News & Updates

Weston Hecker, a security researcher with Rapid7, has devised a $6 tool to open guest rooms and hack into Point-of-Sale systems.

It is not difficult to imagine that hackers can open a hotel room door, but it is surprising to discover that it is possible to do so with a $6 tool.

Weston Hecker, a security researcher with Rapid7, has devised a cheap and small device that can be used to open guest rooms.

The device has the size of a card deck and can be used also to hack into point-of-sale systems and cash registers.

Last year the popular hacker Samy Kamkar designed a tool dubbed MagSpoof, a cheap gadget (it goes for US$10) that can predict and store hundreds of American Express (AMEX) credit cards and use them for wireless transactions. The tiny gadget is a credit card/magstripe spoofer and can also be used at non-wireless payment terminals; it is composed of a micro-controller, a motor driver, wire, a resistor, a switch, an LED, and a battery.

Now Weston Hecker has started from Kamkar’s MagSpoof and improved on it: the $6 tool, in fact, can read and duplicate keys directly. The tool is also able to launch a “brute force” attack against the door lock in order to guess every room’s key.

An attacker can use the tool to read information from a hotel room key, including the encoded output of its folio number, the hotel room number, and the checkout date.

The hacker could hold the tool close to the card reader and run a brute-force attack by trying every possible combination of the above information. The tool is very fast: it is able to make 48 guesses at a key in just a minute.

“He would then know what data fields needed to be guessed for a key copy to be found,” wrote Thomas Fox-Brewster from Forbes.

“The hacker could then walk up to a hotel room, hold Hecker’s tool close to the card reader, and it would run through every possible combination of those details, before spewing out the encoded data (i.e. the key).”

The device is fast because, compared with Kamkar’s original tool, it uses a few more antennas that work in parallel like a load balancer.

“Think of it as load balancing,” Hecker explained to Forbes. “When one overheats, it moves over to the next one.”

The device could also be used to hack PoS systems: once in their proximity, it is able to inject keystrokes via the magstripe reader.


The F8 key could open the cash register on many PoS systems, but the tool could also be exploited by attackers to force the PoS to visit a website hosting malware that is able to infect the point-of-sale system.

“Hecker started tinkering with hotel key brute force attacks in April, though his techniques were somewhat slower, taking as long as 20 minutes to guess a key. He did, however, discover during that research he could use a cheap Chinese MP3 player to inject credit card numbers into an ATM machine for potential theft.” reported Forbes.

Hecker will present his $6 tool at the DEF CON conference in Las Vegas this week.


Pierluigi Paganini

(Security Affairs – $6 tool, hacking Point-of-Sale)

The post Hacker devised a $6 Tool to hack into hotel rooms and Point-of-Sale systems appeared first on Security Affairs.

Source: Security affairs

An FBI cyber security expert funneled sensitive information about the Bureau to the Chinese government, and now faces years in the jail.

If it can happen to the FBI, it most likely is happening in private industry.  Yesterday, the FBI revealed that it had been the victim of an insider espionage campaign by a Chinese-born electronics technician spying for Beijing.

Kun Shan Chun, a 20-year veteran of America’s top law enforcement agency, pleaded guilty to spying for a Chinese handler, passing an organizational chart and pictures of surveillance technology, in exchange for a lenient sentence – 2 years’ imprisonment.  That probably won’t sit well with many in the FBI or intelligence communities!

According to court documents, Chun had been recruited by a Chinese operative while traveling in Europe in 2011.  Almost immediately, Chun began his espionage campaign including sending the travel patterns of an FBI special agent in exchange for money.

A periodic background check, routine for those holding a US clearance, revealed that Chun had been less than honest about his background and his relationship with Chinese nationals including a close relationship with Zhuhai Kolion Technology, a Chinese tech company.  The company has been accused of bribing Chun with prostitutes. According to its website, Kolion is a manufacturer of printers and photocopiers.

Although rare, insider threats are something the FBI isn’t immune to.  In 2001, the FBI found itself embroiled in an espionage campaign against the agency, again, by one of its own – Robert Hanssen.  Hanssen, a 25-year veteran of America’s top law enforcement agency, was convicted of selling secrets to the then Soviet Union for US$1.4 million in cash and diamonds.  For his trouble, Hanssen was sentenced to 15 life terms without the possibility of parole.  Hanssen, along with Aldrich Ames, who was caught spying for the CIA, are believed to be responsible for major setbacks in US intelligence programs throughout the 1980s, including the capture and execution of US intelligence agents inside the Soviet Union.

The news of Chun’s espionage campaign against the FBI comes on the heels of recent reports by cyber security companies that Chinese cyber espionage has been seen tapering off against US industries.  Though an agreement between President Obama and Chinese President Xi to cease spying against US and Chinese industry may be taking hold, government espionage campaigns against both nations have not subsided and are clearly in play.

Insider threats have become increasingly more disconcerting among government and business alike.

New research released by global management consulting group McKinsey and the World Economic Forum documented that vulnerabilities in technologies are widening, exposing businesses to an overwhelming threat of fraud and cybercrime.  The group concluded that perimeter defenses were insufficient to keep up with the dynamic changes in the threat landscape, but didn’t stop there. Many executives noted that the insider threat problem was as big a risk as external attacks. And why not? The payoffs for corporate espionage can be very lucrative.

Early this year, IBM reported that insider threats were one of 2015’s top cybersecurity trends along with ransomware. In 2014 alone, IBM concluded that 55 percent of all attacks were carried out by insiders.


Taking on the problem of insider threat head on, in July of this year Randy Trzeciak, Technical Manager of the CERT Insider Threat Center, gave a webinar on how to build an effective insider threat program. The seminar focuses on Executive Order 13587, issued by the Obama administration to draw attention to the insider threat problem within US government agencies.  The executive order simply states:

“These structural reforms will ensure coordinated interagency development and reliable implementation of policies and minimum standards regarding information security, personnel security, and system security; address both internal and external security threats and vulnerabilities; and provide policies and minimum standards for sharing classified information both within and outside the Federal Government.”

EO 13587 also makes changes to the National Industrial Security Program (NISPOM), requiring US federal contractors to “…establish and maintain an insider threat program to detect, deter, and mitigate insider threats.” The change requires contractors to institute insider threat awareness training to identify suspicious activity, to allow independent assessments of their program, and establishes reporting requirements.

EO 13587 is not without its critics.  Most importantly: what happens to the contractor when an insider threat is identified, who gets that information, and what ramifications could it have on future contract work with the federal government?  Other critics of the program point out that EO 13587 has been in place since 2011 and did little to prevent insider threats such as Edward Snowden and Chelsea Manning.  I’m sure the debate will continue, but barring any significant change in US policy, federal contractors have until November of this year to get their insider threat programs in place.

It is unlikely the US government is overrun with foreign agents or insider threat actors.  Even in the case of Chun, the process of reopening his background for scrutiny worked well enough to cut off China’s fast track to FBI resources; but this is the federal government, where resources seem endless.

For the past five years, cyber threat intelligence people have done a pretty good job of catching up on the defensive side as they map their strategies to the kill chain, but insider threat adds a completely new dimension, and new headaches, to already overburdened security teams.

For CISOs, questions remain.  Is my security team able to fight the battle on two fronts, outside and inside, and can we afford not to?

Written by: Rick Gamache

Rick Gamache is a freelance writer with 25 years’ experience in the cyber security field. His past work includes Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy’s destroyer program.  Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine, and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate to global supply chains.

LinkedIn – https://www.linkedin.com/in/rick-gamache-cissp-021ab43

Twitter – https://twitter.com/thecissp


Pierluigi Paganini

(Security Affairs – FBI, cyber espionage)

The post The FBI and the reality of the threat within appeared first on Security Affairs.

Source: Security affairs

A single Firefox process. (credit: Roger)

Firefox 48 shipped today with two long-awaited new features designed to improve the stability and security of the browser.

After seven years of development, version 48 is at last enabling a multiprocess feature comparable to what Internet Explorer and Google Chrome have offered as stable features since 2009. By running their rendering engines in a separate process from the browser shell, IE and Chrome are more stable (a webpage crash does not take down the entire browser) and more secure (those separate processes can run with limited user privileges). In order to bring the same multiprocess capability to Firefox, Mozilla started the Electrolysis project in 2009. But the organization has taken substantially longer than Microsoft, Google, and Apple to ship this feature.

Mozilla’s delay was partly driven by changing priorities within the organization—Electrolysis development was suspended in 2011 before being resumed in 2013—and partly because Firefox’s historic extension architecture made this kind of separation much harder to achieve. Traditional Firefox extensions can invasively meddle with parts of the browser, and many assumed equal access both to the rendering engine and to the browser’s shell. Firefox’s developers had to both create a new extension system (they’ve ended up using HTML and JavaScript-based extensions closely related to those pioneered by Chrome and also adopted by Edge) and create shim layers to offer developers a temporary way to continue to support their old extensions.


Source: http://feeds.arstechnica.com/arstechnica/index/

(credit: Björn Láczay)

On Tuesday, investigators in Japan released a report attempting to explain how Japanese automaker Mitsubishi was able to falsify its fuel economy numbers on certain cars sold in Japan. The three-month-long investigation pointed to a “collective failure,” at an executive level, to deal with concerns that employees brought up.

The automaker’s cheating was discovered earlier this year when Nissan, which rebrands some of Mitsubishi’s cars and sells them in Japan, found discrepancies in emissions rates between reported and real-world mileage. Mitsubishi later admitted to having falsified data for more than 25 years, in some cases overstating fuel economy by 16 percent, according to CBS News. Nissan’s discovery crushed Mitsubishi’s share price. Since then, Nissan scooped up 34 percent of Mitsubishi for a bargain $2.2 billion (¥237 billion).

In an unrelated discovery in March, Japan’s Department of Transportation publicly called out Mitsubishi, as well as Toyota and Nissan, for selling diesel cars with higher-than-allowed nitrogen oxide (NOx) emissions in Japan, echoing the scandal that has embroiled Volkswagen since last September in the US.


Source: http://feeds.arstechnica.com/arstechnica/index/

Out of all of Elon Musk’s recent “Master Plan Part Deux,” the part that really caught our eye was a short paragraph about a Tesla semi. Much of the rest—solar, autonomous driving, ride-sharing—wasn’t exactly unforeseen. But the idea of a heavy duty Tesla electric vehicle took us by surprise and left us scratching our heads. Tesla isn’t the only company going after this market; Wrightspeed, Proterra, and BYD are already building heavy duty urban electric vehicles, and Mercedes-Benz is about to enter the fray. The Nikola Motor Company (no connection to Tesla Motors) already has 7,000 orders for a zero-emission heavy duty freight hauler that won’t be revealed until December. To find out if our confusion over the Tesla Semi is unwarranted, we spoke to some of the big players in the heavy duty EV market.

Even though heavy duty vehicles only account for about eight percent of US carbon emissions (light duty vehicles make up roughly 20 percent), Wrightspeed CEO Ian Wright says electrifying that sector makes more economic sense. In fact, Wright doesn’t think the economics work in favor of electric passenger vehicles. “A Nissan Leaf is twice the price of a Versa and you only save $800 a year,” he told Ars, “that’s a 20-year payback time.”

Wright goes on:


Source: http://feeds.arstechnica.com/arstechnica/index/

Crazy 3D dragon, courtesy of Tilt Brush.

Every virtual-reality tester at Ars Technica has a favorite app on either the Oculus Rift or the HTC Vive, especially when it comes to introducing newbies to the format. For my money, Audioshield is the most breathtaking for musically inclined users (and our own Lee Hutchinson might agree), but that rhythm-action game can be too stressful and movement-heavy for casual testing.

Tilt Brush’s new Audio Reactor mode

Now, I have a new feather in my VR-demo cap: Tilt Brush‘s new “Audio Reactor” mode. This update, which was added to the HTC Vive’s best-known paint-sculpting app for free on Tuesday, lets VR creators add PC audio sensitivity to any of the app’s strokes of paint. Certain Tilt Brush creations now react to the rhythm and dynamics of whatever song is being played on your VR computer. This means different types of paint strokes will glimmer or animate in time with the music.

Enabling Audio Reactor’s music feature is a little clunky right now since Tilt Brush has neither its own dedicated MP3 interface nor a convenient YouTube search tool. Currently, you’ll need to alt-tab out of Tilt Brush, turn on your music-playing interface of choice, and make sure it’s playing on Windows’ “default playback device” before switching back to your VR window. Thankfully, Steam includes a music-playing interface in its VR “chaperone” system, but it’s a bit inelegant since it requires going into Steam’s menus.


Source: http://feeds.arstechnica.com/arstechnica/index/

FTC Chief Technologist Lorrie Cranor speaking at PasswordsCon 2016, part of the BSides security conference in Las Vegas.

Shortly after Carnegie Mellon University professor Lorrie Cranor became chief technologist at the Federal Trade Commission in January, she was surprised by an official agency tweet that echoed some oft-repeated security advice. It read: “Encourage your loved ones to change passwords often, making them long, strong, and unique.” Cranor wasted no time challenging it.

The reasoning behind the advice is that an organization’s network may have attackers inside who have yet to be discovered; frequent password changes lock them out. But Cranor, a university professor who focuses on security, found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that’s based more on superstition than hard data wasn’t bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days.

“I saw this tweet and I said, ‘Why is it that the FTC is going around telling everyone to change their passwords?’” she said during a keynote speech at the BSides security conference in Las Vegas. “I went to the social media people and asked them that and they said, ‘Well, it must be good advice because at the FTC we change our passwords every 60 days.’”


Source: http://feeds.arstechnica.com/arstechnica/index/

(credit: Brian Brown)

For many, taking the time to floss every day is a bother. But for dentists, taking the time to properly research flossing over the course of a century is apparently even more inconvenient.

Despite being dentist-recommended since the early twentieth century, researchers have yet to conduct sufficient, reliable studies to support the claim that flossing effectively prevents cavities and gum disease.

This stain on the dental profession was cracked wide open last year when the Associated Press asked federal agencies for the data behind its recommendation that Americans floss. After the AP filed Freedom of Information Act requests, the government admitted that it didn’t have adequate data to back the recommendation—something it is required to have by law.


Source: http://feeds.arstechnica.com/arstechnica/index/

Greetings, Arsians! Courtesy of our partners at TechBargains, we have a bunch of great deals to share today. Anyone looking for a versatile business notebook, take note: you can now get a Dell Latitude 13 7000 2-in-1 notebook for just $499. In addition to having a great three-year warranty, this model features a 1080p IPS touchscreen display, a full-sized backlit keyboard, 128GB SSD, Dell’s data protection suite and TPM, and best of all—no bloatware. Latitudes are very popular business notebooks, and getting a hybrid one like this for such a low price is a deal you don’t want to miss.

Check out the full list of deals below.


Source: http://feeds.arstechnica.com/arstechnica/index/