CAT | Security Breaches
The point of sales (POS) breaches at Hilton, and Starwood before that, suggest that a group of hackers is specifically targeting hotels, probably because most travelers have above average income. It should also make us brace for a likely wave of further POS breaches in many other businesses during the holiday shopping season.
It really makes me wish that more merchants accepted secure payment tools like Apple Pay, or even that more than a small fraction accepted the new chip and signature cards.
There is a lot of Schadenfreude going around about the Ashley Madison website hack. People are often treating it as more of a joke than a serious incident.
For those of you who have been under a rock, Ashley Madison is a dating site for married people who want to have affairs. Their tag line is even “Life is short. Have an affair” so they are very not subtle about it.
Kaspersky recently announced the discovery of a new Advanced Persistent Threat (APT) that they are calling DarkHotel. This is in the fine tradition of giving all newly discovered hackers or vulnerabilities clever and evil sounding names. In this case they have found something quite interesting.
For the last 7 years a group has been systematically targeting executives and government officials staying at high end hotels. They hack their computers and grab their files, sniff their keyboards, and install virus that can then spread within the victim’s organization. (more…)
Security researcher Emil Kvarnhammar of TrueSec announced the discovery of a new vulnerability in Mac OS X from 10.8.5 though the current 10.10.
The attack is against a unix utility called “sudo” which allows commands to run as the “root” user (which has absolute power on the system). Normally a user with admin privileges needs to type in their password and approve the running of these tasks, but this attack bypasses the user authentication step.
They have not released details on the vulnerability to give Apple time to issue a fix. In the mean time, it looks like you can protect yourself by making your your normal account is not an admin account. (more…)
Two new attacks on Tor were recently announced.
A couple of months ago researcher Karsten Nohl demonstrated a security vulnerability that he called BadUSB. Basically it was a demonstration that an attacker could alter the firmware in a USB device to automatically attack anything it was plugged in to. At the recent DerbyCon, researchers Adam Caudill and Brandon Wilson demonstrated their version of the attack and released sample code for how to implement it. This really opens pandora’s box.
The problem here is that this is not actually a bug in USB. It is exactly how USB is designed to work (as insecure as that might be), and changing that behavior is likely to break a lot of other things. A good and effective fix for this vulnerability is probably years away.
In the mean time, take great care with USB devices. My suggestion is to never use another person’s USB device. Don’t use USB to transfer files, and make sure that any USB devices you do use are obtained directly in unopened packaging. There could still be exploits introduced in manufacturing, but at least you are as safe as reasonably possible.
The Internet is on fire with discussions of the recent release of stolen nude photos of over 100 female celebrities. This is a massive invasion of their privacy, and it says something sad about our society that there is an active market for such pictures. While this particular attack was against the famous, most of us have information in the cloud that we would like to stay secret.
While there is not a definitive explanation of the breach the current consensus is that it was probably caused by a vulnerability in Apple’s “Find My iPhone” feature. Apparently the API interface to this service did not check for multiple password failures, a standard security practice. This allowed attackers to test effectively unlimited numbers of passwords for each of the accounts they wanted to access.
Because most people use relatively weak passwords, this attack is quite effective. Once they gained access to the accounts, they could sync down photos or any other information stored in iCloud.
Of course, the first rule of secrecy is: If it does not exist, it can’t be discovered.
If you do want to create something that you would be pained to see released publicly, then make sure you keep close control of it. Store it locally, and encrypted.
Wherever you keep it, make sure it has a strong password. Advice for strong passwords has changed over time because of the increasing speed of computers. It used to be that fancy pneumonics would do the trick but now the fundamental truth is: if you can remember it, it is too weak.
This is particularly true because you need to be using completely different passwords for every website. Changing a good password in a simple obvious way for every website is obvious. It might prevent brute force attacks but if some other attack gives access to your password, the attacker will be able to easily guess your password on all other websites.
You need to be using a password manager like 1Password (Mac), LastPass, Dashlane, etc. Let the password manager generate your passwords for you. This is what a good password should look like: wL?7mpEyfpqs#kt9ZKVvR
Obviously I am never going to remember that, but I don’t try. I have one good password that I have taken the time to memorize, and it unlocks the password manager which has everything else.
UPDATE: There appears to be some question about whether this vulnerability is actually to blame.
This article describes a clever attack against Secret, the “anonymous” secret sharing app.
Their technique allows the attacker to isolate just a single target, so any posts seen are known to be from them. The company is working on detecting and preventing this attack, but it is a hard problem.
In general, any anonymity system needs to blend the activity of a number of users so that any observed activity could have originated from any of them. For effective anonymity the number needs to be large. Just pulling from the friends in my address book who also use Secret is way too small a group.
On Friday I was asked to come on The Social Network Show to talk about the fact and questions surrounding the theft of over 1 Billion passwords.