March 8th, 2010
Computer scientists at the University of Michigan have found a way to uncover the secret cryptographic keys of devices secured with the OpenSSL crypto library. By modifying the current running through a device’s power supply as it processed encrypted data, researchers were able to extrapolate small bits of the device’s private crypto key. After repeated interventions, they were successful in assembling the entire 1024-bit key.
According to a recent article on The Register,
The attack is enabled by what the researchers described as a “severe vulnerability” in the OpenSSL innards that carry out authentication based on the RSA public key encryption algorithm. It resides in the so-called fixed window exponentiation algorithm of the open-source crypto library, which is used when errors arise. By triggering a single-bit error in a multiplication operation, the scientists were able to force OpenSSL to divulge 4 bits of the secret key.
Once they gathered about 8,800 malformed messages from the targeted device, they fed the data into an 81-machine cluster of 2.4 GHz Pentium-4 systems running a custom-designed algorithm…and were able to extract its 1024-bit private key in 104 hours.
The Register reports that an OpenSSL representative has confirmed that a patch is currently in development.
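To illustrate the countermeasure such fault attacks call for, here is an added Python example (ours, not OpenSSL's code and not the researchers' attack) using textbook-sized RSA parameters. It simulates a single-bit error in one intermediate product of a square-and-multiply exponentiation, then shows that verifying the result with the public exponent before releasing it catches the corrupted signature, so a faulty output never leaves the device. The parameters, the fault hook and the function names are constructed for the example.

```python
# Toy RSA parameters, constructed for illustration only (far too small for real use).
P, Q = 61, 53
N = P * Q            # 3233
E = 17               # public exponent
D = 2753             # private exponent: E * D == 1 (mod lcm(P-1, Q-1))


def modexp(base, exp, mod, fault_at=None):
    """Left-to-right square-and-multiply modular exponentiation.

    `fault_at` simulates a single-bit error in one intermediate value: after
    processing bit number `fault_at` (0 = most significant bit of `exp`), the
    accumulator has its lowest bit flipped. This stands in for the hardware
    glitch that a fault attack relies on; with fault_at=None the function is a
    plain, correct exponentiation.
    """
    acc = 1
    for i, bit in enumerate(bin(exp)[2:]):
        acc = (acc * acc) % mod
        if bit == "1":
            acc = (acc * base) % mod
        if i == fault_at:
            acc ^= 1          # simulated single-bit fault
    return acc


def sign_unchecked(message, fault_at=None):
    """Vulnerable pattern: whatever the private-key operation produced is released."""
    return modexp(message, D, N, fault_at)


def sign_checked(message, fault_at=None):
    """Hardened pattern: re-verify with the public exponent before release.

    A signature computed under a fault will not verify, so it is withheld
    (None) instead of being handed to the caller, where it could be analysed.
    """
    sig = modexp(message, D, N, fault_at)
    if modexp(sig, E, N) != message % N:
        return None
    return sig


if __name__ == "__main__":
    m = 65
    last_step = D.bit_length() - 1
    print("clean signature verifies:", pow(sign_checked(m), E, N) == m)
    print("faulty unchecked output verifies:",
          pow(sign_unchecked(m, fault_at=last_step), E, N) == m)
    print("faulty checked output:", sign_checked(m, fault_at=last_step))
```

The check costs one extra exponentiation with the small public exponent per signature, which is cheap next to the private-key operation; the same verify-before-release step applies to implementations that use the Chinese remainder theorem, where it is applied to the recombined result.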
Tags: openssl, security
March 8th, 2010
We’ve reported on new devices shipping with pre-installed malware before, and this time it’s the Android-based HTC Magic phone.
As reported today on Threat Post, a researcher at Panda Security connected the new phone–from European distributor Vodafone–to her PC and was alerted by her anti-virus software that the handset was infected with the Mariposa botnet client malware, which quickly attempted to infect other PCs in the network.
And perhaps even more shocking, this was not the only malware pre-loaded on the phone:
Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Conficker and a Lineage password stealing malware. I wonder who’s doing QA at Vodafone and HTC these days…
Tags: botnet, conficker worm, malware, mariposa, mobile-security
March 8th, 2010
As recently reported in The Guardian, Parliament has issued a scathing report accusing top executives at the British tabloid News of the World of lying about the extent of the paper’s knowledge of, and involvement in, an ongoing mobile phone hacking scandal.
The 167-page report…is withering about the conduct of the News of the World, with one MP saying its crimes “went to the heart of the British establishment, in which police, military royals and government ministers were hacked on a near industrial scale”.
MPs condemned the “collective amnesia” and “deliberate obfuscation” by NoW executives who gave evidence to them, and said it was inconceivable that only a few people at the paper knew about the practice.
According to cabinet minister Ben Bradshaw, “This report…says lawbreaking was condoned and that the company sought to conceal the truth. We welcome the report and are considering what further action may be needed to be taken.”
The report is the latest action in a continuing scandal surrounding the illegal interception of voice messages on phones belonging to members of the British government, military, and royal household by journalists at News of the World, the top-selling newspaper in Rupert Murdoch’s News International media conglomerate.
March 8th, 2010
Google’s open source Android platform has been a popular entry into the smartphone market. And, as shown on a recent NetworkWorld slideshow, manufacturers–from Archos to Compaq–are quickly developing a range of Android-based network devices, including tablet computers, netbooks and portable media players.
But with an already established list of security breaches and weaknesses,
- “Security Flaws in Google Android”
- “Security…practically nonexistent with Google”
- “Android Security Vulnerability Discovered”
- “Android 2.0.1 Security Flaw Allows Screen Lock Bypass”
concerns remain about the rapid spread of a device platform that still functions without a developed, comprehensive security architecture.
Tags: android, security, smartphone
March 8th, 2010
A recent article on Wired.com reports that, with Smart Grid utility technologies being implemented at a rapid rate, experts are concerned that the cybersecurity of these systems is seriously lagging.
…[S]ecurity research on the systems is lagging behind the deployment of smart meters, which has already occurred in some places in the United States. PG&E [Pacific Gas & Electric] is in the lead with 5 million gas and electric smart meters deployed since 2006, which represents about half of its customer base. PG&E expects to deploy an additional 5 million smart meters by 2012.
According to one researcher,
…[T]he most common vulnerability…is susceptibility to “cross-site request forgery” on the control systems…. Cross-site request forgery allows an attacker to hijack an authentication cookie stored in a user’s browser — to authenticate him, for example, to his bank or, in this case, a utility control system — and obtain access to the system as that user.
Security experts also warn that the electronic remote-shutoff function–present in most smart meters, allowing utility companies to remotely shut-down electric service–should be completely disabled until smart grid cybersecurity solutions are more thoroughly understood and implemented.
However, according to the Wired.com article, of PG&E’s 2.5 million currently deployed electricity smart meters, only approximately 300,000 have had their remote-shutoff switches disabled. This leaves nearly 2.2 million deployed smart meters capable of remote shutoff.
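For the cross-site request forgery weakness the researcher describes, the standard defence is to require, on every state-changing request, both an Origin (or Referer) header that matches the site and a per-session token that a page on another site cannot read, so that the browser automatically attaching the authentication cookie is no longer enough. The following Python is an added example (not code from any utility vendor or from the Wired.com article) that implements that check as a plain function; the site origin, paths, session contents and request dictionaries are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed, hypothetical origin of the utility control console.
SITE_ORIGIN = "https://meters.utility.example"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def new_csrf_token():
    """Per-session random token; stored server-side and embedded in each form."""
    return secrets.token_urlsafe(32)


def _request_origin(headers):
    """Return scheme://host from Origin, falling back to Referer, else None."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def is_request_allowed(request, session):
    """request: dict with 'method', 'headers', 'form'; session: server-side session dict.

    Safe methods pass (they must not change state). State-changing requests
    need a matching origin AND a token equal to the session's token; the cookie
    alone, which the browser sends on cross-site requests too, is never enough.
    """
    if request["method"] not in STATE_CHANGING:
        return True
    if _request_origin(request["headers"]) != SITE_ORIGIN:
        return False
    submitted = request["form"].get("csrf_token", "")
    expected = session.get("csrf_token", "")
    if not expected:
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())


def demo():
    """Constructed session and two constructed requests: one from the console, one cross-site."""
    session = {"user": "operator1", "csrf_token": new_csrf_token()}
    # Legitimate submission from a form the console itself served.
    legit = {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN, "Cookie": "session=abc123"},
        "form": {"meter_id": "12345", "csrf_token": session["csrf_token"]},
    }
    # Same cookie (the browser attaches it automatically), but the form was
    # submitted by a page on another site, which cannot know the token.
    cross_site = {
        "method": "POST",
        "headers": {"Origin": "https://other-site.example", "Cookie": "session=abc123"},
        "form": {"meter_id": "12345"},
    }
    # A plain page view carries no token and is allowed because it changes nothing.
    view = {"method": "GET", "headers": {"Cookie": "session=abc123"}, "form": {}}
    return (is_request_allowed(legit, session),
            is_request_allowed(cross_site, session),
            is_request_allowed(view, session))


if __name__ == "__main__":
    print(demo())   # legitimate allowed, cross-site refused, GET allowed
```

The origin check alone would already stop the cross-site form in this example, but older browsers omit Origin and Referer can be stripped by privacy tools, so the token is what makes the check hold regardless; keeping remote-shutoff behind a state-changing method is part of the design, since a GET that changes state would sidestep both checks.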
Tags: security, smart-grid
February 28th, 2010
Mocana is pleased to announce our participation in the 2010 RSA Conference, taking place in San Francisco, March 1-5, 2010.
As part of the “Governance, Risk & Compliance” track on March 3, 2010, we will present “Recent Attacks on Medical Devices”:
A new generation of connected medical devices is dramatically lowering healthcare costs. But many of these devices, including popular pacemakers, insulin pumps, and remote patient monitoring systems, have been fielded without adequate security. We detail newly discovered attacks and vulnerabilities on these devices, and suggest possible solutions.
To register, visit www.rsaconference.com.
Tags: medical devices, Mocana, rsa, security
February 28th, 2010
Computer science researchers at Rutgers University are demonstrating that modern smartphones can be overtaken by a serious kind of malware previously only associated with regular computers. “Rootkits”–malware systems that target the operating system and remain undetected–could become a serious security threat to the rapidly expanding smartphone market.
According to Rutgers,
In one test, the researchers showed how a rootkit could turn on a phone’s microphone without the owner knowing it happened. In such a case, an attacker would send an invisible text message to the infected phone telling it to place a call and turn on the microphone, such as when the phone’s owner is in a meeting and the attacker wants to eavesdrop.
In another test, they demonstrated a rootkit that responds to a text query for the phone’s location as furnished by its GPS receiver. This would enable an attacker to track the owner’s whereabouts. Finally, they showed a rootkit turning on power-hungry capabilities, such as the Bluetooth radio and GPS receiver to quickly drain the battery. An owner expecting remaining battery life would instead find the phone dead.
The researchers suggest that developing defenses which can monitor and detect this kind of malware would be the next step for smartphone security.
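As an added example of the monitoring defence the researchers call for (illustrative code written for this post, not Rutgers’ work), the following Python scans a constructed phone event log for the pattern described above: a sensitive capability (call, microphone, GPS, Bluetooth) switching on shortly after an incoming text message with no user interaction in between. The event names, log format, numbers and timestamps are invented for the example.

```python
from datetime import datetime, timedelta

# Capabilities whose silent activation is worth flagging.
SENSITIVE = {"CALL_PLACED", "MIC_ON", "GPS_ON", "BT_ON"}
# How long after an SMS an activation still counts as "triggered by it".
WINDOW = timedelta(seconds=60)

# Constructed sample event log (hypothetical format: timestamp EVENT key=value...).
SAMPLE_LOG = """\
2010-02-28T09:58:10 SCREEN_OFF
2010-02-28T10:00:00 SMS_RECEIVED sender=+15550000001 visible=0
2010-02-28T10:00:03 CALL_PLACED number=+15550000001
2010-02-28T10:00:04 MIC_ON
2010-02-28T11:30:00 SCREEN_ON
2010-02-28T11:30:05 USER_TOUCH
2010-02-28T11:30:06 GPS_ON
2010-02-28T12:00:00 SCREEN_OFF
2010-02-28T12:05:00 SMS_RECEIVED sender=+15550000002 visible=0
2010-02-28T12:05:01 GPS_ON
2010-02-28T12:05:02 BT_ON
"""


def parse_event(line):
    """Split one log line into (timestamp, event name, dict of key=value fields)."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    fields = dict(p.split("=", 1) for p in parts[2:])
    return ts, parts[1], fields


def detect_sms_triggered_activity(lines, window=WINDOW):
    """Return alerts for sensitive activations that follow an SMS with no user input.

    The rootkit behaviour in the text is: a text message arrives, and the phone
    then places a call / enables the microphone, GPS or Bluetooth by itself.
    A user touch after the SMS resets the suspicion, since the owner may have
    reacted to the message; activations long after the SMS are ignored.
    """
    alerts = []
    last_sms = None
    user_active_since_sms = False
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, event, fields = parse_event(line)
        if event == "SMS_RECEIVED":
            last_sms = ts
            user_active_since_sms = False
        elif event == "USER_TOUCH":
            user_active_since_sms = True
        elif event in SENSITIVE:
            if (last_sms is not None and ts - last_sms <= window
                    and not user_active_since_sms):
                alerts.append({
                    "time": ts.isoformat(),
                    "event": event,
                    "trigger": last_sms.isoformat(),
                    "detail": fields,
                })
    return alerts


if __name__ == "__main__":
    for a in detect_sms_triggered_activity(SAMPLE_LOG.splitlines()):
        print(f"{a['time']} {a['event']} (after SMS at {a['trigger']}) {a['detail']}")
```

On the sample log the detector flags the call and microphone activation after the first message and the GPS and Bluetooth activations after the second, while the GPS use at 11:30, which followed a user touch and no recent message, is left alone. A real monitor would need these events from a trusted layer (below the compromised OS components), which is what makes the rootkit case hard.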
Tags: malware, rootkits, security, smartphone
February 28th, 2010
With the country’s utility, security, and financial systems all vulnerable to cyberattacks, security experts are telling Congress that increased government oversight is necessary to ensure the nation’s cybersecurity.
According to the Associated Press,
U.S. computer networks — from the Defense Department to small companies — are scanned and probed millions of times a day. The assaults range from small time hackers looking to steal credit card data to nation states and terror groups aimed at espionage or disrupting vital computer systems….
Sen. Jay Rockefeller, D-W.Va., chairman of the [Senate Commerce, Science and Transportation Committee], said the government must work with the private sector, because neither can do it alone. He noted that private industry owns or controls roughly 85 percent of computer networks, and said companies meeting with the committee have balked at greater government control.
Tags: networks, security
February 28th, 2010
According to a recent article in The Sydney Morning Herald, security company Symantec is planning to release a solution for ensuring the security of mobile phone apps and the networks they connect to.
The solution will be based on the reputation-based security algorithm already used by the Norton 360 security suite to build a live database of reputable mobile apps. The database will be housed in the cloud and will be customisable according to corporate policy.
Users will then be able to download and use applications knowing they have a high reputation score. Apps already downloaded may show a warning or be centrally disabled by an IT department if their reputation score changes.
According to Symantec Research Labs vice president Joe Pasqua, “In the Android world anyone can sign their own application. Google has taken an approach that says we’ll be completely open. And what is Apple vetting for? APIs, network bandwidth use, copyright, but not necessarily from a security perspective. Even if they are, we’ve already seen how badly-developed apps for phones have brought down mobile phone towers, not intentionally, but it happened…”
Additionally, a hacker was recently able to post his phishing app–which attempted to trick users into submitting their banking details–to Google’s Android Market.
Tags: android, apps, mobile-phishing, security, symantec
February 22nd, 2010
As devices in the home become increasingly networked and internet-connected–e.g., the “internet fridge”–the missing link could be a simple, portable, user-oriented device that acts as an interface, wirelessly connecting the range of devices that make up the “Internet of Things.”
A recent article on ReadWriteWeb suggests that this central device could be Apple’s iPad:
…[T]he mistake we’ve made with Internet fridges in the past was to think of them like a dumb sensor…it’s not the instrumentation that is important in an Internet fridge – it’s the network.
The data will probably be collected by the fridge, in time via RFID-enabled food packaging. But the fridge itself is a clumsy interface to that data. Early examples of Internet fridges have tried to be an interface for the consumer. Although some have had tablet-like devices that could be disconnected from the fridge and used on the kitchen bench, users have not found even those very compelling….
The iPad, however, will be used anywhere and everywhere by its users – inside and outside the house. So it’s a natural device to use to connect (virtually, not physically) to your fridge – along with other appliances and objects.
Tags: internet of things, iPad, rfid