Tag Archives: Exploits

FBI spooks use MALWARE to spy on suspects’ Android mobes – report

FBI spooks use MALWARE to spy on suspects’ Android mobes – report

Spear-phishing: It’s not just for the bad guys

The Register / UK
by Bill Ray
August 2, 2013

 

FBI spooks use MALWARE to spy on suspects' Android mobes - report
FBI spooks use MALWARE to spy on suspects’ Android mobes – report

 

The Federal Bureau of Investigation is using mobile malware to infect, and control, suspects’ Android handsets, allowing it to record nearby sounds and copy data without physical access to the devices.

That’s according to “former officers” interviewed by the Wall Street Journal ahead of privacy advocate Christopher Soghoian’s presentation at hacker-conflab Black Hat later today.

The FBI’s Remote Operations Unit has been listening in to desktop computers for years, explains the paper, but mobile phones are a relatively new target.

It would never work with tech-savvy suspects, though: suspects still need to infect themselves with the malware by clicking a dodgy link or opening the wrong attachment. This is why computer hackers are never targeted this way – they might notice and publicise the technique, said the “former officers”, who noted that in other cases it had proved hugely valuable.

Such actions do require judicial oversight, but if one is recording activities rather than communications, the level of authorisation needed is much reduced. A US judge is apparently more likely to approve reaching out electronically into a suspect’s hardware than a traditional wiretap, as the latter is considered a greater intrusion into their privacy.

Gaining control of that hardware still requires a hole to crawl through; ideally a zero-day exploit of which the platform manufacturer is unaware.

The WSJ cites UK-based lawful spook spyware supplier Gamma International as selling such exploits to the Feds. The company was recently in the news after allegations that it was also supplying dodgy governments with kit – allegedly including malware disguised as the Firefox browser.

Given the convergence of mobile and desktop, it’s no surprise to see desktop techniques being applied to mobile phone platforms by both hackers and law enforcement agencies.

The usual techniques of not opening unknown attachments or unsigned downloads should protect you against the FBI, just as it would against any spear-phishing attempt. But then again, if you know that, they probably wouldn’t try using it against you.

 

Direct Link:  http://www.theregister.co.uk/2013/08/02/fbi_staff_admit_hacking_android/

The computer hackers and phishing experts ‘on our side’

The computer hackers and phishing experts ‘on our side’

 

BBC News
June 21, 2013

 

The computer hackers and phishing experts 'on our side'
The computer hackers and phishing experts ‘on our side’

 

Article Related Viseo :    The computer hackers and phishing experts ‘on our side’

If you have been hacked it means someone somewhere is watching your computer’s every move. Hackers deploy a variety of tricks to gain access to your computer but a fight-back has begun. Some companies are now even paying hackers to test their own firm’s security.

LJ Rich meets some professional hackers who are on the right side of the law, explains how people go about trying to get inside your computer and has some useful tips on how to stay safe from unwanted invaders.

 

Watch more clips on the Click homepage. If you are in the UK you can watch the whole programme on BBC iPlayer.

Direct Link:  http://www.bbc.co.uk/news/technology-23008088

Homeland Security database leaks employee information

Homeland Security database leaks employee information


PC World

by Ellen Messmer
May 26, 2013

Homeland Security database leaks employee information
Homeland Security database leaks employee information

 

The Department of Homeland Security (DHS) said lat week it has notified employees and others with DHS clearance to be on alert for potential fraud due to a vulnerability discovered in software used by a vendor to process personally identifiable information (PII) for background investigations. The software hole in had been there since July 2009.

“During the week of May 20, 2013, DHS is alerting employees of the potential vulnerability and outlining ways that they can protect themselves, including requesting fraud alerts and credit reports,” the DHS said in its statement “Privacy Response to Potential PII Incident.” DHS says a vulnerability in software that an unnamed vendor uses to maintain a database of background investigations had a hole in it that left open to potential unauthorized access information that includes name, Social Security number, and date of birth.

DHS says the software vulnerability has now been fixed and there’s no evidence that this PII released to DHS clearances has been stolen from the vendor-maintained database. (See also “Ten Best Practices to Prevent Data and Privacy Breaches.”)

* Follow-up resources offered

DHS has set up a call center to address any employee concerns related to the notifications and is advising affected individuals concerned about potential fraud to consider taking certain measures, such as letting potential creditors know to contact them before opening a new account in their name. DHS also listed the three credit reporting firms, Equifax, Experian, and TransUnion, saying an individual can place a fraud alert.

DHS also indicated it’s in a legal confrontation with the unnamed vendor with this background investigations database and has raised a “stop work request” while engaging with the “vendor’s leadership to pursue all costs incurred mitigating the damages.” DHS is in talks with this unspecified vendor on “notification requirements for current contractors, inactive applicants and former employees and contractors.”

DHS was alerted by a law enforcement partner of the potential vulnerability, and says it took immediate steps to address the problem with the vendor. Though DHS does not know that PII related to this security hole has been stolen, it’s investigating the matter.

Employees who submitted background investigation information, and individuals who received a DHS clearance between July 2009 and May 2013, primarily for positions at the DHS headquarters, Customs and Border Protection (CBP), and Immigration and Customs Enforcement, may be affected.

* Spreading word to former contacts

DHS also says it is making “every possible effort” to reach out to former employees, applicants, former contractors, and “similar individuals who received a DHS clearance that may be impacted.”

In its privacy notification alert, DHS sought to address concerns, such as whether employees should alert the contacts they provided for the background investigation. DHS says it has no reason to believe that kind of step is needed.

As to whether DHS will continue to work with the unnamed vendor whose software had the security hole, the Department indicated the CBP has put the brakes on work at this time while DHS is “evaluating all legal options.”

 

Direct Link:  http://www.pcworld.com/article/2039752/homeland-security-database-leaks-employee-information.html

Hotel Lock Hack Still Being Used In Burglaries, Months After Lock Firm’s Fix

Hotel Lock Hack Still Being Used In Burglaries, Months After Lock Firm’s Fix


FORBES

by Andy Greenberg
5/15/2013

 

Photos released by Arizona police of two suspects alleged to have robbed a 27-year-old girl's hotel room using the Onity lock-hacking method at the Coast Hotel in Phoenix.
Photos released by Arizona police of two suspects alleged to have robbed a 27-year-old girl’s hotel room using the Onity lock-hacking method at the Coast Hotel in Phoenix.

 

More than nine months after the hotel lock firm Onity announced a fix for a security flaw that allowed anyone to gain access to millions of hotel rooms in seconds, that lock-hacking technique seems to be thriving–and thieves are still using it to perform dozens of burglaries with hardly a trace.

The latest reports of criminals implementing the Onity lock hack come from Arizona, where police say that hotel rooms have been burglarized across the cities of Phoenix, Scottsdale, Tempe, and Mesa, with between six and nine robberies in each city. In every case, police and hotel staff believe that the burglars used a small device that can be inserted into a data port on the underside of hotel locks to read their memory, access a digital key, and trigger the locks’ opening mechanism in seconds. The targeted hotels include the Holiday Inn, Extended Stay, Quality Inn, Laquinta Inn, Red Roof Inn, Motel Six, Budget Inn, Courtyard By Marriot, and Comfort Inn, according to a Phoenix police spokeperson.

The video below shows two of the suspects entering the Coast Hotel in Phoenix and allegedly leaving with a 27-year old woman’s suitcases. Though the video footage doesn’t capture the accused thieves using the lock-hacking device to open the room’s door, police say that hotels found evidence in its lock’s memory that a device accessed the lock during the brief time when the men were in the building. That hacking device, which was first revealed by the security researcher and software developer Cody Brocious at the Black Hat security conference last year, can be built for less than $50, and spoofs the “portable programmer” used by hotel staff to change locks’ settings and open locks with depleted batteries.

Local police are offering a $1,000 reward for information about the suspects.

In cases at other hotels, thieves stole luggage, TVs, laptops, iPads, the gun and badge of a U.S. marshall, and the full uniform of an airline pilot, along with every other possession he’d left in the Tempe hotel room. “Since all my stuff was cleaned out, I thought I was in the wrong room,” pilot Ahmiel Fried told local news TV station ABC15, who first reported the break-ins. “[I was] not expecting everything to be gone.

 

Photos released by Arizona police of two other suspects believed to have used the hotel lock-hacking devices.
Photos released by Arizona police of two other suspects believed to have used the hotel lock-hacking devices.

 

Phoenix police spokesperson Darren Burch says it’s still not clear how many people are exploiting the vulnerability in Onity’s locks to rob hotels, or even whether the Arizona burglaries were performed by a single group or by individuals working separately. But he warns that while he’s only aware of the Arizona thefts, it’s likely that the lock-hacking technique is being exploited across the country, and that it may be being used more often than it’s being reported. After all, Onity’s keycard locks protect more than four million rooms worldwide. “We’ve just learned about this locally, but it’s my understanding this is happening elsewhere,” Burch says. “This is just the tip of the iceberg.”

In November of last year I reported that the same vulnerability in Onity locks was used to break into a series of hotel rooms in Houston, Texas. In that case, police arrested and charged 27-year-old Matthew Allen Cook with theft. Cook, who still awaits trial, was identified when a stolen HP laptop ended up at a local pawnshop, whose staff helped to identify him.

An Onity lock and (inset) the circuit board Onity has offered to replace for a full reimbursement in many hotels' doors.
An Onity lock and (inset) the circuit board Onity has offered to replace for a full reimbursement in many hotels’ doors.
This latest round of burglaries comes months after Onity became aware of its security issue and began working to fix it. In August, Onity announced it would be releasing temporary plugs to cover its locks data ports, and would follow up with a software update, albeit one that hotel customers themselves would have to pay for. But after the string of Texas break-ins, I obtained memos from Onity to Marriott, InterContinental Hotel Group, and Hyatt in which it agreed to reimburse those major chain hotels for a full circuit-board fix.

Given that some of the Arizona hotels are among the customers whose fixes Onity agreed to cover, it’s not clear how they’ve remained vulnerable. I’ve reached out to Onity for a response and will update this post if I hear from the company.

Onity’s troubles began in July, when Cody Brocious demonstrated to me in a series of New York hotels that his lock-opening trick could work. At the time, Brocious’ technique was unreliable, only opening one of the three hotel room doors we tested. But he soon released the method online, and hackers began to post YouTube videos of themselves adapting and improving the lock-opening device until it worked reliably and could fit into an iPhone case or even a dry-erase marker.

At the time, Brocious argued that his hacking trick was intended to demonstrate Onity’s security vulnerability and force the company to fix it–not to take advantage of the security flaw for criminal purposes. But nearly a year after he first showed me his trick, it’s transformed from a theoretical bug to a very real criminal technique. And unless Onity and its customer hotels take greater care to update their locks, there’s no end to the insecurity in sight.
Direct Link:  http://www.forbes.com/sites/andygreenberg/2013/05/15/hotel-lock-hack-still-being-used-in-burglaries-months-after-lock-firms-fix/

Microsoft moves to optional two-factor authentication

Microsoft moves to optional two-factor authentication

In the days to come, users of Outlook.com, Skype and SkyDrive will be given the option of adding a second form of authentication

Computer World
by Joab Jackson
April 17, 2013

Microsoft moves to optional two-factor authentication
Microsoft moves to optional two-factor authentication

 

IDG News Service –

Following similar initiatives by Apple, Google and Facebook, Microsoft is enabling two-factor authentication for its Microsoft Account service, the log-on service for many of its online and desktop products.

“With this release you can choose to protect your entire account with two-step verification, regardless of what service (or device) you are using with your Microsoft account,” wrote Eric Doerr, Microsoft Account group program manager, in a blog entry announcing the secondary authentication. “It’s your choice whether you want to enable this, but for those of you that are looking for ways to add additional security to your account, we’ve worked hard to make set-up really easy.”

With two-factor authentication, a user logging in to a service or device supplies a second piece of information in addition to a password, thus making it impossible for another party to gain illicit access to the user’s accounts without all the separate pieces of information. Microsoft is using additional verification methods such as a short code sent to the user’s mobile phone, which is then entered in addition to the password, or by asking the user to supply additional information, such as an alternative email address.

Microsoft Account, formerly called Windows Live ID, is a single sign-on Web service to authenticate users of Outlook.com, SkyDrive, Skype, and other Microsoft services. It can also be used as an authentication mechanism for Windows PCs, the Xbox and Microsoft Office. Overall, Microsoft has over 700 million users registered to Microsoft Account.

Users will find instructions on how to add a second form of authentication on the Microsoft Account settings page. The chief form of secondary authentication will be a short code sent to the user’s mobile phone, the number of which Microsoft will keep on file, each time the user logs on.

As an alternative to security codes, Microsoft is providing a number of other forms of authentication as well. For smartphones, users can deploy an authenticator app. Microsoft has released an authenticator app for Windows Phones, and third-party authenticator apps can be used for other platforms. For those devices that do not directly support two-factor authentication, such as the Xbox, users can get a secondary password, one unique to each device.

Microsoft can also keep a list of trusted devices designated by the user. With such devices, users enter a security code once and have that device remembered in future visits, eliminating the need to enter the security code for each log in. Microsoft currently offers this capability, but only with Internet Explorer and the use of additional software. Users can manage their list of trusted devices through their account settings page.

Doerr cautioned that, though more secure, two-factor authentication can be more difficult to manage. Losing a security code results in a 30 day wait for a new code. And Microsoft is asking for at least two pieces of information on file, in case one of the pieces is lost or forgotten. And if the user loses both the password and all the security information, he or she will not be able to access the account again.

Direct Link:  http://www.computerworld.com/s/article/9238465/Microsoft_moves_to_optional_two_factor_authentication?taxonomyId=82