Monthly Archives: July 2016

Beware! Your iPhone Can Be Hacked Remotely With Just A Message

Do you own an iPhone? Mac? Or any Apple device?


Just one specially-crafted message can expose your personal information, including your authentication credentials stored in your device’s memory, to a hacker.

The vulnerability is quite similar to the Stagefright vulnerabilities discovered a year ago in Android, which allowed hackers to silently spy on almost a billion phones with just one specially-crafted text message.


Cisco Talos senior researcher Tyler Bohan, who discovered this critical Stagefright-type bug in iOS, described the flaw as “an extremely critical bug, comparable to the Android Stagefright as far as exposure goes.”

The critical bug (CVE-2016-4631) resides in ImageIO, the API used to handle image data, and affects all widely-used Apple operating systems, including Mac OS X, tvOS, and watchOS.


All an attacker needs to do is create an exploit for the bug and send it via a multimedia message (MMS) or iMessage inside a Tagged Image File Format (TIFF) file.

Once the message is received on the victim’s device, the exploit launches.

“The receiver of an MMS cannot prevent exploitation and MMS is a store and deliver mechanism, so I can send the exploit today and you will receive it whenever your phone is online,” Bohan was quoted as saying by Forbes.


The attack could also be delivered through the Safari web browser. In that case, the attacker needs to trick the victim into visiting a website that hosts the malicious payload.

In both cases, no explicit user interaction is required to launch the attack, since many applications (such as iMessage) automatically attempt to render images as soon as they are received in their default configurations.

It is quite difficult for the victim to detect the attack, which, if executed, could leak the victim’s authentication credentials stored in memory, such as Wi-Fi passwords, website credentials, and email logins, to the attacker.


Since iOS includes sandbox protection that stops an attacker who has exploited one part of the OS from controlling the whole device, a hacker would additionally need an iOS jailbreak or root exploit to take total control of the iPhone.

However, Mac OS X does not have equivalent sandbox protection, which could allow an attacker to access the Mac computer remotely with the victim’s passwords, potentially leaving users of Apple’s PCs completely exposed to the attack.

Apple has patched this critical issue in iOS version 9.3.3, along with patches for 42 other vulnerabilities, including memory corruption bugs in CoreGraphics, the component that renders 2D graphics across those OSes, according to Apple’s advisory.

Apple also addressed serious security vulnerabilities in FaceTime on both iOS and OS X platforms, allowing anyone on the same WiFi network as a user to eavesdrop on the audio transmission from FaceTime calls even after the user had ended the call.

“An attacker in a privileged network position [could] cause a relayed call to continue transmitting audio while appearing as if the call terminated,” reads Apple’s description.

The FaceTime vulnerability (CVE-2016-4635) was discovered and reported by Martin Vigo, a security engineer at Salesforce.


Users are therefore advised to patch their devices promptly, as it will not take long for bad actors to take advantage of vulnerabilities that are now publicly known.

Via: thehackernews

DARPA Challenges Hackers to Create Automated Hacking System — WIN $2 Million


Why can’t we detect all security loopholes and patch them before hackers exploit them?

Because… we know that humans are too slow at finding and fixing security bugs, which is why vulnerabilities like Heartbleed, POODLE and GHOST remained undetected for decades and rendered almost half of the Internet vulnerable to theft by the time patches were rolled out.

Now to solve this hurdle, DARPA has come up with an idea: To build a smart Artificial Intelligence System that will automatically detect and even patch security flaws in a system.

Isn’t it a revolutionary idea for Internet Security?


The Defense Advanced Research Projects Agency (DARPA) has selected seven teams of finalists who will face off in a historic battle, as each system tries to defend itself and find flaws without any human control.

The DARPA Cyber Grand Challenge will be held at the annual DEF CON hacking conference in Las Vegas next month.

 

Winner team will be awarded $2 MILLION in Prize Money


The winning team will be awarded $2 million in prize money for building a system that can not only detect vulnerabilities but also write its own patches and deploy them without crashing.

“Cyber Grand Challenge [CGC] is about bringing autonomy to the cyber domain,” CGC program manager Mike Walker said in a conference call Wednesday. “What we hope to see is proof that the entire security lifecycle can be automated.”

Walker said software bugs go undetected for an average of 312 days, during which hackers can often exploit them. In fact, even after the flaws are detected, humans take a long time to understand the bugs, develop patches, and then release them to the broader community.


The CGC aims to address this problem by building a system that can sniff out software vulnerabilities and fix them automatically within minutes, or even seconds.

Recognize, Detect and Fix Issues without Human Intervention


For Cyber Grand Challenge, the seven teams of finalists will be given a DARPA-constructed computer powered by a thousand Intel Xeon processor cores and 16TB (terabytes) of RAM.

Each team has the task to program their machine with a “cyber reasoning system” that will be able to recognize and understand previously-undisclosed software, detect its flaws, and fix them without human intervention.


Moreover, once the challenge starts, the teams will not be allowed to touch their machines’ keyboards or intervene in any way.

The cyber reasoning systems will be networked in such a way that the teams can also examine their competitors’ systems for issues, but cannot actually hack them, and they earn extra points if their systems can automatically generate proof-of-concept (PoC) exploits for flaws found in their opponents’ systems.

The contest will be held starting at 5 pm on August 4 and run for over 10 hours in the Paris hotel ballroom in Las Vegas. The first-place team will take home $2 million in prize money, while the second- and third-place teams will get $1 million and $750,000, respectively.

After the competition, all the teams’ code, along with DARPA’s own test code, will be made available online under an open-source license.

Via: thehackernews

GDPR is Coming – Penalty Primer

It has been eight months since the Court of Justice of the European Union struck down the 15-year-old Safe Harbor arrangement between the EU and US. At the time, there was a good deal of consternation over the future of EU-US data exchange and just how businesses would continue to operate.

Despite several fits and starts, parties on both sides of the pond worked hard to remove and address their own respective internal barriers and to create the necessary legal framework to reestablish data exchange connectivity.

Officially, the General Data Protection Regulation (GDPR) 2016/679 went into force on May 24, 2016, but it will not enter into full force until May 6, 2018. In other words, companies, individuals and agencies that are impacted by the GDPR have just under two years to right the proverbial ship and be ready to operate in the new GDPR environment. For an overview of the GDPR, see the run-through of the upcoming changes offered by Tripwire’s Paul Edon.

With the broader points in context, this article will focus on the penalties, fines and punishments that can be levied against entities who run afoul of GDPR. As a threshold issue, unlike many regulatory frameworks, there is not a rigid timeframe of changes to be made. Rather, GDPR expects each member country to create their own timeline and update the Commission as to progress made towards the May 2018 deadline.

With that in mind, today’s focus is the penalties for failure to comply.

Before digging into that, it is important to note one key shift in the GDPR from the previous framework. Under the new regime, the focus is not where the business is located but where the business activity occurs. The implication of this shift is that the GDPR effectively becomes global law.

If your company is doing business, offering services, or performing activities on behalf of EU citizens, the GDPR may apply. It also bears mentioning that the new framework has the mechanisms in place to allow member states to create criminal penalties that can include deprivation of profits.

Probably the most significant changes under GDPR are the powers given to the Data Protection Regulators (DPR) who have the authority to create a penalty framework that will range from simple reprimands to hefty fines. Regardless of the DPR penalty framework, the GDPR states that all penalties must be effective, proportionate to the offense, and dissuasive.

With that in mind, here is the penalty breakdown within the regulation:

Fine: 10,000,000 Euros or 2% Global Turnover, for offenses related to:

  • Child consent;
  • Transparency of information and communication;
  • Data processing, security, storage, breach, breach notification; and
  • Transfers related to appropriate safeguards and binding corporate rules.

Fine: 20,000,000 Euros or 4% of Global Turnover, for offenses related to:

  • Data processing;
  • Consent;
  • Data subject rights;
  • Non-compliance with DPR order; and
  • Transfer of data to third party.

Three very important notes regarding the above schedule: First, the penalty will be whichever number is greater, either the flat fine or the percentage of global turnover. Global turnover applies to all sales of a company, net of taxes. Second, the GDPR authorizes penalties in the event of both material and non-material damages. Finally, the above list is a summary and not intended to be exhaustive. Rather it represents the authors’ amalgamation of a wide array of possible situations contained within the regulation into a digest form.

GDPR is coming. Prepare now!

Via: tripwire

Pokemon Go: What security awareness programs should be doing now

Pokemon Go represents a tremendous security threat. As with all tremendous threats, it can also be your greatest opportunity.

I have to admit that Pokemon Go took me by surprise. I had no idea why people just told me they were going out for no apparent reason. Younger people were more blatant, but it was not until early this week that I realized that it was a phenomenon that was impacting the workplace.

People of all ages, including your coworkers, are playing at record rates. Most important, they are bringing the app into the workplace, and using it on cellphones that also access work related information. It is a significant security vulnerability.

That being said, it means that awareness programs are front and center in protecting corporate assets. At the same time, you can also appear to be the champion for the workers. Security awareness might never be more welcome. Even if people think the app is “stupid”, they frequently have family members or other loved ones playing the game.

People hear about malicious apps spoofing the actual Pokemon Go app. They hear about the app tracking them and having access to all of their data. They hear about people being mugged and finding dead bodies. People are excited, but they are concerned. This is your time to shine.

All security programs, led by the security awareness team, should immediately create information about the security concerns, and what to do about them.

Clearly, there is a focus on mobile device security, but there are also issues concerning privacy, password security, and safety. For this reason, I recommend that you create tip sheets for distribution to all employees. Possible content to include would be:

  • Ensure that you only download the official Pokemon Go app
  • Ensure that your cellphone operating system is up to date
  • As the app typically uses a Google account for authentication and tracking, consider creating a Google account just for that purpose
  • Ensure that your password is strong
  • Review app permissions, and remove as many permissions as possible
  • Consider installing anti-malware software on your cellphone
  • Be aware of the potential for crime
  • Remain alert. Carelessness will cause more injuries than crime
  • Never drive while playing the game
  • Most important, if your organization uses Google apps, clearly state that employees should never use their corporate account for Pokemon Go or any other games.

You may want to provide references to additional resources for mobile device management, creating a strong password, and other relevant issues. Providing contact information for the security team would be welcome. In defining the additional resources, consider that many people may want to share the information with their friends and family, so avoid using links and resources that are only available on your intranets.

Unfortunately, it is extremely likely that some of your employees will eventually compromise information by downloading malware onto their mobile devices. It is guaranteed that the productivity of many employees will be impacted by the game. You can warn people about these issues, but you do not have ultimate control over them. You can, however, take advantage of the situation and come across as their protector rather than their overseer.

Personally, I am impressed by the business success of the game. I am also impressed by its gamification success. Pokemon Go would be considered a huge gamification success for corporate wellness programs, given how it encourages people to exercise. A companion article will be published shortly that highlights the true gamification principles used in Pokemon Go, and how it differs from most self-proclaimed gamification programs.

From a security perspective, Pokemon Go itself is a security nightmare. It is a productivity nightmare. However, you can take advantage of the situation and use it to highlight the importance of practicing good security behaviors. Don’t let a great opportunity go to waste.

Via: csoonline

Massachusetts General Hospital Suffers Third-Party Data Breach

Approximately 4,300 patients’ names, birthdates and Social Security numbers were exposed.

Massachusetts General Hospital (MGH) recently began notifying approximately 4,300 dental patients that their personal information may have been compromised when an unauthorized individual gained access to the systems of third-party software vendor Patterson Dental Supply Inc. (PDSI), Kaspersky reports.

In a statement, MGH said that while the breach was discovered on February 8, 2016, “law enforcement investigators required that any notification to potentially affected individuals and any public announcement of the incident should be withheld while they were conducting their investigation.”

The files stored by PDSI held the Mass General patients’ names, birthdates and Social Security numbers, and in some cases, dates and types of dental appointments, dental provider names, and medical record numbers.

“We are committed to the security of all of the sensitive information maintained by our third-party vendors and are taking this matter very seriously,” the hospital said in a statement. “To help prevent this type of incident from happening again, PDSI took steps to enhance the security of its systems that maintain dental practice data.”

RiskVision CEO Joe Fantuzzi told eSecurity Planet by email that the breach is unfortunately indicative of the broader problem of third-party vendors. “The healthcare industry is being aggressively targeted by attackers aiming to access and pilfer valuable patient medical data,” he said. “For hospitals and medical organizations, the stakes are high — in addition to critical patient data that’s jeopardized, hospitals and medical organizations also have to be aware of loss of reputation and potential HIPAA/HITECH violations that could also result in costly penalties.”

“Like other industries, healthcare organizations struggle to wrap their hands around copious risk associated with their numerous third-party vendors,” Fantuzzi added. “But you can’t manage what you can’t see. Without clear visibility into their risk posture, it’s nearly impossible to develop an effective plan to identify suspicious activity coming from third parties and apply the appropriate risk controls in order to mitigate the threat.”

A recent Soha Systems survey of more than 200 enterprise IT and security C-level executives, directors and managers found that just 2 percent of respondents see third-party access as their top priority in terms of IT initiatives and budget allocation.

Still, 56 percent of respondents have strong concerns about their ability to control or secure their own third-party access, and 75 percent of respondents acknowledge that enabling third-party access requires them to touch numerous network and application hardware and software components.

Forty-eight percent of respondents have seen third-party access grow over the past three years, and 40 percent say they expect growth to continue over the next three years.

“For business reasons, organizations are increasingly providing third parties with access to their IT infrastructure, but IT and security leaders really need to help their business leaders understand the risks of third-party access and take steps to help manage these risks to an unacceptable level,” Aberdeen Group vice president and research fellow Derek Brink said in a statement.

Via: esecurityplanet

Nukeware: New malware deletes files and zaps system settings

When you’ve paid up, but there’s nothing to unlock.

Lazy but sneaky cybercrooks are slinging a new ransomware variant that falsely claims to have encrypted files when in reality it has deleted them.

Ranscam tricks victims by falsely claiming that their files have been moved onto a hidden, encrypted partition.

In reality, the malware has deleted the files and comprehensively messed with system settings (removing executables associated with System Restore, deleting shadow copies, hobbling Safe Mode, etc.) such that it is difficult or impossible to recover from an infection.
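The recovery-sabotage behaviour described above (deleting shadow copies, disabling boot recovery and Safe Mode, wiping backup catalogs) is visible on the endpoint as process-creation events long before any ransom note appears, so it is a natural place to hook detection. The script below is an added example, not code from The Register or from Cisco Talos: it parses constructed Windows process-creation log lines (the `ts pid= image= cmd=` format is invented for this example) and flags command lines that match recovery-sabotage patterns. The rule set is this example's own choice of well-known built-in Windows tools (vssadmin, wmic, bcdedit, wbadmin), not a Talos indicator list for Ranscam, and a benign `vssadmin list shadows` line is included to show the rules do not fire on read-only use of the same tool.

```python
"""Detect recovery-sabotage commands in Windows process-creation logs.

Added example for the Ranscam write-up; the log format, sample lines and
rule selection are constructed here and are not taken from the article.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the scanned log
    image: str     # executable that ran the command
    rule: str      # which recovery-sabotage rule matched


# Rules are matched against the lower-cased command line. Each pattern names a
# destructive use of a built-in Windows tool; listing or querying with the same
# tool (e.g. "vssadmin list shadows") deliberately does not match.
RULES = [
    ("shadow-copy-deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("shadow-copy-deletion",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("recovery-disabled",
     re.compile(r"\bbcdedit(\.exe)?\s.*\brecoveryenabled\s+no\b")),
    ("boot-failure-recovery-suppressed",
     re.compile(r"\bbcdedit(\.exe)?\s.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("backup-catalog-deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
]

# Constructed log line format: <timestamp> pid=<n> image=<path> cmd="<cmdline>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)


def parse_line(line):
    """Return the fields of one log line, or None if it is not well-formed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Return one Finding per log line whose command line matches a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as findings
        cmd = rec["cmd"].lower()
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(n, rec["image"], name))
                break  # one finding per line is enough for triage
    return findings


def triage(findings):
    """Escalate when several distinct sabotage techniques appear together."""
    distinct = {f.rule for f in findings}
    if len(distinct) >= 2:
        return "recovery-sabotage"
    if distinct:
        return "suspicious"
    return "clean"


# Constructed sample: four destructive commands, one benign query, one bad line.
SAMPLE_LOG = [
    '2016-07-12T09:14:02Z pid=4120 image=C:\\Windows\\System32\\cmd.exe '
    'cmd="cmd.exe /c vssadmin delete shadows /all /quiet"',
    '2016-07-12T09:14:03Z pid=4131 image=C:\\Windows\\System32\\bcdedit.exe '
    'cmd="bcdedit /set {default} recoveryenabled no"',
    '2016-07-12T09:14:03Z pid=4132 image=C:\\Windows\\System32\\bcdedit.exe '
    'cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    '2016-07-12T09:14:05Z pid=4140 image=C:\\Windows\\System32\\wbadmin.exe '
    'cmd="wbadmin delete catalog -quiet"',
    '2016-07-12T09:20:44Z pid=5002 image=C:\\Windows\\System32\\vssadmin.exe '
    'cmd="vssadmin list shadows"',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.rule} via {f.image}")
    print("verdict:", triage(hits))
```

The `triage` step matters in practice: a single shadow-copy deletion can be a legitimate administrator cleaning up disk space, but several distinct recovery-disabling commands from the same host within seconds is the pattern the article describes, and it is also the moment to confirm that offline backups exist rather than to start negotiating a payment.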

Victims are encouraged to pay a 0.2BTC ($125) ransom but in reality the crooks have no mechanism to restore compromised files. The attackers provided the same wallet address for all payments and for all samples identified by Cisco’s Talos security division.

The malware features a fake payment verification process that automatically returns notices of failure, possibly in the hopes that desperate victims might make a fresh payment.


Ranscam scam screenshot (source: Cisco Talos blog post)

The Ranscam campaign does not appear to be widespread. The threat is, nonetheless, noteworthy because it shows how chancers and skiddies are jumping on the ransomware bandwagon.

“The lack of any encryption (and decryption) within this malware suggests this adversary is looking to ‘make a quick buck’ – it is not sophisticated in any way and lacks functionality which is associated with other ransomware such as Cryptowall,” Cisco Talos researchers conclude in a blog post.

“While many high profile sources advise organisations and individuals to pay the ransom, Ranscam illustrates the importance of having a sound, offline backup strategy in place rather than a sound ransom payout strategy.”


Via: theregister

Healthcare Hacks Face Critical Condition

It’s not just SSNs and credit cards — detailed patient records and full EHR databases are targeted by cybercriminals today.

Cybercriminals have moved well beyond the theft of social security numbers (SSNs) and credit card data when it comes to healthcare organizations: They’re now employing more complex schemes to pick up detailed health records, as one new report out this week explains.

According to a new study by researchers at InfoArmor of four attacks against US-based healthcare organizations, attackers in a theft campaign this spring were able to steal at least 600,000 detailed patient records and place 3 terabytes of associated data on the Dark Web’s black market. These included MRI and X-ray images, patient-specific biometrics, and doctor’s treatment notes. In initial reports of the breaches that came to light last month, the threat actors themselves claimed they had access to millions of records, as well as persistent unauthorized access to medical organizations’ systems for ransomware distribution.

Initial reports show at least part of the compromise was achieved through a zero-day attack against the remote desktop protocol (RDP), and that one of the databases was being shopped around for nearly $500,000.

According to InfoArmor Chief Intelligence Officer Andrew Komarov, who led research into this campaign and wrote the brief released this week, attackers like these are building momentum with their attacks. They are broadly targeting the healthcare IT infrastructure, digging not just into weakly defended traditional networks, but also connected medical devices, mobile computing devices used by medical staff and, most profitably, electronic health records (EHR) systems. In this instance, the bad actors were able to gain access to victims’ centralized EHR records through a compromised host running the EHR software SRSsoft.

“In some cases, these systems stored all of the data in local files or in the Microsoft Access desktop databases without any special user access segregation, which created a serious risk of data theft once the network host was compromised,” Komarov says, noting that this was how one healthcare institution in Montana was hit.

According to a report out from the Brookings Institution in May, 23% of all reported data breaches occur at healthcare organizations, and IBM reported that last year the rate of attacks struck healthcare more than any other industry.

Further, the Ponemon Institute reported that almost 90% of healthcare organizations have been hit by a breach in the past two years, costing the industry $6.2 billion.

The heat on healthcare has cranked up this year as attackers learn new, nefarious ways of monetizing the industry’s poor security posture, including through profitable cyber-extortion attacks. The first half of this year has seen a wave of successful ransomware bids against healthcare organizations and hospitals, netting the attackers as much as $17,000 per system held hostage.

Via: darkreading

Google Maps gets multi-stop directions and vacation memories on mobile

Google is bringing long awaited multi-stop directions to mobile with its new summer update. Travelers can now hit as many tourist traps as they want on their cross country treks. Just like in the web version, users can swiftly rearrange the order of stops. Android users will get the feature first, followed by iOS in the near future.



The summer update caps off an active week for Maps. Earlier this week, Google also rolled out sharper satellite imagery.

Google also wants to help travelers remember everything from rural ice mines to giant Adirondack chairs with its new Timeline feature. Your Timeline is for those moments when you just can’t remember that definitely fun memorable thing you did last Wednesday to tell your friends and family. Users can drop notes right next to activities. Unfortunately this feature seems to be only rolling out for Android users at this time.

All we need now is an update for multi-planet directions and a nifty feature to track time dilation.

Via: techcrunch

Surf Air is expanding its “all-you-can-fly” service to Europe

Surf Air, the travel startup that offers “all you can fly” service to paying members, will begin running routes in Europe this October, the company announced today.

Specifically, Surf Air’s European routes will include multiple daily flights between the UK’s London Luton Airport and other business hubs like Cannes, Geneva and Zurich.

The company also intends to offer weekend flights to popular holiday destinations like Ibiza, with expanded, European service to Dublin, Paris, Amsterdam and Barcelona in 2017.

In the U.S., Surf Air flies its subscribers to small airports near major business and tourism destinations including Los Angeles, San Francisco, Reno (via Truckee), Palm Springs, and Napa.

Members pay a $1,000 initiation fee and $1,950 a month for the service domestically. The company’s fleet is comprised of Pilatus PC-12 NG aircraft, which are seven-seat business turboprops, with cabins designed by BMW DesignworksUSA.

Members of the European service will pay £2500 a month, after an initiation fee, to fly an unlimited number of times between Surf Air’s destinations. They can also purchase guest passes for friends and family for £750 one-way.

The company’s app lets members book flights as well as the valet parking the company also provides at the airport.

The European expansion will make Surf Air more competitive with business travel offerings from fractional jet ownership, or charter services, such as Vista Jet and NetJets already operating there, and startups like JetSmarter, which lets its members book unused seats on someone else’s private jet.

Surf Air’s competition in the U.S. also includes Wheels Up, which charges its members for hours flown after a lower annual membership fee.

Founded in 2011, Surf Air has raised $18.76 million in equity funding from investors including Anthem Venture Partners, Baroda Ventures, Base Ventures, NEA, ff Venture Capital and Mucker Lab. It has also raised debt to purchase aircraft and support its expansion.

Via: techcrunch

Google unveils new features for shopping ads and hotel search

Google is giving more tools to retail and travel businesses hoping to promote themselves through search results and ads.

These new features were announced at a New York City press event this morning, and then outlined in an AdWords blog post.

On the retail side, changes include a new Showcase Shopping ad format. The company says those ads are designed for broader shopping search terms like “women’s athletic clothing” or “living room furniture,” where just presenting users with a single product might not be the best result. Instead, merchants can create a gallery of related products.


Google is also tweaking shopping ads on YouTube. The core idea of allowing viewers to buy products that were featured in a video is the same, but now advertisers can add a companion banner ad below the video to highlight more products, as well as a product picker that will allow them to select the specific products featured in an ad (rather than just going with Google’s automatic choices).

The final shopping announcement involves cross-border searches and purchases — Google says it’s testing tools that will automatically convert prices into the searcher’s local currency. So if you’re buying a product from another country, you don’t have to wonder what it will really cost you.

Then on the travel side, Google says it’s adding “smart filters,” where users can filter their hotel results based on specific factors (such as pricing or ratings) with a single tap. It will also support more complex searches like “pet friendly hotels in San Francisco for under $170.”

Google is also adding Deal labels to hotel results to help searchers spot unusually low prices, tips for how travelers can get those lower prices (like changing their travel dates slightly) and notifications when there are significant price changes to flights that you’re tracking.



The broader theme of the event was a general shift to mobile. For example, the company says that according to its own data, visits to mobile sites made up 42 percent of all travel-related web traffic in the first three months of 2016, while shopping- and travel-related searches have grown 30 percent over the past year.

“Mobile has really become the new normal in shopping and travel,” said Jonathan Alferness, Google’s vice president of shopping and travel products. He said these new features will likely become available on Google’s desktop and laptop interfaces, but he described them as “certainly mobile-first products.”

Via: techcrunch