Tuesday, 23 December 2014

Quantum Encryption Makes Credit Cards Fraud-Proof

Credit cards chained up with padlock
Credit card frauds are very common these days – today a data breach occurs in retailer’s shop, online shopping site or banking site and at the next moment millions of cards appears in the underground black market – how simple is that for cyber criminals nowadays.
But imagine if there is no possible way to hack credit cards and ID cards. Seems like next to impossible, but quantum cryptography ensures that stealing people’s personal data will soon be very difficult for hackers and cyber thieves due to an extra layer of verification.
The research at the University of Twente in Enschede, Netherlands has suggested that “fraud-proof” credit cards are possible to develop using Quantum Physics that will protect users’ financial and personal information from hackers. Security researchers describe this extra layer of verification as Quantum-Secure Authentication (QSA) of a “classical multiple-scattering key.”
With the help of QSA method, people will be able to create a physical “key” which is impossible to copy or create similar ones. So, this new technology will not allow any person to copy someone’s credit card and can validate the identity of any person or object, including debit and credit cards, even if the most important data has been stolen, the Optical Society reported in the Dec. 15, 2014 edition of the journal Optica.
However, Chip-and-Pin payment cards are opted by the major organisations to promote additional security solutions like tokenization and point-to-point encryption. Chip technology generates a unique code for every transaction, making it nearly impossible for criminals to use the card for counterfeit fraud. But we have also seen that the latest “Chip-and-PIN” technology are vulnerable to Card Cloning.
Now, the important thing to note is that how is it possible and how Quantum Physics works with the Credit card technology ??
Quantum Encryption Makes Credit Cards Fraud-Proof
This innovative technology depends on two unique quantum properties of light to create a secure and unique Question-and-Answer (Q&A) exchange that cannot be ‘spoofed’ or copied. As a single photon of light can occupy more than one location at the same time and because light has so many separate wavelengths that hacking a credit card would take centuries to find the right combination.
Single photons of light have very special properties that seem to defy normal behavior,” said a study lead author Pepijn Pinkse of the University of Twente’s MESA and Institute for Nanotechnology. “When properly harnessed, they can encode information in such a way that prevents attackers from determining what the information is.
The “quantum credit cards” would be more secure and fraud-proof because QSA technology leverages the immutable properties of quantum mechanics to create a perfectly secure encryption system, instead of any mathematical interpretation.
According to Pepijn Pinkse, such a security layer would be “straightforward to implement with current technology,” used by credit cards.
Quantum credit cards would be outfitted with a strip of white paint containing millions of nanoparticles. Researchers could project individual photons of light onto this paint with the help of a laser that would bounce around the nanoparticles as if in a pinball machine before escaping back to the surface and forming a unique pattern.
It would be like dropping 10 bowling balls onto the ground and creating 200 separate impacts. It’s impossible to know precisely what information was sent (what pattern was created on the floor) just by collecting the 10 bowling balls,” researcher said.
This new technology could help in protecting government buildings, personal bank and credit cards, and even vehicles, according to the research.

Hackers Can Read Your Private SMS and Listen to Phone Calls

Security researchers have discovered a massive security flaw that could let hackers and cybercriminals listen to private phone calls and read text messages on a potentially vast scale – no matter if the cellular networks use the latest and most advanced encryption available.
The critical flaw lies in the global telecom network known as Signal System 7 that powers multiple phone carriers across the world, including AT&T and Verizon, to route calls, texts and other services to each other. The vulnerability has been discovered by the German researchers who will present their findings at a hacker conference in Hamburg later this month.
“Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers,” said The Washington Post, which first uncovered flaws in the system earlier this year.
SS7 or Signaling System Number 7 is a protocol suite used by most telecommunications operators throughout the world to communicate with one another when directing calls, texts and Internet data. It allows cell phone carriers to collect location information from cell phone towers and share it with each other. A United States carrier will find its customer, no matter if he or she travels to any other country.
According to the security researchers, the outdated infrastructure of the SS7 makes it very easy for hackers to hack, as it is loaded with some serious security vulnerabilities which can lead to huge invasions of privacy of the billions of cellular customers worldwide.
“The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network,” the report reads.
So far, the extent of flaws exploited by hackers have not been revealed, but it is believed that using the flaws hackers can locate or redirect users’ calls to themselves or anywhere in the world before forwarding to the intended recipient, listen to calls as they happen, and record hundreds of encrypted calls and texts at a time for later decryption.
No matter how much strong or advanced encryption the carriers are using, for example AT&T and Verizon use 3G and 4G networks for calls, messages, and texts sent from people within the same network, but the use of that old and insecure SS7 for sending data across networks the backdoor open for hackers.
Not just this, use of SS7 protocol also makes the potential to defraud users and cellular carriers, according to the researchers.
The American Civil Liberties Union (ACLU) has also warned people against using their handset in light of the breaches.
“Don’t use the telephone service provided by the phone company for voice. The voice channel they offer is not secure,” principle technologist Christopher Soghoian told Gizmodo. “If you want to make phone calls to loved ones or colleagues and you want them to be secure, use third-party tools. You can use FaceTime, which is built into any iPhone, or Signal, which you can download from the app store. These allow you to have secure communication on an insecure channel.”
Soghoian also believes that security agencies – like the United states’ NSA and British security agency GCHQ – could be using these flaws. “Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation. They’ve likely sat on these things and quietly exploited them,” he said.

China fingered for Afghan Govt attacks

Aussie embassy among Govt websites serving malware

Chinese hackers have targeted nearly all major Afghanistan Government websites by hacking an official content delivery network (CDN) and gaining a foothold to attack western governments.
Hackers popped the network run by the Afghan Ministry of Communications and IT which delivered malware to many of the Government's websites including the Australian embassy.
Afghanistan's agencies for finance, education and justice were among the nine listed as falling victim to the attack, according to ThreatConnect researchers who found the watering hole attacks closely coincided with a meeting on infrastructure development and bilateral cooperation in Kazakstan between China's Prime Minister Li Keqiang and Afghanistan's government chief executive officer Abdullah Abdullah.
The researchers said an image used to serve the malware was modified only hours after it appeared to be taken at the meeting.
Such a hack would be of interest to China, researchers said, given that the country is building regional influence and might see an opportunity in the vacuum of the West's military withdrawal from Afghanistan.
Beijing is also building transport infrastructure in the region and facilitating multilateral peace talks with the Taliban under its South Asian strategy.
"By exploiting and co-opting Afghan network infrastructure that is used by multiple ministerial level websites, Chinese intelligence services would be able to widely distribute malicious payloads to a variety of global targets using Afghanistan's government websites as a topical and trusted distribution platform, exploiting a single hidden entry point," the threat intelligence team (TSIRT) wrote in an advisory.
"This being a variant of a typical watering-hole attack, the attackers will most likely infect victims outside the Afghan government who happened to be browsing any one of the CDN client systems, specifically, partner states involved in the planned troop reduction."
Naming conventions used in the Afghanistan attack dubbed Operation Helmand were similar to those in East Asia hacking operations.
The attack also bore similarities to a June watering hole attack in which a malicious Java file was served on the website of the Greece embassy in Beijing during a diplomatic meeting to Athens.
The team warned enterprises to monitor content delivery networks and ensure server response headers were configured to push third party content from narrow white lists.

Hack attack causes 'massive damage' at steel works

Melted steel  
The hack attack led to failures in plant equipment and forced the fast shut down of a furnace
A blast furnace at a German steel mill suffered "massive damage" following a cyber attack on the plant's network, says a report.
Details of the incident emerged in the annual report of the German Federal Office for Information Security (BSI).
It said attackers used booby-trapped emails to steal logins that gave them access to the mill's control systems.
This led to parts of the plant failing and meant a blast furnace could not be shut down as normal.
The unscheduled shutdown of the furnace caused the damage, said the report.
In its report, BSI said the attackers were very skilled and used both targeted emails and social engineering techniques to infiltrate the plant. In particular, said BSI, the attackers used a "spear phishing" campaign aimed at particular individuals in the company to trick people into opening messages that sought and grabbed login names and passwords.
The phishing helped the hackers extract information they used to gain access to the plant's office network and then its production systems.
Once inside the steel mill's network, the "technical capabilities" of the attackers were evident, said the BSI report, as they showed familiarity with both conventional IT security systems but also the specialised software used to oversee and administer the plant.
BSI did not name the company operating the plant nor when the attack took place. In addition, it said it did not know who was behind the attack nor what motivated it.
The attack is one of only a few on industrial systems known to have caused damage. The most widely known example of such an attack involved the Stuxnet worm which damaged centrifuges being used by Iran in its nuclear enrichment programme.
Benjamin Sonntag, a software developer and digital rights activist, told Reuters: "We do not expect a nuclear power plant or steel plant to be connected to the internet.
"To be computerised, but to be connected to the internet and to be hackable - that is quite unexpected," he said.

South Korea nuclear plant hit by hacker

Computers at a nuclear power plant in South Korea have been compromised by a hacker, but the plant's operator says no critical data has been leaked.
The hacker was able to access blueprints, floor maps and other information on the plant, the South Korean Yonhap News Agency reported Sunday. Using a Twitter account called "president of anti-nuclear reactor group," the hacker has released a total of four postings of the leaked data since December 15, each one revealing internal designs and manuals of the Gori-2 and Wolsong-1 nuclear reactors run by Korea Hydro and Nuclear Power Co. (KHNP), Yonhap added. The hacker has threatened to leak further information unless the reactors are shut down.
KHNP has insisted that the leaked information is not critical and does not undermine the safety of the reactors. The company also played down the threat of any type of cyberattack, saying that the reactors' controllers are protected because they're not linked to any external networks, according to the Wall Street Journal.
The hacking against KHNP nuclear plants occurs in the midst of a major hack against Sony Pictures over its movie "The Interview," a comedy about an assassination attempt against North Korean leader Kim Jong-un. The FBI has accused North Korea of orchestrating the Sony hack, though the country has denied any involvement. As a further response, North Korea suggested a joint investigation into the hack with the US but then accused the US of being involved in the making of the film, according to The Guardian.
Despite the increased tension, no fingers have been pointed at North Korea for the hacking against the KHNP power plants. An official at KHNP told Reuters that the hacking appeared to be the work of "elements who want to cause social unrest," but added that he had no one specific in mind.
Government officials looking into the incident were able to trace the hacker's IP address to a PC located in a specific location, Yonhap said. Investigators have been sent to the location as well as to the plant's reactors to probe further.