Silent Killer - BAD USB
We could begin with one of the most alarming disclosures, where researchers from Security Research Labs claim that they have developed a proof-of-concept attack which looks at targetting the thumb drive's firmware, instead of the files on the drive. The infected drive, on plugging into any computer, acts like a keyboard to download malware.
The hard-to-find, hard-to-stop malware and any thumb drive that can be connected to PCs can be thoeretically used as most of the thumb drive makers do not usually protect their firmware and since antimalware solutions do not scrutinize firmware for any wicked activities. Luckily, this kind of an attack is not found.
Heaven's Falling
Ruben Santamarta, a researcher at IO interactive, claims he's detected imperfections that would enable him to hack into the satellite communications of airplanes through their Wi-Fi and in-flight entertainment systems. This could further open doors for attackers to interfere with the plane's navigation and safety systems, resulting in more physical repercussions.
However, the initiators of the communications equipment understated the threat, stating the odds of an attack as well as the potential damage as "neglible." They further mentioned that they're working at plugging the holes, as told to Rueters.
Say cheese..!!!
Is your Dropcam live feed spyed by an unknown?
Dropcam being hacked !! thats exactly what Synack's Patrick Wardle and Colby Moore found out when they tore apart one of the $200 security cameras. In order to check how it works, they investigated on one of the cameras and found numerous flaws that would open doors for attackers and allow them to to view the videos stored by a hacked Dropcam. It could also allow them to upload third-party videos that would appear as originated from the camera. "It would basically allow the attacker to hijack or take over the video stream," as told by Wardle to PCWorld.
But to get a hand at this scary-sounding hack: The hacker would need to get his hand on to your Dropcam physically. And if the attacker has got himself enough unchained, undisturbed access to your home for time long enough it would take to enact this hack, then the victim is in all likelihood going to face larger issues than just a spied-on video feed.
Take a note of..
When the Tor network was in the limelight in the past year, due to Edward Snowden, NSA leaker for his Silk Road drug trading post and endorsements, it offered anonymity while one browses the web. It stated that by shifting your traffic from the various cycles of relay node before the finishing line, each node getting to know the identity of the nodes it directly connects with. However Carnegie Mellon researcher Alexander Volynkin mentioned that it's not very expensive to break the Tor network's anonymity.
Although he did not confirm how that would be done. Volynkin abruptly called off his Black Hat demonstration on the CMU's urge. And, eventhough Tor's operators have revealed a group of malicious relay nodes undertaking the activity of decryptying user anonymity, those nodes are surmised to be bound to the now-cancelled demonstration.
Symantec Endpoint Un-Protection
Symantec's Endpoint Protection was detected with a trio of vulnerabilitie that could offer attackers high-level access to victims' computers - Mati Aharoni, lead trainer and developer for Offensive Security, found. This could mean that attackers could rupture your defenses through your own security software. Fortunately Symantec has done its homework and already plugged the holes.
Expelled routers
Why blame the software when your own home networking equipment is the source of your security downfall. At the Black Hat keynote, Dan Geer - In-Q-Tel chief information security officer, brought to everyone's notice that your router is one of the most elementary and exciting targets for attackers, Ars Technica. These are easily available in online scans. More often than not they retain their default login information, and almost all infact majority of the people do not update their routers to the newest and latest firmware.
But yes, readers are very well informed that home networking is the most vulnerable. Its THE STORY of 2014. A router hacking contest sponsored by Electronic Frontier Foundation - dubbed as "SOHOplessly Broken" will be played during the Def Con.
No NAS
A researcher claimed that Network-attached storage devices (NAS) are much more flawed than routers. In 2013, a major study into router vulnerabilities was led by Jacob Holcomb, a security analyst at Independent Security Evaluators. He focused on NAS boxes in his Black Hat talk this year.
Holcomb said, "There wasn't one device that I literally couldn't take over. At least 50 percent of them can be exploited without authentication." He further said "By compromising a NAS device an attacker could also hijack traffic from other devices on the same network, using techniques like ARP spoofing.
Halcomb also said that although he had reported all the vulnerabilities to NAS box makers, the ones that he showcased at the show have not yet been touched on and it could take months for the fixes to reach the customers.
The wrong kind of network management
Network management gone wrong and how..!! Does Carrier IQ ring any bells.??? Well, at first is was termed to be a rootkit for carriers to spy on all your traffic, however it was found to be more mundane. It was termed to be a tool to help carriers manage network capacity. Your phone is vulnerable to attack, with the device management tools that carriers load onto handsets, said Accuvant's Mathew Solnik and Marc Blanchou at Black Hat. They also said that exploits can be used to run remote code and avoid the operating system's indigenous defenses.
70 to 90 percent of all phones sold worldwide,including other devices like laptops, wireless hotspots, and Internet of Thing gizmos that include the device management systems are at risk from the vulnerable OMA-DM protocol, as per research.
Who needs Slim Jims?
Although the vulnerability of the Internet of Things is the freshly brewed topic among hackers this weekend, but one should not bypass the fact that security of objects used daily with built-in wireless connections goes beyond Dropcam spies and Tweeting coffee pots. A tool made from cheap and easily available parts are assembled together and that is very much capable of capturing the keyless entry systems of automobiles- says Qualsys researcher Silvio Cesare
He's tried the technique on his 10-year-old car, but mentioned that it requires the attackers to stay in range for up to two hourws in order to be effective."I can use this to lock, unlock, open the trunk, it effectively defeats the security of the keyless entry." Cesare told Wired. Therefore don't look for carjackers to trade in their crowbars for computers!!!!
Hacking hotels
Jesus Molina, security consultant gave a detailed and a practical presentation at Black Hat on The IoT vulnerabilities. It was indeed an eye opener. He figured out how to reverse-engineer the "Digital Butler" iPad app provided to guests, therefore abusing a flaw in the KNX/IP home automation protocol powering the app at the five-star St. Regis Shenzhen hotel in China where he was staying.
Molina restricted his idle jobs to causing various Do Not Disturb lights in hallways. He brought to attention that the flaw can be used to control the lights, TVs, temperature, in-room music, and even to control the automated blinds in over 200 rooms—without the attacker in the same country as the hotel.
Although The St. Regis dismissed the claim as "unsubstantiated," but nevertheless "temporarily suspended the control system of the in-room iPad remote controls for system upgrading" as told to the South China Morning Post.
What more?: Massive Russian hacker database
Las Vegas desert did not bring out the scariest security news of the week, but rather, it came from Asia, where a massive database of 1.2 billion stolen username/password combinations and 500 million email addresses were accumulated by the Russian hackers - said Alex Holden of Hold security.
Although the report is debatable as there are some unanswered doubts, the announcement of a $120 per month security service made by Hold Security's which reveals that it lets you know if your name gets up in the database has left some doubts on its accuracy, knowing Holden's strong reputation in the security industry. Therefore, Brian Krebs - noted security researcher and journalist has claimed to have seen Holden's data and research firsthand and can vouch for it stating "can definitely say it's for real." Time to pull up your socks and revise on those critical security habits.
Keep on pawning in the real world
Eventhough all these stories leave you a bad after taste and one would want to be cushioned from these nighmares, it is important to know that most of these stories revealed at the Black Hat and Def Con are mostly academic and not actively used by attackers. They can give you the shivers but are less worse in reality.
But the eight scariest digital security stories of 2014 are true!!
No comments:
Post a Comment