Wednesday, 3 July 2013

Car Hack Attacks


Many new cars can be turned on and off with a tap of a smartphone. Others can apply the brakes while a driver is distracted, park themselves and maintain safe distances from surrounding vehicles. But with their increasing reliance on electronic controls, cars open themselves up to malicious manipulation.

As researchers from the University of California San Diego and Washington University proved in 2010, hacking a car's electronics system is not only possible, but in some cases quite easy. The scientists successfully tapped into a car's electronic control module (ECM), which interfaces with most of a car's dynamic systems, including engine, transmission, traction controls and braking systems. By doing so, they were able to tinker with combustion rates and even completely disable the engine. Further tests showed that they could render brakes useless, even while the car was running at 40mph, as well as keep a car running when it was turned off. Their testing culminated with a full system shutdown: the horn at full wail, doors locked, automatic-unlock buttons disabled and engine shut off.
NHTSA's concern is that hackers could wreak similar havoc over wireless connections. "Whether the entry point into the vehicle is the internet, aftermarket devices, USB ports or mobile phones, these new portals bring new challenges," Strickland said in his remarks.

So-called vehicle-to-vehicle (V2V) and vehicle-to-grid (V2G) communication technologies, as well as the advent of semi-autonomous vehicles, present additional layers of intrigue. NHTSA is currently testing self-driving cars and recently established standards for a car's level of automation. As vehicles take over more decision-making processes and communicate with each other, the administration is trying to set standards for how these communications occur.

NHTSA can compel automakers to follow standards only under certain conditions, and it is unclear whether its efforts would stifle innovation or have any measurable effect on automakers’ product strategies. The contradictory impulses in the debate are most clear in states like Nevada, California and Florida, which permit self-driving vehicles, yet in a policy statement released last month, NHTSA said it did not recommend “that states permit operation of self-driving vehicles for purposes other than testing."

There is consensus, however, around how to safeguard against potential hacks of increasingly networked passenger cars. Automakers must acknowledge the potential threats to their vehicles – and those vehicles’ purchasers – and move to safeguard their systems. Meanwhile, the government must ensure these protections are put in place. But with NHTSA only setting up its electronics division to focus on those issues in the past weeks, a lack of urgency may be the greatest immediate threat to drivers.



Limitations first: hackers cannot magically gain control of a car. While cars are increasingly computerized, not every system involved in driving is hooked up to external controls. Let me repeat that for clarity: in almost every car currently on the road, it's impossible to hack the steering. A hacker trying to kill someone via car can't just take over and pilot the vehicle into a tree or off a cliff. 

Attacks that irritate or confuse the driver.

Researchers demonstrated that hackers could permanently activate the car horn, shoot windshield wiper fluid continuously, disable headlights, falsify the speedometer reading, increase radio volume, and turn off auxiliary lights. In testing, none of these attacks could be stopped by a manual override--which might be enough to cause a car accident on a dimly lit road at night. Alternatively, a well-timed burst of full-volume sound with cut lights and a wiper-fluid-obscured windshield could provoke a sudden accident, but that's a lot of effort and leaves a lot to chance. Mucking about with the speedometer can cause problems, though a driver who can roughly keep up with traffic will be able to get by without it. Most likely result of these attacks? A driver would be annoyed, pull over, get out of the car, and have a long weird call with AAA.

Attacks that change the speed of the car.

Far deadlier are hackers manipulating brakes. In testing, the researchers demonstrated an ability to engage the left and right brakes of a car independently, as well as unevenly engaging right side brakes, and perhaps scariest of all, release all brakes and prevent braking. That, more than anything else, provides the real risk in a car hacking attack. A car that can't brake is a hazard, straight-up, to the driver and everyone around them, but it's not necessarily fatal unless it's so well timed as to be a scripted moment in a Hollywood film.
While car hacking is potentially deadly, it's a really, really uncertain way to attack someone. The effort involved in finding, hacking, and monitoring the car, and then picking the exact right moment to disable the breaks, make such an idea more like "Enemy of the State" than a real threat. It's complicated and probably requires a surveillance team. Bullets are a usually but not always more reliable means, and they require much less planning and coordination.
Failing that, there's always the option of poisoning by polonium-210, most famously used against an ex-KGB agent in London in 2006. If a car must be used, car-bomb assassinations have precedent both in the United States and abroad.

PayWave system just as safe as chip and pin, argue Visa and O2

Orange and Barclaycard launch the quick-tap newsagent purchase
NFC mobile payments are just as secure and tamper proof as traditional chip and pin transactions, according to O2 and Visa, who are hoping to entice consumers and businesses to embrace mobile payment tools.
Visa head of mobile business, Sandra Alzetta, told V3 the firm is ensuring the company's existing and future NFC payment services are held to the same security standards as its existing card payment services.
"PayWave is made to be as secure as our chip and pin card. It has the same security and encryption standards. We did that because we believe it is the future and we don't to take a step backwards," she said.
The Visa head added the firm is ensuring the features protect users personal data and are designed to let people use them with anonymity. "We do collect a huge amount of data. But in terms of what we collect we don't know whose account number it is. So we don't know if it's a man or a woman, or if they're in their mid-twenties," she said.
"We don't know any of that, we just know that there's an account number and it does certain things. That can still help companies quite a lot and we're looking at how we can take that data, if you buy in and only if you buy into combine it with other data. Visa has no idea who you are."
O2 strategy business director Tomas Masar confirmed the firm is taking the same approach with its Visa-compliant NFC Sim-cards. The Sim-cards are created in partnership with Visa, O2 and participating banks and let users sync their bank account with their phone, storing the information on a sandboxed area of the card.
Masar said the cards have been designed with customer security in mind. "There will be a standardised way to transfer the bank data. We'll give them [banks] a secure place on the Sim card. We then give them a one-time password so they can load the data onto the Sim card and encrypt it. Then we close the door and password so it's secure," he said.
The O2 director said users' more personal relationships with their mobile phones will also lead to a number of fringe security features. "We bring additional safety features to the phone, by adding remote access to the payment service and remote wipe," he said.
"Also, an additional safety aspect is you don't want to be without your phone, meaning you'll notice if it goes missing. With your traditional payment card you can lose it and only find days later, whereas, with a phone you use it all the time, so you'll know within half an hour."
The new comes during a wider push by Visa to increase interest in its mobile payment services. The push has seen the firm strike strategic partnerships with numerous network carriers and mobile phone manufacturers to integrate its NFC payment solutions into their products, Visa claims the deals will cause a boom in the number of mobile transactions made in Europe, prophesying half of all payments will be made using a mobile by 2020.

AT&T iPad hacker Andrew 'Weev' Auernheimer launches appeal of conviction

Apple iPad
A group of lawyers have launched a new legal effort on behalf of convicted hacker Andrew 'Weev' Auernheimer.
Auernheimer's defence team is looking to overturn his conviction for felony violations of the Computer Fraud and Abuse Act under allegations of misconduct.
According to the attorneys and lawyers from the Electronic Frontier Foundation (EFF), federal prosecutors misused the act when they charged Auernheimer for his role in the breach of AT&T account data related to the Apple iPad.
Auernheimer and researcher Daniel Spitler were working as part of the Goatse Security group when they discovered a vulnerability in AT&T's web portal, which allowed access to a customer database. The researchers later released parts of the database that contained information on some 114,000 iPad users.
While proponents of the group said that Auernheimer and Spitler were doing users a service by uncovering and reporting the vulnerability, authorities charged the pair with computer misuse.
Spitler agreed to a plea bargain while Auernheimer fought the charges in court and was eventually sentenced to 41 months in prison.
EFF staff attorney Hanni Fakhoury said in a statement: “The government set out to make an example of Auernheimer. But the only message this sends to the security research community is that if you discover a vulnerability, you could go to jail for sounding the alarm."
An appeal in the case is not entirely unexpected. Auernheimer and his team have long said that they would be appealing the verdict and expect to have a long fight in court.
The EFF noted that the Auernheimer appeal was part of a larger effort by the digital rights community to convince lawmakers to overturn parts of the Computer Fraud and Abuse Act.
Lawmakers have sought to loosen penalties with the introduction of Aaron's Law, a bill named after Reddit co-founder Aaron Swartz. Earlier this year Swartz committed suicide while awaiting trial on copyright infringement charges.

California puts 2.5 million citizens' data at risk after suffering 131 data breaches in 2012

Security threats - password theft
The state of California received 131 reports of data breaches last year as firms are failing to adopt best practices for data security.
A report from Attorney General Kamala Harris found that around 2.5 million citizens had their data put at risk from the leaks, many of which would have been preventable had companies used basic security practices.
According to the report, 1.4 million people would have been protected from the breaches had the firms handling their data simply encrypted the information before moving it offsite. Lack of encryption was blamed for 28 percent of the reported leaks.
“Data breaches are a serious threat to individuals' privacy, finances and even personal security,” said Harris. “Companies and government agencies must do more to protect people by protecting data.”
The study found that each reported data breach exposed on average around 22,500 users, while the five largest breaches leaked the data of more than 100,000 people. Retailers reported the most leaks, accounting for 26 percent of breaches.
According to the study, more than half of all data breaches – 55 percent – were the work of outside attackers, while the remaining 45 percent were inside leaks perpetrated by malicious or careless employees.
Of particular interest to hackers was social security data. The study found that 56 percent of the reported breaches involved social security numbers.
The state of California is among a growing group of government agencies calling for greater scrutiny on data breaches. The European Commission recently proposed a set of tighter standards that would force companies to disclose data breaches to government officials.

PRISM: European Commission demands answers over 'disturbing' NSA surveillance

de-montfort-university-deloitte
The European Commission (EC) has responded in no uncertain terms to the allegations of NSA surveillance taking place at its premises, demanding full clarification and transparency from the US government over its activities.
Documents seen by the German newspaper Spiegel suggest that not only were bugs installed by US surveillance in the EU's offices in Washington, but also that the building's computer network was infiltrated. Through this, surveillance teams had the capability to listen to discussions in several offices belonging to the EU, as well as being able to access emails and documents on computers.
The EC said it took immediate action to raise the matter with the European External Action Service, who will liase with US authorities.
A statement from the EC said: "These are disturbing news [sic] if proven true. They demand full clarification."
The newspaper also alleges that offices in New York and Brussels also came under the watch of US surveillance teams, with EU security officials apparently noticing suspicious telephone calls targeting a remote maintenance system of a building in Brussels, where the EU Council of Ministers and the European Council are based. The calls are said to have been traced back to a NATO headquarters in Brussels, from a building used by NSA employees.
The EC asked for openness over the allegations, putting the ball firmly in the US authorities' court. "The EU is now expecting to hear from the US authorities. Clarity and transparency is what we expect from partners and allies, and this is what we expect from the US," the EC noted.
On Sunday, Spiegel also revealed that the NSA typically taps half a billion phone calls, emails and text messages per year in Germany alone. The paper also indicated that surveillance in the country was stronger than in any other EU country.
Last week, shadow home secretary David Davis told the House of Commons that UK laws to protect citizens from surveillance were ‘completely useless'. Founder of the web Tim Berners-Lee also weighed in last week, urging further advances in web freedom.
This follows allegations that security organisations such as the NSA and GCHQ were monitoring personal emails of people across the world, and accessing data from companies such as Facebook, Microsoft and Google.
The former NSA contractor Edward Snowden's location is still unknown after he failed to take a flight to Ecuador he had been booked onto last week, although it is believed he is in Russia and is seeking asylum there. The US government has issued a warrant for his arrest, with WikiLeaks founder Julian Assange expressing his allegiance to Snowden.

PDF: njRAT uncovered

In the past thirty days (30) an increase attack activity has been observed using the "njRAT" malware. This remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID.
Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.

Egyptian army spying on the Egyptian president

The Egyptian army has a plan ready to push President Mohamed Mursi aside and suspend the constitution if the president fails to strake a power-sharing deal with his opponents within 24 hours.
The Egyptian army is prepared to shed blood to preserve Egypt. This developments that have been in Egypt show that the country is taking big steps to ensure their existence in the future - the people of Egypt demand that the President resigns and the Military has told Reuters that the army is prepared to deploy troops on the streets of Cairo and other cities to prevent clashes.

Mursi supporters and opponents

Fighting between Mursi supporters and opponents broke out on Tuesday afternoon in the Cairo suburb of Giza, in Alexandria and in the town of Qalyubia, north of Cairo, security sources said.
In Alexandria, soldiers intervened to separate rival factions.
Protesters remained encamped overnight in Cairo's central Tahrir Squareand protest leaders called for another mass rally later in the day, dubbed a "Tuesday of persistence", to try to force the president out

Spy equipment found earlier - is it still there?

The spying software FinFisher or FinSpy has been found in Egypt earlier - the software would have enabled the government to spy and monitor activists and censor websites.
During the last years the world has seen that there are multiple packages that can supply the same as the Gamma International's FinFisher software.

Spying software used in 

Citizenlab.org has made a overview which will show you were FinFisher has been reported.

Of course there are more spying tools which will allow the government to spy on it's citizens. We have made a report on those spying tools which you can find here.

PRISM

The well known program PRISM that also allows the users to spy on people has brought a lot of attention to the world of espionage and monitoring. Edward Snowden is still searching for a safe haven and Obama has said that he will not send fighter jets to get Edward Snowden.

The future of Egypt

Egypt has had a lot of clashes in the last years - how do we see the future of Egypt? Will there be peace? or will it just escalate? I would like to hear what the readers think about this subject.

HTML Injection

HTML Injection is a vulnerability which occurs in web applications that allows users to insert html code via a specific parameter for example or an entry point.
This type of attack can be used in combination with some sort of social engineering in order to trick valid users of the application to open malicious websites or to insert their credentials in a fake login form that it will redirect the users to a page that captures cookies and credentials.
In this tutorial we are going to see how we can exploit this vulnerability effectively once it is discovered. For the needs of the article the Mutillidae will be used as the vulnerable application.
Let’s say we have a page like the following:

                                               Vulnerable Form
Of course in this example there is an indication that this form is accepting HTML tags as it is part of the functionality of the application. A malicious attacker will think that he can exploit the users of this application if he set up a page that is capturing their cookies and credentials in his server. If he has this page then he can trick the users to enter their credentials by injecting into the vulnerable page a fake HTML login form. Mutillidae has already a data captured page so we are going to use this page for our tutorial.

                              Mutillidae – Data Capture Page
Now we can inject HTML code that it will cause the application to load a fake login form.

                       Injecting HTML Code – Fake Login
The next image is showing the fake login form:

                                                      Fake Login Form
Every user that will enter his credentials it will redirected to another page where his credentials will stored. In this case the credentials can be found at the data capture page and we can see them below:

                                        Credentials
Conclusion
As we saw in this article HTML injection vulnerabilities are very easy to exploit and can have large impact as any user of the web application can be a target. System admins must take appropriate measures for their web applications in order to prevent these type of attacks.

njRAT Trojan Target Middle East

A remote access trojan (RAT) that can hijack computers to steal data stored in browsers, log keystrokes and activate webcams has targeted high-level organizations in the Middle East.
According to a white paper published by General Dynamics Fidelis Cybersecurity Solutions, the malware, dubbed “njRAT,” has been used specifically against the government, telecommunications and energy sectors in the region.
The white paper analysed a variant of the trojan using a file, named “authorization.exe,” to deliver a payload to unsuspecting users.
Attackers designed the executable to appear as Microsoft Word or PDF files when emailed to victims as attachments. The trojan also infects users via drive-by download and can spread through USB drives. It seeks to give its purveyors unlimited access to the networks of compromised organisations.
In addition to logging keystrokes, accessing the camera of infected computers and stealing login credentials, njRAT also allows its operators to upload or download files, view what's on a victim's desktop, and manipulate their system registry (to edit, delete or create keys and values). It can also update the malware with other malicious features.
“The ‘njRAT' is a robust remote access trojan that, once it reaches and infects the endpoint, allows the attacker to have full control over the victim system,” the white paper said. “With this access, the attacker can start scanning other systems in the victim network to perform lateral movement.”
The malware sends encrypted data to its command-and-control (C&C) server, including a string of text identifying its attack campaign. This allows those running the operation to keep track of malware dispatched for various purposes.
The C&C hub also receives the volume serial number of infected systems, the victim's computer name and machine location, the operating system used, and which version of the malware is on the machine, the white paper said.
Researchers warned that although the campaign is currently only targeting organizations in the Middle East, njRAT could easily be repurposed to infect others. Fidelis discovered that a site hosting the malware was linked to IP addresses in Vietnam and the U.K., but attackers are capable of faking their true locations.

Ubisoft hacked: Database accessed by hackers

One of the websites of Ubisoft Entertainment has been hacked. The company their headquarter is based in Montreuil, France but it originated from Carentoir, Brittany. They are known for their best selling games like Assassins Creed.
Toda Ubisoft released a security update regarding Ubisoft accounts.Ubisoft asks the users to update their Ubisoft password.
We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, to begin a thorough investigation with relevant authorities, internal and external security experts, and to start restoring the integrity of any compromised systems.
During this process, we learned that data were illegally accessed from our account database, including user names, email addresses and encrypted passwords. No personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.

No personal payment information accessed

The security update tells the users that their financial information has not been accessed as it is not stored in Ubisoft itself. 

Change your other accounts 

Ubisoft also warned the users that they should also change the password of the accounts which have the same password. 
If you have some questions left for Ubisoft you can find them at this forum.

Natural gas plants in U.S. face wave of brute force cyber attacks

Cybercriminals have targeted U.S. energy companies with a wave of brute force cyber attacks, according to the Industrial Control Systems Emergency Response Team (ICS-CERT).

A series of attacks were directed against companies operating natural gas compressor stations in the Midwest and Plains states in February and March this year, according to  ICS-CERT’s Monitor report.

“While none of the brute force attempts were successful, these incidents highlight the need for constant vigilance on the part of industry,” ICS-CERT said. “ The ability to detect anomalous network activity and network intrusions early in an incident greatly increases the chance of a successful mitigation and resolution.”

The organization says it has responded to more than 100 incidents targeting the energy sector between October 2012 and May 2013.

“The majority of these incidents involved attacker techniques such as watering hole attacks, SQL injection, and spear-phishing attacks. In all cases, ICS-CERT evaluates the information available to determine if successful compromise has occurred, the depth and breadth of the compromise, and the potential consequences to critical infrastructure networks,” the organization said.

This April, a spear-phishing attack which targeted an American electrical company was documented in ICS-Cert’s Monitor.

A Congressional survey of electrical utilities earlier this year found that companies claimed to face up to 10,000 attacks per month. Out of 53 companies surveyed, more than a dozen described attacks on their systems as “daily” or “constant”. One company complained of being under a “constant state of ‘attack’ from malware and entities seeking to gain access to internal systems.”

Ubisoft Online System Exploited,Change Password!

Ubisoft support published on its website that , We recently found that one of our Web sites was exploited to gain unauthorized access to some of our online systems.
We instantly took steps to close off this access, to begin a thorough investigation with relevant authorities, internal and external security experts, and to start restoring the integrity of any compromised systems.
we learned that data were illegally accessed from our account database, including user names, email addresses and encrypted passwords. No personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.
As a result, we are recommending you to change your password by clicking this link.
Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.
An official forum thread has been created for you to post your questions.
We sincerely apologize for any inconvenience and thank you for your understanding.

Anonymous Hacker Dr. Evil caught and charged

Michael Mancil Brown, who allegedly called himself "Dr. Evil" on the internet, has been charged with six counts of extortion and six counts of wire fraud for attempting to extract $1 million in Bitcoins from Mitt Romney.

During the election season, an anonymous "hacker" claimed to have gotten hold of the presidential candidate's tax forms by sneaking into his accountant's office.

The hacker threatened to release the private documents if Romney didn't pay up. It didn't work. There is no evidence that Brown actually possessed the documents, which were a major subject of scrutiny during the campaign; the government claims Brown made the whole thing up. The original ransom note, posted on Pastebin.com, is no longer available.

Department of Justice Office of Public Affairs

Michael Mancil Brown was indicted today by a federal grand jury in Nashville, Tenn., for allegedly engaging in an extortion and wire fraud scheme involving former Presidential candidate Mitt Romney’s tax returns, announced Acting Assistant Attorney General Mythili Raman of the Justice Department’s Criminal Division and Todd Hudson, Special Agent in Charge of the U.S. Secret Service, Nashville Field Office.

Brown, 34, of Franklin, Tenn., was charged in U.S. District Court in the Middle District of Tennessee with six counts of wire fraud and six counts of extortion.

The indictment alleges that Brown devised a scheme to defraud Romney, the accounting firm of PricewaterhouseCoopers LLP and others by falsely claiming that he had gained access to the PricewaterhouseCoopers internal computer network and had stolen tax documents for Romney and his wife, Ann D. Romney, for tax years prior to 2010.

According to the indictment, Brown allegedly caused a letter to be delivered in August 2012 to the offices of PricewaterhouseCoopers in Franklin.  The letter demanded that $1 million worth of the digital currency Bitcoin be deposited to a specific Bitcoin account to prevent the release of the purportedly stolen Romney tax returns.  The letter also invited interested parties who wanted the allegedly stolen Romney tax documents to be released to contribute $1 million to another Bitcoin account.

The indictment alleges that Brown delivered similar letters to the offices of the Democratic and Republican parties in Franklin and caused similar statements to be posted to Pastebin.com.

The charges contained in the indictment are merely accusations, and the defendant is presumed innocent unless and until proven guilty. 

This case was investigated by the Nashville Field Office of the U.S. Secret Service with assistance from the Nashville Resident Agency of the FBI.  The case is being prosecuted Senior Counsel Anthony V. Teelucksingh of the Criminal Division's Computer Crime and Intellectual Property Section  and Assistant U.S. Attorney Byron Jones of the Middle District of Tennessee.