White House data breach: what are the risks?

The news of a security incident involving public institutions is always treated with high importance, taking into consideration the volume of sensitive information stored by these entities. The recent White House data breach didn’t involve any classified information but hacking into the West Wing computer network might have been just enough to provide the attackers with important data: correspondence with certain diplomats or details about White House visitors.

Although it has not been officially confirmed whether the authorities are up against professional cyber thieves or foreign spies, the personal information of American citizens can now be used by the attackers however it serves their purposes.

An urgent letter signed by the U.S. Senate Commerce Committee was addressed to President Barack Obama raising several concerns about the White House data breach.

Committee chairman John Thune released a statement last night expressing his concern over the hacking episode.

‘Just like any entity that handles personally-identifiable information, the White House has a responsibility to notify Americans if the recent, or any future breach, results in a compromise. If such information has been lost, the White House still has a responsibility to victims even if it believes the hack was perpetrated by foreign spies and not cyber thieves,’ said Committee chairman John Thune.

The letter mentions that the White House computer system contained not only personal data of the White House visitors but also sensitive information such as schedules, policy discussions and emails, including exchanges with diplomats. Do you think this type of information ending up in the hands of the attackers can do more harm than everybody initially thought?

Read more on the topic: http://www.dailymail.co.uk/news/article-3066787/U-S-Senate-panel-raises-privacy-concerns-White-House-hacking-incident.html#ixzz3ZBDTuy8h

Software Vulnerability in Boeing’s 787 Dreamliner

“The bug resembles an integer overflow and was discovered in laboratory testing. It is located in an electrical system which generates power, and is triggered when a generator has been running non-stop for just over eight months. After such a period of continuous operation, all four of the plane’s main generator control units will fail at the same time – which could be catastrophic should it occur during a flight”

The software bug was reported by Boeing itself and is currently under investigation by the US aviation authority; a temporary workaround has already been found. To avoid falling victim to the vulnerability in their software, planes have to be rebooted at least every 248 days so that the generator control units never reach eight continuous months of operation.

The FAA now requires Boeing to reboot the 787s every 120 days while an official fix for the software vulnerability, expected by the end of the year, is developed.
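As an added illustration (not code from Boeing, the FAA or the linked article), the following Python model shows how a signed 32-bit counter produces a failure after just over eight months: counting 10 ms ticks, 2^31 ticks is about 248.55 days, and every unit sharing the same uptime clock trips in the same instant. The 10 ms tick rate and the watchdog rule are assumptions chosen to reproduce the reported figure; the real implementation is not public.

```python
# Constructed model of a signed 32-bit uptime counter in 10 ms ticks. The tick
# rate and the watchdog logic are assumptions chosen to reproduce the reported
# 248-day figure; they are not taken from Boeing or the FAA.
TICK_MS = 10
INT32_MAX = 2**31 - 1
MASK32 = 0xFFFFFFFF


def to_int32(n: int) -> int:
    """Reduce an integer to two's-complement signed 32 bits, as a C int would."""
    n &= MASK32
    return n - 2**32 if n > INT32_MAX else n


def days_until_wrap(tick_ms: int = TICK_MS) -> float:
    """Uptime at which the counter passes 2**31 ticks and turns negative."""
    return (INT32_MAX + 1) * tick_ms / 1000 / 86400


def elapsed_signed(now: int, then: int) -> int:
    """Naive elapsed time on int32 values: goes hugely negative at the wrap."""
    return to_int32(now) - to_int32(then)


def elapsed_modular(now: int, then: int) -> int:
    """Wraparound-safe elapsed time: subtraction modulo 2**32, as unsigned C."""
    return (now - then) & MASK32


def heartbeat_fault(elapsed: int, timeout_ticks: int = 500) -> bool:
    """Watchdog rule: a negative or overlong gap since the last good reading
    is treated as a failure of the monitored unit."""
    return elapsed < 0 or elapsed > timeout_ticks


def simulate(units: int = 4) -> dict:
    """Step four control units over the wrap boundary. Each saw a healthy
    reading a fraction of a second earlier; with signed arithmetic all of them
    fault in the same tick, with modular arithmetic none do."""
    now = INT32_MAX + 2                              # just past the wrap
    last_ok = [now - 10 * (i + 1) for i in range(units)]
    naive = sum(heartbeat_fault(elapsed_signed(now, t)) for t in last_ok)
    safe = sum(heartbeat_fault(elapsed_modular(now, t)) for t in last_ok)
    return {"days_at_wrap": round(days_until_wrap(), 2),
            "signed_faults": naive, "modular_faults": safe}
```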

The recently discovered bug shows once again how software vulnerabilities can cause irreparable damage, especially when they might also be exploited by criminals. How safe would you want globally used software to be, when your life depended on it?

Read more about the security vulnerability in Boeing 787: http://www.itnews.com.au/News/403500,critical-software-bug-could-down-boeing-787s-mid-flight.aspx#ixzz3ZANjtbvE

Can your next password be found in your browsing history?

Some companies try to help us out and make logging in to mobile phones and other devices easier – the most recent example being Yahoo with its idea of using your ear and knuckles to do so. It sounds cool, but will it help you get rid of the good old password altogether? Probably not.

Researchers believe that a very personalized authentication process could help out, though. It would be a bit creepy if your smartphone asked you “Which YouTube video did you watch yesterday evening?”, but at the same time it would also be pretty secure. Romit Roy Choudhury, an associate professor at the University of Illinois who researched the topic and wrote a paper on it, says: “Whenever there’s something you and your phone share and no one else knows, that’s a secret, and that can be used as a key.”

There are some drawbacks though:

  • We all have horrible memories. To actually work, the event apparently has to be unique enough to jog our memory, and not much older than a day.
  • Good friends might be able to predict some of the answers (and consequently your password).

Overall the results were not bad. The study showed that the password prompt works well enough – users were able to answer three questions correctly 95% of the time.

For more information head over to the article from MIT Technology Review.

Social Networks: How Their Privacy Settings Compare

Facebook in particular has often been in the media when it comes to privacy issues and concerns. But do you really know what can and cannot be set in its sometimes rather confusing options? And what about all the other social networks like Twitter, LinkedIn, and Google+?

ITWorld decided to check out the top social networks and compare their privacy settings – in one handy chart. The list of things they checked for you is rather extensive and includes the following points:

  • Profile visibility limits upon sign-up
  • Control how people can search for you
  • Control who can connect with you
  • Control whether people can message you
  • Control who can see your connections
  • Prevent users from tagging you in posts
  • Choose who can see your photos
  • Block users
  • Opt out of photo tagging
  • Disable facial recognition
  • Opt out of search engine indexing
  • Review recent logins
  • Set login alerts
  • Enable two-factor authentication
  • Automatically supports a secure connection
  • Control connected applications
  • Limit data sharing with third-party apps
  • Turn off location tracking
  • Delete location information
  • Manage advertising
  • Opt out of all advertising
  • Request an archive of your data
  • Delete your account

Just head over to ITWorld to read the whole article which also includes instructions for finding and updating these options in the different social networks.

WordPress 4.2.1 Patches Zero-Day Exploit

This vulnerability affects all previous versions and can be exploited through the comment section of a website running WordPress, by hiding malicious code in a comment that is then executed on the server.

An attacker exploiting the flaw can execute arbitrary code on the server, create new administrator accounts, or make changes with the same privileges as the currently logged-in admin.

The bug is very similar to the one patched in 4.1.2.

The bug lies in the way WordPress stores large comments (more than 64 KB): such comments are truncated when written to the database, so the HTML generated from them is malformed.

One might ask why anyone would allow a 64 KB comment in the first place. But since comments may contain HTML, the full HTML is stored in the database.

Add some formatting to the comment and the 64 KB are consumed rather quickly.

By crafting the attributes of the supported HTML tags, the attacker can hide a short piece of malicious JavaScript in the comment, which then runs without any visible sign when the administrator views it in the Dashboard before approving it.
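An added example, not WordPress code, showing the defender's side of the mechanism described above: the comment is filtered in full, then silently cut to the 64 KB column size, so the HTML that is stored is no longer what the filter approved, and the fix is to refuse anything the column cannot hold. The allowlist filter, the column limit and the well-formedness check are simplified stand-ins, not the real WordPress functions.

```python
import re

# Constructed model of the bug class: the comment is filtered in full, then the
# database silently truncates it at the TEXT column limit (65,535 bytes).
COLUMN_LIMIT_BYTES = 65535
ALLOWED_TAGS = {"a", "em", "strong", "code"}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>")


def sanitize(fragment: str) -> str:
    """Allowlist filter standing in for the pre-storage comment filter: any
    tag not in ALLOWED_TAGS is dropped. It only ever sees the full comment."""
    return TAG_RE.sub(
        lambda m: m.group(0) if m.group(2).lower() in ALLOWED_TAGS else "",
        fragment)

def db_truncate(fragment: str, limit: int = COLUMN_LIMIT_BYTES) -> str:
    """Simulates a TEXT column cutting the value at its byte limit."""
    return fragment.encode("utf-8")[:limit].decode("utf-8", errors="ignore")

def is_well_formed(fragment: str) -> bool:
    """Cheap structural check: every '<' must be closed by a '>' before the
    next '<'. An unclosed tag is exactly the malformed HTML truncation leaves."""
    return all(">" in chunk for chunk in fragment.split("<")[1:])

def store_unsafe(comment: str) -> str:
    """Filter first, truncate afterwards: the stored bytes were never checked."""
    return db_truncate(sanitize(comment))

def store_safe(comment: str) -> str:
    """Refuse anything the column cannot hold, so what is stored is exactly
    what the filter approved and nothing is ever silently cut."""
    if len(comment.encode("utf-8")) > COLUMN_LIMIT_BYTES:
        raise ValueError("comment exceeds storage limit; refusing to truncate")
    return sanitize(comment)

def safe_store_rejects(comment: str) -> bool:
    """True if store_safe refuses the comment instead of truncating it."""
    try:
        store_safe(comment)
    except ValueError:
        return True
    return False

def oversized_comment() -> str:
    """Constructed sample: an allowed tag whose attribute value alone is longer
    than the column, so the closing '>' falls beyond the truncation point."""
    return '<a title="' + "x" * 70_000 + '" href="https://example.com">link</a>'
```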

As an immediate reaction to this exploit, WordPress 4.2.1 has begun to roll out as an automatic background update for sites that support them.

You can also download WordPress 4.2.1 manually, or update from Dashboard → Updates by simply clicking “Update Now”.

For more information, see the release notes.

Hackers Could Exploit Phones With an Implanted NFC Chip

Biohacking, or wetware hacking, is the practice of engaging with biology in the spirit of the hacker ethic. It encompasses a wide spectrum of practices and movements, one of which is the “grinders”, who design and install do-it-yourself body enhancements such as magnetic implants.

It sounds rather “out there”, right? But it apparently isn’t, as Wahle decided to demonstrate. You only need a strong stomach. In order to show that an implanted NFC chip can be sneaked past scanners at the airport and other high-security locations, he not only had to acquire a chip normally designed to be injected into cattle, but also had to use a needle so big it made him want to vomit.

The chip has an NFC (Near Field Communication) antenna which pings Android phones in close vicinity and asks them to open a link. If followed, the link leads to a malicious file which, once installed, establishes a connection to a remote computer from which the chip’s owner can carry out further exploits. With the right amount of social engineering this could become a real danger.

“In Miami, Wahle and Soto are planning to detail the steps hackers will need to go through to add implants to their arsenal, including how to acquire the hardware and program the chip. Could this be the beginnings of the democratisation of malevolent biohacking?” writes Forbes magazine in its article. And security consultant Rod Soto adds: “This is just the tip of the iceberg … anyone can do this.”

Banned From the Internet: The Life of an Ex-Hacker

Higinio Ochoa, a former hacker who went by the name “wOrmer” when online, talks about it on Reply All. He recounts how he got the ultimate punishment for his crime: “I’m not to touch any computer, smartphone or device that has internet connectivity. That would be against my rules.”

Just imagine how hard it would be for you not to be allowed to use the internet. It’s everywhere nowadays – you shop online, you chat with your friends and family online, you may even have a job that requires you to be online all the time!

Ochoa is a programmer, which means he still works with computers. Not being allowed on the internet makes this job pretty strange, though: he codes from his home in Austin, but in order to deliver his work to his boss, he has to put the file on a USB stick and mail it, because he is – of course – not allowed to use an email program.

Find out more about how Ochoa lives without the net in the digital age in this article on Digg or listen to the Reply All podcast over here. He also talks about what he did to get arrested and his first computer experience.

Surgical Robots and the Remote Surgery Hacking Threat

This sounds horrible but it could never happen in real life anyway, right? Wrong! Telesurgery is something that is already happening today, and while it is not all that common yet it’s likely that it will become more and more popular in the near future. The tech allows a doctor to perform surgery on a patient even though they are not physically in the same location. All in all a great thing, considering how many lives can be saved that way.

But how secure are those lifesaving robots when it comes to cyber threats? The answer to this question, presented in a recent research paper called “To Make a Robot Secure: An Experimental Analysis of Cyber Security Threats Against Teleoperated Surgical Robots”, is shocking. A team from the University of Washington identified a slew of possible cyber security threats. They were also able to “maliciously control a wide range of robot’s functions, and even to completely ignore or override command inputs from the surgeon.” Just imagine a denial of service attack launched at a crucial point during surgery! It could be fatal to the patient.

Luckily a scenario like this has not happened yet – but would you feel comfortable being under the knife knowing some hacker could end your life just because he feels like starting a DDoS attack?

Read the rest of the article over here to find out what the team concluded and gain a deeper insight into the research paper.

Mobile Apps: The Privacy Insanity

Security expert Troy Hunt took a look at three apps (one of them PayPal’s) and the results are shocking: while all of them were far too invasive, most of the tested apps had serious security issues as well.

When it comes to privacy, PayPal in particular seems to want far more information from you than necessary. Hunt took the time to list the extra personal data requests on his blog:

  1. “BSSID: This is the unique device ID of my home router which is the same as the MAC address. Google got themselves into hot water for siphoning this up via their mapping vehicles a little while back because that one unique ID ties back to my precise device.
  2. Device model and name: You could argue that comparable information is sent via your browser courtesy of the user agent, but that would only apply to the model and not the name of the device which is explicitly not passed in requests. This is private – it’s my device name.
  3. Internal IP address: The internal address assigned to my iPhone via the router when it associated to the network. This can give a sense of how many devices are on the network.
  4. Location: There’s my lat and long again and for all the same reasons I don’t really want to share it with Aussie Farmers, I also don’t really want to share it with PayPal.
  5. SSID: We’re talking about the name of my internal network here. I name mine in a non-identifying fashion because frankly, I want to keep it somewhat private and that’s from those in my immediate vicinity, let alone those on the other side of the world.
  6. Storage space: Ok, so it’s a 128GB iPhone, do they really need to know that? Back to the user agent comparison, this is not the sort of stuff that’s typically “leaked” by generic requests to the web because it’s an internal metric of no external consequence.”

In addition, the security of two of the tested apps was so bad that he concluded: “Perhaps I should just stick to the browser that doesn’t leak this class of data yet one would assume is still sufficiently secure.”

Do you want to find out more? Then take a look at the whole in-depth article.

Student Wanted to Improve Grades, Got Jailed Instead

Nowadays, with all the technological advances and everything being stored on a PC or even online, committing such a crime is actually easier than ever if the school isn’t prepared for it and has no security measures in place to prevent incidents like this one. But crime doesn’t pay, even if it is “only” to change one’s grades, as Imran Uddin had to discover.

According to The Independent, the 25-year-old student hid four logging devices in computers at the University of Birmingham. He apparently wanted to steal staff logins and then use them to access the grading system and improve his own grades.

Fortunately the student’s trick was discovered, the police got involved, and – after pleading guilty to six offences under the Computer Misuse Act – he has been jailed for four months. While this might sound harsh to some, let’s not forget that he committed a real crime that would have provided him with false qualifications had he been successful.

Detective Constable Mark Bird, from the Regional Cyber Crime Unit, said: “The audacity of Uddin to install not just one but four of these devices showed how determined he was to cheat his way to a better degree.”

You can read the whole article over here.