Mobile Trust Telecommunications

07/09/2015

End-to-end encryption is key for securing the Internet of Things

The Internet of Things (IoT) is one of the hottest buzzwords these days. It seems like almost everything is being connected, including cars, streetlights, oil rigs, wearables and more. By the end of this decade, Gartner estimates there will be 26 billion IoT devices in service, while IDC predicts 28.1 billion.

There’s no safety in those numbers. Just the opposite: Every IoT device is an endpoint, like a PC or smartphone, which means every one is a potential back door for hackers. Worse, many IoT devices are connected to mission-critical equipment, such as switches at electric utility substations, or telemedicine monitors in patients’ homes. Those roles make IoT devices tempting targets for terrorists, rogue nations and others who want to wreak a lot of havoc with a single attack.

Those attacks are in addition to those that leverage the IoT to steal credit information, corporate secrets and other data. The Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis says the average cost of each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 this year. IoT will drive that cost even higher simply because it increases the number of attack opportunities. In fact, IDC predicts that by the end of 2016, 90 percent of all IT networks will have experienced an IoT-based security breach.

There are other consequences when businesses, organizations and entire industries don’t take IoT security seriously – and fast. One example is a IoT-enabled attack on railway infrastructure so big and embarrassing that results in onerous, expensive new regulations that the industry could have avoided by being proactive. Another is an automotive brand sullied by the public’s perception that its smart vehicles are easily hacked.

Securing the IoT begins with understanding why it requires a fundamentally different set of strategies and tools than those currently used in IT, telecom and other domains. IoT networks are typically not behind a firewall, but rather mobile or spread over too large of an area. SSL/TLS is not sufficient for small devices with the need to protect the data in use, in motion and at rest. SSL was simply not designed for the challenges facing IoT Therefore, firewalls and SSL won’t be able to keep up with IoT’s scale and device fragmentation, which spans everything from wearable health devices to smart vehicles to industrial controls. And although IDC estimates that there are already more than 9 billion IoT devices in service today, it’s still a relatively new space, where many standards and best practices that would aid security are still in development.

For some perspective, consider how enterprises currently struggle to keep up with evolving attacks on a relatively small set of familiar devices, such as servers, PCs and smartphones. IoT makes that look like a walk in the park.

Next-gen encryption for a new paradigm

Within the next five years, 90 percent of all IoT data will reside in third-party clouds, IDC predicts. That statistic is just one example of why enterprises, government agencies and other organizations should take adopt an “encrypt-everything” strategy to protect against IoT-enabled breaches.

This strategy maximizes protection regardless of whether the data resides in a public or private cloud, on an IoT endpoint and when it’s in transit. Encrypting everything also complements the traditional focus on network security because even when that initial line of defense fails, the data remain protected. That wasn’t the case in several recent, high-profile attacks such as Anthem, where hackers accessed unencrypted personal information for 80 million policy holders.

For every organization, network breaches are a matter of when, not if, and IoT means more of them simply because it’s increasing the number of endpoints exponentially. So why don’t more organizations encrypt everything? One reason is because standards such as AES and IPSec are so processor-intensive, making them a poor fit for laptops, smartphones and IoT devices such as wearables. It’s not just battery life that suffers. The IoT market is notoriously price-sensitive, so those devices have limited processor capabilities in order to keep the bill-of-materials cost low enough to enable the widest possible adoption.

That’s why organizations should build their encrypt-everything strategy around next-generation technologies, which are much less resource-intensive but with no trade-offs in protection. For example, instead of encryption methods based on blocks or files, look for solutions that encrypt and compress data in real time in a single pass at the byte level. This design also ensures that the user experience isn’t compromised, such as slow performance.

Network data efficiency is also essential for any large scale IoT solution – if the IoT devices send too much wireless data then the costs become too high. For example, many IoT devices will use cellular or wireless connections, so compression becomes an important feature to reduce the cost that the user pays for that connectivity or bandwidth. The sheer amount of IoT devices also will create traffic loads large enough to overwhelm even the most robust wired network. An efficient low-latency data compression technology can be an effective means to minimize the workload for wired and wireless networks alike.

The ideal next-gen solution also adds synchronized data to the standard encryption key, making it impossible to decrypt the information remotely even if the key is compromised. Secure device authentication with near real-time speed to reduce latency is another key to IoT security and efficiency. Device authentication and packet encapsulation can also mitigate DDoS attacks to reduce service interruptions.

Best of all, an encrypt-everything strategy can be applied to non-IoT devices and applications. That broad applicability increases the return on those encryption investments by expanding that protection throughout an organization.

In the Internet of Everything, data will reside everywhere, which means a lot of that data can’t be protected by traditional, network-centric devices such as firewalls. Only end-to-end encryption can provide the security necessary to minimize IoT-enabled breaches. However, the encryption technology must be designed for modern use cases and devices, such as by making the most efficient possible use of processors and batteries. Organizations that choose the right encryption solution and then apply it everywhere will be best equipped to address IoT-enabled threats.

http://www.net-security.org/article.php?id=2379&utm_source=dlvr.it&utm_medium=twitter

The Internet of Things (IoT) is one of the hottest buzzwords these days. It seems like almost everything is being connected, including cars, streetlights, oil rigs, wearables and more. By the end of this decade, Gartner estimates there will be 26 billion IoT devices in service, while IDC predicts 28…

01/09/2015

Here's How Iranian Hackers Can Hack Your Gmail Accounts

Hackers are getting smarter in fooling us all, and now they are using sophisticated hacking schemes to get into your Gmail.
Yes, Iranian hackers have now discovered a new way to fool Gmail's tight security system by bypassing its two-step verification – a security process that requires a security code (generally sent via SMS) along with the password in order to log into Gmail account.
Researchers at Citizen Lab released a report on Thursday which shows how the hackers are using text messages and phone-based phishing attacks to circumvent Gmail's security and take over the Gmail accounts of their targets, specifically political dissidents.
The report detailed and elaborated three types of phishing attacks aimed at Iranian activists. Researchers also found one such attack targeting Jillian York, the Director for International Freedom of Expression at the Electronic Frontier Foundation.
Here's How the Attack Works
Via Text Messages:
In some cases, the hackers use text messages and send it to their targets. The message appears to come from Google, which warns users of an unauthorized attempt to access their Gmail accounts.
The text message then follows a carefully crafted email notification, also disguised to be from Google, that redirects victims to a "Password Reset Page," designed to collect the victim's password.
The hackers then, in real time, use the password to login to the victim's account and trigger the sending of a security code to the target.
Gmail uses this security code as a two-factor authentication that adds an extra layer of security on top of a Gmail user's password.
After this, the hackers wait for the targeted victim to enter the code and then collect it through the bogus website, and then use it to take control of the victim's Gmail account.
Via Phone Call:
In other cases, the hackers contact a target over the phone regarding some fake business proposals that usually promises thousands of dollars.
The fake proposal is then send to the victim's Gmail account containing a fake Google Drive link that would prompt a victim to login with the Google credentials as well as the two-factor identification code, just like in the case of the text messages.
The users fell for the phishing attacks, as some hackers pretend to be Reuters journalists who wanted to arrange an interview.
Attempts to fool two-factor authentication security are nothing new. We have seen hackers releasing millions of Gmail usernames and passwords on underground online forums.

http://thehackernews.com/2015/08/how-to-hack-gmail-accounts.html?m=1

Iranian hackers have found new way to bypass Google's two-step verification system and hack your Gmail account.

01/09/2015

Jailbreak attack reportedly stole more than 225,000 Apple logins

Researchers for Weiptech and Palo Alto networks revealed today that more than 225,000 valid Apple accounts were stolen from jailbroken users without their knowledge.

The credentials were stolen via malware that was distributed using the popular jailbreak tool Cydia, which makes it easy to install tweaks and researchers report that accounts from 18 countries were stolen.

More than half the email addresses discovered used Tenecent’s email services, though qq.com, 163.com and icloud.com were the next most popular.

The malware, called KeyRaider, uploaded stolen logins to a server which contained vulnerabilities itself.

The researchers reverse-engineered the hack and attacked the control server where the data was stored, getting in via a SQL injection vulnerability and downloading around half of the entries before being cut off.

KeyRaider was only found to be distributed via apps found in Weiphone’s Cydia repositories and sent back credentials, purchasing receipts, device IDs and other data without user knowledge.

If you’re into the nitty-gritty, you can read more details here, but the news highlights yet another reason to not jailbreak iPhones in 2015.

Earlier this year we learnt that Hacking Team was exploiting jailbroken users to gather information about them without their knowledge on behalf of rogue governments.

What’s the best way to protect against such attacks? Avoiding jailbreak, as tempting as it may be. These days it’s far less necessary than it used to be and isn’t worth the risk.

http://thenextweb.com/insider/2015/08/31/jailbreak-attack-reportedly-stole-more-than-225000-apple-logins/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheNextWeb+%28The+Next+Web+All+Stories%29

Researchers for Weiptech and Palo Alto networks revealed today that more than 225,000 valid Apple accounts were stolen from jailbroken users without their

01/09/2015

Russia, China said to use hacked databases to find US spies

Foreign intelligence agencies are reportedly cross-checking compromised information

Foreign spy agencies, including those from Russia and China, are cross-checking hacked databases to identify U.S. intelligence operatives, according to a news report.

One secret network of U.S. engineers and scientists providing technical assistance to the country's overseas undercover agencies has been compromised, according to a story Monday in the Los Angeles Times.

Foreign intelligence agencies are cross-referencing several compromised databases, whose information includes security clearance applications and airline records, to identify U.S. intelligence agents, the report said.

The U.S. Office of Personnel Management announced a breach of its security clearance database in June. That breach compromised information on the government’s Standard Form 86, a 127-page questionnaire that asks about an applicant’s past military experience, criminal background, computer hacking activities, financial problems and links to terrorism groups.

U.S. lawmakers have worried that the OPM breach would endanger intelligence agents and open up applicants to blackmail.

With the OPM breach and other recent compromises, "our biggest fear has been that these data breaches were not isolated incidents, but part of a larger campaign with the intent to expose intelligence agents and others with security clearances around the world," Ken Westin, security analyst for cybersecurity Tripwire, said by email.

There is growing evidence that exposing intelligence agents was the motivation behind several breaches, he added.

The report raises several concerns for government agencies and private businesses, Westin said. "Our risk and threat models don't take into account the exponential damage that can come when datasets from multiple breaches are correlated," he said. "Big data isn't just used in business, but also cybercrime and espionage, and this is more apparent now than ever."

A "massive amount of data" that people willingly share helps make this type of espionage possible, said Tim Erlin, director of IT security and risk strategy at Tripwire. "The actual government records provide a key set of data, but when correlated with other information, enemy nation-states can assemble a dangerously complete picture," he said.

http://www.csoonline.com/article/2978298/data-protection/russia-china-said-to-use-hacked-databases-to-find-us-spies.html .rss_all

Foreign spy agencies, including those from Russia and China, are cross-checking hacked databases to identify U.S. intelligence operatives, according to a news report.

19/08/2015

MTT AG company has produced a first animated movie on the information security

The wisdom of folk tales impresses me. It’s so exciting the tales become more relevant with every passing year. You get a feeling that people get a glimpse of the future and want to prevent the disasters yet to come.
Just think of “The Wolf and Seven Little Goats” tale. The Wolf
falsified his voice and ate the goat kids up. Nowadays, this is a way to
kidnap people. I plan to produce a set of such movies on information
security. A lot of people still do not realize the hazards and dangers
hackers pose. Currently hackers not only steal the information but are
able to purposefully falsify it. For instance, in Moscow criminals
gained millions of USD by falsifying speech of relatives talking over
mobile phones to squeeze money. Kidnapping cases using mobile phones and falsifying human speech have recently greatly increased as the technology easily enables to achieve this. Modern speech synthesizer may falsify any voice. This crime has become especially popular in Latin America: Brazil, Argentina, Mexico, Columbia. We have created the animated movie to inform the people on the danger the hackers pose and offer them a security against fraudsters.
http://www.youtube.com/watch?v=ECbcdwlE7IE

10/08/2015

WANT TO STEAL A MOBILE APP'S SECRETS? THERE'S AN APP FOR THAT

The Internet security ante has officially been raised. Again.

Whereas some degree of hacking expertise and sophistication were once necessary to intercept and decrypt the transmissions between a mobile device and the services it interacts with, now there's an app -- available for free from the Google Play Store -- that makes it possible for average techies to spy on (and reverse-engineer) supposedly secure communications. In tests of the app with a variety of popular mobile applications, ProgrammableWeb was not only able to expose a majority of the secrets (including user IDs and passwords) that apps exchange with their back-end services, it was able to reverse-engineer the structure of the APIs associated with those services in such a way that we could have tampered with the services as well. The potential for disruption is not to be underestimated.

For example, even though many apps communicate with their back-end services over HTTPS (in a way that's thought to securely encrypt all transmissions), ProgrammableWeb had no trouble using the free app -- called SSL Packet Capture -- to not only intercept and decrypt those transmissions, but to discover sensitive and supposedly confidential information like API keys and OAuth tokens. In fact, so long as the application was active on our test device, pretty much all traffic between the device (from the Web browser as well any mobile apps) and the Internet was being monitored and decrypted. The app also handily inspected transmissions that were compressed or zipped (another technique used to ever so-lightly raise the barrier to hackers).

Over the last two years, the Internet's reliability as a secure channel for communicating sensitive information has been marred by a series of hacks and attacks that all too often, have exploited vulnerabilities in the API layer between front-end applications (e.g.: mobile apps) and their backend services. These attacks have proven two important lessons for the time being. First, users of anything that relies on the Internet as a communications channel should assume that the information they are sending or receiving can fall prey to some form of exploitation. Second, even the largest brands (ie: Google, Facebook, etc) who employ the best digital security talent that money can buy are fallible, proving how difficult API security is and will continue to be for much lesser-capitalized organizations.

Read more: http://www.programmableweb.com/news/want-to-steal-mobile-apps-secrets-theres-app/analysis/2015/08/03

ProgrammableWeb tests reveal how a free app from Google's App Store makes it possible to reverse engineer secure traffic between mobile apps and the services they call home to.

10/08/2015

Watch what you wear: Smartwatches vulnerable to attack

Wearable tech is all the rage and the smartwatch market is expected to dominate. But new research suggests that if you want to keep your data private, you may want to skip the latest tech craze.

Smartwatches could be a new and open frontier for cybercriminals. Wearable tech is all the rage and the smartwatch market is expected to dominate.

But new research suggests that if you want to keep your data private, you may want to skip the latest tech craze.

It turns out, smartwatches are not too smart about protecting your personal information, ultimately giving cyber criminals a chance to intercept that information and use it to their advantage.

A group of elite, "white hat" computer hackers and cyber forensic researchers at the University of New Haven recently extracted a swath of personal information from the LG G Watch and Samsung Gear 2 Neo.

The information includes messages, e-mails, contacts and health and fitness data, according to Dr. Frank Breitinger, assistant professor and associate director of the UNH Cyber Forensics Research & Education Group/Lab, or UNHcFREG, which was established in 2013.

"The main idea of us, what we tried to do, was to see what data is stored on the device - is it encrypted yes or no," Breitinger said.

The group's research uncovered that much of that information is unencrypted.

They plan to present their "Watch what you wear: preliminary forensic analysis of smartwatches" at a digital forensics conference in Toulouse, France later this month.

"We're really out there to break the security as much as we were out there to find out what evidence we could retrieve from them," assistant professor and director of UNHcFREG Dr. Ibrahim (Abe) Baggili said. "From a privacy perspective, it could be quite invasive."

WEB EXTRA: Researchers detail their findings.

Roberto Mejia, graduate research assistant and UNHcFREG researcher, told Local 10 News investigative reporter Christina Vazquez in a Skype interview, "We want to raise consumer awareness...People need to realize that these companies are making a lot of money based on information that we don't even realize that we are giving up."

WEB EXTRA: Giving it away for free: Free tool reveals if mobile apps send unencrypted data.

In a recent HP study, researchers found that all of the 10 smartwatches they tested are vulnerable to attack. These security and privacy vulnerabilities include insufficient authentication, insecure interfaces, insecure software and lack of encryption.

"Smartwatches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities," Jason Schmitt, general manager, HP Security, Fortify, said in a news release. "As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks."

WEB EXTRA: HP study reveals smartwatches vulnerable to attack

"It's about convenience, so I'm not sure if I would be willing to give that up over the fact that my information may be compromised because I just feel like nothing is really protected," Hughes said.

Just weeks ago, two tech industry associations wrote a letter to President Obama urging the White House to support encryption, addressing concerns about the balance between privacy and national security.

The Information Technology Industry Council and the Software & Information Industry Association wrote: "We appreciate that, where appropriate, law enforcement has the legitimate need for certain information to combat crime and threats. However, mandating the weakening of encryption or encryption 'work-arounds' is not the way to address this need."

READ: Full letter sent to President Obama

"So in the area that is very much still being developed, and again it speaks to the overall concept, is that we are uploading everything about us on to servers that we don't even know where they are," data privacy attorney Aldo Leiva said. "The overall concept is that we are uploading everything about us."

Local 10 News contacted Apple, LG and Samsung for a statement and is awaiting a response.

https://trove.com/a/Watch-what-you-wear-Smartwatches-vulnerable-to-attack.Hr5R9?utm_campaign=hosted&utm_medium=twitter&ts=1438856980&utm_source=sns&nocrawl=1

06/08/2015

Global Internet Authority — ICANN Hacked Again!

ICANN (Internet Corporation for Assigned Names and Numbers) – the organisation responsible for allocating domain names and IP addresses for the Internet – has been hacked, potentially compromising its customers’ names, email addresses, hashed passwords, and more.
The US-administered non-profit corporation admitted on Wednesday that its server security was breached within the past week and that…
…an "unauthorised person" gained access to usernames, email addresses, and encrypted passwords for profile accounts on ICANN.org public website.
The organisation believes that the leaked information includes harmless information such as user preferences, public biographies, interests, newsletters, and subscriptions.
Less than ten months ago, ICANN was hacked by a hacker who gained access to its internal system following a spear phishing attack in November last year. Employees were tricked into handing over their credentials after receiving malicious emails apparently sent from the ICANN's own domain.
With those details, the hackers then managed to access ICANN systems, including the Centralized Zone Data System (CZDS), the domain registration Whois portal, the wiki pages of the ICANN Governmental Advisory Committee (GAC), and ICANN blog.
The passwords compromised in the latest data breach were encrypted one-way using the bcrypt algorithm.
"These encrypted passwords (hashes) are not easy to reverse," ICANN said, "but as a precaution we [require] that all users reset their passwords."
However, there's no evidence that any profile accounts, or its internal systems have been accessed without authorization, nor any operational data, financial data, or IANA (Internet Assigned Numbers Authority) systems were involved.
The IANA is also a part of ICANN, which performs the actual management of the DNS root zone, globally-unique names and numbers.
Users are recommended to change their online account passwords, or just not using the same password across multiple websites.

http://thehackernews.com/2015/08/icann-hacked.html

Global Internet Authority ICANN Hacked Again. Hacker stole usernames, email addresses, and encrypted passwords.

05/08/2015

Editorial: Encryption loophole for government will welcome all hackers

Crushing the potential of the Internet is a bad idea that dies hard, and it’s back again.

Earlier this month, taking a page from the Clipper Chip debate 20 years ago, FBI and justice department officials appeared on Capitol Hill to ask for a backdoor that would allow them to circumvent encryption to eavesdrop on data and communications.

Congress should reject this access to data, as it did in 1993 during the Clinton administration. The request may sound reasonable in these unsettled times, but a backdoor is bad for business, bad for communications — and bad for security.

Powerful encryption is what makes secure e-commerce, social networking and online communication possible. The government should support the security of those systems, not undermine them with backdoors and loopholes.

If a loophole is created, the government won’t be the only one exploiting it. A recent report from experts in encryption concluded that it’s impossible to create access for law enforcement without letting criminals in through the same back door. Hackers would have access to everything we send online, and it might take years for us to even realize the software was breached.

This is not hypothetical. Google’s Gmail service was infiltrated in 2010 by Chinese hackers who exploited a backdoor required by the Chinese government so it could gather intelligence and personal information in the United States.

In Senate hearings, the FBI has played to recurring fears that communications are “going dark,” becoming inaccessible to law enforcement because of encryption. But experts say that problem doesn’t really exist. The New York D.A.’s office, which handles 100,000 cases a year, has had only 74 cases where full-disk encryption of iPhones locked out a law enforcement investigation. Law professor Peter Swire argues the data shows that this is a “golden age of surveillance,” with unprecedented law enforcement access to communications data.

Requiring technology companies to compromise the integrity of their own encryption systems destroys their competitiveness and leaves consumers and companies far less secure.

A backdoor requirement here would be a windfall for competitors abroad. Criminals certainly would use foreign software to avoid eavesdropping, and, as the Electronic Frontier Foundation argues, “so will anyone concerned about privacy and security.”

There’s also a question of legality. The 9th U.S. Circuit Court of Appeals ruled in the 1996 Bernstein vs. United States decision that software code is protected as speech. Any attempt to provide a government backdoor for encryption software that could compromise users’ privacy will almost certainly face a court challenge.

The government’s job is to keep systems secure, not undermine the good work that’s being done in the private sector to protect data. Listen to the experts, and let U.S. technology be as secure as it can be.

http://www.delcotimes.com/general-news/20150803/editorial-encryption-loophole-for-government-will-welcome-all-hackers?utm_campaign=Contact+SNS+For+More+Referrer&utm_medium=twitter&utm_source=snsanalytics

Crushing the potential of the Internet is a bad idea that dies hard, and it’s back again.

04/08/2015

Broken Windows Theory

Windows 10 is the operating system Microsoft needs. In other words, it’s not Windows 8, a Frankenstein’s monster of a tablet-plus-desktop OS that alienated everyone from PC manufacturers to corporate users. Instead, Windows 10 is an incremental improvement on Windows 7, one that is faster, slicker, and has some new bells and whistles, like virtual desktops and functional tablet support. One of Windows 10’s leaps, unfortunately, is straight into your personal data.

Apple and Google may have ignited the trend of collecting increasing amounts of their customers’ information, but with Windows 10, Microsoft has officially joined that race. By default, Windows 10 gives itself the right to pass loads of your data to Microsoft’s servers, use your bandwidth for Microsoft’s own purposes, and profile your Windows usage. Despite the accolades Microsoft has earned for finally doing its job, Windows 10 is currently a privacy morass in dire need of reform.

The problems start with Microsoft’s ominous privacy policy, which is now included in the Windows 10 end-user license agreement so that it applies to everything you do on a Windows PC, not just online. (Disclosure: I worked for Microsoft in the days of Windows XP.) It uses some scary broad strokes:

Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary.

Please, read the complete article here: http://www.slate.com/articles/technology/bitwise/2015/08/windows_10_privacy_problems_here_s_how_bad_they_are_and_how_to_plug_them.html

Windows 10 is the operating system Microsoft needs. In other words, it’s not Windows 8, a Frankenstein’s monster of a tablet-plus-desktop OS that alienated everyone from PC manufacturers to corporate users. Instead, Windows 10 is an incremental improvement on Windows 7, one that is faster, slicker,…