Monday, September 28, 2015

IoT - 4 Questions you should ask yourself



Here is a 5th one

Remember the philosophical discussion about "WANTS and NEEDS".
Similarly, we should first ask the question:

5. Is there a compelling reason for me to enable this IoT stuff?


From the Article:

  1. Who is responsible for patching your smart home – from the cars you drive, the entertainment you watch, the food you store and prepare?
  2. Is it possible to have seamless mutual authentication between users and devices and devices and devices?
  3. What happens if the connections between your smart home and your smart grid stop working and turn against you?
  4. What if the seller of your dream house refuses to give up the keys to the built-in smart devices inside?



For More Info:
http://www.darkreading.com/endpoint/4-iot-cybersecurity-issues-you-never-thought-about-/a/d-id/1322330?_mc=RSS_DR_EDT

Friday, September 18, 2015

D-Link adds additional stuff to their open source firmware. The stuff happens to be their "private key" and the "pass phrases".



Apparently someone did not understand PKI-101.
Guard your private key. It is the one and only important key to the kingdom that it is supposed to protect.
Good news is that the cert expired on 09/03.


From the Article
Private keys used to sign software published by D-Link were found in the company’s open source firmware packages. While it’s unknown whether the keys were used by malicious third parties, the possibility exists that they could have been used by a hacker to sign malware, making it much easier to execute attacks.

The reader found not only the private keys, but also passphrases needed to sign the software. 

The D-Link cert was published on Feb. 27 and was exposed more than six months before it expired Sept. 3.

For More Info
https://threatpost.com/d-link-accidentally-leaks-private-code-signing-keys/114727/
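The practical lesson from the D-Link story is that key material and passphrases should be caught before a package is published, not by a reader afterwards. Here is an added example of such a pre-publication check (written for this page; it is not D-Link's code and is not from the Threatpost article): it walks a firmware source tree and flags PEM private keys, binary keystores and stored signing passphrases. The directory layout, file names, the passphrase heuristic and the sample tree are all constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

# PEM armour for private keys (PKCS#1, PKCS#8, EC, DSA, OpenSSH, encrypted PKCS#8).
PEM_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# Binary keystores that carry private keys and should never ship in a source package.
KEYSTORE_SUFFIXES = {".p12", ".pfx", ".jks"}
# Assignment lines that look like a stored signing passphrase (heuristic, constructed here).
PASSPHRASE_RE = re.compile(
    r"^\s*(?:export\s+)?(?:pass(?:phrase|word|wd)?|pass_phrase|signing_pass)\s*[:=]\s*\S+",
    re.IGNORECASE | re.MULTILINE,
)


def scan_tree(root):
    """Walk a firmware/source tree; return sorted (posix_relative_path, finding) tuples."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in KEYSTORE_SUFFIXES:
            findings.append((rel, "binary keystore (PKCS#12/JKS)"))
            continue
        text = path.read_text(errors="replace")
        if PEM_KEY_RE.search(text):
            # PKCS#8 "ENCRYPTED PRIVATE KEY" header or legacy "Proc-Type: 4,ENCRYPTED" line
            encrypted = "ENCRYPTED" in text
            kind = "PEM private key (encrypted)" if encrypted else "PEM private key (unencrypted)"
            findings.append((rel, kind))
        if PASSPHRASE_RE.search(text):
            findings.append((rel, "stored passphrase"))
    return sorted(findings)


def release_gate(findings):
    """True only when the package is clean; a CI job would fail the build otherwise."""
    return not findings


def build_sample_tree():
    """Constructed stand-in for a firmware source drop; returns its root path."""
    root = Path(tempfile.mkdtemp(prefix="fw-"))
    (root / "src").mkdir()
    (root / "tools" / "sign").mkdir(parents=True)
    (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    # Placeholder key body: not a real key, just the armour the scanner looks for.
    (root / "tools" / "sign" / "codesign.key").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "PLACEHOLDER-NOT-A-REAL-KEY\n"
        "-----END RSA PRIVATE KEY-----\n"
    )
    (root / "tools" / "sign" / "release.pfx").write_bytes(b"\x30\x82PLACEHOLDER")
    # The passphrase sitting next to the key is the second thing the reader found.
    (root / "tools" / "sign" / "sign.sh").write_text(
        "#!/bin/sh\n"
        "PASSPHRASE=constructed-example-passphrase\n"
        "openssl dgst -sha256 -sign codesign.key -passin env:PASSPHRASE -out fw.sig fw.bin\n"
    )
    return root


if __name__ == "__main__":
    results = scan_tree(build_sample_tree())
    for rel, finding in results:
        print(f"{finding:32} {rel}")
    print("safe to publish:", release_gate(results))
```

Wire `release_gate` into the packaging job so that a tree with any finding is never uploaded. An encrypted key is still reported, because, as the article shows, the passphrase tends to ship right beside it.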

Great gift for your spouse or your boss - A Spy watch that can guess what they type.



Sometime in the future we may have malware that will do that for free.


From the article:

Using the watch's built-in motion sensors, more specifically data from the accelerometer and gyroscope, researchers were able to create a 3D map of the user's hand movements while typing on a keyboard.

The researchers then created two algorithms, one for detecting what keys were being pressed, and one for guessing what word was typed.

The first algorithm recorded the places where the smartwatch's sensors would detect a dip in movement, considering this spot as a keystroke, and then created a heatmap of common spots where the user would press down.

The second algorithm took this data, and analyzing the pauses between smartwatch (left hand) keystrokes, it was able to detect how many letters were pressed with the right hand, based on the user's regular keystroke frequency.

Based on a simple dictionary lookup, the algorithm then managed to reliably reproduce what words were typed on the keyboard.


For more info:
http://news.softpedia.com/news/creepy-smartwatch-spies-what-you-type-on-a-keyboard-491604.shtml

Thursday, September 17, 2015

ERNW found five software flaws in FireEye's Malware Protection System - And FireEye is upset about it?



FireEye sending Cease-and-Desist Notice?


From the Article:

The kerfuffle between FireEye and ERNW, a consultancy in Germany, started after an ERNW researcher found five software flaws in FireEye's Malware Protection System (MPS) earlier this year.


In a face-to-face meeting in Las Vegas on Aug. 5, Rey wrote that it appeared the two companies had reached a consensus on a draft of the disclosure document.

But about a day later, FireEye sent ERNW a cease-and-desist letter, which focused on the disclosure of the company's intellectual property, Rey wrote. The letter contended that no consensus had been reached between the parties the day before.

Before ERNW responded in writing, FireEye obtained an injunction on Aug. 13 from a district court in Hamburg.


FireEye issued a notification describing the vulnerabilities, which it patched some time ago, on Sept. 8. Although it is customary to include a timeline from when a vendor is notified to when patches were issued, FireEye's notice doesn't contain one.




For More Info
http://www.pcworld.com/article/2983144/fireeye-takes-security-firm-to-court-over-vulnerability-disclosure.html

Encryption is useful (to the bad guys too).



What can be used can also be abused.



From the article:

As more advertisers and ad networks start enabling HTTPS, criminals are beginning to make their activities harder to trace by serving their malicious ads over HTTPS, encrypting their tracks, according to security experts.


“HTTPS makes it a lot harder to be able to get this 'creative ID' as it is inside an encrypted session between the victimized client and the publisher giving the advertisement content,” Klijnsma said.


That’s the reason why a recent malvertising campaign that hit eBay and the Drudge Report, among others, was able to go unnoticed for three weeks. As Segura noted in his technical analysis of the campaign, the criminals avoided detection “by encrypting traffic” using HTTPS.

What’s worse, there’s no easy solution to this. One possibility, Klijnsma argued, is to limit ads containing dynamic scripts such as JavaScript, which are the preferred method to deliver malicious code. 

For more info:
http://motherboard.vice.com/en_uk/read/the-downside-of-encrypting-everything-virus-filled-ads-are-harder-to-track

Wednesday, September 16, 2015

ATM Theft Scenario: You insert your ATM card and your card is not returned (it happens) but it will be given to the next guy who accesses the ATM (very bad). What if this is deliberately done by malware (named "Suceful") to steal your card (+ data) and give it to the bad guy?



Fact is Stranger than fiction.


From the article:

This particular sample can read all the credit/debit card track data and data from the card's chip (if the card has one), retain or eject the inserted card on demand, and can be controlled by the attackers via the ATM's PIN pad.

The malware is also capable of disabling the ATM's door, alarm and proximity sensors to prevent malicious activities from being detected.

While it's impossible for ATM users to spot a compromised machine, they are advised to be suspicious of machines that retain their cards. Giving a call to the bank if that happens is always a good idea, preferably while keeping an eye on the ATM in order to spot attempts by suspicious individuals to retrieve the card from the machine.


For more info:
http://www.net-security.org/malware_news.php?id=3098

Android 5 phones (other than Lollipop) - (Lock-screen) Password can be easily bypassed by typing any long string.



This is a plain and simple failure in app testing.
However, it has been fixed, so go ahead and upgrade.



From the article:

Unless they've been fully patched to version 5.1.1 including last week's security updates.

Yes, by typing in too many characters, you can kill off the security mechanism and gain full access to the device, even if its filesystem is encrypted – miscreants can exploit this to run any application, or enable developer access to the device.


The attack only works if the gadget has a lock-screen password set, the researchers note: the attack doesn't work against pattern or PIN setups.




For more info:
http://www.theregister.co.uk/2015/09/16/google_patches_android_lockscreen_bypass_nexus/

Gone with the wind - I am not talking about the movie, I am talking about our Privacy.



Welcome to the privacy-free world where everything about you can be known.
AND CAN BE USED AGAINST YOU.

However, it might help us as an alibi to prove that we were present at a certain site at a certain time.

Then again, who cares about privacy? Gmail scans your emails. Facebook has your entire history. Even after we know they will hand over this information to the government,
both are top products.


From the Article:

The study found 74% of shops are using technology to track customers when they are in the store, with a quarter of consumers believing it contributes to a positive shopping experience


When explaining how they use data, retailers were divided on what the term big data meant. Some admitted they were collecting data that may not currently be relevant with the hope they could “think of a use for it later”.

However, consumers are more comfortable with some data collection models than others, reacting better to opt-in models such as loyalty cards (trading privacy for freebies?) as opposed to a model where they do not have a choice, such as monitoring footfall or facial recognition.




For More information:

Tuesday, September 15, 2015

Password Issues - In a single picture





Cisco Routers - Attackers can modify the Firmware (if you don't change the default password)




To be honest, this is not Cisco's fault (at least not fully).
Simple rule - Always change the vendor-provided password (if possible, to a complex one).



From the Article:
“The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret backdoor password. Each of the modules is enabled via the HTTP protocol (not HTTPS), using specifically crafted TCP packets sent to the router's interface.”

The researchers say that Cisco 1841, 2811, and 3825 routers are known to be targeted in this kind of attack 

The modified IOS image that the attackers are using in these attacks survives a reboot of the router, but additional modules the attackers load live in volatile memory and will be lost after a reboot. The malicious implant modifies a function to point to the malware and overwrites a few other functions, as well. 


For more info:

Monday, September 14, 2015

Ashley Madison - Moral of the story- Even the best security tool will not save you if you implement it badly.


All security folks know this.

A secure product will not work if you configure it wrongly.

Ashley Madison is another sad story that failed to understand this.



From the Article:

The blunders are so monumental that the researchers have already deciphered more than 11 million of the passwords in the past 10 days.

Data that was designed to require decades or at least years to crack was instead recovered in a matter of a week or two.

The bcrypt configuration used by Ashley Madison was set to a "cost" of 12, meaning it put each password through 2^12, or 4,096, rounds of an extremely taxing hash function. If the setting was a nearly impenetrable vault preventing the wholesale leak of passwords, the programming errors—which both involve an MD5-generated variable the programmers called $loginkey—were the equivalent of stashing the key in a padlock-secured box in plain sight of that vault.





For more info:
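To make the "key in a padlock-secured box" concrete, here is an added example (written for this page; it is not Ashley Madison's code and is not from the Ars Technica article) that measures the work an attacker spends with and without a fast MD5-derived $loginkey sitting next to a cost-12 store, and shows the hardened alternative. Assumptions, all labelled in the code: bcrypt at cost 12 is stood in for by PBKDF2-HMAC-SHA256 with 2^12 iterations (same per-guess work factor, not the same algorithm); the $loginkey construction (MD5 of the lowercased username and password) is a simplified reconstruction, since the page does not give the exact formula; the username, password, salt and wordlist are constructed.

```python
import hashlib
import hmac
import itertools
import secrets

BCRYPT_COST = 12
ROUNDS = 2 ** BCRYPT_COST  # 4,096 rounds per guess, the cost the article quotes


def slow_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for bcrypt at cost 12 (assumption: PBKDF2-HMAC-SHA256 with 2^12
    iterations; not bcrypt itself, but the per-guess work factor is the point)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def vulnerable_loginkey(username: str, password: str) -> str:
    """Simplified reconstruction of the $loginkey blunder: one fast MD5 over the
    lowercased username and password (the page does not give the exact formula)."""
    return hashlib.md5(f"{username.lower()}:{password.lower()}".encode()).hexdigest()


def hardened_loginkey() -> str:
    """Fix: an opaque random token the server stores next to the account.
    It is derived from nothing the user knows, so leaking it reveals no password."""
    return secrets.token_hex(32)


def case_variants(word: str):
    """Every upper/lower casing of the alphabetic characters of word."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return ("".join(t) for t in itertools.product(*options))


def crack_loginkey(username: str, loginkey: str, wordlist):
    """Dictionary pass over the fast token; returns (lowercase password or None, MD5 calls)."""
    calls = 0
    for word in wordlist:
        calls += 1
        if hmac.compare_digest(vulnerable_loginkey(username, word), loginkey):
            return word.lower(), calls
    return None, calls


def rounds_to_recover(candidates, target: bytes, salt: bytes):
    """Feed candidates through the slow hash; return (match or None, rounds spent)."""
    rounds = 0
    for cand in candidates:
        rounds += ROUNDS
        if hmac.compare_digest(slow_hash(cand, salt), target):
            return cand, rounds
    return None, rounds


def compare_attack_cost(username: str, true_password: str, wordlist):
    """Slow-hash rounds needed to recover true_password with and without the leaked token."""
    salt = b"constructed-salt"
    target = slow_hash(true_password, salt)

    # Without the $loginkey: every dictionary word in every casing goes through the slow hash.
    all_casings = itertools.chain.from_iterable(case_variants(w) for w in wordlist)
    found_slow, rounds_slow = rounds_to_recover(all_casings, target, salt)

    # With the $loginkey: MD5 hands over the lowercase password; only its casings remain.
    lower_pw, md5_calls = crack_loginkey(username, vulnerable_loginkey(username, true_password), wordlist)
    if lower_pw is None:
        found_fast, rounds_fast = None, 0
    else:
        found_fast, rounds_fast = rounds_to_recover(case_variants(lower_pw), target, salt)

    return {
        "recovered_without_leak": found_slow,
        "recovered_with_leak": found_fast,
        "md5_calls": md5_calls,
        "slow_rounds_without_leak": rounds_slow,
        "slow_rounds_with_leak": rounds_fast,
    }


if __name__ == "__main__":
    # Constructed wordlist and password; the token only helps when the password is dictionary-based.
    report = compare_attack_cost("alice", "S3cret", ["letmein", "password", "qwerty", "s3cret"])
    for key, value in report.items():
        print(f"{key}: {value}")
    print("hardened token gives up nothing:", crack_loginkey("alice", hardened_loginkey(), ["s3cret"]))
```

The report counts work in slow-hash rounds. Without the token the attacker pushes every casing of every dictionary word through the expensive hash; with it, a few MD5 calls yield the lowercase password and only the casings of that one word remain, so the cost-12 setting buys almost nothing. The hardened token is random and stored server-side, so it can be leaked without saying anything about the password, which is the design the article's "vault" metaphor calls for.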

Tuesday, September 8, 2015

TSA compatible locks are not useful any more - Time to use regular locks


Oh yeah, the article also talks about the backdoor in phone switches and the NSA backdoor, all of which are now exposed and can be exploited.



From the Article:

A TSA agent and the Washington Post revealed the secret. All it takes to duplicate a physical key is a photograph, since it is the pattern of the teeth, not the key itself, that tells you how to open the lock.

Any phone switch sold in the US must include the ability to efficiently tap a large number of calls.  And since the US represents such a major market, this means virtually every phone switch sold worldwide contains “lawful intercept” functionality.  


The final backdoor, Dual_EC_DRBG, was surreptitiously developed by the NSA.  This trap-doored pseudo-"random" number generator enables the NSA (or anyone who knows a secret number) to efficiently decrypt communication.  Yet as many cryptographers were suspicious of both Dual_EC's poor performance and "backdoor-capable" nature, the NSA also needed to use its market power to encourage adoption, including reportedly bribing RSA Data Security $10M to make it the default pRNG.

All three backdoors introduced significant problems.  TSA locks can be opened by anyone despite their promise of security, the CALEA interface has been used for nation-state spying, and the biggest potential victim of the Dual_EC backdoor is probably the US government.


For More info

PayPal users should read this



The scary part is that the vulnerability can even allow a 2-factor authentication bypass.

Moral of the story: If the building has problems in the foundation then, no matter what you add, you can still have issues.



From the article:

The researcher says the applications are plagued by a vulnerability that can be exploited to access such accounts through repeated login attempts that leverage valid session cookies.


The bug bounty hunter says the method can be used to bypass not only the identity verification mechanism, but also the 2FA system.

The issue was reported to PayPal in April, but it remains unfixed. According to Vulnerability Lab, the company confirmed the existence of the flaw, but downplayed its impact.

This is not the first time PayPal and Vulnerability Lab have argued over the impact of a mobile API flaw. In October 2014, the German security firm publicly disclosed a similar security bypass issue after PayPal refused to acknowledge its existence for more than a year. Ultimately, the payment processor confirmed the vulnerability, patched it, and promised to reward the researchers.


For more info:

Thursday, September 3, 2015

Carbanak backdoor - Sounds like something you want to install at home. Nah, it is a financial APT (meaning bad malware).



Now it has an upgrade.
The silver lining is that it targets banks rather than end users.
Let's hope that the banks have sensible (not expensive) security.


From the article:

The attacks begin with spearphishing emails that have rigged attachments containing the Carbanak backdoor. Once on a compromised machine, Carbanak gives attackers remote control of the machine and the criminals used that as a foothold on the bank’s network and then stole money in several different ways.

Researchers at CSIS in Denmark say they’ve seen new variants of Carbanak that have some unique characteristics. The folder in which Carbanak installs itself and the filename it uses are both static. The malware injects itself into the svchost.exe process as a way to hide itself.

“As several other advanced data stealing threats, Carbanak utilizes plugins. The plugins are installed using Carbanak’s own protocol.”


Carbanak is what we define as a financial APT. In its nature, it is very targeted and it is being deployed in small numbers. In this way, it tends to slide under the radar.

For more info
https://threatpost.com/new-versions-of-carbanak-banking-malware-seen-hitting-targets-in-u-s-and-europe/114522

Watch out Android users - Ransomware disguised as a video player. Nothing new, except that it is hard to block this one.



It also uses XMPP for communication, making it hard to detect.




From the article:

These infections begin with the victim downloading a phony application from a third-party app store, in this case a supposed Flash Player app.

Victims, with this strain, see a message purporting to be from the National Security Agency with threatening language about copyright violations and threats of fines being tripled if not paid within 48 hours of notification.

The Ransomware uses an instant messaging protocol called XMPP, or Extensible Messaging and Presence Protocol, to receive commands and communicate with the command and control server


“Using XMPP makes it much more difficult for security devices to trace the malware C&C traffic as well as distinguish it from other legitimate XMPP traffic,” Check Point said in a report published Wednesday. “It also makes it impossible to block traffic by monitoring for suspicious URLs.”


“As XMPP supports TLS, the communication between the client and the server is also natively encrypted.” 


For More info:

Free additional feature called "Spying on You" (my nickname for the service) without your permission - In Windows 7 and 8



I am not surprised; if you are, then you are not from this planet.


From the article

Back in April, Microsoft released a non-security update for both Windows 7 and 8. This update, 3022345, created a new Windows service called the Diagnostics Tracking service.

The concern with the new Diagnostic Tracking service is much the same as with Windows 10's tracking: it's not clear what's being sent, and there are concerns that it can't be readily controlled.

(good news) Additionally, most or all of the traffic appears to be contingent on participating in the CEIP in the first place. If the CEIP is disabled, it appears that little or no traffic gets sent.


For More info:
http://arstechnica.com/information-technology/2015/08/microsoft-accused-of-adding-spy-features-to-windows-7-8/

Tuesday, September 1, 2015

AppLock - Nice catchy name for a "lock application". The only problem is, it only hides the files.




They called it APPLOCK, not "APP-ENCRYPT", so they don't have to protect your files.


From the Article:

A researcher is claiming that the app, which is supposed to securely store photos, videos and other apps, doesn’t really use encryption to do so; it simply hides the files elsewhere on the phone, where an attacker could theoretically read them.

The second issue, the weak lock mechanism vulnerability, allows an attacker with root access to the device to either see the PIN code associated with an app, or change it.

That’s perhaps the most dangerous as it could give an attacker full control of the app. By exploiting its password reset function, an attacker could potentially reset a user’s PIN code and “gain full access to all functionalities of the application without any kind of special permission.”



For more info:




Here is what Google play says about the app

============
Most downloaded app lock in Play Store
★ #1 App lock in over 50 countries.
★ Over 100 Million users, supporting 24 languages.
☞ AppLock can lock SMS, Contacts, Gmail, Facebook, Gallery, Market, Settings, Calls and any app you choose, with abundant options, protecting your privacy.
☞ AppLock can hide pictures and videos, AppLock empowers you to control photo and video access. Selected pictures vanish from your photo gallery, and stay locked behind an easy-to-use PIN pad. With AppLock, only you can see your hidden pictures. Privacy made easy!

★ With the help of App Lock, you may:
Never worry about a friend borrowing your phone to play games again!
Never worry about a workmate getting your phone to have a look again!

Never worry about private data in some apps being read by someone again!
Never worry about your kids changing the phone's settings, paying for games, or messing it up again!

===========