[ISN] Thousands Of People Oblivious To Fact That Anyone On The Internet Can Access Their Computers

http://www.forbes.com/sites/kashmirhill/2014/08/13/so-many-pwns/

By Kashmir Hill
Forbes Staff
8/13/2014

There are technologists who specialize in “scanning the Internet.” They are like a search team making its way through a neighborhood, but instead of checking the knob of every door, they check Internet entrances to online devices to see which ones are open. These people have been screaming for some time that there is a lot of stuff exposed on the Internet that shouldn’t be: medical devices, power plants, surveillance cameras, street lights, home monitoring systems, and on and on. But incredibly, their message doesn’t seem to get through, because their scans keep on picking up new devices.

While talking about the issue at hacker conference Defcon on Sunday, security engineer Paul McMillan sent his winged monkey scanners out looking for computers that have remote access software on them, but no password. In just that short hour, the results came pouring in: thousands of computers on port 5900 using a program called VNC for remote access. The total number is likely over 30,000. Those using the program failed to password-protect it, meaning anyone who comes looking can see what they’re doing, and manipulate their computers.

McMillan set a scanner to take a screenshot of every exposed computer it came across. I went through the screens captured Sunday and saw people checking Facebook, playing video games, watching Ender’s Game, reading Reddit, Skyping, reviewing surveillance cameras, shopping on Amazon, reading email, editing price lists and bills, and, of course, watching porn. I saw access screens for pharmacies, point of sale systems, power companies, gas stations, tech and media companies, a cattle-tracking company, and hundreds of cabs in Korea.
This isn’t just about watching people use their computers; the fact that the scanner got in means anyone could manipulate the devices, changing the power company’s settings, pausing the porn stream, going through a company’s records, or reviewing the prescriptions for a pharmacy’s patients. There is no need for hackers to go to great lengths to compromise these computers; their owners have built in backdoors with no locks. “It’s like leaving your computer open, unlocked and ready to rock in a crowded bus terminal and walking away,” says security engineer Dan Tentler, who presented with McMillan. Increasingly, everything is connected to the Internet, and unfortunately, people don’t always know how to connect their things securely. “It’s important to remember that this scan only scratches the very surface of the problem,” says McMillan. “We can’t legally scan for default passwords, but I’m certain if we did, the results would be orders of magnitude worse.” […]





[ISN] Former hedge fund researcher pleads guilty to helping colleague hide trade-secret thefts

http://www.chicagotribune.com/news/local/breaking/chi-former-hedge-fund-researcher-pleads-guilty-to-helping-steal-trade-secrets-20140812-story.html

By Jason Meisner
Chicago Tribune
August 12, 2014

A former researcher with Chicago-based Citadel LLC pleaded guilty today to helping a colleague try to hide personal computers that had been used to steal trade secrets from the giant hedge fund’s high-speed automated trading system.

Sahil “Sonny” Uppal, 26, of New Jersey, had been scheduled to go to trial next month in federal court in Chicago, but he pleaded guilty to one count of obstruction of justice just days after co-defendant Yihao “Ben” Pu entered a guilty plea to charges he stole trade secrets. Under federal sentencing guidelines, Uppal faces up to 16 months in prison at his sentencing in November.

Prosecutors said Uppal and Pu were co-workers at an undisclosed New Jersey-based trading firm and later at Citadel, where Uppal’s primary job responsibilities included researching and developing a high-frequency trading strategy for equity investments. In July 2011, Uppal helped copy onto Pu’s personal hard drives three files containing research he had used to develop the trading strategy, according to his plea agreement with prosecutors. […]



[ISN] The biggest iPhone security risk could be connecting one to a computer

http://news.techworld.com/security/3536309/the-biggest-iphone-security-risk-could-be-connecting-one-to-a-computer/

By Jeremy Kirk
Techworld.com
14 August 2014

Apple has done well to insulate its iOS mobile operating system from many security issues, but a forthcoming demonstration shows it’s far from perfect.

Next Wednesday at the Usenix Security Symposium in San Diego, researchers with the Georgia Institute of Technology will show how iOS’s Achilles’ heel is exposed when devices are connected over USB to a computer or have Wi-Fi synching enabled.

The beauty of their attack is that it doesn’t rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple’s layered protections to accomplish a sinister goal.

“We believe that Apple kind of overtrusted the USB connection,” said Tielei Wang, a co-author of the study and research scientist at the institute. […]



[ISN] A portable router that conceals your Internet traffic

http://arstechnica.com/information-technology/2014/08/a-portable-router-that-conceals-your-internet-traffic/

By Sean Gallagher
Ars Technica
Aug 13 2014

The news over the past few years has been spattered with cases of Internet anonymity being stripped away, despite (or because) of the use of privacy tools. Tor, the anonymizing “darknet” service, has especially been in the crosshairs—and even some of its most paranoid users have made a significant operational security (OPSEC) faux pas or two. Hector “Sabu” Monsegur, for example, forgot to turn Tor on just once before using IRC, and that was all it took to de-anonymize him. (It also didn’t help that he used a stolen credit card to buy car parts sent to his home address.)

If hard-core hacktivists trip up on OPSEC, how are the rest of us supposed to keep ourselves hidden from prying eyes? At Def Con, Ryan Lackey of CloudFlare and Marc Rogers of Lookout took to the stage (short their collaborator, the security researcher known as “the grugq,” who could not attend due to unspecified travel difficulties) to discuss common OPSEC fails and ways to avoid them. They also discussed their collaboration on a set of tools that promises to make OPSEC easy—or at least easier—for everyone.

Called Personal Onion Router To Assure Liberty (PORTAL), the project is a pre-built software image for an inexpensive pocket-sized “travel router” to automatically protect its owner’s Internet traffic. Portal provides always-on Tor routing, as well as “pluggable” transports for Tor that can hide the service’s traffic signature from some deep packet inspection systems. […]



[ISN] Meet MonsterMind, the NSA Bot That Could Wage Cyberwar Autonomously

http://www.wired.com/2014/08/nsa-monstermind-cyberwarfare/

By Kim Zetter
Threat Level
Wired.com
08.13.14

Edward Snowden has made us painfully aware of the government’s sweeping surveillance programs over the last year. But a new program, currently being developed at the NSA, suggests that surveillance may fuel the government’s cyber defense capabilities, too.

The NSA whistleblower says the agency is developing a cyber defense system that would instantly and autonomously neutralize foreign cyberattacks against the US, and could be used to launch retaliatory strikes as well. The program, called MonsterMind, raises fresh concerns about privacy and the government’s policies around offensive digital attacks.

Although details of the program are scant, Snowden tells WIRED in an extensive interview with James Bamford that algorithms would scour massive repositories of metadata and analyze it to differentiate normal network traffic from anomalous or malicious traffic. Armed with this knowledge, the NSA could instantly and autonomously identify, and block, a foreign threat.

Cryptographer Matt Blaze, an associate professor of computer science at the University of Pennsylvania, says if the NSA knows how a malicious algorithm generates certain attacks, this activity may produce patterns of metadata that can be spotted. […]

