Samsung, the big brother inside your TV?

in security on (#2X0A)
Samsung is warning customers about discussing personal information in front of their smart television set. The warning applies to TV viewers who control their Samsung Smart TV using its voice activation feature. When the feature is active, such TV sets "listen" to what is said and may share what they hear with Samsung or third parties, it said. Privacy campaigners said the technology smacked of the telescreens, in George Orwell's 1984, which spied on citizens. Samsung has issued a statement that emphasized the voice recognition feature is activated using the TV's remote control.

Should Pipedot readers be concerned? What assurance is there that voice control systems which involve uploading voice commands to remote servers (Siri included) couldn't be used for surveillance covertly, as the FBI started doing with OnStar in General Motors vehicles over a decade ago? Samsung is not the first maker of a smart, net-connected TV to run into problems with the data the set collects. In late 2013, a UK IT consultant found his LG TV was gathering information about his viewing habits.

Today, users of Samsung's Smart TVs are also complaining that advertisements are being inserted into their own videos, without their permission. “Every movie I play, 20-30 minutes in it plays the Pepsi ad. It has happened on 6 movies today.” In a statement, a Samsung spokesperson said that the ad placement in third-party apps was a mistake, and that the issue only affected customers in Australia.

Microsoft admits Windows 10 preview has a keylogger

Anonymous Coward
in security on (#2WSZ)
Microsoft has admitted that the new Windows 10 operating system tracks keystrokes and examines audio input. The new operating system, currently a free download for users with Windows 7 and Windows 8 licences, not only tracks how long it takes to open different types of files, the make and model of device you're using, but it's also logging keystrokes and collecting voice recordings. Microsoft will not delete data already collected from Windows 10 users.

Hackers destroy blast furnace in German steel mill

in security on (#2WPR)
A recent report by Germany’s Federal Office for Information Security reveals that hackers caused "massive" damage to an unnamed steel mill. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down. The report doesn’t name the plant or indicate when the breach occurred.

This is only the second confirmed case in which a wholly digital attack caused physical destruction of equipment. The first case, of course, was Stuxnet, the sophisticated digital weapon the U.S. and Israel launched against control systems in Iran in 2008 to sabotage centrifuges at a uranium enrichment plant. Industrial control systems have been found to be rife with vulnerabilities, though they manage critical systems in the electric grid, in water treatment plants and chemical facilities and even in hospitals and financial networks.

ICANN gets hacked after employees hand out private data in phishing scam

in security on (#2W4N)
ICANN has reported a major security breach. The organization, which is responsible for managing IP addresses (among other things) for the internet, was hacked late last month. Using basic spear phishing attacks, hackers managed to trick ICANN employees into giving up private credentials upon receiving emails that appeared to come from the organization itself. As a result, several internal systems have been breached.

ICANN reports that not only were internal emails accessed, but also a number of other things including an employee-only wiki page with public data, as well as the database to see who has registered a certain domain. Hackers also accessed the Centralized Zone Data System (CZDS), which allows them access to user names, addresses, emails and other contact/personal data. While certainly the most troubling of them all, the passwords stolen in the CZDS breach were encrypted and not just sitting around as plain text entries.

The organization implemented improved security measures early this year, before the attack. The group now plans to implement additional security measures.

U.S. officials previously announced plans to relinquish the federal government's control over managing the Internet to a “multistakeholder community” in March, following backlash over revelations about the National Security Agency's surveillance program. The cyber attack could fuel those wary of ICANN's transition to an international authority, who argue the move would compromise the safety of the Internet. Some opponents doubt the organization’s ability to manage the Internet for the entire globe.

Microsoft vulnerability allows remote code execution via a malformed SSL packet

Anonymous Coward
in security on (#2V1G)
Microsoft has quietly patched a serious SSL (Secure Sockets Layer) bug that allows remote code to be executed on any system configured to accept SSL transactions. That is to say, essentially, every Windows system ever made.

The bug is being discussed on Pastebin, where it is being alleged that Microsoft has seriously understated the seriousness of this bug, potentially in an effort to downplay its use as a potential zero day. The same folks are making threats about what will happen if Microsoft doesn't get around to producing patches for legacy systems as well, given how prevalent SSL technology is in today's web browsing environment.

ISPs caught stripping STARTTLS from email

in security on (#2V0A)
Those evil ISPs are at it again:
Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag—called STARTTLS—from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.

By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
Although I wouldn't trust the content of your non-PGP email to ever be secure, this could potentially lead to your email account password being transmitted in-the-clear, depending on how your email client and server are configured.
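The downgrade described above is visible to a careful client: STARTTLS is just a keyword in the server's EHLO reply, so a client can check for it before deciding whether to continue, and in particular before sending any AUTH credentials. The following is an added example (not from the EFF article or Pipedot) with constructed EHLO replies; the second one models a capability line overwritten with Xs by an inspecting middlebox. The `expect_tls` flag is an assumed client-side policy setting, not a real option of any mail software.

```python
import re

# Constructed EHLO replies (not captured from any real server).
EHLO_OK = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)
# Same server as seen through a middlebox that overwrote the STARTTLS line.
EHLO_STRIPPED = EHLO_OK.replace("250-STARTTLS", "250-XXXXXXXX")

def parse_ehlo(response: str) -> dict:
    """Map each advertised EHLO keyword (upper-cased) to its parameters.

    The first line is the greeting (RFC 5321), so it is skipped."""
    caps = {}
    for line in response.splitlines()[1:]:
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line)
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").split()
    return caps

def looks_overwritten(caps: dict) -> bool:
    """A keyword consisting only of X characters is the fingerprint of
    a capability masked in transit rather than one the server sent."""
    return any(re.fullmatch(r"X+", k) for k in caps)

def decide(response: str, expect_tls: bool = True) -> str:
    """Return the client's next step: 'starttls', 'defer' or 'plaintext'.

    expect_tls: hypothetical policy flag meaning 'this peer is known to
    support STARTTLS, so never fall back to plaintext with it'."""
    caps = parse_ehlo(response)
    if "STARTTLS" in caps:
        return "starttls"
    # No TLS offered. Refuse if TLS was expected, if the reply shows signs
    # of tampering, or if the server wants credentials (AUTH) in the clear.
    if expect_tls or looks_overwritten(caps) or "AUTH" in caps:
        return "defer"
    return "plaintext"
```

A mail client that applies `decide` never sends a password over a connection where STARTTLS was stripped; a relaying server loses only delivery speed for that peer, not confidentiality.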

How one man found his private files on the Apple Cloud without his consent

Anonymous Coward
in security on (#2TVZ)
Last week Apple was being hailed as the white knight of user privacy, while this week they are being called out for uploading files to iCloud without sufficient warning. Bad times for Apple, whose blunder was a big one, and is generating a lot of buzz. The Washington Post reports:
[Security researcher Jeffrey Paul] was not alone in either his frustration or surprise. Johns Hopkins University cryptographer Matthew D. Green tweeted his dismay after realizing that some private notes had found their way to iCloud. Bruce Schneier, another prominent cryptography expert, wrote a blog post calling the automatic saving function “both dangerous and poorly documented” by Apple.

The criticism was all the more notable because its target, Apple, had just enjoyed weeks of applause within the computer security community for releasing a bold new form of smartphone encryption capable of thwarting government searches – even when police got warrants. Yet here was an awkward flip side: Police still can gain access to files stored on cloud services, and Apple seemed determined to migrate more and more data to them.

Apple Pay Rival CurrentC Has Been Hacked

in security on (#2TT4)
TechCrunch reports:
MCX (Merchant Customer Exchange), the coalition of retailers including Walmart, Best Buy, Gap and others, who are backing a mobile payments solution CurrentC meant to rival newcomer Apple Pay, has been hacked.
CurrentC is still in its pilot phase. Only emails of the early app testers have been stolen. No payment data or other personal information. Furthermore, since the project is still in the pilot phase, many of those emails belonged to dummy accounts.

Since there might be a war coming between CurrentC, Apple Pay, Google Wallet, and perhaps the established credit card companies, it would be easy to construct a nice conspiracy theory. However: Never ascribe to malice that which is adequately explained by incompetence. And even incompetence does not describe it correctly. The developers of each of those systems on the one side are probably vastly outmatched by the black hats, who try to break it, on the other side. And the black hats just need to find one single implementation error, while the developers have to anticipate everything. In cases like this, where real money can be made, Linus's Law is definitely applicable.

What does it mean for the customers? They should be extra careful. Neither Apple, nor Google, nor MCX has much experience as a payment service provider. Their technologies are new and most certainly will have weaknesses, which is bad. But also for the courts these systems will be uncharted waters. For a duped user this might even be worse. So before using one of those shiny new and convenient payment options: Read the fine print in the contracts. Check who carries the risk and the burden of proof in case of a misuse.

wget prior to 1.16 allows for a web server to write arbitrary files on the client side

Anonymous Coward
in security on (#2TS1)
Here's a concern for most of us. Be aware that the popular program wget, in versions prior to 1.16, allows for an FTP server to write arbitrary files on the client side. Wget is commonly used in shell scripts to get files or web pages from servers for further processing locally. Wget has many other uses as well, and is an important part of much command line sorcery.

A Metasploit module is available for testing:

The disclosure is here:

Red Hat's bug is here:

POODLE: A new SSL vulnerability

in security on (#2TCV)
Forbes has a lovely if disjointed writeup; The Register is considerably more dramatic. The gist: your browser likely still allows the use of old SSL standards, which are now proven vulnerable to a lovely new bug which could, in the worst case, give an attacker your cookies. From there, your sessions are at risk, along with anything you'd prefer to keep to yourself online.

The makers of Chrome seem to be saying that the issue has been fixed in Chrome since February, but as of this morning, the Poodle Test still showed Chrome as vulnerable. Firefox expects to have a fix in version 34, due Nov 25. In the meantime, according to the Forbes article, you can open about:config and change the setting security.tls.version.min to 1. This does cause Firefox to pass the test. Microsoft and Apple have not addressed the issue as of this writing. Internet Explorer does have an option to disable SSL 3.0 in its more recent versions (naturally set to "enabled" by default), but IE6 users are out in the cold; Safari users are vulnerable and must wait for a fix from Apple.