Monthly Archives: October 2016

Computer science researchers at the University of Washington are developing a technology to securely send data through the human body rather than wires or the air.

Passwords sent over insecure networks are liable to sniffing. This well-understood problem is most easily mitigated using VPN technology, but now security academics have taken a left-field approach to the same problem, one which also guards against the risk of vulnerabilities in custom radio protocols for wearables and implantables.

The technology would work in conjunction with fingerprint sensors in the latest generation of smartphones.

One use cited is opening a door fitted with an electronic smart lock. A user would touch the doorknob and the fingerprint sensor on their smartphone at the same time, with their credentials being transmitted through their body rather than over the air.

The technology is not restricted by body type or posture, as a research paper by the researchers (abstract below) explains:

We show for the first time that commodity devices can be used to generate wireless data transmissions that are confined to the human body. Specifically, we show that commodity input devices such as fingerprint sensors and touchpads can be used to transmit information to only wireless receivers that are in contact with the body.

We characterize the propagation of the resulting transmissions across the whole body and run experiments with ten subjects to demonstrate that our approach generalizes across different body types and postures. We also evaluate our communication system in the presence of interference from other wearable devices such as smartwatches and nearby metallic surfaces. Finally, by modulating the operations of these input devices, we demonstrate bit rates of up to 50 bits per second over the human body.

The approach works because fingerprint sensors “produce characteristic electromagnetic signals at frequencies below 10 MHz” that propagate well through the human body.

The researchers ran tests using iPhone 5s and iPhone 6s fingerprint sensors, the Verifi P5100 USB fingerprint scanner, and both Lenovo T440s and Adafruit touch pads. Interference from wearable or metallic objects a user might have about them (such as watches) wasn’t a problem. The data transmission rate achieved of just 25 bits per second, or “less than a quarter the speed of a 1950s modem”, as security blogger Bill Camarda notes, might well be a limitation though.

“It’s a long way from a university research lab to your body, but if this proves out, multiple applications are possible,” Camarda adds in a post on the Sophos Naked Security blog.

“Instead of manually typing in a secret serial number or password for wirelessly pairing medical devices such as glucose or blood pressure monitors with smartphones, a smartphone could directly transmit arbitrary secret keys through the human body.

Of course, having your body as the transmission medium brings a whole new set of security concerns about man-in-the-middle attacks,” he concludes. ®


The Register - Security


It has been an odd day for Newsweek – its main site was taken offline after it published a story claiming a company owned by Republican presidential candidate Donald Trump broke an embargo against doing deals with Cuba.

The magazine first thought that the sheer volume of interest in its scoop was the cause for the outage, but quickly realized that something more sinister was afoot.

The site was being bombarded by junk traffic from servers all around the world, but the majority came from Russia, the editor in chief Jim Impoco has now said.

"Last night we were on the receiving end of what our IT chief called a 'massive' DoS [denial of service] attack," he told Talking Points Memo.

"As with any DDoS [distributed DoS] attack, there are lots of IP addresses, but the main ones are Russian, though that in itself does not prove anything. We are still investigating."

The story, written by staffer Kurt Eichenwald, detailed how former employees of Trump Hotels had arranged a visit to Cuba in 1998 to explore the possibility of joint ventures with the communist regime. A consultancy company called Seven Arrows made the visit, and the funds to pay for the trip were then allegedly hidden as a charitable expense.

Shortly after the story was published, traffic on the site started to rise – as you'd expect in a presidential season with serious allegations being made. But the traffic count continued to rise and eventually brought the site down.

As with any DDoS attack, finding the culprit is nearly impossible. But it appears that the article has pissed off a lot of people who control many Russian servers. ®


The Register - Security

A report made available this week by the U.S. Government Accountability Office (GAO) shows that the Food and Drug Administration (FDA) needs to address some serious cybersecurity weaknesses that expose industry and public health data.

An audit conducted by the GAO between February 2015 and August 2016 revealed several problems that put the confidentiality, integrity, and availability of the FDA’s systems at risk.

The GAO’s analysis targeted seven of the FDA’s 80 systems. The systems covered by the audit receive and process sensitive drug information and are essential to the agency’s mission. Since they are categorized as moderate or high impact under the Federal Information Processing Standards, a compromise of the systems or their information could have a serious or catastrophic impact on the organization.

A total of 87 weaknesses have been identified by GAO, including failure to protect network boundaries, identify and authenticate users, restrict user permissions, encrypt sensitive data, monitor system activity, and conduct physical security reviews.

For instance, the FDA’s internal network was not isolated from the network of the contractor in charge of the agency’s public website. The internal network was also accessible from one of the organization’s untrusted networks.

Another example refers to the FDA’s failure to implement strong password controls, including passwords that remained unchanged for several years, weak credentials and default settings.

As for authorization-related concerns, the GAO discovered that hundreds and even thousands of user accounts had unnecessary or uncontrolled access to file shares. The audit also revealed that sensitive data, including passwords, were not properly encrypted.

The FDA did not properly audit and monitor its systems, which could allow malicious actors to remain undetected for extended periods of time. The GAO pointed out that the agency did not always retain audit logs, and it failed to preserve evidence related to a 2013 security breach that resulted in an external attacker gaining access to sensitive user account information.

“FDA has taken steps to safeguard its systems that receive, process, and maintain sensitive data by, for example, implementing policies and procedures for controlling access to and securely configuring those systems. However, a significant number of weaknesses remain in technical controls — including access controls, change controls, and patch management — that jeopardize the confidentiality, integrity, and availability of its systems,” the GAO said in its report.

One of the causes of weak security controls, according to the GAO, is the lack of a properly implemented agency-wide information security program as required by federal laws. These laws require government organizations to implement risk assessments, incident response procedures, regular testing of security controls, reviews and updates for security policies and procedures, vulnerability patching mechanisms, and security training.

The GAO has made over a dozen recommendations for the implementation of an agency-wide information security program and 166 recommendations on addressing specific problems.

Related: Huge US Facial Recognition Database Flawed

Related: DHS's Einstein Security System Has Limited Capabilities

Related: Internet Connectivity Could Expose Aircraft Systems to Cyberattacks


Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

The European Union has published its proposal (PDF) for a revised Regulation on the export of dual use goods. The primary purpose is to overhaul and simplify the existing controls that were designed to limit the proliferation of weapons of mass destruction (WMDs); but it also introduces new controls over the export of cyber surveillance and computer intrusion tools.

More explicitly, it aims at preventing "the misuse of digital surveillance and intrusion systems that results in human rights violations" in line with the 2015 Human Rights Action Plan and the EU Guidelines for Freedom of Expression. New laws are necessary because existing legislation does not provide sufficient control over cyber-surveillance technologies.

It is a difficult area since cyber-surveillance and intrusion are both recognized as legitimate practices for some governments and some law enforcement agencies (especially in the name of national security). The problem is to allow and even simplify sales and exports to acceptable companies and governments while restricting it from those companies and countries that might use it to abuse the human rights that are protected by the EU constitution.

Misuse of these technologies can have -- and have had -- dire effects; and this is explicitly acknowledged by the EU. These technologies, notes the Introductory Memorandum, have "been misused for internal repression by authoritarian or repressive governments to infiltrate computer systems of dissidents and human rights activists, at times resulting in their imprisonment or even death." Under such circumstances, it goes on, continued export of cyber-surveillance runs counter to the EU's own human rights requirements, "such as the right to privacy and the protection of personal data, freedom of expression, freedom of association, as well as, indirectly, freedom from arbitrary arrest and detention, or the right to life."

The EU's proposed solution "sets out a two-fold approach, combining detailed controls of a few specific listed items with a 'targeted catch-all clause' to act as an 'emergency brake' in case where there is evidence of a risk of misuse. The precise design of those new controls would ensure that negative economic impact will be strictly limited and will only affect a very small trade volume."

Privacy International (PI) is one of the organizations that has long campaigned for stricter rules on the export of surveillance technologies. In a recent report (PDF) published in August 2016, it called for a new approach combining corporate social responsibility with export restrictions. "While pro-active due diligence on the behalf of companies is a necessary start," it suggests, "without instruments capable of restricting transfers and shining a light on the companies and the trade, surveillance technologies developed in and traded from the West will further undermine privacy and facilitate other abuses."

The export of encryption technologies is also covered in the new proposal. Encryption is considered 'dual use' and therefore regulated by many countries. However, different countries have different standards, and the EU has concluded that this gives those countries an unfair trading advantage.

The proposal is expected, says the Memorandum, "to improve the international competitiveness of EU operators as certain provisions - e.g. on technology transfers, on the export of encryption - will facilitate controls in areas where third countries have already introduced more flexible control modalities. The proposal's new chapter on cooperation with third countries is also expected to promote the convergence of controls with key trade partners and a global level-playing field, and thus to have a positive impact on international trade."

Details of the new Regulation were leaked in July. Since that time PI has lobbied the EU for additional improvements. In a statement sent to SecurityWeek, PI comments, "The eventual proposals only differ slightly however, with the main change being that the definition of 'cyber-surveillance' technology has been narrowed. The actual annex which contains a detailed list of what technology has been subject to control has also been published. In addition to spyware used to infect devices, mobile phone interception tech, and mass internet monitoring centres, the Commission has proposed to add unilateral EU categories. Currently these are listed as telecommunications monitoring centres and lawful interception retention systems."

While PI welcomes the new regulation, it believes it could be better and should have been done much sooner. It points out that more than half of the world's surveillance companies that it has identified are based in the EU, and that it has been known since 1979 that "a UK company had provided the necessary wiretapping technology to the genocidal regime of Idi Amin in Uganda." 

The proposals, says PI, "encapsulate the best and worst aspects of the European Union. Their stated intent reflects Europe's commitment to fundamental rights, and - as a regulation - it will be binding on all member states, massively magnifying the effect of any legislation." But it adds, "The policy making process has been marked by technical and bureaucratic complexities detached from individuals, making it vulnerable to the interests of industry, powerful national governments, and civil society."

FinFisher GmBH and the Hacking Team are two EU companies that are likely to be affected by the new regulation. This would also have included Vupen if it had not closed down and resurrected itself as Zerodium in the US.


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

SecurityWeek RSS Feed

Here’s an overview of some of last week’s most interesting news and articles:

Yahoo breach was not state-sponsored, researchers claim
The massive 2014 Yahoo breach isn’t the work of state-sponsored hackers as the company has claimed to believe, say researchers from identity protection and threat intelligence firm InfoArmor. Instead, the breach was effected by a group of professional blackhats believed to be from Eastern Europe.

The psychological reasons behind risky password practices
A Lab42 survey highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits.

Mobile security stripped bare: Why we need to start again
There are three main threat vectors for mobile devices: targeting and intercepting the communications to and from devices; targeting the devices’ external interfaces (cellular, WiFi, Bluetooth, USB, NFC, web, etc.) for the purpose of device penetration and planting malicious code; and targeting the data on the device and the resources/functions the device or underlying OS provides access to, such as microphone, camera, GPS, etc.

ICS-CERT releases new tools for securing industrial control systems
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published newer versions of two tools that can help administrators with securing industrial control systems: the Cyber Security Evaluation Tool (CSET), and a whitepaper on recommended practices for improving ICS cybersecurity with defense-in-depth strategies.

OS analysis tool osquery finally available for Windows
Nearly two years after Facebook open sourced osquery, the social networking giant has made available an osquery developer kit for Windows, allowing security teams to build customized solutions for Windows networks.

DefecTor: DNS-enhanced correlation attacks against Tor users
A group of researchers from Princeton University, Karlstad University and KTH Royal Institute of Technology have devised two new correlation attacks that can be leveraged to deanonymize Tor users.

Incident response survival guide
Here are some steps that will allow organizations to minimize the damage when a security breach occurs.

D-Link DWR-932 router is chock-full of security holes
Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities affecting the LTE router/portable wireless hotspot D-Link DWR-932. Among these are backdoor accounts, weak default PINs, and hardcoded passwords.

Enhance iMessage security using Confide
One of the new features in iOS 10 offers the possibility of deploying specially crafted applications within iMessage. Most users will probably (ab)use this new functionality for sending tiresome animations and gestures, but some applications can actually provide added value for iMessage communication.

Why digital hoarding poses serious financial and security risks
82 percent of IT decision makers admit they are hoarders of data and digital files. These include: unencrypted personal records, job applications to other companies, unencrypted company secrets and embarrassing employee correspondence.

Clear and present danger: Combating the email threat landscape
As long as organisations use email to send and receive files, malicious email attachments will continue to plague corporate inboxes.

Europol identifies eight main cybercrime trends
A significant proportion of cybercrime activity still involves the continuous recycling of relatively old techniques, security solutions for which are available but not widely adopted.

Microsoft equips Edge with hardware-based container
Windows Defender Application Guard is a lightweight virtual machine that prevents malicious activity coming from the web from reaching the operating system, apps, data, and the enterprise network.

Rise of the drones: Managing a new risk environment
More drones in the skies raise a number of new safety concerns, ranging from collisions and crashes to cyber-attacks and terrorism.

Swiss voters approve new surveillance law
The Swiss Federal Intelligence Service will now be able to bug private property, phone lines, and wiretap computers (under certain conditions).

IoT-based DDoS attacks on the rise
As attackers are now highly aware of insufficient IoT security, many pre-program their malware with commonly used and default passwords, allowing them to easily hijack IoT devices. Poor security on many IoT devices makes them easy targets, and often victims may not even know they have been infected.

Public safety threat: Cyber attacks targeting smart city services
A new survey conducted by Dimensional Research assessed cyber security challenges associated with smart city technologies.

Help Net Security

Security researchers earlier this year managed to zero in on the Encryptor Ransomware-as-a-Service (RaaS), which forced the developer to shut down the operation, but without releasing the master key to help victims.

The ransomware service first emerged in July 2015 as a multiplatform threat at an appealing price, and managed to become a considerable threat to users and businesses fast, Trend Micro researchers reveal. Attacks leveraging this piece of ransomware could be easily tailored by affiliates, and Encryptor RaaS author created a full web panel for his patrons, which could be accessed only via the Tor network.

As with other ransomware, Bitcoin was the preferred transaction currency, and the earnings looked highly appealing for affiliates, as they had to share only 5% of their revenue with the author. Other similar services out there, such as Cerber, would require affiliates to pay 40% in commissions, Trend Micro explains (the Cerber campaigns generate an estimated $2.3 million in annual revenue).

Encryptor RaaS was being advertised in surface web and darknet forums and interested parties only needed to contact the developer to show interest. Technical expertise wasn’t a requirement, though affiliates needed to know how to set up a Bitcoin Wallet ID, which would be attached to the distributed ransomware variant. Affiliates were also provided with a “customer ID” and could choose the ransom amount and the distribution method.

The malware was written purely in C language, used a combination of RC6 and RSA-2048 algorithms to encrypt 231 file types, generated an ID for each victim, and had its entire infrastructure hidden within the Tor network. Victims were instructed to use Tor2Web or the Tor Browser to access the payment site and could also use a chat box to contact the cybercriminals.

The ransomware’s author focused on avoiding detection and even started offering a file-signing service for affiliates, saying that he had access to stolen Authenticodes. Encryptor RaaS was improved to become virtually undetectable, being able to trick static engine analysis, but still being caught by behavioral detection.

While analyzing the threat, researchers discovered that the actor left a command and control (C&C) server either abandoned or mistakenly open: it was exposed and not anonymized by Tor. Thus, researchers determined that Encryptor RaaS was being hosted on a legitimate cloud service, and one of the RaaS’s systems was seized in June.

The operator immediately took the infrastructure down as a precautionary measure, but more servers were seized a few days later. However, the developer managed to bring the entire system back online after four days, and also announced that it would shut down the operation. A shutdown notice was posted on all the main pages of decryptor sites, and Encryptor RaaS’s main site.

“Encryptor RaaS’s systems went down around 5 PM GMT on July 5, 2016, with the developer leaving victims a message that they can no longer recover their files, as he deleted the master key,” Trend Micro reveals. Thus, while there’s one less ransomware family to worry about, there are users left without the possibility of recovering their files.

Related: Locky Ransomware Drops Offline Mode

Related: New MarsJoke Ransomware Targets Government Agencies


Ionut Arghire is an international correspondent for SecurityWeek.

SecurityWeek RSS Feed

Brazilian cybercriminals are expanding their tactics and have recently adopted ransomware as a new means of attack, Kaspersky Lab reveals.

Security researchers from the Moscow-based security firm have analyzed a new variant of the Brazilian-made ransomware "Xpan" Trojan (Trojan-Ransom.Win32.Xpan). The malware has been used by the “TeamXRat” group, also identified as “CorporacaoXRat” (the Portuguese equivalent of “CorporationXRat”) to target local companies and hospitals. The ransomware’s signature is extension “.___xratteamLucked,” which is appended to encrypted files.

While Xpan isn’t the first ransomware to come out of Brazil – TorLocker and HiddenTear copycats were seen in local attacks – it packs code improvements that reveal increased interest in this type of malware. The threat is developed by an organized gang that uses targeted attacks via Remote Desktop Protocol (RDP) to infect systems, Kaspersky says.

When executed, the ransomware checks the system’s default language, sets a registry key, obtains the computer name from the registry, and deletes any proxy settings defined in the system. During execution, Xpan logs all actions to the console, but clears it when the process is completed. It then informs victims that their files were encrypted using RSA 2048-bit encryption.

Unlike the previous ransomware used by the TeamXRat group, Xpan doesn’t use persistence, has switched from Tiny Encryption Algorithm to AES-256, and encrypts all files on the system, except for .exe and .dll files, and those that include blacklisted substrings in the path. The malware, Kaspersky says, uses the implementation of cryptographic algorithms provided by MS CryptoAPI.

The security researchers have identified two versions of the Trojan, based on their extensions and the different encryption techniques. The first version uses the “___xratteamLucked” (3 ‘_’ symbols) extension and generates a single 255-symbol password for all files, while the second one uses the “____xratteamLucked” (4 ‘_’ symbols) extension and generates a new 255-symbol password for each file.

Before encryption, the ransomware attempts to stop popular database services, and deletes itself when the process has been completed. After encryption, the Trojan modifies the registry so that, when the victim double-clicks on a file with the extension “.____xratteamLucked,” the ransom note is displayed using msg.exe (a standard Windows utility).

The TeamXRat attacks are performed manually by hacking servers via RDP brute force and installing the ransomware on them. After gaining access to a server, the attackers disable the installed anti-virus product and begin installing their malware.

“Connecting remote desktop servers directly to the Internet is not recommended and brute forcing them is nothing new; but without the proper controls in place to prevent or at least detect and respond to compromised machines, brute force RDP attacks are still relevant and something that cybercriminals enjoy,” Kaspersky researchers explain.
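The controls Kaspersky calls for above are about detecting and responding to compromised machines, so here is an added example of what that detection logic can look like in practice: a small Python correlation routine that scans Windows Security event records for a burst of failed RDP logons (event 4625, logon type 10) from one source address and then flags a success (event 4624) from that same address shortly afterwards, which is the "brute force then install" pattern the article describes. It also includes a check for the two file extensions the article attributes to Xpan. This is example code written for this page, not Kaspersky's tooling; the event records, IP addresses, user names and thresholds are constructed sample data, and the detection thresholds are assumptions to be tuned per environment.

```python
"""Added example: RDP brute-force correlation over Windows Security events.

Constructed sample data only; thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log fields.
# EventID 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP); LogonType 2 = local console.
SAMPLE_EVENTS = [
    {"time": "2016-09-27T02:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2016-09-27T02:00:04", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2016-09-27T02:00:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2016-09-27T02:00:15", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2016-09-27T02:00:22", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2016-09-27T02:00:30", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2016-09-27T02:00:41", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2016-09-27T02:05:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.4", "user": "admin"},
    {"time": "2016-09-27T02:05:30", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.4", "user": "admin"},
    {"time": "2016-09-27T02:06:00", "event_id": 4624, "logon_type": 2, "src_ip": "192.0.2.10", "user": "jsmith"},
]

# Assumed tuning values: five failures inside two minutes from one address.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=2)

# Extensions the article attributes to the two Xpan versions (3 and 4 underscores).
XPAN_EXTENSIONS = (".___xratteamLucked", ".____xratteamLucked")


def _parse_time(value):
    return datetime.fromisoformat(value)


def detect_rdp_brute_force(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for RDP failure bursts and for a success that follows one.

    Only RemoteInteractive (type 10) logons are considered; events are processed
    in time order with a sliding window of recent failures per source address.
    """
    rdp_events = sorted((e for e in events if e["logon_type"] == 10), key=lambda e: e["time"])
    recent_failures = defaultdict(list)   # src_ip -> failure timestamps inside the window
    already_alerted = set()               # avoid one alert per extra failure
    alerts = []

    for event in rdp_events:
        now = _parse_time(event["time"])
        ip = event["src_ip"]
        window_failures = recent_failures[ip]
        # Drop failures that have aged out of the window.
        while window_failures and now - window_failures[0] > window:
            window_failures.pop(0)

        if event["event_id"] == 4625:
            window_failures.append(now)
            if len(window_failures) >= threshold and ip not in already_alerted:
                alerts.append({"type": "rdp_bruteforce", "src_ip": ip,
                               "failures": len(window_failures), "last_seen": event["time"]})
                already_alerted.add(ip)
        elif event["event_id"] == 4624 and len(window_failures) >= threshold:
            # A success right after a burst of failures is the high-priority case:
            # the account is likely compromised and the host needs isolation.
            alerts.append({"type": "bruteforce_success", "src_ip": ip,
                           "user": event["user"], "time": event["time"]})
    return alerts


def xpan_encrypted_files(paths):
    """Return the paths carrying either Xpan ransom extension (an infection indicator)."""
    return [p for p in paths if p.endswith(XPAN_EXTENSIONS)]


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(SAMPLE_EVENTS):
        print(alert)
    print(xpan_encrypted_files([r"C:\data\report.docx.____xratteamLucked", r"C:\data\notes.txt"]))
```

Run on the constructed events, the routine raises one `rdp_bruteforce` alert for 203.0.113.7 after its fifth failure and one `bruteforce_success` alert when the later type 10 logon from that address succeeds; the two failures from 198.51.100.4 and the console logon are ignored. In a real deployment the same logic would sit behind the SIEM or log forwarder, with the success-after-burst alert wired to an isolation playbook.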

RDP vulnerabilities are also exploited for remote code execution when an attacker sends a specially crafted sequence of packets to a targeted system. Servers that haven’t been patched are extremely valuable to cybercriminals, as the reports on the xDedic server marketplace revealed.

“Not surprisingly, Brazil was the country with the most compromised servers being offered in the underground market to any cybercriminal,” Kaspersky notes.

The good news when it comes to the Xpan ransomware is that Kaspersky managed to break the malware’s encryption, allowing for free file decryption. In fact, the researchers already helped a hospital in Brazil to recover from an Xpan attack. The security researchers expect new ransomware variants to come from the same threat actor.

Related: Apocalypse Ransomware Leverages RDP for Infection

Related: Shade Ransomware Updated With Backdoor Capabilities



Ionut Arghire is an international correspondent for SecurityWeek.

SecurityWeek RSS Feed

A new Bitglass report on insider threats in the enterprise found that, in a third of organizations surveyed, careless or malicious user behavior resulted in data leakage, up slightly from a year ago. 56 percent of respondents believe insider leaks have become more frequent in the last year.


“Adoption of cloud and BYOD are positive developments, but organizations that have limited cross-app visibility will struggle to detect anomalous behavior and need to rethink their approach to data security,” said Nat Kausik, CEO, Bitglass. “The reality is that cloud apps have made data more readily accessible and insider threats more likely – it’s up to the enterprise to put adequate data controls and policies in place to secure vital data.”

Bitglass found that 64 percent of enterprises can detect a breach within a week, up significantly from 42 percent a year ago. Only 23 percent take a month or longer to identify insider breaches, which indicates growing use of cloud-based audit and security tools. Respondents identified analytics as critical in detecting anomalous behavior.

Employee training (57 percent) and identity management solutions (52 percent) topped the list of best means for preventing insider attacks. Data leakage prevention was also included among the most effective tools in 49 percent of organizations.


Key findings

  • One in three organizations surveyed have experienced an insider attack in the last year, while 74 percent feel vulnerable to insider threats.
  • Seventy-one percent of cybersecurity professionals are most concerned with inadvertent leaks that are the result of risky unsanctioned app usage, unintended external sharing and unsecured mobile devices. Negligence (68 percent) and malicious insiders (61 percent) were also of concern to respondents.
  • Privileged users, more than any other user group, were seen as posing the greatest security risk by 60 percent of organizations.
  • Cloud and mobile are forcing IT to rethink detection and prevention. Cybersecurity professionals agree that lack of employee training (62 percent), insufficient data protection solutions (57 percent), more devices with access to sensitive data (54 percent) and more data leaving the network perimeter (48 percent) are at the core of many insider leaks.
  • A third of organizations do not have any analytics solutions in place to detect insider threats. Fifty-six percent use some kind of analytics solution to address anomalous behavior, but only 15 percent have user behavior analytics in place.
  • Collaboration tools (44 percent) and cloud storage apps (39 percent) were perceived to be most vulnerable to insider threats, as careless users are easily able to share data externally or lose a mobile device that contains sensitive information.

Help Net Security

USN-3090-2: Pillow regression | Ubuntu
