Sunday, 11 January 2015

Meet Reuben Paul: 8 year old CEO, Cyber Security Ambassador and Haxpo Highlight Speaker
This year's HITB Haxpo in Amsterdam features Reuben Paul, an 8 year old CEO, as one of the highlight speakers.
Taking place at De Beurs van Berlage from the 27th till the 29th of May, HITB Haxpo 2015 will be a free-to-attend technology exhibition featuring the latest hacker and maker goodies along with its own set of talks and briefings by a variety of speakers. There will also be a Capture the Flag competition run by the CTF Crew, a Lock Picking Village by TOOOL Netherlands and, in addition to various EU based hackerspaces, an area featuring hacker and maker startups!
Reuben is 8 years old today and a 3rd grader at Harmony School of Science in Austin, TX. When asked by his 1st grade teacher to illustrate his future career, he drew that he wanted to become a Cyber Spy. Reuben Paul is an example of what we're trying to achieve with HITB Haxpo - to show the world that anyone can be a hacker, maker, breaker or builder. As an eight year old CEO and hacker, he sets an example for a lot of us and we are thrilled to have Reuben join us as one of our highlight speakers for this year's Haxpo.
In its first podcast episode of the year, Paul Asadoorian and the guys at Security Weekly interviewed Reuben and spoke to him about a variety of topics including his adventures in 2014, his plans for the year ahead and what it's like being 'The Kung Fu Kid'!

Thieves Jackpot ATMs With ‘Black Box’ Attack
Previous stories on KrebsOnSecurity about ATM skimming attacks have focused on innovative fraud devices made to attach to the outside of compromised ATMs. Security experts are now warning about the emergence of a new class of skimming scams aimed at draining ATM cash deposits via a novel and complex attack.
At issue is a form of ATM fraud known as a “black box” attack. In a black box assault, the crooks gain physical access to the top of the cash machine. From there, the attackers are able to disconnect the ATM’s cash dispenser from the “core” (the computer and brains of the device), and then connect their own computer that can be used to issue commands forcing the dispenser to spit out cash.
In this particular attack, the thieves included an additional step: They plugged into the controller a USB-based circuit board that NCR believes was designed to fool the ATM’s core into thinking it was still connected to the cash dispenser.

WhatsApp users top 700 million, could hit 1 billion in a year
Mobile messaging platform WhatsApp has accumulated more than 700 million monthly active users and seems on track to reach 1 billion in about a year, a target Facebook set when it acquired the company in 2014.
The announcement comes about 11 months after Facebook acquired the app for $16 billion, a move that reflected the importance that Facebook places on mobile users.
The latest WhatsApp milestone is significant because it also highlights the recent rise of messaging apps as a more popular and economical option than SMS text messaging, which has suffered declines of nearly 5 percent in countries such as the U.K. In France operators saw SMS traffic on Jan. 1 decline by 10 to 20 percent compared to last year, while the use of MMS, messaging apps and other data traffic rose, according to local media.

Lizard Squad's Stresser Is Mostly Powered By Hacked Home Routers

Lizard Stresser
Lizard Squad, the infamous hacker group that knocked Xbox Live and PSN offline, released a paid DDoS tool, Lizard Stresser, after Christmas Eve. Now the security expert Brian Krebs of KrebsOnSecurity says the Lizard Stresser tool draws on Internet bandwidth from hacked home Internet routers around the globe that are protected by little more than factory-default usernames and passwords.
Krebs says LizardSquad’s botnet is not made entirely of home routers. It also makes use of commercial routers at universities and companies as well as other devices.
The malicious code that converts vulnerable systems into stresser bots not only turns routers into attack zombies, but also uses the infected system to scan the internet for more devices that use factory default settings.
His research states that there is no reason the malware couldn’t spread to a wide range of devices powered by the Linux operating system, including desktop servers and Internet-connected cameras.
So the existence of such botnets is not only a threat to the internet community but also reminds us to change our default router passwords.

Security Vulnerability Found In North Korea's Own OS

Security Vulnerability Found In Red Star OS
From a technological perspective, North Korea is a country that runs its own operating system, Red Star OS. First introduced in 2003, it was originally derived from Red Hat Linux to improve security against outside attacks.
Now an anonymous security researcher has identified a flaw in the permissions settings on a key file that allows anyone with access to the system to run commands as root. "Red Star 3.0 desktop ships with a world-writeable udev rules '/etc/udev/rules.d/85-hplj10xx.rules' which can be modified to include 'RUN+=' arguments executing commands as root by udev.d," the researcher wrote.
The flaw would allow any user to elevate their privileges and bypass the North Korean government's security policies.
Udev.d is a generic kernel device manager that can identify hardware "hot-plugged" into a Linux system. The rules file determines how to handle the events associated with the connection of a new device and can include commands to be launched when certain devices are connected—commands that are run with system-level privileges. The "85-hplj10xx.rules" file is the ruleset associated with drivers for USB-connected devices and is common to most Linux distributions.
Because the permissions on that file are set to "world writable," any user, regardless of permission level, could change the rules to trigger on any device and execute any command they wanted with system-level privileges.
The researcher also discovered a similar file permission error in Red Star OS 2.0's desktop version, which is easier to abuse - the system configuration file for Linux's rc utility, which manages the operating system's boot-up. That vulnerability would allow anyone to add commands to be executed during system boot--a great way to ensure that surveillance software or other malware loads up persistently.
This story reminds us of a simple fact: "Nobody is fully protected from cyber attacks".

Cal State San Bernardino to hold Cyber Security Summit

Cal State San Bernardino will hold a Cyber Security Summit 7:30 a.m. to 4:30 p.m. Jan. 20 at Cal State’s Santos Manuel Student Union.
The summit will cover a variety of topics related to cyber security and feature a number of experts in the field.
Sessions are “Cyber security is the new business priority,” “The cyber security skills shortage no one is talking about,” “How secure is your bank information,” “Hacking gets physical: Who turned off the power” and “Women in cyber security.”
Scheduled speakers include Betsy Bevilacqua, information security risk manager, Facebook; Lesley Piper, cyber security engineer, MITRE Corp.; Lea Deesing, chief innovation officer, city of Riverside; Vaughn Book, chief information officer, Arrowhead Credit Union; and Corrine Sande, computer information systems officer, Whatcom Community College.
The luncheon speaker will be B. Lynne Clark, division chief, IAD Education, Training and Academic Outreach, National Security Agency.
The summit is sponsored by Cal State San Bernardino, the CSUSB Business Alliance and the Cal State College of Business and Public Administration.
Organizations and company participants include Facebook, City National Bank, National Security Agency, Federal CIO Council, Accent Computer Solutions, Ahern Adcock Devlin LLP and the city of Riverside.
The summit is free and open to the public.
To register, visit or call 909-537-5771.
Parking on campus is $5.
For information, contact the Cal State Office of Public Affairs at 909-537-5007 or visit

Sony post-mortem: Obama lobbies for new legal powers to thwart hackers

Moon on stick proposals include cheaper broadband access
In the aftermath of the massive hack attack on Sony Pictures – which the US government continues to insist was carried out by North Korea – President Barack Obama is expected to lobby hard for legislative overhauls to battle online threats.
He will reveal those proposals early next week, an unnamed White House spokesperson told reporters today, according to Reuters.
It's understood that Obama will set about attempting "to improve confidence in technology by tackling identity theft and improving consumer and student privacy" during a visit to the Federal Trade Commission.
Later this month, during the president's first State of the Union address since the Republican party snatched control of the Senate last November, Obama will apparently push for laws and executive powers to specifically crack down on hackers and ID thieves.
As part of his moon on a stick cyber security lobbying effort next week, Obama will drop in on the FTC, lay out his plans to cross-party Congress members and visit Iowa to push for faster, cheaper broadband connections across the country.

Zappos must pay $106K post-breach

Zappos must pay nine states $106,000 in a settlement reached after a 2012 data breach potentially exposed data on a server that contained information on the online shoe retailer's 24 million customers.
Intruders gained access to parts of the company's internal network in 2012 through one of its servers in Kentucky.
Investigators believed the hackers harvested names, email addresses, billing and shipping addresses, phone numbers and the last four digits of credit card numbers. Because the hackers stole hashes for customer accounts, all access codes to the website were reset, and customers had to create new credentials.
The settlement requires Zappos to pay up within 30 days and hire a third-party provider to audit its security policies and systems. Any shortcomings must be presented to the states along with a plan to correct them.

Mr Cameron goes to Washington for PESKY HACKERS chinwag with Pres Obama

Yo, Barack, how do we tackle naughty Norkers, then?

U.S. President Barack Obama will end his week of lobbying for more powers to fight hackers online by hosting Britain's Prime Minister David Cameron on Thursday and Friday, when the two leaders will discuss internet security.
Thwarting malefactors who attack companies' computer systems, such as the recent, devastating assault on film studio Sony Pictures, is a topic that is expected to dominate the conversation between the pair.
The confab will come after a GCHQ report on threats from hackers has been released by the UK's eavesdropping nerve centre, a spokeswoman at Number 10 confirmed to The Register today.
Cameron and Obama are also expected to talk about national security and counter-terrorism, the global economic outlook and growth and free trade, Downing Street said.
Blighty's Sunday papers were briefed on the upcoming GCHQ report, which apparently revealed that more than 80 per cent of UK firms had tackled an internet security breach in 2014.
The agency's boss Robert Hannigan was quoted as saying that "the scale and rate of these attacks show little sign of abating."

Paris terror attacks: ISPs face pressure to share MORE data with governments

Government ministers from European states, who met in Paris today in the wake of the atrocious attacks that stunned the French capital's population last week, have called on internet firms to do a better job of cooperating with spooks and police to help them fight terrorism.
In a joint statement (PDF) from a number of Europe's interior ministers including France's Bernard Cazeneuve and Britain's Home Secretary Theresa May, the politicians said:
We are concerned at the increasingly frequent use of the internet to fuel hatred and violence and signal our determination to ensure that the internet is not abused to this end, while safeguarding that it remains, in scrupulous observance of fundamental freedoms, a forum for free expression, in full respect of the law.
With this in mind, the partnership of the major internet providers is essential to create the conditions of a swift reporting of material that aims to incite hatred and terror and the condition of its removing, where appropriate/possible.
The missive followed a march attended, not only by the politicos, but also by millions of French citizens in a show of democratic defiance against the terrorist acts, which started at the offices of satirical magazine Charlie Hebdo when 12 people were murdered last Wednesday. It was signed in the presence of U.S. Attorney General Eric Holder.
But privacy warriors were quick to hit out at the proposals on Sunday.
Tory MP and former Secretary of State for Defence Dr Liam Fox, meanwhile, took to the pages of the Sunday Telegraph today to lobby for more powers for the UK's spies. He argued:
In 1993, there were only 130 websites in the world. By the end of 2012 there were 654 million – a lot of haystacks in which terrorist needles can hide.
That is why our security services need to be given access to the data they require to help to keep us safe. It is also why the appalling misjudgement of those such as the Guardian newspaper in helping Edward Snowden, now residing with the Russian secret service in Moscow, is so unforgivable.
When Snowden took data to China and Russia, some 58,000 files came from GCHQ, information that had played a vital role in preventing terrorism in Britain over the past decade.
Separately, the U.S. administration confirmed it would convene a meeting on 18 February to discuss tackling the global fight against Islamic extremism.
The take-away from politicians on both sides of the pond today, once you set aside the posturing about freedom of expression: demands for greater surveillance of citizens' movements online are back on the agenda in a big way.

SURPRISE: Norks Linux distro has security vulns

Well, that didn't take long: mere days after North Korea's Red Star OS leaked to the west in the form of an ISO, security researchers have started exposing its vulnerabilities.
According to this post at Seclists, the udev rules in version 3.0 of the OS and the rc.sysinit script in version 2.0 are both world-writable. Both run with root privileges.
Because of the slack file permission management in Red Star 3.0, the udev rules file for HP LaserJet 1000-series printers, /etc/udev/rules.d/85-hplj10xx.rules, can be modified to include RUN+= arguments. These commands are run by the udev daemon as root. There's a demonstration at github.
Udev's main job is to watch the /dev (devices) directory, and when a device is plugged into a USB port, it loads the appropriate ruleset.
By writing to the rc.sysinit file in the older Red Star 2.0, an attacker can execute commands as root (demonstration).
Rooted: "HackerFantastic's" Red Star 3.0 vulnerability demo
Both vulnerabilities provide privilege escalation for local users.
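As an added example, not taken from the Seclists post, The Register or any Red Star tooling, the following Python audit covers the defect described in both Red Star items above: it walks a udev rules directory, flags any rules file that group or other users can write, lists the RUN directives such a file would hand to udev as root, and resets the flagged files to 0644. It builds a constructed stand-in for /etc/udev/rules.d so it runs offline; the file contents are sample data, not copied from Red Star.

```python
import os
import re
import stat
import tempfile

# udev runs RUN (and RUN{program}) assignments as root when an event matches,
# so a rules file that non-root users can edit is effectively a root shell script.
RUN_DIRECTIVE = re.compile(r'\bRUN(?:\{[^}]*\})?\s*[+:]?=\s*"([^"]*)"')


def audit_udev_rules(rules_dir):
    """Return one finding per *.rules file that group or other users can write.

    Each finding records the path, its octal mode and the RUN commands it carries.
    Files writable only by their owner (the usual 0644) produce no finding.
    """
    findings = []
    for name in sorted(os.listdir(rules_dir)):
        path = os.path.join(rules_dir, name)
        if not name.endswith(".rules") or not os.path.isfile(path):
            continue
        st = os.stat(path)
        if not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            continue  # owner-only write: nothing to report
        with open(path) as fh:
            run_cmds = RUN_DIRECTIVE.findall(fh.read())
        findings.append({"path": path, "mode": oct(stat.S_IMODE(st.st_mode)),
                         "run_commands": run_cmds})
    return findings


def restrict_rules_permissions(findings):
    """Reset every flagged file to 0644 and return the paths that were changed."""
    for f in findings:
        os.chmod(f["path"], 0o644)
    return [f["path"] for f in findings]


def build_demo_rules_dir():
    """Constructed stand-in for /etc/udev/rules.d: one correctly protected file and
    one world-writable file using the 85-hplj10xx.rules name from the advisory."""
    d = tempfile.mkdtemp(prefix="udev-audit-")
    safe = os.path.join(d, "70-constructed-safe.rules")
    with open(safe, "w") as fh:
        fh.write('SUBSYSTEM=="usb", ATTR{idVendor}=="03f0", MODE="0664"\n')
    os.chmod(safe, 0o644)
    weak = os.path.join(d, "85-hplj10xx.rules")
    with open(weak, "w") as fh:
        fh.write('ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/bin/logger hplj"\n')
    os.chmod(weak, 0o666)  # the world-writable mode the advisory describes
    return d
```

Pointing `audit_udev_rules` at a real `/etc/udev/rules.d` (read access is enough) reports the same structure; `restrict_rules_permissions` needs root there.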
As The Register noted when the OSX-skinned operating system first leaked, there's also an error in the OS's Software Manager. Although root access is denied by default, users can install unsigned software. Developer RichardG has created an RPM that gets around the default restrictions.
The OSX-like skin put on top of Red Star OS's Linux innards was first seen in February after Will Scott spent time in Pyongyang teaching computer science and returned with screenshots.
El Reg expects the current crop of vulns will by no means be the last to emerge in the OS.