Tag Archives: Hacking

Heartbleed: routers and phones also at risk, says security expert

Heartbleed: routers and phones also at risk, says security expert

Manufacturers must patch routers, video conferencing software and desktop phones, as scale of software vulnerability continues to grow

 

The Guardian
by Alex Hern
April 14, 2014

 

The recently uncovered "Heartbleed" bug exposes data to hackers. (Photograph: Pawel Kopzynski / Reuters)
The recently uncovered “Heartbleed” bug exposes data to hackers. (Photograph: Pawel Kopzynski / Reuters)

 

Heartbleed, the software vulnerability in hundreds of thousands of web servers which laid their contents open to attackers, also affects consumer devices, security experts have warned.

Hardware including smartphones, routers and cable boxes are all potentially affected, posing the risk of anything from data theft to attackers seizing control of the vulnerable device.

“Network-connected devices often run a basic web server to let an administrator access online control panels,” says Philip Lieberman, president of security firm Lieberman Software. “In many cases, these servers are secured using OpenSSL and their software will need updating.

“However, this is unlikely to be a priority. The manufacturers of these devices will not release patches for the vast majority of their devices, and consumers will patch an insignificant number of devices.”

Some manufacturers have confirmed that their devices are not affected. Belkin says that its routers, as well as those of its Linksys subsidiary, are safe: one range does use OpenSSL, the software which contains the Heartbleed vulnerability, but uses a version which predates the flaw.

But others are not so lucky. Networking giant Cisco has confirmed that a number of its products are vulnerable, including desktop phones, video conferencing hardware and VPN software. It is investigating a further 83 products for potential vulnerabilities.

Neither Netgear nor BT returned requests for comment, and have not spoken publicly about whether or not their devices are vulnerable.

For affected devices, operators are slowly releasing patches, which must be downloaded and installed. But many users will not apply the updates, warns Lieberman.

“The list of compromised devices is huge,” he says. “Most of the devices are not going to be patched because their users do not know how to do it since they bought a router or firewall, not OpenSSL (as far as they are concerned).

“Many of the devices are from manufacturers that are no longer supporting the previously shipped devices as a matter of policy and business model,” he adds. “What do you expect in the way of support when you buy a device or embedded system for less than $100 and the company is making $10.00?”

As with affected websites, users should not change passwords until they are sure the vulnerability has been fixed. The best way to be certain is to wait for the affected company to specifically say it is time to change passwords: examples of companies who have done so include Tumblr, Flickr, IFTTT and Dogecoin service DogeAPI.

 

SSL keys stolen

One potential avenue of hope was blocked off on Friday, when online services company CloudFlare confirmed that four people had successfully stolen SSL certificates from an affected server.

SSL is the basis of security online, and is the protocol that leads to browsers displaying a padlock icon to show that a given website is secure. One of the attacks that the Heartbleed vulnerability allows is theft of the private key for SSL, allowing an attacker to decrypt intercepted messages or impersonate the site.

Cloudflare had previously written that “we have reason to believe… that it may in fact be impossible” to steal the keys from their servers, in contrast to claims made by the researchers who uncovered the flaw. But the company issued a challenge to the outside world to prove them wrong, and four separate researchers managed to steal the information over the next 48 hours.

The result of the challenge underscores that it’s not enough for a site vulnerable to Heartbleed to fix the server: it also needs to treat the SSL key as stolen, and issue a new one. Cloudflare described the possibility of a stolen key as “the disaster scenario, requiring virtually every service to reissue and revoke its SSL certificates. Note that simply reissuing certificates is not enough, you must revoke them as well.”

Since the news of Heartbleed broke on April 6, more than 10,000 sites have revoked and re-issued their certificates, giving some idea of the scale of the problem.

 

* RELATED:

Heartbleed: what you need to know

 

Direct Link:  http://www.theguardian.com/technology/2014/apr/14/heartbleed-routers-phones-at-risk-security-expert

 

Heartbleed: 95% of detection tools ‘flawed’, claim researchers

Heartbleed: 95% of detection tools ‘flawed’, claim researchers

Free web tools and not picking up the vulnerability, leaving consumer data exposed

 

The Guardian (UK)
by Tom BrewsterApril 16, 2014

 

Tools designed to tackle high-profile Heartbleed bug have their own problematic bugs. (Photograph: Pawel Kopczynski / Reuters)
Tools designed to tackle high-profile Heartbleed bug have their own problematic bugs. (Photograph: Pawel Kopczynski / Reuters)

 

Some tools designed to detect the Heartbleed vulnerability are flawed and won’t detect the problem on affected websites, a cybersecurity consultancy has warned.

The Heartbleed flaw, which undermined the common security software for internet connections called OpenSSL, caused mass panic last week due to the ease with which it could be exploited to acquire passwords or encryption keys, potentially leaking sensitive personal data from popular consumer websites.

A deluge of tools then hit the internet promising to help people determine whether the web services they were using or hosting were affected. But 95% of the most popular ones are not reliable, according to London-based security consultancy and penetration testing firm Hut3.

 

‘Absolute panic’

“A lot of companies out there will be saying they’ve run the free web tool and they’re fine, when they’re not,” Hut3’s Edd Hardy told the Guardian. “There’s absolute panic. We’re getting calls late at night going ‘can you test everything’.”

Most of the tools checked by Hut3 rely on code designed to highlight the flaw created by developer Jared Stafford, which itself contained problematic bugs, said Hut3 penetration tester Adrian Hayter. These included tools created by major tech companies such as Intel-owned security firm McAfee and password management provider LastPass.

Hayter uncovered three problems with the Heartbleed checkers, which could lead to many cases of sites remaining vulnerable. One of the issues was to do with compatibility with different versions of SSL, the Secure Sockets Layer kind of web encryption affected by the Heartbleed flaw.

“The Heartbleed Checker is designed to work with common system configurations found in the wild,” said Raj Samani, CTO for Europe, the middle east and Asia at McAfee. “There have been reports of detection failure rates of around 2.8% due to these configurations. We were aware of the possibility and have provided a disclosure directly above our checker. We are continually reviewing and revising our code and technique.”

Joe Siegrist, CEO at LastPass, said: “Unlike all other tests, LastPass is not actually attempting to exploit the bug to test if it’s currently present – we’ve been unsure if that’s legal for a US entity to do.

“Our focus has been in ensuring people are updating/revoking their certificates, and that we’re reflecting what major organisations are saying about their exposure. Can you update or make a new certificate and keep the heartbleed bug in place? Sure, but that’s what all the other tests are for.”

 

Widespread consequences

“It is yet another symptom of the ‘hit the ground running’ approach that has characterised the response to this vulnerability,” said Rik Ferguson, vice president of security research at Trend Micro.

“The consequences are so widespread and the technology involved so arcane or invisible to the average user, that knee-jerk reactions and well-meaning advice have been offered up with little planning. From the initial Tumblr blog advising user to change all passwords everywhere ‘now’, before most of the vulnerable services would have been patched, to self-confessed ‘quick and dirty’ demonstration tools being incorporated into complete vulnerability scanning tools.”

“The key to success with protection and mitigation of Heartbleed is more haste, less speed – otherwise you may well be sitting in the comfortable haze of a false sense of security. Ignorance isn’t bliss, it’s dangerous.”

There are various versions of SSL and servers hosting websites can support some or all of them. If the server doesn’t support the version that the user machine selects, then it will respond by either dropping the connection or trying to use a different type of SSL which the server does support.

Herein lies the problem with the detection tools: in many of them, only one version, known as TLSv1.1, is checked. If the server being tested for Heartbleed doesn’t support TLSv1.1, it will either reject the connection or suggest another version. But the failed detectors do not check for another version and assume any server that does not provide a successful response is not vulnerable, said Hayter.

Similar problems lie in compatibility with “cipher suites”, the selections of algorithms used to set up a secure connection over the internet. “Once again, if the server does not support any of the cipher suites that the client sends, the connection will disconnect,” said Hayter.

Most of the tools he examined only told the server they supported about 51 cipher suites, when there are at least 318 cipher suites that could be used by a website. “Granted, most servers will support at least one of the ciphers in the list of 51, but there could be instances where a server does not support any of them, and in these cases, the server would respond with an error, which the scripts interpret as ‘not vulnerable’.”

The third bug was more simplistic: it meant that on slow internet connections some tools would stop working when processing the response of the server, as they would have a time limit. This would again interpret a server as not vulnerable, even if the partially downloaded response would have been enough to confirm the vulnerability, Hayter added.

Given the panic around Heartbleed, with many prematurely being told to change passwords for all web services, even before those sites had been fixed, the latest findings will do nothing to appease the confusion. Hut3 has created its own tool which it believes could help alleviate some of the pain.

 

** RELATED:

Heartbleed: what you need to know to stay secure

Heartbleed: routers and phones also at risk

Developer who introduced Heartbleed error regrets ‘oversight’

US government denies being aware of Heartbleed bug

 

Direct Link:  http://www.theguardian.com/technology/2014/apr/16/heartbleed-bug-detection-tools-flawed

 

 

 

Tor anonymity network to shrink as a result of Heartbleed flaw

Tor anonymity network to shrink as a result of Heartbleed flaw

 

PC WORLD
by Lucian Constantin
April 17, 2014

 

 

Tor anonymity network to shrink as a result of Heartbleed flaw
Tor anonymity network to shrink as a result of Heartbleed flaw

 

 

The Tor Project has flagged 380 Tor relays vulnerable to the critical Heartbleed flaw to be rejected from the Tor anonymity network, reducing the network’s entry and exit capacity.

The decision has already been implemented on a Tor directory authority—a server that maintains a list of Tor relays—controlled by Roger Dingledine, the Tor Project leader, and is likely to be followed by other directory authority operators.

The 380 relays flagged for rejection are trusted entry relays, also known as guards, and exit relays. As a result, the immediate impact of this decision would be a 12 percent reduction in the network’s guard and exit capacity, Dingledine said Wednesday in an email sent to the tor-relays mailing list.

Traffic from clients typically flows through the Tor network in three hops. The first hop is through a guard relay and the final hop, before the traffic is returned on the Internet to reach its intended destination, is through an exit relay.

Twelve percent might not sound like much, but guard and exit relays play an important role on the network and are not easy to replace. Many relays are run by volunteers, but they need to be trusted and need to have enough bandwidth at their disposal to handle traffic from multiple clients.

“I thought for a while about taking away their Valid flag rather than rejecting them outright, but this way they’ll get notices in their logs,” Dingledine said.

 

Tardy patches seem to be the reason

It seems that the ban might be permanent. Dingledine said that he wouldn’t want those relays back on the Tor network even if they upgraded their versions of OpenSSL because their operators didn’t patch the flaw in a timely manner.

The Heartbleed vulnerability was announced on Apr. 7 and affects versions 1.0.1 through 1.0.1f of OpenSSL, a library that implements the TLS (Transport Layer Security) encrypted communication protocol and which is used by many operating systems, web servers, browsers and other desktop and mobile applications.

The flaw allows attackers to extract information from the memory of an application that relies on OpenSSL for TLS communications, whether that application acts as a client or a server.

Both the Tor client and relay software is potentially vulnerable if the OpenSSL library is not updated on the underlying OS.

“Tor relays and bridges could maybe be made to leak their medium-term onion keys (rotated once a week), or their long-term relay identity keys,” Dingledine wrote in a blog post last week after the Heartbleed flaw was announced.

“An attacker who has your relay identity key, has your onion key, and can intercept traffic flows to your IP address can impersonate your relay (but remember that Tor’s multi-hop design means that attacking just one relay in the client’s path is not very useful). In any case, best practice would be to update your OpenSSL package, discard all the files in keys/ in your DataDirectory, and restart your Tor to generate new keys.”

In addition to the 380 guard and exit relays that have been banned already there are over 1,000 other relays that are also vulnerable and should be added to the rejection list at some point soon, Dingledine said.

 

Direct Link:  http://www.pcworld.com/article/2145280/tor-anonymity-network-to-shrink-as-a-result-of-heartbleed-flaw.html

Victim of Your Bad Online Habits? Cryptolocker Ransomware: What You Need To Know

Cryptolocker Ransomware:  What You Need To Know!

 

MalwareBytes.org
by Joshua Cannell
October 8, 2013

 

FBI / Cryptolocker Ransomware: What You Need To Know
FBI / Cryptolocker Ransomware: What You Need To Know

 

Just last month, antivirus companies  discovered a new ransomware known as Cryptolocker.

This ransomware is particularly nasty because infected users are in danger of losing their personal files forever.

 

Cryptolocker Ransomware (view)
Cryptolocker Ransomware (view)

 

Spread through infected websites, this ransomware has been targeting companies through phishing attacks.

Cryptolocker will encrypt users’ files using asymmetric encryption, which requires both a public and private key.

The public key is used to encrypt and verify data, while private key is used for decryption, each the inverse of the other.

Below is an image from Microsoft depicting the process of asymmetric encryption.

 

asymmetric encryption.
asymmetric encryption.

 

The bad news is decryption is impossible unless a user has the private key stored on the cybercriminals’ server.

Currently, infected users are instructed to pay $300 USD to receive this private key.

Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and your files may be lost forever.

Files targeted are those commonly found on most PCs today; a list of file extensions for targeted files include:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files. The folks at BleepingComputer have some additional insight on this found here.

 

REMOVAL:

Malwarebytes detects Cryptolocker infections as Trojan.Ransom, but it cannot recover your encrypted files due to the nature of asymmetric encryption, which requires a private key to decrypt files encrypted with the public key.

 

MalwareBytes detected Trojan
MalwareBytes detected Trojan

 


In order to make removal even easier, a video was also created to guide users through the process (courtesy of Pieter Arntz).

 

 

While Malwarebytes cannot recover your encrypted files post-infection, we do have options to prevent infections before they start.

Users of Malwarebytes Anti-Malware Pro are protected by malware execution prevention and blocking of malware sites and servers.

To learn more on how Malwarebytes stops malware at its source, check out this blog.

Free users will still be able to detect the malware if present on a PC, but will need to upgrade to Pro in order to access these additional protection options.

 

MalwareBytes Protected System
MalwareBytes Protected System

 

Backup:

Also, the existence of malware such as Cryptolocker reinforces the need to back up your personal files.

However, a local backup may not be enough in some instances, as Cryptolocker may even go after backups located on a network drive connected to an infected PC.

Cloud-based backup solutions are advisable for business professionals and consumers alike. Malwarebytes offers Malwarebytes Secure Backup, which offers an added layer of protection by scanning every file before it is stored within the cloud in an encrypted format (don’t worry, you can decrypt these).

 

MalwareBytes Secure Backup
MalwareBytes Secure Backup

 

To find out more on remove Cryptolocker, check out the official removal guide from Malwarebytes.

Direct Link:  http://webcache.googleusercontent.com/search?q=cache:AALLcZNyITkJ:blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/+&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a

 

 

 

 

Car hackers use laptop to control standard car

Car hackers use laptop to control standard car

Next time you have a passenger in the back seat of your car offering infuriatingly “helpful” advice about your driving skills, count yourself lucky that they aren’t doing anything more sinister in their attempts to guide your vehicle.


BBC News

by Zoe Kleinman / Technology reporter
July 26, 2013

 

The researchers managed to stop, start and steer a car with an old Nintendo handset
The researchers managed to stop, start and steer a car with an old Nintendo handset

 

Two security experts in the US have demonstrated taking control of two popular models of car, while someone else was driving them, using a laptop.

Speaking to the BBC ahead of revealing their research at security conference Defcon in Las Vegas in August, Charlie Miller and Chris Valasek said they hoped to raise awareness about the security issues around increasingly computer-dominated car control.

“At the moment there are people who are in the know, there are nay-sayers who don’t believe it’s important, and there are others saying it’s common knowledge but right now there’s not much data out there,” said Mr Miller, a security engineer at Twitter.

“We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars.”

Their work, funded by the Pentagon’s research facility Darpa, has so far received a mixed reaction from the manufacturers themselves.

 

How they did it

The researchers used cables to connect the devices to the vehicles’ electronic control units (ECUs) via the on-board diagnostics port (also used by mechanics to identify faults) inside a 2010 model Ford Escape and Toyota Prius.

Contained within most modern vehicles, ECUs are part of the computer network that controls most aspects of car functionality including acceleration, braking, steering, monitor displays and the horn.

The pair were able to write software which sent instructions to the car network computer and over-rode the commands from the actual drivers of the cars.

They filmed themselves in the back of one of the vehicles steering it left and right, activating the brakes and showing the fuel gauge drop to zero, all while the vehicle was under driver control and in motion.

 

The cable used to connect the devices to the ECUs via the diagnostics port.
The cable used to connect the devices to the ECUs via the diagnostics port.

 

The cable used to connect the devices to the ECUs via the diagnostics port.

A spokesman for Toyota told the BBC that because the hardware had to be physically connected inside the car, he did not consider it to be “hacking”.

“Altered control can only be made when the device is connected. After it is disconnected the car functions normally,” he said.

“We don’t consider that to be ‘hacking’ in the sense of creating unexpected behaviour, because the device must be connected – ie the control system of the car physically altered.

“The presence of a laptop or other device connected to the OBD [on board diagnostics] II port would be apparent.”

 

Expensive and difficult

Mr Miller and Mr Valasek say this is not the point.

Their work builds on earlier research carried out by researchers at the University of Washington and the University of San Diego in 2010, who demonstrated that it was possible to control a car remotely and developed a tool, which they called CarShark, for the purpose.

“We’re big fans of their work but we figured they already proved you can remotely get into a car’s network,” Chris Valasek, director of security intelligence at consultancy IOActive told the BBC.

“We wanted to see how much control would you have once that’s happened.”

They admitted that they had destroyed a few cars while refining their technique.

“It’s very expensive and difficult to do the research to show you can hack into a car. It’s not like you can just download something and look at it,” said Mr Miller.

 

The hackers set the speedometer to read 199 miles per hour while the car was stationary
The hackers set the speedometer to read 199 miles per hour while the car was stationary

 

“I wouldn’t dare do this to my own car,” added Mr Valasek.

They said the cars did not appear to acknowledge the address from where a command was being sent, only the instruction itself.

“There’s no authentication,” said Mr Miller.

“But there are restrictions – the car has to operate very fast. If you run into a wall you need to kill the engine immediately, engage the airbag.

“Car manufacturers don’t have the luxury PC software makers have – if something doesn’t work in a car that can’t happen, it needs to function.”

Mr Miller and Mr Valasek intend to make their research openly available following the conference.

The hackers set the speedometer to read 199 miles per hour while the car was stationary

“The information will be released to everyone. If you’re just relying on the fact people aren’t talking about the problem to stay safe, you’re not really dealing with the problem,” said Mr Miller.

Toyota said it invested heavily in security research.

“Our focus, and that of the entire automotive industry, is to prevent hacking into a vehicle’s by-wire control system from a remote/wireless device outside of the vehicle.

“Toyota has developed very strict and effective firewall technology against such remote and wireless services. We continue to try to hack our systems and have a considerable investment in state of the art electro-magnetic R&D facilities.

“We believe our systems are robust and secure.”

Ford also told the BBC the company takes electronic security seriously.

“This particular attack was not performed remotely over-the-air, but as a highly aggressive direct physical manipulation of one vehicle over an elongated period of time, which would not be a risk to customers on any mass level,” it said in a statement.

“The safety, privacy, and security of our customers is and always will be paramount.”

 

“Scary”

Security expert Prof Alan Woodward, Chief Technology Officer at consultancy Charteris, said that car hacking hasn’t been widely discussed because as yet there has been no criminal incident of it.

“I think [car hacking] is one of the most scary things out there – [the hacking of] cars and medical devices are the two things nobody talks about,” he told the BBC.

“You’ve heard of ransomware – imagine that happening inside a car. It won’t take criminals that long.”

Ransomware is a computer virus that freezes a victim’s computer or threatens to release personal files unless a payment is made.

 

Actor Damian Lewis stars in Homeland, a TV series which featured a car hack storyline
Actor Damian Lewis stars in Homeland, a TV series which featured a car hack storyline

 

A car crash caused by a hacked car featured as a storyline on the US TV series Homeland but was widely dismissed as fantasy, he added.

“There was loads of talk afterwards saying it was rubbish. I remember saying on Twitter, ‘I’m sorry, it’s not.'”

However both the researchers and Prof Woodward agree that hacking into a car is not easy.

“This is a very technical attack, it requires a great deal of technical knowledge,” Prof Woodward said.

“A lot of manufacturers are doing work on security software but they don’t talk about it. It’s not about anti-malware software, it’s more about penetration testing – finding any holes left in the system.

“When people build things based on software, it is built with Intention A. They never think about intention B – which could be all sorts of nefarious purposes.”

Direct Link:  http://www.bbc.co.uk/news/technology-23443215