Use your iPhone for biometric scanning

AOptix unveiled AOptix Stratus, the first comprehensive mobile identity solution “Made for iPhone” delivering iris, fingerprint, voice, and face recognition in a truly integrated solution.


The first mobile biometric product built with an open architecture, AOptix Stratus enables SI/VAR partners to develop applications meeting the specific requirements of their customers in a broad range of vertical markets, such as:

• Public safety and border management
• National and civil ID programs
• Humanitarian aid and disaster relief
• Defense
• Healthcare.

“The launch of AOptix Stratus provides a capability for Smart Mobile Identity around iPhone that will open up a new range of applications for biometrics,” said Dr. Peter Waggett, Emerging Technology Program Leader at IBM. “The product provides the basis for an ecosystem of Smart Mobile Identity products and apps that we will use to develop and deliver solutions.”

AOptix Stratus is the only mobile biometric device with iris and fingerprint recognition that is Made for iPhone. Employing familiar Apple iOS conventions, it is designed to be highly intuitive like the iPhone itself. Previous biometric identity systems have been difficult to use and bulky. AOptix Stratus resolves these issues, enabling the use of the product for many applications that cannot be addressed by traditional biometric systems.

The AOptix Stratus family includes AOptix Stratus MX, AOptix Stratus App for iOS and AOptix Stratus SDK. AOptix Stratus MX is a sleek, rugged hardware peripheral that houses an iPhone 4 / 4S and contains a fingerprint sensor and an advanced AOptix iris imaging system.

“Our objective in developing AOptix Stratus was to create a product family that would deliver the benefits of biometric identification to a host of new users,” said Chuck Yort, Vice President and General Manager of Identity Solutions at AOptix. “We’ve received a great deal interest from law enforcement and border control, national and civil ID programs, and defense. We anticipate AOptix Stratus will be embraced by healthcare, disaster relief, humanitarian aid and other areas where identity verification is essential but previous biometric techniques have been impossible or unacceptable. We’ve received strong encouragement from our partners and end users throughout our development and beta process and are delighted that the product is now available for purchase.”

Black Hat Europe: Hacking to spy & remotely control video conferencing systems

Thanks to video conferencing, we don’t always need to travel in order to conduct important business. But the reality of the situation is that an attacker can secretly conduct surveillance by taking control of the video conferencing camera and microphone. At Black Hat Europe, Moritz Jodeit presented “Hacking Video Conferencing Systems” [PDF] and demonstrated how to remotely compromise all variants of the popular Polycom HDX systems.

You might recall when Rapid7’s HD Moore alerted the public to the dangers of poorly configured video conferencing equipment being connected to the Internet. Moore highlighted the need to secure the configuration after showing that “thousands of videoconferencing systems were publicly accessible over the Internet and had the call auto-answer feature turned on." But Jodeit took it to an entirely new level and demonstrated how to remotely own the device.
Jodeit’s Black Hat presentation research [PDF] [slides] is divided into two main sections. First, he shows how to get root access to the Polycom HDX devices in order to find vulnerabilities and to develop exploits. He found vulnerabilities a malicious user might exploit such as by escalating privileges, a command injection when using the firmware update, a format string vulnerability, SQL injection, and a PUP file header MAC signature bypass. Then he explains how to remotely compromise the Polycom video conferencing system in its most secure configuration.

Hijacking airplanes with an Android phone

An extremely well attended talk by Hugo Teso, a security consultant at n.runs AG in Germany, about the completely realistic scenario of plane hijacking via a simple Android app has galvanized the crowd attending the Hack In The Box Conference in Amsterdam today.


Teso, who has been working in IT for the last eleven years and has been a trained commercial pilot for a year longer than that, has combined his two interests in order to bring to light the sorry state of security of aviation computer systems and communication protocols.

By taking advantage of two new technologies for the discovery, information gathering and exploitation phases of the attack, and by creating an exploit framework (SIMON) and an Android app (PlaneSploit) that delivers attack messages to the airplanes' Flight Management Systems (computer unit + control display unit), he demonstrated the terrifying ability to take complete control of aircrafts by making virtual planes "dance to his tune."

One of the two technologies he abused is the Automatic Dependent Surveillance-Broadcast (ADS-B), which sends information about each aircraft (identification, current position, altitude, and so on) through an on-board transmitter to air traffic controllers, and allows aircrafts equipped with the technology to receive flight, traffic and weather information about other aircrafts currently in the air in their vicinity.

The other one is the Aircraft Communications Addressing and Reporting System (ACARS), which is used to exchange messages between aircrafts and air traffic controllers via radio or satellite, as well as to automatically deliver information about each flight phase to the latter.

Both of these technologies are massively insecure and are susceptible to a number of passive and active attacks. Teso misused the ADS-B to select targets, and the ACARS to gather information about the onboard computer as well as to exploit its vulnerabilities by delivering spoofed malicious messages that affect the "behavior" of the plane.


Based on his own research, Teso developed the SIMON framework that is deliberately made only to work in a virtual environment and cannot be used on real-life aircrafts. His testing laboratory consists of a series of software and hardware products, but the connection and communication methods, as well as ways of exploitation, are absolutely the same as they would be in an actual real-world scenario.

Since it's nearly impossible to detect the framework once deployed on the Flight Management System, there is no need to disguise it like a rootkit. By using SIMON, the attacker can upload a specific payload to the remote FSM, upload flight plans, detailed commands or even custom plugins that could be developed for the framework.

To make things even more interesting - or easier - Teso showcased an Andorid application that uses SIMON's powers to remotely control airplanes on the move. The application, fittingly named PlaneSploit, sports a clean and simple interface, but is packed full with features. This is a remarkable example of technology evolution - ten years ago we barely had phones with a color screen, today we can use them to hack aircrafts.


PlaneSploit uses the Flightradar24 live flight tracker and you can tap on any airplane found in range. When talking about the range, please keep in mind that we are talking about a proof-of-concept application used in a virtual environment. In real life, the range would be limited depending on the antennas used (if going directly for the plane), or global (if misusing one of the two big ACARS players such as SITA or ARINC).

The user interface is divided by its main functions which are self-explanatory: discovery, information gathering, exploitation and post exploitation. The attacker can click on any active airplane and is receives its identification, current location and final destination. In case a nearby airplane system is exploitable (a number of vulnerability vectors mentioned, not much details provided), the application alerts the user via an in-application alert or a push message. The payload can be uploaded with a tap of a button and from that point on, the flight management system is remotely controlled by an attacker. There are a number of other systems connected to FMS, so further exploitation is possible.

Here are some of the functions Teso showed to the HITBSecConf Amsterdam audience:

• Please go here: A way of interacting with the plane where the user can dynamically tap locations on the map and change the plane's course.
• Define area: Set detailed filters related to the airplane, for example activate something when a plane is in the area of X kilometers or when it starts flying on a predefined altitude.
• Visit ground: Crash the airplane.
• Kiss off: Remove itself from the system.
• Be punckish: A theatric way of alerting the pilots that something is seriously wrong - lights start flashing and alarms start buzzing.

By showing a sample scenario of a drunk pilot flying over Berlin, Teso mentioned that the Android application also uses the benefits of the accelerometer and therefore a remote attacker can transform the motion of its smartphone into physical changes in the plane's movement.

It's amazing to discover that aviation - an industry where safety is of vital importance and every physical element has one or even two fail-safe mechanisms - is failing to secure the onboard computer, the heart and brain of the plane.

Teso has not shared too many details about the tools he used to effect the attack, as the vulnerabilities have yet to be fixed. He says that he was pleasantly surprised by the reaction of the industry to his research and discoveries, as the companies didn't try to deny the existence of the problems and have vowed to aid him in his research.

He says that older, legacy systems harking back to the 1970s will be difficult, if not impossible, to fix, but that modern ones will easily be updated with patched and modified firmware and software.

The vulnerabilities, of course, differ from system to system and from plane to plane, but it's easy to discover just which ones are present once the attacker identifies the type, model of the plane, and the airline for which it flies.

There is a solution for pilots to regain the control of the plane and land it safely, he says. Attacks of this kind work only when the auto-pilot is on, so the trick is to switch it off, then fly the plane by using analog instruments.

The bad news is that there aren't that many on modern planes, and that the pilots have to detect that the plane's computer is being hacked in order to effect these maneuvers, and that is no easy feat.

Israel Confirms Hacking Attack on PM's Website

Anti-Israel hackers succeeded in bringing down temporarily the website of Prime Minister Benjamin Netanyahu and the site of the Likud party, the Avnet information security company said Tuesday. "The )PMO's) site is suffering from an attack on its connection between the database and the web server," Avnet's Ronni Becher said, The Jerusalem Post reported.

"At this stage we don't know how the attack was carried out exactly, and what can be done to defend against it. Overnight, we saw dozens of attempts to hack and attack Israeli websites. Much information was released online…," he added.

More than 100,000 Israeli websites came under attack from Anonymous hacktivists around the world.

The websites of the Israeli parliament, banks, ministries and other government organizations were down for some time on Sunday during the assault, dubbed Operation Israel. The loosely-knit hacking group Anonymous threatened to "disrupt and erase Israel from cyberspace" in protest over its mistreatment of Palestinians.

The hackers also released a list of email addresses and credit card numbers, reportedly lifted from the online catalog of Israel Military, a privately-owned business that sells military surplus, Haaretz reported. Israel Military officials indicated that the information made public did not come from its site.

A Middle East hacker, who took part in the massive cyber assault, said that the operation's aim was "to show the world the true face of Israel and its armed forces."

"We are the sons of Palestinian people and we feel the pressure of the Israeli occupation not only in Gaza but also in all the Arab and Muslim world. And as the first retaliation we committed a fast and full-scale attack on Israeli websites to warn Israel and all its supporters about the threat that hangs over them. They have weapons and we have our own means. As a result of this attack we've received the names of those who cooperate with Israel. The aim of the attack was to show the world the true face of Israel and its armed forces. And we coped with our task".

"So now we make a clear warning to Israel: "In the future be ready for new larger surprises"," he stated.

Israel responded to mass cyber attacks on Sunday by launching a series of raids in which several Palestinian activists were arrested, President Mahmoud Abbas' advisor for communications and information technology Sabri Saydam told WAFA.

Nothing indicates that the Palestinians have anything to do with the hacking of Israeli sites, Saydam added, calling it "a cyberspace battle" and stressing that the Internet "is open to all".

In a message released Saturday the group addressed the Israeli government saying: "You have NOT stopped your endless human rights violations. You have NOT stopped illegal settlements. You have NOT respected the ceasefire. You have shown that you do NOT respect international law."

Vudu Security Breach

Video streaming service Vudu recently acknowledged that hard drives containing customer data were stolen when thieves broke into its offices on March 24.
According to Vudu, the data on the drives included customer names, e-mail addresses, mailing addresses, phone numbers, account activity, birthdates, encrypted passwords, and the last four digits of some credit card numbers. No full credit card numbers were exposed, as the company doesn't store that information.
"We believe it would be difficult to break the password encryption, but we can't rule out that possibility given the circumstances of this theft," the company stated in a FAQ. "Therefore, we have reset all customer passwords."
All customers whose passwords may have been exposed are being offered one year of identity protection services from AllClear ID, starting on April 9, 2013.
Vudu says it's implementing additional measures to protect against physical theft in the future. "We are also increasing the password strength requirements for Vudu passwords in order to ensure a greater degree of protection," the company states.
Anyone who suspects that their account has been accessed fraudulently is advised to contact Vudu at 855-968-8838 or at passwordreset@vudu.com.

Steps to Discourage Hackers from Your Infrastructures

When hackers broke in to the New York Times' network, evaded its anti-virus software and began plundering its computer systems, it highlighted a rather uncomfortable truth:  Anti-virus software is not that good at keeping systems secure.

That means that any company that relies on an anti-virus package to secure its endpoints is exposing itself to a huge security risk. "To some extent the problem is the fault of the security industry who have been selling these products," says Graham Cluley, a senior technical consultant at anti-virus vendor Sophos.

Anti-virus Weaknesses
Anti-virus products don't have magic powers; you still have to worry about security. While anti-virus software is good at spotting known malware by matching its digital signatures with a signature database, the type of sophisticated hackers that are believed to have masterminded the New York Times attack would likely write new exploit code that no anti-virus product would have ever seen before.

And it appears -- though this is not certain -- that the New York Times was relying on the signature matching protection of Symantec's anti-virus product to maintain the security of its systems. In a statement after the attack was publicized, Symantec said in a statement: "Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."

Most anti-virus products -- including Symantec's -- go beyond signature based protection by offering generic protection against malware types that are similar to specimens that have been seen before, and by offering behavioral protection which detects when software demonstrates suspicious behavior such as changing certain registry settings or causing a buffer overflow.

But this more sophisticated anti-virus protection is also not sufficient. Here's why: In a nutshell, whether or not a given anti-virus product will detect a piece of malware is entirely predictable.

All a hacker has to do when designing a piece of malware is run it on a computer with that anti-virus product to see if it will be detected. If it is, then the hacker can modify the code until the anti-virus software no longer detects it.

So what should a company do to protect its endpoints? The answer is to deploy several layers of security measures to reduce the risk of compromise. Some of these are included in security "suites" sold by anti-virus software vendors in addition to their core anti-virus products.

7 Ways to Discourage Hackers
These seven practices -- one of which doesn't even involve software -- should discourage hackers:

• Anti-virus software. While anti-virus software alone is not enough, it certainly has a role to play in catching known malware, spotting malicious behavior, and checking the reputation of unknown files and URLs to see if they have been blacklisted.
• Personal firewall. Most desktop operating systems include a personal firewall of some sort. It's important that this is used in addition to the corporate firewall to protect against internal threats -- perhaps from hackers who have infiltrated the network and are already inside the network perimeter.
• Encryption. Many hackers attempt to infiltrate corporate systems to steal (or modify) data such as intellectual property, proprietary information and confidential items such as tender documents. It therefore makes sense to encrypt such data so that it has no use to hackers even if they are able to access it.
• Update management software. Sophisticated hackers discover new vulnerabilities in operating systems and application software, which they exploit to get a foothold in corporate systems. But many hackers use known vulnerabilities which haven't been updated or patched to make them secure. For that reason it's vital to have an effective process in place for applying updates and patches to endpoints as soon as they are available. Update management software runs an inventory of all the software installed on a system on a regular basis and installs patches or updates automatically. It may also flag any software that has known vulnerabilities for which a security patch is not yet available.
• Data loss prevention (DLP) software. Available as a standalone product or part of many security suites, DLP software is designed to spot when sensitive data such as credit card numbers or entire databases are leaving a system and going out over the Internet. Although hackers can attempt to bypass DLP software in many ways (such as encrypting the data themselves before exfiltrating it), it is still a worthwhile layer of protection to put in place.
• Password managers. Employees should always use long, random passwords to access corporate resources or cloud services. Since these passwords are impossible to remember, it's sensible to use a password manager application which can generate long passwords, store them in an encrypted database, and enter them when appropriate after the user has supplied a single master password. An added benefit of using a password manager is that it provides an element of protection against phishing sites. That's because a password manager will automatically enter the correct password for a given intranet or Internet site, but will spot when a user attempts to access a replica phishing site at a false URL.
• Training. Arguably the simplest way for hackers to gain access to resources on corporate systems is to bypass security software. They do this by using social engineering techniques to trick users into divulging passwords and other security details. Training programs that raise awareness about these techniques and how to spot social engineering phone calls or emails can reduce the likelihood that a social engineering attack will succeed.

A determined group of skilled hackers sponsored by a foreign state such as China will likely be capable of penetrating any defenses that you put in place, given enough time and resources. But that doesn't mean there is no point in bothering with anything more than the most rudimentary signature-based anti-virus protection.