Timesdelhi.com

September 24, 2018
Category archive

computer security

Surveillance camera vulnerability could allow hackers to spy on and alter recordings

in computer security/Delhi/exploits/India/NVR/Politics/privacy/Security/surveillance/TC/video surveillance/vulnerability by

In newly published research, security firm Tenable reveals how popular video surveillance camera software could be manipulated, allowing would-be attackers the ability to view, disable or otherwise manipulate video footage.

The vulnerability, which researchers fittingly dubbed “Peekaboo,” affects software created by NUUO, a surveillance system software maker with clients including hospitals, banks, and schools around the globe.

The vulnerability works via a stack buffer overflow, overwhelming the targeted software and opening the door for remote code execution. That loophole means that an attacker could remotely access and take over accounts with no authorization, even taking over networked cameras connected to the target device.

“This is particularly devastating because not only is an attacker able to control the NVR [camera] but the credentials for all the cameras connected to the NVR are stored in plaintext on disk,” Tenable writes.

Tenable provides more details on potential exploits tested with one of NUUO’s NVRMini2 devices on its Github page. One exploit “grabs the credentials to the cameras that are connected to the NVR, creates a hidden admin user, and disconnects any cameras that are currently connected to the NVR.” Not great.

Tenable set its disclosure to NUUO in motion on June 1. NUUO committed to a September 13 patch date to fix the issue but the date was later pushed to September 18, when anyone with affected equipment can expect to see firmware version 3.9.0.1. Organizations that might be vulnerable can use a plugin from the researchers to determine if they’re at risk or contact the manufacturer directly. TechCrunch reached out to NUUO about its plans to push a patch and notify affected users.

What what makes matters worse with this vulnerability is that NUUO actually licenses its software out to at least 100 other brands and 2,500 camera models. Tenable estimates that the vulnerability could put hundreds of thousands of networked surveillance cameras at risk around the world and many of the groups that operate those devices might have no idea that the risk is even relevant to the systems they rely on.

News Source = techcrunch.com

Weak passwords let a hacker access internal Sprint staff portal

in computer security/Delhi/e-commerce/India/mobile phone/multi-factor authentication/Politics/Security/security breaches/sprint by

It’s not been a great week for cell carriers. EE was hit with two security bugs and T-Mobile admitted a data breach. Now, Sprint is the latest phone giant to admit a security lapse, TechCrunch has learned.

Using two sets of weak, easy-to-guess usernames and passwords, a security researcher accessed an internal Sprint staff portal. Because the portal’s log-in page didn’t use two-factor authentication, the researcher — who did not want to be named — navigated to pages that could have allowed access customer account data.

Sprint is the fourth largest US cell network with 55 million customers.

TechCrunch passed on details and screenshots of the issue to Sprint, which confirmed the findings in an email.

“After looking into this, we do not believe customer information can be obtained without successful authentication to the site,” said a Sprint spokesperson.

“Based on the information and screenshots provided, legitimate credentials were utilized to access the site. Regardless, the security of our customers is a top priority, and our team is working diligently to research this issue and immediately changed the passwords associated with these accounts,” the spokesperson said.

We’re not disclosing the passwords, but suffice to say they were not difficult to guess.

The first set of credentials let the researcher into a prepaid Sprint employee portal that gave staff access to Sprint customer data — as well as Boost Mobile and Virgin Mobile, which are Sprint subsidiaries. The researcher used another set of credentials to gain access to a part of the website, which he said gave him access to a portal for customer account data.

A screenshot shared with TechCrunch showed that anyone with access to this portal allowed the user to conduct a device swap, change plans and add-ons, replenish a customer’s account, check activation status and view customer account information.

A screenshot showing an internal customer portal.

All a user would need is a customer’s mobile phone number and a four-digit PIN number, which could be bypassed by cycling through every possible combination.

The researcher said there were no limits on the number of PIN attempts.

Account PIN numbers are highly sensitive as they can be used to transfer ownership from one person to another. That gives hackers an easier route to carry out a “SIM swapping” attack, which target and hijack cell phone numbers. Hackers use a mix of techniques — such as calling up customer service and impersonating a customer, all the way to recruiting telecom employees to hijack SIM cards from the inside. In hijacking phone numbers, hackers can break into online accounts to steal vanity Instagram usernames, and intercept codes for two-factor authentication to steal the contents of cryptocurrency wallets.

SIM swapping is becoming a big, albeit illegal business. An investigation by Motherboard revealed that hundreds of people across the US have had their cellphone number stolen over the past few years. TechCrunch’s John Biggs was one such victim.

But the authorities are catching up to the growing threat of SIM swapping. Three SIM swappers have been arrested in the past few weeks alone.

News Source = techcrunch.com

Google makes it easier for G Suite admins to investigate security breaches

in cloud applications/computer security/Delhi/G Suite/Google/Google Cloud Next 2018/India/Politics/Security by

Google is announcing a fair number of updates to G Suite at its Next conference today, most of which focus on the user experience. In addition to those, though, the company also launched a new security investigation tool for admins that augments the existing tools for preventing and detecting potential security issues. The new tool builds on those and adds remediation features to the G Suite security center.

“The overall goal of the security center in G Suite is to provide administrators with the visibility and control they need to prevent, detect and remediate security issues,” said David Thacker, Google’s VP of product management for G Suite. “Earlier this year, we launched the first major components of this security center that help admins prevent and detect issues.”

Now with this third set of tools in line, G Suite admins can get a better understanding of the threats they are facing and how to remediate them. To do this, Thacker said, analysts and admins will be able to run really advanced queries over many different data sources to identify the users who have been impacted by a breach and then investigate what exactly happened. The tool also makes it easy for admins to remove access to certain files or to delete malicious emails “without having to worry about analyzing logs, which can be time-consuming or require complex scripting,” as Thacker noted.

This new security tool is now available as an Early Adopter Program for G Suite Enterprise customers.

News Source = techcrunch.com

A simple solution to end the encryption debate

in Atlanta/Column/computer security/computing/crypto wars/cryptography/Cyberwarfare/Delhi/encryption/executive/Federal Bureau of Investigation/India/law enforcement/mobile devices/mobile security/Politics/smartphone/smartphones/Symphony Communications by

Criminals and terrorists, like millions of others, rely on smartphone encryption to protect the information on their mobile devices. But unlike most of us, the data on their phones could endanger lives and pose a great threat to national security.

The challenge for law enforcement, and for us as a society, is how to reconcile the advantages of gaining access to the plans of dangerous individuals with the cost of opening a door to the lives of everyone else. It is the modern manifestation of the age-old conflict between privacy versus security, playing out in our pockets and palms.

One-size-fits all technological solutions, like a manufacturer-built universal backdoor tool for smartphones, likely create more dangers than they prevent. While no solution will be perfect, the best ways to square data access with security concerns require a more nuanced approach that rely on non-technological procedures.

The FBI has increasingly pressed the case that criminals and terrorists use smartphone security measures to avoid detection and investigation, arguing for a technological, cryptographic solution to stop these bad actors from “going dark.” In fact, there are recent reports that the Executive Branch is engaged in discussions to compel manufacturers to build technological tools so law enforcement can read otherwise-encrypted data on smartphones.

But the FBI is also tasked with protecting our nation against cyber threats. Encryption has a critical role in protecting our digital systems against compromises by hackers and thieves. And of course, a centralized data access tool would be a prime target for hackers and criminals. As recent events prove – from the 2016 elections to the recent ransomware attack against government computers in Atlanta – the problem will likely only become worse. Anything that weakens our cyber defenses will only make it more challenging for authorities to balance these “dual mandates” of cybersecurity and law enforcement access.

There is also the problem of internal threats: when they have access to customer data, service providers themselves can misuse or sell it without permission. Once someone’s data is out of their control, they have very limited means to protect it against exploitation. The current, growing scandal around the data harvesting practices on social networking platforms illustrates this risk. Indeed, our company Symphony Communications, a strongly encrypted messaging platform, was formed in the wake of a data misuse scandal by a service provider in the financial services sector.

(Photo by Chip Somodevilla/Getty Images)

So how do we help law enforcement without making data privacy even thornier than it already is? A potential solution is through a non-technological method, sensitive to the needs of all parties involved, that can sometimes solve the tension between government access and data protection while preventing abuse by service providers.

Agreements between some of our clients and the New York State Department of Financial Services (“NYSDFS”), proved popular enough that FBI Director Wray recently pointed to them as a model of “responsible encryption” that solves the problem of “going dark” without compromising robust encryption critical to our nation’s business infrastructure.

The solution requires storage of encryption keys — the codes needed to decrypt data — with third party custodians. Those custodians would not keep these client’s encryption keys. Rather, they give the access tool to clients, and then clients can choose how to use it and to whom they wish to give access. A core component of strong digital security is that a service provider should not have access to client’s unencrypted data nor control over a client’s encryption keys.

The distinction is crucial. This solution is not technological, like backdoor access built by manufacturers or service providers, but a human solution built around customer control.  Such arrangements provide robust protection from criminals hacking the service, but they also prevent customer data harvesting by service providers.

Where clients choose their own custodians, they may subject those custodians to their own, rigorous security requirements. The clients can even split their encryption keys into multiple pieces distributed over different third parties, so that no one custodian can access a client’s data without the cooperation of the others.

This solution protects against hacking and espionage while safeguarding against the misuse of customer content by the service provider. But it is not a model that supports service provider or manufacturer built back doors; our approach keeps the encryption key control in clients’ hands, not ours or the government’s.

A custodial mechanism that utilizes customer-selected third parties is not the answer to every part of the cybersecurity and privacy dilemma. Indeed, it is hard to imagine that this dilemma will submit to a single solution, especially a purely technological one. Our experience shows that reasonable, effective solutions can exist. Technological features are core to such solutions, but just as critical are non-technological considerations. Advancing purely technical answers – no matter how inventive – without working through the checks, balances and risks of implementation would be a mistake.

News Source = techcrunch.com

1 2 3 4
Go to Top