Timesdelhi.com

March 19, 2019
Category archive

computer security

The responsibility for a sustainable digital future

in articles/Column/computer security/cryptography/cybercrime/Cyberwarfare/Delhi/e-commerce/Europe/Facebook/France/G7/Getty-Images/India/national security/Paris/Politics/Tim-berners lee by

On March 12, 2019, we celebrate the 30th anniversary of the “World Wide Web”, Tim Berners-Lee’s ground-breaking invention.

In just thirty years, this flagship application of the Internet has forever changed our lives, our habits, our way of thinking and seeing the world. Yet, this anniversary leaves a bittersweet taste in our mouth: the initial decentralized and open version of the Web, which was meant to allow users to connect with each other, has gradually evolved to a very different version, centralized in the hands of giants who capture our data and impose their standards.

We have poured our work, our hearts and a lot of our lives out on the internet. For better or for worse. Beyond business uses for Big Tech, our data has become an incredible resource for malicious actors, who use this windfall to hack, steal and threaten. Citizens, small and large companies, governments: online predators spare no one. This initial mine of information and knowledge has provided fertile ground for dangerous abuse: hate speech, cyber-bullying, manipulation of information or apology for terrorism – all of them amplified, relayed and disseminated across borders.

Laissez-faire or control: between Scylla and Charybdis

Faced with these excesses, some countries have decided to regain control over the Web and the Internet in general: by filtering information and communications, controlling the flow of data, using digital instruments for the sake of sovereignty and security. The outcome of this approach is widespread censorship and surveillance. A major threat to our values and our vision of society, this project of “cyber-sovereignty” is also the antithesis of the initial purpose of the Web, which was built in a spirit of openness and emancipation. Imposing cyber-borders and permanent supervision would be fatal to the Web.

To avoid such an outcome, many democracies have favored laissez-faire and minimal intervention, preserving the virtuous circle of profit and innovation. Negative externalities remain, with self-regulation as the only barrier. But laissez-faire is no longer the best option to foster innovation: data is monopolized by giants that have become systemic, users’ freedom of choice is limited by vertical integration and lack of interoperability. Ineffective competition threatens our economies’ ability to innovate.

In addition, laissez-faire means being vulnerable to those who have chosen a more interventionist or hostile stance. This question is particularly acute today for infrastructures: should we continue to remain agnostic, open and to choose a solution only based on its economic competitiveness? Or should we affirm the need to preserve our technological sovereignty and our security?

Internet of Things connecting in cloud over city scape.

Photo courtesy of Getty Images/chombosan

Paving a third way

To avoid these pitfalls, France, Europe and all democratic countries must take control of their digital future. This age of digital maturity involves both smart digital regulation and enhanced technological sovereignty.

Holding large actors accountable is a legitimate and necessary first step: “with great power comes great responsibility”.

Platforms that relay and amplify the audience of dangerous content must assume a stronger role in information and prevention. The same goes for e-commerce, when consumers’ health and safety is undermined by dangerous or counterfeit products, made available to them with one click. We should apply the same focus on systemic players in the field of competition: vertical integration should not hinder users’ choice of goods, services or content.

But for our action to be effective and leave room for innovation, we must design a “smart regulation”. Of course, our goal is not to impose on all digital actors an indiscriminate and disproportionate normative burden.

Rather, “smart regulation” relies on transparency, auditability and accountability of the largest players, in the framework of a close dialogue with public authorities. With this in mind, France has launched a six-month experiment with Facebook on the subject of hate content, the results of which will contribute to current and upcoming legislative work on this topic.

In the meantime, in order to maintain our influence and promote this vision, we will need to strengthen our technological sovereignty. In Europe, this sovereignty is already undermined by the prevalence of American and Asian actors. As our economies and societies become increasingly connected, the question becomes more urgent.

Investments in the most strategic disruptive technologies, construction of an innovative normative framework for the sharing of data of general interest: we have leverage to encourage the emergence of reliable and effective solutions. But we will not be able to avoid protective measures when the security of our infrastructure is likely to be endangered.

To build this sustainable digital future together, I invite my G7 counterparts to join me in Paris on May 16th. On the agenda, three priorities: the fight against online hate, a human-centric artificial intelligence, and ensuring trust in our digital economy, with the specific topics of 5G and data sharing.

Our goal? To take responsibility. Gone are the days when we could afford to wait and see.

Our leverage? If we join our wills and forces, our values can prevail.

We all have the responsibility to design a World Wide Web of Trust. It is still within our reach but the time has come to act.

News Source = techcrunch.com

Researchers obtain a command server used by North Korean hacker group

in computer security/cyberattacks/Cyberwarfare/Delhi/Europe/Government/Hack/hacker/India/malware/McAfee/North Korea/Politics/Security/Sony/United Kingdom/United States by

In a rare move, government officials have handed security researchers a seized server believed to be used by North Korean hackers to launch dozens of targeted attacks last year.

Known as Operation Sharpshooter, the server was used to deliver a malware campaign targeting governments, telecoms, and defense contractors — first uncovered in December. The hackers sent malicious Word documents by email that, when opened, ran macro code to download a second-stage implant, dubbed Rising Sun, which the hackers used to conduct reconnaissance and steal user data.

The Lazarus Group, a hacker group linked to North Korea, was the prime suspect given the overlap with similar code previously used by hackers, but a connection was never confirmed.

Now, McAfee says it’s confident to make the link.

“This was a unique first experience in all my years of threat research and investigations,” Christiaan Beek, lead scientist and senior principal engineer at McAfee, told TechCrunch in an email. “In having visibility into an adversary’s command-and-control server, we were able to uncover valuable information that led to more clues to investigate,” he said.

The move was part of an effort to better understand the threat from the nation state, which has in recent years been blamed for the 2016 Sony hack and the WannaCry ransomware outbreak in 2017, as well as more targeted attacks on global businesses.

In the new research seen by TechCrunch out Sunday, the security firm’s examination of the server code revealed Operation Sharpshooter was operational far longer than first believed — dating back to September 2017 — and targeted a broader range of industries and countries, including financial services and critical infrastructure in Europe, the U.K. and the U.S.

The modular command and control structure of the Rising Sun malware. (Image: McAfee)

The research showed that the server, operating as the malware’s command and control infrastructure, was written in the PHP and ASP web languages, used for building websites and web-based applications, making it easily deployed and highly scalable.

The back-end has several components used to launch attacks on the hackers’ targets. Each component has a specific role, such as the implant downloader, which hosts and pulls the implant from another downloader; and the command interpreter, which operates the Rising Sun implant through an intermediate hacked server to help hide the wider command structure.

The researchers say that the hackers use a factory-style approach to building Rising Sun, a modular type of malware pieced together from different components over several years. “These components appear in various implants dating back to 2016, which is one indication that the attacker has access to a set of developed functionalities at their disposal,” said McAfee’s research. The researchers also found a “clear evolutionary” path from Duuzer, a backdoor used to target South Korean computers as far back as 2015, and also part of the same family of malware used in the Sony hack, also attributed to North Korea.

Although the evidence points to the Lazarus Group, evidence from the log files shows a batch of IP addresses purportedly from Namibia, which researchers can’t explain.

“It is quite possible that these unobfuscated connections may represent the locations that the adversary is operating from or testing in,” the research said. “Equally, this could be a false flag,” such as an effort to cause confusion in the event that the server is compromised.

The research represents a breakthrough in understanding the adversary behind Operation Sharpshooter. Attribution of cyberattacks is difficult at best, a fact that security researchers and governments alike recognize, given malware authors and threat groups share code and leave red herrings to hide their identities. But obtaining a command and control server, the core innards of a malware campaign, is telling.

Even if the goals of the campaign are still a mystery, McAfee’s chief scientist Raj Samani said the insight will “give us deeper insights in investigations moving forward.”

News Source = techcrunch.com

Thousands of industrial refrigerators can be remotely defrosted, thanks to default passwords

in computer security/Delhi/India/Password/Pharmaceutical/Politics/Prevention/refrigerator/search engine/Security by

Security researchers have found thousands of exposed internet-connected industrial refrigerators that can be easily remotely instructed to defrost.

More than 7,000 vulnerable temperature controlled systems, manufactured by U.K.-based firm Resource Data Management, are accessible from the internet and can be controlled by simply entering the default password found in documentation on the company’s website, according to Noam Rotem, one of the security researchers who found the vulnerable systems.

Many of these vulnerable units are found in industrial refrigerators in restaurants, hospitals, and supermarkets and grocery stores from the U.K., Ireland, and as far away as Sweden, Germany and China. The researchers also found a pharmaceutical company in Malaysia and a cooling facility in Germany.

Defrosting the refrigerators could lead to untold water damage, financial losses, and the destruction of inventory. In the case of high-value industries, that could amount to hefty losses.

The web interface of an industrial freezer at a Marks & Spencer in Hong Kong. (Image: TechCrunch)

“The systems can be accessed through any browser,” said Rotem in his write-up, shared with TechCrunch before his public disclosure. “All you need is the right URL, which as our tests show, isn’t too difficult to find.”

Rotem said defrosting a machine requires only that one “click a button and enter the default username and password,” both of which are near-universal across the company’s devices. TechCrunch found several hundred refrigerators on Shodan, a search engine for publicly available devices and databases, confirming the researchers’ findings, but did not use the credentials as doing so would be unlawful.

It’s also possible to modify user settings, alarms, and other features on the exposed devices, said Rotem.

In an email, a representative from Resource Data Management said: “We clearly state in our documentation that the default passwords must be changed when the system is installed.” However, the change isn’t mandatory. According to Rotem, many device owners don’t bother. The company also distanced itself from its own security practices. “We have no control over how our systems are set up by the installer and we suggest your article is directed at the users and installers of our equipment,” the representative said. “We will inform owners that we have new software available with new functions and features but ultimately it is up to them to request an upgrade.”

The company said it will write to all its known customers “reminding them of the importance of changing the default user names and passwords.”

Starting next year, California will ban internet-connected devices manufactured or sold in the state if they contain a weak or default password that isn’t unique to each device.
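The gap the article describes is that the password change is documented but never enforced. The following is an added example (not code from the article or from Resource Data Management) of how a controller's web interface could make the change mandatory: factory credentials unlock only the password-change screen, control actions such as defrost stay blocked until a non-default password is set, and the replacement is rejected if it is itself a known default or too short. The factory credentials, the minimum length and the class and method names are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example defaults for illustration; the article does not
# reproduce the vendor's real credentials.
FACTORY_DEFAULTS = {"admin": "admin", "user": "password"}
MIN_LENGTH = 12  # assumed policy value


class ControllerAuth:
    """Login gate for a network-connected controller's web interface.

    Accounts still using their factory credential are flagged in
    ``_must_change``; they can log in only far enough to pick a new
    password, and every control action checks that flag first.
    """

    def __init__(self):
        self._users = {u: self._hash(p) for u, p in FACTORY_DEFAULTS.items()}
        self._must_change = set(FACTORY_DEFAULTS)

    @staticmethod
    def _hash(password, salt=None):
        # Salted PBKDF2 so stored credentials are not recoverable in bulk
        # if the device's storage is ever dumped.
        salt = salt or os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
        return salt, dk

    def _check(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, dk = rec
        return hmac.compare_digest(self._hash(password, salt)[1], dk)

    def login(self, user, password):
        """'denied', 'change_required' (factory credential still in use) or 'ok'."""
        if not self._check(user, password):
            return "denied"
        return "change_required" if user in self._must_change else "ok"

    def set_password(self, user, old, new):
        """Replace a credential; refuse defaults and short values."""
        if not self._check(user, old):
            return "denied"
        if len(new) < MIN_LENGTH or new in FACTORY_DEFAULTS.values():
            return "rejected"
        self._users[user] = self._hash(new)
        self._must_change.discard(user)
        return "changed"

    def defrost(self, user, password):
        """A control action: only reachable once the default is gone."""
        return "started" if self.login(user, password) == "ok" else "blocked"


if __name__ == "__main__":
    auth = ControllerAuth()
    print(auth.login("admin", "admin"))                       # change_required
    print(auth.defrost("admin", "admin"))                     # blocked
    print(auth.set_password("admin", "admin", "correct-horse-battery"))
    print(auth.defrost("admin", "correct-horse-battery"))     # started
```

The same gate also covers the California requirement quoted in the article: a device shipped with a shared default is acceptable only if it forces a change before any other function is available.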

News Source = techcrunch.com

Houzz resets user passwords after data breach

in computer security/cryptography/data breach/Delhi/Hack/Houzz/India/Password/Politics/salt/Security/Startups by

Houzz, a $4 billion-valued home improvement startup that recently laid off 10 percent of its staff, has admitted a data breach.

A reader contacted TechCrunch on Thursday with a copy of an email sent by the company. It doesn’t say much — such as when the breach happened, or if a hacker was to blame or if it was a data exposure that the company could’ve prevented.

Houzz spokesperson Gabriela Hebert would not comment beyond an FAQ posted on the company’s website, citing an ongoing investigation.

In that FAQ, the company said it “recently learned that a file containing some of our user data was obtained by an unauthorized third party.” It added: “We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment, and remediation efforts.”

The company said it was notifying all of its users who may have been affected.

An email from a Houzz user. (Image: supplied)

Houzz said the file contained some publicly visible information from a user’s Houzz profile, such as name, city, state, country and profile description, along with internal identifiers and fields “that have no discernible meaning to anyone outside of Houzz,” such as the region and location of the user and whether they have a profile image.

The company also said that usernames and scrambled passwords were also taken.

Houzz said that the passwords were scrambled and salted using a one-way hashing algorithm, but did not provide specifics on what kind of hashing algorithm was used. Some algorithms, like MD5, are old and outdated but still in use, while newer hashing algorithms — like bcrypt — are stronger and can be more difficult to crack, depending on the number of rounds the passwords go through.
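To make the difference the article draws concrete, here is an added example (not from the article or from Houzz) contrasting an unsalted MD5 digest with a salted, iterated password hash. bcrypt, which the article names, needs a third-party package, so the standard library's PBKDF2-HMAC-SHA256 stands in for it; it follows the same salt-plus-cost design, with the iteration count playing the role of bcrypt's rounds. The sample password and the storage format are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample value, not data from the breach.
SAMPLE_PASSWORD = "password"


def md5_digest(password: str) -> str:
    """Unsalted MD5: fast, and the same input always yields the same output,
    so one precomputed table covers every user who picked that password.
    Included only as the weak baseline the article contrasts against."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, iterations: int = 100_000,
                salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. A fresh random salt per password means two users
    with the same password get different stored values, and the iteration
    count sets how expensive each guess is for an attacker."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Storage format (assumed for the example): algorithm$iterations$salt$hash
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_same_hash(hasher) -> bool:
    """Do two users with the same password end up with identical stored values?"""
    return hasher(SAMPLE_PASSWORD) == hasher(SAMPLE_PASSWORD)


if __name__ == "__main__":
    print("md5:   ", md5_digest(SAMPLE_PASSWORD))
    stored = pbkdf2_hash(SAMPLE_PASSWORD)
    print("pbkdf2:", stored)
    print("verify correct:", verify_pbkdf2(SAMPLE_PASSWORD, stored))
    print("verify wrong:  ", verify_pbkdf2("Password", stored))
    print("md5 repeats across users:   ", same_password_same_hash(md5_digest))
    print("pbkdf2 repeats across users:", same_password_same_hash(pbkdf2_hash))
```

The point for a breach like this one: with unsalted MD5, every account that used a common password is exposed by a single table lookup; with a salted, iterated hash, each stolen record has to be attacked on its own, at a cost per guess the defender chose.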

Regardless, the company recommended users change their passwords.

No financial information was taken, according to the FAQ.

The company was last year among many mocked for sending out emails to users alerting them of mandatory changes to their privacy policies ahead of the 2018-introduced EU General Data Protection Regulation (GDPR) law, saying it “value[s]” its customers’ privacy. “Their opening lines offer a glimpse of the way legal policy and user experience are colliding under the new regulations,” said Fast Company.

But it’s not clear if the company will face penalties — up to four percent of its global revenue — as a result of the regulation, only that the company “notified EU authorities within the statutory period,” said the spokesperson.

Another day, another breach.

News Source = techcrunch.com

Massive mortgage and loan data leak gets worse as original documents also exposed

in Amazon-S3/cloud storage/computer security/data breach/data security/database/Delhi/email/Finance/Government/India/New York/ocr/Politics/Prevention/privacy/Security/texas/United States/web browser by

Remember that massive data leak of mortgage and loan data we reported on Wednesday?

In case you missed it, millions of documents were found leaking from an Elasticsearch server exposed to the internet without a password. The data contained highly sensitive financial data on tens of thousands of individuals who took out loans or mortgages over the past decade with U.S. financial institutions. The documents were converted using a technology called OCR from their original paper documents to a computer readable format and stored in the database, but they weren’t easy to read. That said, it was possible to discern names, addresses, birth dates, Social Security numbers and other private financial data by anyone who knew where to find the server.

Independent security researcher Bob Diachenko and TechCrunch traced the source of the leaking database to a Texas-based data and analytics company, Ascension. When reached, the company said that one of its vendors, OpticsML, a New York-based document management startup, had mishandled the data and was to blame for the data leak.

It turns out that data was exposed again — but this time, it was the original documents.

Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server and see — and download — the files stored inside.

In a note to TechCrunch, Diachenko said he was “very surprised” to find the server in the first place, let alone open and accessible. Because Amazon storage servers are private by default and aren’t accessible to the web, someone would have made a conscious decision to set its permissions to public.
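Because a bucket only becomes public through an explicit grant, the exposure is also easy to audit for. The following is an added example (not code from the article, from OpticsML or from AWS) that checks two bucket configuration documents for the grants that make a bucket world-readable: a bucket policy whose Allow statement has a wildcard Principal, and an ACL grant to the AllUsers or AuthenticatedUsers group. The group URIs are AWS's real predefined values; the policy, ACL and bucket name are constructed samples shaped like what the GetBucketPolicy and GetBucketAcl APIs return, and the account ID is a placeholder.

```python
import json

# AWS's predefined ACL group URIs (real values). A READ grant to the first
# means anyone on the internet; to the second, anyone with any AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(v):
    # Policy fields may be a single string or a list; normalise to a list.
    return v if isinstance(v, list) else [v]


def _principal_is_public(principal) -> bool:
    # Principal "*" or {"AWS": "*"} means the statement applies to everyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: dict) -> list:
    """Sids (or positional labels) of Allow statements granting read access to everyone."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        if READ_ACTIONS & set(_as_list(st.get("Action", []))):
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings


def public_acl_grants(acl: dict) -> list:
    """(group, permission) pairs granted to AllUsers / AuthenticatedUsers in a bucket ACL."""
    findings = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return findings


# Constructed sample documents. The first is the kind of policy that leaves a
# bucket open to any browser; the second restricts reads to one IAM role
# (placeholder account ID 123456789012).
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-loan-docs", "arn:aws:s3:::example-loan-docs/*"]
  }]
}""")

PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ProcessingRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/document-processor"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-loan-docs/*"
  }]
}""")

OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}

if __name__ == "__main__":
    print("open policy:   ", public_policy_statements(OPEN_POLICY))
    print("private policy:", public_policy_statements(PRIVATE_POLICY))
    print("open ACL:      ", public_acl_grants(OPEN_ACL))
```

In a real account the two documents would come from the S3 API rather than inline literals, and the checks belong in a scheduled job rather than a one-off script; AWS's account-level Block Public Access setting is the belt-and-braces control that stops such a grant from taking effect at all.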

The bucket contained 21 files containing 23,000 pages of PDF documents stitched together — or about 1.3 gigabytes in size. Diachenko said that portions of the data in the exposed Elasticsearch database on Wednesday matched data found in the Amazon S3 bucket, confirming that some or all of the data is the same as what was previously discovered. Like in Wednesday’s report, the server contained documents from banks and financial institutions across the U.S., including loans and mortgage agreements. We also found documents from the U.S. Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules, and other sensitive financial information.

Two of the files — redacted — found on the exposed storage server. (Image: TechCrunch)

Many of the files also contained names, addresses, phone numbers, and Social Security numbers, and more.

When we tried to reach OpticsML on Wednesday, its website had been pulled offline and the listed phone number was disconnected. After scouring through an old cached version of the site, we found an email address.

TechCrunch emailed chief executive Sean Lanning, and the bucket was secured within the hour.

Lanning acknowledged our email but did not comment. Instead, OpticsML chief technology officer John Brozena confirmed the breach in a separate email, but declined to answer several questions about the exposed data — including how long the bucket was open and why it was set to public.

“We are working with the appropriate authorities and a forensic team to analyze the full extent of the situation regarding the exposed Elasticsearch server,” said Brozena. “As part of this investigation we learned that 21 documents used for testing were made identifiable by the previously discussed Elasticsearch leak. These documents were taken offline promptly.”

He added that OpticsML is “working to notify all affected parties” when asked about informing customers and state regulators, as per state data breach notification laws.

But Diachenko said there was no telling how many times the bucket might have been accessed before it was discovered.

“I would assume that after such publicity like these guys had, first thing you would do is to check if your cloud storage is down or, at least, password-protected,” he said.

News Source = techcrunch.com
