Evidence Shows the Capability to Hack Via Sound Waves

Standard

Computer security researchers from the University of Michigan and the University of South Carolina proved, yesterday, they have discovered a way to hack into a device using sound ways. This newly found weakness allows them to control or influence devices through tiny accelerometers. Accelerometers are instruments that measure acceleration and are manufactured as dynamic silicon chip-based devices used to sense movement or vibrations known as microelectromechanical systems, or MEMS. They are used for navigating, determining the orientation of a tablet and calculating distance in fitness monitors. Accelerometers are standard in consumer products such as smartphones, Fitbits and automobiles.

In the paper highlighting the research, they demonstrate how they were able to add additional steps to a Fitbit monitor, as well as, play a “malicious” music file from a smartphone, demonstrating they can control the phone’s accelerometer. Kevin Fu, one author of the paper, stated, “It’s like the opera singer who hits the note to break a wine glass, only in our case, we can spell out words.” He went on to say, “You can think of it as a musical virus.”

In addition, research from the paper shows that with the toy car, they did not infiltrate the car’s microprocessor, but rather controlled the car by forcing the accelerometer to generate fake readings.

Vinny Troia, CEO of NightLion Security commented, “as we see a heightened push to develop self-driving vehicles from numerous companies, undetected vulnerabilities, such as this one, that could allow an attacker to remotely control a self-driving vehicle is disturbing, but a reality that should be seriously considered.”

Computer security researchers remarked that this is new insight into cybersecurity challenges in complex systems, which show how analog and digital components can interact in unpredictable ways.

The computer security researchers will be presenting their findings at the IEEE European Symposium on Security and Privacy in Paris next month.

Advertisements

Smart Device Manufacturers Effected by WikiLeaks’ Vault 7 Remark on Security Flaws

Standard

WikiLeaks published “Vault 7”, a collection of about 10,000 CIA documents created between 2014 and 2016, this past Tuesday. These documents contain the CIA’s collection on specific software vulnerabilities.

Tech companies such as, Apple, Microsoft and Samsung were specifically mentioned in the documents, in regard to, security holes the CIA uses to hack into their specific smart devices. For example, The CIA can use Samsung’s Smart TV to listen to people even when the TV appears to be off. All three of these companies have addressed the security flaws mentioned and state that they are “looking into” them.

Apple commented late Tuesday, “While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities.” They went on to say, “We always urge customers to download the latest iOS to make sure they have the most recent security updates.”

The Vault 7 leak has brought to light new criticism of the CIA and other intelligence agencies’ practice of discovering security flaws in popular hardware and software, and failing to disclose the flaws to the manufacturers. Both the CIA and Trump administration have denied any comment on the authenticity of these files.

Cybersecurity expert, Vinny Troia commented, “The CIA hiding the security holes in these devices from the manufacturers is frowned upon, but what I really find to be irresponsible is what Wikileaks did. In one breath, they are saying ‘look at all of this technology that the CIA has to spy and harm everyone’, and on the other hand they are saying ‘here it is. Enjoy!’ Just proves the importance of detecting security weaknesses within your own network before they can be used by cyber criminals.”

IoT Teddy Bear Leaks Millions of Voice Recordings from Children and Parents

Standard

CloudPets’ connected stuffed animals leaked more than 2 million voice recordings of parents and children because of their poor database security. This is only the latest compromise happening with children’s toys.

The breach was first reported on Tuesday in a blog post by Troy Hunt, a Microsoft guru who specializes in cloud and online security. Hunt informs that CloudPets’ data was saved to a MongoDB database on an Amazon-hosted service that was publicly available and required no authentication, not even a password. Hunt goes on to say that the database was filed by Shodan, a search engine known for finding connected things, and evidence shows that since December 25, 2016 the stored data had been accessed multiple times by multiple people. CloudPets’ parent company, Spiral Toys, was notified at least four times about the breach, however, Hunt explains that some attempts to contact the company failed due to dead email addresses. In any event, there is no way Spiral Toys was not aware of the leak due to evidence left from criminal ransom demands.

Although this is a wake-up call to parents, businesses can take a lot away from the CloudPets breach, explains cybersecurity expert, Vinny Troia, CEO of NightLion Security. “Many businesses have not taken cybersecurity as seriously as they should be, until it’s too late,” Troia continues, “they take shortcuts that do not properly protect them against cyber criminals, and then are floored when their system becomes compromised.” Troia goes onto to explain that today cybersecurity needs to be at the forefront of businesses’ minds or they are going to be the next Spiral Toys.

The CloudPets incident is only the most recent compromise involving IoT toys, but they are certainly not the last. Both businesses and parents need to take the proper steps to protect the user data and their children from the darker side of the cyber world.

2017 Phishing Scam is the Most Dangerous the IRS has Seen in Years

Standard

Tax season is upon, which means time for the Internal Revenue Service (IRS) to release its “Dirty Dozen” scam list for 2017. This annual list features numerous schemes taxpayers may encounter throughout the year, but mostly occur during tax season.

It is no surprise that phishing scams are at the top of the list. Earlier this month, the IRS warned about a very refined and evolving W-2 scam that is targeting school districts, corporations, hospitals, nonprofits and regular taxpayers. According to the IRS, this particular phishing scam is not an IRS impersonation, but instead scammers are sending an email to a company’s payroll department as a company executive. The email requests a list of employees and their W-2 information, which gives the scammer access to the employees’ personal and tax information.

IRS Commissioner, John Koskinen, commented, “this is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.’’

To view the rest of the “Dirty Dozen”, click here.

Koskinen advises people to avoid opening emails or clicking on websites stating to be from the IRS. He goes on to remind that if it sounds too good to be true it probably is. In addition to Koskinen’s advice, cybersecurity expert, Vinny Troia, CEO of NightLion Security adds, “cyber criminals are getting smarter. Make sure you’re using strong, tricky passwords to protect your personal information and networks. All sensitive information should be backed up with two-step authentication, which helps prevent cyber criminals from hacking into a system. Be completely sure your network has no vulnerabilities these hackers can exploit; my team offers 24/7 emergency service to companies who have been exploited.”

Being aware of the latest scams is half the battle, good luck out there.

Banks Infected with Invisible Malware, World-Wide

Standard

Banks around the world are being infected with a new form of fileless malware. This type of malware is invisible, as it lies undetected within the memory of a bank’s network gathering passwords and administrative information. The malware then feeds this data back to the hackers, who use it to control the bank’s computer system remotely.

According to Kaspersky Lab, who discovered the new form of malware, there have been reports of this malware at 140 different enterprises in 40 different countries throughout the globe, including: banks, telecoms and government institutions. The United States being hit the hardest with 21 reported incidents.

“What is interesting here is that these attacks are ongoing globally against banks themselves,” said Kaspersky Lab expert Kurt Baumgartner to Ars Technica late last week. Baumgartner went on to explain, “the banks have not been adequately prepared in many cases to deal with this.”

Kaspersky Lab is unsure who is behind the attack or if it is more than one group using the same tools. They plan on releasing their findings later today.

Whoever is behind these attacks is focusing on computers that run automatic teller machines and “pushing money out of the banks from within the banks,” explains Baumgartner. He goes on to say that many of these attacks varied in the way they were executed, which is why they think numerous groups could be involved.

Fileless malware attacks are becoming more common than anyone imagined, which is why cyber security has become such an important tool. Digital Forensic Firms, such as, NightLion Security, offer malware detection and removal with 24/7 service. Vinny Troia, CEO of the St. Louis Digital Forensics Firm, commented that banks are being targeted because they do not have the proper security in place to protect them against this type of invisible malware distribution.

Google Blocks all JavaScript Files from Gmail

Standard

On February 13, Gmail is no longer allowing emails to be sent with a JavaScript attachment. Gmail restricts numerous file attachments for security purposes and now .js files have been added to the list.

Google has begun forbidding .js attachments because of the increase in malware found in them.”JavaScript files have been the main source of malware viruses within the past few years”, says NighLion Security CEO Vinny Troia.

That being said, Gmail users should keep in mind that malware can be found within other file attachments that are not yet a part of Gmail’s restricted list. According to iTech Post, Malware is being reported to have switched from using JavaScript to SVG attachments and malicious LNK. The malware is being embedded into ZIP archives with malicious PowerShell scripts attached.

Per security experts, PowerShell is a scripting language in the Windows system used for automated administration tasks. These scripts have been used to download malware in the past, and some malware programs are written entirely in PowerShell.

Regardless of this malware switch, by blocking emails with JavaScript attachments Gmail is eliminating one of the main sources of malware transportation. Nonetheless, if you need to send a .js file for a legitimate purpose, you can do so using Google Drive, Google Cloud Storage or other types of storage solutions.

Generally, if you don’t know a file type or what it does, do not ever open it.

 

U.S. Steel Blames China of Hacking

Standard

U.S. Steel Corp. in Pittsburgh is accusing the Chinese government hackers of stealing private methods for creating a lightweight steel. The complaint filed with the International Trade Commission said a Pittsburgh researcher’s computer was hacked in 2011. The ITC is deciding whether they need to investigate the matter further.

China’s Commerce Ministry advised U.S. to discard the complaint since they are “completely without factual basis.”

The plans that were apparently stolen included the chemistry for the alloy and its coating, the temperature for heating and cooling the metal, and the layout of the production lines. The hackers stole designs that were made for U.S. Steel’s most valuable products, a metal called Dual-Phase 980. After the hacking occurred, according to the World Steel Association, a Chinese steel company called Baosteel Group Corp. had a new line of products, including the Dual-Phase 980. Baosteel explains these accusations as “complete nonsense.”

Visit Security Services Provider to learn how you can prevent hacking.