Tech News

In a slip that could prove costly to manufacturers and users, the D-Link cryptography keys used to certify that software is trustworthy – and not malware – were accidentally published, according to Dutch security firm Fox-IT. The keys were made available through the companies open-source firmware package, and were not discovered for seven months. Their release could make it easier for hackers to disrupt Windows and Apple computers. The mistake was discovered by a reader for a Dutch technology website, Tweakers, who purchased a D-Link security camera and downloaded the firmware from the manufacturer. The reader found not only the private keys, but also the passphrases needed to sign into the software. Tweakers handed the problem over to Dutch security firm Fox-IT, which confirmed the findings. I think this was a mistake by whoever packaged the source code for publishing. The code signing certificate was only present in one of the source code packages with a specific version, Fox-IT researcher Yonathan Klijnsma told security news site Threatpost.

BT has announced the global launch of BT Assure Ethical Hacking for Finance, a new security service designed to test the exposure of financial services organizations to cyber-attacks. The wealth of valuable and sensitive personal data held by financial organizations, such as retail and investor banks and insurance companies, makes them among the most attractive targets for malicious hackers and cyber-criminals. This risk has intensified in recent years as more and more retail financial services move online and electronic trading is one the rise. Assure Ethical Hacking for Finance uses mature methodologies that mimic those of black hats or malicious attackers to provide a range of tests targeted at the various entry points to a banks IT systems as well as perceived weak points of an organization. These include phishing scams, mobile devices and hardware from laptops to printers, internal and external networks, databases and complex enterprise resource planning systems. BT not only tests and verifies systems that can access the network but also checks for risks of human failure, for example by using social engineering to test how employees apply the policies in place. The new service draws on the ethical hacking expertise gained by working closely with large financial institutions in the U.S. for nearly two decades. Within the confines of strict rules of engagement, BTs ethical hackers have been able to perform database dumps of tens of thousands of social security and credit card numbers; intercept and modify mobile cheque deposit data; reverse engineer proprietary encryption streams; generate enormous, valid gift cards with payment details from other test accounts; create admin accounts by having an employee simply open an email; escape remote access sessions and get shell access to systems, including subsequent establishment of tunnels into the company; transfer funds between unauthorized test accounts or harvest complete account data for all users by attacking machine-to-machine communications. The ultimate objective is to identify vulnerabilities that would impact an organizations primary business processes and thus its brand and reputation. The new Assure Ethical Hacking for Finance will enable BT to use CREST (www.crest-approved.org) certified Simulated Targeted Attack and Response (STAR) services to help financial services firms to develop the most robust security solutions, ensuring sensitive customer data remains secure. BT was in 2014 one of the first companies in the world accredited by CREST to provide STAR services. Working alongside the Bank of England (BoE), UK Government and industry, CREST developed the STAR framework to deliver controlled bespoke, intelligence-led cyber security testing. STAR incorporates advanced penetration testing and threat intelligence services to more accurately replicate cyber security threats to critical assets. Mark Hughes, president of BT Security, said: The prospect of accessing confidential financial information is a powerful lure for hackers so few companies attract as much online criminal attention as banks. Apart from direct financial loss, a serious hack could lead to irreparable reputational damage. While much of the concern focuses on retail-banking activities, the threat is just as important for investment banks or for wholesale, where banks provide services like currency conversion and large trade transactions for major corporate customers. We encourage all financial institutions to put themselves through a rigorous series of cyber-security simulations, whereby our ethical hacking consultants push the cyber defences of financial institutions to the limit. BT has a strong, award-winning, global team of security specialists, including ethical hacking consultants, who provide a standardized method to test systems by imitating hacker attacks, reporting identified vulnerabilities and providing clear remediation steps that customers can use to quickly patch applications and affected systems.

A bug has ben found which allows anyone in possession of an Android smartphone running Lollipop to unlock the device by bypassing the lockscreen with a very long password. The vulnerability, discovered by researchers at Texas University in Austin, potentially affects 21% of Android devices in use and requires the attacker to simply overload the lockscreen with text. The bug affects only those users with smartphones running Googles Android Lollipop using a password to protect their devices – Pin or pattern unlock are not affected. The attacker need only enter enough text into the password field to overwhelm the lockscreen and cause it to crash, revealing the homescreen and giving full access to the device, whether encrypted or not. John Gordon from Texas university said: By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilise the lockscreen, causing it to crash to the home screen. Google released a fix for the security hole on Wednesday for its line of Nexus devices, describing the bug as of moderate severity, but that it was not actively being exploited by attackers according to the companys knowledge.

Several Seagate wireless hard-drives have been found to be affected by multiple vulnerabilities, the CERT Coordination Center of the Software Engineering Institute at Carnegie Mellon University warns. The first one allows an attacker to access undocumented Telnet services by using root as both username and password. The second one allows an attacker to download files stored in the device. The third one allows him (or her) to upload files onto the device, and if they are malicious, they could end up compromising other endpoints when opened. An attacker that wishes to exploit these bugs must be within range of the devices wireless network. Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL with firmware versions 2.2.0.005 and 2.3.0.014 have been confirmed to be affected, and its possible that other products might be vulnerable, as well. Seagate has released firmware (v3.4.1.105) to plug the holes, and users are advised to update it as soon as possible. There is no evidence that attackers have been exploiting the holes in attacks in the wild

A website in Russia has been caught exploiting a serious zero-day vulnerability in Mozillas Firefox browser, prompting the open-source developer to deliver an emergency update that fixes the flaw. The bug in a built-in PDF reader allowed attackers to steal sensitive files stored on the hard drives of computers that used the vulnerable Firefox version. The attack was used against both Windows and Linux users, Mozilla researcher Daniel Veditz wrote in a blog post published Thursday. The exploit code targeting Linux users uploaded cryptographically protected system passwords, bash command histories, secure shell (SSH) configurations and keys. The attacker downloaded several other files, including histories for MySQL and PgSQL and configurations for remina, Filezilla, and Psi+, text files that contained the strings pass and access in the names. Any shell scripts were also grabbed.

Major cloud services such as Box, Google Drive, Dropbox and Microsoft OneDrive are at risk of man-in-the-cloud (MITC) cyber attacks, according to a research paper published by Imperva. The firm said at the Black Hat security conference in Las Vegas that cloud-based businesses are vulnerable to exploitation by hackers, even claiming that data can be accessed without needing usernames or passwords. Imperva revealed that if hackers gain access to a users authentication token, a unique log-in file, they can steal data and even inject malware or ransomware into an account. The research team explained that hackers are able to insert an internally developed tool named Switcher into a system through a malicious email attachment or a drive-by download that uses a vulnerability in browser plug-ins. From an attackers point of view, there are advantages in using this technique. Malicious code is typically not left running on the machine, and the data flows out through a standard, encrypted channel. In the MITC attack, the attacker does not compromise explicit credentials, the report stated. Furthermore, this method of hacking works in such a way that end users may not be aware that their account has been compromised.