Security

European risk report flags 5G security challenges

European Union Member States have published a joint risk assessment report into 5G technology which highlights increased security risks that will require a new approach to securing telecoms infrastructure.

The EU has so far resisted pressure from the U.S. to boycott Chinese tech giant Huawei as a 5G supplier on national security grounds, with individual Member States such as the UK also taking their time to chew over the issue.

But the report flags risks to 5G from what it couches as “non-EU state or state-backed actors” — which can be read as diplomatic code for Huawei. Though, as some industry watchers have been quick to point out, the label could be applied rather closer to home in the near future, should Brexit come to pass…

Some parts of the 5G report on risk of non-EU cyberattacks may accidentally gain a new unexpected meaning after #Brexit (https://t.co/o7gyV0hqCv) https://t.co/VgU30kRz4p

— Lukasz Olejnik (@lukOlejnik) October 9, 2019

Back in March, as European telecom industry concern swirled about how to respond to US pressure to block Huawei, the Commission stepped in to issue a series of recommendations — urging Member States to step up individual and collective attention to mitigate potential security risks as they roll out 5G networks.

Today’s risk assessment report follows on from that.

It identifies a number of “security challenges” that the report suggests are “likely to appear or become more prominent in 5G networks” vs current mobile networks — linked to the expanded use of software to run 5G networks; and software and apps that will be enabled by and run on the next-gen networks.

The role of suppliers in building and operating 5G networks is also noted as a security challenge, with the report warning of a “degree of dependency on individual suppliers”, and also of too many eggs being placed in the basket of a single 5G supplier.

Summing up the effects expected to follow 5G rollouts, per the report, it predicts:

  • An increased exposure to attacks and more potential entry points for attackers: With 5G networks increasingly based on software, risks related to major security flaws, such as those deriving from poor software development processes within suppliers are gaining in importance. They could also make it easier for threat actors to maliciously insert backdoors into products and make them harder to detect.
  • Due to new characteristics of the 5G network architecture and new functionalities, certain pieces of network equipment or functions are becoming more sensitive, such as base stations or key technical management functions of the networks.
  • An increased exposure to risks related to the reliance of mobile network operators on suppliers. This will also lead to a higher number of attacks paths that might be exploited by threat actors and increase the potential severity of the impact of such attacks. Among the various potential actors, non-EU States or State-backed are considered as the most serious ones and the most likely to target 5G networks.
  • In this context of increased exposure to attacks facilitated by suppliers, the risk profile of individual suppliers will become particularly important, including the likelihood of the supplier being subject to interference from a non-EU country.
  • Increased risks from major dependencies on suppliers: a major dependency on a single supplier increases the exposure to a potential supply interruption, resulting for instance from a commercial failure, and its consequences. It also aggravates the potential impact of weaknesses or vulnerabilities, and of their possible exploitation by threat actors, in particular where the dependency concerns a supplier presenting a high degree of risk.
  • Threats to availability and integrity of networks will become major security concerns: in addition to confidentiality and privacy threats, with 5G networks expected to become the backbone of many critical IT applications, the integrity and availability of those networks will become major national security concerns and a major security challenge from an EU perspective.

The high level report is a compilation of Member States’ national risk assessments, working with the Commission and the European Agency for Cybersecurity. It’s couched as just a first step in developing a European response to securing 5G networks.

“It highlights the elements that are of particular strategic relevance for the EU,” the report says in self-summary. “As such, it does not aim at presenting an exhaustive analysis of all relevant aspects or types of individual cybersecurity risks related to 5G networks.”

The next step will be the development, by December 31, of a toolbox of mitigating measures, agreed by the Network and Information Systems Cooperation Group, which will be aimed at addressing identified risks at national and Union level.

“By 1 October 2020, Member States – in cooperation with the Commission – should assess the effects of the Recommendation in order to determine whether there is a need for further action. This assessment should take into account the outcome of the coordinated European risk assessment and of the effectiveness of the measures,” the Commission adds.

For the toolbox a variety of measures are likely to be considered, per the report — consisting of existing security requirements for previous generations of mobile networks with “contingency approaches” that have been defined through standardisation by the mobile telephony standards body, 3GPP, especially for core and access levels of 5G networks.

But it also warns that “fundamental differences in how 5G operates also means that the current security measures as deployed on 4G networks might not be wholly effective or sufficiently comprehensive to mitigate the identified security risks”, adding that: “Furthermore, the nature and characteristics of some of these risks makes it necessary to determine if they may be addressed through technical measures alone.

“The assessment of these measures will be undertaken in the subsequent phase of the implementation of the Commission Recommendation. This will lead to the identification of a toolbox of appropriate, effective and proportionate possible risk management measures to mitigate cybersecurity risks identified by Member States within this process.”

The report concludes with a final line saying that “consideration should also be given to the development of the European industrial capacity in terms of software development, equipment manufacturing, laboratory testing, conformity evaluation, etc” — packing an awful lot into a single sentence.

The implication is that the business of 5G security will need to get commensurately large to scale to meet the multi-dimensional security challenge that goes hand in glove with the next-gen tech. Just banning a single supplier isn’t going to cut it.

Powered by WPeMatico

Police hijack a botnet and remotely kill 850,000 malware infections

In a rare feat, French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers.

The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer’s processor. Although the malware was used to generate money, the malware operators easily could have run other malicious code, like spyware or ransomware. The malware also has wormable properties, allowing it to spread from computer to computer.

Since its first appearance, the cryptocurrency mining malware has spread across the world, including the U.S., Russia, and Central and South America.

According to a blog post announcing the bust, security firm Avast confirmed the operation was successful.

The security firm got involved after it discovered a design flaw in the malware’s command and control server. That flaw, if properly exploited, would have “allowed us to remove the malware from its victims’ computers” without pushing any code to victims’ computers, the researchers said.

The exploit would have dismantled the operation, but the researchers lacked the legal authority to push ahead. Because most of the malware’s infrastructure was located in France, Avast contacted French police. After receiving the go-ahead from prosecutors in July, the police went ahead with the operation to take control of the server and disinfect affected computers.

The French police called the botnet “one of the largest networks” of hijacked computers in the world.

The operation worked by secretly obtaining a snapshot of the malware’s command and control server with cooperation from its web host. The researchers said they had to work carefully as to not be noticed by the malware operators, fearing the malware operators could retaliate.

“The malware authors were mostly distributing cryptocurrency miners, making for a very good passive income,” the security company said. “But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”

With a copy of the malicious command and control server in hand, the researchers built their own replica, which disinfected victim computers instead of causing infections.

“[The police] replaced the malicious [command and control] server with a prepared disinfection server that made connected instances of Retadup self-destruct,” said Avast in a blog post. “In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server. The disinfection server responded to them and disinfected them, abusing the protocol design flaw.”

In doing so, the company was able to stop the malware from operating and remove the malicious code from over 850,000 infected computers.

Jean-Dominique Nollet, head of the French police’s cyber unit, said the malware operators generated several million euros worth of cryptocurrency.

Remotely shutting down a malware botnet is a rare achievement, and a difficult one to carry out.

Several years ago the U.S. government amended Rule 41, which now allows judges to issue search and seizure warrants outside of their jurisdiction. Many saw the move as an effort by the FBI to conduct remote hacking operations without being hindered by the locality of a judge’s jurisdiction. Critics argued it would set a dangerous precedent to hack into a countless number of computers on a single warrant from a friendly judge.

Since then the amended rule has been used to dismantle at least one major malware operation, the so-called Joanap botnet, linked to hackers working for the North Korean regime.

Apple still has work to do on privacy

There’s no doubt that Apple’s self-polished reputation for privacy and security has taken a bit of a battering recently.

On the security front, Google researchers just disclosed a major flaw in the iPhone, finding a number of malicious websites that could hack into a victim’s device by exploiting a set of previously undisclosed software bugs. When visited, the sites infected iPhones with an implant designed to harvest personal data — such as location, contacts and messages.

As flaws go, it looks like a very bad one. And when security fails so spectacularly, all those shiny privacy promises naturally go straight out the window.

The implant was used to steal location data and files like databases of WhatsApp, Telegram, iMessage. So all the user messages, or emails. Copies of contacts, photos, https://t.co/AmWRpbcIHw pic.twitter.com/vUNQDo9noJ

— Lukasz Olejnik (@lukOlejnik) August 30, 2019

And while that particular cold-sweat-inducing iPhone security snafu has now been patched, it does raise questions about what else might be lurking out there. More broadly, it also tests the generally held assumption that iPhones are superior to Android devices when it comes to security.

Are we really so sure that thesis holds?

But imagine for a second you could unlink security considerations and purely focus on privacy. Wouldn’t Apple have a robust claim there?

On the surface, the notion of Apple having a stronger claim to privacy versus Google — an adtech giant that makes its money by pervasively profiling internet users, whereas Apple sells premium hardware and services (including essentially now ‘privacy as a service’) — seems a safe (or, well, safer) assumption. Or at least, until iOS security fails spectacularly and leaks users’ privacy anyway. Then of course affected iOS users can just kiss their privacy goodbye. That’s why this is a thought experiment.

But even directly on privacy, Apple is running into problems, too.

To wit: Siri, its nearly decade-old voice assistant technology, now sits under a penetrating spotlight — having been revealed to contain a not-so-private ‘mechanical turk’ layer of actual humans paid to listen to the stuff people tell it. (Or indeed the personal stuff Siri accidentally records.)

Google to pay security researchers who find Android apps and Chrome extensions misusing user data

Google said it will pay security researchers who find “verifiably and unambiguous evidence” of data abuse using its platforms.

It’s part of the company’s efforts to catch those who misuse user data collected through Android apps or Chrome extensions — and to avoid its own version of a scandal like Cambridge Analytica, which saw millions of Facebook profiles scraped and used to identify undecided voters during the U.S. presidential election in 2016.

Google said anyone who identifies “situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent” is eligible for its expanded data abuse bug bounty.

“If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store,” read a blog post. “In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed.” The company said abuse of its developer APIs would also fall under the scope of the bug bounty.

Google said it isn’t providing a reward table yet but a single report of data misuse could net $50,000 in bounties.

News of the expanded bounty comes in the wake of the DataSpii scandal, which saw browser extensions scrape and share data from millions of users. These Chrome extensions uploaded web addresses and web page titles of every site a user visited, exposing sensitive data like tax returns, patient data and travel itineraries.

Google was forced to step in and suspend the offending Chrome extensions.

Instagram recently expanded its own bug bounty to include misused user data following a spate of data incidents.

Eero updates subscription plans

Router maker Eero is expanding its focus on subscriptions with a new two-tier system. Eero already had a $10 per month subscription called Eero Plus. It is now called Eero Secure+. The company is adding a cheaper plan with fewer features for $3 per month.

It seems a bit counterintuitive that Eero is selling software subscriptions. The company is mostly known for its tiny mesh routers that you can put in every room of your house.

Eero originally introduced a subscription back in 2017. It was designed as a sort of Amazon Prime of internet services focused on security. It included family plans to password manager 1Password, VPN service Encrypt.me and antivirus MalwareBytes.

Eero Secure+ is more or less a new name for Eero Plus. It costs $9.99 per month or $99 per year and includes the same services, as well as a few software additions, such as parental controls, filtering of dangerous websites at the network level as well as ad blocking.

Essentially, Eero intercepts DNS queries and blocks the ones to suspicious content — it could be a phishing site, an adult site or an ad network. The company replaces your default DNS with ZScaler’s DNS for that feature.

If you don’t want 1Password, Encrypt.me or MalwareBytes, you can now subscribe to Eero Secure to get those DNS-powered features. It costs $2.99 per month or $29.99 per year.

As a reminder, Amazon acquired Eero in February 2019. Eero promised that its privacy policy wouldn’t change after the acquisition.

Still, paying a subscription for DNS filtering is a bit odd. Some public DNS services, such as Quad9, block access to malicious websites.

And if you’re looking for a fun weekend project, you can buy a cheap Raspberry Pi and play with Pi-Hole, an open-source project that basically does everything Eero Secure+ does. You also can build your own VPN service, as you should never trust VPN services. They don’t make you more secure and they can basically see all your network traffic.

Hackers to stress-test Facebook Portal at hacking contest

Hackers will soon be able to stress-test the Facebook Portal at the annual Pwn2Own hacking contest, following the introduction of the social media giant’s debut hardware device last year.

Pwn2Own is one of the largest hacking contests in the world, where security researchers descend to find and demonstrate their exploits for vulnerabilities in a range of consumer electronics and technologies, including appliances and automobiles.

It’s not unusual for companies to allow hackers to put their products through their paces. Tesla earlier this year entered its new Model 3 sedan into the contest. A pair of researchers later scooped up $375,000 — and the car they hacked — for finding a severe memory randomization bug in the web browser of the car’s infotainment system.

Hackers able to remotely inject and run code on the Facebook Portal can receive up to $60,000, while a non-invasive physical attack or a privilege escalation bug can net $40,000.

Introducing the Facebook Portal is part of a push by Trend Micro’s Zero Day Initiative, which runs the contest, to expand the range of home automation devices available to researchers in attendance. Pwn2Own said researchers will also get a chance to try to hack an Amazon Echo Show 5, a Google Nest Hub Max, an Amazon Cloud Cam and a Nest Cam IQ Indoor.

Facebook said it also would allow hackers to find flaws in the Oculus Quest virtual reality kit.

Pwn2Own Tokyo, set to be held on November 6-7, is expected to dish out more than $750,000 in cash and prizes.

Apple patches previously fixed security bug that allowed iPhone jailbreak

Apple has fixed a security flaw for a second time after it accidentally reintroduced an old bug in a recent software update.

Released Monday, iOS 12.4.1 contains a security fix that was first patched months earlier in iOS 12.3. Apple rolled out a fix in May, but accidentally undid the security patch in its latest update, iOS 12.4, in July.

In a brief security advisory published after the software’s release, Apple said it fixed a kernel vulnerability that could have allowed an attacker to execute code on an iPhone or iPad with the highest level of privileges.

Apple’s latest security advisory for iOS 12.4.1

Those privileges, also known as system or root privileges, can open up a device to running apps that are not normally allowed by Apple’s strict rules. Once a device is jailbroken, as this is known, apps can access parts of a device that are normally off-limits. On one hand that allows users to extensively customize their devices, but it can also expose the device to malicious software, like malware or spyware apps.

Spyware apps often rely on undisclosed jailbreak exploits to get access to a user’s messages, track their location and listen to their calls without their knowledge. Nation states are known to hire mobile spyware makers to remotely install malware on the devices of activists, dissidents and journalists. Washington Post journalist Jamal Khashoggi, who was murdered by agents of the Saudi regime, is believed to have been targeted by mobile spyware, according to reports. The company accused of supplying the spyware, Israel-based NSO Group, has denied any involvement.

Apple confirmed it pushed out a fix in its security notes, which included a short acknowledgement to Pwn20wnd, the team that confirmed last week that its jailbreak was working again.

The same kernel vulnerability was fixed in a supplemental update for macOS 10.14.6.

IBM’s quantum-resistant magnetic tape storage is not actually snake oil

Usually when someone in tech says the word “quantum,” I put my hands on my ears and sing until they go away. But while IBM’s “quantum computing safe tape drive” nearly drove me to song, when I thought about it, it actually made a lot of sense.

First of all, it’s a bit of a misleading lede. The tape is not resistant to quantum computing at all. The problem isn’t that qubits are going to escape their cryogenic prisons and go interfere with tape drives in the basement of some data center or HQ. The problem is what these quantum computers may be able to accomplish when they’re finally put to use.

Without going too deep down the quantum rabbit hole, it’s generally acknowledged that quantum computers and classical computers (like the one you’re using) are good at different things — to the point where in some cases, a problem that might take incalculable time on a traditional supercomputer could be done in a flash on quantum. Don’t ask me how — I said we’re not going down the hole!

One of the things quantum is potentially very good at is certain types of cryptography: It’s theorized that quantum computers could absolutely smash through many currently used encryption techniques. In the worst-case scenario, that means that if someone got hold of a large cache of encrypted data that today would be useless without the key, a future adversary may be able to force the lock. Considering how many breaches there have been where the only reason your entire life wasn’t stolen was because it was encrypted, this is a serious threat.

IBM and others are thinking ahead. Quantum computing isn’t a threat right now, right? It isn’t being seriously used by anyone, let alone hackers. But what if you buy a tape drive for long-term data storage today, and then a decade from now a hack hits and everything is exposed because it was using “industry standard” encryption?

To prevent that from happening, IBM is migrating its tape storage over to encryption algorithms that are resistant to state of the art quantum decryption techniques — specifically lattice cryptography (another rabbit hole — go ahead). Because these devices are meant to be used for decades if possible, during which time the entire computing landscape can change. It will be hard to predict exactly what quantum methods will emerge in the future, but at the very least you can try not to be among the low-hanging fruit favored by hackers.

The tape itself is just regular tape. In fact, the whole system is pretty much the same as you’d have bought a week ago. All the changes are in the firmware, meaning earlier drives can be retrofitted with this quantum-resistant tech.

Quantum computing may not be relevant to many applications today, but next year who knows? And in 10 years, it might be commonplace. So it behooves companies like IBM that plan to be part of the enterprise world for decades to come to plan for it today.

T-Mobile customers report outage, can’t make calls or send text messages

T-Mobile customers across the U.S. say they can’t make calls or send text messages following an apparent outage — although mobile data appears to be unaffected.

We tested with a T-Mobile phone in the office. Both calls to and from the T-Mobile phone failed. When we tried to send a text message, it said the message could not be sent. The outage began around 3pm PT (6pm ET).

Users took to social media to complain about the outage. It’s not clear how many customers are affected, but users across the U.S. have said they are affected.

A T-Mobile support account said the cell giant has “engaged our engineers and are working on a resolution.”

In a tweet two hours into the outage, chief executive John Legere acknowledged the outage, adding that the company has “already started to see signs of recovery.”

T-Mobile is the third largest cell carrier after Verizon (which owns TechCrunch) and AT&T. The company had its proposed $26.5 billion merger with Sprint approved by the Federal Communications Commission, despite a stream of state attorneys general lining up to block the deal.

Updated with acknowledgement by chief executive John Legere.

Yubico launches its dual USB-C and Lightning two-factor security key

Almost two months after it was first announced, Yubico has launched the YubiKey 5Ci, a security key with dual support for iPhones, Macs and other USB-C compatible devices.

Yubico’s newest YubiKey is the latest iteration of its security key built to support a newer range of devices, including Apple’s iPhone, iPad and MacBooks, in a single device. Announced in June, the company said the security keys would cater to cross-platform users — particularly Apple device owners.

These security keys are small enough to sit on a keyring. When you want to log in to an online account, you plug in the key to your device and it authenticates you. Your Gmail, Twitter and Facebook account all support these plug-in devices as a second-factor of authentication after your username and password — a far stronger mechanism than the simple code sent to your phone.

Security keys offer almost unbeatable security and can protect against a variety of threats, including nation-state attackers.

Jerrod Chong, Yubico’s chief solutions officer, said the new key would fill a “critical gap in the mobile authentication ecosystem,” particularly given how users are increasingly spending their time across a multitude of mobile devices.

The new key works with a range of apps, including password managers like 1Password and LastPass, and web browsers like Brave, which support security key authentication.
