Category: Security

Android phones vulnerable to booby trapped wi-fi signals

 Android phones are vulnerable to attacks that use booby trapped wi-fi signals to achieve full device takeover, a researcher has demonstrated.

The vulnerability resides in a widely used wi-fi chipset manufactured by Broadcom and used in both iOS and Android devices. Before anyone claims it was poor Android programming, the Fruity Cargo-Cult Apple was also vulnerable to the hack but patched the vulnerability with Monday’s release of iOS 10.3.1.

The Google Project Zero researcher Gal Beniamini who discovered the flaw said that an attacker within range may be able to execute arbitrary code on the wi-fi chip.

In a highly detailed blog post Apple said that the flaw  allowed the execution of malicious code on a fully updated 6P “by wi-fi proximity alone, requiring no user interaction”.

Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over the air update to those who are eligible.

Company representatives didn’t respond to an e-mail seeking comment for this post. The proof-of-concept exploit uses wi-fi frames that contain irregular values.

The values, in turn, cause the firmware running on Broadcom’s wireless system-on-a=chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode.

Beniamini’s code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.

Mounties always get their LAN

Canadian coppers have admitted that they is spying on mobile phones throughout Canada because they are worried about illegal monitoring by criminals and foreign spies.

The RCMP held the briefing in the wake of a CBC News investigation that found evidence that devices known as IMSI catchers may be in use near government buildings in Ottawa for the purpose of illegal spying.

After hiding their own use of the technology in secrecy for years, the RCMP spoke out about the devices — also known as Stingrays or Mobile Device Identifiers (MDIs).

The RCMP says that MDIs – of which it owns 10 – have become “vital tools” deployed scores of times to identify and track mobile devices in 19 criminal investigations last year and another 24 in 2015.

RCMP Chief Supt. Jeff Adam said that in all cases but one in 2016, police got warrants. The one exception was an exigent circumstance — in other words, an emergency scenario “such as a kidnapping”.

Adam’s office tracks every instance where an MDI has been used by the RCMP. He says using an MDI requires senior police approval as well as getting a judge’s order.

And he says the technology provides only a first step in an investigation allowing officers to identify a device. He says only then can police apply for additional warrants to obtain a user’s “basic subscriber information” such as name and address connected to the phone.

Then, he says, only if the phone and suspect are targets of the investigation can police seek additional warrants to track the device or conduct a wiretap to capture communications. Adam says the RCMP currently has 24 technicians trained and authorized to deploy the devices across Canada. He knows other police forces own and use them too, but declined to name them.

General Motors connects its robots to StarNet

In living proof that not enough people go to sci-fi movies, General Moters connected a quarter of its 30,000 factory robots to the internet.

The largest US  automaker already is reaping the benefits of less down time by analyzing data they sent to external servers in the cloud.

Mark Franks, director of global automation, said connectivity is preventing assembly line interruptions and robot replacements that can take as long as eight hours. Internet monitoring allows GM to order parts when it detects they’re wearing out instead of having to store them at the factory.

He said that reduces inventory and saves cash.

Hooking robots to the internet for preventive maintenance is just the start of a spurt of new robotics technology, Franks said.

GM is using robots that can work safely alongside humans in the factory that produces the Chevrolet Volt plug-in hybrid, he said.

Of course putting stuff on the internet makes it less secure and if an AI collective consciousness develops among internet connected devices, then it could use all these robots to take over the world.

You will know this has happened when a GM robot starts to assemble a robot to look for Sara Conner. But in the meantime, GM will be saving a bob or two before that, so that is ok.

Intel finally gets rid of McAfee

After seven years and a lawsuit from its founder, Intel is finally getting rid of McAfee.

The chip maker has divested its majority holdings in McAfee to investment firm TPG for US$3.1 billion.

McAfee will become a standalone security company, but Intel will retain a minority 49 percent stake. Chipzilla is apparently only interested in internal operations on hardware-level security.

The selloff is a loss for Chipzilla, which spent $7.68 billion to acquire McAfee in 2010. Some analysts think it was the worst thing that Intel ever bought.

Although the idea was good. Intel wanted to add layers of security to hardware and components. It McAfee technology in firmware at the PC and server chip level, and developed security management tools. McAfee technology was used in hardware using real-time operating systems. But most of McAfee was software based and had little ties to Intel’s core hardware strategy.

To fix the problem, Intel ran a parallel hardware security strategy that had little to no ties to McAfee.

London terror case creates calls for back-doors

 

Tory hawks have discovered that the London terrorist was a Whatsup subscriber and are demanding the social notworking site give it a back door to prevent these attacks happening again.

British-born Khalid Masood sent an encrypted message moments before killing four people last week by ploughing his car into pedestrians and fatally stabbing a copper as he tried to get into parliament in an 82-second attack that struck terror in the heart of London.

British interior minister Amber Rudd said that technology companies must cooperate more with law enforcement agencies and should stop offering a “secret place for terrorists to communicate” using encrypted messages.

The only problem with this claim is that even if the spooks had a back door to Masood’s phone they would have had to have gone through a mountain of data of someone who they did not suspect was a terrorist, read the correct message and rushed to respond.

There have been lots of calls for messaging services to either abandon encryption or to allow the government to monitor them 24/7.  Practically this means checking the emails of known terrorists to see if they use a list of terrorist type words.  This does not work if they don’t or are not known terrorists or have terrorist connections.

Lithuanian phishes two big US tech companies

A 48-year-old Lithuanian scammer named Evaldas Rimasauskas managed to trick two American technology companies into wiring him $100 million.

According to the US Department of Justice, Rimasauskas  masqueraded as a prominent Asian hardware manufacturer and tricked employees into depositing tens of millions of dollars into bank accounts in Latvia, Cyprus, and numerous other countries.

What is amazing about this rather bog standard phishing scam is how much cash he walked away with and the fact it was the IT industry, which should have known better.

The indictment does not name and shame the companies.  The first company is “multinational technology company, specializing in internet-related services and products, with headquarters in the United States”. The second company is a “multinational corporation providing online social media and networking services”.

Both apparently worked with the same “Asia-based manufacturer of computer hardware,” a supplier that the documents indicate was founded some time in the late ’80s.

Representatives at both companies with the power to wire vast sums of money were still tricked by fraudulent email accounts. Rimasauskas even went so far as to create fake contracts on forged company letterhead, fake bank invoices, and various other official-looking documents to convince employees of the two companies to send him money.

Rimasauskas has been charged with one count of wire fraud, three counts of money laundering, and aggravated identity theft. In other words, he faces serious prison time of convicted — each charge of wire fraud and laundering carries a max sentence of 20 years.

 

Farmers turn to hackers to save them from tractor makers

US farmers are paying Eastern European hackers to crack their tractors so that they can actually repair them.

Tractor maker John Deere puts locks on its tractors because it does not want farmers to  perform “unauthorised” repairs on farm equipment. It wants the farmers to wait for one of its dealers to show up and repair it. They are also worried that the tractor maker could remotely shut down a tractor and there wouldn’t be anything a farmer could do about it.

A licence agreement John Deere required farmers to sign in October forbids nearly all repair and modification to farming equipment, and prevents farmers from suing for “crop loss, lost profits, loss of goodwill, loss of use of equipment … arising from the performance or non-performance of any aspect of the software”.

The agreement applies to anyone who turns the key or otherwise uses a John Deere tractor with embedded software. It means that only John Deere dealerships and “authorised” repair shops can work on newer tractors.

However this does not sit well with farmers who feel that if they have bought a tractor they should be allowed to do with it what they like. So they go to some dodgy part of the internet and pay for a crack from the nice man in the Ukraine.

This saves a fortune in time and money. If you want to replace a transmission and you take it to an independent mechanic—he can put in the new transmission but the tractor can’t drive out of the shop. Deere charges $230, plus $130 an hour for a technician to drive out and plug a connector into their USB port to authorise the part.

 

FBI is investigating Russian gaming of the US election

 

The FBI is investigating how Russia used an internet army to bombard America with right-wing news and fake stories when candidate Donald (Prince of Orange) Trump was on the defensive during the 2016 election.

The Untouchables are concerned that some of those news outlets might have worked to help Russian operatives.

Led by the FBI’s Counterintelligence Division, the investigation is examining how stories from sites like Breitbart News, InfoWars, and the Kremlin-backed RT News and Sputnik News, were spread across the internet.

The investigation, the sources said, is examining whether certain far-right sites took any action to aid Tsar Putin.

In early January 2017, America’s intelligence agencies concluded Russia had mounted a disinformation campaign to influence the US election and picked out RT’s American division as one of the culprits.

FBI Director James Comey told a House Intelligence Committee hearing on the issue that Russia’s efforts were targeted to “hurt our democracy” and specifically “hurt” Democratic candidate Hillary Clinton and “help” current President Donald Trump.

Of course, he did a little bit of that himself during the election and managed to keep his job after Trump took office.

Investigators are now looking at millions of Twitter and Facebook posts carrying links to real stories, and others that mixed fact and fiction, on conservative websites sent out by social media bots. These computer programmes, of “bots,” were operated by Russia on multiple social media accounts and were programmed and coordinated to spread and amplify messages across the internet.

Russia apparently used these social media accounts to bombard the internet with pro-Trump stories at times during the campaign when he was on the defensive against Clinton.

Russian bots and paid trolls used the timed release of information “to propagate stories underground and these stories appear to have been amplified by fringe elements of our media like Breitbart.

The investigation into the bots is just one branch of several investigations being run by the FBI probing Russia’s attempts to influence the 2016 election. Others are working to identify those behind the hacks and publication of the Democratic National Committee’s emails, leading Republicans, and Hillary Clinton’s campaign manager John Podesta.

Others are pursuing leads from informants and foreign communications intercepts about the Trump campaign’s contacts with Russian intelligence officers before the November election.

This is the first time that Comey has revealed officially that the FBI is investigating the Trump campaign.

Meanwhile Alex Jones of the conspiracy theory website InfoWars has claimed that the whole thing is a witch hunt by the left. “I’m not gonna sit here and say, ‘I’m not a Russian stooge,’ because it’s a ******* lie,” said on his talk show.

Trump insists that Obama was listening through his microwave

 

Donald (Prince of Orange) Trump is standing by his bizarre claim that former president Barrack Obama was listening into his election conversations through his microwave.

While every other member of the US Senate Intelligence Committee rejected Trump’s bizarre claim that the Obama administration wire-tapped him during the 2016 presidential campaign, Trump is sticking to his guns, or rather his nukes.

The top Republican in Congress, House of Representatives Speaker Paul Ryan, added his voice to a growing chorus of lawmakers saying there was no sign of a wiretap.

But White House spokesman Sean Spicer forcefully defended the president, citing news reports of intelligence collection on possible contacts between Trump associates and Russia in the presidential campaign.

“There is no question that there were surveillance techniques used throughout this,” Spicer said.

The Republican president has accused his predecessor, Democrat Barack Obama, of wiretapping him near the end of the campaign. An Obama spokesman said that was “simply false”.

“Based on the information available to us, we see no indications that Trump Tower was the subject of surveillance by any element of the United States government either before or after Election Day 2016,” Richard Burr, the Republican chairman of the Senate Intelligence Committee, and Senator Mark Warner, the committee’s Democratic vice chairman, said in a statement.

Ryan also said there was no evidence of surveillance.

“The point is, the intelligence committees in their continuing, widening, ongoing investigation of all things Russia, got to the bottom – at least so far – with respect to our intelligence community that – that no such wiretap existed,” the House speaker told reporters.

Pressed at the White House briefing on whether Trump would back down from his wiretap accusations, Spicer said: “He stands by it”.

Spicer also chastised the media for focusing so much attention on comments disparaging Trump’s claim about surveillance. He said reporters had not focused enough on comments from officials denying evidence of any collusion between Russia and the Trump campaign.

But that might have been because the news is really about Trump’s allegations that his associates had ties to Russian officials and the White House wants that buried. Trump fired his national security adviser, Michael Flynn, last month after he failed to disclose contacts with Russia’s ambassador before Trump took office on January 20.

An official familiar with the investigations by Congress and intelligence and law enforcement agencies said investigators had looked as aggressively and thoroughly as they could for evidence of any spying on Trump or his associates but had found none.

At least four congressional committees included the startling accusation in their investigations of possible Russian meddling in the election campaign and Russian ties to Trump and his associates.

IT security is still a man’s world darling

A new survey shows that while the IT world is pretty sexist, no part of it is worse than the IT Security industry, which is so backward it makes Neanderthals look like Homo Superior.

A report from the Centre for Cyber Safety and Education and the Executive Women’s Forum (EWF) said that not only do women make up one in ten of the cyber security workforce, they are paid much less despite having a better education than their sexist male colleagues.

The survey of more than 19,000 participants around the world finds that women have higher levels of education than men, with 51 percent holding a master’s degree or higher, compared to 45 percent of men.

Yet despite out qualifying them, women in cybersecurity earned less than men at every level and the wage gap shows very little signs of improvement. Men are four times more likely to hold C and executive level positions, and nine times more likely to hold managerial positions than women, globally.

More worrying is that 51 percent of women report encountering one or more forms of discrimination in the cybersecurity workforce. In the Western world, discrimination becomes far more prevalent the higher a woman rises in an organisation.

Lynn Terwoerds, executive director of the EWF said that companies who under-represent and under-use female talent were facing both a critical business issue.

They were also hindering the development of world class cybersecurity organizations and resilient companies, as well as the nation’s safety and protection.

Women who feel valued in their position are in organisations which provide training and leadership development resources.