hack

now browsing by tag

 
 

#cybersecurity | #infosec | About the “easy to hack” EU Exit: ID Document Check app

Source: National Cyber Security – Produced By Gregory Evans

About the "easy to hack" EU Exit: ID Document Check app

Today the Financial Times has published a news story about how the British Home Office’s app for EU citizens applying to live and work in the UK post-Brexit “could allow hackers to steal phone numbers, addresses and passport details.”

It certainly caught my attention. Just yesterday I used the EU Exit: ID Document Check app on my cleaning lady’s Android phone to help her apply for residency. And – to be honest – it was pretty easy to use, once I’d worked out how to change the language of her phone from Romanian to English.

Applicants scan their passport, take a selfie, and use their phone’s NFC feature to read the biometric chip embedded in their passport.

But, according to the FT, Norwegian cybersecurity researchers have discovered flaws in the Android version of the app (they didn’t test the iPhone version):

Promon, a Norwegian cybersecurity company, found major loopholes that allowed them to take control of the app and access any information that was entered into it, including the facial scans and images of passport pages.

They were also able to see information being typed into the app, such as usernames, passwords and other details, and were able to alter information being entered.

“The tools we used are typically very easily accessible and require very little technical skill to use. It means any type of bad actor could perform this attack, without sophisticated technical knowledge,” said Tom Lysemose Hansen, chief technology officer at Promon, who added that they had “experienced no resistance”.

Ok… so it sounds scary that information could be surreptitiously stolen as it is entered into the app… but how would a hacker do this?

Mr Lysemose Hansen said Promon’s researchers had focused on copying and stealing or manipulating data while it was being actively entered into, or processed by, the app. But he added that it was possible to add malicious code to the app while it was inactive that would then help steal personal information when it was subsequently being used.

Oh.

So what the researchers are saying is that if a hacker manages to compromise your smartphone or the app then it could do something malicious…

Err, isn’t that pretty much the case with all programs and computers? If a hacker already has control of the device or has already compromised the app then all bets are off…

Now, if the researchers had described a way in which an attacker might be able to remotely compromise the app or meddle with the phone then that would have been interesting. Or if it had been found that the app was sending sensitive data insecurely which could be intercepted then that would have certainly raised an eyebrow.

And yes, an app could always integrity check itself to see if it had been tampered with, but if someone is replacing your legitimate version of the app with a bogus compromised version there’s no reason why they couldn’t also tamper with the code which checks if it has been tampered with!

So, this doesn’t seem like a big deal to me.

The final word goes to the Financial Times again:

The app was tested for several months before being launched in March and there have been no reports of any security breaches. The app’s page on the Google Play Store states that it is “safe and secure” and that: “None of your personal identity information will be stored in the app or on the phone when you finish using it.”

Source link

The post #cybersecurity | #infosec | About the “easy to hack” EU Exit: ID Document Check app appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | #hackerspace | Analyst Discusses Reporting Hack Of Computer System At Indian Nuclear Reactor | Avast

Source: National Cyber Security – Produced By Gregory Evans This week a report of hackers gaining access to an Indian nuclear power plant’s computer network led to alarm, confusion, and denial before officials admitted the hack took place. The threat analyst who reported the issue experienced a unique vantage point in the middle of that […] View full post on AmIHackerProof.com

#cybersecurity | #hackerspace | Men paid $100K by Uber to hush up hack plead guilty to extortion scheme

Source: National Cyber Security – Produced By Gregory Evans

Two hackers face up to five years in prison after pleading guilty to their involvement in a scheme which saw them attempt to extort money from Uber and LinkedIn in exchange for the deletion of stolen data.

Twenty-six-year-old Brandon Charles Glover and Vasile Meacre, 23, entered guilty pleas this week at a federal court in San Jose, California in relation to the theft of records related to 57 million of Uber’s passengers and drivers.

According to the US Department of Justice, the duo stole personal information from databases on AWS cloud servers in a criminal scheme which ran from October 2016 to January 2017. They then audaciously contacted the concerned companies, claiming they had found vulnerabilities in employees’ use of the systems and demanding payment for the erasure of the confidential data.

Controversially, Uber’s security team acceded to the hackers’ demands and paid them $100,000 in Bitcoin in December 2016 to delete the data and keep the breach quiet.

After making the payments, Uber subsequently identified Glover as one of the hackers who had extorted money from them. However, rather than passing information to the authorities, Uber astonishingly met with both Glover and Meacre and convinced them to sign a confidentiality agreement with the hope that the news of the breach would not become public.

It was not until November 2017 that millions of Uber users and drivers found out their personal information had fallen into the hands of criminals.

Dara Khosrowshahi, who became CEO of Uber after the security breach and the payment to the hackers, said in November 2018 that “none of this should have happened, and I will not make excuses for it.”

At the same time, Uber’s security chief Joe Sullivan was ousted from the company alongside one other employee involved in the handling of (Read more…)

Source link

The post #cybersecurity | #hackerspace |<p> Men paid $100K by Uber to hush up hack plead guilty to extortion scheme <p> appeared first on National Cyber Security.

View full post on National Cyber Security

‘Anonymous Greece’ #Claims #Hack of #State #TV

Source: National Cyber Security – Produced By Gregory Evans

The Greek chapter of the Anonymous hacker collective has claimed to have infiltrated state broadcaster ERT, but the channel has denied there was any attack at all.

The bizarre incident allegedly occurred on Monday night when, according to Anonymous Greece, ERT’s databases were hacked in response to the state broadcaster’s decision not to cover Sunday’s Thessaloniki ‘Macedonia’ rally live.

Sixteen ERT databases containing 60 gigabytes’ worth of data were attacked, the group claimed. They even posted a screengrab of the ERT webpage during the alleged hack on their own Facebook page.

The hacking collective said that by refusing to cover the rally against the use of Macedonia in FYROM’s name in the northern Greek city, ERT “cheated the people who supported it a few years ago”.

This was a reference to the crowds of Greek citizens who flocked the ERT building in Aghia Paraskevi in the summer of 2013, when the conservative government of the time decided to pull the plug on the public broadcaster.

A few hours after Monday’s alleged hack was reported, ERT’s IT head, Nikos Michalitsis, denied the incident, according to a report by LiFO free press; “We have seen no hack in our databases in the last few days,” he was quoted as saying.

According to Michalitsis, the only hacking incident reported by his technicians in the past month was 20 days ago, when a group took control of ERT’s New Media webpage. Even then, there was no database hack, he added.

Anonymous Greece have claimed various hacks in the past, including one of classified Bank of Greece documents in September 2017, plus home foreclosure e-auctions as well as Turkish state webpages.

The post ‘Anonymous Greece’ #Claims #Hack of #State #TV appeared first on National Cyber Security .

View full post on National Cyber Security

A #Basic Z-Wave #Hack #Exposes Up To 100 #Million Smart #Home #Devices

So-called “smart” locks and alarms are proliferating across people’s homes, even though hackers have shown various weaknesses in their designs that contradict their claims to being secure.

Now benevolent hackers in the U.K. have shown just how quick and easy it is to pop open a door with an attack on one of those keyless connected locks. And, what’s more, the five-year-old flaw lies in software that’s been shipped to more than 100 million devices that are supposed to make the home smarter and more secure. Doorbells, bulbs and house alarms are amongst the myriad products from 2,400 different vendors shipping products with the flawed code. Tens of millions of smart home devices are now vulnerable to hacks that could lead to break-ins or a digital haunting, the researchers warned.

For their exploits, the researchers – Ken Munro and Andrew Tierney from Pen Test Partners – focused on the Conexis L1 Smart Door Lock, the $360 flagship product of British company Yale. As relayed to Forbes ahead of the researchers’ report, Munro and Tierney found a vulnerability in an underlying standard used by the device to handle communications between the lock and the paired device that controls the system. The flaw meant the communications could be intercepted and manipulated to make it easy for someone in the local area to steal keys and unlock the door.

The problematic standard was the Z-Wave S2. It provides a way for smart home equipment to communicate wirelessly and is an update from an old protocol, Z-Wave S0, that was vulnerable to exploits that could quickly grab those crucial keys. Indeed, they were “trivial” to decrypt, according to Pen Test Partners’ research.

Z-Wave S2 is more secure than S0. It comes with a method for sharing keys known as the Diffie-Helmann exchange; it’s a highly-regarded, tested method for ensuring that the devices shifting keys between one another are legitimate and trusted. But whilst the Yale device, purchased by Munro and Tierney just a couple of weeks ago and kept up to date, used that S2 protocol, the researchers found it was possible to quickly downgrade the device to the older, much less secure key-sharing mechanism.

During the period when a user paired their controller (such as a smartphone or smart home hub) with the device, Munro and Tierney could ensure the less-secure S0 method was used. From there, they could crack the keys and get permanent access to the Yale lock and therefore whatever building it was protecting, all without the real user’s knowledge. They believe they could carry out their attack, dubbed Z-Shave, from up to 100 meters away.

“It’s not difficult to exploit,” Munro said. “Software Defined Radio tools and a free software Z-Wave controller are all that’s needed.” In 2016, hackers created a free program designed to exploit Z-Wave devices called EZ-Wave.

Yale owner ASSA ABLOY said it understood the Z-Wave Alliance was conducting an investigation into the matter and was in close contact. ASSA ABLOY will also be conducting its own investigation, a spokesperson said, adding that it was “constantly updating and reviewing products in line with the latest technologies, standards and threats.”

No updates?

Munro told Forbes it should be possible to update many Z-Wave-based devices with a wireless update of both the app and the device. “However, it’s an issue with the Z-Wave standard, so would require a massive change by the Alliance, then an update pushed to all devices that support S2, which would likely stop them working with S0 controllers. And there are hardly any S2 controllers on the market. None in the U.K.,” he added.

Silicon Labs (SiLabs), the $4.5 billion market cap firm that owns the Z-Wave tech, admitted “a known device pairing vulnerability” existed. But it didn’t specify any upcoming updates and downplayed the severity of the attack, adding “there have been no known real-world exploits to report.”

The company referred Forbes to the first description of the S0 decryption attack, revealed way back in 2013 by SensePost, which determined the hack wasn’t “interesting” because it was limited to the timeframe of the pairing process. As a result, SiLabs said it didn’t see the S0 device pairing issue “as a serious threat in the real world” as “there is an extremely small window in which anyone could exploit the issue” during the pairing process, adding that a warning will come up if a downgrade attack happens. “S2 is the best-in-class standard for security in the smart home today, with no known vulnerabilities,” the spokesperson added, before pointing to a blog released by SiLabs Wednesday.

Munro said it would be possible to set up an automated attack that would make it more reliable. “It should be easy to set up an automated listener waiting for the pairing, then automatically grab the key,” he said.

The company said the problem existed because of a need to provide backwards compatibility, as a spokesperson explained: “The feature of S2 in question – device pairing – requires both devices have S2 to work at that level. But of course the adoption of this framework across the entire ecosystem doesn’t happen overnight. In the meantime, we do provide the end user with a warning from the controller or hub if an S0 device is on the network or if the network link has degraded to S0.”

Munro was flabbergasted at the vendor’s overall response. “After attempting responsible disclosure and getting little meaningful response, on full disclosure Z-Wave finally acknowledge that it’s been a known issue for the last few years. Internet of Things (IoT) devices are at their most vulnerable during initial set-up. S2 Security does little to solve that problem.”

advertisement:

The post A #Basic Z-Wave #Hack #Exposes Up To 100 #Million Smart #Home #Devices appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Nuit du Hack

General Cybersecurity Conference

 June 30 – July 1, 2018 | Paris, France

Cybersecurity Conference Description 

The Nuit du Hack is organized by the nonprofit organization HZV, in synergy with a security assessment company: Sysdream.

The Nuit du Hack is the largest yearly French Hacking Con. From Sat. June 30th, 09AM until the next morning, whatever human being in crave for a Pwn will join there. There will be held a public wargame ( BYOD, we provide the eth. switches + wifi ), a private, prequalified Capture The Flag tournament, lots of workshops around electronics, soft, and hack culture/gear, a job speed-dating, lulz, and even a lovely crafted chill-out room!.

advertisement:

The post Nuit du Hack appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Here Are The #Clever Means #Russia Used To #Hack The #Energy #Industry

Last July, officials from the Federal Bureau of Investigation and the Department of Homeland Security revealed that Russian hackers were behind cyber intrusions into the U.S. energy power grid. The intrusion illustrated the severe threat that hackers pose to our most critical industries – energy, finance, healthcare, manufacturing and transportation.

The DHS and FBI downplayed the danger in a joint statement: “There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”

But that might not be the end of it. Russia may be laying the groundwork for more damaging hacks, on America as well as other nations, using new cyber weapons like CrashOverride and BlackEnergy 3.

In 2015, Russia tested this on the Ukrainian capital of Kiev. These tools were specifically developed to disrupt electric power grids and it blacked out 225,000 people in the Ukraine.

One might wonder what is Russia’s end game for this kind of attack. To hurt us financially? To show us how vulnerable we are? In preparation for a more sinister attack?

Is it to punish America for anti-Russian policies? The White House expelled 60 Russians from the United States this week, joining western allies in response to Russia’s poisoning of a former Russian spy in Britain with what was a banned chemical weapon.

When DHS and FBI dissected the hackers’ tradecraft, it turned out to be very clever indeed. Mark Orlando, Chief Technology Officer for cyber services at Raytheon, broke down the particulars of why the new world of hacking works so well in America.

One of the attackers’ main strategies is to divide targets into two groups – intended targets which are the energy companies themselves, and staging targets like vendors, suppliers, even trade journals and industry websites.

Instead of going straight to the larger and better-protected targets, like a $60 billion energy company with a cyber security department, the hackers worked their way into the smaller and less secure companies’ networks like those that supply the big ones with smaller equipment. Or the local utilities that are partnered with them. Local regulators may also have good access.

There is even an Electric Utility Industry Sustainable Supply Chain Alliance that many of the large energy companies use.

When the hackers get into those systems, they use that access to gather intelligence and set traps for the larger company.

This targeting of the supply chain partners is brilliant. The manufacturer of natural gas turbines that supply a gas power plant would have great access to the plant’s systems and management, would probably have password access, and would not be questioned very hard.

‘It’s important to raise awareness,’ says Orlando. ‘These details, if taken by themselves, might not seem that impactful. When presented with the entire story, we can see it was part of a larger, sustained campaign, potentially causing a lot of damage.’

This is a long-term strategy that takes patience – just the kind of thing traditional espionage has perfected over the last century.

America seems to be getting the message. A recent survey from Raytheon and Ponemon showed that two-thirds of cyber security executives and chief information security officers in America, Europe and the Middle East believe cyber extortion, such as ransomware and data breaches, will increase in frequency and payout.

The traps themselves are pretty imaginative. Many are based in social media. No one would suspect a cute kitten video of hiding malware. But they do. And if your co-worker is a kitten-nut, they may not hesitate to download that video without thinking that it is a trap.

‘The weakness in cybersecurity are the users themselves, those that are not necessarily computer-savvy,’ says Quinn Mockler, a young cyber security researcher at Columbia Basin College in the Tri-Cities Washington near the Hanford Nuclear Reservation. ‘People overall need better awareness of cyber security. Otherwise, we will be open to constant attack.’

In one example discussed by Orlando, the attackers found a harmless-looking photo on one company’s human resources site that contained valuable information – the manufacturer and model of a certain piece of control-systems equipment.

That provided critical information on how the plant runs and set up the next phase of the attack – spear phishing – which is the use of customized, highly deceptive emails designed to deliver malware. Using resumés, curricula vitae, policy documents and other common messages, the hackers made reference to these control systems creating plausible, well-informed emails likely to fool someone into opening a malware-laced attachment.

One was an invitation to a company New Year’s Eve party.

Another common method used to infiltrate is called a watering-hole attack which plants malicious code in a place the targets trust, then waits for them to come pick it up.

In the energy-sector attack, DHS and FBI found that watering holes included trade publications and informational websites that dealt with matters specific to the energy industry. The hackers corrupted those sites and altered them to contain malicious content. The targets saw no reason to suspect anything was wrong when they visited them.

‘It’s a low-complexity, low-effort, high-yield attack,’ Orlando says. ‘With relatively little effort, you can target lots and lots of users.’ The best defense, he says, is for a company to monitor its own networks for signs that a user may have unwittingly stumbled into a watering-hole.

Much of the malware in the energy-sector attack was designed to capture user credentials, or the digital identity of someone authorized to use a target network. Credential harvesting includes usernames and passwords, hashes or a computer’s digital signature, often stolen through tricking someone at a false login page for a familiar site.

The hackers’ spear phishing emails contained documents that ordered the target’s computer to retrieve data from a server – one the hackers either owned themselves, or had commandeered. Once the hackers had the target’s credentials, they could apply techniques to reveal the password in plain text.

Requiring multiple modes of authentication to sign in, such as a thumbprint or a security token code, is the best way to thwart this type of attack.

Hackers imitated login pages themselves, planting a link that redirected users to a page whose ‘username’ and ‘password’ fields fed credentials straight to them. Orlando notes, ‘If I can come into your environment using authorized credentials, detecting that just became exponentially more difficult.’

There are two main lessons from the power-grid hack, Orlando says. First, businesses should know that small hacking attempts like suspicious emails are often part of a larger campaign. Also, they should understand that truly cyber-secure businesses look beyond their own networks. Like tracking the spread of a new Flu virus.

‘Your network isn’t just your network. It’s your network, plus your trusted partners, plus your suppliers,’ he says. ‘If you’re not mitigating risk across the entire cyber ecosystem, you’re potentially missing a very large exposure to your business.’

Since smaller companies are the hacker’s first stop on the way to the bigger targets, Orlando recommends monitoring computer networks for unusual activity, installing security patches regularly, developing a response plan to disclose breaches and limit damage, and communicate up and down the supply chain on cyber security.

Data diodes, air gaps, field programmable gate arrays – all the sophisticated approaches to cyber security that the nuclear and defense industries use – eventually need to be part of everyone’s defense.

But as Orlando summed up, the daunting new reality in modern cyber security is that a company’s cyber defenses are only as strong as the defenses of everyone connected to it.

advertisement:

The post Here Are The #Clever Means #Russia Used To #Hack The #Energy #Industry appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Hack of #Baltimore’s 911 #dispatch system was #ransomware #attack, city #officials say

The hack that forced Baltimore’s 911 dispatch system to be temporarily shut down over the weekend was a ransomware attack, city officials said Wednesday.

Such attacks — another of which occurred in Atlanta last week — take over parts of private or municipal computer networks and then demand payment, or ransom, for their release.

Frank Johnson, chief information officer in the Mayor’s Office of Information Technology, said he was not aware of any specific ransom request made by the hackers of Baltimore’s network, but federal authorities are investigating.

“The systems and the software and the files are all being investigated by the FBI right now,” Johnson said.

No personal data of city residents was compromised, he added.

Dave Fitz, an FBI spokesman, could not be reached Wednesday. On Tuesday, Fitz said the agency was aware of the breach and providing assistance to the city, but otherwise declined to comment.

The attack infiltrated a server that runs the city’s computer-aided dispatch, or CAD, system for 911 and 311 calls. The system automatically populates 911 callers’ locations on maps and dispatches the closest emergency responders there more seamlessly than is possible with manual dispatching. It also relays information to first responders in some cases and logs information for data retention and records.

The breach shut down the CAD system from Sunday morning until Monday morning, forcing the city to revert to manual dispatching during that time. While the city’s 911 calls are normally recorded online on Open Baltimore, the city dispatch logs stopped recording them at 9:54 a.m. Sunday and didn’t resume recording them again until 7:42 a.m. Monday.

Johnson said the attack was made possible after a city information technology team troubleshooting a separate communications issue with the server inadvertently changed a firewall and left a port, or a channel to the Internet, open for about 24 hours, and hackers who were likely running automated scans of networks looking for such vulnerabilities found it and gained access.

“I don’t know what else to call it but a self-inflicted wound,” Johnson said. “The bad guys did not get in on their own without the help of someone inadvertently leaving the door open.”

Once the “limited breach” was identified, city information technology crews “were able to successfully isolate the threat and ensure that no harm was done to other servers or systems” on the city’s network, Johnson said. And once “all systems were properly vetted, CAD was brought back online.”

Johnson said the city “continues to work with its federal partners to determine the source of the intrusion.”

The Baltimore hack comes amid increasing hacking of municipal systems across the country, and follows one in Atlanta last week that paralyzed that city’s online bill-payment system, with hackers demanding a $51,000 payment in bitcoin to unlock it. That attack occurred Thursday, and Atlanta employees only turned their computers back on Tuesday.

Johnson said his office works diligently to prevent cyberattacks and is looking to invest more in safeguarding its networks.

Baltimore also faced cyberattacks during the unrest in 2015, when its website was taken offline. Johnson said he was unaware of any other successful attacks on the city’s networks. He said the city would be obligated to disclose any attacks that compromised residents’ personal information, health information or crime data.

Johnson said he feels the city recovered well from the breach once it was identified, but that he did not want to go into detail about what was done lest he expose the city to more attacks.

The city has a $2.5 million contract with TriTech Software Systems to maintain its CAD software and provide “technical support services to ensure the functional integrity” of the city’s CAD system.

Scott MacDonald, TriTech’s vice president of public safety strategy, said the company worked with city IT personnel to shut down the CAD software after the attack. The breach was not related to the company’s software, MacDonald said.

“When we were alerted of it, it was reported that the server had some sort of compromise,” he said. “Our techs connected and worked with the IT staff there, and the CAD system was taken down manually, in combination between our staff and theirs, while the servers could be troubleshooted by the city.”

advertisement:

The post Hack of #Baltimore’s 911 #dispatch system was #ransomware #attack, city #officials say appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Hack Miami

General Cybersecurity Conference

 May 18 – 20, 2018 | Miami, Florida, United States

Cybersecurity Conference Description

HackMiami Conference is famous for gathering the brilliant minds in the information security business and the digital underground under one roof. This conference will showcase the greatest penetration testing tools, techniques and methodologies which are the cutting edge of the worldwide digital threatscape.

Read More….

advertisement:

The post Hack Miami appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Duke #Energy #Vendor’s #Hack May Mean #Stolen Customer #Bank Info

Nearly 375,000 Duke Energy Corp. customers may have had personal and banking information stolen in a data breach.

The country’s largest electric company said Tuesday the customers paid a bill by check or cash at 550 walk-in payment processing centers in the Carolinas, Florida, Indiana, Ohio and Kentucky since 2008.

Those payments were processed by TIO Networks, which was hacked in an attack disclosed after the company was purchased in July by PayPal Holdings Inc. Duke Energy customers make up nearly a quarter of the 1.6 million TIO Network customers potentially compromised.

The personally identifiable information that may have been stolen from Duke Energy customers includes names, addresses, electricity account numbers and banking information if a customer paid power bills by check.

TIO Networks is sending letters to notify those affected.

View full post on National Cyber Security Ventures