

Archive for the ‘Security’ Category

Security trends for 2012

Tuesday, January 10th, 2012

Here is my collection of security trends for 2012 from different sources:

Windows XP will be the biggest security threat in 2012, according to Sean Sullivan, security advisor at F-Secure: “People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favourite target.”

F-Secure also says that it might not be long before cyber criminals turn their attention to tablet devices. Attacks against mobile devices have become more common, and I expect this to continue this year as well.

Americans are more susceptible to online scams than believed, a study finds. A recent survey from The Ponemon Institute and PC Tools dives into this question and reveals a real gap between how aware Americans think they are of scams and how likely they actually are to fall for them.

Fake antivirus scams have plagued Windows and Mac OS X during the last couple of years, and now it seems that they have spread to Android. Nearly all new mobile malware in Q3 2011 targeted Android. When antivirus software becomes a universally accepted requirement (the way it is on Windows), has the platform failed and missed the whole point of being a mobile operating system?


Cyber criminals are developing more sophisticated attacks, and the police will counterattack.

Mobile phone surveillance will increase and more details of it will surface. Last year’s findings included Location data collecting smart-phones, Carrier IQ phone spying busted and Police surveillance system to monitor mobile phones. In the USA the Patriot Act lets the authorities investigate anything, anywhere, without a warrant; now they are on your devices and can monitor everything. The article Leaked Memo Says Apple Provides Backdoor To Governments reports that, “in exchange for the Indian market presence”, mobile device manufacturers including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.

The Geo-location tagging in smartphones to potentially cause major security risks article says that geo-location tagging security issues are likely to be a major issue in 2012, and that many users of smartphones are unaware of the potentially serious security consequences of their use of the technology. When smartphones upload images to the Internet (to portals such as Facebook or Flickr) there’s a strong chance they will also upload the GPS location data embedded in the image metadata (EXIF). This information could subsequently be misused by third parties.

You need to find your balance between freedom and security (Vapauden ja turvallisuuden tasapaino, in Finnish: “The balance between freedom and security”). Usernames are poured out for all to see; passwords and personal identification numbers are published. Knowledge of access management is even more important: who has the right to know what, when, where, and in which role? Access, identity and role management are essential for the protection of the whole system. Implementation of such systems is still far from complete.

When designing networked services, security should be taken into account at the planning stage rather than at the end of implementation. Even a secure network and information system cannot operate in a vacuum.


Reliability of server certificates will face more and more problems. We can expect more certificate authority bankruptcies due to cyber attacks against them. Certificate attacks that have focused on PC Web browsers are now proven to be effective against mobile browsers as well.

Stonesoft says that advanced evasion techniques (AET) will be a major threat. Stonesoft discovered that with certain evasion techniques (particularly when combined in specific ways) they could sneak common exploits past many IDS/IPS systems (including their own, at the time last summer). Using the right tool set (including a custom TCP/IP stack) attackers could sneak past our best defenses. This is real, and they foresee a not too distant future where things like botnet kits will have this as a checkbox feature.

The rise of printer malware is real. Printer malware: print a malicious document, expose your whole LAN says that sending a document that carries a malicious version of the printer’s firmware (its operating system) can make the printer send your sensitive documents anywhere on the Internet. Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Potential scenario: send a resume to HR, wait for them to print it, take over the network and pwn the company. HP does have firmware update software for their printers, and HP Refutes Inaccurate Claims; Clarifies on Printer Security. I wonder how many more years until that old chain letter, where some new insidious virus infects everything from your graphics card to your monitor cable, becomes true.

Unauthorized changes to the BIOS could allow, or be part of, a sophisticated targeted attack on an organization, allowing an attacker to infiltrate the organization’s systems or disrupt its operations. How Do You Protect PCs from BIOS Attacks? The U.S. National Institute of Standards and Technology (NIST) has drafted a new computer-security publication that provides guidance for computer manufacturers, suppliers, and security professionals who must protect personal computers as they start up “out of the box”: “BIOS Integrity Measurement Guidelines,” NIST Special Publication 800-155.

According to Stonesoft, security problems now threaten lives, and 2012 may be the first year in which people die because of security breaches. Whether this happens remains to be seen, but the risk comes from attacks against industrial SCADA systems in targets such as hospitals or automated drug delivery systems. I already posted about a month ago about SCADA systems security issues.

SCADA systems security issues

Wednesday, December 14th, 2011

SCADA systems are used to monitor and control critical installations in oil and gas refineries, water and power distribution plants, manufacturing plants and other industrial facilities. There has been a lot of discussion about malware and security in industrial automation systems after Stuxnet. Widely viewed as the most complex piece of computer malware ever created, Stuxnet is believed to have been designed to sabotage uranium enrichment centrifuges at Iran’s Natanz nuclear plant. If malware can do that, other similar malware can do something else nasty as well.

Attacks against SCADA systems can have very serious consequences. I think that we have been quite lucky not to have seen any big disasters yet. Even though the attacks are rare at the moment, security researchers are confident that their number will increase, especially since the Stuxnet industrial sabotage worm set a successful precedent. And now there is a lot of news about the Duqu worm.

News around a month ago told that a SCADA hack shut down a US water plant on 8 November 2011. The attack has been credited to an unknown attacker (the handle “pr0f” took credit) who, according to hacker sources, managed to access a SCADA controller and take over systems. This once again caused security experts to question the security of SCADA systems. Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System. “This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote. “You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,” he wrote in a note on the file sharing Web site pastebin.com. On the other hand, federal officials said there’s no evidence to support a separate report that hackers destroyed a pump used by an Illinois-based water utility after gaining unauthorized access to the computer system it used to operate its machinery. What the truth is in that case is hard to say.

What is known is that many industrial systems are vulnerable. Siemens Simatic is a common SCADA product and has been the subject of other warnings from security researchers; according to Siemens industrial control systems are vulnerable to attack, the flaws can cause serious problems. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned earlier that Siemens’ SIMATIC S7-1200 programmable logic controllers (PLCs) are vulnerable to so-called replay attacks that can interfere with normal operations. An attacker with access to the PLC or the automation network could intercept the PLC password and make unauthorized changes to the PLC operation. In ICS-CERT’s words, the ISO-TSAP protocol is functioning to specifications; however, authentication is not performed, nor are payloads encrypted or obfuscated. That is the whole problem: a frame captured off the wire is just as valid the second time it is sent.
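To make the replay problem concrete, here is an added example (my own toy code, not the Siemens/ISO-TSAP protocol and not anything from the ICS-CERT advisory): a hypothetical controller that executes any well-formed frame, beside one that demands a one-time nonce and an HMAC over the command. The frame layout, the class names and the pre-shared key are assumptions made up for the example.

```python
import hashlib
import hmac
import os

# Toy "PLC" models for this example. The frame formats and class names are
# assumptions made up here; they are not the Siemens S7 / ISO-TSAP wire format.


class UnauthenticatedPLC:
    """Executes any well-formed frame. Nothing ties a frame to a session or a moment
    in time, so a frame sniffed on the automation network can be resent later."""

    def __init__(self):
        self.coils = {}

    def handle(self, frame: bytes) -> bool:
        if not frame.startswith(b"WRITE "):
            return False
        coil, sep, value = frame[6:].partition(b"=")
        if not sep:
            return False
        self.coils[coil.decode()] = int(value)
        return True


class AuthenticatedPLC:
    """Challenge-response: the controller hands out a one-time nonce, the client returns
    HMAC-SHA256(key, nonce || command) together with the command, and the nonce is
    consumed on use. The shared key never crosses the wire, so sniffing yields nothing
    that can be replayed or reused as a password."""

    NONCE_LEN = 16
    MAC_LEN = 32

    def __init__(self, key: bytes):
        self.key = key
        self.coils = {}
        self.outstanding = set()   # nonces issued but not yet used (expire these in real code)

    def challenge(self) -> bytes:
        nonce = os.urandom(self.NONCE_LEN)
        self.outstanding.add(nonce)
        return nonce

    def handle(self, frame: bytes) -> bool:
        n, m = self.NONCE_LEN, self.NONCE_LEN + self.MAC_LEN
        if len(frame) < m:
            return False
        nonce, mac, cmd = frame[:n], frame[n:m], frame[m:]
        if nonce not in self.outstanding:
            return False                      # never issued or already used: a replay
        expected = hmac.new(self.key, nonce + cmd, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False                      # forged or tampered frame
        self.outstanding.discard(nonce)       # consume the nonce before acting on the command
        if not cmd.startswith(b"WRITE "):
            return False
        coil, sep, value = cmd[6:].partition(b"=")
        if not sep:
            return False
        self.coils[coil.decode()] = int(value)
        return True


def sign_command(key: bytes, nonce: bytes, cmd: bytes) -> bytes:
    """Client side: frame = nonce || HMAC(key, nonce || cmd) || cmd."""
    return nonce + hmac.new(key, nonce + cmd, hashlib.sha256).digest() + cmd


def replay_demo():
    """The operator turns a pump on, then off. An attacker who sniffed the 'on' frame
    resends it. Returns whether the replay was accepted and the resulting pump state."""
    plain = UnauthenticatedPLC()
    captured = b"WRITE pump1=1"
    plain.handle(captured)
    plain.handle(b"WRITE pump1=0")
    plain_replay_accepted = plain.handle(captured)

    key = b"provisioned-out-of-band"         # assumption: pre-shared between HMI and PLC
    auth = AuthenticatedPLC(key)
    captured = sign_command(key, auth.challenge(), b"WRITE pump1=1")
    auth.handle(captured)
    auth.handle(sign_command(key, auth.challenge(), b"WRITE pump1=0"))
    auth_replay_accepted = auth.handle(captured)

    return {
        "plain_replay_accepted": plain_replay_accepted,
        "plain_pump": plain.coils["pump1"],
        "auth_replay_accepted": auth_replay_accepted,
        "auth_pump": auth.coils["pump1"],
    }


if __name__ == "__main__":
    print(replay_demo())
```

The unauthenticated controller happily turns the pump back on; the authenticated one rejects the resent frame because its nonce has already been consumed, and a frame with a modified command fails the MAC check. A real deployment also needs nonce expiry and a key per device, but the principle is the same.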

White Paper On Industrial Automation Security In Fieldbus And Field Device Level is an interesting white paper (from Vacon, Nixu and F-secure) that focuses on presenting a generic overview about security in industrial automation. Security aspects of traditional fieldbuses, Ethernet-based networks and wireless communication technologies are presented. Challenges regarding data security in the field of industrial automation are discussed. The properties of industrial automation devices are described with a focus on security, tampering possibilities, and risk mitigation methods.

Many protocols used in industrial control systems were intentionally designed to be open and without security features. As long as the networks that run those protocols are kept physically separate from public networks you are fairly safe. For the most part SCADA systems are not designed to be connected to the Internet, but engineers can put in workarounds for remote access. Any time you do this you create a pathway through which someone can get in. And there are often cases where remote devices are accessed using those non-secure protocols over unsafe networks (the public telephone network, cellular networks, radio links, even the Internet).

For a long time there has been a belief that SCADA systems benefit from the use of specialized protocols and proprietary interfaces (security through obscurity), and that their networks are physically secured and disconnected from the Internet. Today none of those beliefs hold anymore. Nowadays you can find many tools on the Internet for working with standard SCADA protocols (for example, Wireshark can decode several commonly used SCADA protocols).

The move from proprietary technologies to more standardized and open solutions, together with the increased number of connections between SCADA systems and office networks and the Internet, has made them more vulnerable to attacks. Modern SCADA systems should be designed so that they can withstand being accidentally connected to the Internet (it will happen sooner or later). In addition to making the SCADA system itself secure, you should separate it from the Internet (no connection at all, or a very strictly configured series of firewalls). The FACT CHECK: SCADA Systems Are Online Now article tells that nearly everything is connected now; nearly all SCADA systems are online. Adding a simple NAT device is far from bulletproof access control.

Most SCADA systems in use are old computer systems. They are usually horribly patched (“if it ain’t broken, don’t fix it”) and often run very old operating system versions. Windows is a very commonly used operating system in SCADA applications, because only a few SCADA packages support anything other than Windows. It seems that many people are not happy with the security stance taken within their organizations around SCADA hosts. Even if you have patches up to date and current anti-malware on a host, all you have done is eliminate some of the risk (and maybe created new risks, since anti-malware software can sometimes disturb normal system operation). Add a firewall and you have reduced some more of the risk. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable.

I wish no one had to worry about hackers in any application, but we do. Unfortunately, data security is never a non-issue.

The FACT CHECK: SCADA Systems Are Online Now article mentions an interesting story about the Boeing 747 (for those who do not know, modern 747s are big flying Unix hosts with lots of Ethernet). A new video system that ran over IP had been added and segregated from the control systems using layer 2 VLANs. Security researchers managed to break out of the VLANs and access other systems (including engine management systems). The issue here is that all that separated the engine control systems from the open network was VLAN and NAT based filtering.

Phone spying busted

Wednesday, November 30th, 2011

BUSTED! Secret app on millions of phones logs key taps article tells that Android app developer Trevor Eckhart has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of their users.

Many Android, Nokia, and BlackBerry smartphones have software called Carrier IQ. Carrier IQ is a diagnostic tool designed to give network carriers and device manufacturers detailed information about the causes of dropped calls and other performance issues. But it seems that it collects more information than the smartphone user might like it to have. Carrier IQ allows your carrier full access into your handset, including keylogging, which apps have been run, URLs that have been loaded in the browser, etc.

Carrier IQ tried to silence Eckhart, but later backtracked. Eckhart labeled the software a “rootkit,” and the software maker threatened him with legal action and huge money damages. The Electronic Frontier Foundation came to his side last week, and the company backed off on its threats.

In a YouTube video, Trevor Eckhart shows how software from Carrier IQ recorded in real time the keys he pressed into a stock handset. The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim.

After all this you just have to learn to trust your phone operator even more than you wanted to before… or hack your phone to get rid of programs like this. By the way, it cannot be turned off without rooting the phone and replacing the operating system. Why aren’t mobile-phone customers informed of this and given a way to opt out?

Captcha security

Monday, November 21st, 2011

Outsmarted: Captcha security not much of a gotcha article tells that a team of Stanford University researchers has bad news to report about Captchas, those often unreadable, always annoying distorted letters that you’re required to type in at many a Web site to prove that you’re really a human. Captcha is often used to defend against malicious ‘bots, including operators of botnets who try to automatically create accounts on Web e-mail services to send spam.


Many Captchas don’t work well at all. More precisely, the researchers invented a standard way to decode those irksome letters and numbers found in Captchas on many major Web sites. Fortunately for normal users and the owners of those web sites, the researchers have no plans to release their Decaptcha tool. This gives Captcha users some time to fix their systems before the “bad guys” work out their own decaptcha program (trust me, it will happen sooner or later).

The major problem, according to the researchers, is that most Captchas are designed without proper testing and no usability testing, and are fundamentally unable to fully guarantee application security. Captchas were always doomed to degrade over time, so they need to evolve. Even though there are considerable problems, Captchas are still useful for protecting against certain threats.

Google’s slanted-red-letters Captcha (used in Gmail) and the fuzzy-lettered reCAPTCHA were found to be pretty secure against the attacks (everything else tested was much less secure). The free reCAPTCHA is used by what Google estimates to be over 100,000 Web sites, including Twitter, Facebook, Craigslist, Ticketmaster, and Microsoft. If you are looking for a Captcha solution, try the fuzzy-lettered reCAPTCHA and do not try to make your own, weaker solution. For more details read The Robustness of Google CAPTCHAs paper.

Surveillance system to monitor mobile phones

Monday, November 7th, 2011

The Met police using surveillance system to monitor mobile phones article from The Guardian tells that a civil liberties group has raised concerns over the Metropolitan police’s purchase of technology to track public handsets over a targeted area.

Britain’s largest police force is operating covert surveillance technology that can masquerade as a mobile phone network. This allows authorities to intercept SMS messages and phone calls by secretly duping mobile phones within range into operating on a false network, where they can be subjected to “intelligent denial of service”. The surveillance system has been procured by the Metropolitan police from Leeds-based company Datong plc. The disclosure has caused concern among lawyers and privacy groups.

This is just one new way to do mobile phone surveillance. Mobile phone surveillance has been possible in many other ways before. Mobile Surveillance – A Primer highlights some of the potential surveillance risks posed by the use of mobiles. It is in the nature of mobile cellular systems that the network operator knows the approximate location of all phones currently on the network, and maintains extensive call and messaging records. And all the data and voice you send and receive goes through the operator’s systems.


Keylogging using smartphone motion sensor

Monday, August 22nd, 2011

Researchers have studied keystroke inference based on side channels such as sound, electromagnetic emanations, and timing. Since these attacks exploit characteristics of physical keyboards, they become ineffective on smartphones with soft keyboards.

Attacks using smartphone sensors raise awareness of privacy attacks through those sensors. Besides the obvious privacy concern over the GPS sensor, researchers have shown attacks using the camera and microphone.

TouchLogger: Inferring Keystrokes On Touch Screen From Smartphone Motion is the first paper to show the privacy risks of motion sensors. Since typing on different locations on the screen causes different vibrations, motion data can be used to infer the keys being typed.

Both Android and iOS provide three accuracy levels based on event frequencies. For example, at the highest accuracy level, the average interval between device orientation events on an HTC Evo 4G phone is about 30 ms, while on a Motorola Droid it is about 110 ms. Using motion sensor data alone, TouchLogger achieved an accuracy of over 70% in the researchers’ tests.

USB phone charging a security risk?

Saturday, August 20th, 2011

Many modern cellular phones use a USB plug for charging, and many places now offer a charging possibility. But plugging your phone into an untrusted USB cable is indeed a security risk, according to the Juicejacking – an emergency phone charge can be a security risk article. Fortunately, the article tells that it’s easy to avoid the risk in both directions: always carry and use the charging adapter which came with your device instead of a charging station. It’s a lot safer than trusting an unknown cable hanging out of an unknown cabinet in a public place.


Why isn’t the Web using HTTPS always?

Monday, May 2nd, 2011

You wouldn’t write your username and passwords on a postcard and mail it for the world to see, so why are you doing it online? Every time you log in to any service that uses a plain HTTP connection that’s essentially what you’re doing.

There is a better way: the secure version of HTTP, HTTPS. HTTPS has been around nearly as long as the Web, but it is primarily used by sites that handle money. HTTPS is the combination of HTTP and TLS. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over the Internet.


Web security got a shot in the arm last year when the Firesheep network sniffing tool made it easy for anyone to capture your current session’s login cookie on insecure networks. That prompted a number of large sites to begin offering encrypted versions of their services via HTTPS connections. So the Web is clearly moving toward more HTTPS connections; why not just make everything HTTPS?

HTTPS is more secure, so why isn’t the Web using it? gives some interesting background on HTTPS. There are some practical issues most Web developers are probably aware of.

The real problem is that with HTTPS you lose the ability to cache in shared intermediary caches (the browser can still cache HTTPS responses locally, but proxies between it and the server only see ciphertext). For sites that have no reason to encrypt anything (you never log in and only see public information) the overhead and loss of caching that comes with HTTPS just doesn’t make sense. Most content on this site, for example, has no reason to be encrypted.

The initial TLS handshake (key exchange) also adds latency, so an HTTPS-only Web would, with today’s technology, be slower. The fact that more and more websites are adding support for HTTPS shows that users do value security over speed, so long as the speed difference is minimal.

The cost of operating an HTTPS site is higher than for plain HTTP: you need certificates that cost money, and more server resources. The cost of certificates is obviously not much of an issue for large Web services with millions of dollars, but it can be a showstopper for some smaller low-budget sites.

Perhaps the main reason most of us are not using HTTPS to serve our websites is simply that it doesn’t work well with virtual hosts: the server has to present a certificate during the TLS handshake, before it has seen the HTTP Host header, so with several names on one IP address it does not know which certificate to send. There is a way to make virtual hosting and HTTPS work together (the TLS extension Server Name Indication (SNI), which puts the host name into the ClientHello), but so far it is only partially implemented.

In the end there is no real technical reason the whole Web couldn’t use HTTPS. There are practical reasons why it isn’t just yet happening today.

Location data collecting smart-phones

Wednesday, April 27th, 2011

Location-based services (LBS) are a hot topic among mobile services developers. A location-based service is an information or entertainment service, accessible with mobile devices through the mobile network, that makes use of the geographical position of the mobile device. Modern smart-phones can locate themselves using GPS and/or the radio signal delay from the closest cell-phone towers.

Location information can be used for all kinds of services, including mobile phone tracking. Real-time GPS tracking of a person is technically quite possible using certain software and hardware tools. The phone could be sending the location data in real time or collecting the places visited into a file inside the phone. Malware can turn your smart-phone into a tracking device.

The widespread collection of location information is the latest frontier in the booming market for personal data. It seems that very many smart-phones track user location and store it on the device (or even send it to the phone manufacturer), usually without the permission of the device owner.

Researchers found that iPhones store unencrypted databases containing location information, sometimes stretching back in time. The iPhone Tracker open-source application plots on a map the location information that your iPhone has been recording about your movements in hidden files.

Apple Inc.’s iPhones and Google Inc.’s Android smartphones regularly transmit their locations back to Apple and Google, respectively, according to data and documents analyzed by The Wall Street Journal. This is intensifying concerns over privacy and the widening trade in personal data. Should you care that your iPhone’s logging your location? Apple gives some answers on their side.


Recent news has surfaced that Nokia phones and Windows Phone 7 phones also collect and send out location information.

Cellphones have many reasons to collect location information, which helps provide useful services like local-business lookups and social-networking features. Some location data can also help cellphone networks more efficiently route calls.

Google also has said it uses some of the data to build accurate traffic maps. Apple gathers the data to help build a “database with known location information”. Windows Phone 7 transmits to Microsoft a miniature data dump including a unique device ID, details about nearby Wi-Fi networks, and the phone’s GPS-derived exact latitude and longitude.

Maybe the phone manufacturers should have informed the customers of this beforehand and asked their permission to do it. This kind of data collection is a potential privacy problem, and most smartphone users do care about location privacy, according to new research from Nielsen.

The user is identifiable if you have a series of events. One privacy concern is that location databases can be a gold mine for police or civil litigants: requesting cell phone location information from wireless carriers has become a staple of criminal investigations.

Before the smart-phone era your operator already knew your location to a certain accuracy; the cell phone network needs it to work correctly. A cellphone is continuously sending and receiving signals to and from the nearest operator tower. Even in standby mode a cellphone is ‘active’ on the wireless network. The cellphone service provider can locate the phone by analyzing these signals: the two or three towers nearest to the cellphone are identified, and the relative strengths of their signals are compared. Using this method a cellphone can be traced to within about 100 meters of its exact location. Your telephone operator could be using this information and even storing it. You need to trust them if you use a cell phone.

Mag-stripe readers

Wednesday, June 23rd, 2010

The iPhone mag-stripe reader stalled article tells that Square, the expected breakthrough business launched by Twitter founder Jack Dorsey, won’t be shipping as scheduled. What is interesting is that Square is just a magnetic-stripe reader, and that there were already a dozen credit card processing applications on the iPhone. Only this time it comes with a plastic lump that reads the card number by taking advantage of a feature banks have been trying to phase out for a decade or two. That fact didn’t stop venture capitalists pouring $10m into the company. According to the article much of the invested money has been spent refining the hardware, but the real complexity has been underwriting the security of the system.


I expect that this iPhone mag-stripe card reader hardware is pretty simple. It seems to plug into the external mic connector of the iPhone, so I guess the hardware could be just the read head, with software on the phone decoding the signal from the card stripe. The magnetic stripe read head is pretty similar to a compact cassette tape player read/write head. The head from an old tape deck works quite OK for this but is not as good as a head specifically designed for magnetic stripe reading. The signal level from a compact cassette deck read head is usually pretty close to microphone level.

The Magnetic Stripe Reading web page shows how to read a magnetic stripe using a computer sound card and a magnetic head from a cassette deck. The article text is as it appeared in the Spring 2005 issue of 2600 Magazine. The output of the magnetic head goes directly to the mic input of a sound card, and a simple Linux program does the decoding.


Since all the data obtained from the reader itself is audio, the device can even be interfaced to a digital audio recording device. Later, you would view and edit the captured audio file, saving the clean waveform to a standard .wav file to be analyzed with software. At least in theory this works, and the Magnetic Stripe Reading article says that it works in practice.
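As an added example (my own code, not the 2600 article’s program and not Square’s software), here is the decoding step in Python: constructed track 2 card data is encoded in F2F (Aiken biphase), the self-clocking scheme used on magnetic stripes, into a synthetic flux waveform whose swipe speed changes along the stripe, and then decoded back from the transition timings alone, checking each character’s odd parity and the trailing LRC. The card data and the signal are constructed and meaningless.

```python
# Added example: F2F (Aiken biphase) encode/decode of an ISO 7811 track 2 stripe.
# All card data below is constructed for the example.

START, END = 11, 15          # ';' and '?' after mapping through chr(0x30 + value)


def odd_parity(data_bits):
    """Parity bit that makes the total number of ones in the 5-bit character odd."""
    return 0 if sum(data_bits) % 2 else 1


def char_bits(value):
    """Track 2 character: 4 data bits, least significant first, then odd parity."""
    data = [(value >> i) & 1 for i in range(4)]
    return data + [odd_parity(data)]


def track2_bits(payload, clocking_zeros=12):
    """Recorded bit stream: zeros, start sentinel, data, end sentinel, LRC, zeros."""
    values = [START] + [ord(c) - 0x30 for c in payload] + [END]
    lrc = 0
    for v in values:
        lrc ^= v                      # LRC = XOR of every 4-bit value incl. sentinels
    values.append(lrc)
    bits = [0] * clocking_zeros
    for v in values:
        bits += char_bits(v)
    return bits + [0] * clocking_zeros


def f2f_encode(bits, base_cell=24, accel=1.004):
    """Flux level (+1/-1 per sample) for the bit stream. F2F has a transition at every
    cell boundary and an extra one mid-cell for a 1. The cell shrinks by `accel` per
    bit to mimic a hand swipe that speeds up, so the decoder must track the clock."""
    samples, level, cell = [], 1, float(base_cell)
    for bit in bits:
        whole = int(round(cell))
        half = whole // 2
        level = -level                # clock transition at cell start
        if bit:
            samples += [level] * half
            level = -level            # data transition in the middle of the cell
            samples += [level] * (whole - half)
        else:
            samples += [level] * whole
        cell /= accel
    return samples


def transitions(samples):
    """Sample indexes where the flux reverses: the pulses a read head delivers."""
    return [i for i in range(1, len(samples)) if samples[i] != samples[i - 1]]


def f2f_decode(samples):
    """Recover bits from transition spacing. Relies on the leading clocking zeros
    (real cards have them) so the first interval is a known full cell."""
    t = transitions(samples)
    intervals = [b - a for a, b in zip(t, t[1:])]
    if len(intervals) < 2:
        return []
    expected, bits, i = float(intervals[0]), [], 0
    while i < len(intervals):
        if intervals[i] < 0.75 * expected:       # half cell: this + next interval = a 1
            if i + 1 >= len(intervals):
                break
            full = intervals[i] + intervals[i + 1]
            bits.append(1)
            i += 2
        else:                                    # full cell = a 0
            full = intervals[i]
            bits.append(0)
            i += 1
        expected = 0.7 * expected + 0.3 * full   # follow the changing swipe speed
    return bits


def decode_track2(bits):
    """Find the start sentinel, read 5-bit characters up to the end sentinel, verify
    each character's parity and the LRC. Returns (text, lrc_ok)."""
    start = char_bits(START)
    for s in range(len(bits) - 4):
        if bits[s:s + 5] == start:
            break
    else:
        raise ValueError("start sentinel not found")
    values, pos = [], s
    while pos + 5 <= len(bits):
        group = bits[pos:pos + 5]
        if group[4] != odd_parity(group[:4]):
            raise ValueError(f"parity error at bit {pos}")
        value = sum(b << i for i, b in enumerate(group[:4]))
        values.append(value)
        pos += 5
        if value == END:
            break
    else:
        raise ValueError("end sentinel not found")
    lrc_group = bits[pos:pos + 5]
    if len(lrc_group) < 5:
        raise ValueError("LRC missing")
    lrc = sum(b << i for i, b in enumerate(lrc_group[:4]))
    expected_lrc = 0
    for v in values:
        expected_lrc ^= v
    lrc_ok = lrc == expected_lrc and lrc_group[4] == odd_parity(lrc_group[:4])
    return "".join(chr(0x30 + v) for v in values), lrc_ok


def read_track2(payload):
    """Round trip: encode constructed card data, 'swipe' it, decode from the samples."""
    return decode_track2(f2f_decode(f2f_encode(track2_bits(payload))))


if __name__ == "__main__":
    print(read_track2("1234567890123456=2512101"))   # constructed, not a real card
```

With a real capture you would replace f2f_encode by zero-crossing detection on the sound card samples; everything from the transition list onward is the same, which is why a cassette head and a sound card are all the hardware this needs.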

When playing with the magnetic stripes of credit cards is nowadays that easy, it is no wonder that banks are trying to get rid of that old technology in favour of safer smartcard technology.

