Street Fighter V Gives Killer Punch to User Security

The latest version of Capcom’s Street Fighter V for Windows includes an update that installs an unpublicized rootkit. The company claims it is intended to prevent players from cheating but its poor design allows any installed software to access the rootkit. It is an open back door to full kernel privileges and provides the capability to take over the user’s machine. A hacker’s dream.

What is a rootkit?

The term Rootkit comes from the Linux world where Root is the equivalent of Administrator in Windows. Users or components with this level of authorization have godlike powers over the device to more or less do anything that pleases them. Kit signifies a toolkit of utilities that can perform a range of tasks as the controller of the rootkit demands.

A rootkit is not necessarily malevolent in itself, but it is generally regarded as a cloak for malware, or at least for potential malware. Hackers use them to conceal their activities and to run stealth applications such as botnet nodes in a DDoS attack, keyboard loggers and spam relays. A decade ago, Symantec, vendor of Norton Utilities, debated the true definition of the term and when rootkits are legitimate.

What happens next?

Capcom tweeted that they are backpedaling on that initiative and rolling back those “security measures”. It is difficult to reconcile the concept of security with the release of such a potentially damaging rootkit and does bring into question the decision making process within the Capcom software engineering division. The action delivered a big negative hit to the company’s reputation.

It’s not the first time that a big-name software vendor has resorted to deploying a form of rootkit as a means to address a legitimate objective. As well as Symantec, Sony was the original offender that brought the issue into public awareness in the first place with its messy music anti-piracy move.


Symptoms of rootkit infection

Because they operate at the lowest level of a device and implement cloaking measures, users may be unaware that a rootkit is present. Symptoms reveal themselves only indirectly, as side effects of the rootkit operating stealthily. Screen components, such as the taskbar or system tray, may disappear. General slowness is a good indicator. Malware that generates network traffic, such as spam relays and DDoS configurations, may cause a user to think that “the Internet is slow today”. There is no one signal that definitively indicates the presence of a rootkit.

How to defend against rootkits

The obvious first step, which all computer users should by now adopt as a normal routine exercise, is to keep anti-virus systems up to date. This presents a difficulty for the older generation, whose devices present a rich picking ground for hackers. However, once installed, all anti-virus applications automatically check for and install the latest updates.

More security conscious users will find a variety of rootkit detection and removal tools online to add an extra layer of defense. The quandary is – just because the tool detects the rootkit while it is running, can it identify the source in a corrupted firmware module, for example? Malware rootkit authors are extremely clever and ingenious in devising the mechanisms to install and launch their tools. Rootkits come in a wide variety of guises and the only sure way to remove them is to strip the device and start with a clean software build.

Yahoo 2014 Security Breach Exposes the Harsh Reality of Internet Security

Yahoo suffered a major security breach, affecting hundreds of millions of users – but we only found out about it 2 years later. This incident, combined with the 2012 DropBox breach, demonstrates the harsh reality of internet security: most breaches either go undetected, or unreported, for years.

The background to Yahoo’s security breach

Yahoo is the latest major player to reveal a previous hacking security breach and theft of user data. What the company describes as a “state-sponsored actor” stole 500 million user details in 2014. Yahoo has not yet revealed which state is under suspicion, how it came to this conclusion, or the mechanism used to breach security.

The Recode website was first to publish the story on Sep 22 and later that day Yahoo confirmed the news on its Tumblr site. It follows hot on the heels of the recent Dropbox revelation that almost 70 million encrypted user access credentials were hacked and stolen in 2012. Dropbox has only now disclosed the extent of that breach. The Yahoo incident has implications for the proposed $4.8 billion Verizon takeover of Yahoo. Disgruntled users may launch a class action suit that could impact Yahoo’s balance sheet and depress the stock.


What happened?

The stolen data is reported to consist of passwords hashed using the bcrypt algorithm. The hacker also took user names and personal information, including birth dates, phone numbers, email addresses and both unencrypted and encrypted security questions and answers. A reputed cybercriminal named Peace offered the data for sale on an underground website, which brought the incident to light. The intruder did not access more sensitive data such as bank and credit card details, which are stored in a different system.


What happens next?

Yahoo says they issued an alert email to all impacted users, prompting them to change any passwords that they have not amended since 2014. They also urge users to consider using a stronger authentication method than mere passwords. Yahoo also disabled all unencrypted security questions and answers.

Even though the stolen data is relatively innocuous in itself, it poses risks to users that are much greater than simply having their email accounts hacked. Criminals use this information to attempt other hacking attacks. They may also attempt to access an individual’s network of contacts for phishing and social engineering scams.


What can users do about it?

While Yahoo and other online service providers make strenuous efforts to protect data, the lessons for us users are clear. We really do need to learn and utilize stronger account authentication measures. This self-discipline need not cost a penny, but inertia holds us back.

There is still a large number of Internet users, including seasoned IT pros who should know better, who re-use the same favorite passwords over and over for multiple online accounts. Hackers know this all too well. They use known passwords to attempt to break into other accounts. This opens avenues for exploiting financial information and possible bank account or credit card fraud.

As well as using stronger passwords that free password generator services provide, we need to consider options such as two-step authentication. Many online services offer this in an effort to reduce and prevent unauthorized access and hacking. There are both free and paid password manager services that will store strong passwords that may be impossible to memorize. Many will automatically fill in the details when you visit a website and are asked to sign in.

Whichever option we choose to take, we must take action to improve our online protection. Break-ins like these will inevitably happen again despite the best efforts of the service providers. Doing nothing is no longer an option.

Leonia AG Lost €40 Million ($45M) to Whaling Phishing Scam

Leonia AG is a 100-year-old company headquartered in Nuremberg, Germany, and is a global supplier of wiring systems and cable technology with 76,000 employees in 32 countries and a market cap of €1,015 Million ($1,140 M) listed on the Frankfurt stock exchange.

Yet this behemoth fell prey to a fairly simple spoof email scam in August that cost them €40 Million cash ($45 M) and has unsurprisingly resulted in a profit warning.

The company reported that fraudsters used fake emails and identities to target one individual in a successful attempt to transfer funds from a company bank account to an account controlled by the fraudsters. They picked a factory in Romania, the only one of the four in that country authorized to handle international money transfers. The spoof emails purported to come from a senior director in Germany and apparently were accepted without question by the officer in Romania.

Whaling is the term used for the type of phishing scam that targets just one individual in a corporation. In order to succeed, the fraudsters carry out in-depth investigation of the company, its mode of operation, styles of communication, security capabilities as well as the target victim’s roles, responsibilities, staff and so on. Whether or not insider assistance was involved is not known at this point but the required information can be obtained and pieced together by clever and patient fraudsters who may use social engineering to ferret out small elements of the overall picture, which may appear innocuous in isolation.

To achieve this level of sophistication, fraudsters often create domain names that are so close to the real company’s domain name that a quick glance does not detect the slight name difference. An email coming from that fake domain, formatted in an identical manner to genuine emails, with similar language style and so on, can easily be accepted as the genuine article.

The core of the problem is that the fatal email was accepted as being genuine without question. The fraudsters invested time and expertise in investigating Leoni AG. Con artists have been honing their email phishing skills for well over 20 years and many have perfected their technique to the extent that their fraudulent emails and other identification instruments are instantly accepted by the victims. Fraud has always moved with the times but the public has usually been slow to cotton on. These attacks have been on the increase, according to reports following a similar attack last year.

What precautions can we take to safeguard against this type of scam?

1. Watch out for email ID with fake domain names. For example, if the official Leonia AG domain is @leoniaag.com, fraudsters might use similar domain names such as @leoniag.com to phish victims.

2. If you receive an email requesting financial transactions, pick up the phone and call the person. Never enter sensitive information into pop-up browser windows.

3. Use an anti-phishing and anti-spam service. It’s easier to get caught when you’re focusing on mission-critical business operations and can’t spare a moment to double check authenticity of the email senders. Security solutions will make your life easier.

4. When you must click through a link, hover the mouse over the link and see the actual URL – bottom right of the browser if you’re using Chrome. Make sure the links you need to access are valid and secure. Check for the HTTPS certificate. Don’t click shortened URLs.

5. Educate employees on all levels to ensure that they are security aware and up to date with latest phishing threats, prevention practices and solutions.

6. Make sure the attachments are valid and secure before downloading.
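The first precaution above, spotting a fake domain name, is one that mail filtering can help with. The following is an added example (not code from the original post, and not from Leoni AG) that flags sender domains which are a small edit away from a trusted domain, or that reuse the trusted name as a prefix of some other domain. The trusted domain and the first lookalike reuse the article’s own illustration (leoniaag.com versus leoniag.com); the other sample addresses, the TRUSTED_DOMAINS set and the distance threshold are constructed for the example.

```python
"""Flag sender domains that look like, but are not, a trusted corporate domain.

Added example, not code from the original post or from Leoni AG. The trusted
domain and the first lookalike reuse the article's own illustration
(leoniaag.com vs leoniag.com); the other sample addresses and the distance
threshold are constructed for this example.
"""

# Assumed trusted domain(s) for the organisation (illustrative).
TRUSTED_DOMAINS = {"leoniaag.com"}

# Constructed sample sender addresses; the comment gives the expected verdict.
SAMPLE_SENDERS = [
    "director@leoniaag.com",                   # genuine
    "director@leoniag.com",                    # one letter dropped
    "director@leoniaag.co",                    # top-level domain truncated
    "director@leoniaag.com.example-mail.net",  # trusted name as a prefix of another domain
    "newsletter@example.org",                  # unrelated
]


def levenshtein(a, b):
    """Edit distance: minimum insertions, deletions and substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unrelated' for one e-mail address."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain in trusted:
        return "trusted"
    labels = domain.split(".")
    for t in trusted:
        # Small edit distance to a trusted domain: dropped, added or swapped characters.
        if levenshtein(domain, t) <= max_distance:
            return "lookalike"
        # Trusted name reused as a label inside a longer, untrusted domain.
        if t.split(".")[0] in labels:
            return "lookalike"
    return "unrelated"


def triage(addresses):
    """Map each address to its verdict; anything not 'trusted' deserves a phone call."""
    return {addr: classify_sender(addr) for addr in addresses}
```

A verdict of “lookalike” is a reason to pick up the phone (precaution 2), not a proof of fraud; a short trusted domain with a threshold of 2 will also match some unrelated domains, so tune max_distance to the length of your own domain and review the hits rather than blocking on them automatically.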

It does appear unusual that an officer of a company would execute such a huge financial transaction on the basis of one email alone. One might expect some basic security countermeasures, such as at least a phone conversation with the authorizing director, or a second authorization such as when corporate checks are cut. Such sheer common sense precautions are easy to implement.

Phishing and social engineering are now so commonplace that security firms offer training courses for company staff, educating them on how to recognize the likely warning signs of a scam. Corporations have no excuse for not engaging in at least an awareness program but, no doubt, some will only realize that when it is too late.

Tesla Remote Hack: Passengers Exposed to Frightening Risks

In the midst of all the hype surrounding next-gen automobile capabilities featured on Tesla vehicles, the company receives its share of bad press when something goes wrong with a sci-fi Tesla feature. Last week was no different, when one Shanghai-based Internet security firm demonstrated vulnerabilities in the Tesla software and performed unauthorized remote control on Tesla cars.

What is startling about these latest exploits is the range of actions that hackers managed to trigger remotely, some while the car was in motion, and one from 12 miles distant.

Here’s what the white hat hackers at Keen Security were able to achieve:

  1. On the research car when parked up, they remotely operated the sunroof, the indicator lights and adjusted the position and vertical tilt of the car seat.


The team claimed they had researched several Tesla models and, to demonstrate that claim, they exploited a brand new Tesla S75D to which they had not previously had physical access.

  2. While parked up and switched off, with the driver searching for the nearest charging station, the team remotely took control of the system using a laptop and planted a hacked message on the display consoles to prove the point. The driver was unable to regain use of the screens. Then they unlocked the driver’s door remotely, from the laptop.


The more alarming exploits were demonstrated on the vehicle while it was in motion.

  3. From a laptop inside the car, the security researcher was able to switch on the windscreen wipers. Then indicator control was hacked during a lane change maneuver and the researcher was able to fold the wing mirror closed.


A vivid visual came next, again while the car was in motion.

  4. From the laptop, the researcher was able to unlock the trunk, which flew open in an abrupt and startling manner when viewed from inside the vehicle.


The final demonstration was the most unsettling. While the previous exploits were amusing and in the parlor game category, none of them could be considered life threatening to other road users.

  5. From an office 12 miles away, the researcher was able to remotely activate the emergency stop brake on a moving car. The effect was quite dramatic on the occupants. It was a fitting finale to an extremely interesting demonstration.


Connected cars loaded with automated functionality have already become commonplace in the world of automobile research and development. Drivers are relieved of mundane tasks that otherwise keep them engaged in a traditional car, which means that Tesla drivers are not always in full control of their machines. The recent exploits therefore pose an extremely high risk to Tesla passengers. The security research firm, Keen Security, published a blog article and video detailing their exploits.

It should be noted that it took the Keen Security team many months of focused investigation to uncover the secrets for these contactless remote access exploits. However, it’s not the first time such exploits have been discovered.

Last year, a Tesla was exploited via its entertainment system and there were previous exploits before that. The general consensus is that the Tesla software is now very difficult to crack and that can only be a good thing. Tesla has already updated the firmware and owners are urged to download it as a matter of urgency. Not that your average computer geek will be easily able to uncover exploits. The guys at Keen Security are the crème de la crème of geekdom in that they dedicate 12 hours a day to their chosen career and insist that they work only on the side of the angels.

The best solution for now: Update the Tesla software with (some) patches to these vulnerabilities.

MIT Researchers Devise TOR Alternative That’s 10x Faster

Tor (The Onion Router) is now 14 years old and the biggest bugbear that users consistently moan about is speed. Riffle is proclaimed to deliver significant advances in anonymity technology, which includes both more reliable anonymity as well as being 10 times faster than Tor. It is the new anonymity joint development by MIT and the École Polytechnique Fédérale de Lausanne. Riffle is still at the prototype stage and quite a way from becoming commercially available. Two applications have been developed, for microblogging and for file sharing.

Riffle’s approach uses multiple technologies, none of which are new, but they are layered and interact in a way that has not been done before. The overall effect is that messages are split and packets are delivered in a random sequence that is computed in advance (hence the riffle, or shuffle) and is verified at the receiving end so that the message is reassembled.

The claim for greater security of anonymity is based on Tor’s known susceptibility to hacking by introducing rogue code and predefined messages onto a node, one of its estimated 4,500 network servers. As the servers are owned and maintained by volunteers, the possibility of introducing a malicious node is obvious. The known messages can then be tracked through the network. Riffle’s architecture uses an anytrust model, which means that, so long as just one single node remains uninfected, network security is not compromised.

At its core, Riffle uses a Mixnet, a small number of networked servers, to perform the message shuffle. Unlike Tor, where messages are sent in a linear sequential manner from one node to the next, the first thing Riffle does is to send the messages to all servers in the Mixnet where a new hybrid “verifiable shuffle” of the already split message components is performed, which also creates a mathematical proof. This proof can be used to validate that the message has not been modified and protects from malicious interference with the Mixnet system.

The network nodes use shared private-key encryption, which in turn depends on authenticated encryption, used in conjunction with the onion-layer model of successive layers of message data. Each node receives its authenticated private key. This process renders the packets effectively indecipherable except to the network nodes, where each layer is stripped to reveal the encrypted routing directions for the next node. Messages are retrieved by the receiving party using Private Information Retrieval (PIR) to further assist with client anonymity.
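To make the layering, stripping and shuffling concrete, here is an added toy simulation (not code from the Riffle project, MIT or EPFL). It assumes each mixnet server already shares a symmetric key with the client (Riffle sets these up with a hybrid scheme, which is omitted here), and it stands in a SHA-256 keystream with an HMAC-SHA256 tag for a real authenticated cipher. The messages, keys and permutations are constructed. The candidate_origins function illustrates the anytrust property from the previous paragraph: if even one server’s permutation stays secret, every input is a possible origin for every output slot; tamper_is_detected shows a modified layer being rejected at the next hop. It also omits the verifiable-shuffle proof itself, which is the part of Riffle that lets the other servers check the shuffle rather than merely trust it.

```python
"""Toy simulation of the layered encryption and per-server shuffle described above.

Added example, not code from the Riffle project or its authors. Assumptions:
each mixnet server already shares a symmetric key with the client; the "cipher"
is a SHA-256 keystream XOR with an HMAC-SHA256 tag, standing in for a real
authenticated cipher; messages, keys and permutations are constructed.
"""
import hashlib
import hmac
import os
import random
from itertools import permutations


def keystream(key, nonce, length):
    """Counter-mode keystream over SHA-256 (toy stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt then authenticate one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Check the tag, then strip one layer; any modification is rejected here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer authentication failed: message was modified")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def wrap(message, server_keys):
    """Client side: innermost layer for the last server, outermost for the first."""
    blob = message
    for key in reversed(server_keys):
        blob = seal(key, blob)
    return blob


def mix(batch, key, perm):
    """One server: strip its layer from every item, then reorder by its secret permutation."""
    stripped = [unseal(key, item) for item in batch]
    return [stripped[i] for i in perm]


def run_mixnet(messages, server_keys, perms):
    """Push a batch through every server in turn; returns the shuffled plaintexts."""
    batch = [wrap(m, server_keys) for m in messages]
    for key, perm in zip(server_keys, perms):
        batch = mix(batch, key, perm)
    return batch


def compose(perms):
    """Overall mapping: output slot k holds input compose(perms)[k]."""
    order = list(range(len(perms[0])))
    for perm in perms:
        order = [order[i] for i in perm]
    return order


def candidate_origins(known_perms, slot):
    """Anytrust: with the first server's permutation unknown (but the later ones
    known), which inputs could have ended up in output `slot`? All of them."""
    n = len(known_perms[0])
    return {compose([list(p)] + known_perms)[slot] for p in permutations(range(n))}


def tamper_is_detected(server_keys):
    """Flip one ciphertext byte of the outer layer; the first server must reject it."""
    blob = bytearray(wrap(b"hello", server_keys))
    blob[20] ^= 0x01  # byte 20 lies inside the outer layer's ciphertext region
    try:
        unseal(server_keys[0], bytes(blob))
    except ValueError:
        return True
    return False


def demo(seed=7, n_messages=5, n_servers=3):
    """Constructed batch of messages through a small mixnet; returns inputs, keys, perms, output."""
    rng = random.Random(seed)
    messages = [b"msg-%d" % i for i in range(n_messages)]
    keys = [os.urandom(32) for _ in range(n_servers)]
    perms = []
    for _ in range(n_servers):
        p = list(range(n_messages))
        rng.shuffle(p)
        perms.append(p)
    return messages, keys, perms, run_mixnet(messages, keys, perms)
```

Running demo() gives back the same set of plaintexts in an order that matches compose(perms), which is the point: the final order is a function of every server’s secret permutation, so a single honest server is enough to hide who sent what.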

The 10x speed enhancement over Tor has been measured in independent tests. Riffle’s approach of the verifiable shuffle and PIR makes compute and bandwidth efficiencies that add up to a significantly faster throughput than what Tor can achieve.

At this early stage, the future for Riffle is still unclear. The security community will take it to pieces to fully test its potential and further validate (or disprove) its heightened security claims. If proven, it will no doubt be welcomed by Internet users living under oppressive regimes where staying alive can depend of total anonymity in Internet terms. Its speed alone may position it as “the new Tor” and see it take over the mantle of the most popular anonymity technology. Right now, it’s a watch and wait brief to observe its progress from prototype to something tried and trusted.

Four-Year-Old DropBox Hack Comes Back to Haunt

It’s hard to believe that Dropbox is almost 10 years old. It seems to have been around forever. It’s now a $10 billion cap corporation and as close to being a household name as something as mundane as data storage can get for an operation.

The numbers are staggering. Almost 500 million of us use it or have used it at some point. That means a major chunk of social responsibility for Dropbox to maintain the robust and impenetrable security required and expected by all us users. But they dropped the ball back in 2012. Security was penetrated and some 68+ million email addresses and hashed (scrambled) passwords were stolen. Fortunately, the repercussions have not been as bad as they could have been because of the scrambled nature of the passwords.

Dropbox advised users to change their passwords at the time but PR and reputation damage limitation now seems to have been uppermost on the priorities list. Last week, four years later, we are told that 60 million users were affected.

The thing is that all of us regular consumers who use online services of any description still have the mentality of the free Internet. We really don’t like paying very much and we are astounded if the service is not rock solid and utterly professional for our $5/mth or whatever.

Many of us, even hardened IT veterans, have not taken on board the vital necessity of using strong, secure passwords. The “it happens to other people, not to me” mentality is deadly because when it does happen, the impact can be scarily bad. I wonder how many people use Dropbox as their automatic backup for their laptops and devices? And of those, how many keep confidential documents like passport scans and bank account details (yes, even passwords too) in a Notepad file. Everything is probably replicated at Dropbox and, over time, users can forget that fact and forget that the security of their data has a massive dependency on an outside agent that is under constant security attack.

The incident at Dropbox stemmed from one user whose email account was hacked. The intruder then managed to locate and retrieve four files that contained the data. The lesson here is that every touchpoint with the outside world is a potential vulnerability. Every corporation invests significantly in security expertise but the defenders have to win 100% of the time 24/7/365. The attackers need to get lucky only once. And passwords with their very human creators and maintainers are still one of the weakest links.

Enterprises do instigate password security processes, such as encouraging users to change passwords frequently. However, users typically access a number of different applications, each of which requires a password, so the temptation to take the convenient route of weak but memorable passwords and reusing them is a constant. It is the individual that needs to change, and changing one’s habits is not something that can be done without an internal driver. That driver does not exist for too many of us.

Dropbox has moved to restrict the downside from the incident. It encourages users to adopt their two-step authentication process, which is a must-do no-brainer for any users of the service who have been made aware of it. Dropbox and their user base were lucky on this occasion because the stolen passwords were salted (obfuscated with a secret text string) before hashing, which means that cracking them is unlikely. However, they are now out there and may be cracked one day. Therefore any reuse of a password that was used for a Dropbox account should be changed immediately.
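Why salting before hashing makes the stolen Dropbox data (and Yahoo’s bcrypt hashes in the post above) so much harder to exploit in bulk is easy to show in code. The block below is an added example, not code from Dropbox or Yahoo: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, stores a fresh random salt alongside each hash, and contrasts that with an unsalted fast hash where two users who share a password share a hash. The user names and passwords are constructed.

```python
"""Salted, deliberately slow password hashing, and why it limits the damage
from a stolen credential database.

Added example, not code from Dropbox or Yahoo. Yahoo reported bcrypt hashes and
Dropbox salted-then-hashed passwords; this example uses PBKDF2-HMAC-SHA256 from
the standard library as a stand-in, since bcrypt is not in the standard library.
The user names and passwords below are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor; raise it as hardware gets faster

# Constructed sample user database (plaintext only so the example can enrol them).
SAMPLE_USERS = {"alice": "Summer2014", "bob": "Summer2014", "carol": "correct horse battery"}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def salted_hashes_differ(password):
    """Same password enrolled twice: the salts differ, so the stored hashes differ,
    and a precomputed table for one hash says nothing about the other."""
    return hash_password(password) != hash_password(password)


def unsalted_sha1_groups(user_passwords):
    """Contrast: with a fast unsalted hash, users sharing a password share a hash,
    so one lookup-table hit exposes all of them at once."""
    groups = {}
    for user, pw in user_passwords.items():
        groups.setdefault(hashlib.sha1(pw.encode()).hexdigest(), []).append(user)
    return groups
```

The per-guess cost is the iteration count: a thief holding the salted, slow hashes has to pay that cost for every guess against every user, whereas the unsalted_sha1_groups output shows alice and bob collapsing onto one hash that a single table lookup would crack. The salt only slows the thief down, though; it does not save a password that is itself weak or reused, which is why the advice above to change any reused Dropbox password still stands.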

It goes to show that, as users of Internet services, we simply must take nothing for granted. Any service is a potential victim of a security breach.

If we truly want to create a virtual Fort Knox for our critical and sensitive data, images, plans, or anything else that is in digital format – the best way (and according to many experts, the only way) is to encrypt the data and hold those encryption keys ourselves. Stay tuned for some announcements from us at Scram Software on how we’ll make it easy for you to do exactly that.

China Bolts Ahead to Pioneer Secure Quantum Communication

Image Source: commons.wikimedia.org

China launches the world’s first quantum communication satellite to battle cybercrime. Researchers believe the Quantum Experiments at Space Scale (QUESS) spacecraft with quantum communication capabilities will revolutionize cybersecurity and possibly eliminate risk of intercepting digital communication. Quantum research has enabled unprecedented new ways to transmit digital information without succumbing to cyber-attacks.


China Leads the Quantum Race

China is regarded as a key player in the game of state-sponsored warfare – both as a victim and an attacker. Accusations against the country fuel the journalistic fodder and tend to obscure any threat vectors facing digital communications in China. At the same time, strong economic growth and foray into digital innovation makes China a prime target for financially motivated cybercriminals.

China looks to leapfrog competition and pioneer quantum communications as a true enabler of secure digital data transmission. The country is treating quantum research as a top strategic focus with a multi-billion-dollar endowment to establish sophisticated security capabilities. In 2015 alone, the Chinese government allocated $101 billion for basic quantum research. In comparison, the US allocates only $200 million per year.


Why Quantum Communications?

Traditional communication systems use radio signals to transmit data. The digital information is encoded into radio waves that can be intercepted and decoded to retrieve original information. Despite strong encryption and security protocols, sophisticated cyber-attacks effectively intercept traditional satellite radio transmission.

Quantum cryptography is a hot topic in the world of cybersecurity. The technique exploits quantum mechanics to yield hack-proof digital encryption. The quantum communication satellite transmits digital information in the form of entangled photons generated by a quantum crystal. The beam of photons is considered as hack-proof because any interception would alter the quantum state of photons and scramble the encoded messages.

Don’t worry if it all sounds very confusing. Scientists and researchers all over the world are rushing to understand how this stuff works, and China is the only country that has developed a 1400 lb. satellite to bring this concept to reality. Even China has a long way to go before quantum communications is adopted as the primary medium for digital data transmission. The satellite, nicknamed “Micius” after a 5th-century B.C. Chinese scientist, is aiming for even greater technological breakthroughs. During the two-year mission, QUESS will also test out the concept of quantum teleportation.


Are You Secure Enough?

Organized cybercrime rings compromise data during transit, before you get the chance to secure it. Traditional data transmission systems are prone to interception. Your organization may not be prepared to battle state-sponsored warfare – and it shouldn’t have to, in the first place. Yet, your organization can unexpectedly get caught in the line of fire and facing the attacks head-on is a sure-fire way to lose the battle of cybersecurity.

Until quantum communications becomes a standard for data transmission, the least you can do is to follow current best practices. Leverage private networks and strong encryption protocols to secure your data in transit. End-to-end encryption and encrypting data at rest are two practices we enable with the software we’re developing here at Scram.

On the bright side, when quantum communication becomes the norm, we can look forward to a hack-proof cyber world where all of your data is invulnerable during transmission.