While updating its Phone Breaker software for iOS 10, Elcomsoft, a Russian cybersecurity firm, discovered a security flaw where encrypted backups can be hacked fairly easily. Apple’s chosen password verification method contains a flaw that makes it possible to bypass some security checks. In the past, iOS 9 limited the number of password attempts that could be made, even with GPU acceleration, to 150k times a second. With iOS 10, the flaw allows 6 million times a second. By allowing more attempts in a second, the risk of hackers successfully entering the phone has increased tremendously. Elcomsoft says at that speed “hackers would only need to leave their software running for 2 days until the odds of success approached 90 percent”. But the real risk is the local encrypted backup done through iTunes. With a full backup, a user’s keychain, Apple’s storage system for passwords, cc numbers and other personal info, is encrypted and stored on the local PC/machine. With the possibility of being able to retrieve the password fairly easily, hackers can gain access to the PC/machine containing the backup and decrypt it as well as the keychain to gain access to personal information.
http://www.techrepublic.com/article/beware-ios-10-security-flaw-makes-cracking-encrypted-backups-2500-times-easier/
iOS 10 Security Flaw makes cracking encrypted backups easier
“FAA Advisory Body Recommends Cybersecurity Measures”
Recently, the RCTA developed drafting guidelines for the security performance standards in the aviation industry. With the guidelines, the Federal Aviation Administration aimed to ensure that cybersecurity protections will be incorporated into routine activities and day-to-day operation from the air to the ground on manufacturers, carriers, maintenance facilities and airports. Cyber issues in the aviation industry were elevated to such a high priority for the first time. I think it is important that the FAA pay attention to cyber security in the aviation industry. It will be super dangerous if terrorists hacked into a flying plane or airport control tower. From the articles I found through the past 5 weeks, I realized that cyber security is not only about confidential information to business or privacy to individuals; it also relates to our safety.
Article: http://www.wsj.com/articles/faa-advisory-body-recommends-cybersecurity-measures-1474587049
F.B.I. Impersonate Journalist and media organizations call foul
This article is about the F.B.I. impersonating a journalist in 2007 and using tracking software to locate the individual. The media organizations did not approve of the methods that were used, stating that it would taint the media’s credibility. The D.O.J. Office of the Inspector General report that was released stated that the F.B.I. did not violate any policies that were in place at the time, but now, as of June 2016, an agent has to get high-level approval to pose as a journalist.
Yahoo Confirms 500 Million Accounts Were Hacked by ‘State Sponsored’ Hackers
Article Link: http://thehackernews.com/2016/09/yahoo-data-breach.html
The following article discusses a data breach at Yahoo that happened back in 2014. Account information for over 200 Million Yahoo accounts was being sold on the Dark Web. An estimate claims that 500 Million accounts could have been affected. No credit card information was obtained, but user logins, passwords, security question answers and questions were stolen.
Yahoo claims that it was a state sponsored attack, but has not revealed any proof of that comment.
Yahoo users are urged to change their password.
In reviewing this article, it’s scary. From the teen in the basement to the state sponsored hacker, there is so much to watch out for! I think about my own life. All the information that is put out there in things like Google Mail and Docs. It’s scary to know that we can take the best precautions to protect our information, but once it leaves our hands, it’s out there. We have no accountability for the safety of our information that we put out in Cyberspace! But yet, we continue to do it more and more, at an alarming rate!
Biometric Skimmers Pose Emerging Threat To ATMs
I came across this article today that discussed how banks are aggressively moving towards bio-metric authentication methods while cyber criminals are already coming up with and testing ways to defeat these. For the last few years banks have been trying to find another authentication method to protect their PIN-authenticated ATMs from skimmers. The banks have started to install fingerprint, facial, and palm nerve scanners on ATMs to provide an additional layer of security. Criminals are already implementing ways to fool these scanners. It can be very concerning if your bio-metric security is compromised since you cannot just change it like a password.
It’s a perfect example of how difficult it is to stay ahead of cyber crime. Bio-metrics technology has been around for quite some time but is just beginning to be rolled out for this use and we already have to determine what’s next from here.
Reconnaissance Report: Trillium Technologies Inc.
SWIFT Moves to Combat Inter-Bank Fraud
I posted an article about how SWIFT was going to start punishing their customer banks by disclosing the bank’s security gap in order to get them to comply. Well, it looks like SWIFT is now trying to provide these banks with data reports to “supplement its customers’ existing fraud reports.” These reports include an Activity Report and Risk Reports. It will contain “a snapshot view” of the day’s “messaging activity against which to detect unusual pattern.” Basically, these reports will contain the “messaging activity” data for the bank, and it will be compared to the data currently in the bank’s system. If there is a large discrepancy between the bank’s data and the report that SWIFT sends them, there might have been a cyber attack that altered that bank’s data. I don’t know if these reports will be effective at all, but I guess it’s a start. By the time the reports show any abnormal pattern, the bank could have already lost millions of dollars due to a hack.
http://www.securityweek.com/swift-moves-combat-inter-bank-fraud
How Hacked Cameras Are Helping Launch The Biggest Attacks The Internet Has Ever Seen
Brian Krebs is a reporter who does stories on cyber attackers that attack for profit. In his line of work, he is often subject to several threats. He has had SWAT teams show up at his house before, and death threats in the form of flowers. Most recently, his website was the subject of a DDoS attack, sending 600-700 gigabits per second of internet traffic. The security company protecting his site, Prolexic, had to stop supporting his website because it was the subject of so many attacks. His site is now back up and running with Google’s Project Shield. It is meant to protect activists from DDoS attacks. Hackers are using unsecured devices from the Internet of Things (IoT) to launch these attacks. A botnet of 25,000 CCTV cameras was being used to launch attacks across the world.
97% of Top 1,000 Orgs Suffer Credential Compromise
Digital Shadows has found that, for the largest 1,000 organizations in the world, there are more than 5 million leaked credentials. The company said in a blog that, for companies that were the victims of breaches, there are clear reputational, brand and financial implications. The breaches impacting the global 1,000 companies the most were heists at LinkedIn and Adobe, both services that employees can be expected to sign up to with their work accounts. The high level of corporate credentials in the 360 million stolen from MySpace. Gaming sites and dating sites also affected organizations.
The report also found that the UK is one of the most affected regions in the world, with an average of 9,000 leaked credentials per company. Whilst many claimed breaches are often simply copies and reposts of previously leaked databases, this number is lower than expected: only around 10% of claimed breached credentials are duplicated.
Social media and BYOD are the biggest internal security threats for every organization because it is hard to control and monitor every employee. For LinkedIn and Adobe, I can understand why there is a high chance to get your work account from it. I was surprised that dating and gaming sites also threaten organizations. One thing that I can think of to mitigate the risk of leakage is warning your employees not to use their work account and email on any other website, not even for LinkedIn. Other than this, social media is still a great external threat for any organization.
link: http://www.infosecurity-magazine.com/news/97-of-top-1000-orgs-suffer/
Portal Down, Quiz 4 Delayed
With the TU Portal being down until Sunday afternoon, the quiz will be set up for Monday and Tuesday.
Wade