Information Security News
A security system used in more than 200,000 homes has an unfixable flaw that allows tech-savvy burglars to disarm the alarm from as far away as a few hundred feet.
The wireless home security system from SimpliSafe is marketed as costing less than competing ones and being easier to install, since it doesn't use wires for one component to communicate with another. But according to Andrew Zonenberg, a researcher with security firm IOActive, the system's keypad uses the same personal identification number with no encryption each time it sends a message to the main base station. That opens the system to what's known as a replay attack, in which an attacker records the authentication code sent by the valid keypad and then recycles it when sending rogue commands transmitted over the same radio frequency.
"Unfortunately, there is no easy workaround for the issue since the keypad happily sends unencrypted PINs out to anyone listening," Zonenberg wrote in a blog post published Wednesday. "Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol. However, this is not an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable. This means that field upgrades of existing systems are not possible; all existing keypads and base stations will need to be replaced."
Apple has been served with a court order at the FBI's request, demanding that it assist the government agency with unlocking an iPhone 5C that was used by Syed Rizwan Farook. Farook and his wife, Tashfeen Malik, killed 14 and injured 24 in an attack in San Bernardino, California on December 2, 2015.
In response, Apple CEO Tim Cook said that the FBI was demanding the equivalent of a backdoor and that complying with the FBI's demand would undermine the security of all iPhones.
Whether you call it a "backdoor" or not, it's important to recognize that the ordered changes to the iPhone operating system would not circumvent the core of the iPhone's encryption. The court isn't asking Apple to defeat the encryption in any way. Nor does the court require Apple to create a vulnerability that would jeopardize the security of any other phone. Rather, it's asking Apple to do the one thing that Apple alone can do: use the iPhone's built-in method of installing firmware written by Apple.
by Sean Gallagher
Hollywood Presbyterian Medical Center, the Los Angeles hospital held hostage by crypto-ransomware, has opted to pay a ransom of 40 bitcoins—the equivalent of $17,000—to the group that locked down access to the hospital's electronic medical records system and other computer systems. The decision came 10 days after the hospital lost access to patient records.
"HPMC has restored its EMR on Monday, February 15th," President and CEO of Hollywood Presbyterian Medical Center Allen Stefanek wrote in a statement published by the hospital late Wednesday. "All clinical operations are utilizing the EMR system. All systems currently in use were cleared of the malware and thoroughly tested. We continue to work with our team of experts to understand more about this event."
The first signs of trouble at HPMC came on February 5, when hospital employees reported being unable to get onto the hospital's network. "Our IT department began an immediate investigation and determined we had been subject to a malware attack," Stefanek wrote. "The malware locked access to certain computer systems and prevented us from sharing communications electronically."
by Kelly Fiveash
Twitter has applied a fix to what it described as a "password recovery bug" that has exposed nearly 10,000 accounts on the microblogging site.
The company added in a blog post that the e-mail addresses and phone numbers attached to those accounts had been affected by the security flaw. It said:
We take these incidents very seriously, and we’re sorry this occurred.
Any user that we find to have exploited the bug to access another account’s information will be permanently suspended, and we will also be engaging law enforcement as appropriate so they may conduct a thorough investigation and bring charges as warranted.
In this instance, Twitter said that the security blunder had not revealed the affected users' passwords.