Monday 27 July 2015

Pakistan Bans BES

Pakistan is set to ban the BlackBerry Enterprise Service (BES) over government concerns that state spooks can't tap conversations made over the corporate communications platform.

The Ministry of Interior told regulator the Pakistan Telecommunication Authority (PTA) on Friday to co-ordinate the block – instructing mobile phone companies to ensure there are no BES services available in the country from 30 November.

"The decision to block the BES was taken on the directives of the interior ministry due to security reasons," PTA spokesperson Khurram Mehran told The Express Tribune.

"There was a challenge that the BlackBerry email service could not be tracked or decoded, which leads to the security reasons."

Mehran claimed that there are fewer than 5000 BES users in Pakistan, so the decision would not cause widespread business disruption.

The more consumer-oriented BlackBerry Internet Service (BIS), however, will not be touched by the authorities, presumably because carriers can already be instructed to allow law enforcers to monitor communications made via the platform.

BES has been suspended in Pakistan before for vague "security reasons" but never banned permanently, although the PTA tried back in 2011.

The move comes as governments around the world become increasingly intolerant to strong encryption in communications products and services.

Intelligence services in the US and UK in particular are lobbying hard to force providers to build backdoors into their products so law enforcers can gain access if it is deemed necessary by a court.

Rights groups are unsurprisingly strongly opposed to such moves, and security experts have pointed out that were such backdoors built into platforms, they would eventually find their way onto the cybercrime underground, exposing businesses to the black hats.

There's also little evidence to suggest that being able to request such access would give law enforcers a vital pre-warning in the case of attacks such as those perpetrated on Charlie Hebdo.

Read original article

Fiat Chrysler recalls

In the wake of the demonstration of a vulnerability in the "connected car" software used in a large number of Chrysler and Dodge vehicles in the United States, Fiat Chrysler NV announced today that it was recalling approximately 1.4 million vehicles for emergency security patches.

The company has already issued a patch on its website for drivers, and on Thursday it performed an over-the-air update of some vehicles to block unauthorized remote access, Bloomberg Business reports. The vulnerability, revealed in a report by Wired earlier this week, allowed security researchers Charlie Miller and Chris Valasek to take remote control of a Jeep Cherokee's onboard computer and entertainment system, remotely controlling the throttle of the vehicle while a Wired reporter was driving it at 70mph on a St. Louis-area interstate highway. Miller and Valasek also demonstrated that they could take control of the vehicle's brakes and (in some cases) even its steering, as well as the vehicle's windshield wipers, navigation, and entertainment systems.

The vehicles covered by the recall include the 2015 model year Dodge Ram pickup, Dodge's Challenger and Viper, and the Jeep Cherokee and Grand Cherokee SUVs. While Fiat Chrysler officials said that there was no known real-world use of the vulnerability (outside Miller's and Valasek's proof of concept), they were taking the recall step out of "an abundance of caution."

There isn't a read-only CAN bus. There could be, if a hardware CAN firewall were made...

Basically the CAN bus is how all car systems talk to each other. It's just one bus for the car and it's kind of neat in its implementation: each message contains its own priority and that's used for bus conflicts. MessageIDs are either 11 or 29-bit numbers and lower numbers are higher priority. AIRBAG_WLAMP is 0x12 so it's quite high priority, to light up an airbag malfunction. 0s on the bus take priority and transmitting devices also listen at the same time, and if what they see on the bus isn't what they are transmitting they stop for the higher priority message to go through.

What makes this function is that per the standards, only one device is allowed to send any given message ID. Your brake system can't send an AIRBAG_WLAMP, and your entertainment system sure as hell can't tell the brakes that the radar detects an imminent collision please press the brakes hard as hell. This is normally fine because yeah, the uConnect doesn't know how to send those messages so no problem, right?

The remotely accessible nature of the system, combined with a vulnerability in the system, allows the attacker to overwrite the firmware of the entertainment system, teaching it how to send all these nifty CAN bus messages, thus allowing this.

I doubt that the recall will involve this, but having a hardware firewall between the CAN bus and the remotely accessible portions would be a real solution - the hardware would have to have two transceivers, allow all CAN traffic through to the entertainment system, but only allow some specific messages back through (with potential sanity checks on the content of said messages). That way you get the nifty remote-start features without the ability to remotely disable the brakes because the system thinks it's trying to park for you.
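As an added illustration (not part of the original article or of the comment above), the following Python simulates the two ideas in that comment: bit-wise CAN arbitration, where a dominant 0 overrides a recessive 1 so the lowest identifier wins, and a two-transceiver gateway between the remotely reachable head unit and the vehicle bus that passes everything outward but lets only an allowlist of identifiers, each with a payload sanity check, back in. Only AIRBAG_WLAMP = 0x12 comes from the comment; the allowlisted identifiers, names and limits are constructed placeholders, not any manufacturer's real message set.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    can_id: int            # 11-bit (standard) or 29-bit (extended) identifier
    data: bytes
    extended: bool = False


def arbitrate(contenders: List[Frame]) -> Frame:
    """Simulate CAN arbitration among nodes that start transmitting at the same instant.

    Identifier bits go out MSB first. The bus is a wired-AND, so if any node drives a
    dominant 0 the bus reads 0; a node that sent a recessive 1 but reads back 0 has lost
    and stops transmitting. The survivor is therefore the frame with the lowest ID.
    """
    if len({f.extended for f in contenders}) != 1:
        raise ValueError("mixing 11-bit and 29-bit frames needs the IDE-bit rule; not modelled here")
    width = 29 if contenders[0].extended else 11
    survivors = list(contenders)
    for bit in range(width - 1, -1, -1):
        bus_level = min((f.can_id >> bit) & 1 for f in survivors)  # 0 if anyone drives dominant
        survivors = [f for f in survivors if (f.can_id >> bit) & 1 == bus_level]
        if len(survivors) == 1:
            break
    return survivors[0]


AIRBAG_WLAMP = 0x12  # from the comment: a low ID, hence high priority

# Constructed allowlist for frames the head unit may send toward the vehicle bus.
# Each entry: identifier -> (human name, payload sanity check). Placeholder values only.
Rule = Tuple[str, Callable[[bytes], bool]]
HEADUNIT_TO_VEHICLE: Dict[int, Rule] = {
    0x3A0: ("remote_start_request", lambda d: len(d) == 1 and d[0] in (0x00, 0x01)),
    0x3B2: ("cabin_temp_setpoint_c", lambda d: len(d) == 1 and 16 <= d[0] <= 30),
}


class CanGateway:
    """Two-transceiver firewall: the head unit may read everything on the vehicle side,
    but only allowlisted, sanity-checked frames cross from the head unit to the vehicle bus."""

    def __init__(self, rules: Dict[int, Rule]):
        self.rules = rules
        self.dropped: List[Tuple[Frame, str]] = []  # audit trail of blocked frames

    def vehicle_to_headunit(self, frame: Frame) -> Frame:
        return frame  # all traffic passes in this direction

    def headunit_to_vehicle(self, frame: Frame) -> Optional[Frame]:
        rule = self.rules.get(frame.can_id)
        if rule is None:
            self.dropped.append((frame, "identifier not allowlisted"))
            return None
        name, check = rule
        if not check(frame.data):
            self.dropped.append((frame, f"{name}: payload failed sanity check"))
            return None
        return frame


if __name__ == "__main__":
    gw = CanGateway(HEADUNIT_TO_VEHICLE)
    winner = arbitrate([Frame(0x3A0, b"\x01"), Frame(AIRBAG_WLAMP, b"\x01")])
    print(hex(winner.can_id))                                    # 0x12: airbag lamp beats remote start
    print(gw.headunit_to_vehicle(Frame(AIRBAG_WLAMP, b"\x01")))  # None: head unit may not send it
    print(gw.headunit_to_vehicle(Frame(0x3A0, b"\x01")))         # passes: allowlisted and well-formed
    print(gw.dropped)
```

The gateway blocks on identifier first and on content second, so a reprogrammed head unit that has learned how to form a brake or airbag frame still cannot get it onto the vehicle bus, while the remote-start feature keeps working.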

Read original article

Better Faster Tor

Tor, the world's largest and most well-known "onion router" network, offers a degree of anonymity that has made it a popular tool of journalists, dissidents, and everyday Internet users who are trying to avoid government or corporate censorship (as well as Internet drug lords and child pornographers). But one thing that it doesn't offer is speed—its complex encrypted "circuits" bring Web browsing and other tasks to a crawl. That means that users seeking to move larger amounts of data have had to rely on virtual private networks—which while they are anonymous, are much less protected than Tor (since VPN providers—and anyone who has access to their logs—can see who users are).

A group of researchers—Chen Chen, Daniele Enrico Asoni, David Barrera, and Adrian Perrig of the Swiss Federal Institute of Technology (ETH) in Zürich and George Danezis of University College London—may have found a new balance between privacy and performance. In a paper published this week, the group described an anonymizing network called HORNET (High-speed Onion Routing at the NETwork layer), an onion-routing network that could become the next generation of Tor. According to the researchers, HORNET moves anonymized Internet traffic at speeds of up to 93 gigabits per second. And because it sheds parts of Tor`s network routing management, it can be scaled to support large numbers of users with minimal overhead, they claim.

Like Tor, HORNET encrypts encapsulated network requests in "onions"—with each layer being decrypted by each node passing the traffic along to retrieve instructions on where to next send the data. But HORNET uses two different onion protocols for protecting anonymity of requests to the open internet and a modified version of Tor's "rendezvous point" negotiation for communication with a site concealed within the HORNET network.

When sending a request to a site that isn't protected by HORNET, a more Tor-like "Sphinx" onion protocol is first used to set up the channel. "Each Sphinx packet allows a source node to establish a set of symmetric keys, one for each node on the path through which packets are routed," the researchers explained. Those keys, created via a Diffie-Hellman exchange, are used to encrypt the "Forwarding Segment"—the chain of session state information for the stream of data packets that follow. "The Forwarding Segment allows its creating node to dynamically retrieve the embedded information (i.e., next hop, shared key, session expiration time), while hiding this information from unauthorized third parties," Chen et al wrote.

For the actual data packets, the sending system collects all of the forwarding segments from each node on the channel to the destination and combines them into what the researchers call an anonymous header (AHDR). "An AHDR grants each node on the path access to the forwarding segment it created, without divulging any information about the path except for a node's previous and next nodes," they explained. The data itself is "onioned", encrypted with the keys for each of the nodes in the channel, until it reaches its destination. The upside of this approach, Chen et al said, is that it drastically reduces the cryptography work required for each packet, as well as the amount of session flow information the network has to manage.
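To make the setup and data phases described above concrete, here is an added Python sketch; it is not the researchers' code and not the Sphinx or HORNET protocol as specified. It assumes three stand-ins: per-hop keys are drawn at random in place of the Diffie-Hellman exchange, a SHA-256 counter-mode XOR stands in for the real per-hop cipher, and the AHDR shrinks by one segment at each hop rather than keeping the fixed, padded size the real design uses to hide path length. What it does show is the division of labour the article describes: each node seals its own forwarding segment under a secret only it knows, the sender packs those segments into the AHDR, and at data time each node recovers just its next hop and shared key, then peels one onion layer.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

HOP_LEN = 8                         # fixed-width next-hop field
KEY_LEN = 16                        # per-hop shared key (stand-in for the Diffie-Hellman result)
TAG_LEN = 16
FS_LEN = HOP_LEN + KEY_LEN + TAG_LEN  # every forwarding segment has the same size


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, XORed over the data. Stands in for the
    real per-hop cipher; same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def make_forwarding_segment(node_secret: bytes, next_hop: str, session_key: bytes) -> bytes:
    """A node seals (next hop, shared key) under a long-term secret only it knows."""
    hop = next_hop.encode()
    if len(hop) > HOP_LEN:
        raise ValueError("next-hop name too long for the fixed-width field")
    body = keystream_xor(node_secret, hop.ljust(HOP_LEN, b"\0") + session_key)
    tag = hmac.new(node_secret, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def open_forwarding_segment(node_secret: bytes, fs: bytes) -> Tuple[str, bytes]:
    """Only the creating node can open its segment; anyone else fails the MAC check."""
    body, tag = fs[:HOP_LEN + KEY_LEN], fs[HOP_LEN + KEY_LEN:]
    expected = hmac.new(node_secret, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("forwarding segment tampered with or not created by this node")
    plain = keystream_xor(node_secret, body)
    return plain[:HOP_LEN].rstrip(b"\0").decode(), plain[HOP_LEN:]


def setup_session(path: List[str], node_secrets: Dict[str, bytes]) -> Tuple[bytes, List[bytes]]:
    """Setup phase: the source ends up with one symmetric key per hop and each node's
    forwarding segment; the segments concatenated are the anonymous header (AHDR)."""
    ahdr, session_keys = b"", []
    for i, node in enumerate(path):
        next_hop = path[i + 1] if i + 1 < len(path) else "DEST"
        k = os.urandom(KEY_LEN)      # stand-in for the key agreed in the Sphinx exchange
        session_keys.append(k)
        ahdr += make_forwarding_segment(node_secrets[node], next_hop, k)
    return ahdr, session_keys


def build_onion(payload: bytes, session_keys: List[bytes]) -> bytes:
    """Wrap the payload once per hop, innermost layer for the last hop."""
    data = payload
    for k in reversed(session_keys):
        data = keystream_xor(k, data)
    return data


def node_process(node: str, node_secrets: Dict[str, bytes], ahdr: bytes, onion: bytes):
    """Data phase at one node: open the leading segment, learn next hop and key, peel a layer."""
    next_hop, k = open_forwarding_segment(node_secrets[node], ahdr[:FS_LEN])
    return next_hop, ahdr[FS_LEN:], keystream_xor(k, onion)


def deliver(path: List[str], node_secrets: Dict[str, bytes], ahdr: bytes, onion: bytes):
    """Run the packet along the path; record what each node learned (only its next hop)."""
    observed = []
    for node in path:
        next_hop, ahdr, onion = node_process(node, node_secrets, ahdr, onion)
        observed.append((node, next_hop))
    return onion, observed


if __name__ == "__main__":
    node_secrets = {n: os.urandom(KEY_LEN) for n in ("R1", "R2", "R3")}
    path = ["R1", "R2", "R3"]
    ahdr, keys = setup_session(path, node_secrets)
    plain, seen = deliver(path, node_secrets, ahdr, build_onion(b"GET / HTTP/1.1", keys))
    print(plain, seen)   # b'GET / HTTP/1.1' [('R1', 'R2'), ('R2', 'R3'), ('R3', 'DEST')]
```

The per-packet cost at a node is one MAC check, one short decryption of its own segment and one layer of the payload; no per-session table is consulted, which is the state reduction the researchers claim. Because the toy cipher is a plain XOR keystream, the layers commute mathematically; a real implementation uses a non-malleable construction so that a node cannot strip or reorder layers it does not own.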

For communications between two nodes that are both anonymized by HORNET—a scenario like Tor's method of connecting users' requests to "hidden services"—the researchers propose an approach that lets any node on the network act as a rendezvous point for communication to keep both the source and destination of traffic hidden from each other. Hidden services select a rendezvous point and set up a session using the Sphinx protocol, then publish an AHDR to a directory that has the encrypted information about how to get from the rendezvous point to the service. When a client goes to connect to a service, it finds the rendezvous point in the directory, along with the AHDR for the trip to the service, and then builds its own connection to the rendezvous point—adding the AHDR provided to get to the service to its own and a header with information for the return trip back.

The upsides of this scheme—in addition to the fact that any node can act as a rendezvous point without having to maintain state information about the connection—are that a service can advertise multiple rendezvous points in a directory, and a client can pick one that is closest in terms of network time. The two ends can also re-negotiate the route traffic takes through a better rendezvous point to improve performance as channels are expired. On the downside, the size of the headers used to communicate between the two is doubled in size,

As implemented in its testing, HORNET's routing nodes can actually be embedded in network routers. The researchers built HORNET infrastructure code into Intel software routers using the Data Plane Development Kit (DPDK). HORNET client code, which included hidden services, was built in Python. "To our knowledge, no other anonymity protocols have been implemented in a router SDK," the researchers wrote.

HORNET, like Tor, is not immune to targeted attacks on anonymity. If an attacker, such as a government agency or law enforcement organization, could control more than one of the nodes along a path selected for a HORNET channel, they would be able to perform "confirmation attacks"—the sort of timing analysis, flow analysis, and packet tagging that other security researchers have demonstrated could be used against Tor. "HORNET cannot prevent such confirmation attacks targeting individual users," the researchers concluded. "However, HORNET raises the bar of deploying such attacks for secretive mass surveillance: the adversary must be capable of controlling a significant percentage of ISPs often residing in multiple geopolitical boundaries, not to mention keeping such massive activity confidential."

Read original article

Friday 24 July 2015

ID Theft Case

A lawsuit seeking class-action status filed against information services firm Experian alleges the company failed to detect that a customer of its data aggregator unit was a fraudster.

The customer allegedly provided false business information to mask his intent to use the information purchased to commit fraud.

The Experian subsidiary involved in the case, Court Ventures, an aggregator of electronically available U.S. public records data, accepted the business of this customer, Vietnamese national Hieu Minh Ngo, years before Experian acquired Court Ventures in March 2012. It wasn't until well after Experian had taken Court Ventures under its belt that the sale of PII to Ngo was called into question.

Ngo was sentenced July 14 to 13 years in prison for selling to other cybercriminals fraudulently obtained PII. The lawsuit against Experian was filed July 17.

Vetting Customers

Cybersecurity and privacy attorney Ron Raether, who is not involved in the case, says the lawsuit against Experian is far from cut-and-dry. "The big question here is related credentialing," says Raether, a partner at law firm Faruki Ireland & Cox. "What was Experian doing to ensure its business customers were legitimate?"

Experian should have conducted due diligence research into Court Ventures' credentialing/client verification process before it acquired the firm, Raether contends. "Firms want to make sure that the processes and procedures used by companies they acquire are on par with their own policies, processes and procedures," he says.

ChoicePoint Case Was Similar

Cybersecurity attorney Chris Pierson, who is not involved in the Experian case, says the Experian lawsuit raises issues similar to those raised by the Federal Trade Commission in its complaint against data aggregation firm ChoicePoint, which eventually agreed to a $15 million settlement.

The FTC in 2006 cited ChoicePoint for failing to protect consumers' personal information. The FTC claimed that ChoicePoint sold PII about some 163,000 consumers to an alleged crime ring that provided fraudulent business information when it signed on to be a ChoicePoint customer. ChoicePoint was acquired in February 2008 by legal research firm LexisNexis Risk Solutions.

ChoicePoint settled the case with the FTC, agreeing to pay $10 million in civil penalties and $5 million in consumer redress. The settlement requires ChoicePoint, now part of LexisNexis, to obtain audits by an independent third-party security professional every other year until 2026.

Pierson contends that if plaintiffs in the Experian case can prove the company was negligent in its customer verification processes and procedures, they could have a solid case.

"The situation of alleged improper access is similar to ... ChoicePoint," says Pierson, who serves as chief security officer at an invoicing and payments provider. "A person was able to gain approved access to the credit information of consumers based on false pretenses and use this data to help in the commission of other identity crimes."

Ensuring that know-your-customer reviews are completed before giving a customer access to sensitive consumer information is critical, he adds.

"When dealing with identity thieves, advanced controls are needed that are more sophisticated, because the ability of these persons to 'fake' a real company are really good," Pierson says.

Plaintiffs' Claims

In the lawsuit against Experian, plaintiffs claim that Ngo was a Court Ventures customer who feigned to be a private investigator, but was actually an identity thief who sold the PII he purchased to other criminals on the Superget.info and findget.me fraudster websites he owned and managed.

Last week, the Department of Justice announced that Ngo had been sentenced to 13 years in prison after pleading guilty to illegitimately buying, and in some cases stealing, U.S. consumers' PII from numerous U.S. companies and then selling it on his websites (see Breached PII: Why KBA Has to Go).

The Internal Revenue Service has confirmed that 13,673 U.S. citizens, whose stolen PII was sold on Ngo's websites, have been victimized through the filing of $65 million in fraudulent tax returns.

In the lawsuit, plaintiffs' attorneys name specific individuals who say their PII data sold to Ngo through Experian was used to file fraudulent federal tax returns and commit "other acts of identity theft and/or identity fraud."

Experian declined to comment about the pending class-action litigation, as did attorneys for the plaintiffs. But last year, Experian issued a statement about the Court Ventures incident, noting that "no Experian database was accessed."

Authentication is Key

Had Court Ventures and Experian done more to authenticate and verify the validity of their customers, Ngo never would have been granted access to so much sensitive information, contends Tom Kellermann, chief cybersecurity officer at threat intelligence firm Trend Micro.

Data-aggregation firms should be required to put limits on the kind of information customers are allowed to access, he argues.

"This case is all about information supply chain management," Kellermann says. "It's ironic to me that there are contracts written to manage these types of risks, but there is no mandate for more stringent security controls."

Compensating Consumers

The lawsuit claims that Experian violated the Fair Credit Reporting Act, which regulates the collection, dissemination and use of consumer information, including consumer credit information. Plaintiffs are seeking to recover unspecified statutory damages, and they are asking the court to require Experian to notify each U.S. citizen whose PII was accessed by Ngo, or sold to him or one of his fraudster customers.

The suit also asks that Experian be required to provide credit monitoring and "substantial" ID theft coverage to each affected consumer and establish a fund to provide consumers with reimbursement for expenses and losses they've had to pay for ID fraud or ID theft remediation.

Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, predicts that more lawsuits will ask that funds be established to provide consumers a means of monetary compensation.

"Maybe these cases will have an impact on shedding light on the limitation of much of these credit monitoring services and how they do very little to help consumers whose information or payment data has been compromised," she says.

Read original article

Terror on Wheels

Hacks of the IT used to run cars have been a story for years—but a new approach using simple radio waves should, well, make waves for automakers.

NCC Group says that it has developed an exploit that infiltrates a car's "infotainment" system via everyday digital audio broadcasting (DAB) radio signals. A remote attacker from there could take control of various critical control systems—including the brakes, and the steering. And yes, that's terrifying.

NCC research director Andy Davis explained to the BBC that network sequestration is the issue here—taking over the fun and colorful (did we/should we say "distracting?") radio display in the dash is one thing—but once a hacker is in, he or she or they can simply pivot to gain control of critical systems, including steering and braking.

Worse, the security firm said that it was able to transmit the malicious DAB signal using a laptop and a box made from cheap, easily accessible parts—no specialized equipment required. And, the bigger the signal booster, the larger the effective radius. In other words, it's called "broadcast" for a reason, and in theory, the signal could be sent to many cars at once.

"As this is a broadcast medium, if you had a vulnerability within a certain infotainment system in a certain manufacturer's vehicle, by sending one stream of data, you could attack many cars simultaneously," he said. "An attacker would probably choose a common radio station to broadcast over the top of to make sure they reached the maximum number of target vehicles."

All together now: "Aiiiiiggggggggggghhhhhhhhh!!! Aiiiggghhhhhhhhhhhhhh!!!!!"

OK, now that we have that out of our system…it's important to remember that clearly, it would take some doing to actually execute this kind of attack. The car couldn't be moving very fast, for one, unless the attackers had a whole radio station tower to use to transmit the malicious airwaves.

Davis didn't say which cars featured the flaw. According to the BBC, which first reported the story, the UK's Society of Motor Manufacturers and Traders has responded by saying that car companies "invest billions of pounds to keep vehicles secure as possible."

Does that sound a little defensive to you? Me too.

But, one could get around that by using the mobile phone network. Chris Valasek, director of vehicle security research at IOActive, and Charlie Miller, the renowned white hat and Twitter researcher that has made mobile hacks a specialty, have done just that, and are prepping a similar exploit to show off at Black Hat 2015 in August.

They were able to remotely take control of a Jeep Cherokee's air-conditioning system, radio and windshield wipers, using the mobile phone network and the car's internal 4G connection. They demonstrated this to an unaware journalist at 70 MPH as well. And even uploaded a picture of themselves to the affected car's dash display, just to ratchet up the poor guy's terror.

Using the mobile network improves reach, but requires specialized know-how and equipment, unlike the NCC hack. "We took over the infotainment system and from there reprogrammed certain pieces of the vehicle so we could send control commands," Valasek said. "It takes a lot of time skill and money. That isn't to say that there aren't large organizations interested in it."

But someday—won't someone be able to achieve BOTH ease-of-exploit and effectiveness?

Read original article

Thursday 23 July 2015

Alfa Insurance Breach

Alfa Specialty Insurance Corporation and Alfa Vision Insurance Corporation are notifying around 86,000 individuals that their personal information was inadvertently made accessible to the internet.

How many victims? Around 86,000.

What type of personal information? Names, addresses, dates of birth, driver's license numbers and Social Security numbers.

What happened? Information stored on one of Alfa's computer servers at a Tennessee location was inadvertently accessible to the internet.

What was the response? Alfa secured the computer server so that the information is no longer accessible to the internet, and removed data cached on the internet. All potentially impacted individuals are being notified, and offered free identity protection and credit monitoring services.

Details: Alfa learned of the issue on May 4.

Quote: "While we are not aware of any attempted or actual misuse of your information, this notice is being provided so you may take steps to monitor your identity," a notification letter said.

Read original article

Password Strength Meters

I've spent a depressingly large proportion of the last few years writing about the fact that so few people recognize that they're using poor password and PIN selection strategies. This is unsurprising, perhaps. After all, this issue is not just technological, but psychological and even ergonomic. If you're not confident of your ability to create a sound password, you might use a password strength meter like Microsoft's. I can't vouch for how good it is, but a lot of people seem to find it helpful to have some guidance.

However, an article by Mark Stockley for Sophos suggests that a poor meter may be worse than useless. He took five of the 10,000 most common passwords, according to xato.net, all of which the cracking software John The Ripper cracked more or less instantly, and then ran them against five plug-in strength meters. One meter categorized all five as good, another classified two of them as good. Ten were classified as weak by various meters, six as medium, and two as 'norm' (normal, presumably).

Stockley's contention is that:

A password strength meter that doesn't reject all five out of hand is not up to the job of measuring password strength.

They all failed. And not only that, they don't agree.

Well, I won't disagree: the results are inconsistent between meters and the classifications are misleading, unless you believe that 'iloveyou!' or even 'abc123' are good passwords. Why did they fail so spectacularly? The answer lies in the fact that the harshest categorization is 'weak'.

There are a number of characteristics you can use to assess the strength and entropy (randomness or unpredictability) of a password or, preferably, passphrase, such as:
Number of characters
Variety of characters – a very long password consisting of the same repeated character is not resistant to password cracking software
The types of character used: alphabetical, numeric, symbols and special characters, and where they're placed in relation to the other characters. (To take a simple example, when people append a number to their password which is augmented every time they're required to change it, that offers no effective barrier to password-cracking software.)

There are any number of algorithms that might be used to assess the effectiveness of a given string used as a passphrase. Obviously, some are better than others and you have to expect some variation in categorization. I tried the same passwords against the Microsoft checker, which wasn't one of those tested by Stockley.

Clearly, there isn't a separate category for 'Don't use this password because an awful lot of other people already do so hackers will find it quickly'. And the fact that trustno1, confirmed by at least one other list to be far more common than ncc1701, is categorized as medium, suggests that ranking (or appearing at all) on such lists is not one of the categorization criteria applied by the Microsoft meter or, apparently, any of the five tested by Stockley.

That's not to say that the lists are only used by password crackers. At one time, Twitter used a script to check passwords created by its users against a list of strings: if someone tried to set a password that was found on the list, it would not be allowed. And yes, abc123, trustno1, and ncc1701 could be found there (the list was very trivially obfuscated). iloveyou! wasn't included, though iloveyou was. Nor was primetime21 or anything close to it.

So how do these meters reach their conclusions? Well, one of them considered all five of those passwords 'good', so maybe it doesn't have any negative criteria. All the others considered abc123 weak, even though it consists of a mix of letters and numbers, perhaps because it features two strictly serial sequences (abc and 123).

Perhaps ncc1701 fares better according to some meters because it doesn't include a dictionary word (though it is, of course, the instantly recognizable number of the Starship Enterprise, which is why so many people use it). iloveyou! probably gains favor because strength meters like passwords that include punctuation characters.
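As an added example (my own, not Stockley's meters or Microsoft's checker), here is a small Python checker that applies the criteria discussed above in the order the discussion implies: first a "don't use this, too many other people already do" rule, applied after stripping the trailing punctuation or digit counter people bolt onto a common word (so iloveyou! is caught by the iloveyou entry, as Twitter's list would not have), and only then the length, character-variety and serial-sequence heuristics. The common-password set is a constructed sample of a handful of entries standing in for a full top-10,000 list; primetime21 is deliberately left out of it to show what the heuristics alone conclude about a password that crackers nevertheless find instantly.

```python
import math
import re
from typing import List, Tuple

# Constructed stand-in for a "most common passwords" list; a real deployment loads the
# full list (the xato.net set, for instance). Entries are stored lowercase.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abc123", "trustno1", "ncc1701", "iloveyou"}

# (regex for a character class, size of the pool that class contributes)
CHAR_CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
PENALTY_BITS = 12            # deducted for each structural weakness found
WEAK_BELOW, GOOD_FROM = 36, 60


def charset_entropy_bits(pw: str) -> float:
    """Upper bound: assumes every character was chosen uniformly from the classes present."""
    pool = sum(size for pattern, size in CHAR_CLASSES if re.search(pattern, pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def normalised_base(pw: str) -> str:
    """Strip the decorations people add to a common word: trailing punctuation, then a short
    trailing digit counter. 'iloveyou!' -> 'iloveyou', 'trustno1' -> 'trustno'."""
    base = re.sub(r"[^a-z0-9]+$", "", pw.lower())
    return re.sub(r"(?<=\D)\d{1,3}$", "", base)


def has_serial_run(pw: str, length: int = 3) -> bool:
    """True if any window of `length` characters steps by exactly +1 or -1 (abc, 123, cba)."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        codes = [ord(c) for c in s[i:i + length]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def assess(pw: str) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). List membership is checked first and is decisive: no mix of
    character classes rescues a password that cracking software tries in its first seconds."""
    if pw.lower() in COMMON_PASSWORDS or normalised_base(pw) in COMMON_PASSWORDS:
        return "reject", ["matches a common password (after stripping trailing punctuation/counter)"]
    reasons: List[str] = []
    bits = charset_entropy_bits(pw)
    if len(set(pw.lower())) <= max(2, len(pw) // 3):
        reasons.append("too few distinct characters for its length")
        bits = charset_entropy_bits("".join(sorted(set(pw))))  # credit only the distinct characters
    if has_serial_run(pw):
        reasons.append("contains a serial sequence such as abc or 123")
        bits -= PENALTY_BITS
    if re.search(r"\D\d{1,3}$", pw):
        reasons.append("ends in a short digit counter")
        bits -= PENALTY_BITS
    verdict = "weak" if bits < WEAK_BELOW else "medium" if bits < GOOD_FROM else "good"
    return verdict, reasons


if __name__ == "__main__":
    for candidate in ("abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21",
                      "xyz789!", "a" * 20, "correct horse battery staple"):
        print(f"{candidate!r:32} {assess(candidate)}")
```

Run on the five passwords from the article, the first four are rejected outright, while primetime21, absent from the constructed list, comes out "medium" on the heuristics alone: exactly the gap the discussion above points at, and the reason the list check has to come first and has to be a real, full list.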

Read original article