Anyone who has been paying any kind of attention to IoT security, such as it is, has known for years that the vast majority of embedded or allegedly smart devices are terrifically insecure. It’s beyond cliché at this point to make fun of IoT security (although it’s also quite satisfying). So when a botnet comprised largely of Internet-connected devices rose up last week and DDoS-ed DNS provider Dyn into oblivion for several hours, many observers in the security community kind of shrugged and nodded.
Many of the devices recruited into the Mirai botnet include components made by XiongMai Technologies, a Chinese manufacturer. The company has responded by recalling some of those devices, including CCTV cameras, that have been compromised by Mirai and used in the attacks. That recall will have approximately zero effect on the victims using these devices or the attackers running the Mirai botnets. If you’re using an Internet-connected surveillance camera, it’s because you want to surveil something remotely. Are you going to take those cameras offline, pack them up, and ship them back to the manufacturer? Unlikely. The recall is probably designed mostly to get the vulnerable devices off shelves so more customers don’t buy them, but that still doesn’t matter much given that the botnet already is out here kicking in doors.
Security teams know how to clean up a normal botnet, but disinfecting and patching compromised IoT devices is much more complicated. A lot of those devices are in hard-to-reach places and their owners are reticent to patch them even when vendors make fixes available, which is rare. Users and vendors both see these devices as somewhat disposable, so patching them isn’t exactly a priority. And building security into them during the design process isn’t high on the list either, obviously.
The letter is the result of news reports earlier this month that detailed an order that the FBI allegedly served on Yahoo in 2015 in an apparent effort to find messages with a specific set of terms. The stories allege that Yahoo complied with the order and installed custom software to accomplish the task. Yahoo officials said at the time the Reuters story came out that there is no such scanning system on its network, but did not say that the scanning software never existed on the network at all.
“Yahoo was mentioned specifically in these reports and we find ourselves unable to respond in detail. Your office, however, is well positioned to clarify this matter of public interest. Accordingly, we urge your office to consider the following actions to provide clarity on the matter: (i) confirm whether an order, as described in these media reports, was issued; (ii) declassify in whole or in part such order, if it exists; and (iii) make a sufficiently detailed public and contextual comment to clarify the alleged facts and circumstances,” the letter says.
Trailrunner7 writes: Researchers have known for a long time that acoustic signals from keyboards can be intercepted and used to spy on users, but those attacks rely on grabbing the electronic emanation from the keyboard. New research from the University of California Irvine shows that an attacker, who has not compromised a target’s PC, can record the acoustic emanations of a victim’s keystrokes and later reconstruct the text of what he typed, simply by listening over a VoIP connection.
The researchers found that when connected to a target user on a Skype call, they could record the audio of the user’s keystrokes. With a small amount of knowledge about the victim’s typing style and the keyboard he’s using, the researchers could accurately get 91.7 percent of keystrokes. The attack does not require any malware on the victim’s machine and simply takes advantage of the way that VoIP software acquires acoustic emanations from the machine it’s on.
Trailrunner7 writes: The FTC has shut down a phone fraud scam that involved scammers calling consumers–mostly elderly and on fixed incomes–and pressuring them to invest in web sites that supposedly had ties to large companies, promising quick returns. The scheme allegedly netted the scammers more than $9 million.
The scheme involved six companies that the FTC alleges were owned and operated by three defendants, Susan Rodriguez, Matthew Rodriguez and William Whitley. The commission alleges that the defendants would call consumers unsolicited and try to convince them to hand over money for an investment in e-commerce sites that supposedly had links to large, legitimate sites such as Amazon.
“The details of the offer differ, but Defendants routinely describe it as an offer to purchase or invest in e-commerce websites, or websites that direct traffic to e-commerce websites such as Amazon.com. Defendants’ telemarketers typically promise consumers that they will earn money based on sales at the e-commerce websites and/or traffic through their websites to the e-commerce websites. Defendants promise consumers substantial returns or income, such as hundreds or thousands of dollars every quarter,” the FTC complaint says.
Trailrunner7 writes: Depending upon your definition of the word, this presidential campaign cycle has included perhaps more surprises than any other in recent memory. Leaked videos, tax returns, and other data dumps have turned the 2016 campaign into the first to be defined by a modern information war.
And in today’s environment, whatever the imagination can conjure can be executed quickly and easily with a few keystrokes. Even Internet pioneer Al Gore likely couldn’t have envisioned today’s infowar campaigns. For decades, people have been leaking embarrassing information about political candidates to the media, but the leaks that we’re seeing published now are mostly enabled by the ubiquity of technology and the fundamental misunderstanding of some users of the way the Internet works and the permanence of data. Both Hillary Clinton and Donald Trump are now discovering that, like a weird uncle in town for the holidays, information has a way of hanging around and making life uncomfortable.
The data breach doesn’t affect cards that were used online and the company hasn’t specified how many users are affected yet. The incident apparently began on July 25 and ended on Sept. 23, and Vera Bradley said in a statement that it was alerted to the compromise by law enforcement on Sept. 15.
Sometime in the early part of 2015, the Justice Department reportedly went to Yahoo officials with an order to search its users’ incoming email messages for certain words. Yahoo complied by building a custom piece of software that sat in the mail system and looked for the terms, which haven’t been made public. The revelations about the mail scanning program last week caused an uproar among security experts and civil liberties groups.
Now, experts at the EFF and Sen. Ron Wyden say that the order served on Yahoo should be made public according to the text of a law passed last year. The USA Freedom Act is meant to declassify certain kinds of government orders, and the EFF says the Yahoo order fits neatly into the terms of the law.
“If the reports about the Yahoo order are accurate – including requiring the company to custom build new software to accomplish the scanning – it’s hard to imagine a better candidate for declassification and disclosure under Section 402,” Aaron Mackey of the EFF said.
Wardle’s technique for monitoring users’ video call sessions would not be visible to the victim, because it would kick in while a session was already in progress, so the webcam light already would be on.
“After examining various ‘webcam-aware’ OS X malware samples, the research will show a new ‘attack’ that would allow such malware to stealthily monitor the system for legitimate user-initiated video sessions, then surreptitiously piggyback into this in order to covertly record the session. As there are no visible indications of this malicious activity (as the LED light is already on), the malware can record both audio and video without fear of detection,” Wardle’s research abstract says.
Wardle also is releasing a new tool called OverSight that can detect this kind of attack and alert users.
“It’s tougher in some places than others, and we understand that skepticism. We’ve not been perfect. We’ve had our own flaws in the past. We understand that folks are always skeptical of the government to some extent. We will only break through that with partnerships. We’re trying to be more responsive and agile in the information we disseminate and show we’re here to help. The next step is true collaboration,” Deputy Director Andrew McCabe said.
Recent events will not help the FBI in this regard. The revelation Tuesday that the FBI used a classified order last year to get Yahoo to scan massive amounts of incoming email for specific terms has caused an uproar in the security and privacy communities. Experts say the revelation could have serious repercussions for the company and the government.
Trailrunner7 writes: The handful of companies that rule the Internet–Google, Amazon, Microsoft, etc.–all sell products, whether they’re phones, books, or software. But they’re all essentially data analytics firms, ingesting and generating unfathomable amounts of information about their customers and their behavior and trying to predict what those customers might be interested in next. It’s a fine business, but it’s also one that courts danger. Not only will attackers come knocking, but so will law enforcement, and they will come bearing subpoenas and court orders.
The big web companies know this, of course, but they’ve built their businesses on monetizing data, so they don’t have a great way to unwind that. But some newer tech companies have gone in the opposite direction, deciding to keep as little user data as possible. Open Whisper Systems has given us the best example yet of this philosophy and how it can benefit the company as well as its users. Open Whisper Systems is the developer of the Signal encrypted messaging app and earlier this year the FBI served the company with a subpoena demanding all of the information OWS had on two separate phone numbers. One of the numbers turned out not to have a Signal account, but the other did, so OWS complied with the subpoena and gave the FBI everything it had on that number: the time the account was created and the last time it connected.
If the data isn’t there, no one can get to it. Not by compromising your network, and not with a subpoena. It’s a simple equation, but one that few organizations seem to be able to solve right now.
The human body is a good transmission mechanism for certain kinds of waves, and the UW researchers were looking for a way to take advantage of that fact to communicate authentication information from a user’s phone directly to a target device, such as a door knob or medical device. In order to make that idea a reality, they needed to develop a system that could be in direct contact with the user’s body, and could produce electromagnetic signals below 10 MHz. And to make the system usable for a mass audience, the team needed widely available hardware that could generate and transmit the signals.
So the researchers settled on the fingerprint sensor on iPhones and the touchpad on Lenovo laptops, as well as a fingerprint scanner and a touchpad from Adafruit. The concept is deceptively simple: generate an electromagnetic signal from the fingerprint sensor or touchpad and transmit that through the user’s body to the target device. The signal can carry a typical password or even an encryption key, the researchers said.
The payout was put on the table Thursday by Zerodium, a company that buys vulnerabilities and exploits for high-value target platforms and applications. The company has a set of standing prices for the information it will buy, which includes bugs and exploits for iOS, Android, Flash, Windows, and the major browsers, and the top tier of that list has been $500,000 for an iOS jailbreak. But that all changed on Thursday when Zerodium announced that the company has tripled the standing price for iOS to $1.5 million.
“The easy knee-jerk solution I thought was let’s just put a back door in everyone’s iPhone that law enforcement can access. Simple, makes sense,” McCaul said.
“Putting in a back door isn’t the solution. People don’t want the government to have access to their data. The government wasn’t asking Apple to put in codes to create a vulnerability that would kill their product. We think there’s a better way and a better solution to doing that.”
McCaul also said that pressure from the U.S. government to insert backdoors could drive tech companies to take their operations out of the country.
“I don’t see it as privacy versus security. I see it as security versus security,” he said. “I don’t want to weaken encryption and drive these companies offshore.”
Trailrunner7 writes: Four days after releasing a new version that fixed several security problems, the OpenSSL maintainers have rushed out another version that patches a vulnerability introduced in version 1.1.0a on Sept. 22.
Last week, OpenSSL patched 14 security flaws in various versions of the software, which is the most widely used toolkit for implementing TLS. One of the vulnerabilities fixed in that release was a low-risk bug related to memory allocation in tls_get_message_header.
The problem is, the patch for that vulnerability actually introduced a separate critical bug. The new vulnerability, which is fixed in version 1.1.0b, only affected version 1.1.0a, but it can lead to arbitrary code execution.
Researchers at Elcomsoft, a Russian security company, discovered the issue, which is related to the choice of hashing algorithm in iOS 10. In the newest version of the iPhone operating system, Apple uses SHA256 to hash the password for the user’s local backup, which is stored on a computer paired with the phone. In previous versions, Apple used PBKDF2 for this job and ran the password through the algorithm 10,000 times, making password cracking quite difficult.
But iOS 10 uses just one iteration of SHA256 to hash the local backup password, something that the Elcomsoft researchers said made brute-forcing the password far easier. They found that using just a CPU rather than an optimized GPU implementation, they could try as many as six million passwords per second in iOS 10. By comparison, the same setup could try just 2,400 passwords per second against iOS 9.
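The difference between the two backup-password schemes described above comes down to work factor per guess. The following added example (written for this page, not Elcomsoft's or Apple's code) implements PBKDF2 per RFC 8018 with an invocation counter so the 10,000x cost of the iterated scheme is visible, beside a single-pass SHA-256 hash. The password, salt, and the use of SHA-256 as the PBKDF2 PRF and of salt||password for the single hash are constructed assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample inputs; not values from any real iOS backup.
PASSWORD = b"correct horse battery staple"
SALT = b"constructed-16-byte-salt"


def iterated_kdf(password, salt, iterations=10000):
    """PBKDF2-HMAC-SHA256 (RFC 8018, one 32-byte block), as a stand-in for
    the iOS 9-style scheme. Returns (derived_key, prf_calls) so the work
    factor per password guess can be measured rather than assumed."""
    calls = 0

    def prf(data):
        nonlocal calls
        calls += 1
        return hmac.new(password, data, hashlib.sha256).digest()

    # U_1 = PRF(P, S || INT(1)); T_1 = U_1 xor U_2 xor ... xor U_c
    u = prf(salt + struct.pack(">I", 1))
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = prf(u)
        for i in range(len(t)):
            t[i] ^= u[i]
    return bytes(t), calls


def single_pass_hash(password, salt):
    """One SHA-256 over salt||password (assumed layout), as a stand-in for
    the iOS 10-style scheme: exactly one hash invocation per guess."""
    return hashlib.sha256(salt + password).digest(), 1


def work_factor_ratio(iterations=10000):
    """How many PRF invocations a guess costs under the iterated scheme
    for each invocation it costs under the single-pass scheme."""
    _, slow = iterated_kdf(PASSWORD, SALT, iterations)
    _, fast = single_pass_hash(PASSWORD, SALT)
    return slow // fast


if __name__ == "__main__":
    key, calls = iterated_kdf(PASSWORD, SALT)
    print("PBKDF2 key:", key.hex(), "after", calls, "HMAC calls")
    print("single SHA-256:", single_pass_hash(PASSWORD, SALT)[0].hex())
    print("work factor ratio:", work_factor_ratio())
```

The reference check in the test below confirms the hand-written PBKDF2 matches `hashlib.pbkdf2_hmac`, so the counted invocations reflect the real algorithm rather than a simplification.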