Tuesday, 22 July 2014

Beware Keyloggers at Hotel Business Centers

The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.
A DHS/Secret Service advisory dated July 10, 2014.
In a non-public advisory distributed to companies in the hospitality industry on July 10, the Secret Service and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) warned that a task force in Texas recently arrested suspects who had compromised computers within several major hotel business centers in the Dallas/Fort Worth area.
“In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software,” the advisory reads.
“The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts,” the warning continues. “The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”
The advisory lists several basic recommendations for hotels to help secure public computers, such as limiting guest accounts to non-administrator accounts that do not have the ability to install or uninstall programs. This is a good all-purpose recommendation, but it won’t foil today’s keyloggers and malware — much of which will happily install on a regular user account just as easily as on an administrative one.
While there are a range of solutions designed to wipe a computer clean of any system changes after the completion of each user’s session (Steady State, Clean Slate, et al.), most such security approaches can be defeated if users are also allowed to insert CDs or USB-based flash drives (and few hotel business centers would be in much demand without these features on their PCs).
Attackers with physical access to a system and the ability to reboot the computer can use CDs or USB drives to boot the machine straight into a stand-alone operating system like Linux that has the ability to add, delete or modify files on the underlying (Windows) hard drive. While some computers may have low-level “BIOS” settings that allow administrators to prevent users from booting another operating system from a USB drive or CD, not all computers support this option.
The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer. But don’t take my word for it. This maxim is among the “10 Immutable Laws of Security” as laid out by none other than Microsoft’s own TechNet blog, which lists law #3 as: “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.”
The next hotel business center you visit may be completely locked down and secure, or it could be wide open and totally overrun with malware. The trouble is that there is no easy way for the average guest to know for sure. That’s why I routinely advise people not to use public computers for anything more than browsing the Web. If you’re on the road and need to print something from your email account, create a free, throwaway email address at yopmail.com or 10minutemail.com and use your mobile device to forward the email or file to that throwaway address, and then access the throwaway address from the public computer.

Twitter and Facebook spammers exploit MH17 crash

Scammers are using the MH17 disaster in east Ukraine to spread objectionable links, online security experts have warned.
A link to a pornographic website disguised as a video of the Malaysia Airlines crash was posted on a Facebook page dedicated to one victim.
Many tweets have been posted that appeared to report the disaster, but actually included spam links. One expert said the firms should take more responsibility for removing them. The chief intelligence officer of anti-spam body Spamhaus, Richard Cox, said that it was common for spammers to exploit anything being discussed by a lot of people online.

Israeli hi-tech firm to launch Energy Cyber Security Center

Aiming to tackle threats to infrastructure around the globe, the company plans to launch its Energy Cyber Security Center in Hadera on September 15.

This computer-generated image shows the Nation-E cyber security firm’s new Energy Cyber Security Center, set to open in Hadera in September. Photo: NATION-E
In a world where web-based hacker attacks have reached far beyond lifting personal credit card information, a Herzliya-based firm is preparing to launch a first-of-its-kind Energy Cyber Security Center this fall.

“We are now in the position to help every country, every utility – whether it’s gas, water, or energy – to secure their digital network, to integrate today with electric cars, with energy infrastructure, with storage devices,” Daniel Jammer, founder and CEO of energy cyber security firm Nation-E told The Jerusalem Post.

There, Nation-E and its growing team of professional hackers will provide testing for companies around the globe – evaluating the strength of microgrids, smart meters, and all grid-connected devices, and determining how and why attackers are able to infringe.

“We are talking here about what is not a game – it is real life, real responsibility,” Jammer said. “To integrate renewables, to integrate our new century of grid becomes dangerous. We need to start securing it, we need to start monitoring it.” At the recent World Cup, Nation-E was chosen by the Brazilian government to provide full support for the broadcasting infrastructure, including constant monitoring and securing of the energy supply, Jammer said. Such monitoring was crucial, Jammer explained, due to the hundreds of electricity meters, batteries, 6,000 diesel generators, and other devices all connected to one system.

As Nation-E works to build up its customer base for the Energy Cyber Security Center, Jammer has identified many potential clients: sea ports and airports, production lines, hospitals, data centers, financial services, sports and entertainment centers, utilities, telecommunications – such as smart-home infrastructure, machine-to-machine communication, and consumer data – and global engineering houses like Siemens, General Electric, and IBM. At the center, professional team members will provide energy cyber security, energy risk management, and business continuity.

“Everybody wants to have data, to understand what’s happening,” Jammer said. “But these data are vulnerable.”

Jammer and his employees are aiming to provide a solution to that problem – to prevent future infringements into increasingly smart electricity networks, against hackers who can get into these networks and from there, access all of the data stored within tomorrow’s “smart house.”

“The first layer of smart grid can be rolled out in a very smart way if you understand that you need to secure your customer,” Jammer explained.

In the modern utility, having a “dynamic network where you can reach millions of customers at the same time” is essential, according to Jammer.

Such communication must be bi-directional, so that consumers – who are increasingly becoming producers – can determine when to feed the renewable energy they generate at home to the grid.

“To communicate with someone who has energy is a gift,” Jammer said.

“Either utilities need to invest more and more into generation assets, or they are working with people like you and me.”

Nation-E’s cyber security system works by targeting several different fronts. For the private consumer, an energy cyber security router sits in the home, connected to personal computers, mobile devices, smart meters, and any renewable energy infrastructure that may feed electricity to the home and the national grid, Jammer explained.

Utilities, on the other hand, can make use of the company’s Cerebrum system, which allows them to act as a command and control center that communicates securely with consumers. In the future, consumers will potentially be able to provide the grid with electricity through home solar or wind energy generators.

For the energy cyber router, the company will be charging a one-time fee of $299 plus $2.50 per month for each at-home infrastructural connection, such as solar energy generators, storage units, or automotive charging spots.

As far as utilities and the Cerebrum software are concerned, these companies will receive the software itself for free but will need to pay $2.50 for every consumer they want to connect.

“The idea is to give all the companies in the world the possibility to test it, to integrate it, to mitigate it, to challenge it, and to say they want to install it,” Jammer said.

At the center, utilities will be able to learn how to integrate these cyber security features within their particular network, specifying their individual needs and receiving risk mitigation recommendations from the center’s employees.

The center’s “Red Team” – essentially a hacking team – will try to attack energy storage, fuel cells, inverter-converters, wind and solar energy generators, and other pieces connected to the grid.

“This team will give you everything that you need in order to integrate and have a certified approach. Your network is cyber secure and ready to go,” Jammer said.

Thus far, about 40 utilities from Germany, Luxembourg, France, and a number of other countries have begun approaching Nation-E about the future center and the company’s technology, Jammer said.

Nation-E’s Energy Cyber Security Center will work in cooperation with the Israel Electric Corporation’s “Cyber Gym,” also located in Hadera, which serves a different, but related function, Jammer explained.

While the IEC’s Cyber Gym also works on preventing vulnerabilities in grid infrastructure, it is doing so on a more macro level, focusing on the larger supervisory control and data acquisition (SCADA) and information technology systems, according to Jammer.

“What we are doing is we are giving them the possibility to integrate with our system and give a complete holistic approach to a utility, from the command and control center to the last point of the energy infrastructure,” he said.

Energy cyber security is becoming increasingly critical, Jammer stressed in a recent follow-up phone interview, commenting on a particular incident in which utilities faced threats earlier this month. At the beginning of July, media sources around the globe reported on the Russian “Energetic Bear” virus that enabled hackers to penetrate power plants in Europe and the United States.

“A cyber-attack has no face, and that’s the problem,” Jammer said. “It has no sender and doesn’t matter from where it comes. In order to mitigate it we need to position ourselves correctly.”

Hidden network packet sniffer in MILLIONS of iPhones, iPads – expert

An analysis of iOS by a security expert has highlighted various tools in the operating system that could be used for surveillance.
Jonathan Zdziarski concluded that the vast majority of iThing owners are unaware of lax mechanisms protecting their data.
Data forensics expert and author Zdziarski wrote an academic paper on his findings in March, and gave a related talk [PDF] at the Hackers On Planet Earth (HOPE X) conference in New York on Friday.
The results of his research – triggered by reports of the NSA spying on Apple products – indicate a backdoor in iOS, although it's not as wide open as some reports have suggested.
"There are certain steps that have to be taken to get this data," Zdziarski told The Register. "Backdoors are guarded, there are things protecting it – you don’t just type 'Joshua' for full access."
Zdziarski's analysis shows that 600 million iOS devices, particularly those running the most recent version 7 builds, have data discovery tools that are separate from those used by Apple for standard backup and storage. These include a file-relay service that can snoop out data, bypassing the Backup Encryption service offered by Apple.
This data includes a copy of the user's address book, stored photos, the voicemail database and audio files, any accounts configured on the device such as iCloud, Facebook or Twitter, a cache of screenshots, keystrokes and the device's clipboard, GPS data, and – on iOS 7 – a metadata disk sparseimage of the iOS file system.
Zdziarski notes that this is a one-way tool, in that it's very useful for taking data off the device but not for putting it back on for a backup service. The data is also in too raw a format to be of any use to a Genius Bar tech support team.
In addition there is also, we're told, a packet sniffer dubbed com.apple.pcapd on the device that fires up without notifying the iOS device's owner. This can log and export network traffic and HTTP request/response data from the device and could be targeted via Wi-Fi for remote monitoring, Zdziarski said.
This software isn't some legacy code left on the device by Apple engineers for testing – it has been actively updated and expanded in various iOS revisions, according to Zdziarski.
But it's not something Apple has talked about, or even officially documented, and seems to have little to offer other than for those who seek to slurp data off iOS devices. It is separate from the packet-tracing techniques described on the Apple developer website.

When the cops come knocking...

One possibility is that the software is needed so that the gadgets conform to the 1994 Communications Assistance for Law Enforcement Act (CALEA), which requires tech firms to have systems in place to allow properly accredited law enforcement limited access for wiretapping.
But Zdziarski told El Reg that the software didn’t look fit for that purpose.
"I think Apple has exceeded any requirements the CALEA law has with these tools," he said. "The existence of these interfaces exceeds anything that law requires. It could be that there's some kind of secret court order requiring this, but if there is then the public needs to know about and understand that."
Of course, to access all these hidden tools you'd need access to the target's iPhone, and Apple's security is invincible, right? Not so fast there: Zdziarski has also uncovered a way to get around this that, while hard for common-or-garden hackers, wouldn't be too tough for law enforcement.
When an iOS device pairs with a desktop system to sync data, the mobile operating system establishes a trusted connection and generates a set of keys and certificates, which it stores in a single pairing-record file on both the PC and the device. Only a factory reset wipes this pairing data from the iOS device.
While pairing is done over USB, if someone has access to this pairing data, the device becomes much easier to crack. The pairing data is exchanged via TCP port 62078, and an attacker could log onto the device in seconds if they share the same Wi-Fi network.
Getting access to pairing data would be tricky for a hacker working alone, but if law enforcement impounds someone's desktop, it's easy for a cop or g-man to crack any iOS device the PC is paired with. If you're the NSA, with a Tailored Access Operations division that specializes in this sort of thing, getting into Apple's backdoor is easy as pie.
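Because the pairing record on the desktop is what makes a device easy to reach, a user's first defensive step is knowing which records their own machine holds. The following audit script is an added example, not code from the article or from Zdziarski; the record directories, the `<UDID>.plist` naming and the plist key names are assumed from iTunes/libimobiledevice conventions, and the sample record is constructed.

```python
# Added example (not the article's code): audit the iOS pairing records a host
# keeps. A pairing leaves a plist of keys/certificates on the host; whoever holds
# it can reach the device's lockdown service (TCP 62078) as a trusted host, so
# stale records are worth finding and deleting. Paths/key names are assumed.
import os
import platform
import plistlib
import re
from datetime import datetime

# Assumed conventional record directories per host OS (iTunes/libimobiledevice).
PAIRING_DIRS = {"Darwin": "/var/db/lockdown",
                "Windows": r"C:\ProgramData\Apple\Lockdown"}
# Records are named <UDID>.plist; 2014-era UDIDs are 40 hex characters.
UDID_RE = re.compile(r"^([0-9a-fA-F]{40})\.plist$")
# Keys holding the secret half of the pairing (assumed names).
SECRET_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")

# Constructed sample record for offline demonstration; every value is made up.
SAMPLE_RECORD = plistlib.dumps({
    "HostID": "11111111-2222-3333-4444-555555555555",
    "SystemBUID": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
    "WiFiMACAddress": "00:11:22:33:44:55",
    "HostCertificate": b"<cert>", "HostPrivateKey": b"<key>",
    "RootCertificate": b"<cert>", "RootPrivateKey": b"<key>",
})

def record_udids(filenames):
    """UDIDs of the pairing records among a directory's entries, sorted."""
    return sorted(m.group(1) for n in filenames if (m := UDID_RE.match(n)))

def summarise_record(plist_bytes):
    """Non-secret identifiers plus which secret material the record carries."""
    rec = plistlib.loads(plist_bytes)
    return {"host_id": rec.get("HostID"),
            "system_buid": rec.get("SystemBUID"),
            "wifi_mac": rec.get("WiFiMACAddress"),
            "secrets_present": [k for k in SECRET_KEYS if k in rec]}

def audit(directory):
    """One summary per record in `directory`, oldest first; [] if absent."""
    if not os.path.isdir(directory):
        return []
    results = []
    for udid in record_udids(os.listdir(directory)):
        path = os.path.join(directory, udid + ".plist")
        with open(path, "rb") as fh:
            info = summarise_record(fh.read())
        paired = datetime.fromtimestamp(os.path.getmtime(path)).isoformat()
        results.append({"udid": udid, "paired": paired, **info})
    return sorted(results, key=lambda r: r["paired"])

if __name__ == "__main__":
    for entry in audit(PAIRING_DIRS.get(platform.system(), "")):
        print(entry)
```

Records for devices you no longer own or never intended to trust can be deleted from that directory; the device side keeps its copy until a factory reset, as the article notes.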
Zdziarski said he was inspired to delve deeper into iOS security after reading a report in Der Spiegel that the NSA was targeting iOS gadgets and the systems they are paired with. While Zdziarski says he doesn't want to be sensationalist about his findings, it's clear Apple owes customers some answers.
Cook & Co were unavailable for comment at time of going to press.

Updated to add

After publication, Apple apparently briefed journalists that the services identified by Zdziarski are not deliberately provided for government agencies to exploit. Instead, they are for "diagnostic" purposes and to allow enterprise IT bods to manage workers' devices.
"The problem with this is that these services dish out data (and bypass backup encryption) regardless of whether or not 'Send Diagnostic Data to Apple' is turned on or off, and whether or not the device is managed by an enterprise policy of any kind," Zdziarski responded on his blog.
"Every single device has these features enabled and there’s no way to turn them off, nor are users prompted for consent to send this kind of personal data off the device."
Defenders of Apple have been quick to suggest that the mechanisms highlighted by Zdziarski are known to some developers; for example, an unofficial open-source client exists for the file-relay service so that Linux computers can talk to iThings, and some notes exist for lockdownd. However, the presence of these services is not flagged up to users, and the pcapd daemon remains unexplained – indeed, Apple's documentation insists: "iOS does not support packet tracing directly." All of which is a cause for concern.
"The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user," he added.
"I don’t buy for a minute that these services are intended solely for diagnostics. The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption."