Ars Technica - Risk Assessment


Radio-controlled pacemakers aren’t as hard to hack as you (may) think

Fri, 05/26/2017 - 07:55


Pacemakers are devices that are implanted in the chest or abdomen to control life-threatening heartbeat abnormalities. Once they're in place, doctors use radio signals to adjust the pacemakers so that additional major surgeries aren't required. A study recently found that pacemakers from the four major manufacturers contain security weaknesses that make it possible for the devices to be stopped or adjusted in ways that could have dire effects on patients.

Chief among the concerns: radio frequency-enabled pacemaker programmers don't authenticate themselves to the implanted cardiac devices, making it possible for someone to remotely tamper with them.

"Any pacemaker programmer can reprogram any pacemaker from the same manufacturer," researchers from medical device security consultancy WhiteScope wrote in a summary of their findings. "This shows one of the areas where patient care influenced cybersecurity posture."


Trump has an iPhone with one app: Twitter

Fri, 05/26/2017 - 05:10


Early in March, President Donald Trump surrendered his personal Android phone—the phone from which scores of controversial Twitter posts had been launched. Based on Twitter metadata, Trump retired the Android device after expressing outrage over the DNC's failure to let the FBI search its servers and taunting Arnold Schwarzenegger on March 5. The next day, he replaced it with an iPhone.

According to a report from Axios' Mike Allen, Twitter is the only application running on Trump's new iPhone. And on his current overseas trip, staff have tried to limit his screen time in order to reduce the volume of his 140-character missives, Allen wrote:


How to build your own VPN if you’re (rightfully) wary of commercial options

Fri, 05/26/2017 - 02:00


In the wake of this spring's Senate ruling nixing FCC privacy regulations imposed on ISPs, you may be (even more) worried about how your data is used, misused, and abused. There have been a lot of opinions on this topic since, ranging from "the sky is falling" to "move along, citizen, nothing to see here." The fact is, ISPs tend to be pretty unscrupulous, sometimes even ruthless, about how they gather and use their customers' data. You may not be sure how it's a problem if your ISP gives advertisers more info to serve ads you'd like to see—but what about when your ISP literally edits your HTTP traffic, inserting more ads and possibly breaking webpages?

With a Congress that has demonstrated its lack of interest in protecting you from your ISP, and ISPs that have repeatedly demonstrated a "whatever-we-can-get-away-with" attitude toward customers' data privacy and integrity, it may be time to look into how to get your data out from under your ISP's prying eyes and grubby fingers intact. To do that, you'll need a VPN.

The scope of the problem (and of the solution)

Before you can fix this problem, you need to understand it. That means knowing what your ISP can (and cannot) detect (and modify) in your traffic. HTTPS traffic is already relatively secure—or, at least, its content is. Your ISP can't actually read the encrypted traffic that goes between you and an HTTPS website (at least, they can't unless they convince you to install a MITM certificate, like Lenovo did to unsuspecting users of its consumer laptops in 2015). However, ISPs do know that you visited that website, when you visited it, how long you stayed there, and how much data went back and forth.


E-mails phished from Russian critic were “tainted” before being leaked

Thu, 05/25/2017 - 14:05

This fraudulent e-mail was sent in a successful attempt to phish the Gmail password for reporter David Satter. (credit: Citizen Lab)

E-mails stolen in a phishing attack on a prominent critic of Russian President Vladimir Putin were manipulated before being published on the Internet. That's according to a report published Thursday, which also asserts that the e-mails were manipulated in order to discredit a steady stream of unfavorable articles.

The phishing attack on journalist David Satter's Gmail account was strikingly similar to the one that hit Hillary Clinton presidential campaign chairman John Podesta last year. The attack on Satter looked almost identical to the security warnings Google sends when attackers obtain a subscriber's password. Code embedded inside led Satter to a credential-harvesting site that was disguised to look like Google's password-reset page. With that, the site automatically downloaded all of Satter's private correspondence.

Thursday's report from the University of Toronto's Citizen Lab stopped short of saying Russia's government was behind the phishing attack and subsequent manipulation of Satter's e-mail. US intelligence officials, however, have determined that Russia was behind the attacks on Podesta and other Democratic officials. Thursday's report also said the same attack on Satter targeted 218 other individuals, including a former Russian Prime Minister, members of cabinets from Europe and Eurasia, ambassadors, high-ranking military officers, and CEOs of energy companies.


Florida GOP consultant admits he worked with Guccifer 2.0, analyzing hacked data

Thu, 05/25/2017 - 12:29


A Florida GOP campaign consultant who runs a blog under a pseudonym directly contacted the hackers behind the breach of the Democratic National Committee and the Democratic Congressional Campaign Committee, and he solicited material from them. The Wall Street Journal reports that Aaron Nevins set up a Dropbox account specifically for “Guccifer 2.0” to drop files into, and he received 2.5 GB of data from the Democratic Party breaches—including the “get out the vote” strategy for congressional candidates in Florida.

Nevins analyzed the data and posted his analysis on his blog, HelloFLA.com. Guccifer 2.0 sent a link to the blog to Trump backer Roger Stone, who told the paper he was also in communication with the hackers. Nevins told the Journal that the hackers didn't understand what they had until he explained the data's value.

Some of the most valuable data, Nevins said, was the Democratic Party's voter turnout models. “Basically, if this was a war, this is the map to where all the troops are deployed,” Nevins told the person or persons behind the Guccifer 2.0 account via Twitter. He also told them, “This is probably worth millions of dollars."


A wormable code-execution bug has lurked in Samba for 7 years. Patch now!

Wed, 05/24/2017 - 13:30


Maintainers of the Samba networking utility just patched a critical code-execution vulnerability that could pose a severe threat to users until the fix is widely installed.

The seven-year-old flaw, indexed as CVE-2017-7494, can be reliably exploited with just one line of code to execute malicious code, as long as a few conditions are met. Those requirements include vulnerable computers that (a) make file- and printer-sharing port 445 reachable on the Internet, (b) configure shared files to have write privileges, and (c) use known or guessable server paths for those files. When those conditions are satisfied, remote attackers can upload any code of their choosing and cause the server to execute it, possibly with unfettered root privileges depending on the vulnerable platform.

"All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it," Samba maintainers wrote in an advisory published Wednesday. They urged anyone using a vulnerable version to install a patch as soon as possible.


Breaking the iris scanner locking Samsung’s Galaxy S8 is laughably easy

Tue, 05/23/2017 - 11:10


Hackers have broken the iris-based authentication in Samsung's Galaxy S8 smartphone in an easy-to-execute attack that's at odds with the manufacturer's claim that the mechanism is "one of the safest ways to keep your phone locked."

The cost of the hack is less than the $725 price for an unlocked Galaxy S8 phone, hackers with the Chaos Computer Club in Germany said Tuesday. All that was required was a digital camera, a laser printer (ironically, models made by Samsung provided the best results), and a contact lens. The hack required taking a picture of the subject's face, printing it on paper, superimposing the contact lens, and holding the image in front of the locked Galaxy S8. The photo need not be a close-up, although using night-shot mode or removing the infrared filter helps. The hackers provided a video demonstration of the bypass.

Starbug, the moniker used by one of the principal researchers behind the hack, told Ars he singled out the Samsung Galaxy S8 because it's among the first flagship phones to offer iris recognition as an alternative to passwords and PINs. He said he suspects future mobile devices that offer iris recognition may be equally easy to hack. Despite the ease, both Samsung and Princeton Identity, the manufacturer of the iris-recognition technology used in the Galaxy S8, say iris recognition provides "airtight security" that allows consumers to "finally trust that their phones are protected." Princeton Identity also said the Samsung partnership "brings us one step closer to making iris recognition the standard for user authentication."


Examining the FCC claim that DDoS attacks hit net neutrality comment system

Tue, 05/23/2017 - 09:00


On May 8, when the Federal Communications Commission website failed and many people were prevented from submitting comments about net neutrality, the cause seemed obvious. Comedian John Oliver had just aired a segment blasting FCC Chairman Ajit Pai's plan to gut net neutrality rules, and it appeared that the site just couldn't handle the sudden influx of comments.

But when the FCC released a statement explaining the website's downtime, the commission didn't mention the Oliver show or people submitting comments opposing Pai's plan. Instead, the FCC attributed the downtime solely to "multiple distributed denial-of-service attacks (DDoS)." These were "deliberate attempts by external actors to bombard the FCC's comment system with a high amount of traffic to our commercial cloud host," performed by "actors" who "were not attempting to file comments themselves; rather, they made it difficult for legitimate commenters to access and file with the FCC."

The FCC has faced skepticism from net neutrality activists who doubt the website was hit with multiple DDoS attacks at the same time that many new commenters were trying to protest the plan to eliminate the current net neutrality rules. Besides the large influx of legitimate comments, what appeared to be spam bots flooded the FCC with identical comments attributed to people whose names were drawn from data breaches, which is another possible cause of downtime. There are now more than 2.5 million comments on Pai's plan. The FCC is taking comments until August 16, and will make a final decision sometime after that.


There’s new evidence tying WCry ransomware worm to prolific hacking group

Mon, 05/22/2017 - 17:34


Researchers have found more digital fingerprints tying this month's WCry ransomware worm to the same prolific hacking group that attacked Sony Pictures in 2014 and the Bangladesh Central Bank last year.

Last week, a researcher at Google identified identical code found in a WCry sample from February and an early 2015 version of Contopee, a malicious backdoor used by Lazarus Group, a hacking team that has been operating since at least 2011. Additional fingerprints linked Lazarus Group to hacks that wiped almost a terabyte's worth of data from Sony Pictures and siphoned a reported $81 million from the Bangladesh Central Bank last year. Researchers say Lazarus Group carries out hacks on behalf of North Korea.

On Monday, researchers from security firm Symantec presented additional evidence that further builds the case that WCry, which is also known as WannaCry, is closely linked to Lazarus Group. The evidence includes:


“Yahoobleed” flaw leaked private e-mail attachments and credentials

Mon, 05/22/2017 - 09:51


For years, Yahoo Mail has exposed a wealth of private user data because it failed to update widely used image-processing software that contained critical vulnerabilities. That's according to a security researcher who warned that other popular services are also likely to be leaking sensitive subscriber secrets.

Chris Evans, the researcher who discovered the vulnerabilities and reported them privately to Yahoo engineers, has dubbed them "Yahoobleed" because the vulnerabilities caused the site to bleed contents stored in server memory. The easy-to-exploit flaws resided in ImageMagick, an image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other programming languages. One version of Yahoobleed was the result of Yahoo failing to install a critical patch released in January 2015. A second Yahoobleed vulnerability was the result of a bug that ImageMagick developers fixed only recently after receiving a private report from Evans.

The vulnerability discovered by Evans could be exploited by e-mailing a maliciously manipulated image file to a Yahoo Mail address. After opening the 18-byte file, chunks of Yahoo server memory began leaking to the end user. Evans called this version of the attack "Yahoobleed1." "Yahoobleed2" worked by using a hacking tool known as "Strings" to exploit the vulnerability fixed in January 2015.


Windows 7, not XP, was the reason last week’s WCry worm spread so widely

Sat, 05/20/2017 - 07:00


Eight days ago, the WCry ransomware worm attacked more than 200,000 computers in 150 countries. The outbreak prompted infected hospitals to turn away patients and shut down computers in banks and telecoms. Now that researchers have had time to analyze the self-replicating attack, they're learning details that shed new and sometimes surprising light on the world's biggest ransomware attack.

Chief among the revelations: more than 97 percent of infections hit computers running Windows 7, according to attacks seen by antivirus provider Kaspersky Lab. By contrast, infected Windows XP machines were practically non-existent, and those XP PCs that were compromised were likely manually infected by their owners for testing purposes. That's according to Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team, who spoke to Ars.

While the estimates are based only on computers that run Kaspersky software, as opposed to all computers on the Internet, there's little question Windows 7 was overwhelmingly affected by WCry, which is also known as "WannaCry" and "WannaCrypt." Security ratings firm BitSight found that 67 percent of infections hit Windows 7, Reuters reported.


More people infected by recent WCry worm can unlock PCs without paying ransom

Fri, 05/19/2017 - 06:20


New hope glimmered on Friday for people hit by last week's virulent ransomware worm after researchers showed that a broader range of PCs infected by WCry can be unlocked without owners making the $300 to $600 payment demand.

A new publicly available tool is able to decrypt infected PCs running Windows XP, 7, and 2003, and one of the researchers behind the decryptor said it likely works for other Windows versions, including Vista, Server 2008, and 2008 R2. The tool, known as wanakiwi, builds off a key discovery implemented in a different tool released Thursday. Dubbed Wannakey, the previous tool provided the means to extract key material from infected Windows XP PCs but required a separate app to transform those bits into the secret key required to decrypt files.

Matt Suiche, cofounder of security firm Comae Technologies, helped develop and test wanakiwi and reports that it works. Europol, the European Union's law-enforcement agency, has also validated the tool. Suiche has published technical details here, and provided the following screenshot of the tool in action:


BostonGlobe.com disables articles when your browser’s in private mode

Fri, 05/19/2017 - 06:02

BostonGlobe.com has a new message for visitors using private mode.

The Boston Globe website is closing off a hole in its paywall by preventing visitors who aren't logged in from reading articles in a browser's private mode.

"You're using a browser set to private or incognito mode" is the message given to BostonGlobe.com visitors who click on articles in private mode. "To continue reading articles in this mode, please log in to your Globe account." People who aren't already Globe subscribers are urged to subscribe.

Like other news sites, the Globe limits the number of articles people can read without a subscription. Until the recent change, Globe website visitors could read more articles for free by switching to private or incognito mode. (You can still get a new supply of free articles by clearing the Globe's cookies from your browser.)


Something about Trump cybersecurity executive order seems awfully familiar

Thu, 05/18/2017 - 11:53

President Trump's executive order on cybersecurity is built on the orders and policies of his predecessor, and is almost entirely apolitical. (credit: Jabin Botsford/The Washington Post via Getty Images)

Last week, amidst the whirlwind surrounding the firing of FBI Director James Comey, President Donald Trump signed his long-promised executive order on federal government cybersecurity. While many of the other orders issued by Trump have been politically fraught, this one is not; it's possibly the least controversial document to be adorned with the president's signature since his inauguration.

In fact, aside from some of the more Trumpian language in the order, this Executive Order could have easily been issued by the Obama administration. That's because it largely is based on policies and procedures that were spearheaded by President Obama's staff.

"My initial reaction to the order is, 'this is great,'" former National Security Council Director for Cybersecurity Policy Ben Flatgard told Ars. "Trump just endorsed Barack Obama's cybersecurity policy." Flatgard was one of the principal authors of the Obama administration's Cyber National Action Plan (CNAP), published in February of 2016.


Windows XP PCs infected by WCry can be decrypted without paying ransom

Thu, 05/18/2017 - 07:32


Owners of some Windows XP computers infected by the WCry ransomware may be able to decrypt their data without making the $300 to $600 payment demand, a researcher said Thursday.

Adrien Guinet, a researcher with France-based Quarkslab, has released software that he said allowed him to recover the secret decryption key required to restore an infected XP computer in his lab. The software has not yet been tested to see if it works reliably on a large variety of XP computers, and even when it does work, there are limitations. The recovery technique is also of limited value because Windows XP computers weren't affected by last week's major outbreak of WCry. Still, it may be helpful to XP users hit in other campaigns.

"This software has only been tested and known to work under Windows XP," he wrote in a readme note accompanying his app, which he calls Wannakey. "In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!"


Fearing Shadow Brokers leak, NSA reported critical flaw to Microsoft

Wed, 05/17/2017 - 09:41

An aerial view of the NSA. (credit: nsa.gov)

After learning that one of its most prized hacking tools was stolen by a mysterious group calling itself the Shadow Brokers, National Security Agency officials warned Microsoft of the critical Windows vulnerability the tool exploited, according to a report published Tuesday by The Washington Post. The private disclosure led to a patch that was issued in March.

Those same NSA officials, according to Tuesday's report, failed to communicate the severity of the vulnerability to the outside world. A month after Microsoft released the patch, the Shadow Brokers published the attack code, code-named EternalBlue, that exploited the critical Windows vulnerability. A month after that, attackers used a modified version of EternalBlue to infect computers around the world with malware that blocked access to data. Within hours of the outbreak of the ransomware worm dubbed WCry, infected hospitals turned away patients; banks, telecommunications companies, and government agencies shut down computers.

"NSA identified a risk and communicated it to Microsoft, who put out an immediate patch," Mike McNerney, a former Pentagon cybersecurity official and a fellow at the Truman National Security Project, told The Washington Post. The problem, he said, is that no senior official took the step of shouting to the world: "This one is very serious, and we need to protect ourselves."


WCry ransomware worm’s Bitcoin take tops $70k as its spread continues

Tue, 05/16/2017 - 08:09


WCry, the National Security Agency exploit-powered ransomware worm that began spreading worldwide on Friday, had reportedly affected hundreds of thousands of computers before the weekend, but the malware had only brought in about $20,000 in ransom payments. However, as the world returned to the office on Monday, those payments have been rapidly mounting, based on tracking data for the three Bitcoin wallets tied by researchers to the malware. As of noon Eastern Time on Monday, payments had reached an estimated $71,000 since May 12. So far, 263 payments have been made to the three wallets linked to the code in the malware.

The payment history for each wallet shows individual transactions ranging mostly between 0.16 and 0.34 Bitcoin (approximately $300 and $600, respectively), with the number of larger payments increasing over time. Different ransom amounts have been presented to victims, and the price of Bitcoin has climbed dramatically over the past week, causing some variation in the payment sizes.

According to researchers at Symantec Security Response, tracking ransom transactions would have been much more difficult if not for a bug in code that was supposed to create an individual bitcoin wallet for each victim:


Trump confirms he shared intel with Russia’s foreign minister

Tue, 05/16/2017 - 04:43

WASHINGTON, DC - MAY 15: National Security Adviser Army Lt. Gen. H.R. McMaster preparing to make a statement to reporters on May 15 regarding President Trump's sharing of intelligence with Russian officials. (credit: Photo by Jabin Botsford/The Washington Post via Getty Images)

In an Oval Office meeting the day after firing FBI Director James Comey, President Donald Trump reportedly shared intelligence from an allied nation's sources on an Islamic State plot to bring down passenger airplanes with laptop computers turned into bombs. The intelligence, which was apparently behind reports that the US will extend a ban on laptops to include flights from Europe, had been highly classified because of the sensitivity of its source.

Statements from President Trump on Twitter and from White House National Security Advisor Lt. Gen. H.R. McMaster did not directly contradict details initially reported by the Washington Post late on Monday. McMaster said that no sources or methods were exposed in the conversation. However, the unnamed officials cited in the Post report were concerned that Trump's citing of the exact location "in the Islamic State’s territory where the US intelligence partner detected the threat" could expose the source. Tuesday morning, Trump tweeted:

As President I wanted to share with Russia (at an openly scheduled W.H. meeting) which I have the absolute right to do, facts pertaining....

— Donald J. Trump (@realDonaldTrump) May 16, 2017

...to terrorism and airline flight safety. Humanitarian reasons, plus I want Russia to greatly step up their fight against ISIS & terrorism.

— Donald J. Trump (@realDonaldTrump) May 16, 2017

Trump also lashed out at the intelligence community for leaking about his actions:


Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry

Mon, 05/15/2017 - 19:38

A cryptocurrency mining farm. (credit: Marco Krohn)

On Friday, ransomware called WannaCry used leaked hacking tools stolen from the National Security Agency to attack an estimated 200,000 computers in 150 countries. On Monday, researchers said the same weapons-grade attack kit was used in a much earlier and possibly larger-scale hack that made infected computers part of a botnet that mined cryptocurrency.

Like WannaCry, this earlier, previously unknown attack used an exploit codenamed EternalBlue and a backdoor called DoublePulsar, both of which were NSA-developed hacking tools leaked in mid-April by a group calling itself Shadow Brokers. But instead of installing ransomware, the campaign pushed cryptocurrency mining software known as Adylkuzz. WannaCry, which gets its name from a password hard-coded into the exploit, is also known as WCry.

Kafeine, a well-known researcher at security firm Proofpoint, said the attack started no later than May 2 and may have begun as early as April 24. He said the campaign was surprisingly effective at compromising Internet-connected computers that have yet to install updates Microsoft released in early March to patch the critical vulnerabilities in the Windows implementation of the Server Message Block protocol. In a blog post published Monday afternoon, Kafeine wrote:


Virulent WCry ransomware worm may have North Korea’s fingerprints on it

Mon, 05/15/2017 - 11:21

Identical code found in WCry and a 2015 malicious backdoor could be a smoking gun that provides crucial clues about the origin of Friday's ransomware worm. (credit: Jo Christian Oterhals)

A researcher has found digital fingerprints that tie the WCry ransomware worm that menaced the world on Friday to a prolific hacking operation that previously generated headlines by attacking Sony Pictures, the Bangladesh Central Bank, and South Korean banks.

The link came in a cryptic Twitter message from Neel Mehta, a security researcher at Google. The tweet referenced identical code found in a WCry sample from February and an early 2015 version of Contopee, a malicious backdoor used by Lazarus Group, a hacking team that has been operating since at least 2011. Previously discovered code fingerprints already tied Lazarus Group to the highly destructive hack that caused hard drives in South Korea to self-destruct in 2013, wiped almost a terabyte's worth of data from Sony Pictures in 2014, and siphoned almost $1 billion from the Bangladesh Central Bank last year by compromising the SWIFT network used to transfer funds.

Red highlights show identical code shared between a February version of WCry and a 2015 backdoor used by Lazarus Group.

Over a matter of hours on Friday, WCry used leaked National Security Agency-developed code to attack an estimated 200,000 computers in 150 countries. Also known as WannaCry, the self-replicating malware encrypted hard drives until victims paid ransoms ranging from $300 to $600. Infected hospitals soon responded by turning away patients and rerouting ambulances. Businesses and government agencies all over the world quickly disconnected computers from the Internet, either because they were no longer working or to prevent them from being hit. The outbreak was largely contained because the attackers failed to secure a domain name hard-coded into their exploit.
