Hacking & Security
A report published by the House Committee on Science, Space and Technology today found that hackers believed to be from China had compromised computers at the Federal Deposit Insurance Corporation repeatedly between 2010 and 2013. Backdoor malware was installed on 12 workstations and 10 servers by the attackers—including the workstations of the chairman, chief of staff, and general counsel of the FDIC. But the incidents were never reported to the US Computer Emergency Response Team (US-CERT) or other authorities and were only brought to light after an Inspector General investigation into another serious data breach at the FDIC in October of 2015.
At the time of the "advanced persistent threat" attacks, the FDIC failed to report the incidents. Then-inspector general at the FDIC, Jon Rymer, lambasted FDIC officials for failing to follow their own policies on breach reporting. Further investigation into those breaches led the committee to conclude that former FDIC CIO Russ Pittman misled auditors about the extent of those breaches and told employees not to talk about the breaches by a foreign government so as not to ruin FDIC Chairman Martin Gruenberg's chances of confirmation.
The cascade of bad news began with an FDIC Office of the Inspector General (OIG) investigation into the October "Florida incident." On October 23, 2015, a member of the Federal Deposit Insurance Corporation's Information Security and Privacy Staff (ISPS) discovered evidence in the FDIC's data loss prevention system of a significant breach of sensitive data—more than 1,200 documents, including Social Security numbers from bank data for more than 44,000 individuals and 30,715 banks, were copied to a USB drive by a former employee of FDIC's Risk Management Supervision field office in Gainesville, Florida. The employee had copied the files prior to leaving his position at the FDIC. Despite intercepting the employee, the actual data was not recovered from him until March 25, 2016. The former employee provided a sworn statement that he had not disseminated the information, and the matter was dropped.
Over a month after a prominent staffer at the Tor Project left the organization amid public accusations of sexual misconduct, the project has shaken up its entire seven-person board of directors, replacing the seven who have left as of Wednesday with six new members.
The Tor Project is the Massachusetts-based nonprofit that maintains Tor, the well-known open-source online anonymity tool.
In June 2016, Jacob Appelbaum, one of Tor’s most public-facing developers and a member of the "Core Team," denounced the accusations, saying that a "calculated and targeted attack has been launched to spread vicious and spurious allegations against me."
As we have seen in the past couple of years, car hacking is becoming an ever-greater threat. Many of the systems in our vehicles—and the standards to which they were designed—predate the connected car era. And so computerized vehicle systems lack some of the basic kinds of security that we would otherwise expect as default given the ramifications of a hack. The car-hacking problem gained widespread attention in July 2015, when hackers revealed that 1.4 million Chrysler and Dodge vehicles were vulnerable to an exploit—via the car's infotainment system—that could allow a malicious hacker to take over control of the vehicles' throttle, brakes, and even steering.
On Wednesday morning, Fiat Chrysler Automobiles (FCA) announced it has created a bug bounty program, using Bugcrowd's platform to allow the security community to inform it about possible exploits.
"We want to encourage independent security researchers to reach out to us and share what they’ve found so that we can fix potential vulnerabilities before they’re an issue for our consumers," said Titus Melnyk, senior manager of security architecture at FCA. "Exposing or publicizing vulnerabilities for the singular purpose of grabbing headlines or fame does little to protect the consumer. Rather, we want to reward security researchers for the time and effort, which ultimately benefits us all."
For more than two decades, Microsoft Windows has provided the means for clever attackers to surreptitiously install malware of their choice on computers that connect to booby-trapped printers, or other devices masquerading as printers, on a local area network. Microsoft finally addressed the bug on Tuesday during its monthly patch cycle.
The vulnerability resides in the Windows Print Spooler, which manages the process of connecting to available printers and printing documents. A protocol known as Point-and-Print allows people who are connecting to a network-hosted printer for the first time to automatically download the necessary driver immediately before using it. It works by storing a shared driver on the printer or print server and eliminates the hassle of the user having to manually download and install it.
Researchers with security firm Vectra Networks discovered that the Windows Print Spooler doesn't properly authenticate print drivers when installing them from remote locations. The failure makes it possible for attackers to use several different techniques that deliver maliciously modified drivers instead of the legitimate one provided by the printer maker. The exploit effectively turns printers, printer servers, or potentially any network-connected device masquerading as a printer into an internal drive-by exploit kit that infects machines whenever they connect.
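The defender-side check that goes with this bug is the Point and Print Restrictions policy, which controls whether a client silently accepts and installs a driver from any print server. The following script is an added example (not from the article or from Vectra) that reads those policy values from the registry on a Windows host and reports the weak settings; it assumes the documented value names under the Point and Print policy key, and notes where one value postdates the 2016 fix.

```python
"""Audit the Point and Print Restrictions policy that governs remote print-driver installs."""
import sys

# Documented policy key for the "Point and Print Restrictions" Group Policy setting
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
VALUE_NAMES = ("Restricted", "NoWarningNoElevationOnInstall",
               "UpdatePromptSettings", "RestrictDriverInstallationToAdministrators")


def evaluate_point_and_print(values):
    """values: dict of DWORD name -> int as read from the policy key.
    An empty dict means the policy is not configured at all.
    Returns {'ok': bool, 'findings': [str]} with the weaknesses found."""
    findings = []
    # Restricted=1 means the policy is enabled; unset means any server may serve drivers
    if values.get("Restricted", 0) != 1:
        findings.append("Point and Print restrictions not enabled: drivers accepted from any print server")
    # 1 suppresses the warning and elevation prompt on first-time driver installs
    if values.get("NoWarningNoElevationOnInstall", 0) == 1:
        findings.append("Warning and elevation prompt suppressed for new driver installs")
    # 0 = warning + elevation prompt (default), 1 = warning only, 2 = neither
    if values.get("UpdatePromptSettings", 0) != 0:
        findings.append("Elevation prompt weakened for driver updates")
    # Value added by Microsoft in 2021, after this article; an explicit 0 re-allows
    # non-administrators to install drivers, so only an explicit 0 is flagged here
    if values.get("RestrictDriverInstallationToAdministrators") == 0:
        findings.append("Non-administrators explicitly allowed to install print drivers")
    return {"ok": not findings, "findings": findings}


def read_policy():
    """Read the policy DWORDs from HKLM; returns {} when the key does not exist."""
    import winreg  # only available on Windows
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            for name in VALUE_NAMES:
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass  # value not set; evaluate_point_and_print applies the default
    except FileNotFoundError:
        pass  # policy never configured
    return values


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being audited")
    result = evaluate_point_and_print(read_policy())
    print("OK" if result["ok"] else "\n".join(result["findings"]))
```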
Adobe has pushed out a critical update to plug at least 52 security holes in its widely-used Flash Player browser plugin, and another update to patch holes in Adobe Reader. Separately, Microsoft released 11 security updates that fix more than 40 flaws in Windows and related software.
First off, if you have Adobe Flash Player installed and haven’t yet hobbled this insecure program so that it runs only when you want it to, you are playing with fire. It’s bad enough that hackers are constantly finding and exploiting zero-day flaws in Flash Player before Adobe even knows about the bugs.
The bigger issue is that Flash is an extremely powerful program that runs inside the browser, which means users can compromise their computer just by browsing to a hacked or malicious site that targets unpatched Flash flaws.
The smartest option is probably to ditch this insecure program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach — as well as slightly less radical solutions — in A Month Without Adobe Flash Player.
If you choose to update, please do it today. The most recent versions of Flash should be available from this Flash distribution page or the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox, Opera). Chrome and IE should auto-install the latest Flash version on browser restart.
Happily, Adobe has delayed plans to stop distributing direct download links to its Flash Player program. The company had said it would decommission the direct download page on June 30, 2016, but the latest, patched Flash version 22.214.171.124 for Windows and Mac systems is still available there. The wording on the site has been changed to indicate the download links will be decommissioned “soon.”
Adobe’s advisory on the Flash flaws is here. The company also released a security update that addresses at least 30 security holes in Adobe Reader. The latest version of Reader for most Windows and Mac users is v. 15.017.20050.
Six of the 11 patches Microsoft issued this month earned its most dire “critical” rating, which Microsoft assigns to software bugs that can be exploited to remotely commandeer vulnerable machines with little to no help from users, save from perhaps browsing to a hacked or malicious site.
In fact, most of the vulnerabilities Microsoft fixed this Patch Tuesday are in the company’s Web browsers — i.e., Internet Explorer (15 vulnerabilities) and its newer Edge browser (13 flaws). Both patches address numerous browse-and-get-owned issues.
Another critical patch from Redmond tackles problems in Microsoft Office that could be exploited through poisoned Office documents.
For further breakdown on the patches this month from Adobe and Microsoft, check out these blog posts from security vendors Qualys and Shavlik. And as ever, if you encounter any problems downloading or installing any of the updates mentioned above please leave a note about your experience in the comments below.
Something all Information Security Controls have in common is the data output they produce in the form of logged events and alerts. With an increase in the size of an organization or an increase in security levels, the size of this data and its storage requirements will also rapidly grow. Traditionally organizations purchase more and […]
When we reviewed the Blackphone 2 last September, the company behind the privacy-focused smartphone was in transition. Silent Circle had moved to bring the Blackphone joint venture with the Madrid-based Geeksphone back under its umbrella, hired a telecom industry veteran as CEO, and was fine-tuning its marketing to go after an enterprise audience. The phone’s Android-based operating system, rebranded as Silent OS, became simultaneously more user-friendly and more hardened, paving the way for features that would be incorporated into Android for Work.
Less than a year later, Silent Circle has substantially changed. For starters, that new CEO is gone. Bill Conner resigned June 27 after, as he put it, Silent Circle "extended its privacy leadership into the enterprise as a secure communications SAAS [Software as a Service] company." The company’s general counsel is now serving as interim CEO as it seeks new leadership.
Over the course of the last year, many more core security team members—including co-founder and Chief Technology Officer Jon Callas, Chief Architect Mike Kershaw (AKA "dragorn," creator of the Kismet wireless network security tool), and Chief Security Officer Dan Ford—left the company. Callas remains as an investor, but he now works for Apple. There have also been layoffs.
Pokémon GO, one of the most downloaded apps of recent days and enjoying unexpected interest, is attracting not only players but also attackers. Because of the high demand and limited availability, a number of sites now offer alternative download links for the app. To install it, users then have to allow installation from alternative sources. According to experts, however, many of these links lead to a version of Pokémon GO infected with the DroidJack tool, which allows remote control of the phone. Users can tell whether they have an infected version installed from the permissions it has been granted. If these include items such as directly dialing phone numbers, editing and reading SMS, recording audio, access to browsing history, modifying and reading contacts, reading and writing call log information, and changing network settings, users should uninstall the app immediately. It should be added, however, that even the official Nintendo app itself has drawn criticism, since it lets its creators gain complete control over the user's Google account, including, for example, reading e-mails.
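The permission check described above can be automated against a decoded app manifest. The script below is an added example (not from the article or from the researchers it cites): it maps the article's list of warning-sign permissions to Android permission names (that mapping is my own), parses a constructed AndroidManifest.xml resembling a repackaged build, and returns the matching permissions. It assumes the manifest has already been decoded from the APK's binary XML to plain text with a tool such as apktool.

```python
"""Flag the permissions the article names as signs of a DroidJack-infected Pokémon GO build."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Article's warning signs -> Android permission names (mapping is an assumption, not from the page)
RED_FLAGS = {
    "android.permission.CALL_PHONE": "directly dialing phone numbers",
    "android.permission.READ_SMS": "reading SMS",
    "android.permission.WRITE_SMS": "editing SMS",
    "android.permission.RECORD_AUDIO": "recording audio",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "access to browsing history",
    "android.permission.READ_CONTACTS": "reading contacts",
    "android.permission.WRITE_CONTACTS": "modifying contacts",
    "android.permission.READ_CALL_LOG": "reading call log information",
    "android.permission.WRITE_CALL_LOG": "writing call log information",
    "android.permission.CHANGE_NETWORK_STATE": "changing network settings",
}


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def flag_permissions(manifest_xml):
    """Return [(permission, reason)] for every declared permission on the article's list."""
    return sorted((p, RED_FLAGS[p]) for p in declared_permissions(manifest_xml) if p in RED_FLAGS)


# Constructed sample manifest: a game's normal permissions plus a few from the red-flag list
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.repackaged.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Sample"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, reason in flag_permissions(SAMPLE_MANIFEST):
        print(f"suspicious: {perm} ({reason})")
```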