The blog of DataDiggers

The FCC's Robocall Plan Sounds Awfully Familiar

Posted by on May 15, 2019 in Security, Security / Security News | 0 comments

FCC chairman Ajit Pai has proposed a set of rules to combat robocalls. Don’t get your hopes up quite yet.
Source: Wired

Google Will Replace Titan Security Key Over a Bluetooth Flaw

Posted by on May 15, 2019 in Security, Security / Security News | 0 comments

Google will replace any Titan BLE branded security key, after disclosing that a nearby attacker could use it to compromise your accounts.
Source: Wired

Google discloses security bug in its Bluetooth Titan Security Keys, offers free replacement

Posted by on May 15, 2019 in Bluetooth, computer security, cryptography, cybercrime, Google, key, Keys, mobile security, Password, phishing, Security, security token, TC, wireless | 0 comments

Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. The company says the bug is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users.

The bug affects all Titan Bluetooth keys that have a “T1” or “T2” on the back. The keys sell for $50 in a package that also includes a standard USB/NFC key.

To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attacker can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that — and assuming that they already have your username and password — they could sign into your account.

Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by making their own device masquerade as your security key and connecting it to your device when you press the button on the key. Having done this, the attacker can then change their device to look like a keyboard or mouse and remotely control your laptop, for example.

All of this has to happen at exactly the right time, and the attacker must already know your credentials. A persistent attacker could make that work, though.

Google argues that this issue doesn’t affect the Titan key’s main mission, which is to guard against phishing attacks, and argues that users should continue to use the keys until they get a replacement. “It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,” the company writes in today’s announcement.

The company also offers a few tips for mitigating the potential security issues here.

Some of Google’s competitors in the security key space, including Yubico, decided against using Bluetooth because of potential security issues and criticized Google for launching a Bluetooth key. “While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” Yubico founder Stina Ehrensvärd wrote when Google launched its Titan keys.


Source: The Tech Crunch

Microsoft’s First Windows XP Patch in Years Is a Very Bad Sign

Posted by on May 15, 2019 in Security, Security / Cyberattacks and Hacks | 0 comments

A very bad vulnerability in Windows XP could have serious ramifications, even with a patch.
Source: Wired

WhatsApp Was Hacked, Your Computer Was Exposed, and More News

Posted by on May 14, 2019 in Security, Security / Cyberattacks and Hacks | 0 comments

Catch up on the most important news today in 2 minutes or less.
Source: Wired

Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs

Posted by on May 14, 2019 in Security, Security / Cyberattacks and Hacks | 0 comments

Two different groups of researchers found another speculative execution attack that can steal all the data a CPU touches.
Source: Wired

How Hackers Broke WhatsApp With Just a Phone Call

Posted by on May 14, 2019 in Security, Security / Cyberattacks and Hacks | 0 comments

All it took to compromise a smartphone was a single phone call over WhatsApp. The user didn’t even have to pick up the phone.
Source: Wired

VDOO secures $32M for a platform that uses AI to detect and fix vulnerabilities on IoT devices

Posted by on Apr 24, 2019 in Artificial Intelligence, Enterprise, IoT, Security | 0 comments

Our universe of connected things is expanding by the day: the number of objects with embedded processors now exceeds the number of smartphones globally and is projected to reach some 18 billion devices by 2022. But just as that number is growing, so are the opportunities for malicious hackers to use these embedded devices to crack into networks, disrupting how these objects work and stealing information, a problem that analysts estimate will cost $18.3 billion to address by 2023. Now, an Israeli startup called VDOO has raised $32 million to address this, with a platform that identifies and fixes security vulnerabilities in IoT devices, and then tests to make sure that the fixes work.

The funding is being led by WRVI Capital and GGV Capital and also includes strategic investments from NTT DOCOMO (which works with VDOO), MS&AD Ventures (the venture arm of the global cyber insurance firm), and Avigdor Willenz (who founded both Galileo Technologies and Annapurna Labs, respectively acquired by Marvell and Amazon). 83North, Dell Technology Capital and David Strohm, who backed VDOO in its previous round of $13 million in January 2018, also participated, bringing the total raised by VDOO now to $45 million.

VDOO — a reference to the Hebrew word that sounds like “vee-doo” and means “making sure” — was cofounded by Netanel Davidi (co-CEO), Uri Alter (also co-CEO) and Asaf Karas (CTO). Davidi and Alter previously co-founded Cyvera, a pioneer in endpoint security that was acquired by Palo Alto Networks and became the basis for its own endpoint security product; Karas, meanwhile, comes to VDOO with extensive experience working, among other places, for the Israeli Defense Forces.

In an interview, Davidi noted that the company was created out of one of the biggest shortfalls of IoT.

“Many embedded systems have a low threshold for security because they were not created with security in mind,” he said, noting that this is partly due to concerns of how typical security fixes might impact performance, and the fact that this has typically not been a core competency for hardware makers, but something that is considered after devices are in the market. At the same time, a lot of security solutions today in the IoT space have focused on monitoring, but not fixing, he added. “Most companies have good solutions for the visibility of their systems, and are able to identify vulnerabilities on the network, but are not sufficient at protecting devices themselves.”

The sheer number of devices on the market and their spread across a range of deployments from manufacturing and other industrial scenarios, through to in-home systems that can be vulnerable even when not connected to the internet, also makes for a complicated and uneven landscape.

VDOO’s approach was to conceive of a very lightweight implementation that sits on a small group of devices — “small” is relative here: the set was 16,000 objects — applying machine learning to “learn” how different security vulnerabilities might behave to discover adjacent hacks that hadn’t yet been identified.

“For any kind of vulnerability, using deep binary analysis capabilities, we try to understand the broader idea, to figure out how a similar vulnerability can emerge,” he said.

Part of the approach is to pare down security requirements and solutions to those pertinent to the device in question, and to provide clear guidance to vendors on how best to avoid problems in the first place at the development stage. VDOO then also generates specific “tailor-made on-device micro-agents” to continue the detection and repair process. (Davidi likened it to a modern approach to some cancer care: preventive measures such as periodic monitoring checks, followed by a “tailored immunotherapy” based on prior analysis of DNA.)

It currently supports Linux- and Android-based operating systems, as well as FreeRTOS, with support for more systems coming soon, Davidi said. It sells its services primarily to device makers, who can make over-the-air updates to their devices after they have been purchased and implemented to keep them up to date with the latest fixes. Typical devices currently secured with VDOO tech include safety and security devices such as surveillance cameras, NVRs & DVRs, fire alarm systems, access controls, routers, switches and access points, Davidi said.

It’s the focus on providing security services for hardware makers, in fact, that helps VDOO stand out from the others in the field.

“Among all startups for embedded systems, VDOO is the first to introduce a unique, holistic approach focusing on the device vendors which are the focal enabler in truly securing devices,” said Lip-Bu Tan, founding partner of WRVI Capital. “We are delighted to back VDOO’s technology, and the exceptional team that has created advanced tools to allow vendors to secure devices as much as possible without in-house security know-how. For the first time in many decades, I see a clear demand for security, as being raised constantly in many meetings with leading OEMs worldwide, as well as software giants.”

Over the last 18 months, as VDOO has continued to expand its own reach, it has picked up customers along the way after identifying vulnerabilities in their devices. Its dataset covers some 70 million embedded systems’ binaries and more than 16,000 versions of embedded systems, and it has worked with customers to identify and address 150 zero-day vulnerabilities and 100,000 security issues that would have potentially impacted 1.5 billion devices.

Interestingly, while VDOO is building its own IP, it is also working with a number of vendors to provide many of the fixes. Davidi says that VDOO and those vendors go through fairly rigorous screening processes before integrating, and the hope is that down the line there will be more automation brought in for the “fixing” element using third-party solutions.

“VDOO brings a unique end-to-end security platform, answering the global connectivity trend and the emerging threats targeting embedded devices, to provide security as an essential enabler of extensive connected devices adoption. With its differentiated capabilities, VDOO has succeeded in acquiring global customers, including many top-tier brands. Moreover, VDOO’s ability to uncover and mitigate weaknesses created by external suppliers fits perfectly into our Supply Chain Security investment strategy,” said Glenn Solomon, managing partner at GGV Capital, in a statement. “This funding, together with the company’s great technology, skilled entrepreneurs and one of the best teams we have seen, will allow VDOO to maintain its leadership position in IoT security and expand geographies while continuing to develop its state-of-the-art technology.”

Valuation is currently not being disclosed.


Source: The Tech Crunch

Russian hacked ‘at least one’ Florida county prior to 2016 election

Posted by on Apr 18, 2019 in cybercrime, department of justice, election systems, fancy bear, Florida, Government, GRU, Hack, Homeland Security, phishing, presidential election, Security, Technology, United States | 0 comments

Russian operatives successfully targeted and hacked “at least one” Florida county government in the run-up to the 2016 U.S. presidential election, according to new findings by Special Counsel Robert Mueller.

The report, published Thursday by the Justice Department, said the county was targeted by the Russian intelligence service, known as the GRU. The hackers sent spearphishing emails to more than 120 email accounts used by county officials responsible for administering the election, the report said.

According to the findings:

In August 2016, GRU officers targeted employees of [REDACTED], a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network… the spearphishing emails contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer.

The findings are a significant development from previous reporting that said Florida’s election systems were merely targets of the Russian operatives.

Sen. Bill Nelson (D-FL) was derided after he claimed just days before his eventual re-election that hackers had gained access to the state’s election systems. According to NBC News, some of Nelson’s assertions were based off classified information that was not yet public.

Nelson’s remarks came almost a year after The Intercept published a classified document — later discovered to have been sent by since-jailed NSA whistleblower Reality Winner — showing that intelligence pointed to a concerted effort by the GRU to target election infrastructure. The NSA said the hackers sent emails impersonating voting technology company VR Systems to state government officials.

The Orlando Sentinel confirmed Thursday, following the release of Mueller’s report, that Volusia County was sent infected emails containing malware, suggesting Volusia County — north of Orlando — may have been the target.

Mueller’s report confirmed that the FBI investigated the incident.

The office of Florida’s secretary of state said that Florida’s voter registration system “was and remains secure,” and “official results or vote tallies were not changed.”

Two years later, following the 2018 midterm elections, the Justice Department and Homeland Security said there was “no evidence” of vote hacking or tampering.


Source: The Tech Crunch

Mueller says use of encrypted messaging stalled some lines of inquiry

Posted by on Apr 18, 2019 in Donald Trump, encryption, Government, law enforcement, Mueller report, operating systems, president, Security, Software, trump | 0 comments

A single paragraph in the Mueller report out Thursday offers an interesting look into how the Special Counsel’s investigation came head-to-head with associates of President Trump who used encrypted and ephemeral messaging to hide their activities.

From the report:

Further, the Office learned that some of the individuals we interviewed or whose conduct we investigated — including some associated with the Trump Campaign — deleted relevant communications or communicated during the relevant period using applications that feature encryption or that do not provide for long-term retention of data or communications records. In such cases, the Office was not able to corroborate witness statements through comparison to contemporaneous communications or fully question witnesses about statements that appeared inconsistent with other known facts.

The report didn’t spell out specifics of whom or why, but clearly Mueller wasn’t happy. He was talking about encrypted messaging apps that also delete conversation histories over a period of time. Apps like Signal and WhatsApp are popular for this exact reason — you can communicate securely and wipe any trace after the fact.

Clearly, some of Trump’s associates knew better.

But where prosecutors who have faced similar setbacks with individuals using encrypted messaging apps to hide their tracks have often attacked tech companies for building the secure apps, Mueller did not. He just stated a fact and left it at that.

For years, police and law enforcement have lobbied against encryption because they say it hinders investigations. More and more, apps are using end-to-end encryption — where the data is scrambled from one device to another — so that even the tech companies can’t read their users’ messages. But just as criminals use encrypted messaging for bad, ordinary people use encrypted messaging to keep their conversations private.

According to the report, it wasn’t just those on the campaign trail. The hackers associated with the Russian government and WikiLeaks, both of which were in contact following the breaches on Hillary Clinton’s campaign and the Democratic National Committee, took efforts to “hide their communications.”

Not all of Trump’s associates have fared so well over the years.

Michael Cohen, Trump’s former personal attorney, learned the hard way that encrypted messaging apps are all good and well — unless someone has your phone. Federal agents seized Cohen’s BlackBerry, allowing prosecutors to recover streams of WhatsApp and Telegram chats with Trump’s former campaign chief Paul Manafort.

Manafort, the only person jailed as part of the Mueller investigation, also tripped up in an “opsec fail” after prosecutors obtained a warrant to access his backed-up messages stored in iCloud.


Source: The Tech Crunch
