It’s A Vulnerable World: mid-August 2015

Early August brought renowned security conferences Black Hat and USENIX, and with them came a seemingly endless list of vulnerabilities. With Tor, Apple and even the Internet of Things on the roundup below, it’s hard not to wonder if anything remains secure:

Challenging the notion that Apple computers are inherently secure, researchers proved that even the Mac can succumb to the attack of a firmware worm. Researcher Xeno Kovah highlighted the severity of such an attack: “For most users that’s really a throw-your-machine-away kind of situation. Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.”

The United States Food and Drug Administration warned that the Hospira Symbiq Infusion System is vulnerable to takeover by hackers and advised against its use. The pump system is commonly used to send medication into the bloodstream of patients in hospitals and other healthcare facilities.

RSA reported that a China-based VPN, dubbed the“Terracotta” network, has obtained many of its hundreds of exit nodes by hacking into vulnerable Windows servers across the globe, which are then used to exploit government and commercial organizations. Hackers such as those responsible for the U.S.’s OPM attack are thought to be operating out of the Terracotta VPN. 

Researchers successfully unhid hidden Tor servers. [Source: EFF]

MIT and QCRI researchers proved that Tor, a network that protects anonymity by routing traffic through a series of tunnels, has its flaws: by analyzing traffic patterns and without breaking encryption, the researchers determined what sites users were visiting.

Within days of the release of Windows 10, Cisco reported an accompanying ransomware scam. A phishing email masking as a Windows 10 update releases CTB-Locker and asks for payment within 96 hours.

Security researcher Paul Rosenzweig argued that Apple’s iPhone is anything but end-to-end secure, citing cellular provider and metadata records, brute-force password unlocking, iCloud backup and potential for wiretapping as concerns. Before you abandon your iPhone for Android, keep in mind ACLU technologist Christopher Soghoian’s recent tweet: “If law enforcement can’t hack the hundreds of millions of Android phones running out-of-date, vulnerable software, they’re not trying.”

Vulnerable encryption keys were found in Zigbee, a wireless language that connects 1000+ Internet of Things devices, meaning door locks, lights and other smart home devices could all fall into the hands of hackers. A Symantec report released at Black Hat 2015 further suggested that Internet of Things vulnerabilities could be ransomware's next frontier.

The Internet of Things is increasingly a part of (insecure) everyday life. [Source: datasciencebe.com]

A committee investigation reported alarming structural flaws in the U.S. Food and Drug Administration, the National Institute of Health and the Department of Health and Human Services. In the authors’ words, “Americans should not have to worry that the U.S. government is left so vulnerable to attack…Unfortunately, the bar has been set low and we have nowhere to go but up.”

Israeli researchers proved it is possible to take data from an air-gapped computer with an out-of-date features (i.e. not smart) phone, technology that is frequently allowed in otherwise secure areas.

Government ministries in India are taking measures to defend themselves against Pakistani attempts to retrieve sensitive information. The ministries of Defense, External Affairs, Civil Aviation, Finance, Power and Telecoms are all on alert.

Security researchers Alexandrea Mellen and John Moore revealed the danger of using a Square Reader to complete a credit card transaction: “In the [point of sale] market, we’ve seen new hardware and software coming out from lots of providers usually implementing their own solutions. These are cheap, compact and compatible. They also face the challenge of being secure. Lower hardware budgets and their ability to interface with cell phones that are used for other purposes is leaving customer card information vulnerable and making it harder to secure devices.” Mellon and Moore cracked a Square Reader in less than 10 minutes.

Anonymous has threatened Malaysia with an Internet war. [Source: Anonymous]

Anonymous Malaysia has threatened an “all-out Internet war” against the government if Prime Minister Najib Razak does not resign by August 29. In response, government agencies are in the process of upgrading software and patching security vulnerabilities.

A study presented at the USENIX Security Symposium showed that journalist practices are frequently inadequate for protecting sensitive information. According to senior author Franzisksa Roesner, “It’s not just a matter of giving journalists information about the right tools to use—it’s that the tools are often not usable. They often fail because they’re not designed for journalists.”

If we’ve missed any vulnerabilities, let us know in the comments below. Surf secure and stay Rando!