Topic security

Tails Distro update fails to address serious zero-day vulnerabilities

Anonymous Coward
in security on (#3RJ)
story imageThe Tails Linux distro gained a lot of publicity when Edward Snowden noted it as his operating system of choice. But while TAILS goes to great pains to ensure maximum anonymity when using online services, it is not impenetrable. In fact, the software's design is seriously flawed, says Loc Nguyen, a researcher at Exodus.
Tails is comprised of numerous components working in interchange," he said. ... however because there are numerous inter-locking mechanisms in play on the system, it's difficult to readily pinpoint a particular weak area."
Nguyen and team had identified a number of zero-day vulnerabilities in the distro that have gone unaddressed and remain open even as TAILS releases an update to the software. Exodus said it would release details about the zero-days in a series of blog posts next week. For the Tails platform, privacy is contingent on maintaining anonymity and ensuring their actions and communications are not attributable. Thus, any violation of those foundational pillars should be considering highly critical," added Nguyen. This affects every user of Tails, who should all "diversify security platforms so as not to put all your eggs in one basket", he added. Exodus sells to private and public businesses hoping to use the findings for either offensive or defensive means. Those unconcerned about governments targeting their systems might not be concerned about the Tails zero-days. Others will likely be anxious one of their trusted tools to avoid government hackers contains vulnerabilities that could be exploited to spy on any user of the OS."

More on the vulnerabilities at the Register and Forbes.

Russian hackers placed digital "bomb" in Nasdaq computers

in security on (#3RC)
story imageIt's old news, but it's only being reported today: turns out, in 2010, Russian crackers exploited a zero-day vulnerability to install some malware on the Nasdaq stock exchange systems capable of derailing the stock exchange.
The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger. ... [The] National Cybersecurity and Communications Integration Center (NCCIC), whose mission is to spot and coordinate the government’s response to digital attacks on the U.S. ... reviewed the FBI data and additional information from the NSA, and quickly concluded they needed to escalate. Thus began a frenzied five-month investigation that would test the cyber-response capabilities of the U.S. and directly involve the president. Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why.
Bloomberg Businessweek does an excellent job of telling the story of competing security agencies, their different mandates, and how they cooperated and sometimes competed to deal with the intrusion.
The agents found little evidence of a broader attack. What they did find were systematic security failures riddling some of the most important U.S. financial institutions. It turned out that many on the list were vulnerable to the same attack that struck Nasdaq. They were spared only because the hackers hadn’t bothered to try.

What if we owned our own data?

in security on (#3R4)
story imageIt's been proposed before, but MIT takes it a step further and is fleshing out a system where users can take control of their own data. This would be a radical shift in how things work now.
In the latest issue of PLOS One, MIT researchers offer one possible answer. Their prototype system, openPDS — short for personal data store — stores data from your digital devices in a single location that you specify: It could be an encrypted server in the cloud, but it could also be a computer in a locked box under your desk. Any cellphone app, online service, or big-data research team that wants to use your data has to query your data store, which returns only as much information as is required.
Interestingly, the system involves sharing code, not data. They outline a music recommendation service that would make a recommendation to you not by requesting access to your music store, but by sending you an algorithm your datastore would run and return. There's more work to do here, but it seems like a step up from the "everyone owns your data except you" model in which we're currently living.

People in leadership positions may sacrifice privacy for security

in security on (#3R0)
story imageNew research (abstract) suggests that those in higher-level positions are more likely to make decisions that value security over privacy, and be more determined to carry out those decisions. In one experiment, people who were appointed supervisors showed a significant increase in their concern for security. The researchers also found that participants who were assigned a worker-level status expressed higher concern for privacy, but not significantly higher.
We find that a high-status assignment significantly increases security concerns. This effect is observable for two predefined sub-dimensions of security (i.e., personal and societal concerns) as well as for the composite measure. We find only weak support for an increase in the demand for privacy with a low-status manipulation.
[Ed. note: that would explain why your boss is always more conservative/risk averse than you'd like. Maybe the perks and salary are too good to give up, so he'll do anything to stay where he is? In which case: let's pay them less.]

UN Human Rights Office: "government surveillance on rise worldwide"

in security on (#3QW)
We knew this, but now it's increasingly such a part of the written record that even the United Nations Office on Human Rights has made a statement.
Stepping into a fierce debate over digital privacy rights, the U.N. office says it has strong evidence of a growing complicity among private companies in government spying. It says governments around the world are using both the law and covert methods to access private content and metadata.

U.N. High Commissioner for Human Rights Navi Pillay said the lack of transparency and tactics extend to governments’ ”de facto coercion of companies to gain broad access to information and data on citizens without them knowing.”
[Ed. note: So who are these private companies, and are they hiring? Because it seems like a bit of a growth industry at the moment: job security, woo hoo!]

Five NSA programs you should know by name

in security on (#3QM)
story imageYou may be sick and tired of hearing about NSA surveillance, but we may as well get used to it: until legislators decide to put an end to the mass surveillance, they're here to stay. Rather than ignore them then, better to get to know them. RadioOpenSource has provided an excellent overview of five NSA programs currently in force that you should know by name.
  1. XKeyscore
  2. Fascia
  3. Optic Nerve
  4. Boundless Informant
  5. Dishfire
Even the names are evocative of the kinds of things and the sense of authority and accountability that led to their development. An excellent read. While you go through it, see if you can suggest some names for other NSA programs that would operate in the same vein. For example: "Operation Colonoscopy."

"Remote Control Systems" used by law enforcement to root your phone

in security on (#3PK)
This just in from the Reg, and it's not good: a massive botnet of 320 Command & Control servers placed in 40 countries, and being sold to law enforcement agencies to infiltrate and root cell phone systems.
The Milan-based firm that developed RCS boasts on its website that its malware can crack any mobile operating system and remain undetected while doing so. Based on documents leaked to Citizen Lab, the firm may be correct in its claims. ... Once a target is identified by cops or g-men the malware is sent out and installed, either by tricking the user with a spearphishing attack or by exploiting vulnerabilities in the target's operating system. ... Once on a target's mobile, the RCS software can intercept and record all phone calls, SMS messages, chat conversations from apps such as Viber, WhatsApp and Skype, grab any files or pictures on the handset, spy on the calendar, look up the user's location, and take screenshots whenever the operator specifies, as well as harvesting data from third-party applications like Facebook.
Looks like Android is more at risk here, but iOS can also be hacked, especially if it's been jailbroken. 'Scuze me while I go reinstall a landline and move into the basement with a tinfoil hat and a weapons cache :(

Medical records in the digital age

in security on (#3PD)
story imageThe medical field isn't exactly embracing the digital revolution, although it's quick to implement scientific progress in other areas. Trapped in a mess of legal, privacy, and insurance regulations and hampered by financial disincentives to implement digital record keeping, many medical centers still rely on voluminous paper records. But that's changing, and with change comes good news and bad.

First come the breaches of privacy. In Cincinnati, a woman is suing the University of Cincinatti Medical Center after a medical clerk posted the woman's medical records (showing name and diagnosis of syphilis) to Facebook's page "Team No Hoes." Privacy is also compromised when medical records become part of court hearings, as many legal cases become part of public record and are searchable online.

But these risks were part of the paper system as well. Recently, a huge number of paper medical records turned up in York, UK, and Michael Schumacher's paper records seem to have been stolen and put up for sale.

So what do we need to keep sensitive, personal, medical information private? Think quickly, because already some doctors can access your medical records via Google Glass as they talk to you.

Synology NAS Remotely Hacked To Mine $620K In DogeCoin

Anonymous Coward
in security on (#3PA)
story imageFrom ThreatPost via Soylent-not-a-food-trademark-infringing-site, a single criminal hacker planted trojans on Synology NAS units around the world and managed to use the little boxes to mine $620,000 worth of "DogeCoin", the cuter version of the BitCoin "virtual currency".

This, much more than the SuperMicro vulnerability, tells me I'm living in strange new times indeed. A home network-storage appliance used over the Internet to create wealth out of nothing but electricity running some decryption code. These are concepts that just didn't even exist a short time ago.

Had the hacker been just a little more conservative in resource utilization, the scheme may have gone undiscovered for much longer. The jig was up only after Synology users complained about performance to tech support! (Clearly, no one, anywhere, ever checks their router and firewall logs for unusual destinations).

I find this interesting as I had just been reading Ars Technica's new writeup of DIY NAS solutions as alternatives to the expensive fixed purpose NAS devices (some interesting alternatives mentioned in the comments there).

Exploiting bug in Supermicro hardware is as easy as connecting to port 49152.

Anonymous Coward
in security on (#3P8)
story imageIf you're running a server on Supermicro hardware, you're operating with your pants down. That's the conclusion by security firms who warn exploiting bug in Supermicro hardware is as easy as connecting to port 49152. There are very likely at least 32,000 servers broadcast admin passwords.

Over at security researchers explain:
On 11/7/2013, after reading a couple articles on the problems in IPMI by Rapid7’s HD Moore (linked at the end), I discovered that Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152.

If you take a look at the /nv directory, you will find the file IPMIdevicedesc.xml file; a file which was already known to be downloaded via the aforementioned port. You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface (reference link at the bottom of this article). This is not the only file that is vulnerable to this.
Read more here.