[ISN] Aloha point-of-sale terminal, sold on eBay, yields security surprises

http://news.techworld.com/security/3531445/aloha-point-of-sale-terminal-sold-on-ebay-yields-security-surprises/

By Jeremy Kirk
Techworld.com
18 July 2014

Matt Oh, a senior malware researcher with HP, recently bought a single Aloha point-of-sale terminal


[ISN] Treasury’s New Focus on Cyber-Risks

http://www.bankinfosecurity.com/treasurys-new-focus-on-cyber-risks-a-7068

By Tracy Kitten
Bank Info Security
July 17, 2014

Treasury Secretary Jacob Lew this week took the precedent-setting step of publicly addressing what he referred to as the financial system’s cybersecurity shortcomings. Lew’s comments were noteworthy because they apparently mark the first time a member of the Treasury Department has directly addressed cyber-risks. Lew’s remarks about the need for banking institutions, retailers and all other parties involved in financial services to make cybersecurity, and cyberthreat information sharing, a top priority could signal a policy shift for the Treasury, says Tom Kellermann, chief cybersecurity officer at Trend Micro. “This is the first time a Secretary of Treasury has made such a declaration,” Kellermann says. “The regulators and bank examiners will now become much more proactive in their roles.” Point-of-sale attacks against major retailers, including Target Corp., Neiman Marcus and retail crafts store chain Michaels, illustrate why cyberthreat information sharing is needed to adequately protect the country’s critical infrastructure, Lew noted during the Delivering Alpha conference hosted July 17 by cable news station CNBC and global financial magazine Institutional Investor. […]



[ISN] Why ‘123456’ is a great password

http://www.csoonline.com/article/2455088/identity-access/why-123456-is-a-great-password.html

By Antone Gonsalves
CSO Online
July 17, 2014

New research shows that “123456” is a good password after all. In fact, such credentials, useless from a security standpoint, have an important role in an overall password management strategy, researchers at Microsoft and Carleton University, Ottawa, Canada, have found. Rather than hurt security, proper use of easy-to-remember, weak credentials encourages people to use much stronger passwords on the few critical sites and online services they visit regularly. “Many sites ask for passwords, but they require no security at all,” Paul C. Van Oorschot, a Carleton professor and a co-author of the research, said. “They basically want to get the email address to contact you, but there’s nothing to protect.” Strong passwords would be more likely to be adopted if people learned to use them only on critical accounts, such as employer websites, online banking and e-commerce sites that store the user’s credit card number. To be effective, this group should be small. […]



[ISN] Chinese Collegiate Hacking Team Hacks The Tesla Model S, Well Sort Of…

http://www.infosecnews.org/chinese-collegiate-hacking-team-hacks-the-tesla-model-s-well-sort-of/

By William Knowles @c4i
Senior Editor
InfoSec News
July 18, 2014

A team of Chinese collegiate hackers attending the Symposium on Security for Asia Network conference in Beijing has succeeded in breaking into the software used in electric cars made by Elon Musk’s Palo Alto, California-based Tesla Motors. The South China Morning Post is reporting that a team from Zhejiang University was awarded 10,600 yuan [approximately $1707.34 USD] by the SyScan 360 Conference, held July 16th and 17th, 2014 at the Beijing Marriott Hotel Northeast in Beijing, China, where attendees were invited to hack into a Tesla Model S. SyScan 360 organisers said on Friday: “Tesla Software Hack Challenge ended with team “yo”, from ZheJiang University, coming in first overall and winning 10,600 Yuan in prize money. No team succeeded in the mission of hacking Tesla’s door and engine within the timeframe of the challenge. Therefore, no one received the grand prize of $10,000 USD.” Tesla had said it welcomed news of any vulnerabilities discovered as a result of the hacking competition. “We support the idea of providing an environment in which responsible security researchers can help identify potential vulnerabilities,” the company said on Wednesday. […]



[ISN] How Russian Hackers Stole the Nasdaq

http://www.businessweek.com/articles/2014-07-17/how-russian-hackers-stole-the-nasdaq

By Michael Riley
Businessweek.com
July 17, 2014

In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq (NDAQ). It looked like malware had snuck into the company’s central servers. There were indications that the intruder was not a kid somewhere, but the intelligence agency of another country. More troubling still: When the U.S. experts got a better look at the malware, they realized it was attack code, designed to cause damage.

As much as hacking has become a daily irritant, much more of it crosses watch-center monitors out of sight from the public. The Chinese, the French, the Israelis—and many less well known or understood players—all hack in one way or another. They steal missile plans, chemical formulas, power-plant pipeline schematics, and economic data. That’s espionage; attack code is a military strike. There are only a few recorded deployments, the most famous being the Stuxnet worm. Widely believed to be a joint project of the U.S. and Israel, Stuxnet temporarily disabled Iran’s uranium-processing facility at Natanz in 2010. It switched off safety mechanisms, causing the centrifuges at the heart of a refinery to spin out of control. Two years later, Iran destroyed two-thirds of Saudi Aramco’s computer network with a relatively unsophisticated but fast-spreading “wiper” virus. One veteran U.S. official says that when it came to a digital weapon planted in a critical system inside the U.S., he’s seen it only once—in Nasdaq.

The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger. A crisis action team convened via secure videoconference in a briefing room in an 11-story office building in the Washington suburbs. Besides a fondue restaurant and a CrossFit gym, the building is home to the National Cybersecurity and Communications Integration Center (NCCIC), whose mission is to spot and coordinate the government’s response to digital attacks on the U.S. They reviewed the FBI data and additional information from the NSA, and quickly concluded they needed to escalate. Thus began a frenzied five-month investigation that would test the cyber-response capabilities of the U.S. and directly involve the president. Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. “We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is,” says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. “The bad news of that equation is, I’m not sure you will really know until that final trigger is pulled. And you never want to get to that.” […]



[ISN] Even Script Kids Have a Right to Be Forgotten

http://krebsonsecurity.com/2014/07/even-script-kids-have-a-right-to-be-forgotten/

By Brian Krebs
Krebs on Security
July 18, 2014

Indexeus, a new search engine that indexes user account information acquired from more than 100 recent data breaches, has caught many in the hacker underground off-guard. That’s because the breached databases crawled by this search engine are mostly sites frequented by young ne’er-do-wells who are just getting their feet wet in the cybercrime business. Indexeus boasts that it has a searchable database of “over 200 million entries available to our customers.” The site allows anyone to query millions of records from some of the larger data breaches of late — including the recent break-ins at Adobe and Yahoo! — listing things like email addresses, usernames, passwords, Internet addresses, physical addresses, birthdays and other information that may be associated with those accounts. Who are Indexeus’s target customers? Denizens of hackforums[dot]net, a huge forum that is overrun by novice teenage hackers (a.k.a. “script kiddies”) from around the world who are selling and buying a broad variety of services designed to help attack, track or otherwise harass people online. Few services are as full of irony and schadenfreude as Indexeus. You see, the majority of the 100+ databases crawled by this search engine are either from hacker forums that have been hacked, or from sites dedicated to offering so-called “booter” services — essentially powerful servers that can be rented to launch denial-of-service attacks aimed at knocking Web sites and Web users offline. […]



[ISN] Cyber cold war likely to continue

http://www.chinadaily.com.cn/opinion/2014-07/18/content_17830716.htm

By Colin Speakman
China Daily
2014-07-18

Tensions are growing amid claims and counter-claims of cyber espionage by the United States and China. Even the just concluded Sino-US Strategic and Economic Dialogue in Beijing couldn’t ease the tensions. In May, the US charged, albeit without evidence, five Chinese nationals with breaking into US companies’ systems and stealing trade secrets, and called them “military hackers”. On July 11, US Department of Justice officers arrested a Chinese national, Su Bin, for “working with hackers in China” to infiltrate US companies’ networks and steal valuable data on military technology. Su is the owner of Chinese aviation technology company Lode Tech and has been accused of working with two co-conspirators in China to break into the computers of Boeing and other US defense contractors.

Raising tensions further, Fox News’ Bob Beckel, who hosts The Five program, said: “Chinese are the single biggest threat to the national security of the US. Do you know what we just did? As usual, we bring them over here and teach a bunch of Chinamen, uh, Chinese people, how to do computers, and then they go back to China and hack us.” His remark has been strongly criticized by many, including Chinese Americans, with California State Senator Ted Lieu demanding Beckel’s immediate resignation. Lieu has said that Americans “should all be alarmed by the racist, xenophobic comments”. Alarming it is indeed, as The Washington Post recently noted that “the US-China relationship is facing its stiffest test since then US president Richard Nixon traveled to Mao Zedong’s China in 1972”, and German Chancellor Angela Merkel again expressed serious concern over the US-sponsored hacking into confidential German data. If the US cannot trust its Western allies, how can it trust China, a country it openly admits to be in a competitive relationship with?
China, too, is stepping up its security protection against US surveillance. In May it announced that the Central Government Procurement Center had mandated all “desktops, laptops and tablet PCs purchased by central State organizations must be installed with OS other than Windows 8”. The Chinese media have painted Microsoft, Apple, Facebook, Google, Yahoo and other IT giants as pawns of the US National Security Agency, claiming that foreign technology service providers such as Google and Apple can become cybersecurity threats to Chinese users. That’s why it looked like a retaliatory move when China’s State-run television told iPhone owners that the device is a threat to national security because it tracks users’ movements. The warning was that iOS 7’s “frequent locations” app, which records places users have been to and the time they spend there, can help the IT giant obtain sensitive information, including State secrets. Apple has explained the app’s functionality as designed to learn important locales to provide pre-emptive information, such as directions to a frequently patronized restaurant or the estimated commute time to work. However, Chinese concerns are that Apple’s mobile phone positioning can view users’ addresses and whereabouts, because information will be recorded even if the app is turned off. From this app, someone can get a cell phone user’s occupation, place of work, home address and then obtain all other relevant information on him/her. It is understandable that such permitted culling of information would raise concerns after the “Snowden Effect” – many US technology companies’ relations with foreign governments, including China’s, have come under scrutiny and many big service providers asked the NSA to drastically change its policies before the surveillance program further harms their businesses. Apple is one of the companies at the forefront of this risk. 
In the first quarter of 2014, Apple said revenue from the “Greater China” region, which included the mainland, Hong Kong and Taiwan, accounted for 20 percent of its total sales, up 13 percent year-on-year. The question is: Will the future see a shutting out of potentially useful US technological advances in China as a response to the lack of trust and dearth of knowledge on what these technologies could be used for? Each side accuses the other of cyber espionage and each side views itself as a victim. China rightly cites the NSA scandal, which revealed widespread surveillance by US intelligence agencies on not only US citizens but also governments and companies worldwide, including Chinese companies. The US, on its part, continues to accuse China of using cyber warfare to steal confidential information, trade secrets and data of national importance. Since most countries engage in some form of spying and can justify it in terms of national interest, a protocol on cybersecurity and boundaries of invasive behavior should be put in place. Unfortunately, such a possibility seems a long way off. At the next Strategic and Economic Dialogue, therefore, a new formula should be brought to the table, and perhaps the economic benefits of cooperation should be allowed to drive the agenda. But whatever is agreed, spying will take place. In some form, the cyber cold war is likely to continue.

The author, an economist and international educator, is director of China Programs at CAPA International Education, a US-UK based organization that cooperates with Capital Normal University and Shanghai International Studies University.

