Timesdelhi.com

December 12, 2018
Category archive

hacking

Security flaw in DJI’s website and apps exposed accounts to hackers and drone live feeds

in computer security/Delhi/DJI/Gadgets/hacking/India/internet security/north america/Politics/Security/spokesperson/vulnerability by

It took about six months for popular consumer drone maker DJI to fix a security vulnerability across its website and apps, which if exploited could have given an attacker unfettered access to a drone owner’s account.

The vulnerability, revealed Thursday by researchers at security firm Check Point, would have given an attacker complete access to a DJI users’ cloud stored data, including drone logs, maps, any still or video footage — and live feed footage through FlightHub, the company’s fleet management system — without the user’s knowledge.

Taking advantage of the flaw was surprisingly simple — requiring a victim to click on a specially crafted link. But in practice, Check Point spent considerable time figuring out the precise way to launch a potential attack — and none of them were particularly easy.

For that reason, DJI called the vulnerability “high risk” but “low probability,” given the numerous hoops to jump through first to exploit the flaw.

“Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively,” said Oded Vanunu, Check Point’s head of products vulnerability research.

A victim would have had to click on a malicious link from the DJI Forum, where customers and hobbyists talk about their drones and activities. By stealing the user’s account access token, an attacker could have pivoted to access the user’s main account. Clicking the malicious link would exploit a cross-site scripting (XSS) flaw on the forum, essentially taking the user’s account cookie and using it on DJI’s account login page.

The researchers also found flaws in DJI’s apps and its web-based FlightHub site.

By exploiting the vulnerability, the attacker could take over the victim’s account and gain access to all of their synced recorded flights, drone photos, and more. (Image: Check Point)

Check Point reached out in March, at which time DJI fixed the XSS flaw in its site.

“Since then, we’ve gone product-by-product through all the elements in our hardware and software where the login process could have been compromised, to ensure this is no longer an easily replicable hack,” said DJI spokesperson Adam Lisberg.

But it took the company until September to roll out fixes across its apps and FlightHub.

The good news is that it’s unlikely that anyone independently discovered and exploited any of the vulnerabilities, but both Check Point and DJI concede that it would be difficult to know for sure.

“While no one can ever prove a negative, we have seen no evidence that this vulnerability was ever exploited,” said Lisberg.

DJI heralded fixing the vulnerability as a victory for its bug bounty, which it set up a little over a year ago. Its bug bounty had a rocky start, after the company months later threatened a security researcher, who “walked away from $30,000” after revealing a string of emails from the company purportedly threatened him after finding sensitive access keys for the company’s Amazon Web Services instances.

This time around, there was nothing but praise for the bug finders.

“We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” DJI’s North America chief Mario Rebello said.

Good to see things have changed.

News Source = techcrunch.com

A pair of new Bluetooth security flaws expose wireless access points to attack

in computer security/Delhi/exploit/hacking/Hardware/Healthcare/India/Politics/Security/wireless by

Security researchers have found two severe vulnerabilities affecting several popular wireless access points, which — if exploited — could allow an attacker to compromise enterprise networks.

The two bugs are found in Bluetooth Low Energy chips built by Texas Instruments, which networking device makers — like Aruba, Cisco and Meraki — use in their line-up of enterprise wireless access points. Although the two bugs are distinctly different and target a range of models, the vulnerabilities can allow an attacker to take over an access point and break into an enterprise network or jump over the virtual walls that separate networks.

Security company Armis calls the vulnerabilities “Bleeding Bit,” because the first bug involves flipping the highest bit in a Bluetooth packet that will cause its memory to overflow — or bleed — which an attacker can then use to run malicious code on an affected Cisco or Meraki hardware.

The second flaw allows an attacker to install a malicious firmware version on one of Aruba’s devices, because the software doesn’t properly check to see if it’s a trusted update or not.

Although the security researchers say the bugs allow remote code execution, the attacks are technically local — in that a would-be attacker can’t exploit the flaws over the internet and would have to be within Bluetooth range. In most cases, that’s about 100 meters or so — longer with a directional antenna — so anyone sitting outside an office building in their car could feasibly target an affected device.

“In the case of an access point, once the attacker gained control he can reach all networks served by it, regardless of any network segmentation,” Armis said in a technical write-up.

Ben Seri, vice president of research at Armis, said that the exploit process is “relatively straight forward.” Although the company isn’t releasing exploit code, Seri said that all an attacker needs is “any laptop or smartphone that has built-in Bluetooth in it.”

But he warned that the Bluetooth-based attack can be just one part of a wider exploit process.

“Once the attacker gains control over an access point through one of these vulnerabilities, he can establish an outbound connection over the internet to a command and control server he controls, and continue the attack from a more remote location,” he said. That would give an attacker persistence on the network, making it easier to conduct surveillance or steal data once the attackers drive away.

“Bleeding Bit” allows an unauthenticated attacker to break into enterprise networks undetected, take over access points, spread malware, and move laterally across network segments. (Image: Asrmis/supplied)

Armis doesn’t know how many devices are affected, but warned that the vulnerabilities are found in range of other devices with Bluetooth Low Energy chips.

“This exposure goes beyond access points, as these chips are used in many other types of devices and equipment,” said Seri. “They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more.”

Seri said that the vulnerabilities aren’t within the Bluetooth protocol, but with the manufacturer — in this case, the Bluetooth chip itself. As an open standard, device makers are largely left to decide for themselves how to implement the protocol. Critics have long argued that the Bluetooth specifications leave too much room for interpretation, and that can lead to security issues.

For its part, Texas Instruments confirmed the bugs and issued several patches, but attacked Armis’ findings, calling its report “factually unsubstantiated and potentially misleading,” said spokesperson Nicole Bernard.

After Armis privately disclosed the bugs in July, the three affected device makers have also released patches.

Aruba said it was “aware” of the vulnerability and warned customers in an advisory on October 18, but noted that its devices are only affected if a user enables Bluetooth — which Aruba says is disabled by default. Cisco, which also owns the Meraki brand, said some of its devices are vulnerable but they too have Bluetooth disabled by default. Fixes are already available and the company has a list of vulnerable devices noted in its support advisory. A Cisco spokesperson said that the company “isn’t aware” of anyone maliciously exploiting the vulnerability.

Carnegie Mellon University’s public vulnerability database, CERT, also has an advisory out for any other devices that might be affected.

News Source = techcrunch.com

The United States needs a Department of Cybersecurity

in China/Column/computer security/Congress/cyberattack/cybercrime/Cyberwarfare/Delhi/department of defense/Department of Homeland Security/department of justice/executive/Federal Bureau of Investigation/Government/hacking/India/national security/Politics/Russia/San Francisco/Security/spy/United States/Washington by

This week over 40,000 security professionals will attend RSA in San Francisco to see the latest cyber technologies on display and discuss key issues. No topic will be higher on the agenda than the Russian sponsored hack of the American 2016 election with debate about why the country has done so little to respond and what measures should be taken to deter future attempts at subverting our democracy.

For good reason. There is now clear evidence of Russian interference in the election with Special Counsel Mueller’s 37-page indictment of 13 Russians yet the attack on US sovereignty and stability has gone largely unanswered.  The $120 million set aside by Congress to address the Russian attacks remains unspent. We expelled Russian diplomats but only under international pressure after the poisoning of a former Russian spy and his daughter.

Recent sanctions are unlikely to change the behavior of the Putin administration. To put it bluntly, we have done nothing of substance to address our vulnerability to foreign cyberattacks. Meanwhile, our enemies gain in technological capability, sophistication and impact.

Along with the Russians, the Chinese, North Koreans, Iranians and newly derived nation states use cyber techniques on a daily basis to further their efforts to gain advantage on the geopolitical stage. It is a conscious decision by these governments that a proactive cyber program advances their goals while limiting the United States.

Krisztian Bocsi/Bloomberg via Getty Images

We were once dominant in this realm both technically and with our knowledge and skillsets. That playing field has been leveled and we sit idly by without the will or focus to try and regain the advantage. This is unacceptable, untenable and will ultimately lead to potentially dire consequences.

In March of this year, the US CyberCommand released  a vision paper called “Achieve and Maintain Cyberspace Superiority.” It is a call to action to unleash the country’s cyber warriors to fight  for our national security in concert with all other diplomatic and economic powers available to the United States.

It’s a start but a vision statement is not enough.  Without a proper organizational structure, the United States will never achieve operational excellence in its cyber endeavors.  Today we are organized to fail.  Our capabilities are distributed across so many different parts of the government that they are overwhelmed with bureaucracy, inefficiency and dilution of talent.

The Department of Homeland Security is responsible for national protection including prevention, mitigation and recovery from cyber attacks. The FBI, under the umbrella of the Department of Justice,  has lead responsibility for investigation and enforcement. The Department of Defense, including US CyberCommand, is in charge of national defense.  In addition, each of the various military branches  have their own cyber units. No one who wanted to win would organize a critical  capability in such a distributed and disbursed manner.

How could our law makers know what policy to pass? How do we recruit and train the best of the best in an organization, when it might just be a rotation through a military branch? How can we instantly share knowledge that benefits all when these groups don’t even talk to one another? Our current approach does not and cannot work.

Image courtesy of Colin Anderson

What is needed is a sixteenth branch of the Executive — a Department of Cybersecurity — that  would assemble the country’s best talent and resources to operate under a single umbrella and a single coherent policy.  By uniting our cyber efforts we would make the best use of limited resources and ensure seamless communications across all elements dealing in cyberspace. The department would  act on behalf of the government and the private sector to protect against cyberthreats and, when needed, go on offense.

As with physical defense, sometimes that means diplomacy or sanctions, and sometimes it means executing missions to cripple an enemy’s cyber-operations. We  have the technological capabilities, we have the talent, we know what to do but unless all of this firepower is unified and aimed at the enemy we might as well have nothing.

When a Department of Cybersecurity is discussed in Washington, it is usually rejected because of the number of agencies and departments affected. This is code for loss of budget and personnel. We must rise above turf battles if we are to have a shot at waging an effective cyber war. There are some who have raised concerns about coordination on offensive actions but they can be addressed by a clear chain of command with the Defense Department to avoid the potential of a larger conflict.

We must also not be thrown by comparisons to the Department of Homeland Security and conclude a Cybersecurity department would face the same challenges. DHS was 22 different agencies thrust into one. A Department of Cybersecurity would be built around a common set of skills, people and know-how all working on a common issue and goal. Very different.

Strengthening our cyberdefense is as vital as having a powerful standing army to defend ourselves and our allies. Russia, China and others have invested in their cyberwar capabilities to exploit our systems almost at will.

Counterpunching those efforts requires our own national mandate executed with Cabinet level authority. If we don’t bestow this level of importance to the fight and set ourselves up to win, interference in US elections will not only be repeated …  such acts will seem trivial in comparison to what could and is likely to happen.

News Source = techcrunch.com

Averon closes $8.3M funding to make your smartphone the key to ID online

in Averon/Delhi/hacking/India/Politics/TC by

Because of the threat of cyber attacks, sign in and identity verification procedures are becoming utterly cumbersome. There’s no “identity” layer to the internet (until there is a mainstream Blockhain solution perhaps?). However, using signalling and data packets, and the SIM/eSIM chips already found in smartphones, you could make this much easier. It would also require no installation and much less effort for users, and could be rolled out in areas like IoT.

This is what SF-based startup Averon is working on. They call it Direct Autonomous Authentication (DAA), or a mobile identity verification standard that is both pretty frictionless and very secure.

Averon has now closed an $8.3 million Series A financing round led by Avalon Ventures. The idea is to make the hacks involving Equifax, Target, Home Depot, Anthem Medicare, a thing of the past.

Developed in stealth for nearly two years, Averon’s security solution takes the real-time mobile network signal from your phone and the SIM/eSIM chips to create authentication.

With existing solutions, users manually enter ID info on their device, use 2-factor authentications, and biometric info that is easily breached and prone to human error. Your mobile carrier actually knows who you are, but so far packet device origination tracking (SIM) has been limited to carrier use and carriers themselves have been viewed as siloed networks. This solution breaks down the barriers.

Wendell Brown, CEO and chairman of Averon says DAA “has the potential to substantially reduce the exposure each of us has to the growing wave of cybercriminals.” His co-founder is Lea Tarnowski, a former UK-based VC partner.

Tarnowski was formerly an investment manager at Northzone Ventures, one of Europe’s leading global venture capital funds.

Brown is an acclaimed computer scientist, entrepreneur, and inventor known for his innovations in telco and mobile security with 20 years of expertise in cryptosecurity and a U.S. Department of Defense security.

Averon is led by a cadre of business leaders, engineers and cybersecurity experts with backgrounds spanning MIT, Harvard Business School, Stanford, USC, Cornell, the NSA, the Israel Defense Force, PayPal, Microsoft, and other top universities and institutions. It’s also the creator and holder of IP protected by 15 U.S. and international patents

Featured Image: Getty Images

News Source = techcrunch.com

Kaspersky fights spying claims with code review plan

in antivirus/computer security/Delhi/espionage/eugene kaspersky/Europe/Government/hacking/India/intelligence/kaspersky labs/Politics/Russia/Security/TC by

Russian cybersecurity software maker Kaspersky Labs has announced what it’s dubbing a “comprehensive transparency initiative” as the company seeks to beat back suspicion that its antivirus software has been hacked or penetrated by the Russian government and used as a route for scooping up US intelligence.

In a post on its website today the Moscow-based company has published a four point plan to try to win back customer trust, saying it will be submitting its source code for independent review, starting in Q1 2018. It hasn’t yet specified who will be conducting the review but says it will be “undertaken with an internationally recognized authority”.

It has also announced an independent review of its internal processes — aimed at verifying the “integrity of our solutions and processes”. And says it will also be establishing three “transparency centers” outside its home turf in the next three years — to enable “clients, government bodies and concerned organizations to review source code, update code and threat detection rules”.

It says the first center will be up and running in 2018, and all three will be live by 2020. The locations are listed generally as: Asia, Europe and the U.S.

Finally it’s also increasing its bug bounty rewards — saying it will pay up to $100K per discovered vulnerability in its main Kaspersky Lab products.

That’s a substantial ramping up of its current program which — as of April this year — could pay out up to $5,000 per discovered remote code execution bugs. (And, prior to that, up to $2,000 only.)

Kaspersky’s moves follow a ban announced by the US Department of Homeland Security on its software last month, citing concerns about ties between “certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks”.

The US Senate swiftly followed suit, voting to oust Kaspersky software from federal use. While three months earlier the General Services Administration also removed Kaspersky Lab from a list of approved federal vendors.

The extensive system-wide permissions of antivirus software could certainly make it an attractive target for government agents seeking to spy on adversaries and scoop up data, given the trust it demands of its users.

The WSJ has previously reported that Russian hackers working for the government were able to obtain classified documents from an NSA employee who had stored them on a personal computer that ran Kaspersky software.

Earlier this month CEO Eugene Kaspersky blogged at length — rebutting what he dubbed “false allegations in U.S. media”, and writing: “Our mission is to protect our users and their data. Surveillance, snooping, spying, eavesdropping… all that is done by espionage agencies (which we occasionally catch out and tell the world about), not us.”

But when your business relies so firmly on user trust — and is headquartered close to the Kremlin, to boot — words may evidently not be enough. Hence Kaspersky now announcing a raft of “transparency” actions.

Whether those actions will be enough to restore the confidence of US government agencies in Russian-built software is another matter though.

Kaspersky hasn’t yet named who its external reviewers will be, either. But reached for comment, a company spokeswoman told us: “We will announce selected partners shortly. Kaspersky Lab remains focused on finding independent experts with strong credentials in software security and assurance testing for cybersecurity products. Some recommended competencies include, but are not limited to, technical audits, code base reviews, vulnerability assessments, architectural risk analysis, secure development lifecycle process reviews, etc. Taking a multi-stakeholder approach, we welcome input and recommendations from interested parties at transparency@kaspersky.com

She also sent the following general company statement:

Kaspersky Lab was not involved in and does not possess any knowledge of the situation in question, and the company reiterates its willingness to work alongside U.S. authorities to address any concerns they may have about its products as well as its systems.

As there has not been any evidence presented, Kaspersky Lab cannot investigate these unsubstantiated claims, and if there is any indication that the company’s systems may have been exploited, we respectfully request relevant parties responsibly provide the company with verifiable information. It’s disappointing that these unverified claims continue to perpetuate the narrative of a company which, in its 20 year history, has never helped any government in the world with its cyberespionage efforts.

In addition, with regards to unverified assertions that this situation relates to Duqu2, a sophisticated cyber-attack of which Kaspersky Lab was not the only target, we are confident that we have identified and removed all of the infections that happened during that incident. Furthermore, Kaspersky Lab publicly reported the attack, and the company offered its assistance to affected or interested organisations to help mitigate this threat.

Contrary to erroneous reports, Kaspersky Lab technologies are designed and used for the sole purpose of detecting all kinds of threats, including nation-state sponsored malware, regardless of the origin or purpose. The company tracks more than 100 advanced persistent threat actors and operations, and for 20 years, Kaspersky Lab has been focused on protecting people and organisations from these cyberthreats — its headquarters’ location doesn’t change that mission.

“We want to show how we’re completely open and transparent. We’ve nothing to hide,” added Kaspersky in another statement.

Interestingly enough, the move is pushing in the opposite direction of US-based cybersecurity firm Symantec — which earlier this month announced it would no longer be allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products.

Featured Image: CeBIT Australia/Flickr UNDER A CC BY 2.0 LICENSE

News Source = techcrunch.com

Go to Top