Mario Tama / Getty Images / AFP
Internet users, beware: new security research has revealed that 40-50 million network-enabled devices can be hacked and controlled remotely, with vulnerable products including cameras, printers and routers.
By hijacking personal devices like cameras, hackers can easily watch every move of the device’s owner and invade the privacy of millions of users. Internet routers that use a protocol called Universal Plug and Play (UPnP) allow network-connected devices such as computers and printers to make themselves easily discoverable, but new research by the security firm Rapid7 shows that this discoverability can be exploited by hackers.
Many routers are set to use UPnP by default, thereby subjecting all network-enabled devices using the router to the damage that hackers are able to inflict. As many as 50 million unique devices can be exploited and about 6,900 products are vulnerable to software bugs that have already been found in three different implementations of the protocol.
Vendors including Cisco’s Linksys, Belkin, D-Link, and Netgear produce routers that make themselves and their connected devices susceptible to software bugs. At least 23 million types of connectible devices could be hijacked and permanently disabled, while others would face temporary incapacitation.
Using the discoverability of the devices, hackers could invade the network itself, regardless of any sort of firewalls that might be in place, thereby endangering personal information. Hackers could use UPnP-enabled routers and their devices to access confidential files, steal passwords, take full control of computers and access webcams, printers and other security systems.
“We never expected this much UPnP to be exposed on the Internet. The scope of the exposure just blew us away,” Rapid7’s chief security officer H.D. Moore told Forbes.
“This is the most pervasive bug I’ve ever seen,” he told Reuters, referring to the software bugs that Rapid7 discovered in most of the vulnerable devices that were tested.
Rapid7 recommends that Internet users check their routers for UPnP capabilities and disable the feature to protect their devices from being invaded by hackers. The new research also prompted CERT to issue a warning and Cisco to disseminate information about their susceptible products.
“Linksys is aware of the industry-wide UPnP library security vulnerability announced by the US CERT on January 29th,” a spokesperson wrote on the company website. “We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted.”
Unless Internet users take steps to ensure their network’s security, tens of millions could be at risk of having their information stolen, being watched through their own webcams, or having their devices destroyed.
50 million cameras exposed to hackers due to massive security breach
‘Red October’: Global cyber-spy network uncovered by Russian experts
Published: 15 January, 2013, 05:56
TAGS: Russia, Europe, Internet, Information Technology, Security, Hacking
Picture by Kaspersky Lab’s Global Research & Analysis Team
A sophisticated cyber-espionage network targeting the world’s diplomatic, government and research agencies has been uncovered by the Kaspersky Lab, whose experts say the malware’s complexity could rival that of the notorious Flame virus.
The hackers designed their own authentic and complicated piece of software, which has its own unique modular architecture of malicious extensions, info-stealing modules and backdoor Trojans. The malware includes several extensions and malicious files designed to quickly adjust to different system configurations while remaining able to grab information from infected machines. These included a ‘resurrection’ module, which allowed hackers to gain access to infected machines using alternative communications channels and an encoded spy module, stealing information from different cryptographic systems such as Acid Cryptofiler, which is known to be used by organizations such as NATO, the European Parliament and the European Commission since 2011.
The first instances of Red October malware were discovered in October 2012, but it has been infecting computers since at least 2007, according to Kaspersky. The Kaspersky Lab worked with a number of international organizations while conducting the investigation including the US, Romanian and Belarusian Computer Emergency Readiness Teams. The EU has attempted to counter the huge rise in cyber-espionage by launching the European Cybercrime Center, which opened on Friday.
The system’s targets include a wide range of countries, with the primary focus on Eastern Europe, former Soviet republics and Central Asia – although many in Western Europe and North America are also on the list. In addition to attacking traditional computer workstations, Rocra – a shortened name for Red October, the name given the network by the Kaspersky team – can steal data from smartphones, dump network equipment configurations, snatch files from removable disk drives, including those that had been erased, and scan through email databases and local network FTP servers. Unlike other well-known highly automated cyber-espionage campaigns like Flame and Gauss, Rocra’s attacks all appear to be carefully chosen. Each operation is apparently driven by the configuration of the victim’s hardware and software, native language and even habit of document usage.
The information extracted from infected networks is often used to gain entry into additional systems. For example, stolen credentials were shown to be compiled in a list for use when attackers needed to guess passwords or phrases. The hackers behind the network have created more than 60 domain names and several server hosting locations in different countries – the majority of those known being in Germany and Russia – which worked as proxies in order to hide the location of the “mothership” control server. That server’s location remains unknown.
Experts have uncovered over 1,000 modules belonging to 30 different module categories. While Rocra seems to have been designed to execute one-time tasks sent by the hackers’ servers, a number of modules were constantly present in the system executing persistent tasks: for example, retrieving information about a phone, its contact list, call history, calendar, SMS messages and even browsing history as soon as an iPhone or a Nokia phone is connected to the system.
The hackers’ primary objective is to gather information and documents that compromised governments, corporations or other organizations and agencies. In addition to focusing on diplomatic and governmental agencies around the world, the hackers also attacked energy and nuclear groups and trade and aerospace targets. No details have been given so far as to who the attackers could be. However, there is strong technical evidence to indicate that the attackers have Russophone origins, as Russian words including slang have been used in the source code commentaries. Many of the known attacks have taken place in Russian-speaking countries.
Reddit co-founder Aaron Swartz commits suicide in midst of controversial trial
The co-founder of social news website Reddit committed suicide in New York City on Friday. Aaron Swartz was facing a controversial trial over the alleged violation of the Computer Fraud and Abuse Act. He faced decades in prison and a $1 million fine.
“The tragic and heartbreaking information you received is, regrettably, true,” Swartz’ attorney, Elliot R. Peters, said in an email to The Tech. The 26-year-old was the co-founder of Reddit and executive director of Demand Progress, a website that focuses on policy changes for civil liberties, civil rights, and government reform in the US. Swartz was also a renowned programmer. By the age of 13, he created his first web application which was essentially the same idea as Wikipedia, according to his website. In 2011, Swartz was charged with allegedly stealing more than four million academic journals from JSTOR, an archive of scientific journals and academic papers, via an open connection at the Massachusetts Institute of Technology (MIT). He faced 13 felony charges, including breaching site terms and intending to share downloaded files through peer-to-peer networks, computer fraud, wire fraud, obtaining information from a protected computer, and criminal forfeiture. He was also accused of evading MIT’s attempts to kick his laptop off the network while downloading millions of documents from JSTOR.
Many say the lawsuit is unfounded because MIT allows guests access to JSTOR – and Swartz, who was undertaking a fellowship at Harvard’s Safra Center for Ethics at the time of downloading, was a guest.
The case has also been deemed highly controversial because it wasn’t JSTOR – the alleged victim in the case – which referred Swartz to the federal government, according to the company’s vice president of Marketing and Communications, Heidi McGregor. She says JSTOR was content once it reclaimed the works from Swartz.
“We stopped this downloading activity, and the individual responsible, Mr. Swartz, was identified. We secured from Mr. Swartz the content that was taken, and received confirmation that the content was not and would not be used, copied, transferred, or distributed,” the company said in its statement on the prosecution. The statement went on to say that the investigation was directed by the United States Attorney’s Office.
And while the US government was threatening Swartz with decades in prison and a hefty fine, some say the move was entirely unfounded.
“This makes no sense. It’s like trying to put someone in jail for allegedly checking too many books out of the library,” Demand Progress Executive Director David Segal said in a statement, as quoted by Wired magazine.
“It’s even more strange because the alleged victim has settled any claims against Aaron, explained they’ve suffered no loss or damage, and asked the government not to prosecute,” Segal said.
Feeling he had no other choice, Swartz surrendered himself to authorities in July 2011 and was released on bond. In September 2012, he appeared at the hearing in court and pleaded not guilty. His trial was scheduled for February 2013. Many of the charges stemmed from Swartz allegedly breaching JSTOR’s terms of service agreement.
“JSTOR authorizes users to download a limited number of journal articles at a time,” the latest indictment said. “Before being given access to JSTOR’s digital archive, each user must agree and acknowledge that they cannot download or export content from JSTOR’s computer servers with automated programs such as web robots, spiders, and scrapers.”
The case would have tested the reach of the Computer Fraud and Abuse Act, which was created to reduce the cracking of computer systems and federal domains-related offenses. The law, which was passed in 1984, enhances the government’s ability to prosecute hackers who accessed computers to steal information or disrupt computer functionality. But according to plaintiff attorney Max Kennerly, Swartz may not have violated the law at all. “It is by no means clear that Swartz has actually violated the Computer Fraud and Abuse Act. Recently, the Fourth Circuit joined the Ninth Circuit in alleging that violating the terms of service does not constitute a crime under the CFAA. In contrast, the Fifth, Seventh and Eleventh Circuits have held that it can be a crime. Swartz’ case is in the First Circuit. This is the classic sort of Circuit Split that prompts Supreme Court review,” Kennerly said on his blog. Had he been convicted, Swartz would have faced up to 35 years in prison and a $1 million fine.
Information Technology Dividends Outpace All Others
FOR what appears to be the first time ever, information technology companies in the Standard & Poor’s index of 500 stocks are paying more in dividends than companies in any other sector, S.&P. reported this week.
United States ill-prepared for skyrocketing cyberattacks against critical infrastructure
Cyber security analysts work to defend a network during a drill at a Department of Homeland Security cyber security defense lab at the Idaho National Laboratory in Idaho Falls, Idaho (Reuters/Jim Urquhart)
Cyberattacks against the United States’ critical infrastructure are increasing, but even the Department of Homeland Security is reporting that the country is ill-prepared to respond.
America’s cyberdefense situation is in need of improvement, according at least to a newsletter published by the Homeland Security Department’s Industrial Control Systems Cyber Emergency Response Team, the ICS-CERT Monitor [PDF]. In the late-2012 edition of the Monitor, cyber experts working for the United States government confirm that as attacks waged against America’s essential sectors are on the rise, the number of qualified personnel able to respond is hardly adequate. Between October 1, 2011 and September of last year, ICS-CERT claims to have received and responded to 198 cyber incidents as reported by asset owners and industry partners. In an analysis of the report, CNN says that the figure for Fiscal Year 2012 is 52 percent larger than the year before. Elsewhere in the Monitor, ICS-CERT quotes noted security expert Alan Paller as saying that there are no more than 20 individuals in the entire country that could counter a substantial attack against the States’ cyber infrastructure.
“Paller believes there are only 18 to 20 people in the whole country qualified to protect the nation’s infrastructure from a concerted cyberattack,” the Monitor says, quoting from a Wall Street Journal article published in November. “That’s an incredible small number of people considering the hundreds of thousands of engineers working in the private, public and military sectors,” says the Journal.
Of those nearly 200 incidents reported to DHS, several resulted in successful break-ins. In one example given of a power generation facility in the US, the Monitor says DHS employees identified malware installed on their systems that was so sophisticated that it posed the possibility of a very real disaster to the plant’s control environment. “Detailed analysis was conducted as these workstations had no backups, and an ineffective or failed cleanup would have significantly impaired their operations,” the report reads.
While The Monitor neglects to name individual companies that found malware and other attempted cyber-intrusions, the DHS says that the nation’s energy, water, communications and transportation sectors were all subject to attack during the last year. Also at risk, the Monitor reports, is America’s nuclear infrastructure, where at least 6 incidents were identified during a 12-month span.
Compared to recent years, the cyberassaults waged during 2012 demonstrate an alarming trend. While ICS-CERT identified 198 incidents last year, in 2009 that number was only nine.
“I believe that people will not truly get this until they see the physical implications of a cyberattack,” former FBI cybercrime official Shawn Henry said last year, as quoted by CNN. “We knew about Osama bin Laden in the early ’90s. After 9/11, it was a worldwide name. I believe that type of thing can and will happen in the cyber environment.”
Leading figures in Washington have warned just as much, equating an eventual assault on the United States’ cyber-grid as being on par with national tragedies of historic proportions. In October, Defense Secretary Leon Panetta said the country was at risk of facing a “Cyber Pearl Harbor.” In December, former National Security Agency Director Mike McConnell said a “Cyber 9/11” should be imminent.
“We have had our 9/11 warning. Are we going to wait for the cyber equivalent of the collapse of the World Trade Centers?” McConnell told Financial Times in an interview published last month.
“All of a sudden, the power doesn’t work, there’s no way you can get money, you can’t get out of town, you can’t get online, and banking, as a function to make the world work, starts to not be reliable,” McConnell said. “Now, that is a cyber-Pearl Harbor, and it is achievable.”
In the latest edition of The Monitor, the DHS acknowledges that one particular power company in the US was infected with a virus as recently as this October that damaged the facility’s turbine control system and around 10 computers connected to it. By the time the country’s cyber-experts identified and treated the issue, the facility suffered from three weeks of setbacks. In another instance noted in the report, a team of DHS researchers found 98,000 organizations within the United States that had Internet-facing devices that could easily be hijacked by hackers. Cyberattacks against the United States’ energy sector accounted for 40 percent of all reported incidents last year, with the water sector targeted in around 30 separate attacks, the Monitor reports. Only one banking or financial institution contacted the DHS about a possible cyberattack last year, but skyrocketing numbers suggest that assaults are likely to increase in Fiscal Year 2013. Just in the last few months, Bank of America, Citigroup, Wells Fargo and Capital One have all been targeted by computer criminals.
“These attacks are representative of the longest persistent cyberattack on an industry sector in history – in fact, nearly every major commercial bank has been affected,” Carl Herberger, vice president of security solutions at Radware, tells CSO Online. Anti-American hackers from Iran are believed responsible for the renewed series of attacks aimed at the computers of US banks, according to Washington sources. On Friday, the Washington Post reported that the National Security Agency has been approached by a number of US banks in hopes that they will be able to protect them against the increasingly sophisticated cyberattacks waged at the American financial sector.
Google starts watching what you do off the Internet too
The most powerful company on the Internet just got a whole lot creepier: a new service from Google merges offline consumer info with online intelligence, allowing advertisers to target users based on what they do at the keyboard and at the mall. Without much fanfare, Google announced news this week of a new advertising project, Conversions API, that will let businesses build all-encompassing user profiles based off of not just what users search for on the Web, but what they purchase outside of the home. In a blog post this week on Google’s DoubleClick Search site, the Silicon Valley giant says that targeting consumers based off online information only allows advertisers to learn so much. “Conversions,” tech-speak for the digital metric made by every action a user makes online, are incomplete until coupled with real life data, Google says.
“We understand that online advertising also fuels offline conversions,” the blog post reads. Thus, Google says, “To capture these lost conversions and bring offline into your online world, we’re announcing the open beta of our Conversions API for uploading offline conversion automatically.”
The blog goes on to explain that in-store transactions, call-tracking and other online activities can be inputted into Google to be combined with other information “to optimize your campaigns based on even more of your business data.”
Google is all but certain to ensure that all user data collected off- and online will be cloaked through safeguards that will allow for complete and total anonymity for customers. When on-the-Web interactions start mirroring real life activity, though, even a certain degree of privacy doesn’t make Conversions API any less creepy. As Jim Edwards writes for Business Insider, “If you bought a T shirt at The Gap in the mall with your credit card, you could start seeing a lot more Gap ads online later, suggesting jeans that go with that shirt.”
Of course, there is always the possibility that all of this information can be unencrypted and, in some cases, obtained by third-parties that you might not want prying into your personal business. Edwards notes in his report that Google does not explicitly note that intelligence used in Conversions API will be anonymized, but the blowback from not doing as much would sure be enough to start a colossal uproar. Meanwhile, however, all of the information being collected by Google, estimated to be on millions of servers around the globe, is being handed over to more than just advertising companies. Last month Google reported that the US government requested personal information from roughly 8,000 individual users during just the first few months of 2012.
“This is the sixth time we’ve released this data, and one trend has become clear: Government surveillance is on the rise,” Google admitted with their report.





