News & Updates

The U.S. Federal Trade Commission has announced a “prize competition” for creating a software or hardware-based solution with the ability to auto-patch vulnerable Internet of Things (IoT) devices.

Today we are surrounded by a number of Internet-connected devices. Our homes are filled with tiny computers embedded in everything from security cameras, TVs and refrigerators to thermostat and door


Source: http://feeds.feedburner.com/TheHackersNews

One of the most discussed topics these days are the various nefarious uses that a Drone can be put to or just flown where they shouldn’t be.

2016 has been an eventful year, marked by mixed sentiments around the US presidential election, Brexit and global terrorism striking the world’s news outlets. Not far behind are the debates seeking to understand the innovative venues and loopholes that have the potential to create havoc globally. One of the most discussed topics these days is the various nefarious uses that drones can be put to, or simply where they are flown when they shouldn’t be.

Drone pilots’ ability to fly into restricted areas, or the risk of their harming others, is a topic for another day. In this short blog we have looked at the various strategies governments and aviation authorities have attempted to introduce to curb the menace, only to see a threat evolving that poses a danger to the drones themselves.

So just what is a drone anyway? For the sake of argument let’s focus on the type of aircraft that you can purchase as a consumer for video and photography purposes (as opposed to the firing-missiles-and-blowing-things-up type). The world’s media has slapped the label “drone” onto any quadcopter, octocopter or other modern platform without actually investigating the differences between commercial platforms, military devices and traditional models. Essentially our UAV (Unmanned Aerial Vehicle, which is the correct term!) has four components:

  1. Power supply (typically a high power Li-Po Battery)
  2. Propulsion units (4+ motors)
  3. Transmitter (Video/Photo) / Receiver
  4. Motherboard (the Flight controller)

Up until number 3 we were in the same ballpark as remote-control helicopters and other model aircraft, which are controlled by servos driven by the radio signals. However, with the introduction of the motherboard we now have a flying computer with just as many undisclosed security issues as any other Internet of Things (IoT) device. Just because there isn’t a cable connected to the device does not mean that it is not susceptible to attack. For a clear breakdown of what is and isn’t a drone, we have the following:

  • Model Aircraft: remote control only, no pre-programmed flight paths etc.
  • Drone: equipped with a flight computer, but has no ability to follow a pre-programmed path, nor any built-in intelligence.
  • Unmanned Aerial Vehicle (UAV): encompasses all of the features seen in a drone but has additional intelligence features (object tracking, terrain/hazard avoidance etc.).
  • Unmanned Aerial System (UAS): all components seen in a UAV with additional support equipment (base station etc.).

So let’s have a look at some of the ways that have been identified to remove consumer UAVs from the air.

Shotgun: Eh, think we get this one! The US town of Deer Trail, Colorado even attempted to enact a law to allow residents to hunt federal UAVs and shoot them down!

Net: Police forces and organizers of sporting events around the world have been trialling nets launched from a bazooka-like launcher. The net expands in the air and fouls the UAV’s rotor blades, bringing it crashing to earth. There are also slightly less destructive methods where nets are carried by other, larger UAVs; this approach has been adopted by the police force in Tokyo[1]. These again snare the rotor blades but are designed to capture the errant flying machine rather than send it crashing to the ground and onto potential pedestrians.

RF Generator (Denial of Service!): Or more simply a UAV radio signal jammer. These devices overpower the radio signals (typically 2.4GHz for most commercial UAVs, which is the same range as standard Wi-Fi networks, Bluetooth connections, microwave ovens, car alarms, baby monitors and ZigBee devices) with white noise, causing the UAV to return to its “home” position if this has been set (or is available), or at the very least severing control from the pilot. However, it should be noted that these devices themselves are highly illegal in most countries[2]. Some commercial firms are investigating jamming guns which target a narrow window and allow the operator to aim at the offending UAV without affecting other services.

Exploitation: The takeover of the UAV’s flight systems by an outside attacker by various technical means, allowing the attacker complete control of the system for their own purposes. The owner/pilot is locked out and has no way of controlling the system.

Hacking UAVs is not new, the first high-profile case being that of an RQ-170 Sentinel stealth drone, a key weapon in the intelligence-gathering arsenal of the US Central Intelligence Agency (CIA); the drone was diverted and captured by the Iranians in December 2011. In this case, the Iranian military had identified that the US military utilized encrypted GPS frequencies for its control systems. They first jammed the drone’s communications link to its ground controllers (which forced the drone into autopilot mode); this also had the effect of forcing the drone to search for unencrypted commercial control channels. The Iranian attackers spoofed these signals, sending wrong GPS coordinates and tricking the drone into believing it was at its home base in Afghanistan, thus landing on Iranian territory in the welcoming arms of its attackers. It should be noted that the US military disputed this account and stated that it was a system malfunction; however, researchers have subsequently been able to reproduce the incident with commercial UAVs using encrypted GPS signals.

Security analysts and hackers alike have been investigating these types of attacks for some time now. Samy Kamkar (an independent researcher) created a program called “dronestrike” in 2013, mounting a Raspberry Pi computer running his code on his Parrot AR UAV 2.0 along with a wireless transmitter[3]. When his UAV was flown in the vicinity of another Parrot UAV, the dronestrike program would make a connection to the victim UAV, disconnect the owner/pilot and take control of the system itself.

Earlier this year Johns Hopkins University[4] set its capstone project for Master’s degree students. The students’ task was to conduct wireless penetration testing on a consumer UAV and then take what they had identified and craft exploits to attack the system. Three strategies were identified, all of which successfully broke the connection to the pilot:

  1. Denial of Service: The UAV was bombarded with over 1,000 wireless connection requests in a short period of time; each connection attempt asked to take control of the aircraft. This overloaded the UAV’s CPU, causing it to shut down.
  2. Buffer Overflow: In this scenario, an exceptionally large data packet was sent to the UAV. This exceeded the buffer in the UAV’s flight application, causing the aircraft to crash.
  3. Spoofing: The third scenario was an attack against the controller rather than the UAV. A fake packet was sent to the controller impersonating the UAV itself. The controller severed the connection with the real UAV, resulting in the aircraft making an emergency landing. XBee spectral analysis is seen to be utilized aggressively here.
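The three attacks above map onto three defensive checks that a control-link handler on the aircraft (or its controller) would want: a per-source rate limit on connection requests, a hard length bound applied before any frame is parsed, and an authentication tag on packets so that a forged “UAV” packet is not acted upon. The following is an added example written for this page, not code from the Johns Hopkins project or any vendor’s firmware; the limits, the frame size, the pairing key and the HMAC-SHA256 tagging are all assumptions used to illustrate the pattern.

```python
import hmac
import hashlib
from collections import deque
from typing import Deque, Dict, Optional

# Constructed parameters (assumptions, not values from any real flight controller).
MAX_FRAME_BYTES = 256          # largest control frame the parser will accept
MAX_CONNECTS_PER_WINDOW = 5    # connection requests tolerated per source per window
WINDOW_SECONDS = 10.0
SHARED_KEY = b"constructed-demo-pairing-key"  # provisioned at pairing time (assumption)


class ControlLink:
    """Model of one side of a control link with three defensive checks that map
    to the three attacks in the text: a per-source rate limit on connection
    requests, a length bound before any frame is parsed, and an HMAC tag so the
    receiver can tell genuine packets from spoofed ones."""

    def __init__(self, key: bytes = SHARED_KEY) -> None:
        self._key = key
        self._connects: Dict[str, Deque[float]] = {}
        self.rejected: Dict[str, int] = {"rate": 0, "length": 0, "auth": 0}

    # 1. Denial of service: bound how often one source may ask to take control.
    def accept_connect(self, source: str, now: float) -> bool:
        window = self._connects.setdefault(source, deque())
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                     # forget requests outside the window
        if len(window) >= MAX_CONNECTS_PER_WINDOW:
            self.rejected["rate"] += 1
            return False
        window.append(now)
        return True

    # 2. Buffer overflow: refuse a frame by length before touching its contents.
    def accept_frame(self, frame: bytes) -> Optional[bytes]:
        if len(frame) > MAX_FRAME_BYTES:
            self.rejected["length"] += 1
            return None
        return frame[:MAX_FRAME_BYTES]          # copy into a fixed-size buffer

    # 3. Spoofing: only packets carrying a valid tag under the pairing key are
    #    treated as coming from the peer.
    def sign(self, payload: bytes) -> bytes:
        return payload + hmac.new(self._key, payload, hashlib.sha256).digest()

    def verify(self, packet: bytes) -> Optional[bytes]:
        if len(packet) < 32:
            self.rejected["auth"] += 1
            return None
        payload, tag = packet[:-32], packet[-32:]
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            self.rejected["auth"] += 1
            return None
        return payload


def simulate() -> Dict[str, int]:
    """Replay constructed traffic: a connect flood, an oversized frame and a forged
    'link lost' packet that carries no valid tag. Returns the rejection counts."""
    link = ControlLink()
    # 1,000 connection requests from one source inside a single window.
    accepted = sum(link.accept_connect("flooder", now=0.001 * i) for i in range(1000))
    assert accepted == MAX_CONNECTS_PER_WINDOW
    # An oversized frame is dropped; a normal one passes.
    link.accept_frame(b"\x00" * 4096)
    link.accept_frame(b"ARM")
    # A forged packet (no knowledge of the key) is rejected; a genuine one is accepted.
    link.verify(b"LINK_LOST" + b"\x00" * 32)
    assert link.verify(link.sign(b"BATTERY=87")) == b"BATTERY=87"
    return dict(link.rejected)   # returns {'rate': 995, 'length': 1, 'auth': 1}


if __name__ == "__main__":
    print(simulate())
```

The length check is deliberately done on the raw frame before any field is read, which is the property a fixed-size receive buffer needs; the HMAC check uses a constant-time comparison so that the tag cannot be guessed byte by byte from timing.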

These three types of attack are nothing new to cyber security analysts, with attacks of this kind occurring daily against enterprise computer systems. But surely we as an industry don’t really have to be that worried about this, as these are only isolated cases involving hobbyist fliers? Think again: a UAV is a flying computer. Computers get hacked. Period!


To complicate matters further, many logistics firms are trialling UAV delivery systems, including Amazon, DHL and Domino’s Pizza to name but a few. Amazon has already been awarded a patent for a flying warehouse, an airborne fulfillment center (AFC). The notion is that the AFC could be used as a launch pad for drones to make local deliveries. The approved patents state that the AFC would be housed at about 45,000 feet, allowing UAVs to be stocked, deployed and flown as necessary.

With the above developments moving forward, the possibility of hacking into a UAV and diverting it without the owner knowing where it has gone will be a massive incentive for criminals seeking to steal the deliveries flying over their heads. With the assistance of insiders within the delivery firm, the criminals could target specific cargoes. Already we have seen evidence that attackers are able to intercept the operator’s commands at a distance of up to 2 kilometers and spoof their own. At a distance of 100 meters, WEP can be easily cracked and the drone stolen.

A number of firms are now looking to UAVs to provide a mobile security platform for organizations with large estates or, in the case of smaller UAVs, warehouse security. The opportunity to attack these platforms is twofold. Firstly, an attacker who is able to take control of the UAV is then able to turn its “eyes” away from any intruders on the ground. Secondly, and more worrying, is where the attacker diverts the drone, lands it and attaches their own monitoring equipment (cameras with transmitting equipment etc.) to the aircraft. When this is returned to the control of the automated system/pilot, the UAV will continue about its tasks as though nothing has happened, all the while acting as a physical Trojan horse for the attached monitoring equipment. This could lead to the loss of trade secrets with the likes of indoor warehouse UAVs. This kind of attack can also be used to kill off market competition; not to forget that currently 70% of the commercial drone market is held by the Chinese firm DaJiang Innovation Technology (DJI).

One threat vector which is already being utilized is criminal gangs using UAVs to smuggle drugs into prisons for waiting inmates. Whilst this is already occurring, the UAVs themselves have either been purchased or stolen from their owners’ residences. The ability to hack into a UAV, take it over and then use it for your own purposes removes a great deal of risk and removes all attribution to the criminals when and if the UAV is captured by prison staff. The ability to steal a UAV in flight is going to be a great temptation to criminals.

On a related note, there is also a psychological dimension: the drone pilot, operating at a distance, can in a sense be detached from the local context and culture. This may create a dream-world or gaming environment, detaching the operator from physical reality and putting their behavior at risk with respect to professional responsibility and social mores.[5]

What we have seen in this blog is that UAVs, or drones (if you must!), are just like any system which relies upon a computer to operate. They can be hacked and taken over for many nefarious activities, and we have only just seen the beginning. When the delivery platforms take to the air (pun intended), cyber criminals are going to have a field day!

We are truly on the highway to the Danger Zone.

[1] http://www.telegraph.co.uk/technology/2016/01/21/tokyo-police-are-using-drones-with-nets-to-catch-other-drones/

[2] https://www.fcc.gov/general/jammer-enforcement

[3] https://www.youtube.com/watch?v=EHKV01YQX_w

[4] http://releases.jhu.edu/2016/06/08/johns-hopkins-team-makes-hobby-drones-crash-to-expose-design-flaws/

[5] http://releases.jhu.edu/2016/06/08/johns-hopkins-team-makes-hobby-drones-crash-to-expose-design-flaws/

Azeem Aleem: Director, RSA Advanced Cyber Defence Practice EMEA

An experienced information security executive with over 15 years of practitioner experience in cyber defense technologies, security operations, counter threat intelligence, data analytics and behavioral classification of cyber criminals. As a subject matter expert, he has made frequent appearances on regional television and radio programs as an expert on cyber threats. A published book author and academic criminologist, he has also authored several periodicals on advanced security threats in peer-reviewed journals and security magazines. He is an eminent plenary conference guest speaker at both the national and international level.

Dave Gray: Senior Consultant RSA Advanced Cyber Defence Practice EMEA

David has been in the security business all his adult life having started in the Royal Air Force as his first job. He has worked in the cyber security field for over 10 years now in various cyber defence positions including Network, Malware and Forensic Analysis before leading teams himself.

He has co-developed an open framework for implementing Use Cases into any SOC and spoken at a number of International Security Conferences including RSAC and SANS on various cyber-related security topics. David currently works as a Team Leader for RSA ACD deploying security programs and Advanced SOC/CIRC designs to customers in EMEA.

Gareth Pritchard: Consultant, Advanced Cyber Defense Services Practice EMEA

Gareth Pritchard is a consultant for the Advanced Cyber Defense Services Practice – EMEA. In this capacity, Gareth is responsible for professional services engagements for global incident response/discovery (IR/D), breach readiness, remediation and SOC/CIRC redesign.

Gareth has over 10 years of experience in information technology, focusing on root cause analysis of infrastructure and cyber security related issues. This has led to a broad knowledge base for remediating problems and designing processes and procedures to help prevent issues arising in the future. Gareth has studied various technologies and has a broad wealth of experience in application scripting, web design, malware analysis, big data correlation, data mining and Windows/Linux technologies. This knowledge has been paramount in learning more about the current threats and tactics used by cyber criminals in the cyber security threat landscape.


Pierluigi Paganini

(Security Affairs – drone, cyber security)

The post The case of flying saucer – Highway to the Danger Drone appeared first on Security Affairs.

Source: Security affairs

LAS VEGAS—Virtual reality was bound to be a big theme of this year’s CES, and another big name is using the event to get into the space with a new, low-cost headset. Lenovo announced its own VR headset at CES—it doesn’t have a name yet, but the company claims it will cost less than $400 when it’s released later this year.

The affordable price is enough to make this intriguing, but the specs make things even more interesting. It’s built to be smaller and lighter than both the HTC Vive and the Oculus Rift, weighing just 350g (the Vive weighs about 550g). The bulk of its weight lies against your forehead rather than on the bridge of your nose, which should make it more comfortable to wear for long periods of time. It also has a convenient hinge design, which lets you turn the headset portion up whenever you need to give your eyes a break without requiring you to remove the entire system.

The headset’s display is made of two 1440×1440 panels, making it higher-res than both the Vive and the Rift. We would have liked to see this in action, but Lenovo only had a non-working prototype to show us. The company paired it with its new Legion Y720 gaming notebook, which is VR ready, and also showed off its new Entertainment Hub. This is basically a media library featuring VR-ready movies, games, and other content.


Source: http://feeds.arstechnica.com/arstechnica/index/

Google hacker Tavis Ormandy discovered a serious flaw that affects the Kaspersky antivirus software and the way it handles the digital certificates it uses for traffic inspection.

Experts from Kaspersky are fixing a problem that disabled certificate validation for 400 million users. The problem was spotted by the notorious Google hacker Tavis Ormandy; the vulnerability affects the Kaspersky antivirus software and the way it uses certificates to analyze encrypted traffic.

The security firm’s product installs a trusted CA, the Kaspersky Anti-Virus Personal Root, and uses its certificate for traffic inspection: in this way the software is able to decrypt the traffic and scan it for malicious patterns.

“In order to inspect encrypted data streams using SSL/TLS, Kaspersky installs a WFP driver to intercept all outgoing HTTPS connections. They effectively proxy SSL connections, inserting their own certificate as a trusted authority in the system store and then replace all leaf certificates on-the-fly. This is why if you examine a certificate when using Kaspersky Antivirus, the issuer appears to be ‘Kaspersky Anti-Virus Personal Root’,” Ormandy wrote in a security advisory.

The certificate interception process implemented by Kaspersky has previously resulted in serious vulnerabilities. Now the expert has discovered other issues, such as the way leaf certificates are cached, which relies on an extremely naive fingerprinting technique.

“Kaspersky caches recently generated certificates in memory in case the user agent initiates another connection. In order to do this, Kaspersky fetches the certificate chain and then checks if it’s already generated a matching leaf certificate in the cache. If it has, it just grabs the existing certificate and private key and then reuses it for the new connection,” explained the expert.

“The cache is a binary tree, and as new leaf certificates and keys are generated, they’re inserted using the first 32 bits of MD5(serialNumber||issuer) as the key. If a match is found for a key, they just pull the previously generated certificate and key out of the binary tree and start using it to relay data to the user-agent.”

It is easy to see that a 32-bit key is open to brute-force attacks: an attacker can produce a collision with another certificate in a few seconds.

Ormandy also provided a description of the attack:

  • Mallory wants to intercept mail.google.com traffic, for which the 32-bit key is 0xdeadbeef.
  • Mallory sends you the real leaf certificate for mail.google.com, which Kaspersky validates and then generates its own certificate and key for.
  • On the next connection, Mallory sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (let’s say attacker.com).
  • Now Mallory redirects DNS for mail.google.com to attacker.com, Kaspersky starts using their cached certificate and the attacker has complete control of mail.google.com.

Ormandy also provided a proof of concept for the bug, forcing a collision between the Hacker News and manchesterct.gov websites.

“You can reproduce this bug, by visiting https://autodiscover.manchesterct.gov, then https://news.ycombinator.com and observing that the content is signed by the wrong certificate.” he added. “So if you use Kaspersky Antivirus in Manchester, Connecticut and were wondering why Hacker News didn’t work sometimes, it’s because of a critical vulnerability that has effectively disabled SSL certificate validation for all 400 million Kaspersky users.”

The expert also provided C source code that can be used to generate a colliding certificate for testing.
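The root cause is a cache keyed on a 32-bit truncation of MD5(serialNumber || issuer), so two different certificates can share one entry. The following is an added example written for this page, not Ormandy’s C code and not Kaspersky’s product code: it models the cache lookup with a tuple standing in for a certificate, finds two serial numbers whose truncated keys collide with a cheap birthday search (the attack in the text needs a collision against one specific key, which is more work, but the conflation it exploits is the same), and contrasts the result with a cache keyed on a full SHA-256 fingerprint. The fingerprint key is an assumption used as a hardened comparison, not a description of Kaspersky’s actual fix.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for a leaf certificate: (serialNumber, issuer, commonName).
# Only the fields the cache key depends on are modelled.
Cert = Tuple[int, str, str]


def weak_cache_key(serial: int, issuer: str) -> int:
    """The key described in the advisory: first 32 bits of MD5(serialNumber || issuer)."""
    data = serial.to_bytes(20, "big") + issuer.encode("utf-8")
    return int.from_bytes(hashlib.md5(data).digest()[:4], "big")


def fingerprint_key(cert: Cert) -> str:
    """Hardened alternative (an assumption, not Kaspersky's actual fix): key the cache on
    a full SHA-256 fingerprint of the whole certificate, so two different certificates
    cannot share an entry without a 256-bit collision."""
    serial, issuer, cn = cert
    data = serial.to_bytes(20, "big") + issuer.encode("utf-8") + cn.encode("utf-8")
    return hashlib.sha256(data).hexdigest()


class LeafCache:
    """Model of the interception cache: on a miss it 'generates' an entry for the
    certificate, on a hit it returns whatever was stored under the lookup key."""

    def __init__(self, keyfn: Callable[[Cert], object]) -> None:
        self._keyfn = keyfn
        self._store: Dict[object, Cert] = {}

    def get_or_generate(self, cert: Cert) -> Cert:
        k = self._keyfn(cert)
        if k not in self._store:
            self._store[k] = cert   # stands in for "generate a fresh leaf cert + private key"
        return self._store[k]       # on a collision this is another site's certificate


def find_birthday_collision(issuer: str, limit: int = 2_000_000) -> Optional[Tuple[int, int]]:
    """Find two serial numbers under one issuer whose 32-bit keys collide. Expected
    work is about 2^16 trials (birthday bound); sequential serials keep it deterministic."""
    seen: Dict[int, int] = {}
    for serial in range(1, limit):
        k = weak_cache_key(serial, issuer)
        if k in seen:
            return seen[k], serial
        seen[k] = serial
    return None


def demonstrate() -> Tuple[bool, bool]:
    """Return (weak cache conflates the two certs, fingerprint cache conflates them)."""
    issuer = "CN=Constructed Demo CA"
    pair = find_birthday_collision(issuer)
    assert pair is not None
    first_cert = (pair[0], issuer, "mail.example.com")
    colliding_cert = (pair[1], issuer, "other.example")
    weak = LeafCache(lambda c: weak_cache_key(c[0], c[1]))
    strong = LeafCache(fingerprint_key)
    weak.get_or_generate(first_cert)
    strong.get_or_generate(first_cert)
    weak_conflates = weak.get_or_generate(colliding_cert) == first_cert
    strong_conflates = strong.get_or_generate(colliding_cert) == first_cert
    return weak_conflates, strong_conflates   # returns (True, False)


if __name__ == "__main__":
    print(demonstrate())
```

The point a reviewer would take from the model is that the strength of the hash function is irrelevant once only 32 bits of it are kept; the cache must be keyed on something that identifies the certificate uniquely, such as a full-length fingerprint of the entire certificate.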


Pierluigi Paganini

(Security Affairs – digital certificates, Kaspersky)

The post Kaspersky fixing a serious problem with inspection digital certificates appeared first on Security Affairs.

Source: Security affairs


Specs at a glance: 2016 Hyundai Ioniq Hybrid
Body type: Five-door hatchback
Layout: Front-wheel drive
Powertrain: 1.6L 4-cylinder Atkinson cycle petrol engine, with electric hybrid drive and 1.56kWh Li-ion battery
Transmission: Six-speed automatic DCT
Horsepower: 105ps (petrol engine) / 32kW (electric motor) / 104kW/141ps (combined)
Torque: 147Nm (petrol engine) / 170Nm (electric motor) / 265Nm (combined)
Suspension: MacPherson strut (front) / Multi-link (rear)
Tyres: 195/65 R15
Top speed: 115mph
CO2: 79g/km
Combined fuel economy: 83.1mpg
Weight: 1,870kg
Wheelbase: 2,700mm
Dimensions: 4,470 x 1,820 x 1,450mm (LWH)
Base price: £19,940

Sometimes the dice just roll the right way. I had been scheduled to spend a week kicking the tyres of Kia’s new Niro at the end of August but a mixup with the booking and then the theft of a press fleet car meant that I didn’t actually get my hands on it until the last week of September, which happened to be a week before the UK press launch of the Hyundai Ioniq.

So I decided to tackle them all at once. The Ioniq (that’s “ionic” rather than “ion-eek”) will eventually be available in three guises: pure electric, hybrid—which I’m reviewing here—and a plug-in hybrid due to arrive in Blighty next spring. As it happens, the Ioniq hybrid drivetrain is also found in the Kia Niro (pronounced like the actor rather than the pen), while a plug-in version of the Niro will also appear down the line.


Source: http://feeds.arstechnica.com/arstechnica/index/

(Image credit: Garmin)

LAS VEGAS—Garmin has updated its Fenix line of high-end multisport watches annually for the past few years, and 2017’s update will be welcome by all those with smaller wrists (myself included). This week Garmin announced the new Fenix 5 line of fitness watches, including the Fenix 5, 5S, and 5X, all of which were redesigned to be more compact than the existing Fenix watches. The new offerings should be easier for women and people with smaller wrists to wear.

Garmin’s Fenix line combines the widest feature set with arguably the most inoffensive design out of Garmin’s wearable family. However, Fenix watches are big watches—so big that whenever I put one on, the gigantic face weighed down my wrist, and the metal band would leave a gap so large around my wrist my index finger could fit through it. The company is tackling that issue with the Fenix 5 line (no, there were no Fenix 4 models, you’re not missing anything), which measure 42mm (Fenix 5S), 47mm (Fenix 5), and 51mm (Fenix 5X).

The Fenix 5X may be the size of a typical Fenix 3 HR, but the other two models are made to be compact and take up less wrist real estate. They all come in a variety of colors and finishes, and they all have sapphire versions that use scratch-resistant lenses. All of the watches are waterproof up to 100 meters and can be interchanged between leather, metal, and silicone bands depending on how you’re wearing them.


Source: http://feeds.arstechnica.com/arstechnica/index/

Alexa, how do I create something that combines AI with a creepy 1980s toy? (Image credit: Sean Gallagher)

It’s been 50 years since Captain Kirk first spoke commands to an unseen, all-knowing Computer on Star Trek and not quite as long since David Bowman was serenaded by HAL 9000’s rendition of “A Bicycle Built for Two” in 2001: A Space Odyssey. While we’ve been talking to our computers and other devices for years (often in the form of expletive interjections), we’re only now beginning to scratch the surface of what’s possible when voice commands are connected to artificial intelligence software.

Meanwhile, we’ve always seemingly fantasized about talking toys, from Woody and Buzz in Toy Story to that creepy AI teddy bear that tagged along with Haley Joel Osment in Steven Spielberg’s A.I. (Well, maybe people aren’t dreaming of that teddy bear.) And ever since the Furby craze, toymakers have been trying to make toys smarter. They’ve even connected them to the cloud—with predictably mixed results.

Naturally, I decided it was time to push things forward. I had an idea to connect a speech-driven AI and the Internet of Things to an animatronic bear—all the better to stare into the lifeless, occasionally blinking eyes of the Singularity itself with. Ladies and gentlemen, I give you Tedlexa: a gutted 1998 model of the Teddy Ruxpin animatronic bear tethered to Amazon’s Alexa Voice Service.


Source: http://feeds.arstechnica.com/arstechnica/index/

Jim Resnick

Financially beleaguered and lacking two top executives—who left just before the end of the year—Faraday Future unveiled its first actual electric car at the 2017 Consumer Electronics Show in Las Vegas on Tuesday night. Calling it “a new species” that “reformats the future,” the FF91 (“nine-one”) has a name which will confuse rather than clarify, but the critical numbers are impressive.

Faraday claims the FF91 will have the biggest electric drive system at 130kW of energy (using cells provided by LG Chem but packaged by Faraday). The greatest range, at a minimum of 378 miles using the EPA’s protocol (700km on the EU cycle) before needing a charge. And a power output of 783kW (equivalent to 1,050hp). Charging is important to Faraday, too, and an open charging strategy across networks works at 1.5, 10, and 15kW power levels, though the fastest DC charging will operate over 200kW.


Source: http://feeds.arstechnica.com/arstechnica/index/

A mysterious hacker is breaking into unprotected MongoDB databases, stealing their content, and asking for a ransom to return the data.

Victor Gevers, co-founder of the GDI Foundation, is warning of poor security for MongoDB installations in the wild. The security expert has discovered 196 instances of MongoDB that were wiped by crooks and are being held for ransom. A hacker who goes by the online moniker Harak1r1 is demanding 0.2 BTC, roughly $200 at the current exchange rate, to restore the installation. The crooks also request that system administrators demonstrate ownership of the installation through email.

It seems that the hacker is focusing on open MongoDB installations, likely found using a search engine like Shodan.

On December 27, Gevers discovered a MongoDB server that was left accessible without authentication through the Internet.

“Unlike other instances he discovered in the past, this one was different. When he accessed the open server, instead of looking at the database’s content, a collection of tables, Gevers found only one table, named ‘WARNING’,” reads a blog post published on bleepingcomputer.com.

The attacker accessed the open MongoDB database, exported its content, and replaced all data with a table containing the following record:

{ "_id" : ObjectId("5859a0370b8e49f123fcc7da"), "mail" : "[email protected]", "note" : "SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !" }

“I was able to confirm [this] because the log files show clearly that the date [at which] it was exported first and then the new database with tablename WARNING was created,” Gevers told BleepingComputer. “Every action in the database servers was being logged.”

The expert notified the victims that their databases had been hacked:

“Criminals often target open databases to deploy their activities like data theft/ransom. But we also have seen cases where open servers like these are used for hosting malware (like ransomware), botnets and for hiding files in the GridFS,” he wrote in the notification letter sent to the victims.

Querying Google for the hacker’s email address and Bitcoin address, it is possible to verify that many other users were victims of the same attacker. Gevers suggests blocking access to port 27017 or limiting access to the server by binding to local IPs in order to protect MongoDB installations. MongoDB admins could also restart the database with the --auth option, after they’ve assigned user access. Below are other useful tips for MongoDB admins:

  • Check the MongoDB accounts to see whether anyone has added a secret (admin) user.
  • Check GridFS to see if someone has stored any files there.
  • Check the log files to see who accessed MongoDB (show log global command).
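Gevers reconstructed the incident from the server logs, and the checks above are the same ones an administrator would run on any exposed instance. The following is an added example for this page, not code from Gevers, the GDI Foundation or MongoDB: it triages a handful of constructed log lines in the style of the MongoDB 3.x text log (source IPs, the collection named WARNING, drop and user-creation commands) and audits a mongod.conf fragment for the two settings the text recommends, binding to local addresses and enabling authorization. The log lines, IP addresses, database names and the regular expressions are assumptions; the config keys net.bindIp and security.authorization are real mongod.conf settings.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed log lines approximating the MongoDB 3.x text log format (assumption:
# command logging was verbose enough to record the commands, as in the incident).
SAMPLE_LOG = """\
2016-12-27T09:58:01.100+0000 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:43210 #1 (1 connection now open)
2016-12-27T10:12:33.412+0000 I NETWORK  [initandlisten] connection accepted from 198.51.100.23:51234 #2 (2 connections now open)
2016-12-27T10:12:40.005+0000 I COMMAND  [conn2] command customers.$cmd command: drop { drop: "orders" } 102ms
2016-12-27T10:12:41.220+0000 I COMMAND  [conn2] command customers.$cmd command: create { create: "WARNING" } 4ms
2016-12-27T10:12:41.300+0000 I COMMAND  [conn2] command admin.$cmd command: createUser { createUser: "backup_svc", roles: [ "root" ] } 3ms
2016-12-27T10:13:02.000+0000 I NETWORK  [conn2] end connection 198.51.100.23:51234 (1 connection now open)
"""

CONNECT_RE = re.compile(r"connection accepted from (?P<ip>[0-9a-fA-F.:]+):\d+ #(?P<conn>\d+)")
COMMAND_RE = re.compile(r"\[conn(?P<conn>\d+)\] command (?P<ns>\S+) command: (?P<cmd>\w+) (?P<body>\{.*\})")
RANSOM_COLLECTION = re.compile(r'create:\s*"WARNING"')
DESTRUCTIVE = {"drop", "dropDatabase", "createUser", "grantRolesToUser"}

# Address ranges treated as internal (assumption: loopback plus RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage_log(text: str) -> List[Dict[str, str]]:
    """Return findings: external connections, ransom-note collection creation, and
    destructive or privilege-granting commands, each attributed to the source IP of
    the connection that issued it."""
    source_by_conn: Dict[str, str] = {}
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            source_by_conn[m["conn"]] = m["ip"]
            if is_external(m["ip"]):
                findings.append({"type": "external_connection", "source": m["ip"]})
            continue
        m = COMMAND_RE.search(line)
        if not m:
            continue
        src = source_by_conn.get(m["conn"], "unknown")
        if RANSOM_COLLECTION.search(m["body"]):
            findings.append({"type": "ransom_note_collection", "source": src, "ns": m["ns"]})
        elif m["cmd"] in DESTRUCTIVE:
            findings.append({"type": "destructive_command", "source": src, "command": m["cmd"]})
    return findings


def audit_config(conf: str) -> List[str]:
    """Flag the two settings the text recommends: bind to local addresses only and
    require authentication. Simple key/value scan of a YAML-style mongod.conf."""
    problems: List[str] = []
    bind = re.search(r"^\s*bindIp:\s*(\S+)", conf, re.M)
    auth = re.search(r"^\s*authorization:\s*(\S+)", conf, re.M)
    if bind is None or "0.0.0.0" in bind.group(1):
        problems.append("net.bindIp exposes mongod on all interfaces; bind to 127.0.0.1 or internal IPs")
    if auth is None or auth.group(1) != "enabled":
        problems.append("security.authorization is not enabled; create users, then restart with --auth")
    return problems


# Constructed config fragments: the weak default beside the hardened form.
WEAK_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_CONF = "net:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
    print(audit_config(WEAK_CONF))      # two problems
    print(audit_config(HARDENED_CONF))  # []
```

Attributing commands to the connection that issued them (the `[connN]` tag) is what lets the triage answer the question in the last tip, who accessed the database, rather than only what happened to it.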

In December 2015, the popular expert and Shodan creator John Matherly found over 650 terabytes of MongoDB data exposed on the Internet by vulnerable databases.

Other notorious cases of open MongoDB databases exposed on the Internet were found by the researcher Chris Vickery. In December 2015 Vickery discovered 191 million records belonging to US voters online; in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records. In March 2016, Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, with details of over 198,000 users.


Pierluigi Paganini

(Security Affairs – databases, hacking)

The post Hacker held open MongoDB databases for ransom appeared first on Security Affairs.

Source: Security affairs