Thursday, July 02, 2015
Action video camera vendor GoPro has announced that it is riding into the Tour de France with a promotional video to celebrate being named the official camera of the world's largest annual sporting event, one with a worldwide television audience of some 4 billion people, but not before the BBC reported how GoPro cameras could be used to spy on their owners. And it gets worse for GoPro, as now Pen Test Partners has also explained in a blog posting how the GoPro Studio editing software was making update requests over an unencrypted HTTP connection, which could enable an attacker on public Wi-Fi to inject a fake, malicious update in place of the genuine download. "It's fairly easy to add malicious code into pre-existing binaries and therefore we could abuse this to introduce backdoors to the victim whilst also letting them update their GoPro Studio software at the same time" the post warns.
Friday, June 26, 2015
According to the Japan Real Time blog, Toshiba is working on a 'foolproof' quantum-cryptography system that industry analysts claim cannot be breached. Immediately this raises a number of red flags, not least the use of words such as unbreakable in relation to any encryption system, next-generation or not, and the fact that the analysts who are apparently claiming this remain unnamed in the report. SCMagazineUK.com decided to take a closer look. The Toshiba system, which starts a two-year third-party data testing phase in August, uses photons delivered via custom fibre optic cables which are not connected to the internet. According to the unnamed analysts in the report, the one-time key is the same size as the encrypted data, so decoding without the correct key would be impossible as there will be no repeated use of the pattern. It may sound fantastical, but quantum cryptography really isn't anything new, nor has it proven to be as unbreakable as the boffins would have us believe.
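The "key is the same size as the data, and the pattern is never reused" claim above is the textbook one-time pad, and its security rests entirely on that "never reused" clause. The following is an added illustration, not code from the report or from Toshiba: it implements the XOR pad and then shows what an eavesdropper gets the moment one key is used for two messages. The two messages and the key are constructed for the example.

```python
import os


def otp_encrypt(plaintext, key):
    """XOR each message byte with the matching key byte; key must not be shorter."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt  # XOR is its own inverse, so decryption is the same operation


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def generate_key(length):
    """A fresh, uniformly random key per message is the whole point of a one-time pad."""
    return os.urandom(length)


def two_time_pad_leak(c1, c2):
    """Eavesdropper view when one key encrypts two messages: c1 ^ c2 == m1 ^ m2.

    The key cancels out, leaving the XOR of the two plaintexts, which is the
    'repeated use of the pattern' that destroys the unbreakability claim."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1, c2, known_plaintext):
    """Knowing (or guessing) one message, the reused key gives up the other one."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_plaintext)


def demo(key=None):
    # Constructed messages of equal length; a realistic attacker would be
    # guessing the predictable parts of one message and reading the other.
    m1 = b"TRANSFER 100 EUR"
    m2 = b"TRANSFER 900 EUR"
    key = key or generate_key(len(m1))
    c1 = otp_encrypt(m1, key)
    c2 = otp_encrypt(m2, key)  # same key twice: this is the mistake
    return {
        "roundtrip_ok": otp_decrypt(c1, key) == m1,
        "leak_equals_m1_xor_m2": two_time_pad_leak(c1, c2) == xor_bytes(m1, m2),
        "m2_recovered_from_m1": recover_other_plaintext(c1, c2, m1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run it and the XOR of the two ciphertexts reveals exactly which bytes differ between the two messages, without the attacker ever touching the key; with a fresh key per message (the only legitimate way to use a pad) that XOR is just random noise.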
Wednesday, June 24, 2015
Earlier this month, security outfit FireEye's 'FireEye as a Service' researchers out in Singapore discovered and reported on a phishing campaign that was found to be exploiting a zero-day vulnerability in Adobe Flash Player (CVE-2015-3113). That campaign has been well and truly active for a while now, with attacking emails including links to compromised sites serving up benign content if you are lucky and a malicious version of the Adobe Flash Player complete with the exploit code if you are not. I'm with Brian Krebs who, just the other week, wrote about how he has "spent the better part of the last month running a little experiment to see how much I would miss Adobe's buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much." C'mon folks, be honest now, do you really need Flash, do you really use it and would you really miss it? Let's all do the decent thing and shoot this sick beyond belief monstrosity in the head...
A couple of decades ago, in another life, I wrote a little script which would capture keystrokes and then store that data within the 'white space' of an image file. It was pretty crude, but it was also twenty years ago and to be honest nobody was really looking for stuff which was effectively hidden in plain sight that way. That way being the use of something called steganography, from the Greek steganos which means covered and graphie which means writing; so literally covered writing. I used it to good effect during my period as an explorer of networks belonging to other people, most notably when sysadmins would stay at my apartment and log in to their networks in order to do a bit of housekeeping and, unknown to them at the time, give me root. Things have moved on a lot since then, and steganography has become a much more complex tool being deployed by cybercriminals.
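The post does not say what the 'white space' of that image file was; the crudest version of the trick, and the one this added example assumes, is simply appending data after the end-of-image marker, because viewers stop reading there and the picture still displays. This is not the author's script, it is an added forensic check: it builds a tiny valid PNG, shows the append, and then walks the PNG chunk list the way a scanner would, reporting any bytes that follow the IEND chunk along with any chunk whose CRC does not match. All sample data is constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Build one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png():
    """Constructed 1x1 8-bit greyscale PNG used here as the clean sample file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def append_payload(png, payload):
    """The crude hiding trick assumed in the lead-in: data tacked on after IEND."""
    return png + payload


def scan_png(data):
    """Walk the chunk list and report trailing bytes after IEND and CRC mismatches.

    Returns {"chunks": [...types...], "bad_crc": [...types...], "trailing": bytes}.
    A well-formed, untouched PNG has an empty bad_crc list and no trailing bytes."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks, bad_crc = [], []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        name = ctype.decode("latin-1")
        chunks.append(name)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            bad_crc.append(name)
        pos += 12 + length
        if ctype == b"IEND":
            break  # the decoder stops here; anything beyond is not part of the image
    return {"chunks": chunks, "bad_crc": bad_crc, "trailing": data[pos:]}


if __name__ == "__main__":
    clean = make_minimal_png()
    suspect = append_payload(clean, b"hidden message (constructed)")
    for label, blob in (("clean", clean), ("suspect", suspect)):
        report = scan_png(blob)
        print(f"{label}: chunks={report['chunks']} bad_crc={report['bad_crc']} "
              f"trailing={len(report['trailing'])} bytes")
```

The check is cheap enough to run across every image leaving a network share or attached to outbound mail; trailing data after IEND is never needed for a legitimate PNG, so any non-zero count is worth a look, and a bad CRC on an ancillary chunk is the usual sign that someone overwrote chunk bodies without recomputing the checksum.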
Tuesday, June 23, 2015
The Electronic Frontier Foundation (EFF) has released the latest version of its 'Who Has Your Back?' report and accompanying infographic, and it makes for interesting reading. Once you appreciate that what the EFF is talking about here is how good, measured as a response to a handful of yes or no questions, a bunch of leading tech companies are at protecting our data from government snooping requests. It's not about privacy in the larger scheme of things, just from that particular angle. That said, let's look at how the EFF came to the conclusions that can be seen in the accompanying graphic. Essentially the organisations concerned were asked, on a yes or no basis remember, if they fulfilled five criteria when it comes to privacy expectations regarding government snooping in the post-Snowden era: follows industry-accepted best practice, informs users about government data access demands, discloses data retention policy, discloses government content removal requests and if it has pro-user public policy which opposes encryption back doors. Here's the broad breakdown.
Thursday, June 18, 2015
Researchers at NowSecure have uncovered a vulnerability in the stock keyboard that is pre-installed on 600 million Samsung mobile devices, including the new Galaxy S6, that can apparently enable a remote arbitrary code execution attack. According to the researcher Ryan Welton, the SwiftKey IME keyboard update mechanism can be manipulated by a remote attacker capable of controlling user network traffic, and can then execute code as a privileged system user on the target phone. As far as we can tell, the threat itself only actually applies to users of Samsung mobile devices which run a stock keyboard version of the SwiftKey keyboard, rather than the app which is available for download from the Apple or Google Play stores (this appears to be confirmed by the developers). Which begs the question, if the standalone download is secure what went wrong with the Samsung IME keyboard development process?
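Both the GoPro Studio update channel above and the SwiftKey IME update mechanism here fail in the same way: a client fetches an update over a path an on-path attacker controls and installs whatever comes back. The example below is added here and is not GoPro's, Samsung's or SwiftKey's code; it shows the two checks a defender would insist on, refusing plaintext HTTP and verifying the downloaded bytes against a signed manifest before anything is installed. Everything in it is constructed: the product name, URLs, binaries and the HMAC key, which stands in for a vendor signing key (a real client would ship only a public verification key, for example Ed25519, and the vendor would keep the private half).

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Stand-in for the vendor's signing key (constructed for this example; a real
# client would hold a public verification key and never the signing secret).
VENDOR_KEY = b"example-vendor-signing-key"


def sign_manifest(manifest, key=VENDOR_KEY):
    """Vendor side: MAC over a canonical JSON encoding of the update manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest, signature, key=VENDOR_KEY):
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def check_update(update_url, manifest, signature, payload):
    """Client side. Returns (ok, reason); ok is True only if every check passes."""
    if urlparse(update_url).scheme != "https":
        return False, "refusing non-HTTPS update URL"
    if not verify_manifest(manifest, signature):
        return False, "manifest signature invalid"
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "payload digest does not match signed manifest"
    return True, "update verified"


# Constructed sample data: the genuine installer and one with extra code spliced in.
GENUINE_BINARY = b"MZ... genuine installer bytes (constructed) ..."
TAMPERED_BINARY = GENUINE_BINARY + b"\n;; extra code an on-path attacker appended"
MANIFEST = {
    "product": "example-editor",  # placeholder, not a real product identifier
    "version": "0.0-example",
    "sha256": hashlib.sha256(GENUINE_BINARY).hexdigest(),
}
SIGNATURE = sign_manifest(MANIFEST)


def scenarios():
    """The cases an on-path attacker on open Wi-Fi can force a client through."""
    https = "https://updates.example.invalid/manifest"
    http = "http://updates.example.invalid/manifest"
    # Attacker rewrites the hash to match the swapped binary but cannot re-sign.
    forged_manifest = dict(MANIFEST, sha256=hashlib.sha256(TAMPERED_BINARY).hexdigest())
    return {
        "plaintext_http": check_update(http, MANIFEST, SIGNATURE, GENUINE_BINARY),
        "swapped_binary": check_update(https, MANIFEST, SIGNATURE, TAMPERED_BINARY),
        "forged_manifest": check_update(https, forged_manifest, SIGNATURE, TAMPERED_BINARY),
        "genuine": check_update(https, MANIFEST, SIGNATURE, GENUINE_BINARY),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:16s} {'PASS' if ok else 'BLOCK'}: {reason}")
```

The order of the checks matters: the transport check is first so a downgrade to HTTP is refused before any bytes are trusted, and the manifest signature is checked before the payload digest so a manifest the attacker has rewritten never gets to vouch for the payload. Note that TLS alone is not enough either; the signed manifest is what protects against a compromised mirror or CDN.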
The news that LastPass network security has been compromised is, of course, a serious issue. That the company being breached was one that provides a password-management service ratchets up the seriousness by a notch – or ten. So why am I, someone who has built a career on writing about IT security, not pulling my hair out about it? Well beyond the fact that I have none to tug at, the LastPass “breach” isn’t as big a deal for some of us as it is for others.
Log management is, without a doubt, one of the most boring subjects to set before even the most hardcore of IT admins. Seriously, just the mention of analysing event logs is enough to send a geek to sleep. Unless, that is, the geek happens to understand that these logs have the power, if not always to stop a potential security breach before it starts, then certainly to stop it before it succeeds. Think of log management and the alerting capabilities that come attached as being the Agatha Christie of the server room, or perhaps more appropriately the Hercule Poirot: this is where data turns detective!
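Here is the "stop it before it succeeds" part in practice, as an added example that is not from the post: a few constructed sshd-style log lines run through a small detector that raises one alert when a single source racks up a threshold of failed logins inside a sliding window, and a second, more urgent one if that same source then gets an accepted login. The log format, hostnames and addresses are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth log lines in an sshd-like format (addresses are documentation ranges).
SAMPLE_LOG = """\
2015-06-18T09:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.42 port 51022 ssh2
2015-06-18T09:00:04 sshd[1203]: Failed password for root from 203.0.113.42 port 51030 ssh2
2015-06-18T09:00:09 sshd[1205]: Failed password for root from 203.0.113.42 port 51041 ssh2
2015-06-18T09:00:12 sshd[1207]: Accepted publickey for alice from 198.51.100.7 port 40110 ssh2
2015-06-18T09:00:15 sshd[1209]: Failed password for root from 203.0.113.42 port 51050 ssh2
2015-06-18T09:00:21 sshd[1211]: Failed password for bob from 203.0.113.42 port 51063 ssh2
2015-06-18T09:00:30 sshd[1213]: Accepted password for bob from 203.0.113.42 port 51071 ssh2
2015-06-18T09:00:33 sshd[1215]: Failed password for root from 198.51.100.7 port 40200 ssh2
2015-06-18T09:02:00 sshd[1217]: Received disconnect from 198.51.100.7 port 40200
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line):
    """Return a dict for login outcome lines, None for everything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "outcome": m.group("outcome"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window detector.

    Alert 'brute_force' once per source IP when `threshold` failures land within
    `window_seconds`; alert 'success_after_brute_force' when a flagged IP later
    gets an Accepted login, which is the moment a breach is about to succeed."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, ip = ev["ts"], ev["ip"]
        if ev["outcome"] == "Failed":
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that have aged out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "brute_force", "ip": ip,
                               "at": ts.isoformat(), "failures": len(q)})
        elif ip in flagged:  # Accepted login from a source already flagged
            alerts.append({"kind": "success_after_brute_force", "ip": ip,
                           "at": ts.isoformat(), "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging someone for: a burst of failures is background noise on any internet-facing host, but a success from the same source within minutes is the detective's "aha" moment, and the account named in it is the one to lock first.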
Saturday, June 13, 2015
Speaking to TrustedReviews this week, Alexander Moiseev, Kaspersky Europe's Managing Director, has warned that your car is at serious risk of being hacked. He is, however, wrong and I'm going to explain why. Kaspersky Lab and Mr Moiseev may well insist that the threats to the automotive industry are very real, and very much here and now; and while I don't dispute that there are concerns I do think there is a very real element of Mandy Rice-Davies Applies about the entire debate. With the demise, albeit a long and drawn out death, of desktop AntiVirus as the golden goose of the IT security industry, it should come as no real surprise when that industry looks for alternative areas to occupy. Transport is one of the much hyped, I would argue over-hyped, areas currently doing the rounds. The more the 'threat' is talked up, the more there will be a demand from consumers for 'protection' and vehicle manufacturers will turn to vendors to supply it. That is a far cry from my campervan being hackable now, or ever, as a matter of fact.
As news breaks that a second breach at the federal Office of Personnel Management may have seen another set of data, potentially more valuable than that accessed during the first, Philip Lieberman, President of privileged identity management specialists Lieberman Software, has been talking about what went wrong. Here's what he had to say on the matter: The apparent US Government policy with regard to the protection of commercial enterprises attacked by nation states and others has been benign neglect (perhaps a shoulder to cry on). Current law and government policy forbid commercial enterprises to take any action against the attacker and handle the matter via the rule of law and in the appropriate jurisdiction. Since there has been little to no recourse possible, commercial enterprises have been attacked and damaged with little government assistance. We are told to build better walls and operate in a defensive mode even though both our government and governments of others have cyber weapons against which commercial enterprises have no effective defence. Using technologies such as air gaps, segmented networks, encryption and privileged identity management can reduce the damage and scope of damage caused by these weapons. So there is no real defence, only the concept of acceptable loss.