Information Security News
by Cyrus Farivar
One of the world’s foremost academic experts in GPS spoofing—University of Texas assistant professor Todd Humphreys—released a short video on Monday showing how he and his students spoofed the GPS equipment aboard an expensive superyacht.
Humphreys conducted the test in the Ionian Sea in late June 2013 and early July 2013 with the full consent of the “White Rose of Drachs” yacht captain. His work shows just how vulnerable GPS receivers are, and how relatively easy it is to send out a false GPS signal and trick the on-board receiver into believing it.
“What we did was out in the open, it was against a live vehicle, a vessel—an $80 million superyacht, controlling it with a $2,000 box,” he told Ars. “This is unprecedented. This has never been shown in this kind of demonstration. That’s what’s so sinister about the attack that we did. There were no alarms on the bridge. The GPS receiver showed a strong signal the whole time. You just need to have approximate line of sight visibility. Let’s say you had an unmanned drone, you could do it from 20 to 30 kilometers away or on the ocean you could do two to three kilometers.”
BGP multiple banking addresses hijacked
On 24 July 2013 a significant number of Internet Protocol (IP) addresses that belong to banks suddenly were routed to somewhere else. An IP address is how packets are routed to their destination across the Internet.
Why is this important you ask? Well, imagine the Internet suddenly decided that you were living in the middle of Asia and all traffic that should go to you ends up traveling through a number of other countries to get to you, but you aren't there. You are still at home and haven't moved at all. All packets that should happily route to you now route elsewhere. Emails sent to you bounce as undeliverable, or are read by other people. Banking transactions fail. HTTPS handshakes get invalid certificate errors. This defeats the confidentiality, integrity, and availability of all applications running in the hijacked address spaces for the time that the hijack is running. In fact this sounds like a nifty way to attack an organization doesn't it? The question then would be how to pull it off, hijack someone else's address?
The Autonomous System (AS) in question is owned by NedZone Internet BV in the Netherlands. This can be found by querying whois for the AS 25459. According to RIPE this AS originated 369 prefixes in the last 30 days, of these 310 had unusually small prefixes. Typically a BGP advertisement is at least a /24 or 256 unique Internet addressable IPs. A large number of these were /32 or single IP addresses.
The short answer is that any Internet Service Provider (ISP) that is part of the global Border Gateway Protocol (BGP) network can advertise a route to a prefix that it owns. It simply updates the routing tables to point to itself, and then the updates propagate throughout the Internet. If an ISP announces for a prefix it does not own, traffic may be routed to it, instead of to the owner. The more specific prefix, or the one with the shortest apparent route wins.
That's all it takes to disrupt traffic to virtually anyone on the Internet: connectivity and a willingness to announce a route that does not belong to you. This is not a new attack; it has happened numerous times in the past, and both malicious attacks and accidental typos have been the cause.
The announcements from AS 25459 can be seen at:
A sampling of some of the owners of the IP addresses that were hijacked follows:
1 AMAZON-AES - Amazon.com, Inc.
2 AS-7743 - JPMorgan Chase & Co.
1 ASN-BBT-ASN - Branch Banking and Trust Company
2 BANK-OF-AMERICA Bank of America
1 CEGETEL-AS Societe Francaise du Radiotelephone S.A
1 FIRSTBANK - FIRSTBANK
1 HSBC-HK-AS HSBC HongKong
1 PFG-ASN-1 - The Principal Financial Group
2 PNCBANK - PNC Bank
1 REGIONS-ASN-1 - REGIONS FINANCIAL CORPORATION
Some on the list were owned by that ISP, the prefix size is what was odd about them. The bulk of the IP addresses were owned by various hosting providers. So, the question is:
Makes you wonder about the fundamental (in)security of this set of experimental protocols we use called the Internet doesn't it?
Adrien de Beaupré
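The two signals the diary describes (announcements more specific than a /24, and a prefix originated by an AS other than its owner) can be checked mechanically against a route feed. The following Python is an added example, not code from the diary: the prefixes and AS numbers are constructed from documentation ranges, and `EXPECTED_ORIGINS` is a hypothetical table of known-good origins an operator would maintain.

```python
import ipaddress

# Constructed sample data: documentation prefixes and AS numbers only.
EXPECTED_ORIGINS = {          # prefix -> AS expected to originate it
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/24": 64500,
}
ANNOUNCEMENTS = [             # (prefix, origin AS) as seen in a route feed
    ("192.0.2.0/24", 64496),      # legitimate
    ("198.51.100.0/24", 64497),   # legitimate
    ("198.51.100.17/32", 64500),  # host route inside another AS's block
    ("203.0.113.128/25", 64500),  # owner deaggregating its own block
]
MAX_USUAL_LEN = 24  # per the text, announcements are typically /24 or shorter


def covering_origin(net):
    """Return (prefix, asn) of the expected prefix that contains net, if any."""
    for prefix, asn in EXPECTED_ORIGINS.items():
        if net.subnet_of(ipaddress.ip_network(prefix)):
            return prefix, asn
    return None


def audit(announcements):
    """Flag origin mismatches first, then merely over-specific prefixes."""
    findings = []
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix)
        cover = covering_origin(net)
        if cover and cover[1] != origin:
            findings.append((prefix, origin, "origin-mismatch"))
        elif net.prefixlen > MAX_USUAL_LEN:
            findings.append((prefix, origin, "over-specific"))
    return findings


def best_route(address, announcements):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(address)
    nets = [(ipaddress.ip_network(p), asn) for p, asn in announcements]
    covering = [m for m in nets if addr in m[0]]
    net, asn = max(covering, key=lambda m: m[0].prefixlen)
    return str(net), asn


if __name__ == "__main__":
    print(audit(ANNOUNCEMENTS))
    print(best_route("198.51.100.17", ANNOUNCEMENTS))
```

`best_route` shows why the /32 matters: traffic for that one address follows the more specific announcement even though the owner's /24 is still being advertised.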
by Cyrus Farivar
On Monday, a major Russian newspaper reported that Moscow’s metro system is planning what appears to be a mobile phone tracking device in its metro stations—ostensibly to search for stolen phones.
According to Izvestia (Google Translate), Andrey Mokhov, the operations chief of the Moscow Metro system’s police department, said that the system will have a range of five meters (16 feet). “If the [SIM] card is wanted, the system automatically creates a route of its movement and passes that information to the station attendant,” Mokhov said.
Many outside experts, both in and outside Russia, though, believe that what local authorities are actually deploying is a “stingray,” or “IMSI catcher”—a device that can fool a phone and SIM into reading from a fake mobile phone tower. (IMSI, or an International Mobile Subscriber Identity number, is a 15-digit unique number that sits on every SIM card.) Such devices can be used as a simple way to see what phone numbers are being used in a given area or even to intercept the audio of voice calls.
Remote Workers' Success Starts With IT Support
Allan Pratt, an InfoSec strategist and Computing Technology Industry Association (CompTIA) certification instructor, said that if employees spend a great deal of time traveling or working in public work spaces, it is best to invest in VPN. "VPNs can be ...
Just about everything these days ships with tiny embedded computers that are designed to make users' lives easier. High-definition TVs, for instance, can run Skype and Pandora and connect directly to the Internet, while heating systems have networked interfaces that allow people to crank up the heat on their way home from work. But these newfangled features can often introduce opportunities for malicious hackers. Witness "Smart TVs" from Samsung or a popular brand of software for controlling heating systems in businesses.
Now, security researchers are turning their attention to the computers in cars, which typically contain as many as 50 distinct ECUs—short for electronic control units—that are all networked together. Cars have relied on on-board computers for some three decades, but for most of that time, the circuits mostly managed low-level components. No more. Today, ECUs control or finely tune a wide array of critical functions, including steering, acceleration, braking, and dashboard displays. More importantly, as university researchers documented in papers published in 2010 and 2011, on-board components such as CD players, Bluetooth for hands-free calls, and "telematics" units for OnStar and similar road-side services make it possible for an attacker to remotely execute malicious code.
The research is still in its infancy, but its implications are unsettling. Trick a driver into loading the wrong CD or connecting the Bluetooth to the wrong handset, and it's theoretically possible to install malicious code on one of the ECUs. Since the ECUs communicate with one another using little or no authentication, there's no telling how far the hack could extend.
by WIRED UK
A high court judge has ruled that a computer scientist cannot publish an academic paper over fears that it could lead to vehicle theft.
Flavio Garcia, from the University of Birmingham, has cracked the algorithm behind Megamos Crypto—a system used by several luxury car brands to verify the identity of keys used to start the ignition. He was intending to present his results at the Usenix Security Symposium.
But Volkswagen's parent company, which owns the Porsche, Audi, Bentley and Lamborghini brands, asked the court to prevent the scientist from publishing his paper. It said that the information could "allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car."
Calls for incoming government to develop another cyber security white paper
As well as monitoring digital intelligence, it also works on what's known as InfoSec - information and communications security. In 2011-2012, DSD reported more than 400 cyber incidents against government systems. But it's not only government ...
So you call yourself a geek?
Wannabe infosec geeks squawk "Linux is more secure". Wannabe design geeks squawk "Comic Sans isn't a proper typeface". Dressing up as a hacktivist no more grants you "1337 H4x0r skillz" than sitting in a hen-house holding a feather grants you the ...
Posted by InfoSec News on Jul 29 http://www.defenseone.com/technology/2013/07/pentagon-says-asian-spies-are-targeting-radiation-hardened-electronics/67505/
Posted by InfoSec News on Jul 29 http://www.nation.co.ke/News/Workers-beat-old-security-system-to-steal-banks-billions--/-/1056/1928984/-/mfnkt7z/-/index.html
Posted by InfoSec News on Jul 29 http://news.techworld.com/security/3461099/worm-outbreak-downs-chicago-highway-department-network-for-two-weeks/
Posted by InfoSec News on Jul 29 http://www.csoonline.com/article/737044/infosec-community-mourns-the-loss-of-well-known-hacker-barnaby-jack
Posted by InfoSec News on Jul 29 http://www.theregister.co.uk/2013/07/29/lenovo_accused_backdoors_intel_ban/