Showing posts with label Hackers. Show all posts

Thursday, July 14, 2011

PHONES HACKING FOR PERSONAL INFORMATION

A new security hole has opened up in Apple Inc.'s iPhone, iPad and iPod Touch devices, raising alarms about the susceptibility of some of the world's hottest tech gadgets to hacker attacks.
Flaws in the software running those devices came to light after a German security agency warned that criminals could use them to steal confidential data off the devices. Apple, the world's largest technology company by market value, said Thursday that it is working on a fix that will be distributed in an upcoming software upgrade.
With the security hole, an attacker can get malicious software onto a device by tricking its owner into clicking an infected PDF file. Germany's Federal Office for Information Security called the flaws critical weaknesses in Apple's iOS operating system.
Internet-connected mobile devices are still subject to fewer attacks than personal computers, but they could eventually prove a juicy target for hackers because they are warehouses of confidential banking, e-mail, calendar, contact and other data.
Software vulnerabilities are discovered all the time. What makes the latest discovery alarming is that the weaknesses are already being actively exploited — albeit in a consensual way.
The latest concerns were prompted by the emergence of a new version of a program to allow Apple devices to run any software and circumvent the restrictions that Apple notoriously retains over software distributed through its online store. There are security risks of doing so, but many people find it liberating to install their own software.
Although this program is something people would seek out, the weaknesses that its authors discovered could easily be used for malice, security experts say.
There is an irony in the controversy: The site distributing the program offers a fix for the problem, but to get the fix, a user has to first install the program in question. So a user must defy Apple's restrictions to get the protection until Apple comes up with a fix of its own.
A prominent hacker of Apple products said it likely took months to develop the program to break Apple's restrictions, but a criminal might need only a day or two to modify it for nefarious purposes.
An Apple Inc. spokeswoman said Thursday the company is aware of this reported issue and developing a fix. She would not say when the update will be available.
One reason for gadget owners to take heart: Attacks on smartphones and other Internet gadgets are still relatively rare. One reason is PC-based attacks are still highly lucrative. Still, vulnerabilities such as the ones Apple is confronting show that consumers should take care of securing their mobile devices as they would their home computer.
People need to realize that phones are computers — they're just small, portable computers that happen to have a phone tacked onto them.

Thursday, July 7, 2011

OBAMA'S DEATH IS REPORTED ON FOX NEWS

Hackers broke into Fox's political Twitter account early Monday, posting updates saying President Barack Obama had been assassinated.
A series of six tweets coming from the Fox News Politics account reported that Obama had been shot to death in Iowa and the shooter was unknown.
In a statement posted on its website later Monday morning, Fox News called the tweets malicious and false. It said the hacking is being investigated.
Obama plans to spend the July Fourth holiday at a barbecue at the White House with military families and administration staffers.
A Secret Service spokesman says the agency wouldn't comment on the tweets.
Fox's political Twitter account has more than 34,000 followers.

Sunday, October 17, 2010

US studying Australian Internet security program

Associated Press

 
The government is reviewing an Australian program that will allow Internet service providers to alert customers if their computers are taken over by hackers and could limit online access if people don't fix the problem.

Obama administration officials have met with industry leaders and experts to find ways to increase online safety while trying to balance securing the Internet and guarding people's privacy and civil liberties.

Experts and U.S. officials are interested in portions of the plan, set to go into effect in Australia in December. But any move toward Internet regulation or monitoring by the U.S. government or industry could trigger fierce opposition from the public.

The discussions come as private, corporate and government computers across the U.S. are increasingly being taken over and exploited by hackers and other computer criminals.

White House cybercoordinator Howard Schmidt told The Associated Press that the U.S. is looking at a number of voluntary ways to help the public and small businesses better protect themselves online.

Possibilities include provisions in the Australia plan that enable customers to get warnings from their Internet providers if their computer gets taken over by hackers through a botnet.

A botnet is a network of infected computers that can number in the thousands and that network is usually controlled by hackers through a small number of scattered PCs. Computer owners are often unaware that their machine is linked to a botnet and is being used to shut down targeted websites, distribute malicious code or spread spam.

If a company is willing to give its customers better online security, the American public will go along with that, Schmidt said.

"Without security you have no privacy. And many of us that care deeply about our privacy look to make sure our systems are secure," Schmidt said in an interview. Internet service providers, he added, can help "make sure our systems are cleaned up if they're infected and keep them clean."

But officials are stopping short of advocating an option in the Australian plan that allows Internet providers to wall off or limit online usage by customers who fail to clean their infected computers, saying this would be technically difficult and likely run into opposition.

"In my view, the United States is probably going to be well behind other nations in stepping into a lot of these new areas," said Prescott Winter, former chief technology officer for the National Security Agency, who is now at the California-based cybersecurity firm, ArcSight.

In the U.S., he said, the Internet is viewed as a technological wild west that should remain unfenced and unfettered. But he said this open range isn't secure, so "we need to take steps to make it safe, reliable and resilient."

"I think that, quite frankly, there will be other governments who will finally say, at least for their parts of the Internet, as the Australians have apparently done, we think we can do better."

Cybersecurity expert James Lewis, a senior fellow at the Center for Strategic and International Studies, said that Internet providers are nervous about any increase in regulations, and they worry about consumer reaction to monitoring or other security controls.

Online customers, he said, may not want their service provider to cut off their Internet access if their computer is infected. And they may balk at being forced to keep their computers free of botnets or infections.

But they may be amenable to having their Internet provider warn them of cyberattacks and help them clear the malicious software off their computers by providing instructions, patches or anti-virus programs.

They may even be willing to pay a small price each month for the service - much like telephone customers used to pay a minimal monthly charge to cover repairs.

Lewis, who has been studying the issue for CSIS, said it is inevitable that one day carriers will play a role in defending online customers from computer attack.

Comcast Corp. is expanding a Denver pilot program that alerts customers whose computers are controlled through a botnet. The carrier provides free antivirus software and other assistance to clean the malware off the machine, said Cathy Avgiris, senior vice president at Comcast.

The program does not require customers to fix their computers or limit the online usage of people who refuse to do the repairs.

Avgiris said that the program will roll out across the country over the next three months. "We don't want to panic customers. We want to make sure they are comfortable. Beyond that, I hope that we pave the way for others to take these steps."

Voluntary programs will not be enough, said Dale Meyerrose, vice president and general manager of Cyber Integrated Solutions at Harris Corporation.

"There are people starting to make the point that we've gone about as far as we can with voluntary kinds of things, we need to have things that have more teeth in them, like standards," said Meyerrose.

For example, he said, coffee shops or airports might limit their wireless services to laptops equipped with certain protective technology. Internet providers might qualify for specific tax benefits if they put programs in place, he said.

Unfortunately, he said, it may take a serious attack before the government or industry impose such standards and programs.

In Australia, Internet providers will be able to take a range of actions to limit the damage from infected computers, from issuing warnings to restricting outbound e-mail. They could also temporarily quarantine compromised machines while providing customers with links to help fix the problem.

Sunday, March 28, 2010

Vulnerabilities of 'Smart' Meters Exposed


SAN FRANCISCO (AP) - Computer-security researchers say new "smart" meters that are designed to help deliver electricity more efficiently also have flaws that could let hackers tamper with the power grid in previously impossible ways.

At the very least, the vulnerabilities open the door for attackers to jack up strangers' power bills. These flaws also could get hackers a key step closer to exploiting one of the most dangerous capabilities of the new technology, which is the ability to remotely turn someone else's power on and off.

The attacks could be pulled off by stealing meters - which can be situated outside of a home - and reprogramming them. Or an attacker could sit near a home or business and wirelessly hack the meter from a laptop, according to Joshua Wright, a senior security analyst with InGuardians Inc. The firm was hired by three utilities to study their smart meters' resistance to attack.

These utilities, which he would not name, have already done small deployments of smart meters and plan to roll the technology out to hundreds of thousands of power customers, Wright told The Associated Press.

There is no evidence the security flaws have been exploited, although Wright said a utility could have been hacked without knowing it. InGuardians said it is working with the utilities to fix the problems.

Power companies are aggressively rolling out the new meters. In the U.S. alone, more than 8 million smart meters have been deployed by electric utilities and nearly 60 million should be in place by 2020, according to a list of publicly announced projects kept by The Edison Foundation, an organization focused on the electric industry.

Unlike traditional electric meters that merely record power use - and then must be read in person once a month by a meter reader - smart meters measure consumption in real time. By being networked to computers in electric utilities, the new meters can signal people or their appliances to take certain actions, such as reducing power usage when electricity prices spike.

But the very interactivity that makes smart meters so attractive also makes them vulnerable to hackers, because each meter essentially is a computer connected to a vast network.

There are few public studies on the meters' resistance to attack, in part because the technology is new. However, last summer, Mike Davis, a researcher from IOActive Inc., showed how a computer worm could hop between meters in a power grid with smart meters, giving criminals control over those meters.

Alan Paller, director of research for the SANS Institute, a security research and training organization that was not involved in Wright's work with InGuardians, said it proved that hacking smart meters is a serious concern.

"We weren't sure it was possible," Paller said. "He actually verified it's possible. ... If the Department of Energy is going to make sure the meters are safe, then Josh's work is really important."

SANS has invited Wright to present his research Tuesday at a conference it is sponsoring on the security of utilities and other "critical infrastructure."

Industry representatives say utilities are doing rigorous security testing that will make new power grids more secure than the patchwork system we have now, which is already under hacking attacks from adversaries believed to be working overseas.

"We know that automation will bring new vulnerabilities, and our task - which we tackle on a daily basis - is making sure the system is secure," said Ed Legge, spokesman for Edison Electric Institute, a trade organization for shareholder-owned electric companies.

But many security researchers say the technology is being deployed without enough security probing.

Wright said his firm found "egregious" errors, such as flaws in the meters and the technologies that utilities use to manage data from meters. "Even though these protocols were designed recently, they exhibit security failures we've known about for the past 10 years," Wright said.

He said InGuardians found vulnerabilities in products from all five of the meter makers the firm studied. He would not disclose those manufacturers.

One of the most alarming findings involved a weakness in a communications standard used by the new meters to talk to utilities' computers.

Wright found that hackers could exploit the weakness to break into meters remotely, which would be a key step for shutting down someone's power. Or someone could impersonate meters to the power company, to inflate victims' bills or lower his own. A criminal could even sneak into the utilities' computer networks to steal data or stage bigger attacks on the grid.

Wright said similar vulnerabilities used to be common in wireless Internet networking equipment, but have vanished with an emphasis on better security.

For instance, the meters encrypt their data - scrambling the information to hide it from outsiders. But the digital "keys" needed to unlock the encryption were stored on data-routing equipment known as access points that many meters relay data to. Stealing the keys lets an attacker eavesdrop on all communication between meters and that access point, so the keys instead should be kept on computers deep inside the utilities' networks, where they would be safer.

"That lesson seems to be lost on these meter vendors," he said. That speaks to the "relative immaturity" of the meter technology, Wright added.

Thursday, February 11, 2010

PC Encryption Chip Hacked


SAN FRANCISCO (AP) - Deep inside millions of computers is a digital Fort Knox, a special chip with the locks to highly guarded secrets, including classified government reports and confidential business plans. Now a former U.S. Army computer-security specialist has devised a way to break those locks.

The attack can force heavily secured computers to spill documents that likely were presumed to be safe. This discovery shows one way that spies and other richly financed attackers can acquire military and trade secrets, and comes as worries about state-sponsored computer espionage intensify, underscored by recent hacking attacks on Google Inc.

The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer. But laptops and smart phones get lost and stolen all the time. And the data that the most dangerous computer criminals would seek likely would be worth the expense of an elaborate espionage operation.

Jeff Moss, founder of the Black Hat security conference and a member of the U.S. Department of Homeland Security's advisory council, called Tarnovsky's finding "amazing."

"It's sort of doing the impossible," Moss said. "This is a lock on Pandora's box. And now that he's pried open the lock, it's like, ooh, where does it lead you?"

Tarnovsky figured out a way to break chips that carry a "Trusted Platform Module," or TPM, designation by essentially spying on them like a phone conversation. Such chips are billed as the industry's most secure and are estimated to be in as many as 100 million personal computers and servers, according to market research firm IDC.

When activated, the chips provide an additional layer of security by encrypting, or scrambling, data to prevent outsiders from viewing information on the machines. An extra password or identification such as a fingerprint is needed when the machine is turned on.

Many desktops sold to businesses and consumers have such chips, though users might not turn them on. Users are typically given the choice to turn on a TPM chip when they first use a computer with it. If they ignore the offer, it's easy to forget the feature exists. However, computers needing the most security typically have TPM chips activated.

"You've trusted this chip to hold your secrets, but your secrets aren't that safe," said Tarnovsky, 38, who runs the Flylogic security consultancy in Vista, Calif., and demonstrated his hack last week at the Black Hat security conference in Arlington, Va.

The chip Tarnovsky hacked is a flagship model from Infineon Technologies AG, the top maker of TPM chips. And Tarnovsky says the technique would work on the entire family of Infineon chips based on the same design. That includes non-TPM chips used in satellite TV equipment, Microsoft Corp.'s Xbox 360 game console and smart phones.

That means his attack could be used to pirate satellite TV signals or make Xbox peripherals, such as handheld controllers, without paying Microsoft a licensing fee, Tarnovsky said. Microsoft confirmed its Xbox 360 uses Infineon chips, but would only say that "unauthorized accessories that circumvent security protocols are not certified to meet our safety and compliance standards."

The technique can also be used to tap text messages and e-mail belonging to the user of a lost or stolen phone. Tarnovsky said he can't be sure, however, whether his attack would work on TPM chips made by companies other than Infineon.

Infineon said it knew this type of attack was possible when it was testing its chips. But the company said independent tests determined that the hack would require such a high skill level that there was a limited chance of it affecting many users.

"The risk is manageable, and you are just attacking one computer," said Joerg Borchert, vice president of Infineon's chip card and security division. "Yes, this can be very valuable. It depends on the information that is stored. But that's not our task to manage. This gives a certain strength, and it's better than unprotected computers without encryption."

The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment." It added that the group has "never claimed that a physical attack - given enough time, specialized equipment, know-how and money - was impossible. No form of security can ever be held to that standard."

It stood by TPM chips as the most cost-effective way to secure PCs.

It's possible for computer users to scramble data in other ways, beyond what the TPM chip does. Tarnovsky's attack would do nothing to unlock those methods. But many computer owners don't bother, figuring the TPM security already protects them.

Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.

Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.

The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer's memory. Those instructions hold the secrets to the computer's encryption, and he didn't find them encrypted because he was physically inside the chip.

Even once he had done all that, he said he still had to crack the "huge problem" of figuring out how to avoid traps programmed into the chip's software as an extra layer of defense.

"This chip is mean, man - it's like a ticking time bomb if you don't do something right," Tarnovsky said.

Joe Grand, a hardware hacker and president of product- and security-research firm Grand Idea Studio Inc., saw Tarnovsky's presentation and said it represented a huge advancement that chip companies should take seriously, because it shows that presumptions about security ought to be reconsidered.

"His work is the next generation of hardware hacking," Grand said.

Monday, February 8, 2010

China Heralds Bust of Major Hacker Ring

The Wall Street Journal


SHANGHAI—China heralded a major bust of computer hackers to underscore its pledge to help enhance global online security, with state media saying officials had shut what they called the country's largest distributor of tools used in malicious Internet attacks.

Three people were arrested on suspicion of making hacking tools available online, the state-run Xinhua news agency said on Monday. Their business, known as Black Hawk Safety Net, operated through the now-shuttered Web site 3800cc.com and generated around $1 million in income from its over 12,000 subscribers, the report said.

The arrests took place in late November as part of a police investigation that spanned three Chinese provinces and resulted in part from Black Hawk's role in domestic cyberattacks, according to Xinhua.

The delay in announcing the case wasn't explained. China in recent weeks has waged an aggressive public-relations campaign on the issue of hacking, apparently at least in part aimed at discrediting allegations from Google Inc. and others last month that China was the source of sophisticated cyberattacks against the Internet search giant and a number of other foreign companies. After U.S. Secretary of State Hillary Clinton also raised concerns about hacking from China, Chinese state media said her comments were hypocritical and said Google had become a pawn in an American "ideology war."

State-media reports described Black Hawk as offering hacking "training," which is a euphemism for selling malicious software. Xinhua said the site helped disseminate a computer virus in 2007 that wreaked havoc on private and government computers in the city of Macheng, in the central province of Hubei.

The Macheng prosecutor's office, in a statement, identified two men formally arrested in the case on Dec. 31 as 29-year-old Li Qiang and 28-year-old Zhang Lei. The statement said they were founders of Black Hawk Safety Net. The men couldn't be reached for comment. A man answering phones at an office of Black Hawk in the Henan province city of Xuchang said its servers had been shut down but that he couldn't elaborate.

Chinese hackers have described the Black Hawk operation, which also included the site 3800hk.com, as important, but just one among the many on the Internet. Increasingly, they say, programs designed to break into Internet-connected computers, known as hacking tools, are available on Chinese-language sites that are located outside the country.

China's closure of Black Hawk Safety Net reflects the use of a new clause in its criminal law that makes it illegal to offer others online attack programs. Xinhua said some 1.7 million yuan in assets, or about $249,000, were also seized, including cash, nine servers, five computers and a car.

Numerous reports have fingered Chinese sources as the suspects in various cyberattacks, including ones that targeted the offices of the Tibetan spiritual leader Dalai Lama and the German chancellor's office. Within China, various attacks over the years have involved theft of user accounts and whole Web site source code.

Determining the origin of Internet attacks is difficult, however. While Google alleged that the hacking attempts it faced originated in China, for instance, outside experts briefed on the attacks say they were actually traced to servers in Taiwan, which some experts say Chinese hackers could have used as a cover.

Some reports say that China hosts far less malicious software on its servers than is held on U.S. systems and is less of a spy threat than the U.S. Other experts point out China is a less-than-ideal location to launch overseas attacks because the Internet's international links are slowed by limited bandwidth and heavy content filtering.

China has described itself as the largest global victim of Internet hackers. According to a report released by the National Computer Network Emergency Response Coordination Center of China, Xinhua said, the hacker industry in China caused losses of 7.6 billion yuan ($1.11 billion) in 2009.

Thursday, January 28, 2010

Nebraska Man to Plead Guilty in Scientology Site Hack

USA Today



Federal prosecutors in California say a Nebraska man will plead guilty to participating in a cyber attack on Church of Scientology websites in January 2008.

Thom Mrozek, a spokesman for the U.S. attorney's office in Los Angeles, says Brian Thomas Mettenbrink agreed to plead guilty Monday to the misdemeanor charge of unauthorized access of a protected computer. He faces a year in federal prison.

Court records say Mettenbrink attacked Scientology websites as part of Anonymous, an underground group that protests the Church of Scientology, accusing it of Internet censorship.

Prosecutors say hackers conducted a "denial of service" attack, in which computers flood a target website with malicious Internet traffic, making it unavailable to legitimate users.

Prosecutors say Mettenbrink, of Grand Island, Nebraska, is expected to enter his plea next week in Los Angeles, where the Church of Scientology is based.

Tuesday, January 5, 2010

Hackers Mimic Huffington Post's Twitter Feed

AP


A Huffington Post spokesman says the left-leaning news and opinion Web site was not hacked when a Twitter social network feed emerged in its name and began issuing insults with a conservative bent.

Mario Ruiz tells The Associated Press in an e-mail Saturday that the account isn't operated by The Huffington Post, but was set up to appear as though it was. He followed up later Saturday to say that Twitter had suspended the account.

Some Twitter subscribers earlier Saturday mistook the mimicked feed for The Huffington Post's own commentary when they were alerted to it by other Twitter users. The feed included mostly unpublishable insults about political and media figures, including President Barack Obama and MSNBC commentator Keith Olbermann.

There also was an admonition to "Vote McCain" in 2012.