Russian #hackers could #instantly cut #off the #internet for #half a #million people

Russian hackers have infected more than half a million routers across 54 countries with sophisticated malware that contains a killswitch to instantly cut internet access to users, security researchers have revealed.

The VPNFilter malware also allows attackers to monitor the web activity of anyone using the routers, including their passwords, potentially opening up the possibility of further hacks.

“Both the scale and capability of this operation are concerning,” William Largent, a researcher at the cybersecurity firm Talos, said in a blogpost describing the vulnerability.

“The destructive capability particularly concerns us. This shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware.”

The malware has been attributed to a group of Russian hackers, who are variously known as Sofacy Group, Fancy Bear and APT28. The group has been in operation since the mid-2000s and has previously been blamed for attacks on targets ranging from the Ukrainian military to the 2017 French elections.

Security researchers tell The Independent that the discovery of the malware highlights a broader issue of how vulnerable internet-connected infrastructure is to cyber attacks.

“No longer can we afford to keep our critical infrastructure connected to, and therefore directly accessible to, the internet,” said Eric Trexler, vice president of global governments and critical infrastructure at cybersecurity firm Forcepoint.

“VPNFilter proves that time tested military techniques such as network segregation not only makes sense, but is required if we expect industrial services to remain resilient in the face of sophisticated and persistent attacks.”

Routers found to be vulnerable to the VPNFilter malware include Linksys, MikroTik, Netgear and TP-Link, all of which are often used in homes or small offices. The researchers say they have not yet completed their research but they are making it public now to draw attention to it.

“Defending against this threat is extremely difficult due to the nature of the affected devices,” Mr Largent said.

“The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers.”

The FBI responded to the revelations by obtaining court permission to seize a web domain believed to be under the control of the Russian hackers.

“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” Assistant Attorney General for National Security John Demers said in a statement on Wednesday.

FBI Special Agent Bob Johnson added: “Although there is still much to be learned about how this particular threat initially compromises infected routers and other devices, we encourage citizens and businesses to keep their network equipment updated and to change default passwords.”

The post Russian #hackers could #instantly cut #off the #internet for #half a #million people appeared first on National Cyber Security Ventures.

Facebook #secretly deleted #some of Mark Zuckerberg’s private #messages over fears the #company could be #hacked

Want to delete that embarrassing message you just sent? WhatsApp will let you, and so will Instagram — but if you’re using Facebook, then you’re out of luck.

Unless you’re Mark Zuckerberg, the CEO and cofounder of Facebook.

TechCrunch reported Thursday that some old messages sent by Zuckerberg and senior executives have disappeared from recipients’ Facebook Messenger inboxes, proven by the original email receipts sent at the time.

The company appeared to confirm the unique arrangement, telling TechCrunch the change was made in response to an uptick in hacking.

“After Sony Pictures’ emails were hacked in 2014 we made a number of changes to protect our executives’ communications. These included limiting the retention period for Mark’s messages in Messenger. We did so in full compliance with our legal obligations to preserve messages,” the company said.

The Sony hack targeted the emails of Sony film executives, which revealed a side of Hollywood rarely seen by outsiders, and the decision to name the event as a catalyst for Facebook’s message purge indicates how troubling the incident was in Silicon Valley — and that Facebook was concerned about being hacked.

The company also raised the idea of a “retention period,” though there is no such thing for normal users. If a user long-presses a private message on Facebook, a “Delete Message” pop-up confirms that the function will “delete your copy of the message,” and the recipients’ copy will remain.

Facebook-owned Instagram has long had the option to “unsend” direct messages, while Facebook-owned WhatsApp recently launched a deletion function where unread messages can be deleted “for everyone.” A message is then displayed to all participants that content has been deleted.

But Zuckerberg’s deleted messages didn’t leave behind any such message, probably because they had already been read, many years ago.

The messages were originally sent to former employees and people outside of Facebook. According to TechCrunch, the recipients of the now-deleted messages were not informed at any stage that correspondence they received had been erased.

Zuckerberg may be the CEO of Facebook, but it’s unclear how the decision to remove senior executives’ messages would be allowed under the company’s terms of service. The terms only allow Facebook to remove content if the company believes “that it violates this Statement or our policies” or for infringing copyright.

Deleting messages quietly, and selectively, also appears to fly in the face of Facebook’s campaign to “make the world more open and transparent.” Its own policies say that the company “should publicly make available information about its purpose, plans, policies, and operations.”

Facebook appears to have not followed these policies in this instance, and it raises questions about the recipient’s right to privacy.

The news comes just weeks after the Cambridge Analytica scandal which has seen Zuckerberg admit that tens of millions of users probably had their data scraped.

Hackers could kill #patients by #attacking their #pacemakers, warns #Royal Academy of Engineering

Hackers could kill patients by attacking their pacemakers or heart pumps, the Royal Academy of Engineering has warned.

In a new report, security experts warned that health tech is vulnerable to cyberattacks which could have ‘severe consequences’ for patient safety.

The RAENG warned that the number of healthcare devices susceptible to hacking is growing, which not only poses a threat to individuals but also provides a way to gain access to entire networks.

The experts cautioned that pacemakers or wearable health monitors which are linked up to the internet or internal computer networks could also provide a gateway for hackers to plant ransomware into systems, potentially crippling the NHS or government departments.

Some US hospitals have already been infected by the Wannacry and Medjack computer viruses after hackers targeted medical devices which were not protected.

Professor Nick Jennings, a fellow of the RAENG and Vice Provost at Imperial College London said: “There is genuine harm that can be done through poor cyber security on medical devices, on future-connected homes, on autonomous vehicles, and if they are not dealt with then that will lead to harms and deaths.

New York is #quietly working to #prevent a major #cyber attack that could bring down the #financial #system

Source: National Cyber Security News

Five months before the 9/11 attacks, US Secretary of Defense Donald Rumsfeld sent a memo to one of his advisers with an ominous message.

“Cyberwar,” read the subject line.

“Please take a look at this article,” Rumsfeld wrote, “and tell me what you think I ought to do about it. Thanks.”

Attached was a 38-page paper, published seven months prior, analyzing the consequences of society’s increasing dependence on the internet.

It was April 30, 2001. Optimistic investors and frenzied tech entrepreneurs were still on a high from the dot-com boom. The World Wide Web was spreading fast.

Once America’s enemies got around to fully embracing the internet, the report predicted, it would be weaponized and turned against the homeland.

The internet would be to modern warfare what the airplane was to strategic bombers during World War I.

The paper’s three authors — two PhD graduates and the founder of a cyber defense research center — imagined the damage a hostile foreign power could inflict on the US. They warned of enemies infecting computers with malicious code, and launching mass denial of service attacks that could bring down networks critical to the functioning of the American economy.

The #Safety of U.S. #Data Could #Rest in #Georgia

Source: National Cyber Security News

At one point or another, much of the U.S.’s data passes through Georgia.

The state is a financial technology capital, with 70 percent of all payment transactions handled in Atlanta. And Georgia is a major internet access point for not only the Southeast but also the Caribbean and part of South America, says Stanton Gatewood, the state’s chief information security officer.

“We have a tremendous amount of information flowing through the state of Georgia,” he says.

But as more data is generated online, cybersecurity resources struggle to keep up. In 2017, the cybersecurity workforce gap was expected to hit 1.8 million people by 2022, a 20 percent increase since 2015. Sources say a shortage exists because cybersecurity is a relatively new academic field, so people haven’t had ample opportunity to undergo the proper training and gain necessary skills. “The crush of demand is coming at once, and academia can’t really keep up,” says Michael Farrell, co-executive director of the Georgia Institute of Technology’s Institute for Information Security & Privacy.

In the face of this issue, Georgia is working to become a cybersecurity hub, amassing an arsenal of initiatives. The U.S. Army Cyber Command is moving from Virginia to Fort Gordon army base, right next to Augusta, Georgia.

Your #phone’s #gyroscope could let #hackers guess your #PIN

Source: National Cyber Security – Produced By Gregory Evans

Security researchers have documented a way to unlock a target’s phone using readings from “zero-permission” sensors. Apps can access sensors such as the accelerometer and gyroscope without special permissions. The readings can be used to deduce your PIN.

Zero-permission sensors

Most smartphone hardware is protected against ordinary access from apps unless you’ve specially granted permission. If you’ve ever used an app that needs camera or microphone access, you’ll have seen a prompt to enable the functionality. Some sensors, including the accelerometer, barometer, proximity sensor and ambient light sensor, aren’t protected though, ostensibly because they’re non-critical and can’t intrude on your privacy.

A paper from researchers at the Nanyang Technological University (NTU) in Singapore suggests this lack of security might need to be reconsidered. As Sophos’ Naked Security blog explains, the researchers managed to correctly guess Android smartphone PIN codes with a 99.5% accuracy using data obtained from the “non-critical” sensors.

Because the sensors in modern smartphones are so accurate, the information they provide is sufficient to monitor a user’s activity. By looking at whether you’re moving, what angle you’re holding your phone at and basic environmental details, an attacker could glean enough clues to work out your PIN code.

The proof-of-concept attack demonstrated by the researchers analyses how a phone moves about as the user enters their PIN code. Because each number is in a standard location on the screen, the rotation and tilt of the phone provides pointers that identify the key being pressed. Most users will cause their phone to move in distinct ways as they reach for the top numbers and apply pressure to the screen.

Functionality over security

The researchers said that smartphone manufacturers should reconsider how they’re protecting the sensors being added to new devices. Hardware products such as fitness trackers and VR devices are dependent on the output from sensors. However, leaving physical sensors unprotected could give attackers a way to compromise phones without the owner ever suspecting.

“New technologies, such as health trackers, augmented or virtual reality, require more and more computing power and an increasing number and quality of physical sensors, to advance the user experience,” wrote the researchers. “However, the security countermeasures and the privacy protections implemented in smartphones are not improved at the same pace.”

The proof-of-concept attack could be implemented by malicious actors using a fake app. This could use machine learning techniques to accurately guess PIN codes after watching the user unlock their device several times. The only way to ensure protection is for mobile operating system vendors to place permissions around all physical sensors, giving users control over the apps that can use them.

Taking #Facebook #Quizzes Could Put You at #Risk for #Identity Theft

Source: National Cyber Security – Produced By Gregory Evans

From phishing schemes to a thief pilfering your passport, there are plenty of ways to fall victim to identity theft. And now, participating in Facebook quizzes is one of them. As ABC News reports, the seemingly harmless surveys that populate your feed could wind up providing unscrupulous hackers with the answers to your online security questions.

Popular Facebook quizzes often ask users to answer a series of sharable personal questions, ranging from the name of their pet to their birth city. Some people see them as a fun way to bond with friends, or a way to make new ones. But as one local police department in Massachusetts recently noted on Facebook, many of these queries are similar—if not identical—to security questions used by banks and other institutions.

“Please be aware of some of the posts you comment on,” the Sutton Police Department in Massachusetts wrote in a cautionary message. “The posts that ask what was your first grade teacher, who was your childhood best friend, your first car, the place you [were] born, your favorite place, your first pet, where did you go on your first flight … Those are the same questions asked when setting up accounts as security questions. You are giving out the answers to your security questions without realizing it.”

Hackers can use these questions to build a profile and hack into your accounts or open lines of credit, the department said. They could also trick you into clicking on malicious links.

Experts say it’s OK to take part in a Facebook quiz, but you should never reveal certain personal facts. Take quizzes only from respected websites, and always carefully vet ones that ask for your email address to access the poll or quiz. And while you’re at it, consider steering clear of viral memes, like this one from 2017, which asked Facebook users to name memorable concerts (yet another common security question).

How #quantum #computing could create #unbreakable #encryption and save the #future of #cybersecurity

Source: National Cyber Security – Produced By Gregory Evans

A new breakthrough in quantum computing may mean quantum key distribution (QKD) is on its way toward being a practical cybersecurity protocol.

Researchers at Duke University, The Ohio State University, and Oak Ridge National Laboratory have announced in the latest issue of Science Advances that they’ve increased the speed of QKD transmission by between five and 10 times the current rates.

Up until this latest breakthrough, which is delivering megabit/second rates, speeds were restricted to between tens and hundreds of kilobits a second.

What is quantum key distribution?

It sounds like something straight out of science fiction, but quantum key distribution is reality, and it could be protecting your data before you know it.

QKD uses photons—particles of light—to encode data in qubits, or quantum bits. The qubits are transmitted to a sender and recipient as an encryption key, and here’s where things get crazy: The transmission channels don’t need to be secure.

QKD’s whole purpose rests on quantum indeterminacy, which states that measuring something affects its original state. In the case of QKD, measuring photonic qubits affects their encoding, which allows the sender and recipient to immediately know if a hacker is trying to crack their quantum encryption key.

That means, theoretically at least, that QKD would be a perfect encryption: Any attempts to crack it would immediately be noticed and keys could be changed.

Making QKD practical for cybersecurity

The breakthrough made by the Duke research team came from being able to pack more data onto a single photon. The trick was learning to adjust the time at which the photon was released, along with adjusting the phase of the photon, causing it to be able to hold two bits of information instead of just one.

What makes the new system developed by the researchers even more amazing is that they were able to do it with nothing but commercially available telecommunication hardware, save the single-photon detector.

“With some engineering,” said Duke graduate student Nurul Taimur Islam, “we could probably fit the entire transmitter and receiver in a box as big as a computer CPU.”

Islam and his research partners say that hardware imperfections render their QKD system less than hack-proof, but their research continues to incorporate hardware shortcomings to make up for them.

“We wanted to identify every experimental flaw in the system, and include these flaws in the theory so that we could ensure our system is secure and there is no potential side-channel attack,” Islam said.

While it’s likely to take some time to emerge from the research phase and become a practical tool, this latest QKD breakthrough gives cybersecurity a leg up on cybercriminals.

As quantum computing becomes accessible, the likelihood of it being used to obliterate current forms of encryption increases, making the development of practical QKD essential. This should come as good news to anyone concerned about the current, and future, state of cybersecurity.

Here’s another #cyber #scam that could cost you #thousands

Source: National Cyber Security – Produced By Gregory Evans

In this year of horrendous cyberheists — Equifax the most prominent — you’ve probably taken at least a few precautions: changed passwords, stopped opening files and links from unknown senders, upgraded your computer security measures, maybe put a freeze on your credit reports. But if you’re […]

New #bill could let #companies #retaliate against #hackers

Source: National Cyber Security – Produced By Gregory Evans

A new proposed bill could make it legal for companies to retaliate against hackers.

Dubbed the “hack back” bill, it was introduced last week to allow businesses to hack the hackers who’ve infiltrated their computer networks.

Called the Active Cyber Defense Certainty (ACDC) Act, it amends the Computer Fraud and Abuse Act anti-hacking law so a company can take active defensive measures to access an attacker’s computer or network to identify the hackers, as well as find and destroy stolen information. It was introduced by two U.S. Representatives, Tom Graves, a Georgia Republican, and Kyrsten Sinema, an Arizona Democrat.

“I’ve heard folks say this is like the Wild West what we might be proposing, but in fact it’s not,” Graves told CNN Tech’s Samuel Burke in an interview. “We are already dealing with the Wild West and there’s a lot of outlaws out there but we don’t have a sheriff, we don’t have a deputy and all we were asking for is a neighborhood watch.”

But security experts warn the legislation could have serious consequences if passed.

According to digital forensics expert Lesley Carhart, the fundamental problem with the idea is that a majority of organizations who would want to hack back aren’t qualified to do so responsibly. It often takes a long time to correctly identify who was responsible for a hack.

“In cybercrime and in nation state attacks, there are often lots of attempts to mislead and confuse researchers analyzing the attack timeline or malware,” Carhart said. “A savvy bad guy could fairly easily emulate an innocent third party, and draw down the wrath of unskilled analysts on them.”

One way researchers place blame on a person or group for a hack is by looking at the evidence left in code. For example, researchers found similarities between the WannaCry code and malware created by Lazarus group, a hacking operation that has been linked to North Korea, earlier this year. Intelligence agencies later connected the country to the massive ransomware attack.

But it’s not uncommon for hackers to spoof that evidence and try and trick analysts into thinking it came from somewhere else, such as putting code from known hacking groups, or innocent third-parties, into their malware.

The bill says active defense measures could only be taken inside the U.S., which means it would have limited benefit. A majority of attacks are based outside the country or route their attacks through servers overseas so it looks like they’re coming from overseas, said Amanda Berlin, author of the Defensive Security Handbook.

Companies would also be required to alert the National Cyber Investigative Joint Task Force, an organization led by the FBI, before trying to hack their hackers. The agency could also review active defensive measures before they’re taken.

The FBI and other law enforcement agencies are already involved in investigating and prosecuting cybercrime. They work closely with major security firms and companies impacted by breaches. However, a relatively low number of businesses in the private sector report ransomware, a common and lucrative cyberattack.

Carhart says poking around in a hacker’s network could impede law enforcement investigations and court proceedings by potentially contaminating evidence.

The FBI defense review also introduces some thorny foreign retaliation issues, Kristen Eichensehr, assistant professor at UCLA School of Law, explained in Just Security, a national security publication.

“The FBI’s participation in the review process may trigger the U.S. government’s international legal responsibility for actions of private actors,” she wrote.

However, some firms already engage in hacking back, despite the illegality. Graves said the bill could put some parameters on that behavior.

“Word on the street is many companies are already doing some of these things,” Graves told Burke in an interview. “They know, you know, and I know that what they are doing is illegal. What we would be doing is bringing clarity to what some might already be doing and what tools might be successful.”

He also said he hopes additional tools will be developed by the security community that can protect people from hackers.

Some experts believe resources may be better spent elsewhere than through retaliation. According to Berlin, companies should invest in their existing infrastructure to prevent hacks in the first place.

“So many corporations get the basics wrong, or skip steps to spend money on some fancy blinky box that’s supposed to protect them from everything,” Berlin said.

This year’s most serious hack was not sophisticated. Equifax failed to patch a software hole despite a fix existing for months before hackers compromised data on 145.5 million people.

To keep systems secure, Berlin advised companies to remove non-essential machines from direct internet access, and patch early and often to prevent hackers from exploiting known holes. If something can’t be updated or fixed, it should be separated from other networks.

Experts warn that hacking back could also hurt innocent third-parties.

Consider Mirai, a massive botnet that turned connected home devices into an army of zombie computers controlled by one attacker. If a company was attacked by a botnet like Mirai and tried to hack back, they could be hitting an innocent family’s network connected to a security camera, instead of the real person behind the attack.

“I’m afraid it will take us back to ancient Babylon and Hammurabi code which called for an eye for an eye and a tooth for a tooth,” said Bassel Ojjeh, cofounder and CEO of security firm LigaData. “And everyone at this rate will go blind.”
