Aug 192013
 

FBI spooks use MALWARE to spy on suspects’ Android mobes – report

Spear-phishing: It’s not just for the bad guys

The Register / UK
by Bill Ray
August 2, 2013

 

FBI spooks use MALWARE to spy on suspects' Android mobes - report

FBI spooks use MALWARE to spy on suspects’ Android mobes – report

 

The Federal Bureau of Investigation is using mobile malware to infect, and control, suspects’ Android handsets, allowing it to record nearby sounds and copy data without physical access to the devices.

That’s according to “former officers” interviewed by the Wall Street Journal ahead of privacy advocate Christopher Soghoian’s presentation at hacker-conflab Black Hat later today.

The FBI’s Remote Operations Unit has been listening in to desktop computers for years, explains the paper, but mobile phones are a relatively new target.

It would never work with tech-savvy suspects, though: suspects still need to infect themselves with the malware by clicking a dodgy link or opening the wrong attachment. This is why computer hackers are never targeted this way – they might notice and publicise the technique, said the “former officers”, who noted that in other cases it had proved hugely valuable.

Such actions do require judicial oversight, but if one is recording activities rather than communications, the level of authorisation needed is much reduced. A US judge is apparently more likely to approve reaching out electronically into a suspect’s hardware than a traditional wiretap, as the latter is considered a greater intrusion into their privacy.

Gaining control of that hardware still requires a hole to crawl through; ideally a zero-day exploit of which the platform manufacturer is unaware.

The WSJ cites UK-based lawful spook spyware supplier Gamma International as selling such exploits to the Feds. The company was recently in the news after allegations that it was also supplying dodgy governments with kit – allegedly including malware disguised as the Firefox browser.

Given the convergence of mobile and desktop, it’s no surprise to see desktop techniques being applied to mobile phone platforms by both hackers and law enforcement agencies.

The usual techniques of not opening unknown attachments or unsigned downloads should protect you against the FBI, just as it would against any spear-phishing attempt. But then again, if you know that, they probably wouldn’t try using it against you.

 

Direct Link:  http://www.theregister.co.uk/2013/08/02/fbi_staff_admit_hacking_android/

Jun 242013
 

The computer hackers and phishing experts ‘on our side’

 

BBC News
June 21, 2013

 

The computer hackers and phishing experts 'on our side'

The computer hackers and phishing experts ‘on our side’

 

Article Related Viseo :    The computer hackers and phishing experts ‘on our side’

If you have been hacked it means someone somewhere is watching your computer’s every move. Hackers deploy a variety of tricks to gain access to your computer but a fight-back has begun. Some companies are now even paying hackers to test their own firm’s security.

LJ Rich meets some professional hackers who are on the right side of the law, explains how people go about trying to get inside your computer and has some useful tips on how to stay safe from unwanted invaders.

 

Watch more clips on the Click homepage. If you are in the UK you can watch the whole programme on BBC iPlayer.

Direct Link:  http://www.bbc.co.uk/news/technology-23008088

May 282013
 

Homeland Security database leaks employee information


PC World

by Ellen Messmer
May 26, 2013

Homeland Security database leaks employee information

Homeland Security database leaks employee information

 

The Department of Homeland Security (DHS) said lat week it has notified employees and others with DHS clearance to be on alert for potential fraud due to a vulnerability discovered in software used by a vendor to process personally identifiable information (PII) for background investigations. The software hole in had been there since July 2009.

“During the week of May 20, 2013, DHS is alerting employees of the potential vulnerability and outlining ways that they can protect themselves, including requesting fraud alerts and credit reports,” the DHS said in its statement “Privacy Response to Potential PII Incident.” DHS says a vulnerability in software that an unnamed vendor uses to maintain a database of background investigations had a hole in it that left open to potential unauthorized access information that includes name, Social Security number, and date of birth.

DHS says the software vulnerability has now been fixed and there’s no evidence that this PII released to DHS clearances has been stolen from the vendor-maintained database. (See also “Ten Best Practices to Prevent Data and Privacy Breaches.”)

* Follow-up resources offered

DHS has set up a call center to address any employee concerns related to the notifications and is advising affected individuals concerned about potential fraud to consider taking certain measures, such as letting potential creditors know to contact them before opening a new account in their name. DHS also listed the three credit reporting firms, Equifax, Experian, and TransUnion, saying an individual can place a fraud alert.

DHS also indicated it’s in a legal confrontation with the unnamed vendor with this background investigations database and has raised a “stop work request” while engaging with the “vendor’s leadership to pursue all costs incurred mitigating the damages.” DHS is in talks with this unspecified vendor on “notification requirements for current contractors, inactive applicants and former employees and contractors.”

DHS was alerted by a law enforcement partner of the potential vulnerability, and says it took immediate steps to address the problem with the vendor. Though DHS does not know that PII related to this security hole has been stolen, it’s investigating the matter.

Employees who submitted background investigation information, and individuals who received a DHS clearance between July 2009 and May 2013, primarily for positions at the DHS headquarters, Customs and Border Protection (CBP), and Immigration and Customs Enforcement, may be affected.

* Spreading word to former contacts

DHS also says it is making “every possible effort” to reach out to former employees, applicants, former contractors, and “similar individuals who received a DHS clearance that may be impacted.”

In its privacy notification alert, DHS sought to address concerns, such as whether employees should alert the contacts they provided for the background investigation. DHS says it has no reason to believe that kind of step is needed.

As to whether DHS will continue to work with the unnamed vendor whose software had the security hole, the Department indicated the CBP has put the brakes on work at this time while DHS is “evaluating all legal options.”

 

Direct Link:  http://www.pcworld.com/article/2039752/homeland-security-database-leaks-employee-information.html

May 152013
 

Hotel Lock Hack Still Being Used In Burglaries, Months After Lock Firm’s Fix


FORBES

by Andy Greenberg
5/15/2013

 

Photos released by Arizona police of two suspects alleged to have robbed a 27-year-old girl's hotel room using the Onity lock-hacking method at the Coast Hotel in Phoenix.

Photos released by Arizona police of two suspects alleged to have robbed a 27-year-old girl’s hotel room using the Onity lock-hacking method at the Coast Hotel in Phoenix.

 

More than nine months after the hotel lock firm Onity announced a fix for a security flaw that allowed anyone to gain access to millions of hotel rooms in seconds, that lock-hacking technique seems to be thriving–and thieves are still using it to perform dozens of burglaries with hardly a trace.

The latest reports of criminals implementing the Onity lock hack come from Arizona, where police say that hotel rooms have been burglarized across the cities of Phoenix, Scottsdale, Tempe, and Mesa, with between six and nine robberies in each city. In every case, police and hotel staff believe that the burglars used a small device that can be inserted into a data port on the underside of hotel locks to read their memory, access a digital key, and trigger the locks’ opening mechanism in seconds. The targeted hotels include the Holiday Inn, Extended Stay, Quality Inn, Laquinta Inn, Red Roof Inn, Motel Six, Budget Inn, Courtyard By Marriot, and Comfort Inn, according to a Phoenix police spokeperson.

The video below shows two of the suspects entering the Coast Hotel in Phoenix and allegedly leaving with a 27-year old woman’s suitcases. Though the video footage doesn’t capture the accused thieves using the lock-hacking device to open the room’s door, police say that hotels found evidence in its lock’s memory that a device accessed the lock during the brief time when the men were in the building. That hacking device, which was first revealed by the security researcher and software developer Cody Brocious at the Black Hat security conference last year, can be built for less than $50, and spoofs the “portable programmer” used by hotel staff to change locks’ settings and open locks with depleted batteries.

Local police are offering a $1,000 reward for information about the suspects.

In cases at other hotels, thieves stole luggage, TVs, laptops, iPads, the gun and badge of a U.S. marshall, and the full uniform of an airline pilot, along with every other possession he’d left in the Tempe hotel room. “Since all my stuff was cleaned out, I thought I was in the wrong room,” pilot Ahmiel Fried told local news TV station ABC15, who first reported the break-ins. “[I was] not expecting everything to be gone.

 

Photos released by Arizona police of two other suspects believed to have used the hotel lock-hacking devices.

Photos released by Arizona police of two other suspects believed to have used the hotel lock-hacking devices.

 

Phoenix police spokesperson Darren Burch says it’s still not clear how many people are exploiting the vulnerability in Onity’s locks to rob hotels, or even whether the Arizona burglaries were performed by a single group or by individuals working separately. But he warns that while he’s only aware of the Arizona thefts, it’s likely that the lock-hacking technique is being exploited across the country, and that it may be being used more often than it’s being reported. After all, Onity’s keycard locks protect more than four million rooms worldwide. “We’ve just learned about this locally, but it’s my understanding this is happening elsewhere,” Burch says. “This is just the tip of the iceberg.”

In November of last year I reported that the same vulnerability in Onity locks was used to break into a series of hotel rooms in Houston, Texas. In that case, police arrested and charged 27-year-old Matthew Allen Cook with theft. Cook, who still awaits trial, was identified when a stolen HP laptop ended up at a local pawnshop, whose staff helped to identify him.

An Onity lock and (inset) the circuit board Onity has offered to replace for a full reimbursement in many hotels' doors.

An Onity lock and (inset) the circuit board Onity has offered to replace for a full reimbursement in many hotels’ doors.

This latest round of burglaries comes months after Onity became aware of its security issue and began working to fix it. In August, Onity announced it would be releasing temporary plugs to cover its locks data ports, and would follow up with a software update, albeit one that hotel customers themselves would have to pay for. But after the string of Texas break-ins, I obtained memos from Onity to Marriott, InterContinental Hotel Group, and Hyatt in which it agreed to reimburse those major chain hotels for a full circuit-board fix.

Given that some of the Arizona hotels are among the customers whose fixes Onity agreed to cover, it’s not clear how they’ve remained vulnerable. I’ve reached out to Onity for a response and will update this post if I hear from the company.

Onity’s troubles began in July, when Cody Brocious demonstrated to me in a series of New York hotels that his lock-opening trick could work. At the time, Brocious’ technique was unreliable, only opening one of the three hotel room doors we tested. But he soon released the method online, and hackers began to post YouTube videos of themselves adapting and improving the lock-opening device until it worked reliably and could fit into an iPhone case or even a dry-erase marker.

At the time, Brocious argued that his hacking trick was intended to demonstrate Onity’s security vulnerability and force the company to fix it–not to take advantage of the security flaw for criminal purposes. But nearly a year after he first showed me his trick, it’s transformed from a theoretical bug to a very real criminal technique. And unless Onity and its customer hotels take greater care to update their locks, there’s no end to the insecurity in sight.
Direct Link:  http://www.forbes.com/sites/andygreenberg/2013/05/15/hotel-lock-hack-still-being-used-in-burglaries-months-after-lock-firms-fix/

May 152013
 

Microsoft to Close Critical IE Security Holes on Patch Tuesday

Security Week
by Brian Prince
May 9, 2013

 

Microsoft to Close Critical IE Security Holes on Patch Tuesday

Microsoft to Close Critical IE Security Holes on Patch Tuesday

 
Microsoft is prepping fixes for close to three dozen vulnerabilities for this month’s Patch Tuesday, including critical issues affecting Internet Explorer.

Tucked in among the 10 security bulletins is one aimed squarely at the Internet Explorer 8 zero-day vulnerability being exploited in the wild. Microsoft has already issued a “Fix It” tool this week to offer protection in lieu of a patch. According to the company, the issue is due to the way IE accesses an object in memory that has been deleted or that has not been properly allocated. By exploiting the issue, an attacker could potentially remotely execute code.

“In all cases, however, an attacker would have no way to force users to view the attacker-controlled content,” Microsoft noted. “Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.”

The vulnerability has been at the center of a spate of water holing attacks that have roped in a number of sites, including the U.S. Department of Labor site.

All totaled, 33 vulnerabilities are expected to be fixed. Just two of the bulletins are rated ‘critical’, while the other eight are considered ‘important.’ Both critical bulletins address issues in Internet Explorer. The remaining bulletins are focused on issues in Windows, Microsoft Lync, Microsoft Office and Microsoft Windows Essentials.

“With ten bulletins, eight important this month, we have seen 45 to date in 2013, or 10 more bulletins than last year at this time,” said Paul Henry, security and forensic analyst at Lumension. “This tells me Microsoft is continuing to dig deeper into their code base to uncover lower level vulnerabilities. This is good news and I believe the trend toward higher numbers of important bulletins will continue given Microsoft’s apparent commitment to proactively discovering and patching security issues in their code.”

“As always, I recommend patching the important bulletins based on what programs you’re using,” he said. “Looking through the bulletins, Bulletin 4 is probably the most interesting, affecting all versions of Windows, from XP through Windows RT and Windows 8. This is a spoofing issue, which we don’t see very often in Microsoft bulletins. I’ll be very interested to see what this one turns out to be on Tuesday.”

Direct Link:  http://www.securityweek.com/microsoft-close-critical-ie-security-holes-patch-tuesday