CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Hardware’ Category

Pron.com And 55 Additional Adult Websites Compromised, 26000 Emails And Passwords Posted Online

Sunday, June 12th, 2011

The notorious LulzSec hacking outfit has leaked over 26,000 email addresses and plaintext passwords stolen from the database of the adult website Pron.com. After dumping the data online, the group encouraged people to try the login credentials on Facebook and tell the victims’ family members how they had signed up for the adult site.

The reason? Just for fun. “Watch the hilarity. Tell us about it on twitter!” the hackers wrote in their announcement. Fortunately, word of the potential abuse quickly reached Facebook’s security team which forced password resets for all accounts corresponding to those email addresses.

This impressed LulzSec members, but also gave them new ideas for future attacks. “Props to Facebook security for locking all emails located on our list so fast. That’s the kind of security that earns a tip of our hat,” the hackers wrote.

“Hmm… so Facebook automatically locks every email on our list… exploitable. >:] Until next time, Facebook. Bwahahaha,” they later tweeted.

LulzSec pointed out that there were a number of .gov and .mil email addresses registered on the compromised site, as well as some 55 accounts belonging to admins of other adult portals.

Partial screenshot from the 26,000 emails and passwords txt file released online on LulzSec website:

The group didn’t stop with this leak. It also published the personal information (dox) of executive officers and other employees from vulnerability research company Endgame Systems and anti-DDoS solutions provider Prolexic Technologies.

The dox didn’t only include information about these individuals themselves, but also their spouses, children and other family members, and their respective social media accounts.

Endgame Systems is a company set up by former ISS and CIA executives with the purpose of selling offensive security solutions and zero-day vulnerability information. The HBGary Federal email leak from earlier this year revealed that the company and its management make significant efforts to keep a low profile.

Meanwhile, Prolexic Technologies has made a selling point of defending against the DDoS attacks orchestrated by Anonymous; in 2010 the company helped firms regarded by the hacktivist group as WikiLeaks enemies to protect themselves.

Credit: Softpedia.com News

Locked iPhone Allows Passwords Theft And Decryption

Friday, February 11th, 2011

German security researchers have demonstrated that passwords stored on a stolen or lost iPhone can be retrieved in around six minutes even if the device is locked.

Researchers Jens Heider and Matthias Boll from the Fraunhofer Institute for Secure Information Technology (SIT) have published a paper and a video demonstration of their findings.

To get at the file system of the locked phone, the researchers used publicly available jailbreaking tools, which do not need the passcode. They then uploaded a small script that read out the passwords stored in the device’s keychain, calling the operating system’s own keychain functions to do the decryption. This works because the key hierarchy behind iOS data protection is rooted in a device key that the OS can derive without the passcode, so any keychain item whose protection class does not require the device to be unlocked can be decrypted by code running on the jailbroken phone.

The extracted passwords corresponded to website accounts from Safari, Yahoo! Mail, Google Mail, WiFi, voicemail, MS Exchange, IMAP, LDAP, VPN and other services.

The purpose of the research was to demonstrate that a stolen or lost iPhone puts at risk not only the data stored on the device itself but also the external accounts whose credentials it holds. Furthermore, the iOS device encryption feature gives users a false sense of security: it protects the flash contents against someone who reads the chips directly, but it does not stop code running on the device from asking the OS to decrypt everything that is not tied to the passcode.

“Owners of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords,” the researchers advise. “Additionally, this should also be done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts,” they add.

As far as companies are concerned, when an iOS device is lost they should immediately revoke the VPN and wireless credentials it carried, not just reset the user’s account password. Remote wipe should be triggered as well, but it is no substitute for revocation: the wipe command only takes effect if the device comes back online, and the keychain may already have been read by then.

The two researchers judge their attack’s complexity as low, because they used tools freely available on the Internet and creating the script only required moderate programming skills.

Credit: Softpedia.com News

Remote Access Trojan Distributed Through Microsoft Update Catalog

Sunday, February 6th, 2011

Last week, ESET received a report from a customer whose NOD32 installation had prevented a Trojan from infecting a mobile user’s computer. While that is not unusual in and of itself, what was notable was the source of the infection: Microsoft’s own Update Catalog.

Microsoft not only provides updates for its own operating system and applications, but they also provide hundreds of thousands of device drivers as well. A device driver is a specialized piece of software that allows an operating system to use a particular device, like a printer or a mouse. While Microsoft does write some of these device drivers themselves, many of these are very basic and provide rudimentary functionality: It is up to each hardware manufacturer to create device drivers which take full advantage of whatever additional features they have designed. In order to ensure that customers have the best experience possible with Windows, Microsoft hosts these device drivers written by third-parties in their Update Catalog, so that when a computer running Windows checks for updates, it can download the latest device driver software for its hardware.

In this case, the device plugged into the customer’s notebook appears to have been an Energizer® DUO USB Battery Charger, an AC and USB charger for rechargeable NiMH batteries. Last year the very same Energizer DUO USB battery charger software allowed unauthorized remote system access by installing the Win32/Arurizer remote access trojan.

Preliminary analysis of the file indicated this was not a false positive, i.e., an incorrect report of a threat when none was actually present. Microsoft was notified and not only promptly removed the file from its Update Catalog, but also blocked access to the web page that used to host it through Internet Explorer’s SmartScreen Filter.

IT managers and consumers rely on Microsoft update services like Microsoft Update to detect and apply patches and security fixes for operating systems and applications, and consider it a safe and trusted source. It is important to remember, though, that although a file may be downloaded from Microsoft, it may not have been written by them, especially in the case of a device driver. A WHQL signature on a driver package attests that it passed Microsoft’s hardware compatibility tests, not that the software bundled with it was audited for malicious behaviour, so the endpoint controls applied to any third-party installer should also apply to driver packages fetched through Windows Update.

Credit: Aryeh Goretsky, ESET ThreatBlog

Windows Phone Marketplace Protection, PlayStation3 Code Signing Cracked

Friday, December 31st, 2010

A whitehat hacker has cracked the digital rights management system enforced by Microsoft on Windows Phone 7 and demonstrated a simple method which allows users to install any application from the Windows Phone Marketplace for free. Hardware hackers also claim to have recovered the private key used by Sony to authorize code to run on PlayStation 3 systems. The flaw exploited by fail0verflow was not in the algorithm but in Sony’s implementation of it: the ECDSA signing code reused a constant value where the standard requires a fresh random nonce for every signature, and two signatures made with the same nonce let anyone solve for the private key.

The Windows Phone Marketplace is Microsoft’s online store for Windows Phone 7 applications and allows users to browse, try and install free or commercial apps. A few days ago, a user posted on the XDA forums a guide with what is needed to crack the protection of the Windows Phone Marketplace.

Most of the steps in that guide were already doable to some extent except one: removing the XAP (app installer format) signature. However, it wasn’t long until someone took it up as a challenge. WPCentral reports that a developer created a simple application which allows people to download and crack any XAP file from the official marketplace.

The tool was demoed in a video but has not been publicly released, and no information about how it actually achieves the signature stripping was provided. Instead, WPCentral and the whitehat hacker contacted Microsoft and gave them the details so they can start working on a fix.

The issue is serious, because if one developer can do it, then sooner or later others will figure it out too, and not all of them will be adherents of responsible disclosure. In the end, DRM systems will always be prone to hacking: the client that has to enforce the restriction also holds everything needed to bypass it, so someone will eventually figure out a way around it.

The Windows Phone 7 community, which is still fairly limited, will probably end up having access to alternative marketplaces like Cydia for people with jailbroken iPhones.

The PS3 hackers, a different group from the Windows Phone researcher, have meanwhile demonstrated a way to run Linux on PS3 consoles irrespective of the firmware version the console is running. Knowing the private key used by Sony, they are able to sign code so that a console boots directly into Linux. Previous approaches to running the open source OS on the console were firmware specific and involved messing around with USB sticks.

The same code signing technique might also be used to run pirated or counterfeit games on a console. That isn’t the intention of the hackers even though it might turn out to be the main practical effect of the hack.

The group, fail0verflow, which also maintains the Wii’s Homebrew Channel, gave more information about the crack and a demo during the annual Chaos Communication Congress (27C3) in Berlin.

Inexpensive Equipment Tricks GSM Mobile Phones And Intercepts Calls

Monday, August 2nd, 2010

Chris Paget, a security researcher known for his work in radio communications security, demonstrated at the DEFCON hackers conference in Las Vegas how GSM phone calls can be intercepted with inexpensive equipment. The technique exploits a design weakness shared by every current GSM implementation: the handset must prove its identity to the network, but the network never proves its identity to the handset, and the base station can order the handset to turn encryption off.

Paget made a name for himself by exploiting flaws in the Radio-frequency identification (RFID) technology used in Enhanced Driver Licenses (EDLs), as well as in electronic ID and passport cards. In the past the researcher demonstrated how information stored on the RFID tags embedded in these government-issued documents can be sniffed with off-the-shelf equipment while driving around in a car.

This year he returned to the Black Hat technical security conference and showed how the same RFID tags can be read from much longer distances. With some custom-made equipment the researcher reached a range of 217 feet, smashing the previous record of 69 feet. He also claims that by cranking up the power, the device can read tags from well over 500 feet.

However, his most impressive presentation yet was at DEFCON, the largest annual hackers conference in the world, that immediately follows Black Hat. There he managed to wow the audience by intercepting mobile phone calls made by attendees in the room.

To pull off this feat he used a device dubbed an IMSI (International Mobile Subscriber Identity) catcher, which he built from cheap and readily available components. The equipment mimics an AT&T cell tower operating in the 900 MHz band. A GSM handset camps on the strongest suitable base station it can see and has no way to check that the tower is genuine, so phones in range simply connect to it; once they do, the fake tower instructs them to use no encryption (A5/0), and calls placed through it pass in the clear.

The IMSI catcher also exploits a spectrum quirk. In the U.S. the 900 MHz range is allocated to amateur radio (the 33 cm band, 902–928 MHz) and the GSM carriers operate at 850 and 1900 MHz, whereas in most other parts of the world, including Europe, 900 MHz is a GSM band. For compatibility reasons, however, many mobile phones sold in the United States are quad-band and will happily use 900 MHz, so a transmitter on a frequency that U.S. handsets still treat as GSM collides with no carrier’s licensed spectrum.

“During the talk at least 30 handsets connected to my tower; there were probably many more than this but the logs were all destroyed on-stage (I broke the USB key into several pieces [...]). Logged data included IMSI, IMEI, all numbers that were dialed, and of course audio recordings of all calls made (a total of 17 calls were connected during the talk),” the researcher writes on his blog.

Since phone call interception is illegal, the U.S. Federal Communications Commission (FCC) expressed concerns prior to the talk. There were also rumors of AT&T intending to intervene and stop the demo from happening. However, Paget enlisted the legal guidance of the Electronic Frontier Foundation (EFF) and to keep the exposure to a minimum, he tweaked the power of his device so the experiment wouldn’t affect people outside the conference room.

Credit: Softpedia.com News

Email Addresses Of More Than 114,000 iPad Owners Exposed By AT&T

Thursday, June 10th, 2010

AT&T has exposed the email addresses of more than 114,000 early adopters of Apple’s iPad, a security breach that could make some of the world’s most elite celebrities and executives vulnerable to phishing attacks, Gawker reports.

According to an article published Wednesday, the vulnerability in AT&T’s website was exploited by Goatse Security, the same grey-hat group that exposed Firefox-based attacks on IRC, wreaked havoc on Amazon sales rankings, and pioneered some of the most foul images found on the internet. As a result, email addresses for New York Times Co. CEO Janet Robinson, ABC Newswoman Diane Sawyer, film mogul Harvey Weinstein, and New York Mayor Michael Bloomberg have been exposed.

The breach also exposed the ICC-ID, or integrated circuit card identifier, for the group of 114,067, which were all early adopters of the iPad 3G. It appears the information is of little use to attackers, but Gawker said the possibility exists for it to be used to spoof individual iPads on AT&T’s network.

According to the report, Goatse obtained the data by exploiting a vulnerable web application on AT&T’s site that returned the email address matching a given ICC-ID. Nothing else was needed: the request was unauthenticated, ICC-IDs are assigned sequentially so valid ones are easy to guess from a single known one, and the only gate was a server-side check for an iPad-style User-Agent header, which the group satisfied by setting that header in their script. By bombarding the site with thousands of possible ICC-ID numbers, the group harvested the email addresses. A User-Agent check is not authentication; a lookup keyed on a predictable identifier needs either a secret the client must prove it holds or strict per-client rate limiting, and preferably both.
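The two halves of the AT&T incident as an added example, not Goatse Security’s script and not AT&T’s code: first, how cheaply valid consecutive ICC-IDs are generated (they carry a Luhn check digit, so a harvesting script cannot simply count up; it has to recompute the digit), and second, detection logic run over constructed web-server log lines that flags a client walking many ICC-IDs. The /activate path, the ICCID query parameter, the issuer prefix 890141, the IP addresses and the log lines are all assumptions for the demo.

```python
import re
from collections import defaultdict

# ICCIDs (ITU-T E.118) are up to 19 digits: an issuer prefix, a serial number and a
# Luhn check digit. Serials are handed out in order, so from one valid ICCID an
# attacker can generate its neighbours and walk an issuer's whole range.


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string; the digit is appended to `body`."""
    total = 0
    for i, ch in enumerate(reversed(body)):   # rightmost body digit is doubled
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)


def luhn_valid(iccid: str) -> bool:
    return iccid.isdigit() and len(iccid) > 1 and luhn_check_digit(iccid[:-1]) == iccid[-1]


def sequential_iccids(prefix: str, first_serial: int, count: int) -> list:
    """Consecutive 19-digit ICCIDs under one issuer prefix, each with a valid check digit."""
    width = 18 - len(prefix)
    out = []
    for serial in range(first_serial, first_serial + count):
        body = prefix + str(serial).zfill(width)
        out.append(body + luhn_check_digit(body))
    return out


def serial_of(iccid: str, prefix_len: int) -> int:
    return int(iccid[prefix_len:-1])


# Apache combined-log format. The /activate path and ICCID parameter are constructed
# for this example, not AT&T's real endpoint.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$')
ICCID_RE = re.compile(r'[?&]ICCID=(\d{18,20})')


def detect_enumeration(lines, prefix_len=6, min_distinct=5):
    """Flag client IPs that looked up more than `min_distinct` different ICCIDs.
    A real iPad registers its own SIM once; a harvesting script walks many. Returns
    {ip: {"count": n, "sequential": bool}}, where `sequential` is true when the
    serials form a contiguous run, the fingerprint of guessed rather than owned IDs.
    The User-Agent is deliberately not used: the attacker controls it."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        q = ICCID_RE.search(m["path"])
        if q and luhn_valid(q.group(1)):
            seen[m["ip"]].add(q.group(1))
    report = {}
    for ip, ids in seen.items():
        if len(ids) <= min_distinct:
            continue
        serials = sorted(serial_of(i, prefix_len) for i in ids)
        gaps = [b - a for a, b in zip(serials, serials[1:])]
        report[ip] = {"count": len(ids), "sequential": all(g == 1 for g in gaps)}
    return report


IPAD_UA = "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X) AppleWebKit/531.21.10"


def constructed_log():
    """Constructed sample: one genuine activation from 198.51.100.5 and a scripted walk
    of eight consecutive ICCIDs from 203.0.113.7, both sending the iPad User-Agent."""
    fmt = '%s - - [09/Jun/2010:10:00:%02d -0400] "GET /activate?ICCID=%s HTTP/1.1" 200 512 "-" "%s"'
    lines = [fmt % ("198.51.100.5", 1, sequential_iccids("890141", 4242000, 1)[0], IPAD_UA)]
    for i, iccid in enumerate(sequential_iccids("890141", 4242000, 8)):
        lines.append(fmt % ("203.0.113.7", 2 + i, iccid, IPAD_UA))
    return lines


if __name__ == "__main__":
    print(detect_enumeration(constructed_log()))
```

The detection keys on what the attacker cannot hide, the number and spacing of the identifiers one client asks about, rather than on the User-Agent they can set to anything. A harvester that spreads requests over many source addresses defeats the per-IP count, which is why the fix belongs in the application (tie the lookup to something only the SIM’s owner can present) and the log check is only a tripwire.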

Gawker said reporters alerted AT&T to the breach on Monday, and the hole was closed. Shortly after the article was published, the carrier acknowledged the breach, and said it would alert customers after an investigation is completed. So far, Apple has yet to comment on the report.

Other iPad users who were affected included executives at Dow Jones, Conde Nast, Viacom, Google, Amazon, Microsoft, and AOL. Top people inside some of the nation’s most sensitive organizations were also exposed, including William Eldredge, who commands the largest strategic bomber group in the US Air Force, Gawker said. It’s possible other groups exploited the same vulnerable web app to make off with a much larger cache of email addresses, Goatse said.

Credit: The Register

Olympus Distributed Cameras With Malware-Infected Cards In Japan

Wednesday, June 9th, 2010

Olympus has apologised after it distributed a digital camera in Japan that came with added malware on its internal memory card.

An estimated 1,700 Stylus Tough 6010 digital compact cameras shipped pre-pwned with autorun code designed to infect Windows PCs they were connected to, net security firm Sophos reports. The malware uses the USB autorun infection route that has become one of the most popular means of malware distribution in recent years: when the camera is plugged in, Windows reads the autorun.inf on its memory card and, depending on the AutoPlay settings, launches the program the file names.

Olympus has apologised for the problem and promised to improve its quality control procedures to prevent future outbreaks. The incident is the latest in a long line of digital devices that come pre-infected with malware. Recent examples include Samsung Wave phones shipped in Germany, TomTom satellite navigation devices and Apple Video iPods. Last month IBM handed out malware-ridden USB sticks at a security conference in Australia.

These infestations normally start with an infected PC on the production lines or testing rigs used by gadget manufacturers and their partners. Suppliers need to apply improved quality controls to minimise embarrassing digital device incidents. Meanwhile consumers are advised to disable Autorun in Windows as a guard against possible attacks: setting the NoDriveTypeAutoRun value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF disables it for every drive type, provided the Microsoft update that makes Windows honour that value (KB967715) is installed.
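A small triage parser for the file that drives this infection route, as an added example (not Sophos’s or Olympus’s code; the autorun.inf below is constructed in the style found on infected removable media, since the report does not reproduce the one from the Olympus cards). It reports what Windows would execute and whether the entry is dressed up to look like an ordinary folder.

```python
import configparser
import io
import re

# Constructed autorun.inf in the style found on infected removable media (not the file
# from the Olympus cards, which the report does not reproduce). The "Open folder" action
# and the stock folder icon from shell32.dll make the AutoPlay entry look like Explorer's
# own, while the commands launch an executable hidden in a RECYCLER directory.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Removable Disk
"""

LAUNCH_KEYS = ("open", "shellexecute")
SHELL_VERB_COMMAND = re.compile(r"shell\\[^\\]+\\command")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a dict with lower-cased keys; values are kept
    verbatim. Interpolation is off because values legitimately contain %SystemRoot%."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_file(io.StringIO(text))
    for section in cp.sections():          # [autorun] and [AutoRun] both occur in the wild
        if section.lower() == "autorun":
            return dict(cp[section])
    return {}


def triage_autorun(text: str) -> dict:
    """What would Windows run, and is the file dressed up to look like a plain folder?"""
    entries = parse_autorun(text)
    commands = [(k, v) for k, v in entries.items()
                if k in LAUNCH_KEYS or SHELL_VERB_COMMAND.fullmatch(k)]
    action = entries.get("action", "").lower()
    icon = entries.get("icon", "").lower()
    return {
        # open= / shellexecute= run via AutoPlay; shell\<verb>\command= hijacks the
        # drive's Explorer context menu and, on older Windows, the double-click.
        "executes_code": bool(commands),
        "commands": commands,
        "double_click_hijacked": "shell\\open\\command" in entries,
        "masquerades_as_folder": "open folder" in action or "shell32.dll" in icon,
    }


if __name__ == "__main__":
    print(triage_autorun(SAMPLE_AUTORUN_INF))
```

A camera or media card has no business carrying any of the launch keys; a benign autorun.inf on such a device sets at most icon= and label=, so anything that makes executes_code true is worth pulling the executable it names for analysis.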

Credit: The Register

Authorities Shut Down Romanian ATM Skimmer Manufacturing Cybercriminal Ring

Thursday, May 27th, 2010

The Romanian organized crime police has dismantled a major cybercriminal ring that specialized in manufacturing and selling ATM skimmers. Law enforcement officials descended on more than 40 locations in several cities and detained 20 suspects.

Prosecutors from the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) are investigating multiple individuals under the suspicion of being members of an organized crime group, unauthorized access to a computer system, possessing card-cloning equipment, access device fraud and distributing fake electronic-payment devices.

According to DIICOT, the criminal group operated out of Romania’s Dolj county, particularly the city of Craiova, where the ATM skimmers were assembled. However, some of the electronic components used for the devices were manufactured in Bucharest. The devices were either sold to other fraudsters or used by ring members in Italy, Germany, Sweden or Romania.

Teams of Romanian Police special forces raided 38 locations in Craiova, six in Bucharest and three in a neighboring county earlier today, taking a total number of 20 suspects back for questioning. Amongst them are the brother of a local magistrate and the son of a Ministry of Interior official.

In related news, two days ago, DIICOT also arrested five fraudsters after executing similar raids in the city of Brasov. The individuals are believed to be members of another cybercriminal group specializing in card cloning. According to prosecutors, EXEBA card magstripe reading/writing equipment was found and confiscated, along with various ATM skimming devices.

Romania, once a safe haven for cybercriminal operations, has made significant progress in combating organized crime that focuses on credit-card fraud, phishing or hacking. During the past two years alone, the Romanian DIICOT has managed to dismantle an impressive number of cybercriminal rings operating in the country and abroad. Many of these successful takedowns were the result of close collaboration with the FBI, the US Secret Service, INTERPOL and other foreign law enforcement agencies.

Credit: Softpedia.com News

Microsoft Keyboards, Media Devices Under Attack By Open-source Kit

Friday, March 26th, 2010

Security researchers on Friday unveiled an open-source device that captures the traffic of a wide variety of wireless devices, including keyboards, medical devices, and remote controls.

Keykeriki version 2 captures the entire data stream sent between wireless devices using a popular series of chips made by Norway-based Nordic Semiconductor. That includes the device addresses and the raw payload being sent between them. The open-source package was developed by researchers of Switzerland-based Dreamlab Technologies and includes complete software, firmware, and schematics for building the $100 sniffer.

Keykeriki not only allows researchers or attackers to capture the entire layer 2 frames, it also allows them to send their own unauthorized payloads. That means devices that don’t encrypt communications – or don’t encrypt them properly – can be forced to cough up sensitive communications or be forced to execute rogue commands.

At the CanSecWest conference in Vancouver, Dreamlab Senior Security Expert Thorsten Schroder demonstrated how Keykeriki could be used to attack wireless keyboards sold by Microsoft. The exploit worked because the devices “encrypt” keystrokes by XORing them with a short fixed key reused for every frame, so anyone who knows or can guess a few plaintext keystrokes recovers the key outright, and a brute force over the possible key values is trivial even without known plaintext. As a result, he was able to intercept keystrokes as they were typed and to remotely send input that executed commands on the attached computer.

“Microsoft made it easy for us because they used their own proprietary crypto,” Schroder said. “Xor is not a very proper way to secure data.”

Even when devices employ strong cryptography, Schroder said Keykeriki may still be able to remotely send unauthorized commands using a replay attack: frames captured earlier are recorded and transmitted again, and a receiver that does not check freshness (a counter or nonce bound into every frame) accepts them as new keystrokes regardless of how good the cipher is.
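Both weaknesses from the two paragraphs above, the fixed-key XOR and the replayable link, modelled in Python as an added example. This is not Dreamlab’s Keykeriki code and not the Microsoft or Nordic frame format: the frames, the one-byte key, the HMAC-based stand-in for a properly authenticated link and the link key are all constructed for the demo.

```python
import hashlib
import hmac

# --- Part 1: the fixed-key XOR "cipher" ------------------------------------------
# Model (constructed): each frame carries the keyboard's address in the clear and one
# keystroke byte XORed with a fixed key byte. ASCII stands in for HID key codes.


def xor_frames(keystrokes: bytes, key: int) -> bytes:
    """Encrypt and decrypt are the same operation for XOR with a one-byte key."""
    return bytes(b ^ key for b in keystrokes)


def key_from_known_keystroke(cipher_byte: int, plain_byte: int) -> int:
    """One known keystroke (a newline after a command, a space) gives the key outright."""
    return cipher_byte ^ plain_byte


def break_xor_by_brute_force(ciphertext: bytes) -> int:
    """No known plaintext needed: try all 256 keys and keep the one whose output
    looks most like typed text (lowercase letters and spaces)."""
    def typed_text_score(key: int) -> int:
        return sum(1 for b in ciphertext if (b ^ key) == 0x20 or 0x61 <= (b ^ key) <= 0x7A)
    return max(range(256), key=typed_text_score)


# --- Part 2: strong crypto without freshness is still replayable -----------------
# Stand-in for a soundly authenticated keyboard link: every frame is
# counter || payload || HMAC-SHA256 tag. The tag cannot be forged; whether a captured
# frame can be replayed depends only on the receiver enforcing the counter.

TAG_LEN = 16


def make_frame(link_key: bytes, counter: int, payload: bytes) -> bytes:
    body = counter.to_bytes(4, "big") + payload
    return body + hmac.new(link_key, body, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    def __init__(self, link_key: bytes, enforce_counter: bool):
        self.link_key = link_key
        self.enforce_counter = enforce_counter
        self.last_counter = -1

    def accept(self, frame: bytes):
        """Return the payload if the frame is accepted, else None."""
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.link_key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # forged or corrupted frame
        counter = int.from_bytes(body[:4], "big")
        if self.enforce_counter and counter <= self.last_counter:
            return None                      # replayed (or reordered stale) frame
        self.last_counter = max(self.last_counter, counter)
        return body[4:]


def replay_demo():
    """Deliver one captured frame legitimately, then replay it against a receiver
    that ignores the counter and one that enforces it.
    Returns (replay_accepted_by_weak, replay_accepted_by_strict)."""
    link_key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    captured = make_frame(link_key, 7, b"run calc.exe\n")
    weak, strict = Receiver(link_key, False), Receiver(link_key, True)
    weak.accept(captured)      # first delivery, accepted by both
    strict.accept(captured)
    return (weak.accept(captured) is not None, strict.accept(captured) is not None)


if __name__ == "__main__":
    ct = xor_frames(b"the quick brown fox", 0x5A)
    print(hex(break_xor_by_brute_force(ct)), replay_demo())
```

The replay half is the part worth internalising: the tag check passes on the second delivery because the frame is byte-for-byte genuine, so authenticity alone says nothing about freshness. A monotonic counter (or a nonce the receiver remembers) has to be inside the authenticated data, as it is here, otherwise the attacker simply edits it.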

The device can also be used to spot weaknesses in cryptographic communications by comparing keystrokes to corresponding ciphertext. His analysis shows wireless keyboards made by Logitech most likely use 128-bit AES encryption. But even so, it may still be possible to decipher the contents by exploiting the way the secret key is exchanged.

“We still didn’t figure out how to crack that one, but I think it’s just a matter of time,” he said.

Credit: The Register

Rootkit-based Exploits Could Eavesdrop Smartphones

Thursday, February 25th, 2010

Computer scientists at Rutgers University this week are demonstrating ways that rootkits can attack new generations of smart mobile phones. The researchers, who are presenting their findings at a mobile computing workshop in Maryland, are showing how a rootkit could cause a smartphone to eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless — all without the user’s knowledge.

“Smartphones are essentially becoming regular computers,” says Vinod Ganapathy, assistant professor of computer science in Rutgers’ School of Arts and Sciences. “They run the same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack by [malware].”

Ganapathy and computer science professor Liviu Iftode worked with three students to study the use of rootkits in smartphone operating systems. They note that while many PCs carry virtual machine monitors to help detect rootkits, most smartphones cannot support a VM monitor.

Rootkit attacks on smartphones — or upcoming tablet computers — could be more devastating because smartphone owners tend to carry their phones with them all of the time, the researchers say. This creates opportunities for potential attackers to eavesdrop, extract personal information from phone directories, or just pinpoint a user’s whereabouts by querying the phone’s GPS receiver. Smartphones also have new ways for malware to enter the system, such as through a Bluetooth radio channel or via text message.

“What we’re doing today is raising a warning flag,” Iftode says. “We’re showing that people with general computer proficiency can create rootkit malware for smartphones. The next step is to work on defenses.”

In one test, the researchers showed how a rootkit could turn on a phone’s microphone without the owner knowing it happened. In such a case, an attacker would send an invisible text message to the infected phone, telling it to place a call and turn on the microphone, such as when the phone’s owner is in a meeting and the attacker wants to eavesdrop.

In another test, they demonstrated a rootkit that responds to a text query for the phone’s location as furnished by its GPS receiver. This would enable an attacker to track the owner’s whereabouts.

In a third test, the researchers showed a rootkit turning on power-hungry capabilities — such as the Bluetooth radio and GPS receiver — to quickly drain the battery.

The researchers are careful to note they did not assess the vulnerability of specific commercial smartphones. They did their work on a phone used primarily by software developers rather than by consumers. Working within a legitimate software development environment, they deliberately inserted rootkit malware into the phone to study its potential effects.

The research was supported by the National Science Foundation and the U.S. Army.

Credit: DarkReading.com