Tag Archive for Security

| August 6, 2016
Comments Off on Slam the Door on Hackers

Slam the Door on Hackers

Slam the Door on HackersLast year two white-hat hackers Charlie Miller and Chris Valasek, remotely compromised a Jeep Cherokee. The cybersecurity researchers used  existing functionality in the car to take control.  They were able to disable the car’s transmission and brakes, while the vehicle was in reverse, and take over the steering wheel.

Karamba SecurityThe Verge reports the researchers are back and have compromised their Jeep Cherokee, fooling the car into doing dangerous things. Things like turning the steering wheel or activating the parking brake at highway speeds. This year’s attack requires physical access to the car.

Hackers use the diagnostic port

The team used a laptop connected to the OBD II engine diagnostic port to control even more vehicle systems. The Verge says the researchers were able to update the electronic control unit. This allowed them to take control of the steering at any time. They could turn the steering wheel at any speed, activate the parking brake, or adjust the cruise control settings.

Electronic control unit

Most operations in a car have their own designated electronic control unit (ECU) controller. Some ECU’s manage things like a car’s navigation and entertainment systems. Others manage more critical systems like braking and fuel injection.

Radio are a gateway for attackersA connected car’s ECUs all operate on one network, self-contained within the vehicle. Tel Aviv start-up Karamba co-founder David Barzilai, warns. “If hackers gain access to just one of these controllers, they can get to all of them.

Harden ECU

The Israeli company hopes to sell Carwall Detroit automakers. Carwall is a tool that installs anti-hacking technology into chip-bearing auto parts before they hit the assembly line. Rgis could prevent hackers from crashing your new connected car. Mr. Barzilai told TechCrunch the startup’s technology can head off hackers at the pass. Carwall “hardens” the controllers, or small computers, within a vehicle that are externally connected.

Carwell, a tool that installs anti-hacking technologyKaramba’s Carwall is installed on the controllers, either as a retrofit or before the controllers are built into new cars. The software locks in the factory settings, and prevents any foreign code or banned behaviors from running on them. This essentially blocks a hackers ability to reach into a car’s CAN Bus, and mess with the car’s critical functions.

If indeed we are successful – if all hacks are blocked – then [you] don’t have to worry,” said Karamba’s Barzilai. “A hack that crashes your software is bad enough. A hack that crashes your car takes it to a whole new level.

Karamba’s technology is designed to monitor every bit of code that tries to run on the ECUs and to make sure it comes from legitimate sources. “We are the gatekeepers,” Mr. Barzilai told MiTechNews.

Out of stealth mode

monitor every bit of code that tries to runTechCrunch says Karamba has not yet scored a contract with top automotive suppliers that make ECU’s. They are targeting firms like Continental, Robert Bosch, Delphi Automotive, or Panasonic. But it has only just emerged from stealth and begun to shop its security software around.

YL Ventures has invested $2.5 million to fund Karamba’s growth, MiTechNews reported. Compared with the funding that some Silicon Valley security companies pick up, that’s not a huge amount. But it’s enough to move CEO Ami Dotan to Ann Arbor, where he’ll start making sales calls.

Karamba isn’t alone in attacking car security. Symantec (SYMC), the old school antivirus firm is working on auto security within its “internet of things” unit. Symantec recently released a  white paper “Building Comprehensive Security into Cars,” (PDF) detailing the many electronics and sensors that have to be protected.

rb-

Chrysler is doing a small part to reduce connected car hacking. They recently launched a bug bounty program with Bugcrowd that will pay out as much as $1,500 per bug found. On the other hand, Apple is offering a bug bounty of up to $200,000 for bugs that won’t kill you.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Cars | Tags: , , , , , , , , , , , , , , , ,
| July 30, 2016
Comments Off on More IRS Tech Troubles

More IRS Tech Troubles

More IRS Tech TroublesThe U.S. gooberment agency in charge of extorting collecting taxes from citizens, but not businesses, has more IT troubles. In the past, the IRS has had problems with hackers attacking its online systems which exposed more than 720,000 taxpayer accounts. It has had data breaches that released 101,000 taxpayer SSNs, Its internal processes are so weak that the IRS could not find 1,300 PC’s to complete the upgrade from Windows XP.

collecting taxes from citizens, but not businessThe latest report says that the IRS off-boarding processes are so porous that former employees have “unauthorized entry.” Former employees have access to workplaces, IRS computers, taxpayer information, and could allow them to misrepresent themselves to taxpayers, according to an article at Nextgov.

The article cites a new watchdog report. In the report, there was a random sampling in 2014 that said the IRS couldn’t verify it had recovered all security items from more than 66 percent of roughly 4,100 “separated” employees. The employees had left due to retirement, resignation, death, etc.

If the IRS had just checked with me, this would not have been a surprise. In 2014 wrote about this issue. Lieberman Software released the results of a survey of IT security professionals. 13% of IT Pros at the RSA Conference 2014 admitted to being able to access previous employers’ systems using their old credentials. Perhaps even more alarming is that of those able to access previous employers’ systems nearly 23% can get into their previous two employers’ systems using old credentials.

rb-

two factor authenticationThis is just another example of why passwords suck. If the tax collectors used a two-factor authentication (2FA) process, chances are must greater that ex-employees would not be able to access taxpayer’s records. Two-factor authentication is a security process where the user provides two means of identification from separate categories of credentials. 

An authentication factor is an independent category of credentials used for identity verification. The three most common categories are often described as something you know (the knowledge factor), something you have (the possession factor), and something you are (the inheritance factor). For systems with more demanding requirements for security, location and time are sometimes added as fourth and fifth factors.

One rising authentication measure is biometrics. Biometrics is the measurement and statistical analysis of people’s physical and behavioral characteristics. The technology is mainly used for identification and access control. The basic premise of biometric authentication is that everyone is unique and an individual can be identified by his or her intrinsic physical or behavioral traits. An individual’s biometric uniqueness can fulfill the inheritance factor of identify verification (“something you are”). Using biometrics in its various forms (I have written about different forms of biometrics on the Bach Seatvoice, brain waves, retina scan, behavioral biometrics, etc.) when combined with a strong password can form a 2FA.

There are drawbacks to using biometrics for authentication too.

Related articles
  • Global Two-factor Biometrics Industry to Grow at a CAGR of 22.87% to 2020 (newsmaker.com.au)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| July 9, 2016
Comments Off on Security Cam Concerns in Ann Arbor

Security Cam Concerns in Ann Arbor

Security Cam Concerns in Ann ArborNext time you are in Ann Arbor to get a bite to eat at Zingerman’s or attend a U of M football game at Michigan stadium someone may be watching you. NetworkWorld, says Ann Arbor is one of the top U.S. cities with the most unsecured security cameras. In fact, Ann Arbor ranks seventh nationally.

The report’s author, security firm Protection 1, analyzed the data from Insecam. Inseacam identifies open security cameras and Protection 1 estimates there are over 11,000 open security cameras on the Internet in the U.S. Protection 1 identified the cities with the most cameras that can be viewed by anyone online. The top 10 cities with unsecured security cameras are:

  1. open security camerasWalnut Creek, CA – 89.69 / 100,000 residents
  2. Richardson, TX – 72.74 / 100,000 residents
  3. Torrance, CA – 72.55 / 100,000 residents
  4. Newark, NJ – 38.07 / 100,000 residents
  5. Rancho Cucamonga, CA – 36.76 / 100,000 residents
  6. Corvallis, OR – 37.98 / 100,000 residents
  7. Ann Arbor, MI – 34.18 / 100,000 residents
  8. Orlando, FL – 34.05 / 100,000 residents
  9. Eau Claire, WI – 22.21 / 100,000 residents
  10. Albany, NY – 20.32 / 100,000 residents

using the manufacturer's default passwordOpen security cameras connect to the Internet via Wi-Fi or a cable. They have no password protection or are using the manufacturer’s default password. Malicious people and governments can record or broadcast our lives from unprotected open security cameras. Open cameras are also vulnerable attacks that can turn them into bots.

From a privacy perspective, the most worrisome finding is that 15% of the open cameras are in Americans’ homes. Anyone can watch these cameras if the default password is not changed to a unique password to lock down the camera.

Besides being spied on from the web, open cameras can be exploited by criminals. Cyber-criminals can force online cameras to attack other things on the Internet as part of a DDoS attack.

distributed denial-of-service (DDoS)A DDoS attack against a jewelry shop website led to the discovery of a CCTV-based botnet. A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing a denial of service for users of the targeted system. TargetTech says the flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.

Help Net Security reports that Sucuri researchers discovered the jewelry site was being attacked by a CCTV botnet made up of 25,000+ cameras from around the globe. The website was first attacked by a layer 7 attack (HTTP Flood) at 35,000 HTTP requests per second and then, when those efforts were thwarted, with 50,000 HTTP requests per second.

Sucuri researchers discovered that all the attacking IP addresses had a similar default page with the ‘DVR Components’ title. After digging some more, they found that all these devices are BusyBox based. Busybox is a GNU-based software that aims to be the smallest and simplest correct implementation of the standard Linux command-line tools.

CCTV botnet made up of 25,000+ cameras from around the globeThe compromised CCTV cameras were located around the globe:

  • 24% originated from Taiwan,
  • 12% United States,
  • 9% Indonesia,
  • 8% Mexico,
  • and elsewhere.

rb-

Unless something is done, security flaws, misconfiguration, and ignorance about the dangers of connecting unsecured devices to the IoT will keep these botnets functioning well into the future.

block or absorb malicious trafficTo protect your website from botnets and DDoS, you need to be able to block or absorb malicious traffic. Firms should talk to their hosting provider about DDoS attack protection. Can they route incoming malicious traffic through distributed caching to help filter out malicious traffic — reducing the strain on existing web servers. If not find a reputable third-party service that can help filter out malicious traffic.

DDoS defense services require a paid subscription, but often cost less than scaling up your own server capacity to deal with a DDoS attack.

Arbor Networks is one firm that provides services and devices to defend against DDoS.

Google has launched Project Shield, to use Google’s infrastructure to support free expression online by helping independent sites mitigate DDoS attack traffic.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
| June 25, 2016
Comments Off on Malware Steals Your Cash At ATM

Malware Steals Your Cash At ATM

Malware Steals Your Cash At ATMOn September 2, 1969, America’s first automatic teller machine (ATM) started dispensing cash to customers at Chemical Bank in Rockville Center, New York. Since then ATMs have been a trusted avenue for many banking transactions. However, Business Insider warns that the next time you pull cash out of the ATM, or “Tap the Mac” you should take extra care. BI reports that Internet security firm Kaspersky Lab has announced the return of a newer and more dangerous version of the Skimer malware.

TATMs hackedhe report characterizes Skimer as an especially dangerous malware that turns whole ATMs into card-skimming machines. The malware first appeared in 2009 and has been distributed at ATMs all over the world.

The majority of ATM fraud takes place through card skimming. Card skimming is usually physical, as criminals typically install an illegal card-reading device into ATMs, film people entering their PINs on keypads, and then create duplicate cards for sale and use, reports the New York Times. Fortunately, users can uncover these card skimmers because they’ll spot a problem with the card reader or notice an unusual camera.

Gas pump skimmerSkimer is particularly problematic because it is software-based. The article explains the threat is undetectable to the common ATM user since there is no physical sign of the ATM being tampered with. The Russian-based program lets criminals access an ATM remotely, install the malware, and then gather data such as PINs, card numbers, and account numbers over the course of time. A “money mule” can then insert a special magnetic stripe card into the ATM to access the stolen data, take out money, or print card numbers onto a receipt.

The attack begins by gaining access to the ATM system either through physical access or via the bank’s internal network. Then Backdoor.Win32.Skimer malware is installed which infects the core of the ATM. The ATM core is responsible for the machine’s interactions with the banking infrastructure, cash processing, and credit cards. After that, the ATM has become a skimmer. The compromise allows the attackers to withdraw all the funds in the ATM or grab the data from cards used at the ATM, including customers’ bank account numbers and PIN codes.

Kaspersky logoKaspersky is trying to help banks detect Skimer and is providing techniques for identifying affecting machines and securing their ATM networks in the future. Sergey Golovanov, a principal security researcher at Kaspersky Lab explains it is possible for banks to stop Skimer.

We have discovered the hardcoded numbers used by the malware, and we share them freely with banks … they can proactively search for them inside their processing systems, detect potentially infected ATMs and money mules, or block any attempts by attackers to activate the malware

To prevent ATM attacks, Kaspersky recommends that banks:

  • Perform regular AV scans,
  • Use whitelisting technologies,
  • Have a good device management policy,
  • Enable full-disk encryption,
  • Protect the ATM’s BIOS with a password,
  • Only allow HDD booting,
  • Isolate the ATM network from any other internal bank network.

ATM fraud continues to growDespite a way to control Skimer, ATM fraud continues to grow according to BI. A recent FICO study found the number of compromised ATMs in the U.S. surged 546% from 2014 to 2015, thanks in large part to the slow EMV migration of debit cards and ATMs. The article speculates that EMV upgrades would stop Skimer. The resistance to EMV means ATM fraud could grow even more from 2015 to 2016.

John Heggestuen, at BI Intelligence, explains that EMV cards are being rolled out with an embedded microchip for added security. The microchip carries out real-time risk assessments on a person’s card purchase activity based on the card user’s profile. The chip also generates dynamic cryptograms when the card is inserted into a payment terminal. Because these cryptograms change with every purchase, it makes it difficult for fraudsters to make counterfeit cards that can be used for in-store transactions.

EMV cardsRetail card fraud cost U.S. retailers approximately $32 billion in 2014, up from $23 billion in 2013. To solve the card fraud problem across all channels, payment companies and merchants are implementing new payment protocols that could finally help mitigate fraud. In the article, BI’s Heggestuen describes some of the other technologies that financial institutions are utilizing to reduce fraud risks.

Encryption of payments data is being widely implemented. Encryption degrades valuable data by using an algorithm to translate card numbers into new values. This makes it difficult for fraudsters to harvest the payments data for use in future transactions.EncryptionPoint-to-point encryption electronically changes sensitive payment data from the point of capture at the payments terminal all the way through to the gateway or acquirer. This makes it much more difficult for fraudsters to harvest usable data from transactions.

Point-to-point encryption
Tokenization increases transaction security. Tokenization assigns a random value to payment data, making it effectively impossible for hackers to access the sensitive data from the token itself. Tokens are often “multiuse,” meaning merchants don’t have to force consumers to re-enter their payment details. Apple Pay uses one emerging form of tokenization.Tokenization
3D Secure is an imperfect answer to user authentication online. One difficulty in fighting online fraud is that it is hard to confirm that the person using card data is actually the cardholder. 3D Secure adds a level of user authentication by requiring the customer to enter a passcode or biometric data as well as payment data to complete a transaction online.

rb-

The best recommendation to protect yourself from Skimer and other ATM threats is to use the ATMs at your bank or credit union. These ATMs are harder for thieves to install any type of skimmers or malware on because of the higher traffic and monitoring. ATMs located outside a financial institution like at a 7-11 are highly suspect.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , ,
| May 26, 2016
Comments Off on Lessons From the LinkedIn Data Breach

Lessons From the LinkedIn Data Breach

Lessons From the LinkedIn Data BreachReaders of the Bach Seat know that passwords suck and that people are awful at picking passwords. The Business Insider offers more proof. According to a recent article, the 2012 LinkedIn data breach exposed a whopping 167 million accounts that were compromised, including 117 million passwords.

The article says the passwords were hashed or encrypted so they can’t be read, but researchers at LeakedSource have been able to decrypt them. Their findings should be no surprise to Bach Seat followers. The results show just how much the same passwords get used over and over (and over and over and over and over) again.

Most often used passwords

92% of the top leaked LinkedIn passwords were identified as the top 25 most often used passwords in 2011 or 2012. Nearly half of the passwords listed were the most commonly used password in 2011, 2012, or 2013. The top 5 bad passwords were used to “secure” over 1.2 million accounts.

PasswordsThe LeakedSource data says the most popular password for LinkedIn in 2012 was 123456. That password was used by more than 750,000 accounts. Data the Bach Seat has collected says that 123456 has been the top 1 or 2 passwords every year used since 2011.

The remarkably unstealthy password ’linkedin’ is the second most used password on these breached LinkedIn accounts with 172,523 users. That is just so wrong on so many levels.

The password ‘password’ is number three with 144,458 hacked LinkedIn users relying on it to secure their professional profile. Our historical data says that ‘password’ has swapped the top ranking with ‘123456’ since 2011.

password is ‘password’12345678’ is the fourth most popular bad LinkedIn password with 94,214 users according to LeakedSource. This password has been a consistent #3 in my data.

The data for the top 49 passwords is below. You can search for your user name here  Fix your passwords.

RankPasswordFrequencyNotes
1123456753,305#2 in 2012
2linkedin172,523
3password144,458#1 In 2012
412345678994,314#6 in 2012
51234567863,769#3 in 2012
611111157,210#12 in 2011
7123456749,652#7 in 2011
8sunshine39,118#15 in 2011
9qwerty37,538#4 in 2011
1065432133,854#21 in 2011
1100000032,490#25 in 2013
12password130,981#21 in 2013
13abc12330,398#5 in 2011
14charlie28,049
15linked25,334
16maggie23,892
17michael23,075#16 in 2012
1866666622,888
19princess22,122#22 in 2013
2012312321,826#11 in 2013
21iloveyou20,251#9 in 2013
22123456789019,575#13 in 2013
23Linkedin119,441
24daniel19,184
25bailey18,805#17 in 2011
26welcome18,504
27buster18,395
28Passw0rd18,208#18 in 2011
29baseball17,858#9 in 2012
30shadow17,781#17 in 2011
3112121217,134
32hannah17,040
33monkey16,958#6 in 2011
34thomas16,789
35summer16,652
36george16,620
37harley16,275
3822222216,165
39jessica16,088
40GINGER16,040
41michelle16,024
42abcdef15,938
43sophie15,884
44jordan15,839#22 in 2012
45freedom15,793
4655555515,664
47tigger15,658
48joshua15,628
49pepper15,610

rb-

The advice remains the same as I wrote about in 2010.

Strong passwords characteristics:
• At least eight (8) alpha-numeric characters
• At least one numeric character (0-9)
• At least one lower case character (a-z)
• At least one upper case character (A-Z)
• At least one non-alphanumeric character* (~, !, @, #, $, %, ^, &, *, (, ), -, =, +, ?, [, ], {, })
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
• Are never written down or stored online.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
« Older Entries   Recent Entries »