Information Security News
by Ars Staff
Ramon Lobato is senior research fellow at Swinburne University of Technology in Australia. His book Geoblocking and Global Video Culture, coedited with James Meese, has recently been published by Institute of Network Cultures (free PDF). Thanks to Hadi Sohrabi, Jinying Li, and other contributors to the book for their insights on VPN regulation.
As info security expert Bruce Schneier and his Berkman Centre for Internet and Society colleagues pointed out in a report last week, there are now about 865 encryption-related products available globally. From free and paid VPNs to voice encryption tools, this market stretches far beyond the borders of the United States. Today, the encryption economy includes no fewer than 55 different countries across Europe, Latin America, the Asia-Pacific, and the Caribbean.
The sprawling ecology of software development creates an obvious problem for governments and security agencies seeking to monitor or contain privacy software. Free software and other distributed projects typically exist “on multiple servers, in multiple countries, simultaneously,” and companies selling anonymization software can relocate across borders with relative ease.
What was the best way to steal cash from an ATM in 2015? Skimming still remains king, but a survey of 87 members of the ATM Industry Association (ATMIA) says that card trapping and transaction reversal fraud are on the rise around the world.
In November 2015, ATMIA internally published a survey (PDF) describing the state of ATM hacking in the previous year, from how ATMs were attacked to how much money was lost from the attacks. The results showed that ATM operators were wising up to skimming operations, in which devices are placed in or on the ATM to capture card information so the skimmer can reuse the card numbers later. This caused "a deflection of crime from traditional electronic skimming towards more physical and less sophisticated forms of attack, especially card trapping and Transaction Reversal Fraud.”
Fourteen percent of respondents said they saw an increase in card skimming hacks, but 28 percent of respondents said they actually saw skimming operations decrease. Still, credit card skimming outpaces other techniques for committing ATM fraud overall. Of those instances of skimming, 73 percent involved skimmers placed within the ATM, and 27 percent involved skimmers placed on the verification device of the bank access door.
Malicious websites are exploiting a recently fixed vulnerability in Microsoft's Silverlight application framework to perform drive-by malware attacks on vulnerable visitor devices, a security researcher has determined.
The critical code-execution vulnerability, which Microsoft patched last month, was actively exploited for two years in attack code owned by Italy-based exploit broker Hacking Team. As Ars reported last July, the Silverlight exploit came to light following a hack on Hacking Team's network that exposed gigabytes worth of private e-mails and other data. Researchers with Russian antivirus provider Kaspersky Lab later discovered the vulnerability being exploited in the wild and privately reported it to Microsoft.
Now, exploit code for the patched vulnerability is being distributed through Angler, one of several toolkits that criminals use to seed websites with code that carry out drive-by attacks. The Silverlight attack was spotted earlier this week by a researcher who goes by the moniker Kafeine. The vulnerability is indexed as CVE-2016-0034.
Yesterday, Palo Alto Networks released an update to PAN-OS, which addresses five different vulnerabilities . The security researcher who identified the vulnerabilities will publish details about these issues at a conference on March 16th. You MUST patch affected systems before that date.
Two of the vulnerabilities appear to be in particular dangerous, and affected devices should be patched immediately.
Unauthenticated Buffer Overflow in GlobalProtect/SSL VPN Web Interface (PAN-SA-2016-0005)
This issue affects PANs SSL VPN, which implies that it will be difficult to limit traffic to the GlobalProtect portal to trusted IPs. An SSL VPN like this is often used to allow users from untrusted networks to connect to internal resources.
Unauthenticated Command Injection in Management Web Interface (PAN-SA-2016-0003)
All too often, web-based APIs do not use the same rigor to provide authentication as we find it in web applications they support. This appears to be another case where a particular API function was left unguarded, and arbitrary commands may be executed. However, this vulnerability only affects the management web interface, which should not be wide open and access should be limited to carefully selected IP address ranges. Exploits like CSRF may on the other hand still be used to trick users at an authorized workstation to send an exploit to the device. We dont know enough about the vulnerability to understand if this is possible or not.
by Jonathan M. Gitlin
Want another reason to be skeptical about the idea of connected cars? Here's one: when Nissan put together the companion app for its Leaf electric vehicle—the app will turn the climate control on or off—it decided not to bother requiring any kind of authentication. When a Leaf owner connects to their car via a smartphone, the only information that Nissan's APIs use to target the car is its VIN—the requests are all anonymous. Those are the findings of Troy Hunt and Scott Helme, who published their findings on Wednesday. Thursday, Nissan took the service offline.
Hunt started poking into NissanConnect after running a workshop in Norway in January. Norway is overflowing with EVs, and one of them belonged to an attendee. "What the workshop attendee ultimately discovered was that not only could he connect to his LEAF over the internet and control features independently of how Nissan had designed the app, he could control other people’s LEAFs." Upon discovering that his friend Helme also owned a Leaf, the pair began to investigate just how insecure NissanConnect was.
In a lengthy post describing the details of the security flaw, Hunt also lays out a timeline as well as the ethical justification for doing so. He first contacted Nissan to alert it to the problem on January 23rd, describing the company as "receptive" and their behavior as "exemplary" during the process. But it didn't move with sufficient speed for Hunt, as he received an e-mail from a Canadian Leaf owner last week about the issue. He let Nissan know he was planning on going public, doing so on Wednesday.