Frank Abagnale, world-famous con-man, explains why technology won’t stop breaches

Frank Abagnale is world-famous for pretending to be other people. The former teenage con-man, whose exploits 50 years ago became a Leonardo DiCaprio film called Catch Me If You Can, has built a lifelong career as a security consultant and advisor to the FBI and other law enforcement agencies. So it’s perhaps ironic that four and a half years ago, his identity was stolen—along with those of 3.6 million other South Carolina taxpayers.

“When that occurred,” Abagnale recounted to Ars, “I was at the FBI office in Phoenix. I got a call from [a reporter at] the local TV news station, who knew that my identity was stolen, and they wanted a comment. And I said, ‘Before I make a comment, what did the State Tax Revenue Office say?’ Well, they said they did nothing wrong. I said that would be absolutely literally impossible. All breaches happen because people make them happen, not because hackers do it. Every breach occurs because someone in that company did something they weren’t supposed to do, or somebody in that company failed to do something they were supposed to do.” As it turned out (as a Secret Service investigation determined), a government employee had taken home a laptop that shouldn’t have left the office and connected it—unprotected—to the Internet.

Government breaches of personal information have become all too common, as demonstrated by the impact of the hacking of the Office of Management and Budget’s personnel records two years ago. But another sort of organization is now in the crosshairs of criminals seeking identity data to sell to fraudsters: doctors’ offices. Abagnale was in Orlando this week to speak to health IT professionals at the 2017 HIMSS Conference about the rising threat of identity theft through hacking medical records—a threat made possible largely because of the sometimes haphazard adoption of electronic medical records systems by health care providers.

Read 16 remaining paragraphs | Comments

At death’s door for years, widely used SHA1 function is now dead

For more than six years, the SHA1 cryptographic hash function underpinning Internet security has been at death’s door. Now it’s officially dead, thanks to the submission of the first known instance of a fatal exploit known as a “collision.”

Despite more than a decade of warnings about the lack of security of SHA1, the watershed moment comes as the hash function remains widely used. Git, the world’s most widely used system for managing software development among multiple people, relies on it for data integrity. The GnuPG e-mail encryption program still deems SHA1 safe. And hundreds if not thousands of big-name software packages rely on SHA1 signatures to ensure installation and update files distributed over the Internet haven’t been maliciously altered.

A collision occurs when the two different files or messages produce the same cryptographic hash. The most well-known collision occurred sometime around 2010 against the MD5 hash algorithm, which is even weaker than SHA1. A piece of nation-sponsored espionage malware known as Flame used the attack to hijack the Windows update mechanism Microsoft uses to distribute patches to hundreds of millions of customers. By forging the digital signature used to cryptographically prove the authenticity of Microsoft servers, Flame was able to spread from one infected computer to another inside targeted networks.

Read 8 remaining paragraphs | Comments

Hacks all the time. Engineers recently found Yahoo systems remained compromised

Some five months after Yahoo disclosed a security breach that exposed sensitive data for 500 million accounts, some of its systems remained compromised, according to a report published Tuesday. The report said that in light of the hacks, Verizon would knock $350 million off the price it would pay to acquire Yahoo’s Internet business.

“A recent meeting between technical staff of the two companies revealed that some of Yahoo’s systems were compromised and might be difficult to integrate with Verizon’s AOL unit,” The Wall Street Journal reported, citing unnamed people. Verizon remains concerned that the breaches may hamper user engagement and in the process make the assets less valuable. Yahoo responded by cutting $350 million from the original $4.83 billion price tag, bringing the deal value to about $4.48 billion. It wasn’t clear precisely when the meeting occurred.

Tuesday’s report comes a week after Yahoo sent a new round of notifications warning users that their accounts may have been breached as recently as last year. The disclosure caused concerns because previously all the hacks were believed to have taken place in 2013 and 2014. The much more recent compromises were carried out by forging the browser cookies Yahoo servers set after a user logs in to an account. Once a computer has the authentication cookie, it no longer requires a user to enter a password to access the account. Yahoo first disclosed the cookie attack in October but didn’t say how recently it had occurred.

Read 1 remaining paragraphs | Comments

Hackers who took control of PC microphones siphon >600 GB from 70 targets

Researchers have uncovered an advanced malware-based operation that siphoned more than 600 gigabytes from about 70 targets in a broad range of industries, including critical infrastructure, news media, and scientific research.

The operation uses malware to capture audio recordings of conversations, screen shots, documents, and passwords, according to a blog post published last week by security firm CyberX. Targets are initially infected using malicious Microsoft Word documents sent in phishing e-mails. Once compromised, infected machines upload the pilfered audio and data to Dropbox, where it’s retrieved by the attackers. The researchers have dubbed the campaign Operation BugDrop because of its use of PC microphones to bug targets and send the audio and other data to Dropbox.

“Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources,” the CyberX researchers wrote. “In particular, the operation requires a massive back-end infrastructure to store, decrypt, and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics.”

Read 7 remaining paragraphs | Comments

Trump’s apparent security faux-pas-palooza triggers call for House investigation

Representative Ted Lieu, a congressman from Los Angeles County, California, led fourteen other House Democrats on Friday in urging the House Government Oversight Committee to investigate “troubling reports” of President Donald Trump’s apparently poor security practices and the potential danger to national security posed by them—including his continued use of an unsecured Android device to post to Twitter, discussion of sensitive information (including nuclear strategy) in the restaurant at his Mar-A-Lago resort, and leaving classified material unlocked while visitors were in the Oval Office.

In a letter to Oversight Committee chairman Jason Chaffetz and ranking Democratic member Elijah Cummings, the fifteen representatives wrote:

Referring to the complex problem of cybersecurity, President Trump recently said in an interview, “I’m not sure you have the kind of security that you need.” We fully agree—which is why we are writing to request that the House Oversight and Government Reform Committee hold a hearing into troubling reports that the President is jeopardizing national security by egregiously failing to implement commonsense security measures across the board, from using an insecure, consumer-grade Android smartphone to discussing nuclear strategy openly in a dining room at his Mar-a-Lago Club in Florida. Cybersecurity experts universally agree that an ordinary Android smartphone, which the President is reportedly using despite repeated warnings from the Secret Service, can be easily hacked.

Lieu and the other signatories of the letter expressed concern that Trump’s Android device, “most likely the Samsung Galaxy S3,” is particularly vulnerable to attack, and that someone could alter the information the President viewed on it—which could “have a huge impact on his beliefs and actions.” They also feared that someone could gain control of his Twitter account, “causing disastrous consequences for global stability,” or use it as a listening device to pick up sensitive conversations.

Read 4 remaining paragraphs | Comments

“Secure” Trump website defaced by hacker claiming to be from Iraq

Someone calling themselves “Pro_Mast3r” managed to deface a server associated with President Donald Trump’s presidential campaign fundraising on Sunday, The server, secure2.donaldjtrump.com, is behind Cloudflare’s content management and security platform, and does not appear to be directly linked from the Trump Pence campaign’s home page. But it does appear to be an actual Trump campaign server—its certificate is legitimate, but a reference to an image on another site is insecure, prompting a warning on Chrome and Firefox that the connection is not secure.

The page, now displaying an image of a man in a fedora, displays the following text:

Hacked By Pro_Mast3r ~
Attacker Gov
Nothing Is Impossible
Peace From Iraq

The source code contains a link to  javascript malware on a now-nonexistent Google Code account, masterendi, previously associated with the hacking of at least three other websites.

Read 1 remaining paragraphs | Comments

Android connected car apps could give up the keys to criminals

In a presentation at this week’s RSA security conference in San Francisco, researchers from Kaspersky Labs revealed more bad news for the Internet of drivable things—connected cars. Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps.

The security vulnerabilities of connected cars have been a hot topic at security conferences for the past few years—particularly after researchers Charlie Miller and Chris Valasek demonstrated that they could control many of the functions of a Jeep Grand Cherokee (including its brakes and steering) remotely through the vehicle’s built-in cellular data connection. There have also been repeated demonstrations of vulnerabilities in how the mobile applications from various connected vehicle services connect to vehicles, such as Sammy Kamkar’s demonstration of intercepting data from the mobile app for GM’s OnStar.

The vulnerabilities looked at by the Kaspersky researchers focused not on vehicle communication, but on the Android apps associated with the services and the potential for their credentials to be hijacked by malware if a car owner’s smartphone is compromised. Chebyshev and Kuzin wrote:

Read 2 remaining paragraphs | Comments

USB Killer now lets you fry most Lightning and USB-C devices for $55

Remember the USB Killer stick that indiscriminately and immediately fries about 95 percent of devices? Well, now the company has released a new version that is even more lethal! And you can also buy an adaptor pack, which lets you kill test devices with USB-C, Micro USB, and Lightning ports. Yay.

If you haven’t heard of the USB Killer before, it’s essentially a USB stick with a bunch of capacitors hidden within. When you plug it into a host device (a smartphone, a PC, an in-car or in-plane entertainment system), those capacitors charge up—and then a split second later, the stick dumps a huge surge of electricity into the host device, at least frying the port, but usually disabling the whole thing. For more information on its technical operation, read our original USB Killer explainer.

Read 10 remaining paragraphs | Comments