Wednesday 25 July 2012

This power strip is actually a powerful hacking tool

Are you a professional spy/hacker/nerd? If so, we have a gadget for you! Disguised as an everyday power strip, the Power Pwn by Pwnie Express (take a moment here to enjoy the pwn puns) is actually a Linux-based computer stuffed with hacking software as well as Wi-Fi and Bluetooth antennas and dual Ethernet ports.



What’s that? Can it use cell networks? You bet! There’s an external 3G/GSM adapter for penetration over digital cell networks.

I took a moment and tried to come up with any legitimate use for this device, but came up with nothing. This is a hacking tool, pure and simple. Unless the owner is Ethan Hunt trying to break into the Kremlin’s databases, Power Pwn’s user is probably up to no good. That said, the idea is to quietly swap out an existing power strip for the Power Pwn strip. Since the Power Pwn is indeed a working power strip, your target shouldn’t even notice there’s a powerful hacking tool sitting under his desk.
Once in place, an attacker/penetration tester can communicate with the device via text message, sending command-line input via SMS, and establish an SSH secure shell session. It can then detect and launch attacks on any detected wired or wireless network or Bluetooth device. [Ars Technica]

Power Pwn is available for pre-order here.

Friday 20 July 2012

Is your next password in the palm of your hand?


Here at SumRando, we’ve harped again and again on the importance of using strong passwords.  But in light of the massive password leaks we’ve seen this year, we’re starting to wonder if even the best passwords are no longer cutting it. After all, if a cybercriminal can simply download a list of login data from a vulnerable web service, it really doesn’t matter how long or complicated your login is. So what do we do if passwords are no longer secure?

Enter biometrics.

Last year, IBM made a series of predictions regarding the development of technology over the next five years. In addition to mind-reading devices (awesome!), the tech giant predicted the password going the way of the floppy disk and the advent of biometrics on a large scale.

If you haven’t watched any spy movies recently, biometric security involves systems that confirm who you are based on things like your fingerprints, iris, heartbeat, or any other physiological input.

Already, some banks are utilizing voice recognition biometrics for phone-based banking or as a double-check for ATMs and several U.S. based police departments employ smartphone based retinal scans that compare an individuals biometric data with a database for identification purposes.

So what might be in store for the average Joe’s smartphone or laptop?

Napa Sae-Bae, a graduate student at the Polytechnic Institute of New York University, is creating an iPad app to verify users' hand shape and finger length. Sae-Bae's biometric analyzing algorithm has already yielded a 90 percent accuracy rate, suggesting her innovation may have widespread application when it debuts in a year.
 This project improves on Sae-Bae's existing tablet app, which unlocks iPads in response to hand gestures like palm rotation. 
"Unlike gestures, fingerprints are physiological physical traits that you can't change," she explained about her current research. "There's the feeling that these are supposed to be secure and private." [mobiledia]

And while biometrics are certainly more secure than traditional passwords, there are definitely drawbacks.

The Samsung Galaxy Note Android phone uses face recognition in its lock screen. Unfortunately, a picture of the phone’s owner will also unlock the device.



Of course, advances in accuracy can make spoofing devices like this more difficult, but what happens if your detailed biometric data is cracked? If your password is hacked or leaked, it takes only a minute to regain a secure login by changing it to something new. If your biometric information is hacked or leaked, you can’t very well change your fingerprints or irises.

While it’s safe to say passwords are on the way out and safer security measures like biometrics are on the way in, as long as security measures are taken, hackers and cybercriminals will find ways to compromise them.

Thursday 19 July 2012

Security Experts bring down 3rd Largest Botnet

There you are, in Naboo’s capital city, hopelessly outnumbered and surrounded by battle droids. All hope seems lost. But then, abruptly, the droids stop moving. Resistance forces have destroyed the control ship guiding the droid army’s movements – rendering the battle droids disabled. The planet is finally at peace.


Yeah, that pretty much happened yesterday.

Security experts at FireEye brought down the massive Grum botnet yesterday. Responsible for about 18 billion spam messages per day, world spam levels are expected to drop by about 18% in the wake of the shutdown.

Grum operated primarily out of servers in Panama and the Netherlands. But when those main servers were shut down on Tuesday, the “bot herders” immediately set up new servers in Russia and the Ukraine. FireEye immediately began working with Russian and Ukrainian ISPs and successfully brought down the new servers as well.

Experts at FireEye say that restarting the botnet won’t be as simple as building new servers.

"It's not about creating a new server. They'd have to start an entirely new campaign and infect hundreds of thousands of new machines to get something like Grum started again," Atif Mushtaq, a computer security specialist at FireEye, told the Times. "They'd have to build from scratch. Because of how the malware was written for Grum, when the master server is dead, the infected machines can no longer send spam or communicate with a new server." [NY Times]

Friday 13 July 2012

The Top 7 Ways to Stay Safe Online

There’s no silver bullet for online privacy and security. In fact, no matter what you do, if someone wants your information badly enough, there’s likely a way for them to get at it. That said, there are several measures every web surfer should be using to employ a solid level of security.

Anti-Virus Software

This one’s been mentioned a number of times on this blog and should pretty much go without saying. Unfortunately – and I’m looking your way Mac users – there are still a lot of people out there who just don’t use this basic security measure.

Anti-virus software typically works with a two-pronged approach. First and foremost, the software monitors all programs opened on the operating system and compares them against a dictionary of known malware. Anything that matches up is snuffed out. The dictionary approach requires regular updates, so, for the love of God, don’t ignore that update prompt!

The second approach monitors programs for suspicious behavior. This part is key for picking up new malware that might not be part of a dictionary yet. So, if one program starts writing code on another program, your anti-virus software will let you know. The trouble with this bit, however, is that is tends to pick up a lot of false positives and users are often numb to the warnings by the time an actual piece of malware is detected.

And remember, even if you have a Mac or Linux system, malware is out there, so get that anti-virus program installed!

Manage Tracking Cookies

It’s like being on a reality show where viewers see everything you do, except the viewers are trying to sell you things and the cameras are little devices called tracking cookies.

Online advertising is a big business and top dollar is paid to sites that provide advertisers with your most intimate details. Tracking cookies are little files installed by advertisers through your favorite websites that tell companies what sites you go to and what links you click on. And while tracking cookies aren’t the only way advertisers learn about your habits, it’s a big step in the right direction to stop them from reporting your activity.

Currently, nothing’s available that flawlessly blocks tracking, however, most browsers offer plug-ins that do a pretty good job. Notably, Taco (Targeted Advertising Cookie Opt-Out) for Mozilla Firefox maintains a list of opt-out cookies and regularly updates to keep advertisers at bay.

VPN

Virtual Private Networks or VPNs are simply awesome and among the best ways to keep your information safe online. If you work in an office environment, you probably use a company VPN to connect to your work email and files. But the incredible level of security offered through a VPN should not be limited only to your work materials. Logging onto a VPN client should be as second nature as opening your laptop.

Imagine a VPN as a tunnel through which all your online activity runs. When you web surf – especially if you’re surfing over an unsecured wireless network – your information is floating out there, ripe for the taking by unscrupulous hackers. But if you have VPN software installed and you log onto the Internet through it, all your data is encoded and appears as only garbled gibberish to cybercriminals. Better yet, since VPN’s route your information through their own servers, companies that want to track your IP address’s activity will never know who you actually are – all they get is the VPN’s address.

SumRando is pretty much the best VPN ever and you can sign up for its beta here.

Check Certificates

This issue popped up recently, but deserves another mention. Whenever you are prompted to run a plug-in, program, or anything by a website, your operating system will tell you whether or not it trusts the program’s certificate.

Think of a certificate as a signature. These signatures are issued by established third party organizations that verify the content on the web site is legitimate and trusted. If a window pops up to tell you the certificate is not trusted, stop. Make sure you know what you're downloading or running.

Passwords

This should be pretty obvious, but a frightening number of people don’t take password security seriously. Remember the big Yahoo! password leak last week? The list below represents the 10 most popular passwords.

·       123456
·       password
·       welcome
·       ninja
·       abc123
·       123456789
·       12345678
·       sunshine
·       princess
·       qwerty

Admittedly, ninjas are pretty neat, but maybe not so great when it comes to online security.

A good password should avoid words or numbers that are obviously relevant to you. Baxter416 might seem like a good password since it mixes letters and numbers and has a change of case, but if your dog is named Baxter and you were born on April 16th, it won’t take long to figure out.

Use a separate browser for online banking

Attacks through browser vulnerabilities are very common and typically work to gain access to users’ sensitive data. And, without a doubt, banking information is the holy grail of sensitive information we’d rather not see in the hands of cybercriminals.

One of the best ways to avoid any sort of security compromise is to keep your banking sessions on a separate browser. That way, even if a hacker reveals your passwords and other login information, your hard earned money will remain safe.

Don’t be stupid

Your brain should be your first line of defense. I’m sorry, that Nigerian prince didn’t actually leave you $8 million in his will and nobody is sending you anonymous love letters.

When you are given a link to a website, look at it. Does the domain match where you should be going? The fact is, if something sounds too good to be true, it probably is. None of the mentioned security measures will do much if you're going to voluntarily put yourself in harm’s way.

Wednesday 11 July 2012

Malware runs on OS X, Linux and Windows

Researchers at F-Secure discovered a backdoor-exploit program that can run on OS X, Windows, and Linux.

Always check certificates!
According to the F-Secure blog, the malware was found on a compromised Colombian transport company’s website. Visitors to the site would be prompted with a Java applet using a self-signed certificate. Fortunately, a warning appears on all platforms notifying users that the certificate is not from an official agency. Unfortunately, since most people have no idea what a certificate is, it matters very little.

After the user runs the applet, the program sniffs out the operating system and then downloads the appropriate content. For Mac users, the malware is written for PowerPC based Macs and won’t run on anything using an Intel processor, so unless you’re rocking a retro-mac or Rosetta, you’re probably safe.

This malware figures out which OS you're running,
then executes the proper code.
Overall, this malware is a pretty low threat, but does serve as a great reminder to always check certificates and never assume that just because you’re running Linux or OS X that you’re safe.

Update (7/13): Reports are out describing a new variant of this virus that can run on OS X Snow Leopard and Lion, even if Rosetta is not used -- so watch out!

Friday 6 July 2012

Stop the Russian Blacklist Bill

It’s kind of like the world’s worst game of Whack-a-Mole. Every time a destructive piece of Internet censorship legislation is smacked down, another one pops up somewhere else. And with ACTA suffering epic defeat in the European Parliament last Thursday, of course, it’s Russia’s turn to introduce the next terrible idea.

Image courtesy of CNN
This time, that idea comes as an amendment to a law signed in January called "On protection of children from information harmful to their health and development” and it provides the government the power to censor pretty much anything it wants online.


According to the Russian News agency Ria Novosti, the new bill will create a blacklist of sites that contain pornography, drug references, promote suicide, or – wait for it – contain other “extremist ideas”. Conveniently, “extreme” is not defined in the bill’s language and could potentially pertain to anything from legitimate national threats to everyone that disagrees with newly inaugurated President Vladimir Putin.

Under the new amendment, Roskomnadzor, the communications regulator,
would run the blacklist, but Russia’s intelligence services would also be able to add content considered extremist (nope, no chance at corruption there). Federal courts, which already have the power to blacklist content, will also be allowed to add sites to the list. Once in place, violators hosting blacklist-worthy material will be given 24 hours for removal. After 24 hours, the website will be taken down and added to the blacklist.

And as if the censorship wasn’t bad enough, the amendment also compels Russian ISPs to install new censorship equipment that is expected to cost anywhere from $5 million to $10 billion dollars.

But this law is not entirely new. The Justice Ministry already maintains a blacklist and has the power to shut down websites they say violate laws. Currently, there are about 1,200 websites on the list, but the new amendment would quickly grow that figure because blacklisted sites wouldn’t even need to break a law to get shut down.

And even without the proposed expansion of blacklisting power, we’ve already seen the ease with which lists like these can be abused. Compromat.ru, a website focused on publishing corruption reports was forced to shutdown their .ru domain last week and migrate to .net after Moscow city prosecutors ordered their shutdown. Additionally, news site Moscow-post.ru was forced to move to .com. Both sites were accused of publishing “unchecked information” and blacklisted by order of the Putin administration.

The Russian Presidential Council for Human Rights, a watchdog group set up by the Kremlin, has already come out in condemnation of the amendments, and warned that the bill's language – specifically its vagueness with regard to what can be considered blacklist-worthy – leaves it open for abuse. The Council said the proposed measures would put financial burdens on Internet providers and would negatively affect the Internet’s speed, stability and security.

Although the bill has yet to be formally discussed in the Duma, it already has support from all four major political factions and is expected to be on the fast-track to passage.

Ironically, speaking on the original bill to which this amendment would be made, then-President Medvedev spoke on the possibility of abuse and the creation of an Internet blacklist and described online censorship as “impossible and simply senseless.”

Tuesday 3 July 2012

European Court rules in favor of digital resale

Better mow your digital lawn – we’re having an online yard sale! Ok, not really. But we could if we wanted to.

The European Court of Justice ruled today that it is, in fact, legal to resell used software regardless of whether the software was originally distributed on a physical disk or downloaded over the internet. The ruling ended a legal battle involving software giant Oracle who claimed a resale of their software was the same as pirating content.
Software vendors have long argued that software is "licensed, not sold." This claim is in tension with the doctrine of copyright exhaustion (called the first sale doctrine in the United States), which holds that copyright law does not give rightsholders control over used copies of their work. And the principle has gotten even more murky as software is increasingly distributed directly over digital networks, meaning that there's no physical copy of the work to resell. 
Oracle distributes its software online. Once a customer has signed a licensing agreement, it has an unlimited right to download copies of its database software from Oracle's website, and to install as many copies of the software as specified in its licensing agreement. A company called UsedSoft acted as a broker for used Oracle licenses, allowing Oracle customers who no longer needs (sic) their licenses to resell them to another firm that could put them to better use. [Ars Technica]
The decision handed down by the Court made the case that an online sale is essentially the same process as a physical sale and therefore licenses should be transferable.

The Court did, however, place some restrictions on software resale, stating that it is not legal to split up multiseat licenses and emphasizing that a legitimate resale requires that the seller's copy of the software be rendered inoperable at the time of the sale.