How to Hack an iPhone With a USB Charger

June 3, 2013 – 11:57 PM

When it comes to threats to mobile devices, most people don’t think of chargers as a likely point of attack. But plugging in an iPhone — or any smartphone or tablet — could come at a price.

At next month’s Black Hat security conference in Las Vegas, three Georgia Institute of Technology researchers will show how a USB-connected charger can silently install malicious code onto an iOS device. It’s a concept referred to in computer-security circles as “juice jacking.”

Boston-based security expert Jonathan Zdziarski, who designs iOS hacking tools for law enforcement, said he’s long been aware that Apple devices are vulnerable to such attacks — and that the exploit the Georgia Tech researchers will show may be just the tip of the iOS-weakness iceberg.

Source:
http://news.hitb.org/content/how-hack-iphone-usb-charger

How to Secure USB Drives and Other Portable Storage Devices

May 29, 2013 – 7:50 AM

As individuals and organizations digitize more data, they become more susceptible to major data breaches. Though convenient, inexpensive USB flash memory sticks and other portable storage devices certainly don’t help the cause, because workers use them to transport databases and other confidential information. On top of the real danger of misused data, major data breaches also cause damaging negative publicity.

It may seem inherently complex, but securing portable storage devices is within reach for small businesses. Here’s what organizations can do to secure their data.

Above All, Encrypt Your Data

Before discussing common methods of securing portable storage devices, it’s worth highlighting an often-underappreciated advantage of encrypting data on portable storage devices. Specifically, properly encrypted data offers a safety net against potentially embarrassing or damaging data surfacing from storage devices that were discarded or sold off.

Many businesses don’t realize how easily deleted files can be retrieved with off-the-shelf recovery software from mechanical storage devices such as hard disk drives (HDD) or USB drives. Reconstituting previously encrypted data, on the other hand, is far more involved, as it requires the original credentials or even a copy of the decryption key.

An encrypted storage device with a decryption key that’s been erased, or one with a good authentication passphrase, offers a good safeguard against malicious data recovery. A thoroughly wiped or physically destroyed storage device remains the most secure defense against data leakage, though.

Source:
http://www.cio.com/article/734016/How_to_Secure_USB_Drives_and_Other_Portable_Storage_Devices

New Malware Can Bypass BIOS Security

May 25, 2013 – 8:24 AM

As more hardware vendors seek to implement the new NIST 800-155 specification that was designed to make the start-up BIOS firmware on our PCs and laptops more secure, they may need to rethink the security assumptions upon which the standard depends. A trio of researchers from The MITRE Corp. say that the current approach relies too heavily on access control mechanisms that can easily be bypassed.

The researchers are taking their message to Black Hat USA later this summer in a talk where they plan to unveil new malware proofs-of-concept that can trick an endpoint’s Trusted Platform Module (TPM) chip into thinking the BIOS firmware is clean and can keep infecting the BIOS after it has been flashed or reset, or even after it has been updated.

“The NIST document is sort of emphasizing access control mechanisms as a way to protect firmware,” says Corey Kallenberg, security researcher with MITRE. “Whereas our stance is, look, access control mechanisms are going to fail, you have to assume that the attacker is going to find a way to get into your firmware.”

His colleague, John Butterworth, says there already has been an established history of researchers who have managed to bypass access controls in the BIOS.

“For example, Invisible Things Lab showed in 2009 how firmware signing could be bypassed to arbitrarily modify the BIOS,” he says. “We believe that this trend will continue in the future.”

Together with Xeno Kovah, lead infosec engineer at MITRE, Butterworth and Kallenberg are taking these bypass methods a step further with the research they’ll unveil at Black Hat, which supports their claims about the insecurity of the current methods used to assure the integrity of the BIOS.

Currently, system TPM chips depend on code stored on the BIOS flash chip to perform a BIOS measurement and send that platform configuration register (PCR) value to the TPM chip as an assurance that the BIOS remains unmolested. In most cases, if the BIOS is manipulated, then the PCR value will change and will break the chain of trust with the TPM.

Source:
http://www.darkreading.com/vulnerability/bios-bummer-new-malware-can-bypass-bios/240155473

Twitter Gets Two-Factor Authentication

May 22, 2013 – 5:17 PM

Today we’re introducing a new security feature to better protect your Twitter account: login verification.

This is a form of two-factor authentication. When you sign in to twitter.com, there’s a second check to make sure it’s really you. You’ll be asked to register a verified phone number and a confirmed email address. To get started, follow these steps:

  1. Visit your account settings page.
  2. Select “Require a verification code when I sign in.”
  3. Click on the link to “add a phone” and follow the prompts.
  4. After you enroll in login verification, you’ll be asked to enter a six-digit code that we send to your phone via SMS each time you sign in to twitter.com.

Source:
https://blog.twitter.com/2013/getting-started-login-verification

Why Email is a Key to Your Castle

May 21, 2013 – 6:08 PM

Having control over an email account can be a lot of power, even though most people would probably say they do not care if someone else is reading their private emails. But it’s not always about reading those private emails. Of course there have been quite a few attacks where secrets were revealed by snooping through emails of hacked accounts. The reasons range from jealous spouses searching for proof of an assumed affair to something as serious as corporate espionage, in which certain parties are seeking essential information about a critical deal. Other attackers may use the compromised account to send social engineering messages to all contacts stored in the email account, posing as the person whose account has been hacked.

Nowadays an email account is much more than just sending and receiving emails. Many free service providers like Microsoft or Google have various additional services attached to email accounts. Having access to these accounts means having access to such things as private photos that were uploaded to the account. There have been a few cases where attackers broke into email accounts and found sensitive pictures, like naked photos, and then blackmailed the owner of the account. While most people are smart enough not to upload such pictures, with the integrated cloud storage that is available with many services now there may be all kinds of files stored in those accounts, such as password files, license files, tax records, passport scans, company documents, and more.

The power of an email account can be even larger than this, as its scope is much greater. Many online services use the email address as a user name. Therefore, knowing the email address and the email account password can give the attacker access to many different accounts besides the email provider, as many services offer to reset a forgotten password through email, even if the user does not use the same password on different services. Controlling the email account means controlling the password reset emails of other services and therefore gaining access to many different services regardless of what passwords they use.

Every time there is a data breach and email and passwords are publicly posted, other attackers will take this information and start new attacks with it. The first thing they usually try is to check whether the same password also accesses the email account.

Source:
http://www.symantec.com/connect/blogs/why-email-key-your-castle