Denise Howell and Matt Curtis talk with Andrew Rossow, cyberspace and technology lawyer about whose fault is WannaCry and what can be done about it?
Denise Howell and Matt Curtis talk with Andrew Rossow, cyberspace and technology lawyer about whose fault is WannaCry and what can be done about it?
The WannaCry ransomware attack is far from over. Amazon introduces the Echo Show – will the touchscreen voice assistant/videophone flop? Microsoft announces their own voice assistant, the Cortana Speaker. The US plans to ban laptops on flights from Europe. Comcast and Charter agree not to compete on wireless. Russian hackers pwned by French presidential campaign
–Christina Warren needs friends in Seattle.
–Father Robert Ballecer just got back from Malta.
–Roberto Baldwin got hung up on by AT&T customer service.
–Alex Wilhelm’s name will not set off your Amazon Voice Assistant.
Of the top 10 vulnerabilities found in the exploit kits, eight of them were targeted at Adobe’s Flash plugin, used on millions of computers to play multimedia content, according to Recorded Future, a cybersecurity intelligence firm based in Somerville, Massachusetts.
To arrive at its conclusions, Recorded Future looked at software vulnerabilities known to be used in popular exploit kits such as Angler, Neutrino and Nuclear Pack as well as in cybercrime forums between January and September.
Echoing the conclusion of many other security experts, Recorded Future said the findings call “into question Flash’s place in a secure operating environment.”
“While the role of Adobe Flash vulnerabilities as a regular in-road for criminals and malware should come as no surprise to information security professionals, the scale is significant,” the report said.
Adobe has been working for years to make Flash more secure through code reviews, but it has proven to be a mighty task for an application that’s nearly two decades old.
Monthly patches are almost always released by Adobe, and emergency patches come out for zero-day flaws that cybercriminals are actively using.
Apple founder Steve Jobs famously forbid the iPhone from running Flash. This year, other companies have taken steps to reduce the risk of zero-day Flash flaws.
Facebook’s CSO, Alex Stamos, wrote on Twitter in July that it’s “time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.”
In September, Google stopped automatically playing some extraneous Flash content on Web pages. The move was aimed at improving performance in the Chrome browser, but it also has security benefits.
Perhaps the most humorous campaign against the application is the ”Occupy Flash” movement. The group advocates moving everything to HTML5, the latest specification of the Web’s vernacular that has a host of multimedia capabilities.
Occupy Flash’s manifesto reads in part: “It’s time has passed. It’s buggy. It crashes a lot. It’s a fossil, left over from the era of closed standards and unilateral corporate control of web technology.”
By Rob Thubron
In recent times, hackers have been discovering ways to exploit wireless systems in a number of devices, from vehicle infotainment centers to self-aiming sniper rifles. It now seems another gadget may be added to this list, as Fortinet researcher Axelle Apvrille has revealed that fitness-tracking wristband FitBit, which has sold more than 20 million devices worldwide, can theoretically be hacked in just ten seconds and used to spread malware to any computer it syncs with.
According to The Register, an attack on a FitBit via Bluetooth would only require an attacker to be a few feet from a target for around ten seconds after the devices connect. Any computer that later connects with the wearable can be infected with a backdoor, trojan, or some other form of malware used by the hacker.
An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near. [When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile […] the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code. From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers (Fitbits).
Apvrille will be presenting a proof-of-concept demonstration video at the Hack.Lu conference taking place in Luxembourg today. “The video demonstrates that the infection persists over multiple messages,” she says. “Even when I fully reset the connection with the tracker, most of the infected bytes persist, so that means we have enough space to convey a short malicious code.”
FitBit have apparently been aware of the problem since March when Apvrille contacted the company about it. FitBit says it believes the vulnerability, which the first instance of a fitness wearable shown to be potentially hackable, is a low-severity issue and unrelated to malicious software. The researcher has pointed out that the attack is a proof of concept and not something that’s in the wild.
concerning that scenario of infecting a fitness tracker, it’s important to read the slide on limitations 1/ it’s a PoC, no malicious code
— Axelle Ap. (@cryptax) October 21, 2015
This isn’t the first instance of FitBit making headlines due to security failings. In 2011, blogger Andy Baio tweeted that Fitbit fitness band users’ sexual activity was showing up in Google search results by accident, revealing whether they had engaged in “vigorous” or “passive and light” efforts.
Hackers have been demonstrating for years that vehicles are just as susceptible to hacking as any other electronic gadget yet it wasn’t until the recent hack of a Jeep Cherokee’s infotainment system and Chrysler’s subsequent recall that people started to take notice.
According to Kelley Blue Book’s recent Vehicle Hacking Vulnerability Survey, 72 percent of respondents said they were aware of the Jeep hack in question while 41 percent said the incident will be of consideration when buying or leasing their next vehicle.
But just how big of a problem could vehicle hacking pose?
The survey found that a third of those questioned see vehicle hacking as a serious problem while 78 percent believe it will be a frequent problem over the next three years. Much like PC hacking, most believe vehicle vulnerabilities will become a permanent fixture moving forward with an overwhelming majority – 81 percent – citing vehicle manufacturers are most responsible for securing a vehicle from hacking.
Given the recent Chrysler recall, it’s little surprise that those surveyed felt the automaker’s vehicles were most susceptible to hacking (70 percent). General Motors was ranked as the second most susceptible in the eyes of survey-takers at 47 percent followed by Ford with 30 percent.
Karl Brauer, senior analyst for Kelley Blue Book, said cyber-security is still a relatively new area of specialization for automakers but it’s one they need to take seriously to ensure they are ahead of the curve.
Last November, Charles Tendell quietly launched a website called Hacker’s List. Its name was literal. In this online marketplace, white-hat security experts could sell their services in bite-size engagements to people with cyber-problems beyond their grasp.
“Hacker’s List is meant to connect consumers who have online issues to hackers or professionals out there who have the skills to service them,” Tendell told Ars. “Consumers get bullied online, they lose personal information, they have things stolen from them, they get locked out of things, and they have people post negative things or post personal information. They didn’t have a place to go to be able to get help and make sure they’re getting the right price or the best person for a particular job. That’s what Hacker’s List is for.”
The idea seemed clever enough. Soon after launch, The New York Times found the site and brought a stampede of traffic that initially caused it to go down under the strain. In the six months or so since, Hacker’s List has been running without technical hitches. (The site is also utilizing CloudFlare’s content delivery network nowadays.)
However, controversy has crept in to fill the void left by backend hiccups. It’s true that Hacker’s List’s purpose remains showing the general population that “not all hackers are evil,” as Tendell puts it. His intentions for the site also continue to be noble. But many of the project requests being posted to the site show the message isn’t getting through as the marketplace scales. If anything, it seems that those who now flock to Hacker’s List have largely been people looking for evil hackers to hire. And the site is constantly looking for ways to keep up.
Whether good or bad, all the attention Hacker’s List has drawn since launch hasn’t hurt Tendell. The founder and CEO of Denver-based Azorian Cyber Security is now also the co-host of a syndicated tech radio show and a frequent go-to cyber-expert for local and national news broadcasts. Tendell insists that Hacker’s List is a separate entity from his business, but he admits that “being on the front page of a lot of things has increased Azorian’s footprint and business.” In fact, the international press coverage may be Hacker’s List’s biggest upside—because it’s not clear how many actual business transactions happen through the site.
According to data on the site itself, only a handful of the enrolled hackers have made any money through Hacker’s List since its November 2014 launch. For most, their earnings listed have been just a few hundred dollars. While there are more than 3,000 “hacker” accounts registered—some representing security firms, others registered to individuals—there’s no way to know how many are active. Some early adopters of the site who spoke with Ars quickly abandoned it as a source of projects when they saw the sorts of requests that started to come in.
Logistically, Hacker’s List acts as a sort of reverse-eBay: customers post projects, then “hackers” bid on them. The customer selects someone for the job based on bids, and—if the project passes as legitimate with Tendell’s team—the site acts as an intermediary. It holds the customer’s payment until a project is done and they have approved the work. This escrow period also assures the person doing the work that the money is actually there. Afterwards, customers can rate the “hacker” based on their performance and write comments that appear on user profiles.
In theory, this checks and balances system is the same mechanism that keeps other user-generated economies, from AirBnB to Uber, honest. But a quick survey of the kinds of requests made on Hacker’s List recently looks a lot less like someone trying to buy a used cell phone and a lot more like someone trying to hire a hit-man:
Recently breached surveillance software maker, Hacking Team, had access to three different exploits for previously unknown vulnerabilities in Flash Player. All of them are now out in the open, putting Internet users at risk.
Milan-based Hacking Team develops and sells surveillance software to government agencies from around the world. On July 5, a hacker released over 400GB of data stolen from the company on the Internet, including email communications, business documents, source code and other internal files.
On Tuesday, researchers found a proof-of-concept exploit among Hacking Team’s files that worked against the latest version of Flash Player. Cybercriminals were quick to adopt it and were already using it in large-scale attacks by the time Adobe Systems released a patch for it on Wednesday.
By late Friday, researchers from FireEye revealed that they found a second zero-day exploit for Flash Player in the Hacking Team data cache, prompting Adobe to issue an emergency advisory.
This was followed up Saturday by researchers from Trend Micro with yet another find, putting the number of Flash Player zero-day exploits used by Hacking Team to three—at least so far.
Only one of the vulnerabilities targeted by those exploits has been patched so far, with Adobe planning to release fixes for the other two—CVE-2015-5122 and CVE-2015-5123—later this week.
That’s a problem because the cybercriminals behind the Angler Exploit Kit were already using the exploit discovered by FireEye (CVE-2015-5122) by Sunday. The malicious activity was spotted by a malware researcher known online as Kafeine who specializes in tracking drive-by download attacks.
It’s very likely that attackers are also working on integrating the exploit found by Trend Micro (CVE-2015-5123) in commercial exploit kits, if they haven’t already.
“Until an update is available, users should consider disabling Adobe Flash,” researchers from Trend Micro said in a blog post. “Extra caution should be exercised for the foreseeable future and special attention paid for the possibility of compromised ad servers.”
Web-based exploits are typically used to infect computers when users visit legitimate websites that were compromised or when their browsers load malicious advertisements.
A second major cyber breach that might reveal far more personal and damaging information appears to have hit the U.S. government’s Office of Personnel Management (OPM).
The breach was apparently carried out by hackers with connections to China and targeted a database containing copies of the government’s Standard Form 86, according to news reports citing unnamed government officials. The form, available online, is a 120-page questionnaire that’s answered by people seeking a national security clearance.
Those filling out the form are asked to provide highly personal details about their lives that go far beyond their birth dates and social security or passport numbers. Among the questions asked are details of former residences, names and addresses of neighbors and detailed information about family members.
There are also many questions, confined to the last seven years, that ask about contact with foreign nationals and problems with drug or alcohol abuse, debts or bankruptcy, imprisonment or run-ins with law enforcement.
The hack is believed to be separate from one disclosed last week that targeted the same agency and is feared to have resulted in the theft of personnel records on millions of current and former government employees in all branches of government except the military and intelligence fields.
That hack was initially thought to have affected about 4 million people, but the Associated Press reported on Friday that the actual number could be as high as 14 million.
The U.S. government has yet to officially pin blame for the first hack on any actor, but last week Sen. Susan Collins, a Republican from Maine and member of the Senate Intelligence Committee, said she believed the hackers were based in China.
On Thursday, a union representing government employees said it believes the detailed personal information stolen was not encrypted on OPM servers.
The Office of Personnel Management has yet to provide any details on the hacks beyond an initial statement published last week.
For at least four years, a bug in Apple’s OS X gave untrusted users—and possibly remote hackers with only limited control of their target—unfettered “root” privileges over Macs.
The vulnerability is being called a “hidden backdoor” by Emil Kvarnhammar, the security researcher who discovered the bug and privately reported it to Apple. It’s probably more accurate to describe it the equivalent of an unpublished programming interface that allowed users with admin or even lower-level standard privileges to gain root. The privilege escalation flaw was fixed in a massive security update Apple released Wednesday for the 10.10, aka Yosemite, version of OS X. Macs running versions 10.9 or earlier remain vulnerable.
“The Admin framework in Apple OS X contained a hidden backdoor API to root access for several years (at least since 2011, when 10.7 was released),” Kvarnhammar wrote in a blog post published Thursday. “The intention was probably to serve the ‘System Preferences’ app and systemsetup (command-line tool), but there is no access restriction. This means the API is accessible (through XPC) from any user process in the system.”
To fully exploit the bug, attackers would need physical access to the targeted Mac. But the escalation vulnerability could potentially be exploited remotely in combination with other attacks, for instance, one that’s able to compromise a browser and break out of its security sandbox but doesn’t have privileged access to operating system resources. Exploits might also be useful against machines running server versions of OS X.
When Kvarnhammar first discovered the bug last October, he found he could exploit it to gain root privileges from the rights normally granted only to admin accounts. The researcher continued to experiment with the flaw until he found a way to elevate privileges even from standard OS X accounts, which give users considerably less control. To Kvarnhammar’s amazement, he was able to expand the attack by sending a what’s known as a “nil” to the OS X mechanism that performs the elevation authorization. A nil is a zero-like value in the Objective C programming language that represents a non-existent object.
“It seems like the authorization checks are made by triggering callback functions on the auth-object supplied,” Kvarnhammar wrote. “For those of you who are not Objective-C programmers: Guess what happens if you call methods on a null reference–or to use Objective-C language, send a message to nil? Nothing! :)”
As in years past, the latest patched versions of the most popular web browsers around stood little chance against those competing in the annual Pwn2Own hacking competition. The usual suspects – Apple Safari, Google Chrome, Mozilla Firefox and Microsoft Internet Explorer – all went down during the two-day competition, earning researchers a collective total of $557,500 in prize money.
The event, which took place at the CanSecWest conference in Vancouver, was sponsored by the Hewlett-Packard Zero Day Initiative. During the first day, HP awarded $317,500 to researchers that exploited flaws in Adobe Flash, Adobe Reader, Internet Explorer and Firefox.
eWeek notes that the first reward, paid to a hacker by the name of ilxu1a, was for an out-of-bounds memory vulnerability in Firefox. It took less than a second to execute which earned him a cool $15,000.
Firefox was exploited twice during the event. Daniel Veditz, principal security engineer at Mozilla, said the foundation was on hand during the event to get the bug details from HP. Engineers are already working on a fix back at home, he added, that could be ready as early as today.
Another security researcher, JungHoon Lee, managed to demonstrate exploits against Chrome, IE 11 and Safari. As you can imagine, he walked away with quite a bit of money: $75,000 for the Chrome bug, $65,000 for IE and $50,000 for the Safari vulnerability. He also received two bonuses totaling $35,000.