Showing results for tags 'security risks'.

Found 5 results

  1. Millions at security risk from old routers, Which? warns

     [Image caption: Routers need crucial software updates and secure passwords. Copyright Getty Images]

     Millions of people could be using outdated routers that put them at risk of being hacked, Which? has warned. The consumer watchdog examined 13 models provided to customers by internet-service companies such as EE, Sky and Virgin Media and found that more than two-thirds had flaws. It estimated that about six million people could have a device not updated since 2018 or earlier, so in some cases they would not have received crucial security updates.

     Weak passwords

     Problems found by its lab tests included:
       • weak default passwords, found on most of the routers, that cyber-criminals could guess
       • a lack of firmware updates, which matter for both security and performance
       • a network vulnerability in EE's Brightbox 2 that could give a hacker full control of the device

     The devices found to be lacking updates included:
       • Sky SR101 and SR102
       • Virgin Media Super Hub and Super Hub 2
       • TalkTalk HG635, HG523a and HG533

     Several routers from BT, including the Home Hub 3B, 4A and 5B, and Plusnet's Hub Zero 270N passed all the security tests.

     The government plans to ban preset default passwords on devices as part of upcoming legislation covering smart devices. It is also planning to require manufacturers to:
       • tell customers how long their device will receive security-software updates
       • provide a public point of contact so that anyone can report a vulnerability more easily

     Which? computing editor Kate Bevan said that the proposed legislation "can't come soon enough". "Internet service providers should be much clearer about how many customers are using outdated routers and encourage people to update devices that pose security risks," she added.

     'Constantly monitored'

     In response, Virgin said nine out of 10 of its customers were using its latest modem and it did not "recognise or accept the findings of the Which? research". BT, which owns EE, also said "the vast majority of its customers" used its latest modem. "We want to reassure customers that all our routers are constantly monitored for possible security threats and updated when needed," it said. "These updates happen automatically so customers have nothing to worry about." TalkTalk said the routers looked at in the research represented a "very small proportion" of those in use, and that customers could easily change their passwords at any time. Vodafone said its HHG2500 router examined by Which? had not been supplied to customers beyond August 2019 but that updates would continue "as long as the device remains on an active customer subscription". Sky engaged with the research but did not provide a comment.

     'Remotely hijacked'

     Pen Test Partners security consultant Ken Munro said the research mirrored his own. "We have been trying to convince one of the ISPs in question to fix a critical security flaw that allows several million of their customer routers to be remotely hijacked and gain access to home networks," he said. "We reported the issue over a year ago - but they have procrastinated multiple times." Mr Munro also suggested ISPs could be "reluctant to push updates to routers in case they fail in the process".

     Source: Millions at security risk from old routers, Which? warns
  2. New Study Warns of Security Threats Linked to Recycled Phone Numbers

     A new academic study has highlighted a number of privacy and security pitfalls associated with recycling mobile phone numbers that could be abused to stage a variety of attacks, including account takeovers, phishing and spam campaigns, and even preventing victims from signing up for online services.

     Nearly 66% of the recycled numbers sampled were found to be tied to previous owners' online accounts at popular websites, potentially enabling account hijacks simply by recovering the accounts tied to those numbers. "An attacker can cycle through the available numbers shown on online number change interfaces and check if any of them are associated with online accounts of previous owners," the researchers said. "If so, the attacker can then obtain these numbers and reset the password on the accounts, and receive and correctly enter the OTP sent via SMS upon login."

     The findings are part of an analysis of a sample of 259 phone numbers available to new subscribers of U.S. telecom majors T-Mobile and Verizon Wireless. The study was undertaken by Princeton University's Kevin Lee and Prof. Arvind Narayanan, who is one of the executive committee members at the Center for Information Technology Policy.

     Phone number recycling refers to the standard practice of reassigning disconnected phone numbers to new subscribers of the carrier. According to the Federal Communications Commission (FCC), an estimated 35 million phone numbers are disconnected each year in the U.S. But this also poses serious dangers when an attacker does a reverse lookup by entering such numbers into the online interfaces offered by the two carriers and, upon encountering a recycled number, buys it and logs in to the victim account to which the number is linked.

     At the heart of the attack strategy is the lack of query limits imposed by the carriers on their prepaid number-change interfaces, together with the fact that those interfaces display "full numbers, which gives an attacker the ability to discover recycled numbers before confirming a number change." What's more, 100 of the sampled numbers were associated with email addresses that had appeared in a past data breach, allowing account hijacks of a second kind that circumvent SMS-based multi-factor authentication. In a third attack, 171 of the 259 available numbers were listed on people-search services such as BeenVerified, which in turn leaked sensitive personal information about the prior owners. "Once they obtain the previous owner's number, they can perform impersonation attacks to commit fraud or amass even more PII on previous owners," the researchers explained.

     Beyond these three reverse-lookup attacks, five additional threats enabled by phone number recycling target both previous and future owners, permitting a malicious actor to impersonate past owners, hijack the victims' online phone account and other linked online accounts and, worse, carry out denial-of-service attacks. "Attacker obtains a number, signs up for an online service that requires a phone number, and releases the number," the researchers said. "When a victim obtains the number and tries to sign up for the same service, they will be denied due to an existing account. The attacker can contact the victim through SMS and demand payment to free up the number on the platform."

     In response to the findings, T-Mobile said it has updated its "Change your phone number" support page to remind users to "update your contact number on any accounts that may have your number saved, such as notifications for bank accounts, social media, etc." and to state the FCC-mandated number aging period of 45 days before an old number may be reassigned. Verizon, likewise, has made similar revisions to its "Manage Verizon mobile service" support page. But neither carrier appears to have made any concrete change that makes the attacks harder to pull off.

     If anything, the study is further evidence of why SMS-based authentication is a risky method: the attacks outlined above could allow an adversary to hijack an SMS-2FA-enabled account without ever knowing the password. "If you need to give up your number, unlink it from online services first," Narayanan said in a tweet. "Consider low-cost number 'parking' services. Use more secure alternatives to SMS-2FA such as authenticator apps."

     Source: New Study Warns of Security Threats Linked to Recycled Phone Numbers
  3. ENISA Highlights AI Security Risks for Autonomous Cars

     Automakers Should Employ Security-By-Design to Thwart Cyber Risks

     [Figure: Localization of vehicle sensors and their main uses. Source: ENISA]

     Autonomous vehicle manufacturers are advised to adopt security-by-design models to mitigate cybersecurity risks, as artificial intelligence is susceptible to evasion and poisoning attacks, says a new ENISA report.

     The study from the European Union Agency for Cybersecurity and the European Commission's Joint Research Centre warns that autonomous cars are susceptible both to unintentional harm, caused by existing vulnerabilities in the hardware and software components of the cars, and to intentional misuse, where attacks can introduce new vulnerabilities for further compromise. AI models are also described as susceptible to evasion and poisoning attacks, in which attackers manipulate what is fed into the AI systems (at inference time or during training, respectively) to alter the outcomes. As a result, the report notes, autonomous cars are vulnerable to potential distributed denial-of-service attacks and various other threats associated with their many sensors, controls and connection mechanisms.

     "The growing use of AI to automate decision-making in a diversity of sectors exposes digital systems to cyberattacks that can take advantage of the flaws and vulnerabilities of AI and ML methods," the report notes. "Since AI systems tend to be involved in high-stake decisions, successful cyberattacks against them can have serious impacts. AI can also act as an enabler for cybercriminals."

     Perceived Threats

     Likely threats identified by the report include:
       • Sensor jamming: attackers who gain access to the vehicle's systems through an exploit can blind or jam the sensors used for autonomous driving, or alter the AI algorithms, feeding them wrong data to undermine automated decision-making.
       • DDoS attacks: attackers can disrupt the communication channels available to the vehicle to hinder operations needed for autonomous driving.
       • Exposed data: because vehicles store and use a large amount of information for autonomous driving, attackers can exploit vulnerabilities to access and expose user data.

     Recommendations

     The report provides several recommendations for automakers to implement to avoid attacks against autonomous cars; these include:
       • Systematic security validation of AI models and data: since autonomous cars collect large amounts of data, such as input from multiple sensors, ENISA recommends that automakers systematically monitor and conduct risk assessment processes for the AI models and their algorithms.
       • Address supply chain challenges related to AI cybersecurity: automakers should ensure compliance with AI security regulations across their supply chain by involving and sharing responsibility between stakeholders as diverse as developers, manufacturers, providers, vendors, aftermarket support operators, end users and third-party providers of online services. They should be aware of the difficulty of tracing open-source assets, with pre-trained models available online and widely used in ML systems without any guarantee of their origin. It is advised to use secure embedded components to perform the most critical AI functions.
       • Develop incident handling and response plans: a clear and established cybersecurity incident handling and response plan should be considered, taking into account the increased number of digital components in the vehicle and, in particular, the ones based on AI. Automakers are advised to develop simulated attacks and establish mandatory standards for AI security incident reporting. They should organize disaster drills involving senior management so that it understands the potential impact in case a vulnerability is discovered.
       • Build AI cybersecurity knowledge among developers and system designers: a shortage of specialist skills hampers the integration of security in the automotive sector, so it is recommended that AI cybersecurity be integrated into the whole organization's policy. Diverse teams should be created consisting of experts from ML-related fields, cybersecurity and the automotive sector, including mentors to assist the adoption of AI security practices. For the longer term, bring industry expertise into the academic curriculum by inviting leading practitioners to guest lectures or by defining special courses on this topic.

     Past Attacks

     The extent of the challenge for the automotive sector to implement AI security by design was laid bare by the recall during February of nearly 1.3 million Mercedes-Benz cars in the U.S. due to a problem in their emergency communication module software. "They had to recall cars manufactured since 2016, which means that there was no proper testing plan for this feature for almost 5 years," Wissam Al Adany, CIO of automotive company Ghabbourauto in Egypt, told Information Security Media Group.

     While attacks targeting physical autonomous cars remain relatively few, security researchers have successfully compromised various models of Tesla vehicles. In November 2020, researchers from Belgium's University of Leuven - aka KU Leuven - found that they could clone a Tesla Model X driver's wireless key fob and, about two minutes later, drive away with the car. A demonstration video posted by the researchers also suggests such an attack could be stealthy, potentially leaving a stolen car's owner unaware of what was happening (see: Gone in 120 Seconds: Flaws Enable Theft of Tesla Model X).

     In October 2020, researchers from Israel's Ben-Gurion University of the Negev demonstrated how some Tesla Autopilot systems can be tricked into reacting to split-second images or projections (see: Tesla's Autopilot Tricked by Split-Second 'Phantom' Images). In yet another case, an independent security researcher uncovered a cross-site scripting vulnerability in the Tesla Model 3 that could enable attackers to access the model's vitals endpoint, which contained information about other cars (see: How a Big Rock Revealed a Tesla XSS Vulnerability).

     Source: ENISA Highlights AI Security Risks for Autonomous Cars
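     The report's "evasion attack" is an input crafted so that a model misclassifies it while the change stays small enough to look like sensor noise. The block below is an added example for this page, not code from ENISA or from any vehicle system: a hypothetical logistic-regression detector over three normalised sensor features (weights `W`, bias `B` and the clean input `X_CLEAN` are all made up for the demo) and a fast-gradient-sign (FGSM) step against it. Because the model is linear, the gradient of its logit with respect to the input is exactly the weight vector, so the attacker's best bounded move is to shift each feature by the budget `eps` in the direction of `sign(w)`; `smallest_evading_eps` scans budgets upward to find where the prediction first flips, which is the kind of robustness number a validation pipeline would record for a model.

```python
"""Evasion (adversarial example) against a toy linear classifier, pure Python.
Added example; the model and input below are hypothetical, not from the
ENISA report or any vehicle software."""
import math

# Hypothetical "obstacle ahead" detector over three normalised sensor features.
W = [2.0, -1.0, 0.5]          # weights, chosen by hand for the demo
B = -0.2                      # bias
X_CLEAN = [0.6, 0.2, 0.4]     # constructed input; the model labels it 1


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def logit(w, b, x) -> float:
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def classify(w, b, x) -> int:
    """1 if P(class 1) >= 0.5, else 0."""
    return 1 if sigmoid(logit(w, b, x)) >= 0.5 else 0


def sign(v: float) -> float:
    return 1.0 if v > 0 else -1.0 if v < 0 else 0.0


def fgsm_evade(w, b, x, eps: float, target: int = 0):
    """One fast-gradient-sign step: shift every feature by eps in the direction
    that pushes the logit toward `target`. For a linear model d(logit)/dx == w,
    so the gradient is known in closed form. The output differs from x by at
    most eps in every coordinate (an L-infinity budget)."""
    direction = -1.0 if target == 0 else 1.0
    return [xi + direction * eps * sign(wi) for wi, xi in zip(w, x)]


def linf_distance(a, b) -> float:
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def smallest_evading_eps(w, b, x, target=0, step=0.01, max_eps=1.0):
    """Scan budgets upward until the prediction flips to `target`.
    Returns None if the input survives every budget up to max_eps."""
    for i in range(1, int(round(max_eps / step)) + 1):
        eps = i * step
        if classify(w, b, fgsm_evade(w, b, x, eps, target)) == target:
            return round(eps, 6)
    return None


if __name__ == "__main__":
    print("clean class:", classify(W, B, X_CLEAN))
    x_adv = fgsm_evade(W, B, X_CLEAN, 0.3)
    print("adversarial class:", classify(W, B, x_adv),
          "L-inf distance:", linf_distance(X_CLEAN, x_adv))
    print("smallest eps that flips the label:", smallest_evading_eps(W, B, X_CLEAN))
```

     For a real perception network the gradient would come from the framework's autodiff rather than from `W`, but the shape of the attack and of the robustness check is the same; the number worth tracking across model versions is the smallest budget at which known-good inputs start to flip.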
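     The supply-chain recommendation above singles out pre-trained models pulled from the internet "without guarantee of their origin". One concrete control is to pin every vetted artifact by digest and refuse to deserialise anything unlisted or altered. The block below is an added example for this page, not code from ENISA or any automaker: it parses a manifest in the `sha256sum` output format and gates a (stand-in) model loader on it. The file names and model bytes are constructed placeholders, and the manifest is generated from them at run time so the example works offline; in practice the manifest would come from the vetting process or from the model's publisher and be stored separately from the files it covers.

```python
"""Pin pre-trained model artifacts by SHA-256 and refuse unlisted or altered
files. Added example; names and bytes are constructed stand-ins."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256sum(text: str) -> dict:
    """Parse sha256sum-style lines ("<hex>  <name>" or "<hex> *<name>") into
    {name: hex}. Blank lines and '#' comments are skipped; a malformed line is
    an error rather than a silently missing pin."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: digest is not hex")
        pins[name] = digest
    return pins


def verify_artifact(name: str, data: bytes, pins: dict) -> bool:
    """True only if `name` is pinned and its bytes hash to the pinned digest."""
    expected = pins.get(name)
    if expected is None:
        return False                      # never vetted: refuse
    return hmac.compare_digest(expected, sha256_hex(data))


def load_model(name: str, data: bytes, pins: dict) -> bytes:
    """The gate a model loader calls before deserialising anything."""
    if not verify_artifact(name, data, pins):
        raise ValueError(f"refusing to load unverified artifact {name!r}")
    return data


# Constructed stand-ins for two vetted model files (hypothetical names).
VETTED = {
    "lane-detector-v3.onnx": b"constructed model bytes A",
    "sign-classifier-v1.onnx": b"constructed model bytes B",
}

# Manifest in sha256sum format, generated from the stand-ins so this runs offline.
MANIFEST_TEXT = "# pinned model digests\n" + "".join(
    f"{sha256_hex(data)}  {name}\n" for name, data in VETTED.items()
)


def demo() -> dict:
    pins = parse_sha256sum(MANIFEST_TEXT)
    genuine = VETTED["lane-detector-v3.onnx"]
    tampered = genuine + b"\x00"          # a single appended byte
    return {
        "genuine": verify_artifact("lane-detector-v3.onnx", genuine, pins),
        "tampered": verify_artifact("lane-detector-v3.onnx", tampered, pins),
        "unlisted": verify_artifact("mystery-model.onnx", b"whatever", pins),
    }


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'tampered': False, 'unlisted': False}
```

     A digest pin proves only that the bytes are the ones that were vetted; it says nothing about whether the vetting was adequate, so the manifest belongs under the same review and signing discipline as the code that loads the model.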
  4. The security risks of bitcoin

     Cryptocurrencies are having a moment. Not only is the price of one bitcoin hovering around the all-time high of nearly US$42,000 it hit in early January, but the Reserve Bank of Australia has announced that it’s researching a crypto-based digital currency, and bitcoin has been accepted as collateral by Australian courts. Advocates are confidently predicting a greater role for cryptocurrencies (shorthanded to ‘crypto’) in the public and private sectors.

     But those ebullient narratives don’t give a complete picture of the security risks posed by greater use of crypto in Australia. Cryptocurrencies have inherent vulnerabilities that can’t be overcome solely by Australian regulations, suggesting that continuing tight restrictions on their potential use are essential.

     At heart, cryptocurrencies are computer protocols that harness sophisticated cryptography to create unique digital tokens. A bitcoin, for example, is the token of the bitcoin protocol. The integrity of crypto networks depends on large numbers of independent computers continuously running each protocol, with greater numbers of such ‘validators’ providing increased security against malicious attack. The validators are incentivised to participate through rewards of each protocol’s tokens.

     Most of the focus on the risks of cryptocurrencies emphasises potential nefarious uses, such as sanctions evasion or purchases on darknet markets. But even legitimate uses of crypto entail significant security risks and their use in the public or private sector must be treated very cautiously.

     One such vector of insecurity comprises vulnerabilities inherent in any system that attempts to eliminate trust in anything but computer code. Crypto is designed to obviate the need for institutional gatekeepers like banks and governments, which means that there’s no trusted third party to undo any harm if a protocol or other software tool turns out to have bugs. Most infamously, a bug in an application designed to run a ‘smart contract’ on Ethereum—the second-largest cryptocurrency by value—was exploited to steal US$50 million worth of the ether token in 2016, causing such turmoil that the Ethereum blockchain itself ultimately split in two.

     Coding issues don’t just harm direct victims of attacks. Perceived security issues can lead to a catastrophic loss of confidence in a given protocol, prompting its users to move their assets elsewhere. With reduced economic activity, the reward for validators that dedicate computing power to securing that network also diminishes, making them less likely to participate. The resulting death spiral has befallen cryptocurrencies such as bitcoin gold.

     A second vector of insecurity hanging over even legitimate uses of cryptocurrencies is their dependence on crypto exchanges. The exchanges are the gateways to crypto ecosystems, allowing users to turn tokens such as bitcoin or ether into government-issued (or fiat) currencies, such as Australian dollars. Well-functioning exchanges are required for the secure operation of cryptocurrencies. If validators can’t ‘cash out’ their crypto tokens into a local fiat currency, they won’t be able to pay any bills that require fiat cash, such as rent, utilities and taxes.

     Effective regulation of exchanges is therefore essential. In Australia, crypto is treated as a form of property and exchanges are regulated by the Australian Securities and Investments Commission. Elsewhere, however, crypto exchanges are often very loosely regulated, flout the regulations that do apply, or both. Major exchanges are hacked on a near-monthly basis, are plagued by exit scams (in which operators seize users’ assets left on the exchange and disappear) and often exhibit breathtakingly poor security management.

     But the bigger problem is that the risks of crypto exchanges are global, and even strong Australian regulation can’t protect against turmoil elsewhere. The effects of the collapse of, or a crackdown on, exchanges in one part of the world often ripple around the globe, as validators find it impossible to translate their crypto rewards from securing a network into a fiat currency that’s more widely accepted—and so drop out of the system entirely. As validators are eliminated, protocol security declines.

     The sky-high price of bitcoin today shows that the concerns about crypto exchanges have certainly not tanked the market for cryptos just yet, but that doesn’t mean that all is well in the industry. Instead, it points to another vulnerability with crypto exchanges: their shallow pools of liquidity and dependence on opaque digital assets to prop up crypto prices.

     The small size of crypto markets makes them highly vulnerable to manipulation. Though Bitcoin’s market capitalisation recently rocketed to a notional value of more than US$770 billion, so few coins are tradeable that one recent sale of 150 bitcoin was enough to drop the spot price by 10%. And markets for all coins are plagued by pump-and-dump schemes, in which large market players exploit a lack of liquidity to artificially inflate the price of smaller coins before selling large holdings at excessive values.

     Similarly troubling is the curiously central role of tether coins to the crypto ecosystem. Tether is a so-called stablecoin—a cryptocurrency designed to maintain parity with a particular fiat currency (typically the US dollar). Tether Limited has admitted in court that it doesn’t have the dollar reserves to fully back all outstanding tether tokens, and is being investigated by the New York attorney general for fraud. Nevertheless, tether has become crucial to the functioning of cryptocurrency markets and has a daily trading volume greater than that of the next three cryptocurrencies combined. It also appears to be closely associated with, if not the direct cause of, bitcoin’s recent price explosion.

     An ecosystem that is heavily dependent upon the vagaries of an opaque asset, that trades in shallow pools of liquidity vulnerable to manipulation and that has no institutional safeguards against technical mishaps is inherently insecure. No action that Australian regulators could take on their own would be sufficient to truly defang such structural risks. Investors who choose to speculate on such a product of course remain largely free to do so, but regulators will need to strictly scrutinise any proposed use of crypto to underpin public services (as countries such as Georgia are doing) or as a central component of the financial system.

     Ben Power holds a PhD in political science from the University of Wisconsin—Madison. Image: Chesnot/Getty Images.

     Source: The security risks of bitcoin
  5. US Department of Defense (DoD) employees bought electronics worth over $32.8 million in fiscal year 2018 that were known to contain security vulnerabilities, a report by the Pentagon's inspector general said last week.

     These acquisitions were made by Army and Air Force employees using government-issued payment cards for micro-purchases of under $10,000. As a result of these purchases, the DoD Inspector General believes the Army and Air Force are introducing vulnerable equipment into their networks that may be exploited by US adversaries. The report specifically listed Lexmark printers, GoPro cameras and Lenovo computers as examples of problematic products.

     The Lexmark purchases

     "Army and Air Force GPC [government purchase card] holders purchased over 8,000 Lexmark printers, totaling more than $30 million, for use on Army and Air Force networks," the DoD Inspector General (DODIG) report said. Purchasing printers from Lexmark was a big mistake, auditors said, citing a 2018 Congressional report on supply chain vulnerabilities that warned against using Lexmark devices, claiming the China-based company had connections to the Chinese military and to the country's nuclear and cyberespionage programs.

     In addition, the DODIG pointed out that Lexmark printers have been affected by more than 20 vulnerabilities in the past, "including storing and transmitting sensitive network access credentials in plain text and allowing the execution of malicious code on the printer." "These vulnerabilities could allow remote attackers to use a connected Lexmark printer to conduct cyberespionage or launch a denial of service attack on a DoD network," the DODIG said.

     The GoPro purchases

     Furthermore, the Army and Air Force also bought 117 GoPro action cameras worth nearly $98,000. "However, the cameras have vulnerabilities that could allow a remote attacker access to the stored network credentials and live video streams," auditors said. "By exploiting these vulnerabilities, a malicious actor could view the video stream, start recording, or take pictures without the user's knowledge."

     The Lenovo purchases

     But the biggest issue was with Lenovo computers. Although these were not the most costly purchases, the DODIG highlighted several problems with buying Lenovo gear, chief among them the numerous security warnings the US government has issued against using these devices. For example, in 2006 the State Department banned the use of Lenovo computers on its classified networks after reports that Lenovo computers were manufactured with hidden hardware or software used for cyberespionage. The DHS issued a similar warning in 2015 about Lenovo computers containing pre-installed spyware, along with various critical vulnerabilities. In 2016, the Joint Chiefs of Staff Intelligence Directorate also issued its own alert about Lenovo, warning that handheld Lenovo devices could introduce compromised hardware into the DoD supply chain, creating a cyberespionage risk to classified and unclassified DoD networks. Despite all these past warnings, the Army bought 195 Lenovo products in 2018, totaling just under $268,000, and the Air Force purchased another 1,378 Lenovo products for $1.9 million.

     DoD agencies are ignoring previous warnings

     The report highlighted that DoD agencies have often ignored previous cyber-security alerts when making these micro-purchases. For example, the report stated that Lexmark printers were still available for purchase through the Navy Marine Corps Intranet COTS [commercial off-the-shelf] catalog and had been certified for use on the Navy network as recently as February 2019, despite the US government's warning against using devices from this vendor.

     The DODIG report blamed these issues on DoD management failures. Auditors said the DoD had failed to establish a department to develop a strategy for managing cybersecurity risks, one that could put together a list of approved products that DoD staff could consult before making purchases. Auditors said the DoD had tried to do this in the past, namely with the Office of the Under Secretary of Defense for Research and Engineering's Joint Federated Assurance Center, but had failed to grant it operational capability, meaning the body existed only on paper.

     The DODIG report, titled "Audit of the DoD's Management of the Cybersecurity Risks for Government Purchase Card Purchases of Commercial Off-the-Shelf Items," is a window into the biggest national security problem the US faces right now: supply chain attacks. The National Counterintelligence and Security Center (NCSC), part of the Office of the Director of National Intelligence, proclaimed April 2019 National Supply Chain Integrity Month in an attempt to get state agencies and the private sector to review their supply chains and take note of equipment and software they were buying from known US adversaries, such as China. Earlier this week, two US senators also introduced a bipartisan bill named the Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property and Supply (MICROCHIPS) Act, which would create a state agency for testing hardware and software that goes into the supply chain of the US military and other federal agencies. With political tensions with China at an all-time high, US government officials fear that a potential incident between the two countries could have catastrophic effects on US IT infrastructure, which is now riddled with Chinese-made equipment.

     Source