Tag Archives: hacking

Cybersecurity Insurance Not Paying for NotPetya Losses

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2019/03/cybersecurity_i_2.html

This will complicate things:

To complicate matters, having cyber insurance might not cover everyone’s losses. Zurich American Insurance Company refused to pay out a $100 million claim from Mondelez, saying that since the U.S. and other governments labeled the NotPetya attack as an action by the Russian military their claim was excluded under the “hostile or warlike action in time of peace or war” exemption.

I get that $100 million is real money, but the insurance industry needs to figure out how to properly insure commercial networks against this sort of thing.

Japanese Government Will Hack Citizens’ IoT Devices

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2019/01/japanese_govern.html

The Japanese government is going to run penetration tests against all the IoT devices in their country, in an effort to (1) figure out what’s insecure, and (2) help consumers secure them:

The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras. Devices in people’s homes and on enterprise networks will be tested alike.

[…]

The Japanese government’s decision to log into users’ IoT devices has sparked outrage in Japan. Many have argued that this is an unnecessary step, as the same results could be achieved by just sending a security alert to all users, as there’s no guarantee that the users found to be using default or easy-to-guess passwords would change their passwords after being notified in private.

However, the government’s plan has its technical merits. Many of today’s IoT and router botnets are being built by hackers who take over devices with default or easy-to-guess passwords.

Hackers can also build botnets with the help of exploits and vulnerabilities in router firmware, but the easiest way to assemble a botnet is by collecting the ones that users have failed to secure with custom passwords.

Securing these devices is often a pain, as some expose Telnet or SSH ports online without the users’ knowledge, and for which very few users know how to change passwords. Further, other devices also come with secret backdoor accounts that in some cases can’t be removed without a firmware update.

I am interested in the results of this survey. Japan isn’t very different from other industrialized nations in this regard, so their findings will be general. I am less optimistic about the country’s ability to secure all of this stuff — especially before the 2020 Summer Olympics.

Hacking the GCHQ Backdoor

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2019/01/hacking_the_gch.html

Last week, I evaluated the security of a recent GCHQ backdoor proposal for communications systems. Furthering the debate, Nate Cardozo and Seth Schoen of EFF explain how this sort of backdoor can be detected:

In fact, we think when the ghost feature is active­ — silently inserting a secret eavesdropping member into an otherwise end-to-end encrypted conversation in the manner described by the GCHQ authors­ — it could be detected (by the target as well as certain third parties) with at least four different techniques: binary reverse engineering, cryptographic side channels, network-traffic analysis, and crash log analysis. Further, crash log analysis could lead unrelated third parties to find evidence of the ghost in use, and it’s even possible that binary reverse engineering could lead researchers to find ways to disable the ghost capability on the client side. It should be obvious that none of these possibilities are desirable for law enforcement or society as a whole. And while we’ve theorized some types of mitigations that might make the ghost less detectable by particular techniques, they could also impose considerable costs to the network when deployed at the necessary scale, as well as creating new potential security risks or detection methods.

Other critiques of the system were written by Susan Landau and Matthew Green.

EDITED TO ADD (1/26): Good commentary on how to defeat the backdoor detection.

Hacking Construction Cranes

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2019/01/hacking_constru.html

Construction cranes are vulnerable to hacking:

In our research and vulnerability discoveries, we found that weaknesses in the controllers can be (easily) taken advantage of to move full-sized machines such as cranes used in construction sites and factories. In the different attack classes that we’ve outlined, we were able to perform the attacks quickly and even switch on the controlled machine despite an operator’s having issued an emergency stop (e-stop).

The core of the problem lies in how, instead of depending on wireless, standard technologies, these industrial remote controllers rely on proprietary RF protocols, which are decades old and are primarily focused on safety at the expense of security. It wasn’t until the arrival of Industry 4.0, as well as the continuing adoption of the industrial internet of things (IIoT), that industries began to acknowledge the pressing need for security.

News article. Report.

New Attack Against Electrum Bitcoin Wallets

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2019/01/new_attack_agai_3.html

This is clever:

How the attack works:

  • Attacker added tens of malicious servers to the Electrum wallet network.
  • Users of legitimate Electrum wallets initiate a Bitcoin transaction.
  • If the transaction reaches one of the malicious servers, these servers reply with an error message that urges users to download a wallet app update from a malicious website (GitHub repo).
  • User clicks the link and downloads the malicious update.
  • When the user opens the malicious Electrum wallet, the app asks the user for a two-factor authentication (2FA) code. This is a red flag, as these 2FA codes are only requested before sending funds, and not at wallet startup.
  • The malicious Electrum wallet uses the 2FA code to steal the user’s funds and transfer them to the attacker’s Bitcoin addresses.

The problem here is that Electrum servers are allowed to trigger popups with custom text inside users’ wallets.

Marriott Hack Reported as Chinese State-Sponsored

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/12/marriott_hack_r.html

The New York Times and Reuters are reporting that China was behind the recent hack of Marriott Hotels. Note that this is still uncomfirmed, but interesting if it is true.

Reuters:

Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, said three sources who were not authorized to discuss the company’s private probe into the attack.

That suggests that Chinese hackers may have been behind a campaign designed to collect information for use in Beijing’s espionage efforts and not for financial gain, two of the sources said.

While China has emerged as the lead suspect in the case, the sources cautioned it was possible somebody else was behind the hack because other parties had access to the same hacking tools, some of which have previously been posted online.

Identifying the culprit is further complicated by the fact that investigators suspect multiple hacking groups may have simultaneously been inside Starwood’s computer networks since 2014, said one of the sources.

I used to have opinions about whether these attributions are true or not. These days, I tend to wait and see.

Banks Attacked through Malicious Hardware Connected to the Local Network

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/12/banks_attacked_.html

Kaspersky is reporting on a series of bank hacks — called DarkVishnya — perpetrated through malicious hardware being surreptitiously installed into the target network:

In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.

Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.

The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal preferences. In the cases we researched, it was one of three tools:

  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks

Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard. Combined with the fact that Bash Bunny is comparable in size to a USB flash drive, this seriously complicated the search for the entry point. Remote access to the planted device was via a built-in or USB-connected GPRS/3G/LTE modem.

Slashdot thread.

That Bloomberg Supply-Chain-Hack Story

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/11/that_bloomberg_.html

Back in October, Bloomberg reported that China has managed to install backdoors into server equipment that ended up in networks belonging to — among others — Apple and Amazon. Pretty much everybody has denied it (including the US DHS and the UK NCSC). Bloomberg has stood by its story — and is still standing by it.

I don’t think it’s real. Yes, it’s plausible. But first of all, if someone actually surreptitiously put malicious chips onto motherboards en masse, we would have seen a photo of the alleged chip already. And second, there are easier, more effective, and less obvious ways of adding backdoors to networking equipment.

More Spectre/Meltdown-Like Attacks

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/11/more_spectremel.html

Back in January, we learned about a class of vulnerabilities against microprocessors that leverages various performance and efficiency shortcuts for attack. I wrote that the first two attacks would be just the start:

It shouldn’t be surprising that microprocessor designers have been building insecure hardware for 20 years. What’s surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren’t thinking about security. They didn’t have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors. Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.

Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they — and the research into the Intel ME vulnerability — have shown researchers where to look, more is coming — and what they’ll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

We saw several variants over the year. And now researchers have discovered seven more.

Researchers say they’ve discovered the seven new CPU attacks while performing “a sound and extensible systematization of transient execution attacks” — a catch-all term the research team used to describe attacks on the various internal mechanisms that a CPU uses to process data, such as the speculative execution process, the CPU’s internal caches, and other internal execution stages.

The research team says they’ve successfully demonstrated all seven attacks with proof-of-concept code. Experiments to confirm six other Meltdown-attacks did not succeed, according to a graph published by researchers.

Microprocessor designers have spent the year rethinking the security of their architectures. My guess is that they have a lot more rethinking to do.

How to Punish Cybercriminals

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/11/how_to_punish_c.html

Interesting policy paper by Third Way: “To Catch a Hacker: Toward a comprehensive strategy to identify, pursue, and punish malicious cyber actors“:

In this paper, we argue that the United States currently lacks a comprehensive overarching strategic approach to identify, stop and punish cyberattackers. We show that:

  • There is a burgeoning cybercrime wave: A rising and often unseen crime wave is mushrooming in America. There are approximately 300,000 reported malicious cyber incidents per year, including up to 194,000 that could credibly be called individual or system-wide breaches or attempted breaches. This is likely a vast undercount since many victims don’t report break-ins to begin with. Attacks cost the US economy anywhere from $57 billion to $109 billion annually and these costs are increasing.
  • There is a stunning cyber enforcement gap: Our analysis of publicly available data shows that cybercriminals can operate with near impunity compared to their real-world counterparts. We estimate that cyber enforcement efforts are so scattered that less than 1% of malicious cyber incidents see an enforcement action taken against the attackers.

  • There is no comprehensive US cyber enforcement strategy aimed at the human attacker: Despite the recent release of a National Cyber Strategy, the United States still lacks a comprehensive strategic approach to how it identifies, pursues, and punishes malicious human cyberattackers and the organizations and countries often behind them. We believe that the United States is as far from this human attacker strategy as the nation was toward a strategic approach to countering terrorism in the weeks and months before 9/11.

In order to close the cyber enforcement gap, we argue for a comprehensive enforcement strategy that makes a fundamental rebalance in US cybersecurity policies: from a heavy focus on building better cyber defenses against intrusion to also waging a more robust effort at going after human attackers. We call for ten US policy actions that could form the contours of a comprehensive enforcement strategy to better identify, pursue and bring to justice malicious cyber actors that include building up law enforcement, enhancing diplomatic efforts, and developing a measurable strategic plan to do so.

China’s Hacking of the Border Gateway Protocol

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/10/chinas_hacking_.html

This is a long — and somewhat technical — paper by Chris C. Demchak and Yuval Shavitt about China’s repeated hacking of the Internet Border Gateway Protocol (BGP): “China’s Maxim ­ Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking.”

BGP hacking is how large intelligence agencies manipulate Internet routing to make certain traffic easier to intercept. The NSA calls it “network shaping” or “traffic shaping.” Here’s a document from the Snowden archives outlining how the technique works with Yemen.

EDITED TO ADD (10/27): BoingBoing post.

Another Bloomberg Story about Supply-Chain Hardware Attacks from China

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/10/another_bloombe.html

Bloomberg has another story about hardware surveillance implants in equipment made in China. This implant is different from the one Bloomberg reported on last week. That story has been denied by pretty much everyone else, but Bloomberg is sticking by its story and its sources. (I linked to other commentary and analysis here.)

Again, I have no idea what’s true. The story is plausible. The denials are about what you’d expect. My lone hesitation to believing this is not seeing a photo of the hardware implant. If these things were in servers all over the US, you’d think someone would have come up with a photograph by now.

EDITED TO ADD (10/12): Three more links worth reading.

Networked knitting machine: not your average knit one, purl one

Post Syndicated from Alex Bate original https://www.raspberrypi.org/blog/knitting-network-printer/

The moment we saw Sarah Spencer‘s knitted Stargazing tapestry, we knew we needed to know more. A couple of emails later, and here’s Sarah with a guest blog post telling you all you need to know about her hacking adventure with a 1980s knitting machine and a Raspberry Pi.

Knitting Printer! (slowest speed)

Printing a scarf on a Brother KM950i knitting machine from the 1980’s. To do this I have a Brother Motor arm to push the carriage back and forth and a homemade colour changer that automatically selects the colour on the left (the white and purple device with the LED).

Here’s Sarah…

Raspberry Pi: what’s there not to like? It’s powerful, compact, and oh so affordable! I used one as a portable media box attached to a pico projector for years. Setting one up as a media box is one of the most popular uses for them, but there’s so much more you can do.

Cue a 1980s Brother domestic knitting machine. Yep, you read that right. A knitting machine – to knit jumpers, hats, scarves, you name it. They don’t make domestic knitting machines any more, so a machine from the 1980s is about as modern as you can get. It comes with an onboard scanner to scan knitting patterns and a floppy drive port to back up your scans to an old floppy disk. Aah, the eighties – what a time to be alive!

Building a networked knitting machine

But this is an article about Raspberry Pi, right? So what does a 30-year-old knitting machine have to do with that? Well, I hacked my domestic knitting machine and turned it into a network printer with the help of a Raspberry Pi. By using a floppy drive emulator written in Python and a web interface, I can send an image to the Raspberry Pi over the network, preview it in a knitting grid, and tell it to send the knitting pattern to the knitting machine via the floppy drive port.

Sarah Spencer Networked knitting machine

OctoKnit

I call this set-up OctoKnit in honour of a more famous and widely used tool, OctoPrint for 3D printers, another popular application for Raspberry Pi.

Sarah Spencer Knitting Network Printer

I’ve made the OctoKnit web interface open source. You can find it on GitHub.

This project has been in the works for several years, and there’s been a few modifications to the knitting machine over that time. With the addition of a motor arm and an automatic colour changer, my knitting is getting very close to being hands-free. Here’s a photo of the knitting machine today, although the Raspberry Pi is hiding behind the machine in this shot:

Sarah Spencer Networked knitting machine

I’ve specialised in knitting multicolour work using a double-layered technique called double Jacquard, which requires two beds of needles. Hence the reason the machine has doubled in size from when I first started.

Knitting for Etsy

I made a thing that can make things, so I need to make something with it, right? Here are a few custom orders I’ve completed through my Etsy store:

Sarah Spencer Networked knitting machine

Stargazing

However, none of my previous works quite compares to my latest piece, Stargazing: a knitted tapestry. Knitted in seven panels stitched together by hand, the pattern on the Raspberry Pi is 21 times bigger than the memory available on the vintage knitting machine, so it’s knitted in 21 separate but seamless file transfers. It took over 100 hours of work and weighs 15kg.

Sarah Spencer Networked knitting machine

Stargazing is a celestial map of the night sky, featuring all 88 constellations across both Northern and Southern hemispheres. The line through the center is the Earth’s equator, projected out into space, with the sun, moon and planets of our solar system featured along it. The grey cloud is a representation of our galaxy, the Milky Way.

Heart of Pluto on Twitter

Happy 6pm, Fri 31st Aug 2018 😊 The tapestry is installed and the planets in the sky have now aligned with those in the knitting

When I first picked up a Raspberry Pi and turned it over in my hand, marvelling at the computing power in such a small, affordable unit, I never imagined in my wildest dreams what I’d end up doing with it.

What will you do with your Raspberry Pi?

The post Networked knitting machine: not your average knit one, purl one appeared first on Raspberry Pi.

Security Risks of Government Hacking

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/09/security_risks_14.html

Some of us — myself included — have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at the security risks of allowing government hacking. They include:

  • Disincentive for vulnerability disclosure
  • Cultivation of a market for surveillance tools
  • Attackers co-opt hacking tools over which governments have lost control
  • Attackers learn of vulnerabilities through government use of malware
  • Government incentives to push for less-secure software and standards
  • Government malware affects innocent users.

These risks are real, but I think they’re much less than mandating backdoors for everyone. From the report’s conclusion:

Government hacking is often lauded as a solution to the “going dark” problem. It is too dangerous to mandate encryption backdoors, but targeted hacking of endpoints could ensure investigators access to same or similar necessary data with less risk. Vulnerabilities will never affect everyone, contingent as they are on software, network configuration, and patch management. Backdoors, however, mean everybody is vulnerable and a security failure fails catastrophically. In addition, backdoors are often secret, while eventually, vulnerabilities will typically be disclosed and patched.

The key to minimizing the risks is to ensure that law enforcement (or whoever) report all vulnerabilities discovered through the normal process, and use them for lawful hacking during the period between reporting and patching. Yes, that’s a big ask, but the alternatives are worse.

This is the canonical lawful hacking paper.

You wouldn’t download a car…

Post Syndicated from Alex Bate original https://www.raspberrypi.org/blog/you-wouldnt-download-car-telsa-hack/

You wouldn’t download a car…but is that just because none of us know how to? And OF COURSE none of us know how to: it’s a really hard thing to do!

Raspberry Pi Tesla

Dramatic reenactment using a Mini because, c’mon, as if I can afford a Tesla!

Nikola Tesla was in love with a pigeon 😍🐦

True story. He was also the true father of the electrical age (sorry, not sorry, Edison) and looked so much like David Bowie that here’s David Bowie playing Nikola Tesla:

David Bowie as Nicola Tesla — Raspberry Pi Tesla

Not even pigeon love

Which is the perfect segue, as here’s a Tesla playing David Bowie, and here’s also where our story truly begins…

Some people dislike Tesla (the car manufacturer, not the scientist) but we love them

But some people also dislike going to the dentist, so ¯\_(ツ)_/¯. (I also love going to the dentist.)

I’m pretty sure the reason some people have issues with Tesla is that electric cars still seem like a form of magic we’re not quite comfortable with.

Whatever people’s reason for holding a grudge against Tesla, recent findings at a university in Belgium this week have left the tech community aflutter: the academics announced that, with the aid of a “$35 computer”, they can clone your Tesla car key and steal. Your. Car.

If you haven’t guessed yet, we’re the ones behind the $35 computer. (Hi!)

Says WIRED: A team of researchers at the KU Leuven University in Belgium on Monday plan to present a paper at the Cryptographic Hardware and Embedded Systems conference in Amsterdam, revealing a technique for defeating the encryption used in the wireless key fobs of Tesla’s Model S luxury sedans. With about $600 in radio and computing equipment, they can wirelessly read signals from a nearby Tesla owner’s fob. Less than two seconds of computation yields the fob’s cryptographic key, allowing them to steal the associated car without a trace.

When I said that the tech community was all aflutter, what I meant was, on the whole, we find this hack somewhat entertaining but aren’t all that shocked by it. Not because we hate Tesla, but because these things happen. Technology is ever evolving, and that $600 worth of kit can do a thing to another thing isn’t all that unbelievable.

Sweet Cyber Jones on Twitter

The keys to my new Tesla https://t.co/jNViEZBxrB

The academics showed an example of the hack using “just” a couple of radios, a Raspberry Pi, some batteries, and your basic, off-the-shelf “pre-computed table of keys on a portable hard drive”. And through the magic of electric car IoT technology, Tesla instantly released a series of fixes to allow existing Tesla users to protect their cars against the attack, which is all kinds of cool.

Alex, why are you making such light of this?!

Because The Fast and the Furious isn’t real. And I highly doubt there’s a criminal enterprise out there that’s capable of building the same technology as well-funded university researchers.

Yes, this study from KU Leuven University is interesting. And yes, we all had a good laugh at the expense of Tesla and Elon Musk, but we don’t need academics to provide material for that. And I genuinely love Tesla and the work Elon is doing. True love.

Instead, we should be seeing this as a reminder that data encryption and online security are things we all need to take seriously in this digital world. So stop connecting your phone to whatever free WiFi network you can find, stop using PASSWORD123 for all your online accounts, and spend a little more time learning how you can better protect yourself and your family from nasty people on the internet.

And leave Britney Tesla alone!

The post You wouldn’t download a car… appeared first on Raspberry Pi.

Using a Smartphone’s Microphone and Speakers to Eavesdrop on Passwords

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/09/using_a_smartph.html

It’s amazing that this is even possible: “SonarSnoop: Active Acoustic Side-Channel Attacks“:

Abstract: We report the first active acoustic side-channel attack. Speakers are used to emit human inaudible acoustic signals and the echo is recorded via microphones, turning the acoustic system of a smart phone into a sonar system. The echo signal can be used to profile user interaction with the device. For example, a victim’s finger movements can be inferred to steal Android phone unlock patterns. In our empirical study, the number of candidate unlock patterns that an attacker must try to authenticate herself to a Samsung S4 Android phone can be reduced by up to 70% using this novel acoustic side-channel. Our approach can be easily applied to other application scenarios and device types. Overall, our work highlights a new family of security threats.

News article.

Hacking Police Bodycams

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/08/hacking_police_.html

Suprising no one, the security of police bodycams is terrible.

Mitchell even realized that because he can remotely access device storage on models like the Fire Cam OnCall, an attacker could potentially plant malware on some of the cameras. Then, when the camera connects to a PC for syncing, it could deliver all sorts of malicious code: a Windows exploit that could ultimately allow an attacker to gain remote access to the police network, ransomware to spread across the network and lock everything down, a worm that infiltrates the department’s evidence servers and deletes everything, or even cryptojacking software to mine cryptocurrency using police computing resources. Even a body camera with no Wi-Fi connection, like the CeeSc, can be compromised if a hacker gets physical access. “You know not to trust thumb drives, but these things have the same ability,” Mitchell says.

BoingBoing post.