Hackers Could Commandeer New Planes Through Passenger Wi-Fi

SEVEN YEARS AFTER the Federal Aviation Administration first warned Boeing that its new Dreamliner aircraft had a Wi-Fi design that made it vulnerable to hacking, a new government report suggests the passenger jets might still be vulnerable.

Boeing 787 Dreamliner jets, as well as Airbus A350 and A380 aircraft, have Wi-Fi passenger networks that use the same network as the avionics systems of the planes, raising the possibility that a hacker could hijack the navigation system or commandeer the plane through the in-plane network, according to the US Government Accountability Office, which released a report about the planes today.

A hacker would have to first bypass a firewall that separates the Wi-Fi system from the avionics system. But firewalls are not impenetrable, particularly if they are misconfigured. A better design, security experts have warned for years, is to air gap critical systems from non-critical ones—that is, physically separate the networks so that a hacker on the plane can’t bridge from one to the other, nor can a remote hacker pass malware through the internet connection to the plane’s avionics system. As the report notes, because the Wi-Fi systems in these planes connect to the world outside the plane, it opens the door for malicious actors to also remotely harm the plane’s system.

“A virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines,” according to the report.

Read More

Android Apps Vulnerable to Hijacking

Almost half of Android smartphones are vulnerable to being hacked through third-party apps downloaded from stores outside the official outlet.

Discovered over a year ago, a Time-of-Check to Time-of-Use (TOCTTOU) vulnerability was uncovered. what is being called “Android Installer Hijacking” allows an attacker to hijack the usual Android APK installation process. It does not work on the Google Play store because a Play Store app cannot be accessed by other installed apps.

“On affected platforms, we discovered that the PackageInstaller has a “Time of Check” to “Time of Use” vulnerability. In layman’s terms, that simply means that the APK file can be modified or replaced during installation without the user’s knowledge. The Installer Hijacking vulnerability affects APK files downloaded to unprotected local storage only because the protected space of Play Store app cannot be accessed by other installed apps,” according to the blog post at Palo Alto Networks.

The PackageInstaller installs a different app than grants permissions to attackers. Legitimate apps could be replaced with malware apps.

Android version 4.4 and later versions have fixed the vulnerability. Android 4.3 and before may have the vulnerability.

A vulnerability scanner app is available in the Google Play store. For security researchers, the open source version of the app has been made available on Github.

Investigators advise users to only install apps from the Google play store on infected devices. To use Android 4.3 or later, though some 4.3 are vulnerable. Don’t give apps permission to use logcat. And don’t use a rooted device.

Read More

Even Biometric Locks Can be Picked

How can we ensure that someone is who they say they are? How can be sure that the person in our system, both digitally speaking or physically in front of us, is who whom they claim to be?

You may think that a good password is the answer, but with so many ways to break into a computer system these methods are clearly not always effective – as can be seen from the unfortunate hacked celebrities whose naked pictures were strewn across the internet recently, or the Oleg Pliss ransomware that locks iPhones until the extortioner is paid. Even a combination of a good username and password may not be enough.

An organic alternative to passwords

What about biometrics? This technology uses human physical attributes as locks and keys, such as fingerprints, iris scans or, as is now suggested, the veins in the human fingertip, making them highly individual ways to identify one user from another.

Using biometrics is not especially new. For example, while the likes of iris scanners may be familiar from sci-fi films, they’re also (or were until recently) found in real life airports too. Often mistakenly called retinal scanners, they are based on scanning the unique pattern of the iris, the coloured part of the eye.

But the technology needed to complete an effective and trusted scan is expensive and can be tricked by technologically capable hackers. These are great for entry control systems on the buildings of large organisations, or for the occasional secret bunker seen in films. But they are extremely costly – prohibitively so if a bank was to insist that every customer had one at home – and false readings become a problem as the number of people using it scales.

On the other hand, fingerprint technology has become cheaper and more available – fingerprint scanners are now sufficiently small and accurate that they started appearing in laptops 10 years ago, and are even in small devices like the iPhone 5S. This is one way that banks could allow smartphone and laptop users to access their financial services, with users presenting a finger rather than a passcode.

In fact it’s easy to obtain a range of low-cost scanners for all sorts of authentication uses. But that doesn’t mean the users will like doing so – there are ethical issues to consider, as some UK schools discovered in 2012 when their use of fingerprint scanners to monitor pupil attendance led to an outcry and a government ban without explicit consent from parents.

Read More

Phone Firewall Identifies Rogue Cell Towers Trying to Intercept Your Calls

Rogue cell phone towers can track your phone and intercept your calls, and it’s only a matter of time before they’re as ubiquitous as GPS trackers. But at least now there’s a way to spot them.

A firewall developed by the German firm GSMK for its secure CryptoPhone lets people know when a rogue cell tower is connecting to their phone. It’s the first system available that can do this, though it’s currently only available for enterprise customers using Android phones.

GSMK’s CryptoPhone 500, a high-end phone that costs more than $3,000 and combines a Samsung Galaxy S3 handset with the CryptoPhone operating system, offers strong end-to-end encryption along with a specially hardened Android operating system that offers more security than other Android phones and the patented baseband firewall that can alert customers when a rogue tower has connected to their phone or turned off the mobile network’s standard encryption.

The problem with rogue cell towers is widespread. The FCC is assembling a task force to address the illicit use of so-called IMSI catchers—the devices that pose as rogue cell towers. But the task force will only examine the use of the devices by hackers and criminals—and possibly foreign intelligence agencies—not their warrantless use by law enforcement agencies bent on deceiving judges about their deployment of the powerful surveillance technology.

IMSI catchers, stingrays or GSM interceptors as they’re also called, force a phone to connect to them by emitting a stronger signal than the legitimate towers around them. Once connected, pings from the phone can help the rogue tower identify a phone in the vicinity and track the phone’s location and movement while passing the phone signals on to a legitimate tower so the user still receives service. Some of the IMSI software and devices also intercept and decrypt calls and can be used to push malware to vulnerable phones, and they can also be used to locate air cards used with computers. The systems are designed to be portable so they can be operated from a van or on foot to track a phone as it moves. But some can be stationary and operate from, say, a military base or an embassy. The reach of a rogue tower can be up to a mile away, forcing thousands of phones in a region to connect to it without anyone knowing.

Read More

FBI and Apple Investigate Celebrity Photo Leaks

The FBI says it was addressing allegations that online accounts of several celebrities, including Oscar-winner Jennifer Lawrence, had been hacked, leading to the posting of their nude photographs online.

The agency did not say what actions it was taking to investigate who was responsible for posting naked photos of Lawrence and other stars. Apple said it was looking into whether its online photo-sharing service had been hacked to obtain the intimate images.

Lawrence, a three-time Oscar nominee who won for her role in “Silver Linings Playbook,” contacted authorities after the images began appearing Sunday.

Naked images purporting to be of other female stars were also posted, although the authenticity of many couldn’t be confirmed. The source of the leak was unclear.

“This is a flagrant violation of privacy,” Lawrence’s publicist Liz Mahoney wrote in a statement. “The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence.”

The FBI said it was “aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter.”

“Any further comment would be inappropriate at this time,” spokeswoman Laura Eimiller wrote in a statement.

Apple Inc. spokeswoman Natalie Kerris said the company was investigating whether any iCloud accounts had been tampered with, but she did not give any further details.

“We take user privacy very seriously and are actively investigating this report,” she said.

Actress Mary Elizabeth Winstead also confirmed that nude photos of her were posted online.

“To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves,” Winstead posted on Twitter. Winstead, who starred in “Final Destination 3″ and “Abraham Lincoln: Vampire Hunter,” wrote that she thought the images had been destroyed.

Read More

Mobile OS Weakness Allows Apps to Steal Personal Information

A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, have identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack in an Android phone.

The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate.

The paper, “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks,” will be presented at the 23rd USENIX Security Symposium in San Diego. Authors of the paper are Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a Ph.D. student working with Mao.

The researchers believe their method will work on other operating systems because they share a key feature researchers exploited in the Android system. However, they haven’t tested the program using the other systems.

The researchers started working on the method because they believed there was a security risk with so many apps being created by some many developers. Once a user downloads a bunch of apps to his or her smart phone they are all running on the same shared infrastructure, or operating system.

“The assumption has always been that these apps can’t interfere with each other easily,” Qian says. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”

The attack works by getting a user to download a seemingly benign, but actually malicious, app, such as one for background wallpaper on a phone. Once that app is installed, the researchers are able to exploit a newly discovered public side channel — the shared memory statistics of a process, which can be accessed without any privileges. (Shared memory is a common operating system feature to efficiently allow processes share data.)

Read More

Yahoo teams up with Google on encrypted webmail

LAS VEGAS — Your webmail will be safer from prying eyes — at some point next year.

That’s the promise that Yahoo and Google are making to their mail service users, who together make up the vast majority of webmail users. More than 425 million people use Gmail, with Yahoo Mail usage estimated at 273 million.

Longtime security industry veteran Alex Stamos, who was named Yahoo’s new chief information security officer earlier this year, told attendees of the Black Hat hacker and security conference here on Thursday that at some point in 2015, Yahoo Mail would not only be encrypted end-to-end, but would be compatible with the end-to-end encryption that Google is working on for Gmail.

When that happens, it will create a secure way to email between the two services. The contents of an email protected by end-to-end encryption are hidden and much harder to tamper with. They can not be viewed by any intermediary, including the webmail provider itself.

Yahoo encrypted webmail at the data center level earlier this year, but encrypting emails sent between accounts has proven elusive so far.

Encryption in webmail is difficult to implement for a number of reasons. It’s currently extremely difficult for most people to use, and tech titans have concerns about losing customers if their services slow down because of encryption.

Similar to Google’s approach, Yahoo will be leveraging the security community to improve the encryption. Stamos said that Yahoo will release the encryption source code sometime this fall, “so that the open source community can help us refine the experience and hunt for bugs.”

“We don’t have any other providers to talk about yet, but the hope is that this is open and will be adopted by many others in the email ecosystem,” said a Yahoo spokeswoman.

How important is webmail encryption to Google and Yahoo? It’s a big enough brass ring that Stamos said they’re working together on the project.

Read More

New Facebook Scam Fools Users Into Hacking Their Own Accounts

A new Facebook scam promising users the ability to hack anyone’s account is only a guide towards hacking your own account.

The scam lures users by providing a guaranteed access to anyone’s account in three easy steps. But following the steps make users hack their own page, via a method termed as Self-XXS, which makes anyone who attempts the guide vulnerable to new scam and phishing campaigns.

The scam pops up as a Facebook post on your Timeline or an email from a friend of a victim, promising to ‘hack any account following three steps’. It then asks you to open up your Facebook in a new browser and head over to the Facebook page of the individual you want to hack. Then right-clicking anywhere on the page brings up a pop-up menu where you are asked to select ‘Inspect Element’. This presents an HTML editor at the bottom of the web browser.

In the HTML editor, the scam guides readers to copy-paste a string of code. However, the code doesn’t fulfill its promise; but grants scammers access to your account.

Read More

Hackers Can Control Your Phone Using a Tool That’s Already Built In

A lot of concern about the NSA’s seemingly omnipresent surveillance over the last year has focused on the agency’s efforts to install back doors in software and hardware. Those efforts are greatly aided, however, if the agency can piggyback on embedded software already on a system that can be exploited.

Two researchers have uncovered such built-in vulnerabilities in a large number of smartphones that would allow government spies and sophisticated hackers to install malicious code and take control of the device.

The attacks would require proximity to the phones, using a rogue base station or femtocell, and a high level of skill to pull off. But it took Mathew Solnik and Marc Blanchou, two research consultants with Accuvant Labs, just a few months to discover the vulnerabilities and exploit them.

The vulnerabilities lie within a device management tool carriers and manufacturers embed in handsets and tablets to remotely configure them. Though some design their own tool, most use a tool developed by a specific third-party vendor—which the researchers will not identify until they present their findings next week at the Black Hat security conference in Las Vegas. The tool is used in some form in more than 2 billion phones worldwide, they say, including Android and BlackBerry devices and a small number of Apple iPhones used by Sprint customers. They haven’t looked at Windows Mobile devices yet.

The researchers say there’s no sign that anyone has exploited the vulnerabilities in the wild, and the company that makes the tool has issued a fix that solves the problem. But it’s now up to carriers to distribute it to users in a firmware update.

Carriers use the management tool to send over-the-air firmware upgrades, to remotely configure handsets for roaming or voice-over WiFi and to lock the devices to specific service providers. But each carrier and manufacturer has its own custom implementation of the client, and there are many that provide the carrier with an array of additional features.

To give carriers the ability to do these things, the management tool operates at the highest level of privilege on devices, which means an attacker who accesses and exploits the tool has the same abilities as the carriers.

The management tools are implemented using a core standard, developed by the Open Mobile Alliance, called OMA device management. From these guidelines, each carrier can choose a base set of features or request additional ones. Skolnik says they found that some phones have features for remotely wiping the device or conducting a factory reset, altering operating system settings and even remotely changing the PIN for the screen lock.

Read more

Your personal information just isn’t safe

When Target lost data on some 110 million customers, it recommended them to credit bureau Experian for “identity theft protection,” offering to cover the cost for a year.

Think you’re in better hands? Think again.

Sometime before the Target (TGT) hack, Experian had its own data leak — via a subsidiary. That data leak got plugged before Target sent victims to Experian. But it shows that even those entrusted with our most sensitive data don’t know how to protect it.

Experian unknowingly sold the personal data of millions of Americans — including Social Security numbers — to a fraudster in Vietnam. That guy then sold the personal information to identity thieves around the globe.

It wasn’t until U.S. Secret Service agents alerted Experian that the company stopped.

Hieu Minh Ngo, now 25, was caught and admitted to posing as a private investigator in Singapore to get exclusive access to data via Court Ventures, an Experian subsidiary. Ngo then sold access to fellow criminals.

Read more