SIM Cards Have Finally Been Hacked, And The Flaw Could Affect Millions Of Phones

Smartphones are susceptible to malware and carriers have enabled NSA snooping, but the prevailing wisdom has it there’s still one part of your mobile phone that remains safe and un-hackable: your SIM card.

Yet after three years of research, German cryptographer Karsten Nohl claims to have finally found encryption and software flaws that could affect millions of SIM cards, and open up another route on mobile phones for surveillance and fraud.

Nohl, who will be presenting his findings at the Black Hat security conference in Las Vegas on July 31, says his is the first hack of its kind in a decade, and comes after he and his team tested close to 1,000 SIM cards for vulnerabilities, exploited by simply sending a hidden SMS. The two-part flaw, based on an old security standard and badly configured code, could allow hackers to remotely infect a SIM with a virus that sends premium text messages (draining a mobile phone bill), surreptitiously re-direct and record calls, and — with the right combination of bugs — carry out payment system fraud.

Payment fraud could be a particular problem for mobile phone users in Africa, where SIM-card based payments are widespread. The deployment of so-called NFC payment technology, already slow to take off, could also be at risk, Nohl says, as well as the ability for carriers to track charges to each caller’s account.

There’s no obvious pattern to the flaw beyond the premise of an older encryption standard. “Different shipments of SIM cards either have [the bug] or not,” says Nohl, who is chief scientist at risk management firm Security Research Labs. “It’s very random.”

In his study, Nohl says just under a quarter of all the SIM cards he tested could be hacked, but given that encryption standards vary widely between countries, he estimates an eighth of the world’s SIM cards could be vulnerable, or about half a billion mobile devices.

Source:
http://www.forbes.com/sites/parmyolson/2013/07/21/sim-cards-have-finally-been-hacked-and-the-flaw-could-affect-millions-of-phones/

Posted in Hardware, Internet, Privacy, Security | No Comments

1.82m affected by Ubuntu Forums data breach; passwords stolen

The Ubuntu forums are the latest to suffer a data breach, from a hacker, taking place last night. An estimated 1.82 million accounts have been affected and at the time of writing the site is still down for maintenance.

According to the placeholder page currently on the Ubuntu site, only the forums were affected with Ubuntu One, Launchpad and other Ubuntu/Canonical services escaping the breach. The page also asks that although passwords were not stored in plain text, users who use the same password for multiple services such as email are “strongly encouraged to change the password on the other service ASAP.” They also specifically admit that the hacker going by the name of @Sputn1k_ managed to grab “every user’s local username, password, and email address from the Ubuntu Forums database.”

Source:
http://www.neowin.net/news/182m-affected-by-ubuntu-forums-data-breach-passwords-stolen

Posted in Internet, Linux, Privacy, Security | No Comments

Major vulnerabilities in office security and RFID systems

At the Black Hat conference in Las Vegas, researchers will reveal critical vulnerabilities in many of the world’s most widely-used building security systems and RFID‑based badging systems.

Bishop Fox Senior Security Analysts Drew Porter and Stephen Smith and Partner Fran Brown will be presenting two separate talks that showcase methods of bypassing physical security systems used by millions in buildings all over the globe. They’ll reveal vulnerabilities in badging systems widely used to control access to buildings and secured areas.

In their talk, Porter and Smith demonstrate flaws in the digital systems and sensors used by more than 36 million office, building, and home security systems in the United States. Both researchers will give a detailed description of methods that can be used to prevent the tripping of commonly-used building security sensors, enabling an attacker to bypass electronic alarms and surveillance systems to access secure doors without setting off an alarm.

Using these methods and tools, an attacker could easily break into any home and many businesses without triggering the alarm systems installed within.

Source:
https://www.net-security.org/secworld.php?id=15252

Posted in Hardware, Privacy, Security | No Comments

Bank security breaches destroy customer trust

85 percent of U.S. adults with banking accounts are at least somewhat concerned about online banking fraud, according to Entersekt. Such fraud can include phishing, malware, man-in-the-browser and brute force attacks.

While concern is worth noting, it is action that impacts the ultimate health of a financial institution. Seventy-one percent of U.S. adults would be at least somewhat likely to switch to a different bank if they became a victim of online banking fraud at their current bank.

“According to RSA’s 2013 report The Year in Phishing, online banking fraud is a nationwide epidemic in which banks, who lost $1.5 billion in revenue last year from phishing attacks, are simply accepting losses instead of proactively adapting their defense,” said Christiaan Brand, CTO at Entersekt. “What makes the issue complicated is the increased sophistication of hackers, but technology aimed at thwarting attacks has evolving too.”

According to the poll, almost six in ten (58%) U.S. adults would be at least somewhat willing to take an active role in securing their online banking transactions if this meant using their mobile phones to authenticate activities, such as purchases, logins, transfers or bill payments.

Source:
https://www.net-security.org/secworld.php?id=15249

Posted in Internet, Privacy, Security | No Comments

New backdoor in HP server products

Computer manufacturer HP has admitted that its StoreVirtual servers also contain an undocumented backdoor. The security vulnerability risks allowing attackers to gain unauthorised access to the storage systems. The backdoor provides users with direct access to the holy of holies, “LeftHand” (the operating system for the StoreVirtual server). HP has previously marketed its StoreVirtual systems as LeftHand Storage and P4000 SAN. LeftHand OS was originally called SAN/iQ.

In a security advisory, HP stresses that, although the backdoor provides root access to the server, it does not provide access to the user data stored on the server system. HP is planning to provide a patch to permanently deactivate the backdoor by 17 July.

Late June saw the disclosure of the presence of a similar backdoor in HP backup servers. As with the company’s StoreOnce systems, this case revolves around undocumented administrator access. In an emergency – such as a need to reset the main password – this enabled HP staff to offer users the option of carrying out remote maintenance. As with StoreOnce, disclosure of the vulnerability is once again down to security researcher Joshua Small (known by his online pseudonym Technion).

The backdoor in StoreOnce systems only affected devices that had not yet been updated to version 3.x of the software, released in November 2012. According to HP, all second generation StoreOnce devices can be updated to StoreOnce 3.x – only the early StorageWorks D2D devices are unable to run this software. A list of affected systems can be found in the official advisory from HP.

Source:
http://www.h-online.com/security/news/item/New-backdoor-in-HP-server-products-1916506.html

Posted in Hardware, Internet, Networking, Privacy, Security | No Comments