CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Cryptography’ Category

Preventing Email Vulnerabilities In The Business World

Monday, June 13th, 2011

In the business world today, email has become one of the most heavily used means of communication. It is quick and easy, files and ideas can be transferred simply between people in other parts of the world, and it is relatively inexpensive. The downside is that it can be extremely vulnerable, and important personal and company information can be easily compromised if security standards are not up to par. There are a few areas of concern that every business person should know about.

Malicious attacks come from outside and unknown sources very easily through email. To combat this, there needs to be several layers of protection in place. If an attack is successful, data can be corrupted or lost, information can be stolen and time and money can be spent in trying to remedy the problem.

Having a robust virus scanning program and firewall system will help to limit attacks and potential viruses. With any program, the most important aspect would be that virus definitions are up to date and updates are installed as soon as they are released. Malicious programs are constantly evolving in an effort to stay ahead of the virus protection programs.

Web Sessions Over Protected Wireless Networks Can Be Hijacked With An Android App

Friday, June 3rd, 2011

A new Android app makes hijacking other people’s Facebook, Twitter, YouTube and Amazon sessions a breeze over private or open wireless networks. Called FaceNiff, the app is the work of a Polish programmer named Bartosz Ponurkiewicz and was apparently released on his website in mid-May.

“It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK),” the developer writes. FaceNiff requires root access on the phone in order to work properly. Root (admin) access is not enabled by default on most devices, but there are many tutorials and tools available to obtain it.

So far, the app can hijack sessions for FaceBook, Twitter, Youtube, Amazon and Nasza-Klasa, a Polish social networking service. It has been confirmed to work on HTC Desire CM7 (CyanogenMod 7), Original Droid/Milestone CM7, SE Xperia X10, Samsung Galaxy S (Galaxy S T-Mobile), Nexus 1 CM7, HTC HD2, LG Swift 2X, LG Optimus Black – original rom, LG Optimus 3D – original rom, Samsung Infuse.

Session hijacking, also known as side-jacking, involves attackers positioning themselves between users and websites in order to steal session cookies, the small text files stored in browsers so that services can remember authenticated users.

Session cookies can be placed into any browser to take control over the sessions they correspond to. This type of attack does not expose passwords, but does give attackers access to the victims’ accounts.

Firesheep, a Firefox extension released last year, is based on a similar concept, and its availability led major websites such as Google, Facebook and Twitter to speed up their SSL deployment plans.

At the moment, the only method to protect the transmission of session cookies over wireless networks is to encrypt them, and this can only be done on websites that support HTTPS, the combination of HTTP with SSL/TLS.

Users are strongly advised to only log into websites that support HTTPS when connected over wireless networks. The HTTPS-Everywhere extension developed by the EFF can force HTTPS automatically on major websites.
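The advice above comes down to one property of the session cookie: a cookie set without the Secure attribute is sent by the browser over plain HTTP as well, which is what a side-jacking tool on the same wireless network captures. The following added example, which is not from the article and not part of any of the tools it mentions, audits Set-Cookie headers for session cookies that lack Secure (or HttpOnly). The header lines and the name pattern used to recognise session cookies are constructed assumptions for this demo.

```python
"""Added example, not from the article: audit Set-Cookie headers for
session cookies a browser would also send over plaintext HTTP, which is
exactly what side-jacking tools capture on an unprotected wireless link.
The header lines and the session-cookie name pattern are constructed
assumptions for this demo."""
import re

# Constructed Set-Cookie lines, as a web server might emit them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",          # sent over http:// as well
    "PHPSESSID=def456; Path=/; Secure; HttpOnly",  # only ever sent over https://
    "theme=dark; Path=/",                          # not a session cookie, ignored
    "auth_token=ghi789; Path=/; Secure",           # readable by injected script
]

# Heuristic (an assumption): names that usually carry an authenticated session.
SESSION_NAME_RE = re.compile(r"sess|auth|token|login|sid", re.IGNORECASE)


def parse_set_cookie(line):
    """Split one Set-Cookie line into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(line):
    """Return the list of findings for one Set-Cookie line (empty if fine)."""
    name, _, attrs = parse_set_cookie(line)
    if not SESSION_NAME_RE.search(name):
        return []
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send it over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script injected into the page")
    return findings


def audit_headers(lines):
    """Map each problematic session cookie name to its findings."""
    report = {}
    for line in lines:
        findings = audit_cookie(line)
        if findings:
            report[parse_set_cookie(line)[0]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run against real Set-Cookie headers, the report lists the cookies that an HTTPS-only policy on the server side (and tools such as HTTPS-Everywhere on the client side) would otherwise have to compensate for.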

FaceNiff app homepage: http://faceniff.ponury.net

Credit: Softpedia.com News

U.S. Government Contractor Northrop Grumman Suspends Remote Network Access, Raising Cyber Attack Suspicions

Thursday, June 2nd, 2011

Northrop Grumman, the second largest U.S. government contractor, abruptly suspended remote access to its network last week, raising suspicions of a cyber attack.

Fox News quotes a confidential source inside the company who claims the suspension came without any advance notice on May 26.

“We went through a domain name and password reset across the entire organization. This caught even my executive management off guard and caused chaos,” the source said.

The insider also noted that such actions are normally announced in advance, which suggests the decision was the result of a very serious incident that required immediate action.

This latest revelation follows the announcement last week that Lockheed Martin, the largest US government contractor, suspended VPN access and reset all passwords following a cyber attack against its network.

In the Lockheed Martin attack, the hackers used cloned SecurID tokens to get past the company’s defenses. It’s believed the access devices were created with information stolen from RSA Security earlier this year.

RSA, a division of EMC and manufacturer of the SecurID authentication tokens, suffered a security breach in March which resulted in information related to the product being leaked.

The full implications of the breach are not known because RSA has made very little information public. The company shared more details about the incident with its customers but had them sign non-disclosure agreements first.

The SecurID tokens are used by millions of companies around the world, including most of the Fortune 500 ones. The product is also deployed across government agencies.

Before the Lockheed Martin cyber attack was revealed, L-3 Communications, another major government contractor, warned its employees about intrusion attempts that leveraged information stolen from RSA.

“We do not comment on whether or not Northrop Grumman is or has been a target for cyber intrusions. As a leader in cybersecurity, Northrop Grumman continuously monitors and proactively strengthens the security of our networks,” a Northrop spokesperson told Fox.

Credit: Softpedia.com News

Lockheed Martin Discovers Network Intrusion, Suspends Remote Access

Friday, May 27th, 2011

Lockheed Martin has reportedly suspended remote access to email and corporate apps following the discovery of a network intrusion that may be linked to the high-profile breach against RSA earlier this year.

The manufacturer of F-22 and F-35 fighter planes has reset passwords in response to a “major internal computer network problem”, according to two anonymous sources and an unnamed defence official, Reuters reports. Technology blogger Robert Cringely reports that Lockheed detected the suspected breach on Sunday. He adds that an estimated 100,000 personnel will be issued with new tokens before remote access is restored, a process likely to take at least a week.

The incident involves the use of SecurID tokens from RSA to log into accounts and may be tied to, or at least use information extracted from, an attack on RSA Security’s systems back in March. Unknown (or at least unidentified) hackers broke into the EMC division’s network and made off with unspecified information related to SecurID, possibly the seeds used to generate the one-time codes supplied by the tokens.

RSA has publicly explained how the attack might have taken place but not what was obtained. It did however warn that the breach may affect the level of protection offered by SecurID tokens, which are very widely used for two-factor authentication.

Potential hackers would still need a lot of information – including user account names and PINs – to break into corporate email or remote access systems protected by RSA SecurID. Our best guess is that Lockheed detected an attempt to access just this information and responded by suspending remote access and shutting down portions of its network as a precaution.

The data held by Lockheed would be of profound interest to agents of a hostile power. The level of sophistication of the original RSA hack strongly points towards state-sponsored hackers, so Lockheed’s response is proportionate to an all too real cyberespionage threat.

Credit: The Register

RSA Servers Breached, SecurID Two-factor Authentication Tokens Data Stolen

Friday, March 18th, 2011

Attackers breached the servers of RSA and stole information that could be used to compromise the security of two-factor authentication tokens used by 40 million employees to access sensitive corporate and government networks, the company said late Thursday.

“Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT),” RSA Executive Chairman Art Coviello said in an undated letter posted on the company’s website. “Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems.”

Neither the letter nor a filing (PDF) with the Securities and Exchange Commission identified what the stolen data was, but Coviello went on to say it “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

Among the unanswered questions was whether attackers got access to the so-called seed values that SecurID tokens use to generate the six-digit numbers that change every 60 seconds. Workers in both private industry and government agencies use the devices as an additional security measure when logging onto their employers’ networks. Requiring the employee to have physical access to the dongle thwarts hackers who may have intercepted the users’ password.

If attackers were able to access the seeds for a specific company, they might be able to generate the pseudo-random numbers of one of its tokens, allowing them to clear a crucial hurdle in breaching the company’s security.
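The dependency the two paragraphs above describe, that the seed alone determines every code a token will ever display, is easiest to see in working code. The block below is an added example, not from the article and not RSA’s code: SecurID’s algorithm is proprietary and differs, so the public RFC 6238 TOTP algorithm stands in for it. The seed is the RFC 6238 test seed, the time step is the RFC’s 30 seconds rather than the 60 seconds the article mentions, and the `verify` helper and its drift window are constructed for the demo.

```python
"""Added example, not from the article and not RSA's code: the public
RFC 6238 TOTP algorithm, used here to show the property the article
describes, that whoever holds a token's seed can compute its codes.
SecurID's own algorithm is proprietary and differs; the seed below is the
RFC 6238 test seed, and the step is the RFC's 30 seconds (the article's
tokens use 60)."""
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code for the time window containing unix_time (HMAC-SHA1, dynamic truncation)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed: bytes, submitted: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check allowing one window of clock drift either way (assumed policy)."""
    return any(
        hmac.compare_digest(totp(seed, unix_time + drift * step, step), submitted)
        for drift in range(-window, window + 1)
    )


# Constructed: the ASCII seed from RFC 6238 Appendix B, so outputs are checkable.
RFC_SEED = b"12345678901234567890"


def seed_leak_demo(seed: bytes, now: int) -> bool:
    """Anyone holding the seed produces the code the server accepts: a cloned token."""
    code_from_stolen_seed = totp(seed, now)
    return verify(seed, code_from_stolen_seed, now)


if __name__ == "__main__":
    print("code at t=59:", totp(RFC_SEED, 59))            # 287082 per RFC 6238
    print("clone accepted:", seed_leak_demo(RFC_SEED, 59))
```

Nothing in `verify` can tell the real token from a copy of the seed, which is why the other factors the article lists (user name, PIN) and the protection of the seed database on the server are what remain once seeds are exposed.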

Other possibilities include the theft of source code that gives attackers a blueprint of vulnerabilities to exploit, or the theft of private cryptographic keys that might allow them to imitate RSA servers or register new employee tokens.

“RSA is going to have to convince people that their stuff still works,” said Nick Owen, CEO of Wikid Systems, a two-factor authentication startup that competes with RSA. “That means they’ll have to come clean about the attack. They may be in a position where they have to reissue hardware tokens to their users as well.”

Owen noted that RSA’s notice came as one of the company’s websites related to the activation of software licenses was down for unexplained reasons. It’s not clear if the outage is related to the attack.

Coviello’s letter said that company security systems recently identified “an extremely sophisticated cyber attack in progress being mounted against RSA.” That description, and the reference to APT, leaves open the possibility that the attacks could have lasted days, weeks, or months – but the company didn’t say more. It also evoked memories of the attacks Google disclosed early last year, which breached security at dozens of companies and made off with highly sensitive data.

RSA sent a communication to customers urging them to follow a variety of security best-practices, including to “enforce strong password and pin policies,” to “re-educate employees on the importance of avoiding suspicious emails,” and to “harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.”

Credit: The Register

Locked iPhone Allows Passwords Theft And Decryption

Friday, February 11th, 2011

German security researchers have demonstrated that passwords stored on a stolen or lost iPhone can be retrieved in around six minutes even if the device is locked.

Researchers Jens Heider and Matthias Boll from the Fraunhofer Institute for Secure Information Technology (SIT) have published a paper and a video demonstration of their findings.

In order to get access to the phone and unlock access to the file system, the researchers used publicly available jailbreaking tools. They then uploaded a specially designed script able to scrape passwords stored in the device’s keychain. The decryption was done using OS functions.

The extracted passwords corresponded to website accounts from Safari, Yahoo! Mail, Google Mail, WiFi, voicemail, MS Exchange, IMAP, LDAP, VPN and other services.

The purpose of the research was to demonstrate that stolen or lost iPhones can pose security risks not only to data stored on the device itself, but also to external services. Furthermore, the iOS device encryption feature gives users a false sense of security, because in reality this protection mechanism can be easily bypassed.

“Owners of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords,” the researchers advise. “Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts,” they add.

As far as companies are concerned, when losing an iOS device they should consider immediately revoking VPN and wireless passwords. The remote wipe functionality might also be used.

The two researchers judge their attack’s complexity as low, because they used tools freely available on the Internet and creating the script only required moderate programming skills.

Credit: Softpedia.com News

Windows Phone Marketplace Protection, PlayStation3 Code Signing Cracked

Friday, December 31st, 2010

A whitehat hacker has cracked the digital rights management system enforced by Microsoft on Windows Phone 7 and demonstrated a simple method which allows users to install any application from the Windows Phone Marketplace for free. Hardware hackers also claim to have uncovered the private key used by Sony to authorize code to run on PlayStation 3 systems. Sony’s weak implementation of cryptography was exploited by fail0verflow to pull off the hack.

The Windows Phone Marketplace is Microsoft’s online store for Windows Phone 7 applications and allows users to browse, try and install free or commercial apps. A few days ago, a user posted on the XDA forums a guide with what is needed to crack the protection of the Windows Phone Marketplace.

Most of the steps in that guide were already doable to some extent except one – removing the XAP (app installer format) signature. However, it wasn’t long until someone took it up as a challenge. WPCentral reports that a developer created a simple application which allows people to download and crack any XAP file from the official marketplace.

The tool was demoed in a video, but has not been publicly released. Also, no information about how it actually achieves the signature stripping was provided. Instead, WPCentral and the whitehat hacker contacted Microsoft and gave them the details so they can start working on a fix.

The issue is pretty serious, because if one developer can do it, then sooner or later others will figure it out too, and not all of them might be adherents of responsible disclosure. In the end, DRM systems will always be prone to hacking. Someone will eventually figure out a way to bypass them.

The Windows Phone 7 community, which is still fairly limited, will probably end up having access to alternative marketplaces like Cydia for people with jailbroken iPhones.

Different hackers recently uncovered the hack in order to run Linux on PS3 consoles, irrespective of the firmware version the games console was running. Knowing the private key used by Sony, the hackers are able to sign code so that a console can boot directly into Linux. Previous approaches to running the open source OS on the games console were firmware specific and involved messing around with USB sticks.

The same code signing technique might also be used to run pirated or counterfeit games on a console. That isn’t the intention of the hackers even though it might turn out to be the main practical effect of the hack.

The group, fail0verflow, who also run the Wii’s Homebrew Channel, gave more information about the crack and a demo during the annual Chaos Communication Conference hacker congress in Berlin.

Cryptographers Crack Canon Original Data Security, Fake Test Photos Authenticated As Real

Thursday, December 2nd, 2010

Cryptographers have cracked software used to verify that images taken with Canon cameras haven’t been altered.

Russian password-cracking company ElcomSoft said on Tuesday that it’s able to extract the original signing key from the Canon Original Data Security Kit and use it to validate fake photos. Canon has billed the service as a way to verify the originality of an image and to confirm that global positioning coordinates, date, time, and other metadata haven’t been changed.

“The entire image verification system is proved useless,” ElcomSoft CEO Vladimir Katalov said in a statement. “If one company was able to produce fake images indistinguishable from originals, how do we know that others haven’t been doing this for years?”

The Russian company mocked the system by posting doctored photos authenticated by the system purporting to show Russian cosmonauts landing on the moon ahead of US astronauts and Joseph Stalin brandishing an iPhone.

According to ElcomSoft, the verification kit embeds cryptographic data into every image taken with a compatible Canon camera that’s supposed to verify the picture’s authenticity and originality. The kit’s demise joins a long list of other cracks by ElcomSoft that extract everything from iPhone 4 passwords to Wi-Fi encryption keys.

Credit: The Register, Elcomsoft.com

Microsoft Keyboards, Media Devices Under Attack By Open-source Kit

Friday, March 26th, 2010

Security researchers on Friday unveiled an open-source device that captures the traffic of a wide variety of wireless devices, including keyboards, medical devices, and remote controls.

Keykeriki version 2 captures the entire data stream sent between wireless devices using a popular series of chips made by Norway-based Nordic Semiconductor. That includes the device addresses and the raw payload being sent between them. The open-source package was developed by researchers of Switzerland-based Dreamlab Technologies and includes complete software, firmware, and schematics for building the $100 sniffer.

Keykeriki not only allows researchers or attackers to capture entire layer 2 frames, it also allows them to send their own unauthorized payloads. That means devices that don’t encrypt communications – or don’t encrypt them properly – can be forced to cough up sensitive communications or to execute rogue commands.

At the CanSecWest conference in Vancouver, Dreamlab Senior Security Expert Thorsten Schroder demonstrated how Keykeriki could be used to attack wireless keyboards sold by Microsoft. The exploit worked because communications in the devices are protected by a weak form of encryption known as xor, which is trivial to break. As a result, he was able to intercept keyboard strokes as they were typed and to remotely send input that executed commands on the attached computer.

“Microsoft made it easy for us because they used their own proprietary crypto,” Schroder said. “Xor is not a very proper way to secure data.”

Even when devices employ strong cryptography, Schroder said Keykeriki may still be able to remotely send unauthorized commands using a technique known as a replay attack, in which commands sent previously are recorded and then sent again.
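Two distinct weaknesses are described in the paragraphs above: a repeating-key XOR “cipher” that falls to a single frame of known content, and a link with no freshness check that accepts a recorded frame a second time. The block below is an added example, not from the article and not Keykeriki or any vendor’s code; it models both on a toy frame format and ends with a receiver that rejects tampered and replayed frames using a counter plus an HMAC tag. The frame layout, key sizes and payloads are constructed for illustration.

```python
"""Added example, not from the article and not Keykeriki code: a toy model
of the two weaknesses the talk describes. A repeating-key XOR "cipher"
falls to a single known plaintext, and a link with no freshness check
accepts recorded frames again. The receiver at the end rejects both
tampered and replayed frames using a counter and an HMAC tag. Frame
layout, key sizes and payloads are constructed for illustration only."""
import hashlib
import hmac
import struct


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the kind of home-grown 'crypto' the talk criticises."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(known_plain: bytes, cipher: bytes, key_len: int) -> bytes:
    """One frame with known content (e.g. a predictable keystroke) yields the key."""
    return bytes(known_plain[i] ^ cipher[i] for i in range(key_len))


TAG_LEN = 8  # truncated HMAC-SHA256 tag, sized for a small radio frame (assumption)


def seal(mac_key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: frame = 4-byte counter | payload | tag over both."""
    body = struct.pack(">I", counter) + payload
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class ReplayGuard:
    """Receiver that accepts a frame only if its tag is valid and its counter
    is strictly greater than the last accepted one."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.last_counter = -1

    def accept(self, frame: bytes):
        """Return the payload if the frame is fresh and authentic, else None."""
        if len(frame) < 4 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # forged or corrupted
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return None                      # replayed (or reordered) frame
        self.last_counter = counter
        return body[4:]


if __name__ == "__main__":
    # Constructed: 2-byte key and a keystroke payload.
    weak_key = b"\x5a\x13"
    cipher = xor_bytes(b"password", weak_key)
    print("key recovered from one known frame:", recover_xor_key(b"pa", cipher, 2) == weak_key)

    link_key = b"constructed-link-key"
    guard = ReplayGuard(link_key)
    frame = seal(link_key, 1, b"KEY_ENTER")
    print("first delivery:", guard.accept(frame))
    print("replayed frame:", guard.accept(frame))
```

The second half is the point Schroder makes about strong ciphers: confidentiality alone does not stop a recorded command from being resent, so the receiver needs a freshness check (here a monotonic counter under the MAC) in addition to encryption.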

The device can also be used to spot weaknesses in cryptographic communications by comparing keystrokes to corresponding ciphertext. His analysis shows wireless keyboards made by Logitech most likely use 128-bit AES encryption. But even so, it may still be possible to decipher the contents by exploiting the way the secret key is exchanged.

“We still didn’t figure out how to crack that one, but I think it’s just a matter of time,” he said.

Credit: The Register

Argos Expose Unencrypted Credit Card Data In Email Receipts

Saturday, March 6th, 2010

Catalogue firm Argos has been criticised for an email security breach that exposed customers’ credit card details and CCV security numbers. The breach was discovered by UK Argos customer Tony Graham and first reported by PC Pro. Graham’s card details were recently fraudulently misused, but this incident has not been linked to the Argos email slip-up.

The exposure came to light after an Argos customer who checked his order confirmation email found that his credit card number and security code were buried in the HTML source of the message. The slip-up meant that any miscreants who intercepted email confirmation messages from Argos would be able to harvest payment card details – if they spotted where the numbers were stashed.

It’s unclear how long the exposure problem lasted, or how many Argos customers were affected.

In a statement, Argos said it had already corrected the fault and was working with privacy watchdogs at the Information Commissioner’s Office in dealing with the fallout from the breach.

Argos takes the security of its customers’ data extremely seriously, is fully aware of the requirements of the Data Protection Act and has taken remedial action in relation to this matter.

We are in contact with the Information Commissioner’s Office. We have made them aware of our approach to customer communications and will continue to work closely with them to ensure we are taking all appropriate actions.

Ed Rowley, product manager EMEA at content security firm M86 Security, said the whole incident might easily have been prevented. “It is incomprehensible that this credit card data was sent out in an unencrypted format – even if the sensitive information was not visible in the main body it should have been protected from being sent out,” he said.

“A good email content filtering product could have enforced encryption or blocked this data from being sent out at all by Argos, using standard or default email security rules.

“This case highlights the need to filter both inbound and outbound email in order to guard against malware coming in but also to block sensitive information from leaking out. It’s astonishing that larger companies are not using these well established security tools and procedures.”
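The outbound filtering Rowley describes needs one property the Argos case illustrates: the scanner must look at the whole message source, not only the text a recipient sees, because the card data was hidden in the HTML. The block below is an added example, not from the article and not M86’s or anyone’s product; it scans every text part of a message for Luhn-valid card numbers and blocks delivery when one is found. The message is constructed, 4111 1111 1111 1111 is the well-known Luhn-valid test card number, and the 16-digit order number is a constructed non-card number that shows the Luhn check avoiding a false positive.

```python
"""Added example, not from the article and not M86's product: an outbound
mail check of the kind Rowley describes. It scans every text part of a
message, HTML source included, for payment card numbers (Luhn-valid digit
runs) and decides whether the message may leave. The message below is
constructed; 4111 1111 1111 1111 is a well-known Luhn-valid test number,
and the 16-digit order number is a constructed non-card number."""
import re
from email import message_from_string

CONSTRUCTED_EMAIL = """\
From: orders@example.invalid
To: customer@example.invalid
Subject: Order confirmation
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thank you for your order #1234567890123456.</p>
<!-- nothing visible below, but it is in the source -->
<input type="hidden" name="card" value="4111 1111 1111 1111">
<input type="hidden" name="cvv" value="123">
</body></html>
"""

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return the Luhn-valid card-number candidates found in text, separators removed."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the first six and last four digits for the audit log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def outbound_policy(raw_message: str) -> dict:
    """Decide what the gateway does with one outbound message."""
    msg = message_from_string(raw_message)
    pans = []
    for part in msg.walk():                      # handles single and multipart messages
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        pans.extend(find_pans(text))
    if pans:
        return {"action": "block", "matches": [mask(p) for p in pans]}
    return {"action": "deliver", "matches": []}


if __name__ == "__main__":
    print(outbound_policy(CONSTRUCTED_EMAIL))
```

The policy returns only masked numbers so that the gateway’s own log does not become a second copy of the card data; a production rule would also quarantine the message and alert the sender rather than silently dropping it.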

Credit: The Register