Posts tagged Security
SEO and Internet Security: How They Go Hand in Hand
Business 2 Community
You may not think that SEO has much to do with internet security, or vice-versa, but the two do have quite a bit to do with each other. Certain types of SEO practices can be damaging to your website security, and high-quality website security can …
View full post on SEO – Google News
Security researchers recently found gaping vulnerabilities in a wide variety of critical business and industrial equipment. It turns out that weak or absent passwords made it easy to break into more than 100,000 terminal servers used to provide their Internet connections. Fixing the problem is simple: changing the credentials dramatically reduces the risk. But for many companies, actually solving the problem is nearly impossible.
Vulnerable, But Hidden
The threats discovered by security firm Rapid7 exemplify the difficulties organizations face in plugging even known holes in critical gear. In this case, the affected systems include industrial control equipment, traffic-signal monitors, fuel pumps, retail point-of-sale terminals and building automation equipment such as alarms and heating and ventilation (HVAC) systems.
Rapid7 found more than 114,000 unprotected terminal servers, mostly from Digi International or Lantronix, that a hacker could use to take control of the underlying systems. Finding the serial ports on the server requires the use of a scanning tool, such as Nmap. Once an active port is found, a command-line program similar to those used on 1980s-vintage home computers is all that’s needed to access a control panel or menu or capture data.
Fortunately, while tech-savvy saboteurs or terrorists would have no difficulty gaining access to the equipment, they most likely would not know who owns it or where it is located. Without that information, the find would not be very useful. “There’s no telling who they are going to hurt, if they don’t know where the device is,” explained HD Moore, chief research officer for Rapid7.
How Security Gets Missed
Nevertheless, any hole that can provide access to critical equipment is worth plugging, but it’s not likely to happen in many of these cases. Often, companies do not even know the terminal server exists, much less that it needs security updates.
How is that possible? Well, picture a vendor working with the facilities crew installing an HVAC system that uses a terminal server so the equipment can be monitored from a remote location. No one knows the server exists, and no one cares, as long as everything works. “A lot of times IT is not even aware of these systems,” said Matthew Neely, director of research at risk management company SecureState.
Vendor marketing can also exacerbate the problem. Equipment is often sold as being “secured,” when in fact it is only “capable of being secured.” That means the buyer still has to add the technology or turn on and configure the security features.
This can get missed if the installers assume the equipment is “plug and play,” said Joe Weiss, a security consultant for Applied Control Solutions. “It’s like getting a toy for Christmas and you pull it out of the box expecting it to run, because the box doesn’t tell you it needs two AA batteries,” Weiss added.
Terminal servers, also called serial port servers, often get missed by electric utility companies because they are not covered under federal cybersecurity requirements. So the devices never make it on the utility’s compliance checklist. “They don’t even have to check these out to find out if they are or not secure,” Weiss said.
This bizarre situation demonstrates that ensuring the security of critical equipment is never a matter of technology alone. True security requires people to pay attention, not just sweep everything under the rug.
Image courtesy of ShutterStock.
View full post on ReadWrite
You’ve installed antivirus software on your computers, configured your operating system to update its security automatically and password-protected your Wi-Fi. So your home network is safe against hackers, right?
Guess again. And then take a long look at your wireless router.
What Can Happen (Hint: It’s Bad)
For years, manufacturers of home routers have all but ignored security issues, at least when it comes to making sure that consumers update their firmware to close exploitable vulnerabilities. Let’s put it this way: Have you ever updated the firmware on your router? If not, odds are good that it’s got one or more security holes through which a properly motivated hacker could slip.
Attacks on routers aren’t common, partly for logistical reasons that make them uneconomical for hackers. But that could change as technology evolves, criminal incentives shift and security tightens up in other areas. One big potential trouble spot: the embedded Web browsers that many routers use for managing their settings — including, of course, security.
Router manufacturers have done a lousy job informing users about firmware updates that would patch security flaws, and are even worse making it easy for users to obtain and install those updates. Such patches are seldom available through automatic services, forcing users to look up the fixes on manufacturer websites.
“These are low-priced, low-power devices,” Tod Beardsley, a researcher with application security vendor Rapid7, said. Manufacturers “may not have the margins on these devices to provide ongoing software support.”
To see what can happen when a flaw remains unpatched, look no further than a major intrusion in Brazil in 2011, when hackers broke into 4.5 million home DSL modems over the Internet. The modems were reconfigured to send users to malware-carrying imposter websites, primarily so thieves could steal their online banking credentials.
From Brazil With Love
That exploit in Brazil was similar to one that application security tester Phil Purviance recently employed against a wireless Linksys EA2700, which was released about a year ago. Called a cross-site request forgery, the technique allowed Purviance to break into the router’s embedded management Web site. Once in, Purviance found he could change the login information and remotely manage the hardware.
“What I found was so terrible, awful, and completely inexcusable!” Purviance wrote in his blog. “It only took 30 minutes to come to the conclusion that any network with an EA2700 router on it is an insecure network!”
Purviance found a total of five vulnerabilities in two Linksys routers, the EA2700 and WRT54GL. Separately, flaws recently found in Linux-based routers from D-Link and Netgear could enable a hacker on the network to gain access to the command prompt on the operating system, Rapid7 reported.
D-Link and Netgear didn’t respond to requests for comment. Belkin, which bought Linksys from Cisco last month, said in an email sent to ReadWrite that the EA2700 was fixed in a firmware update released last June. Called Smart Wi-Fi, the firmware is available through an opt-in update service.
What Hackers Want
Manufacturers have gotten away with sloppy security practices because breaking into wireless routers usually requires physical proximity. That made it far harder for hackers to bust into multiple computers, because they’d have to move from network to network in order to target them. Thus hackers have tended to favor blasting out malware-carrying spam from a single location over attacking individual wireless routers.
But that could change. Industrial control systems that run manufacturing operations, power grids and other critical infrastructure are increasingly under pressure from cyberespionage campaigns. Vulnerabilities in these systems are as bad as in home routers. You can see just how bad it is via the search engine Shodan, which collects information on 500 million connected devices, such as routers, printers, webcams and servers, each month.
In time, hackers will develop better tools and malware for breaking into hardware, and this technology will eventually find its way into the criminal underground.
How To Safeguard Your Router
In other words, it makes sense to safeguard your router now. Here are a few steps you can take to make your home network a less inviting target:
- In your router security settings, make sure you’ve changed any default usernames and passwords. These will be the first things any hacker tries, much the way a burglar jiggles a doorknob to see if it’s unlocked.
- Disable wireless access to your router’s management console, which allows you to manage its settings by pointing a Web browser to an address such as 192.168.1.1. Disabling wireless access means you’ll have to be physically plugged into the router in order to manage it, making it far more difficult to hack.
- If you’re sufficiently technically minded, consider replacing your router’s doubtless buggy internal software with an open-source alternative such as DD-WRT, Tomato or OpenWRT. While these options aren’t particularly consumer friendly, their firmware is less likely to contain obvious vulnerabilities — and will probably offer you some cool new features, too.
Image courtesy of Shutterstock
View full post on ReadWrite
Google is fighting a National Security Letter (NSL) issued by the U.S. government. Court filings revealed Google’s opposition to handing over users’ data. Google is one of the first communications companies to fight an NSL, according to the EFF.
View full post on Search Engine Watch – Latest
Bloomberg News reports that Google has filed a petition contesting a government request for information after receiving a “National Security Letter.” The details of the requested information are currently not disclosed, as you would imagine. Bloomberg says it is rare for a company to fight back…
Please visit Search Engine Land for the full article.
When it comes to user security at Apple, it’s one step forward, two steps back.
Yesterday, the company belatedly announced long-needed two-step verification security for Apple IDs, only two years after Google rolled out the protective measure for its users. Today comes word of a massive security flaw that reportedly lets anyone reset your account password if they know your email and your birthday.
But here’s the punch line: While two-step verification would protect Apple users from this exploit, the company has subjected all requests to activate the security measure to a three-day delay. Even then, two-step verification is only available to users in the U.S., the UK, Australia, Ireland, and New Zealand.
How To Protect Yourself
A step-by-step guide to exploiting this vulnerability is still available online, although we won’t link to it here. Basically, it involves pasting in a modified URL on Apple’s iForgot page when prompted to answer the date-of-birth security question to reset your password.
The surest way to protect yourself in the short term — i.e., without two-step verification — is to change your birthday, the Verge’s Chris Welch writes. To its credit, Apple has already disabled its password reset page, presumably to disrupt any attempts to hijack user accounts. With any luck it will have the flaw fixed as soon as possible, although the company has yet to make any public statements regarding the flaw.
This turn of events follows by just days an earlier Apple security faux pas. The company released iOS 6.1.3 for the sole purpose of fixing a lock-screen bypass that let users with a knack for expert timing access an iPhone’s contacts and photo library. Yet later that day it became clear that the update contained yet another lock-screen bypass flaw.
This password reset hack is considerably more destructive than the lockscreen problem, which essentially only allows a would-be hacker to peek at a stolen iPhone’s contacts and photo library. Still, it’s certainly been a bad week for Apple in the user-security department.
View full post on ReadWrite
Apple is beefing up its security for users of its iTunes, App Store and iBookstore consumers. Starting today, Apple is offering two-step verification for Apple ID, the authentication mechanism it uses for customers using iPhone, iPad and Mac computers.
The move is long overdue for Apple. Two-step verification is a security feature that requires users to verify their identity in more than one way. Previously, if you bought an app in the App Store, Apple would only ask you for your password. That’s a one-step verification. Two-step verification adds another hurdle — asking users to swipe a card, for instance, or to enter a PIN texted to their phone. The idea is that each additional factor used to authenticate a customer makes it that much harder for spammers and crooks to log in as someone they’re not.
Apple is enabling two-step verification as an “optional security feature” for Apple ID. To set it up, you must register one or more trusted devices — say, your smartphone (though technically any device you control that can receive 4-digit verification codes via SMS text or the “Find My iPhone” feature of iOS will do). Apple will also send users a 14-character “Recovery Code” you can print out and save as a way of getting back into your account should you lose your smartphone or forget your password.
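The flow described above, as an added illustration that is not Apple’s code: a password check that only triggers a short numeric code to a trusted device, a second step that checks that code, and a printable recovery code for getting back in without the device. The 4-digit code and 14-character recovery code come from the article; the five-minute code lifetime, the PBKDF2 storage of secrets and the recovery-code alphabet are assumptions made here.

```python
"""Two-step verification flow (added example, not Apple's code).
Article facts: 4-digit codes sent to a trusted device, 14-character
recovery code. Assumptions: 5-minute code lifetime, PBKDF2 storage,
recovery-code alphabet."""
import hashlib
import hmac
import secrets

CODE_DIGITS = 4                 # article: 4-digit verification codes
CODE_TTL_SECONDS = 300          # assumed: a delivered code is good for five minutes
RECOVERY_CODE_LENGTH = 14       # article: 14-character recovery code
RECOVERY_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # assumed: no 0/O or 1/I


def _hash(secret: str, salt: bytes) -> bytes:
    # Store slow hashes of long-lived secrets (password, recovery code), never the secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Account:
    def __init__(self, password: str, trusted_device: str):
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash(password, self.salt)
        self.trusted_device = trusted_device
        self.pending = None            # (code, expiry time) while a login is half done
        self.recovery_hash = None
        self.outbox = []               # stands in for the SMS / Find My iPhone channel

    def begin_login(self, password: str, now: float) -> bool:
        """Step 1: a correct password does not log you in; it only triggers a code."""
        if not hmac.compare_digest(self.password_hash, _hash(password, self.salt)):
            return False
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending = (code, now + CODE_TTL_SECONDS)
        self.outbox.append((self.trusted_device, code))   # "send" to the trusted device
        return True

    def finish_login(self, code: str, now: float) -> bool:
        """Step 2: the code must match and be fresh; each issued code is consumed on its first try."""
        if self.pending is None:
            return False
        expected, expiry = self.pending
        self.pending = None            # one attempt per code, so a 4-digit code cannot be brute-forced
        if now > expiry:
            return False
        return hmac.compare_digest(expected.encode(), code.encode())

    def issue_recovery_code(self) -> str:
        """Generated once and shown to the user to print; only its hash is kept."""
        code = "".join(secrets.choice(RECOVERY_ALPHABET) for _ in range(RECOVERY_CODE_LENGTH))
        self.recovery_hash = _hash(code, self.salt)
        return code

    def recover(self, recovery_code: str) -> bool:
        """Fallback when the trusted device is lost; single use, then a new code is needed."""
        if self.recovery_hash is None:
            return False
        ok = hmac.compare_digest(self.recovery_hash, _hash(recovery_code, self.salt))
        if ok:
            self.recovery_hash = None
        return ok


def demo() -> dict:
    """Walk a constructed account through the happy path and the failure modes."""
    pw = "correct horse battery staple"          # constructed sample password
    acct = Account(pw, "+1-555-0100")             # constructed trusted-device number
    t0 = 1_700_000_000.0
    out = {}
    out["wrong_password"] = acct.begin_login("nope", t0)
    acct.begin_login(pw, t0)
    _, code = acct.outbox[-1]
    out["wrong_code"] = acct.finish_login("0000" if code != "0000" else "0001", t0 + 10)
    acct.begin_login(pw, t0)
    _, code = acct.outbox[-1]
    out["expired_code"] = acct.finish_login(code, t0 + CODE_TTL_SECONDS + 1)
    acct.begin_login(pw, t0)
    _, code = acct.outbox[-1]
    out["fresh_code"] = acct.finish_login(code, t0 + 10)
    recovery = acct.issue_recovery_code()
    out["recovery_length"] = len(recovery)
    out["recovery_first_use"] = acct.recover(recovery)
    out["recovery_second_use"] = acct.recover(recovery)
    return out
```

The two design points worth noticing are that a correct password on its own never produces a session, only a code, and that every code is single-use and short-lived, which is what makes a 4-digit code acceptable: an attacker who has the password still gets one guess in 10,000 per delivery to the victim’s device.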
The Importance Of Two-Step Authentication
Many companies use multi-factor authentication. Google has offered two-step authentication to all users for more than two years. Facebook also offers it.
The biggest cautionary tale about Apple security and two-step authentication recently is that of technology reporter Mat Honan. Honan, now a senior writer at Wired, had many of his important accounts hacked, including his Twitter, Google and Apple ID. The hackers, who Honan said were after his three-letter @mat Twitter account, were able to remotely erase his iPhone, iPad and MacBook after gaining access to his Apple account.
Apple, which lacked two-factor authentication at the time, more or less allowed the hackers into Honan’s accounts after they had tracked some personal information about him through his Amazon account. If Apple ID had two-factor authentication at the time, the malicious attack might well have stopped dead when trying to dive into Honan’s Apple accounts.
How To Set Up Two-Factor Authentication
Go to Apple’s support page here and follow the directions. It’s fairly simple. First, you want to sign in to your account with “Manage your Apple ID.” Then click on “Password and Security.” Click on “Two-Step Verification” and follow the onscreen instructions.
Many smartphone users have no idea how much access their unique IDs grant. Many people, such as Honan, have most of their gadget and social accounts tied together through Apple ID or similar services. To stay safe, it’s best to make sure that:
- your passwords are unique;
- your accounts aren’t tied together through a single service (so that if it gets hacked, they all do);
- you use two-step authentication whenever possible.
Lead image via Flickr user thisisanicephoto, CC 2.0
View full post on ReadWrite
Another hacker bites the dust. This morning, Andrew Auernheimer — aka “weev” — got handed a sentence of 41 months in prison, 3 years of supervised release and a $36,500 fine. All for basically exposing a major security hole at AT&T and publicly shaming the company that hadn’t ever bothered to fix it.
Back in 2010, Auernheimer and his partner Daniel Spitler, part of a team calling itself Goatse Security, hacked into a public server owned by AT&T. That server housed hundreds of thousands of email addresses of customers who owned 3G iPads. Through trial and error and some ingenuity, group members discovered they could randomly guess iPad identification numbers and then use them to extract matching email addresses from that server.
AT&T’s Security Loophole, Exposed
This security loophole on AT&T’s site returned email addresses associated with ICC IDs, the unique serial numbers used to track and link SIM cards on mobile devices with specific subscribers. A PHP script that automated the process ended up harvesting a whopping 114,000 email addresses. Auernheimer then sent news of the group’s work as an exclusive to Gawker.
A day later in a blog post on the Goatse Security site, Auernheimer and company wrote:
I want to summarize this explicitly:
- All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration.
- The dataset was not disclosed until we verified the problem was fixed by the vendor.
- The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.
We did this to help you.
By its own account, AT&T responded with “swift action” to prevent additional intrusions:
Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.
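The flaw class the article describes and the fix AT&T says it made, as an added illustration that is not AT&T’s code: a public lookup keyed on a guessable identifier (the ICC-ID) that hands back the linked e-mail address, beside a version that requires the user’s own e-mail and password before it reveals anything. It also sketches the detection side, since a burst of distinct ICC-IDs from one client is what the scripted harvest looks like in an access log. Every ICC-ID, address and password here is a constructed sample, and the 20-lookup threshold is an assumption.

```python
"""ICC-ID lookup: vulnerable prefill, hardened login, and a detection check
(added example, not AT&T's code; all data constructed)."""
import hashlib
import hmac
from collections import defaultdict


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed subscriber table: ICC-ID -> (email, salt, password hash).
_DB = {
    "89000000000000000001": ("alice@example.com", b"salt-a", _pw_hash("alice-pw", b"salt-a")),
    "89000000000000000002": ("bob@example.com", b"salt-b", _pw_hash("bob-pw", b"salt-b")),
}
_DUMMY = ("", b"salt-x", _pw_hash("", b"salt-x"))   # unknown IDs take the same code path


def vulnerable_prefill(iccid: str):
    """Before: the page fills in the e-mail for any ICC-ID it recognises.
    Nothing ties the caller to the subscriber, so the identifier alone is the key."""
    rec = _DB.get(iccid)
    return rec[0] if rec else None


def hardened_login(iccid: str, email: str, password: str) -> bool:
    """After: the server discloses nothing. The caller must already know the e-mail
    and prove it with the password; unknown ICC-IDs, wrong e-mails and wrong
    passwords are all rejected through the same path with constant-time compares,
    so the response does not say which part was wrong."""
    rec = _DB.get(iccid)
    stored_email, salt, stored_hash = rec if rec else _DUMMY
    email_ok = hmac.compare_digest(stored_email.encode(), email.encode())
    pw_ok = hmac.compare_digest(stored_hash, _pw_hash(password, salt))
    return rec is not None and email_ok and pw_ok


def flag_enumeration(access_log, threshold: int = 20):
    """Detection: clients that query many distinct ICC-IDs. A real subscriber looks
    up one or two; the harvest the article describes walks through thousands."""
    seen = defaultdict(set)
    for client, iccid in access_log:
        seen[client].add(iccid)
    return sorted(client for client, ids in seen.items() if len(ids) >= threshold)


# Constructed access log: (client address, ICC-ID queried). One ordinary client,
# one client walking 25 consecutive identifiers.
SAMPLE_LOG = [("203.0.113.7", "89000000000000000001")] + [
    ("198.51.100.9", f"8900000000000000{n:04d}") for n in range(1, 26)
]
```

The hardened function still does the hash and both comparisons even when the ICC-ID is unknown, so response time does not reveal which identifiers exist; the enumeration check is the complement on the monitoring side, since the fix stops the disclosure but the scanning traffic itself is still worth alerting on.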
Problem solved, right? Wrong. A week later Auernheimer was arrested after the FBI raided his house. He was then charged with major computer crimes under the Computer Fraud and Abuse Act (CFAA), the same legal club prosecutors have used to go after Aaron Swartz and, last week, Reuters social editor Matthew Keys.
During the trial, AT&T admitted the server was publicly accessible, yet claimed Auernheimer’s access was unauthorized. Under the CFAA, unauthorized access is a crime. But the statute’s ambiguity on that score has opened the door for egregious prosecutorial overreach in this and other cases.
On Nov. 20, 2012, a jury found Auernheimer guilty of one count each of identity theft and conspiracy to violate the CFAA. Today, Auernheimer was sentenced.
Fair Or Fanning The Flames?
Supporters of Auernheimer say what he did was not a crime. Maybe it wasn’t smart to expose a major vulnerability at AT&T and then rub the company’s nose in it, but stupidity shouldn’t be a federal offense. Friends and colleagues point out that the point of hacking is to gain something from it — and in this case, there was no money involved and nothing to gain besides a measure of celebrity.
Australian journalist and hacktivist Asher Wolf wrote a poignant piece today arguing that it’s insane to publicly tar and feather someone who spurred a company to fix a problem, even if he didn’t choose the most orthodox means of doing it:
Putting Weev behind bars is pointless and tragic. Jailing the most outspoken men and women amongst our generation won’t stop the leaks, the hacks, the news revelations, the whistleblowers — and most of all it won’t stop the rage of the malcontent, dispossessed youth from eventually tumbling down upon the heads of the bureaucrats who sold us out and then tried to lock us up when we complained.
Bees To Honey
AT&T’s vulnerability was basically low hanging fruit — just too easy a target for hackers to ignore. But the question of whether AT&T was asking for it is more complicated.
Sure, poor security is asking for trouble. But playing with fire will get you burned no matter how righteous and ethical you claim to be. “Our conduct doesn’t happen in a vacuum,” hacker Adrian Lamo — the guy who allegedly dropped a dime on Bradley Manning — wrote on Twitter today. “I don’t think 3+ years is warranted for Weev, but in totality of circumstances, it’s understandable.”
I respect weev’s reasons and even his means for their ethical consistency. But he got exactly what he planned to. He owns his outcome.
— Adrian Lamo (@6) March 18, 2013
Still, this is significant time for essentially not hurting anyone, as the British journalist Laurie Penny pointed out. By comparison, the Steubenville rapists were sentenced to just one year in juvenile jail.
— Laurie Penny (@PennyRed) March 18, 2013
This isn’t over. Auernheimer is appealing his conviction. And either another example will be made to hackers everywhere, or the sentence will be reduced.
At the end of the day, Weev and co. were nicer to AT&T than, say, hacker HD Moore — who published unpatched iPhone flaws and exposed another big bug in Apple’s WiFi — was to Apple. But that doesn’t seem to matter much in the boardrooms and courtrooms of America. In their view, all hackers are criminals.
Even many mainstream journalists think all hacking is a crime. Last night on 60 Minutes, for instance, Lara Logan basically accused Jack Dorsey’s early work of bordering on just that. And even with the best of intentions, hackers’ attempts to route around the system will likely never gain the benefit of the doubt with the public.
Instead, they’ll just keep earning jail sentences, at least unless and until the courts — or Congress, though don’t hold your breath — push back against prosecutorial overreach. And that, at least, will give them plenty of time to repent at leisure.
View full post on ReadWrite
At the RSA Conference in San Francisco last week, I got the chance to sit down with Stephen Cobb, a distinguished security researcher for the IT security company ESET. We talked about a lot of things, including Android security issues and how walled gardens have their uses.
It was a great conversation, touching on a wide variety of fascinating aspects of online and mobile security, and I wanted to share as many of them as possible.
This list seemed like the best way to do that. And while not every one of the dirty-dozen points presented here may surprise you, I can pretty much guarantee that few people will already know – or agree with – everything on the list:
1. Big Data is not new to the anti-virus industry. Turns out the anti-virus companies have been doing traffic analysis, incident sharing and code sharing for decades, Cobb claims. They just didn’t call it Big Data until the term became fashionable.
2. Anti-virus companies have been practicing co-opetition since the 1980s, when they realized there was no percentage in one company being able to stop one virus while you needed another company to stop a different virus. They quietly began sharing virus signatures and other information, Cobb says.
3. All the major Web browsers share information on malware sites and other threats. Chrome, Internet Explorer, Firefox and the others all share which URLs to flag, for example. That’s why when NBC.com was hacked recently and started spewing malware, everybody was able to block it almost immediately.
4. One of the hardest parts of securing Big Data is knowing where the data is actually stored. In the old days, when data was collected and stored, it didn’t really move much. Now, in the cloud, Cobb says we don’t really know where data is stored. Malware creators are intent on exploiting that, but what form that will take remains to be seen.
5. One reason more high-value targets haven’t been hacked is that there is still so much low-hanging fruit for the bad guys to go after. According to Cobb, so far, there hasn’t been much need to try and crack the hardest targets.
6. Most attacks take the form of malware or hacking. Of the hacking attacks, Cobb says, 80% go after passwords that are either non-existent, guessed or stolen.
7. Anti-virus hasn’t been about matching virus signatures for years. Some people say the anti-virus model doesn’t work because so much new malware is coming out all the time that anti-virus solutions can’t possibly keep up. But Cobb protests that most anti-virus software is continually detecting previously unseen malware.
8. People who know what they’re doing on the Internet might be able to get by with no anti-virus software. But Cobb says people are fooling themselves when they claim: “I don’t run anti-virus software and I’ve never been hacked.” “Are you really OK telling everyone you know – your mom, for instance – not to run anti-virus software?” he asks.
9. There’s still an incredible amount of spam out there. You don’t see it, but it’s still there. Blocking it uses a huge amount of datacenter power, but that work is built into the network security appliance, so you don’t have to deal with it.
10. The overall trend is for increasing levels of security to be compressed into the core, to become part of a standard install. That’s happened to anti-spam, to firewalls and it’s happening to anti-virus, too.
11. It’s a lot harder to write 64-bit malware than it is to write 32-bit malware. And that could help lower the number of attacks on 64-bit systems.
12. In many ways, hacking behavior seems to have gotten better over the years – at least in the United States, Cobb says. But we are now increasingly exposed to other, more dangerous places. The globalization of the Net has caught up with us even as the value of hacking has gone way up. Today, hackers aren’t just messing with us, Cobb notes, they’re stealing from us. And that’s a big new incentive.
View full post on ReadWrite
Guest author Kris Barker is co-founder and CEO of Express Metrix Asset Management Software.
Even the smallest network is under threat from botnets, hacking, Trojans, denial of service (DoS) attacks and information leakage. Malicious or criminal attacks, the most expensive cause of data breaches, are on the rise and the consequences of poor network protection are harsh.
A Ponemon Institute and Symantec study published in March 2012 shows a jump in data breaches caused by malicious attacks from 31% in 2010 to 37% in 2011, with an average cost of $222 per incident. Negligence accounted for a further 39% of reported breaches. The majority of serious breaches result from failings in people, process and technology.
The majority of threats originate from within an organization. The U.S. Computer Emergency Response Team (CERT) estimates that insiders – whether malicious or merely careless – are responsible for almost 40% of IT security breaches. Security technology such as firewalls, content security appliances or desktop programs can’t entirely compensate for people’s ability to deliberately or innocently bypass the rules.
Meanwhile, changes in workplace habits like mobile working and the use of multiple devices have upped the security ante. Outside the office, employees connect to corporate systems and programs via VPN tunnels or Web-based remote access applications, using corporate, personal or even public computers and devices. With so many access methods, the network perimeter remains porous, leading IT security managers on a constant search for additional protection and monitoring capabilities.
The situation is exacerbated by the rise in employees’ use of their own devices for work, whether authorized or as an under-the-radar aid to productivity. Despite increasing acceptance of BYOD (Bring Your Own Device) practices, there’s a growing gap between what employees actually do and what organizations have accommodated into their security and corporate best practices. Research by Information Law LLC from March 2012 indicates that 31% of companies surveyed had no company policy governing employees’ use of their own devices at work, while a further 26% said they ‘sort of’ did.
The Case for Deeper Software Insight
In addition to securing the network perimeter, corporate desktops and mobile devices, IT departments need to quickly and easily monitor the software that users are installing and accessing, and ensure that only authorized individuals are using programs with access to sensitive information.
To this end, software asset management (SAM) tools add a valuable weapon to the IT security arsenal. SAM helps tackle potential risks from the software usage perspective, helping IT managers detect and halt threats in four major areas:
- Identifying malicious programs, hacking tools and other unauthorized software
- Preventing the use of suspect or malicious applications
- In the event of a security breach, examining application usage data to see who was running suspect applications
- Identifying and reducing the number of underused software titles so IT can support and patch fewer applications
Acceptable Application Matrix
It is much easier to maintain a robust security posture if acceptable software titles and types are defined and documented from the outset. Maintaining a matrix of tested, validated, approved and documented software helps strengthen policies and support existing technology. Establishing a matrix helps IT set policies preventing workers from using unauthorized software.
Despite the most stringent software usage policies, portable storage and mobile communications devices can insert unwelcome software behind the organization’s firewall at any moment. But disabling unacceptable programs can be a powerful weapon against potential security breaches. Application control also helps ensure that only authorized users can gain access to specific programs.
While most applications through which sensitive data can be accessed are protected by authentication controls, SAM solutions add a further layer of security by providing an instant snapshot – at any time – of which employees are accessing which program. The ability to retroactively trace the origins of a breach is an important reporting tool – especially for companies subject to regulatory compliance.
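The four checks listed above, together with the acceptable-application matrix, as an added example that is not the author’s product or any real SAM tool: a matrix of approved, restricted and banned titles, an inventory audit that flags unauthorized and banned software, a usage audit that catches restricted programs run by people outside their approved group, a “who ran it” lookup for post-breach review, and a report of installed titles that almost nobody uses, which are the candidates for retirement that shrink the patch burden. All titles, hosts, users and the two-user threshold are constructed.

```python
"""Software asset management checks against an acceptable-application matrix
(added example, not the author's product; all data constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    status: str                                   # "approved", "restricted" or "banned"
    allowed_users: frozenset = frozenset()        # only meaningful for "restricted"


# The acceptable-application matrix. Titles are matched case-insensitively;
# anything not listed is unauthorized by default.
MATRIX = {
    "microsoft office": Policy("approved"),
    "wireshark": Policy("restricted", frozenset({"netops1", "netops2"})),
    "crack.exe": Policy("banned"),
}

# Constructed inventory (host, installed title) and usage log (user, host, title run).
INVENTORY = [
    ("ws-01", "Microsoft Office"), ("ws-01", "Wireshark"),
    ("ws-02", "crack.exe"), ("ws-02", "Microsoft Office"),
    ("ws-03", "FooTorrent"), ("ws-03", "Microsoft Office"),
]
USAGE = [
    ("alice", "ws-01", "Microsoft Office"), ("bob", "ws-01", "Wireshark"),
    ("netops1", "ws-01", "wireshark"), ("carol", "ws-02", "crack.exe"),
    ("dave", "ws-03", "FooTorrent"), ("frank", "ws-03", "microsoft office"),
]


def classify(title: str) -> str:
    """Map a title to ok / restricted / banned / unauthorized using the matrix."""
    policy = MATRIX.get(title.lower())
    if policy is None:
        return "unauthorized"
    return {"approved": "ok", "restricted": "restricted", "banned": "banned"}[policy.status]


def audit_inventory(inventory):
    """Per host, every installed title with its verdict: the 'what is out there' view."""
    report = defaultdict(list)
    for host, title in inventory:
        report[host].append((title, classify(title)))
    return dict(report)


def audit_usage(usage):
    """Usage records with verdicts; a restricted title run by a user outside its
    approved group becomes 'restricted-violation' instead of plain 'restricted'."""
    findings = []
    for user, host, title in usage:
        verdict = classify(title)
        if verdict == "restricted":
            allowed = MATRIX[title.lower()].allowed_users
            verdict = "ok" if user in allowed else "restricted-violation"
        findings.append((user, host, title, verdict))
    return findings


def who_ran(usage, title: str):
    """After an incident: which users ran the suspect title, from the usage log."""
    return sorted({user for user, _, t in usage if t.lower() == title.lower()})


def underused(usage, inventory, min_users: int = 2):
    """Installed titles used by fewer than min_users distinct people: candidates to
    retire, so there is less software to support and patch."""
    users_by_title = defaultdict(set)
    for user, _, title in usage:
        users_by_title[title.lower()].add(user)
    installed = {title.lower() for _, title in inventory}
    return sorted(t for t in installed if len(users_by_title[t]) < min_users)
```

The default-deny stance is the point of the matrix: a title that nobody tested and approved is reported as unauthorized rather than silently tolerated, and the restricted tier lets a legitimate but sensitive tool such as a packet analyzer stay installed while any use of it outside the named group shows up in the audit.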
Improved Patch Management
Better SAM tools give IT a streamlined way to identify and eliminate underused or redundant software titles, and to restrict access on a needs-only basis. IT departments no longer have to act as detectives, and they can save time by supporting and patching fewer applications. They can also help ensure that all devices on the network are running the appropriate security software, a huge time saver.
Knowledge is power – and security. Your level of protection is significantly higher when you know exactly what software your organization authorizes, see who is accessing which programs, prevent the use of unacceptable programs and identify any breaches.
View full post on ReadWrite