Wednesday, 14 August 2013

Blackout warning: Philips “Smart lightbulbs” can be switched off by malware – and won’t come back on

Philips Hue lighting system is vulnerable to attacks which can cause a “perpetual blackout” in the homes of users, according to a security researcher.
The Hue wireless system – on sale in Apple stores – controls wireless LED light bulbs in the home via a wireless bridge, and can be controlled by iOS and Android apps. But researcher Nitesh Dhanjani says that the system it uses to authenticate devices makes it all too easy to turn lights on and off in other people’s homes.
Attackers could “black out” all the Hue lights from nearby (any nearby location within reach of the same Wi-Fi network) by using malware to capture one of the list of “whitelisted tokens” – and then “issue ‘all lights off’ instructions.” Dhanjani says that it’s also difficult for users to regain control of their system.
“The script infinitely issues a blackout command. If the victim manually switches the bulbs off and on, the lights will flicker on for less than half a second and then go off again until the victim recognizes and terminates the script. Alternatively, the victim can disconnect the bridge – however, the blackout will reoccur when the victim reconnects the bridge.”
Dhanjani explains that the system’s method of “recognizing” devices leaves it open to attack. “The hue bridge uses a whitelist of associated tokens to authenticate requests. Any user on the same network segment as the bridge can issue HTTP commands to it to change the state of the lightbulb. In order to succeed, the user must also know one of the whitelisted tokens. It was found that in case of controlling the bulbs via the hue website and the iOS app, the secret whitelist token was not random but the MD5 hash of the MAC address of the desktop or laptop or the iPhone or iPad. This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire (using the ARP cache of the infected machine).”
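To make the authentication weakness concrete, here is an added toy model (not code from the article, from Dhanjani or from Philips) of a bridge that accepts any whitelisted token: the weak derivation described above (token = MD5 of the controlling device’s MAC address) sits beside a hardened one in which the bridge mints a random token at pairing time. The MAC normalisation, token length and bridge API are assumptions for illustration only.

```python
"""
Toy model of token-whitelist authentication: deterministic MAC-derived tokens
(the weakness Dhanjani describes) versus bridge-minted random tokens.
Everything here is illustrative; the real bridge API and token format are assumed.
"""
import hashlib
import hmac
import secrets


class Bridge:
    """Stand-in for a bridge that authorises requests against a token whitelist."""

    def __init__(self) -> None:
        self._whitelist: set[str] = set()

    def whitelist(self, token: str) -> None:
        self._whitelist.add(token)

    def authorize(self, token: str) -> bool:
        # Constant-time comparison against each entry; no early exit on mismatch.
        return any(hmac.compare_digest(token, t) for t in self._whitelist)


def weak_token(mac: str) -> str:
    """Weak scheme from the article: the token is a deterministic function of the
    MAC address. Anyone who learns the MAC (it is visible to every host on the
    same LAN, e.g. via an ARP cache) recomputes the same token, so the 'secret'
    carries no entropy. Lower-casing the MAC is an assumed normalisation."""
    return hashlib.md5(mac.lower().encode()).hexdigest()


def strong_token() -> str:
    """Hardened scheme: the bridge mints a random 128-bit token during pairing
    and shares it only with the pairing app; knowing the MAC yields nothing."""
    return secrets.token_hex(16)


def pair_weak(bridge: Bridge, mac: str) -> str:
    """Pairing as the article describes it: token derived from the device MAC."""
    token = weak_token(mac)
    bridge.whitelist(token)
    return token


def pair_strong(bridge: Bridge) -> str:
    """Pairing with a bridge-generated random token."""
    token = strong_token()
    bridge.whitelist(token)
    return token


def demo(mac: str = "00:11:22:33:44:55") -> dict:
    """Does a party who knows only the MAC get accepted under each scheme?
    The default MAC is a constructed sample value."""
    weak_bridge = Bridge()
    pair_weak(weak_bridge, mac)
    strong_bridge = Bridge()
    pair_strong(strong_bridge)
    mac_only_guess = weak_token(mac)  # all a MAC-only observer can compute
    return {
        "weak_accepts_mac_only_guess": weak_bridge.authorize(mac_only_guess),
        "strong_accepts_mac_only_guess": strong_bridge.authorize(mac_only_guess),
    }


if __name__ == "__main__":
    print(demo())
```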
At the recent Black Hat security conference in Las Vegas, researchers showed off hacks that could affect “connected” devices such as televisions, door alarms and toilets.
“By 2022, the average household with two teenage children will own roughly 50 such Internet connected devices, according to estimates by the Organization for Economic Co-Operation and Development,” Dhanjani says. “Our society is starting to increasingly depend upon Internet of Things devices to promote automation and increase our well being. As such, it is important that we begin a dialogue on how we can securely enable the upcoming technology.”
Hacks against the Hue website could also allow access, Dhanjani warns.
“The Internet app will accept a six-character password, and as we all know, users have a distressing habit of re-using passwords for lots of different sites – meaning that if a password leaks, an attacker can remotely control the system,” Richard Chirgwin writes in a report on The Register.
“Lighting is critical to physical security. Smart lightbulb systems are likely to be deployed in current and new residential and corporate constructions. An abuse case such as the ability of an intruder to remotely shut off lighting in locations such as hospitals and other public venues can result in serious consequences,” Dhanjani writes. “It is important that Philips and other consumer IoT organizations take issues like these seriously. In the age of malware and powerful botnets, it is vital that people’s homes be secure from vulnerabilities like these that can cause physical consequences.”
ESET Security Evangelist Stephen Cobb offers a basic guide to securing a household full of digital devices in a blog post here. “On a typical evening or weekend at home, how many computing devices is your household using?” Cobb asks. “In my house the answer is 10, and that’s just my wife and I. Before you decide we’re an extreme example, make sure your household computer count includes all of the laptops, tablets, iPods, smartphones and the like. Then think about the TV and DVD player, one or both of which may be connected to the home network. The fact is, many homes today are multi-device households, with numerous PCs, Macs, tablets and smartphones.”

YouTube download plug-ins hijack browsers to deliver malware-laced adverts

Two video plug-ins for YouTube hijack users’ visits to the site and insert extra adverts – some of which are being hijacked by “malvertisers”, sending users to fake adverts which attempt to infect their PCs. A London analytics company which works on advertising fraud says that two plug-ins, Easy YouTube Video Downloader and Best Video Downloader, supplied as part of a bundle of browser tools, deliver unwanted adverts whenever users visit the YouTube homepage.
“When a user who has installed these plugins visits multiple display ad slots are injected across the YouTube homepage, channel pages, video pages and search results pages,” the company writes. Some of these advert slots are being bought by major advertisers including “Domino’s, Ford, Kellogg’s, Norton, Toyota, Sprint, Walgreens and Western Union.”
Others are being bought by less reputable companies, and deliver “malware-laden” advertisements to users, the company warns.
“The display ad slots injected by Sambreel are also being bought today by malvertisers—advertisers who provide malicious or malware-laden advertisements with a view to spreading malware to new users,” the company writes. “The first screenshot shows a fake alert, which suggests to the user that a Java update is required. If the user clicks the OK button, then the user is taken to the disreputable site shown in the second screenshot.”
A Google spokesperson, speaking to London’s Financial Times, said that the plug-ins violated YouTube’s Terms of Service: “Applications that change users’ experiences in unexpected ways and provide no value to publishers are bad for users and bad for the web. We’re continuing to look into these types of bad actors and have banned them from using Google’s monetisation and marketing tools.” The company and the FT point out that Sambreel, the company behind the plug-ins, has already been blocked by Facebook for injecting adverts via adware browser plug-ins. The new tools were marketed by two companies, Yontoo and Alactro, which the company says are subsidiaries of Sambreel.
Yontoo’s web page now says, “This product has been discontinued.”
An earlier blog post by ESET Security Evangelist Stephen Cobb described the impact of Yontoo on Mac OS X machines, “If you fall for it, a wealth of unwanted ads and redirections will likely follow, injected into pages on otherwise innocent sites. There are also reports of infection via phoney media players. The point is, criminals are using this plug-in to cheat online advertisers out of money by redirecting victims to sites that pay for traffic or clicks.”
“On December 9, 2011, the Wall Street Journal called Sambreel out for illegitimately injecting ads into Facebook and Google webpages via adware browser plugins like PageRage and BuzzDock,” the company writes. “Facebook subsequently blocked its users from using Sambreel’s adware browser plugins whilst accessing Facebook webpages. With Sambreel’s adware publicly exposed, major sell-side platforms and ad exchanges like PubMatic, Rubicon Project, and OpenX dropped Sambreel as a supplier of display ad inventory in 2012.”

Cyber criminals target the Dalai Lama website with Java watering hole exploit

Criminals have launched a watering hole attack, using the Dalai Lama's Central Tibetan Administration website to spread data-stealing malware.
Kaspersky Labs' principal security researcher Kurt Baumgartner reported discovering the attack in a blog post, confirming that a hacker group has hijacked control of the site and is using it to redirect unaware users to a malicious web page. He said the attack is interesting as the malicious code is written to specifically target Chinese and American visitors.
"The attack itself is precisely targeted, as an appended, embedded iframe redirects ‘xizang-zhiye(dot)org' visitors (this is the Chinese-translated version of the site) to a java exploit that maintains a backdoor payload. The English and Tibetan versions of the website do not maintain this embedded iframe on the Chinese version (please do not visit at this time). At this point in time, it seems that the few systems attacked with this code are located in China and the US, although there could be more," he wrote.
Marta Janus, security researcher at Kaspersky Lab, said the attack uses an old Java exploit to bypass security protocols, deliver the malware payload and gain access to data stored on the infected machine. "The attackers injected malicious code into the Chinese version of the website, causing the users to be redirected to the Java exploit, which tries to install the backdoor application on their computers. The backdoor then enables the attackers to harvest information from infected computers," she told V3.
Janus said attacks towards Tibetan activists are nothing new, and have been taking place for a couple of years now, yet the attackers are constantly coming up with more and more sophisticated techniques.

"Although this particular advanced persistent threat (APT) doesn't seem to affect non-Chinese speaking people, cyber criminals can reuse some of the methods for distributing other malware in other countries as well. That's why it's always important to be aware of such threats and adequately protect ourselves, even if we are not falling into the "target" category this time."
Janus added that, while troubling, the attack is of little concern to most businesses. “It affects only those users who visit the Chinese version of the website. Therefore, we can say that the target was Chinese-speaking people interested in Tibet and its political situation,” she said.

“From the server side, the problem can be fixed by removing the malicious code from the website, investigating the breach and addressing the potential security flaws in the software that runs on the server. To prevent infection, the users should always ensure that their computers and AV software are up to date.”
Watering hole attacks are a growing challenge facing the security community. Security firm Context reported detecting a number of state-sponsored cyber attacks targeting businesses with government or military contracts.

Microsoft fixes critical flaws in Internet Explorer, Exchange Server and Unicode Scripts Processor

Microsoft has issued fixes for critical vulnerabilities in its Internet Explorer, Exchange Server and Unicode Scripts Processor services in its latest patch Tuesday update.
The patch rollout included eight security bulletins addressing 23 vulnerabilities. The most serious are the MS13-059 Internet Explorer, MS13-060 Unicode Scripts Processor and MS13-061 Microsoft Exchange Server updates, which are all listed as critical fixes.
Qualys chief technology officer Wolfgang Kandek listed the Internet Explorer vulnerabilities as being particularly dangerous as they exist in multiple versions of the web browser.
"For MS13-059, the affected software is Internet Explorer (IE) and is definitely installed. It fixes 11 vulnerabilities in all versions of IE from IE6 to IE10 on Windows RT. It is rated ‘critical’ on all operating systems and should be installed as soon as possible, as its exploitation index is a low ‘1’, indicating that Microsoft believes that exploit code can be crafted relatively quickly (within 30 days)," he said.
"As usual with IE vulnerabilities, the attack vector would be a malicious webpage, either exploited by the attacker or it could be sent to the victim in a spear-phishing email. Patch this immediately as the highest priority on your desktop system and wherever your users browse the web."
Kandek said the other two critical vulnerabilities, while serious, relate to more specific versions of Windows or have already been patched by other companies, meaning most businesses with up-to-date systems should be safe.
"MS13-060 addresses a font vulnerability in the Bangali font, part of the Indic language pack. MS13-060 can only be exploited in Windows XP, so your organisation might escape this patch if the language pack is not installed or if you are not running on XP anymore," he said.
"The critical bulletin MS13-061 addresses three vulnerabilities in Microsoft Exchange that can be traced back to the third-party library Outside In from Oracle. Oracle published new versions of Outside In in April and July, and Microsoft has incorporated these new versions in this update."
He added that while other vulnerabilities addressed in the patch update are lower priority, the three critical releases should act as a stark reminder for businesses to follow cyber best practice guidelines and install fixes as soon as possible.
"Overall [it was] a normal Patch Tuesday with the Internet Explorer patch, which is now a normal monthly occurrence and the expected Microsoft Exchange fixes for the Oracle library Outside In, plus a good reminder of the Windows XP end-of-life," he said.
Patch Tuesday is a monthly event for Microsoft, where it releases fixes for newly discovered vulnerabilities in its services. Last month the patch rollout saw the tech giant release fixes for six critical vulnerabilities in its .Net Framework and Silverlight packages.

Oracle chief Larry Ellison defends PRISM as 'essential' but calls Google 'evil'

Oracle CEO Larry Ellison has lashed out at Google, branding their actions concerning his firm's Java tools as "evil" in a TV interview. He also defended the NSA's tactics regarding PRISM, calling them "essential".
In an interview broadcast on the US show CBS This Morning, Ellison still appeared to be reeling from the failed lawsuit his company filed against Google in 2012, in which Oracle claimed that Google had infringed patents with its use of Java components in its Android operating system.
"The only guys I have trouble with are the Google guys. Larry [Page, Google CEO] specifically," he said. "We don't compete with Google, we just think Google took our stuff, and that was wrong. I think what they did was absolutely evil. I know his [Page] slogan is don't be evil, but I think he slipped up this time."
In a wide-ranging interview – which also touched on Ellison's friend and Apple founder Steve Jobs, who he described as "irreplaceable" – the Oracle CEO also sought to defend the NSA's practices with its internet-surveillance practices.
"Who's ever heard of this information being misused by the government? It's great," he said, adding: "President Obama thinks it's essential. It's essential if we want to minimise the kind of strikes we just had in Boston."
He made clear that the tactics were only justifiable when hunting terrorists, saying it would only be an issue "if the government used it to do political targeting. If we stopped looking for terrorists and we started looking for people on the other side of the aisle."
Ellison is well known for dividing opinion when speaking in public, having previously savaged HP over its 2010 appointment of Léo Apotheker as CEO and ridiculed software firm SAP in his first and only Tweet.

PRISM: Spooks only touched 0.00004 percent of the world's web traffic, claims NSA

The US National Security Agency (NSA) claims its agents only saw 0.00004 percent of the world's web traffic while conducting their PRISM missions.
The agency made the claim in a report entitled The National Security Agency: Missions, Authorities, Oversight and Partnerships, and said: "According to figures published by a major tech provider, the internet carries 1,826 Petabytes of information per day. In its foreign intelligence mission, NSA touches about 1.6 percent of that. However, of the 1.6 percent of data, only 0.025 percent is actually selected for review.
"The effect is that NSA analysts look at 0.00004 percent of the world's traffic in conducting their mission – that's less than one part in a million. Put another way, if a standard basketball court represented the global communications environment, NSA's total collection would be represented by an area smaller than a dime on that basketball court."
The NSA's claims follow numerous reports that it siphoned vast amounts of data from tech companies such as Microsoft, Google, Yahoo, Twitter and Facebook as part of its PRISM cyber intelligence program. The report moved to downplay concerns about what data it collected, promising that safeguards put in place by the Foreign Intelligence Surveillance Act (FISA) meant the analysts could not access non-relevant data from businesses.
"Under NSA's Business Records FISA program (or BR FISA), first approved by the Foreign Intelligence Surveillance Court (FISC) in 2006 and subsequently re-authorised during two different administrations, four different Congresses, and by 14 federal judges, specified that US telecommunications providers are compelled by court order to provide the NSA with information about telephone calls to, from, or within the US," read the report.
"The information is known as metadata, and consists of information such as the called and calling telephone numbers and the date, time, and duration of the call, but no user identification, content, or cell site locational data. The purpose of this particular collection is to identify the US nexus of a foreign terrorist threat to the homeland. The Government cannot conduct substantive queries of the bulk records for any purpose other than counterterrorism."
The document alleged that PRISM is an essential tool in the government's ongoing War on Terror, claiming that the 9/11 attacks proved the need for the advanced intelligence-gathering program.
"After the al-Qaeda attacks on the World Trade Center and the Pentagon, the 9/11 Commission found that the US Government had failed to identify and connect the many dots of information that would have uncovered the planning and preparation for those attacks. We now know that 9/11 hijacker Khalid al-Mihdhar, who was on board American Airlines flight 77 that crashed into the Pentagon, resided in California for the first six months of 2000," read the report.
"While NSA had intercepted some of Mihdhar's conversations with persons in an al-Qaeda safe house in Yemen during that period, NSA did not have the US phone number or any indication that the phone Mihdhar was using was located in San Diego. NSA did not have the tools or the database to search to identify these connections and share them with the FBI. Several programs were developed to address the US Government's need to connect the dots of information available to the intelligence community and to strengthen the co-ordination between foreign intelligence and domestic law enforcement agencies."
Despite the NSA's report, numerous businesses have continued to express concerns regarding the PRISM program. Most recently Lavabit and Silent Circle have discontinued their respective secure email services, hoping to pre-empt future snooping requests from the NSA.

GCHQ anti-hacker cyber security response services open for business

The GCHQ has launched two cyber incident response initiatives to help UK businesses better respond to cyber attacks.
The schemes will see the GCHQ collaborate with the Centre for the Protection of National Infrastructure (CPNI) and the Council of Registered Ethical Security Testers (CREST) to help businesses prepare for and mitigate the damage of cyber attacks.
The two schemes are the next step in the GCHQ's Cyber Incident Response initiative, which began running on a trial basis in November 2012. The first new initiative will continue the original trial's work, offering businesses a list of government-assured cyber response and cleanup service providers to help them deal with the aftermath of a successful cyber attack on their networks.
The second initiative will see CREST work with GCHQ to create a set of clear standards detailing what cyber security providers should have in place to protect their clients' information. Companies that meet the standard will be granted special certification by CREST and will earn a place on the GCHQ's recommendations list.
Minister for cyber security Chloe Smith said the schemes will help businesses operating in the UK deal with the recent wave of sophisticated threats targeting them. "We know that UK organisations are confronted with cyber threats that are growing in number and sophistication. The best defence for organisations is to have processes and measures in place to prevent attacks getting through, but we also have to recognise that there will be times when attacks do penetrate our systems and organisations want to know who they can reliably turn to for help," she said.
"I am delighted to announce a unique Government-industry partnership to tackle the effects of cyber incidents. This scheme and others like it, together with the 10 Steps to Cyber Security guidance for business launched last year, are an important part of our effort to provide assistance to industry and government in order to protect UK interests in cyberspace."
The two initiatives are a part of the UK's wider cyber strategy. The strategy was launched in 2011 when the UK government pledged to invest £650m to improve the nation's cyber defences.
The strategy has seen several initiatives designed to improve collaboration between the public and private sector when dealing with cyber threats. This included the launch of the Cyber Security Information Sharing Partnership (CISP) in March.

Syrian Electronic Army Hacked Facebook and Twitter Accounts of the New York Post

The compromised Twitter accounts are the ones of the New York Post (@newyorkpost), from which all tweets have been removed except one urging users to follow @nypost, Brian Lewis (@NYPost_Lewis), Paul Swartz (@NYPost_Schwartz), Mike Puma (@NYPost_Mets) and NY Post Business (@nypostbiz).
From the hijacked accounts, the Syrian Electronic Army posted “Syrian Electronic Army was here” messages.
Currently, all accounts, except for @newyorkpost, appear to have been recovered and are working properly.
However, the New York Post hasn’t made any statements regarding the incident.
The only one who mentioned the hack is Brian Lewis who tweeted: “Working on fixing this.”
The hackers haven’t revealed why they’ve targeted the New York Post. However, judging by past attacks, it’s possible that the media organization published something about Syria that the hackers didn’t like.
E Hacking News reports that in addition to the New York Post accounts, the Twitter account of Washington Post columnist Jason Reid was also hijacked by the Syrian Electronic Army.
So how did the hackers manage to take over the social media accounts? They did it by breaching the systems of social media optimization platform SocialFlow.
“Update: today an employee's email account was compromised in a phishing attack. As a result, our Twitter and FB accounts were compromised,” SocialFlow representatives stated.
“No customer access or data was compromised in this attack. As part of our security controls, we immediately took our service offline,” they added.
“We are following our security protocols to restore service and are communicating with customers directly.”
After the statement was published, the Syrian Electronic Army told the company “not to lie to its customers.”
“Your main website and blog was hacked too,” the hackers said.

Baby monitor hacked, spies on Texas child

Marc and Lauren Gilbert were terrified when they heard a strange voice calling out to their 2-year-old daughter Allyson, through a baby monitor in her room. The Texas family learned the hard way that almost anything connected to the Internet can get hacked.
According to ABC News, Gilbert was washing dishes on the night of Aug. 10, when he heard noises coming from his daughter's room. He and his wife went in to investigate, and witnessed something more disturbing than they thought possible.
A baby monitor hooked up to the home's wireless Internet connection appeared to be operating on its own, with a voice coming through it. CNN reports that the hacker used the device to curse and say sexually explicit things to the sleeping girl -- calling her by name and telling her to wake up.
Gilbert says the hacker was able to take control of the camera and see his daughter's name on the wall. In a panic, he pulled the plug on the device. The girl was not disturbed by the hacker's calls because she was born deaf, having to depend on a cochlear implant to hear.
Dave Chronister, who is the managing partner of Parameter Security, did not consult the Gilbert family, but works for an ethical hacking company that is familiar with these types of hacks. Chronister believes that the Gilberts were using a webcam, equipped with speakers, that was compromised.
"In this case, what it sounds like is that they set this camera up, and someone cracked into the wireless network," Chronister told
Chronister says that cracking into these webcams is similar to breaking into a website. If a password is not set, or is weak, the website that is used to manage the device can be compromised.
Parents can protect their homes by setting a strong password. Chronister recommends using Wi-Fi Protected Access 2 (WPA2) to set up a password because it uses better encryption standards and is very difficult to crack, especially combined with a good password.
Chronister says that these hacks are often just kids pulling a prank, and warns of a phenomenon called "wardriving" -- where people drive around looking for homes with weak wireless security.
"The thing to understand is that not all hackers have pointed at you as a target. You just happened to have a device that they know how to hack, so they hack it," Chronister says.
To parents worried about their own home monitors being hacked, Chronister says: "Make sure you punch in a password and make sure it's long."
Gilbert says the family will probably ditch the device permanently.