Wednesday, 3 February 2010

Researchers Uncover Security Vulnerabilities in Femtocell Technology

By Brian Prince
eWEEK.com
2010-02-01

Two Trustwave security consultants report they have uncovered hardware and software vulnerabilities in femtocell devices that can be used to take over the device. The duo will present their findings at the ShmooCon conference in Washington.

Researchers with Trustwave have discovered flaws in the hardware and software of femtocell devices that can allow an attacker to take full control of the miniature cell towers without the user's knowledge.

Zack Fasel and Matthew Jakubowski, security consultants with Trustwave's SpiderLabs, will present their findings at ShmooCon, held Feb. 5 to 7 in Washington.

"Our original [area of] curiosity was whether these devices could be utilized to supplement cellular deployment in third-world countries (such as the OpenBTS+Asterisk project) in a much cheaper package ($250 compared to over $1,200 for a USRP hardware device plus server costs),"
Fasel explained. "After hours of sniffing traffic, changing IP address ranges, guessing passwords and investigating hardware pinouts, we had obtained root access on these Linux-based cellular-based devices, which piqued our curiosity [about] the security implications."

Femtocell devices are small cellular base stations used to increase wireless coverage in areas with limited service. Because a cell phone does not have business logic to prevent it from connecting to a wireless device acting as a tower that has been tampered with, it is possible for malicious users to abuse that trust and sniff traffic as it traverses the network.

"Through the theoretical attack method outlined in our talk, the attacker would compromise the femtocell device to gain full root access over the device," Fasel said. "As the attacker has access to the device, any services the device offers [are] subject to the attacker's control, including voice, data, authentication and access to the femtocell's home network."

Hacking for Fun and Profit in China's Underworld

By David Barboza
The New York Times
February 1, 2010

CHANGSHA, China -- With a few quick keystrokes, a computer hacker who goes by the code name Majia calls up a screen displaying his latest victims.

"Here's a list of the people who've been infected with my Trojan horse,"
he says, working from a dingy apartment on the outskirts of this city in central China. "They don't even know what's happened."

As he explains it, an online "trapdoor" he created just over a week ago has already lured 2,000 people from China and overseas -- people who clicked on something they should not have, inadvertently spreading a virus that allows him to take control of their computers and steal bank account passwords.

Majia, a soft-spoken college graduate in his early 20s, is a cyberthief.

He operates secretly and illegally, as part of a community of hackers who exploit flaws in computer software to break into Web sites, steal valuable data and sell it for a profit.

Homeland Security Plans Cybersecurity, Data Center Investments

By Elizabeth Montalbano
InformationWeek
February 2, 2010

The Department of Homeland Security is looking to invest nearly $900 million in fiscal 2011 on technology projects that include bolstering cyber security and continued work on a data center consolidation project that's already underway.

Other IT priorities listed as part of the department's proposed $56.3 billion budget, unveiled Monday, include improvements to an existing Internet-based verification program that lets employers check that someone is legally allowed to work in the United States and technology for airport security.

Overall, DHS said that protecting the United States against terrorism and other threats and promoting fiscal responsibility and efficiency within the department are its top priorities for fiscal 2011 funding.

DHS is asking for $379 million to go to its National Cyber Security Division (NCSD) to develop capabilities for preventing and responding to cyber attacks. The department plans to use the money to identify and reduce vulnerabilities within both its .gov and .com Internet domains, officials said on a conference call.

NCSD is a division within DHS that's meant to work collaboratively with public, private, and international organizations to secure cyberspace and the U.S. government's cyber infrastructure. At the same time that it's investing in cybersecurity, the Obama administration has made several key appointments to oversee such efforts, including cybersecurity coordinator Howard Schmidt.

Cheap Antivirus Suites with iRemove Amsterdam

iRemove Amsterdam, AVG Internet Security Licenses Available, Reduced Price.

Contact infected@iremove.nl for more prices and deals.

Other offers include :

AVG 9.0 Antivirus

SurfRight Hitman Pro 3.0 Yearly License

SurfRight Caretaker Anti-Spam Assasin, cleans 99% of all spam before it hits your inbox.

Prevx 3.0 AntiMalware Realtime protection + Safe Online Secure Bank Browsing . Yearly License.

Oracle Hacker Gets The Last Word

By Andy Greenberg
Forbes.com
02.02.10

ARLINGTON, Va. -- In 2001, Larry Ellison brashly proclaimed in a keynote speech at the computing conference Comdex that his database software was "unbreakable." David Litchfield has devoted the last nine years to making the Oracle chief executive regret that marketing stunt.

At the Black Hat security conference Tuesday afternoon, Litchfield unveiled a new bug in Oracle's 11G database software, a critical, unpatched vulnerability that would allow a hacker to take control of an Oracle database and access or modify information at any security level.
"Anything that God can do on that database, you can do," Litchfield told Forbes in an interview following his talk.

The attack that Litchfield laid out for Black Hat's audience of hackers and cybersecurity researchers exploits a combination of flaws in Oracle's software. Two sections of code within the company's database application--one that allows data to be moved between servers and another that allows management of Oracle's implementation of java--are left open to any user, rather than only to privileged administrators.
Those vulnerable subroutines each have their own simple flaws that allow the user to gain complete access to the database's contents.

Litchfield says he warned Oracle about the flaws in November, but they haven't been patched. Oracle didn't immediately respond to a request for comment.

The bug is far from the first that 34-year-old Litchfield has outed on Oracle's behalf. As a cybersecurity researcher and penetration tester, Litchfield has exposed more than a thousand database software security flaws, mostly in Oracle's code.

[...]

At Black Hat, a search for the best response to China

By Patrick Thibodeau
Computerworld
February 2, 2010

ARLINGTON, Va. -- Google's revelation last month that attacks out of China resulted in the theft of some of its data drew attention to the broader question at the Black Hat conference here over what can be done to the villains.

Cyberattacks give rise to anger and a very human desire to strike back, but pursuing attackers in ways that matter isn't accomplishing much. The number of people who are arrested and convicted for any of the phishing attacks, intrusions and thefts is tiny.

Several countries, Russia and China in particular, don't want to cooperate on cybersecurity enforcement, said Andrew Fried, a security researcher at the Internet Systems Consortium, a nonprofit group, and a former special agent at the U.S. Treasury Department. "The reality is they don't want to do squat to help anybody," he said, on a panel at the cybersecurity conference today.

After an attack, such as the China-Google incident, there's always interest in establishing "attribution" - identifying the source of the attack. But Jeff Moss, the founder of Black Hat and director of the conference, questioned whether too much emphasis is placed on that effort. Moss also serves on the Department of Homeland Security's security advisory council.

"We should be spending more energy on dealing with the containment of an attack, reducing the effects of an attack," Moss said. "I don't think we will ever be able to stop the attack."

Accusations Fly Over Voice Encryption Hack

By John E. Dunn
CSO Online
February 02, 2010

German encryption firm SecurStar has strenuously denied being behind an apparently independent test of voice encryption products that found many of its rivals could be hacked using a $100 phone-tapping program.

In a blog on the subject, Fabio Pietrosanti, founder and CTO of Swiss encryption startup Khamsa, alleges that a supposedly independent test of
15 encryption products was in fact a marketing exercise designed to publicise one of only three products to pass the hacking test, SecurStar's PhoneCrypt.

The tests by an anonymous researcher, 'Notrax', found that all but three programs and hardware products looked at could be bypassed by installing a simple wiretapping Trojan called FlexiSPY to record voice output without the programs giving the user any indication that security had been compromised.

Khamsa's own GSM security software was not part of the test but the encryption technology it uses, ZRTP, came in for criticism. The moving force behind that system and its implementation in a program called Zfone is encryption pioneer and inventor of Pretty Good Privacy, Phil Zimmermann, who is also listed as being on Khamsa's scientific board.

According to Pietrosanti, the unnamed 'Notrax' was subsequently traced to an IP address connected to SecurStar after the individual followed a link embedded in a blog Pietrosanti had posted.

Cyber threat growing at unprecedented rate, intell chief says

By Ben Bain
FCW.com
Feb 02, 2010

Malicious cyber activity is growing at an unprecedented rate, severely threatening the nation's public and private information infrastructure, the government's top intelligence official said today.

Dennis Blair, the director of national intelligence, told members of the Senate Select Intelligence Committee, that "in the dynamic of cyberspace, the technology balance right now favors malicious actors rather than legal actors, and is likely to continue that way for quite some time."

Sensitive information is stolen daily from government and private-sector networks and intelligence officials often find persistent, unauthorized, and sometimes unattributable presences on exploited networks, Blair said in prepared remarks about intelligence agencies' annual threat assessment.

"We cannot be certain that our cyberspace infrastructure will remain available and reliable during a time of crisis," he testified.

Most consumers reuse banking passwords on other sites

By John Leyden
The Register
2nd February 2010

The majority of online banking customers reuse their online-banking login credentials on other websites, according to a new survey on password insecurity.

Online security firm Trusteer reports that 73 per cent of bank customers use their online account password to access at least one other, less sensitive website. Even worse, around half (47 per cent) use the same online banking username and password for other website logins.

This dismal password security practice means that if cybercrooks trick a user into giving away his login credentials for a social networking site, for example, they stand a very good chance of getting into webmail and online banking accounts for the same person, potentially bringing about crippling financial losses as a result.

Trusteer's findings are pulled from a sample of users of its Rapport browser security service. This is offered through online banks in Europe and North America to their customers as a defence against phishing attacks. Web users outfitted with Trusteer's Rapport browser security plug-in are prevented from sending login details to fraudsters, even if they visit and attempt to enter data into a known phishing site.

emails

a

The Register - Security

IQ test

The Register - Security: Anti-Virus

HackWire - Hacker News