Initial analysis of the attack suggests that it is part of a “strategic Web compromise targeting American military personnel.” FireEye said evidence points to hacking groups responsible for similar campaigns, including ‘Operation DeputyDog,’ which targeted high-profile Japanese firms as well as the US security firm Bit9, and ‘Operation Ephemeral Hydra,’ targeting military and public policy personnel.
FireEye dubbed the attack 'Operation Snowman,' saying that it was timed to coincide with a massive East Coast blizzard that affected the Washington D.C. area, as well as the President's Day federal holiday on Monday. Security Ledger notes that the attack was also timed to fall immediately after Microsoft issued its February security patches with the malware used in the attacks — standard operating procedure with attacks using Microsoft 0day exploits."Link to Original Source
chicksdaddy writes "File this one in your (bulging) 'creepy big data applications' folder: Google has applied to the US government for a patent on what is described as a method for “inferring events based on mob source video,” according to the Web site Public Intelligence. (http://info.publicintelligence.net/GoogleMobVideoPatent.pdf)
According to the application, Google has developed the ability to mine metadata from videos, photos or audio submitted by Google users (to YouTube, etc.) to infer that “an event of interest has likely occurred.” The technology surveys time- and geolocation stamps on the videos and other data to correlate the activities of individuals who might be part of a gathering, The Security Ledger reports.
The Patent, US2014/0025755 A1, was published on January 23, 2014. The technology, dubbed “mob sourcing” will allow Google to correlate video and images to infer the existence of groups (i.e. a public gathering, performance or accident), then send notifications to interested parties.
“Embodiments of the present invention are thus capable of providing near real-time information to pertinent organizations when users of wireless terminals (aka ‘mobile phones’) upload video clips to the repository upon being recorded,” the application reads.
The mob sourcing capability could be used to analyze and correlate video clips submitted by users either with the user’s permission or without it, Google claims. Consumer applications could allow YouTube users who upload a video to associate it with an ongoing event –say “South by Southwest Festival 2014 – making it easier for others to enjoy a crowd-sourced view of events. As for the non-consumer applications? Well...we know what those are."Link to Original Source
chicksdaddy writes "MIT Tech Review has an interesting piece that asks an obvious, but intriguing question: if we're living in an age of cyber warfare, where are all the cyber weapons?
Like the dawn of the nuclear age that started with the bombs over Hiroshima and Nagasaki, the use of the Stuxnet worm reportedly launched a global cyber arms race involving everyone from Syria to Iran and North Korea (https://securityledger.com/2013/03/dprkurious-is-north-korea-really-behind-cyber-attacks-on-the-south/). But almost four years after it was first publicly identified, Stuxnet is an anomaly: the first and only cyber weapon known to have been deployed. Experts in securing critical infrastructure including industrial control systems are wondering why. If Stuxnet was the world's cyber 'Little Boy,' where is the 'Fat Man'?
Speaking at the recent S4 Conference, Ralph Langner, perhaps the world’s top authority on the Stuxnet worm, argues that the mere hacking of critical systems is just a kind of 'hooliganism' that doesn’t count as cyber warfare.
True cyber weapons capable of inflicting cyber-physical damage require extraordinary expertise.
Stuxnet, he notes, made headlines for using four exploits for “zero day” (or previously undiscovered) holes in the Windows operating system. Far more impressive was the metallurgic expertise needed to understand the construction of Iran’s centrifuges. Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging the country’s uranium enrichment operation.
Thomas Rid, of the Kings College Department of War Studies said the conditions for using a cyber weapon like Stuxnet aren't common and the deep intersection of intelligence operations and cyber ops means that "all cyber weapons are bespoke." "If you want to maximize the effect of a cyber weapon," he said at S4," the way you do it is with more intelligence.""Link to Original Source
chicksdaddy writes "The U.S. government is giving large Internet firms more leeway to discuss secret government requests for data.(http://www.nytimes.com/2014/01/28/business/government-to-allow-technology-companies-to-disclose-more-data-on-surveillance-requests.html?hp) But when it comes to trust, the battle may already be lost. IT World reports that U.S. hosting companies and cloud providers say they now face pressure from international customers to keep data off of U.S. infrastructure – a request many admit is almost impossible to honor.
The article quotes an executive at one, prominent U.S. hosting firm who says that the picture of NSA spying that has come as a result of leaks by Edward Snowden prompted a slew of requests from European customers to have data cordoned off from U.S. infrastructure. Customers in Germany are often the source of the requests, he said, but the phenomenon isn't limited to Germany, where revelations of NSA spying there, including a tap on the phone of German Chancellor Angela Merkel, have stoked a kind of economic nationalism.
Chris Swan, the chief technology officer at Cohesive FT, a cloud networking company, said that his company began fielding calls from European clients, Germany companies, in particular, last year. "They were asking for help finding and using non U.S.-affiliated infrastructure," he said.
"It’s a bit of a gradient with Germany at the top of the hill and the Swiss standing right alongside them," said Swan.
The requests take a couple different forms, according to the hosting company executive. Customers have asked for their data to be kept 'locally,' segregating it on infrastructure located within the geographic border of Germany or other EU nations that are not perceived to be subject to access from U.S. intelligence agencies. Others are asking for changes that at least give them plausible deniability with local press and government officials. For example, they might ask for hosting firms to transfer the registration IP addresses used to host content from U.S.–based entities to a German or EU-based subsidiary, according to the report."Link to Original Source
chicksdaddy writes "Cisco released its annual security report this morning and the news isn't good. Hidden amid the standard bad news (100% of 30 Fortune 500 companies were found to host malware on their network) is a particularly biting piece of bad news: a dire shortage of trained cyber security experts.
Cisco estimates that there is already global shortage of up to one million more cyber security experts in 2014. As the security demands on companies increase, that shortage is set to become even more acute, according to Levi Gundert of Cisco's Threat Research and Analysis Center. Expertise in areas like security architecture, incident response and threat intelligence are already in demand and where organizations are going to feel the pinch of the skills shortage, he said."Link to Original Source
chicksdaddy writes "Neiman Marcus became the latest, prominent U.S. retailer to admit that its network was hacked and credit card data on customers stolen. (http://krebsonsecurity.com/2014/01/hackers-steal-card-data-from-neiman-marcus/) But the story isn't over. Reuters reported on Monday that at least three other, well-known U.S. retailers took place in November and December and "were conducted using similar techniques as the one on Target." (http://mobile.reuters.com/article/idUSBREA0B01720140112?irpc=932) The common thread? Point of Sale malware like Dexter and Project Hook.
According to the Reuters report, which cited unnamed law enforcement officials and experts who were investigating the incidents, the malware used was described as a "RAM scraper," a possible reference to a feature of malware like Dexter, which uses RAM scraping to retrieve unencrypted credit card numbers from compromised point of sale systems.
The Security Ledger quotes experts from Arbor Networks who have observed a jump in Point of Sale malware with botnet like command and control features.(http://www.arbornetworks.com/asert/2013/12/happy-holidays-point-of-sale-malware-campaigns-targeting-credit-and-debit-cards/) CERT echoed those warnings in an advisory issued last week. (https://securityledger.com/2014/01/us-cert-warns-about-point-of-sale-malware/)
According to Arbor, much of the newest PoS malware uses RAM scraping to steal data before sending it out, in encrypted form, to command and control servers managed by the cyber criminal group behind the attack."Link to Original Source
chicksdaddy writes "In a great example of the cybercrime "chickens coming home to roost," credit card information stolen from box retailer Target have been linked to fraudulent purchases at large retail outlets, including Target itself, the web site Krebsonsecurity.com reports. (http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets)
Writing on Friday, Brian Krebs said that millions of the stolen cards are "flooding" underground carder web sites. Working with a source at a small New England bank, Krebs was able to identify hundreds of stolen credit card accounts being offered for sale from that bank alone on a carder site, rescator(dot)la.(http://rescator.la) The cards were being uploaded daily in batches of 100,000 or more, branded as the "Tortuga base."
A "point of purchase" analysis on 20 of stolen accounts belonging to the bank and purchased from four of the "Tortuga" dumps confirmed Target as a common reference point for the cards. Even worse: “Some of these already have confirmed fraud on them, and a few of them were actually just issued recently and have only been used at Target,” Krebs source at the bank informed him. A number of the cards were flagged for fraud after they were used to make unauthorized purchases at big box retailers, including Target, itself, he said.
After reports by Krebs about a major theft of credit cards, Target acknowledged the breach on Thursday, admitting that data on up to 40 million consumers may have been taken. (https://securityledger.com/2013/12/target-confirms-massive-breach-40-million-credit-cards-affected/)"Link to Original Source
chicksdaddy writes "Its hard to put a number on exactly how many Internet connected "smart devices" will be served up by the end of the decade. 30 billion (http://www.gartner.com/newsroom/id/2621015)? 50 billion (http://blogs.cisco.com/diversity/the-internet-of-things-infographic/)? 75 billion (http://www.businessinsider.com/75-billion-devices-will-be-connected-to-the-internet-by-2020-2013-10)? Like McDonald's hamburgers, its probably better to just say "billions and billions." After all, the exact number doesn't matter and everyone agrees there will be lots of them.
But all those devices – and the near-limitless IPV6 address space that will accommodate them – do present a management and governance problem (https://securityledger.com/2013/11/it-pros-internet-of-things-is-a-governance-disaster/): how do you find the specific device you’re looking for in a sea of similar devices?
What the world needs is a Google or, better yet, a Facebook for Internet of Things devices, and that’s what the folks over at the UK-based firm Umbrellium (http://umbrellium.co.uk/about-us/) introduced on Friday with thingful.net (http://www.thingful.net), a search engine that scours the Internet for smart devices.
Unlike Shodan (http://www.shodanhq.com/), the hardware search engine, Thingful is about building connections between Internet of Things devices. Thingful users register using a Twitter account, then associate discoverable smart devices they own with that account. Users can search for others nearby who own and operate smart devices and “follow” those devices, or network with other individuals who own specific types of smart infrastructure via Thingful.
Not that its all voluntary. Thingful currently aggregates public data from connected devices. In large part that is through indexing IoT platforms like Xively, Smart Citizen (open source environmental monitoring), Weather Underground and Air Quality Egg. The search engine has indexed tens of thousands of devices globally, ranging from home thermostats and simple sensors, to wired ocean monitoring buoys in the mid-Atlantic and tanker ships plying the Mediterranean, The Security Ledger reports."Link to Original Source
chicksdaddy writes "The Federal Trade Commission (FTC) announced on Thursday (http://www.ftc.gov/opa/2013/12/goldenshores.shtm) that it settled with the maker of a popular Android mobile application over charges that the company used deceptive advertising to collect location and device information from Android owners, The Security Ledger reports.
The FTC announced the settlement with Goldenshores Technologies, LLC of Moscow, Indiana, makers of the “Brightest Flashlight Free” Android application, saying that the company failed to disclose wanton harvesting and sharing of customers’ location and mobile device identity with third parties.
Brightest Flashlight Free, which allows Android owners to use their phone as a flashlight, is a top download from Google Play, the main Android marketplace. (https://play.google.com/store/apps/details?id=goldenshorestechnologies.brightestflashlight.free) Statistics from the site indicate that it has been downloaded more than one million times with an overall rating of 4.8 out of 5 stars.
The application, which is available for free, displays mobile advertisements on the devices that it is installed on. However, the device also harvested a wide range of data from Android phones which was shared with advertisers including what the FTC describes as “precise geolocation along with persistent device identifiers.”
As part of the settlement with the FTC, Goldenshores is ordered to change its advertisements and in-app disclosures to make explicit any collection of geolocation information, how it is or may be used, the reason for collecting location information and which third parties that data is shared with."Link to Original Source
chicksdaddy writes "Cyber attacks on"connected vehicles" are still in the proof of concept stage (http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/). But those proofs of concept are close enough to the real thing to prompt an inquiry from U.S. Senator Ed Markey, who sent a letter (http://www.markey.senate.gov/documents/2013-12-2_GM.pdf) to 20 major auto manufacturers asking for information about consumer privacy protections and safeguards against cyber attacks in their vehicles.
Markey's letter, dated December 2, cites recent reports of "commands...sent through a car's computer system that could cause it to suddenly accelerate, turn or kill the breaks," and references research conducted by Charlie Miller and Chris Valasek on Toyota Prius and Ford Escape. (http://illmatics.com/car_hacking.pdf) and presented at the DEFCON hacking conference in Las Vegas.
"Today's cars and light trucks contain more than 50 separate electronic control units (ECUs), connected through a controller area network (CAN)...Vehicle functionality, safety and privacy all depend on the functions of these small computers, as well as their ability to communicate with one another," Markey wrote.
Among the questions Markey wants answers to:
+ What percentage of cars sold in model years 2013 and 2014 do not have any wireless entry points?
+ What are automakers' methods for testing for vulnerabilities in technologies it deploys — including third pressure technologies? Markey asks specifically about tire pressure monitors, bluetooth and other wireless technologies and GPS (like Onstar).
+ What third party penetration testing is conducted on vehicles (and any results)?
+ What intrusion detection features exist for critical components like controller area network (CAN) busses on connected vehicles?
A member of the Commerce, Science and Transportation Committee (http://www.commerce.senate.gov/public/), Markey is a longtime privacy advocate. He rose from the House to become the junior Senator from Massachusetts after winning a special election in June to replace Sen. John Kerry, who left office to become President Obama's Secretary of State."Link to Original Source
chicksdaddy writes "The Security Ledger is reporting on an article in the December issue of Usenix's ;login: logout (https://www.usenix.org/publications/login) from researchers at UCSD and George Mason University that suggests reports of Bitcoin’s anonymity may (to paraphrase Twain) “be greatly exaggerated.”
Specifically: the researchers found that, by culling a variety of open source data including public data from the Bitcoin Peer to Peer network and public Internet postings, as well as their own Bitcoin transactions, they were able to “identify major institutions” engaged in Bitcoin transactions “and the interactions between them.”
By mapping unique Bitcoin change addresses, the researchers were able to positively identify 2,197clusters of Bitcoins with common ownership. Those clusters were linked to over 1.8 million BitCoin addresses.
The experiment, though small, suggests that a large slice of the public keys used in Bitcoin transactions – around 14 percent — can be linked back to larger, institutional players, including banks, Bitcoin (or BTC) exchanges or large vendors like the now defunct Silk Road. That centralization makes the Bitcoin network susceptible to surveillance by law enforcement or governments that have the computing power and determination to track down the individuals, groups and institutions at either end of specific exchanges.
The paper, “A Fistful of Bitcoins: Characterizing Payments Among Men with No Names” (http://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf)was presented at the IMC (Internet Measurement Conference) 2013 Conference in Barcelona, Spain in October and is reprinted in the December issue of ;login: logout a USENIX publication. It is based on research conducted at The University of California, San Diego and George Mason University. In it, the researchers, led by Sarah Meiklejohn of UCSD used a combination of strategies to “de-anonymize” the BitCoin network.
Aspects of the work have been noted before in news reports, including work that Meiklejohn did with Brian Krebs of Krebsonsecurity tracking an online purchase of heroin in Krebs name (http://krebsonsecurity.com/2013/07/mail-from-the-velvet-cybercrime-underground/). However, Meiklejohn and her colleagues have expanded their analysis of Bitcoin protocol and its potential weaknesses."Link to Original Source
chicksdaddy writes "The U.S. Federal Trade Commission (FTC) used a one-day workshop to highlight security and privacy issues prompted by so-called “Internet of Things.” But attendees at the event may have walked away with a more ambiguous message, as prominent technologists and industry representatives questioned whether conventional notions of privacy had much relevance in a world populated by billions of Internet-connected devices.
“I don’t feel like privacy is dead,” keynote speaker Vint Cerf, a Vice President and Chief Internet Evangelist at Google, told an audience at the FTC workshop (http://www.ftc.gov/bcp/workshops/internet-of-things/). “I do feel like privacy will be increasingly difficult for us to achieve,” Cerf warned.
And Cerf wasn’t alone in wondering whether that might not be such a bad thing – or even that unusual. “Is privacy an anomaly,” he asked attendees in a keynote speech on Tuesday.
Recalling his experience living in a small, German town where the “postmaster knew what everyone was doing," Cerf argued that the modern concept of being ‘alone in the crowd’ is a fairly recent one, borne of the industrial revolution and the growth of urbanization.
Tensions between the social benefits and costs of new technologies and the Internet of Things cropped up in many discussions during the one-day event, which featured workshops on Internet-connected “Smart Homes,” “Connected Vehicles,” and “Connected Health and Fitness.” The panel on “Connected Vehicles” saw noted researcher Tadayoshi Kohno of the University of Washington sparring with Christopher Wolf of the tech industry-backed Future of Privacy Forum over the benefits of connected car features like geo-tracking and crash detection versus the cost: potential privacy violations or remote attacks on connected car systems."Link to Original Source
chicksdaddy writes "Veracode's blog has an interesting post on how the fast adoption of "Internet of Things" technology will empower application developers as never before.
Picking up on a post by Jim Morrish over at Bosch's Internet of Things blog (http://blog.bosch-si.com/m2m-platforms-recast-for-the-age-of-the-internet-of-things/), Veracode notes that the an ecosystem is fast developing that abstracts information from a wide range of data sources – including traditional corporate and IT systems, as well as legacy M2M platforms. The effect of that is to put power into the hands of application developers, who have free(er) reign to shape the applications that will define the Internet of Things.
Application developers can already tap off-the-shelf development tools, protocols, and features that connect them to a much wider pool of data (and, thus, possible applications). That frees them from the onerous task of mastering proprietary application logic or stove piped platforms.
Of course, the security and privacy implications of all that abstracted logic (and the boilerplate code that enables it) have yet to be worked out. Veracode has noted before that third party code in its various incarnations is already a frequent source of computer security vulnerabilities. (http://www.veracode.com/blog/2013/10/third-party-components-and-the-owasp-top-10-talking-code-part-6/)"Link to Original Source
chicksdaddy writes "All those sensors on your smartphone are great. They enable all kinds of cool features – from finding the nearest Starbucks to mobile payments. But they also pose a risk to the privacy of the phone’s owner, as malicious actors (and the occasional national government) look for ways to turn cameras and other sensors into powerful, cheap and convenient spying tools.
Now researchers at The University of Cambridge have demonstrated one possible, new attack type (http://www.lightbluetouchpaper.org/2013/11/08/5653/): harnessing the built-in video camera and microphone on Samsung Galaxy and Nexus devices to spy on an owner’s hand movements and guess his or her password, The Security Ledger reports. The technique could be a way for cyber criminals to defeat anti-keylogging technology like secure “soft” keyboards used to enter banking PINs and other sensitive information, the researchers report. (http://www.cl.cam.ac.uk/~rja14/Papers/pinskimmer_spsm13.pdf)
The lesson for mobile application developers and device makers is that “mobile devices are fundamentally different from traditional servers (and) desktops in the way we use them," Laurent Simon, one of two Cambridge University researchers who conducted the research told The Security Ledger. ”Smart phones and other devices that are “aware” of the physical world are vulnerable to new types of attacks. “This physical-world interaction needs to be considered when designing secure devices,” he wrote."Link to Original Source