Showing posts with label security. Show all posts

Saturday, August 23, 2014

USB Devices and Malware Attacks

New Flaws in USB Devices Let Attackers Install Malware: Black Hat
[...] In a blog post providing more insight into the talk, Nohl and Lell reveal that the root trigger for their USB exploitation technique is by abusing and reprogramming the USB controller chips, which are used to define the device type. USB is widely used for all manner of computer peripherals as well as in storage devices. The researchers alleged that the USB controller chips in most common flash drives have no protection against reprogramming.

"Once reprogrammed, benign devices can turn malicious in many ways," the researchers stated.

Some examples they provide include having an arbitrary USB device pretend to be a keyboard and then issue commands with the same privileges as the logged-in user. The researchers contend that detecting the malicious USB is hard and malware scanners similarly won't detect the issue.

I'm not surprised, and no one else should be, either. After all, this isn't the first time researchers at a Black Hat USA security conference demonstrated how USB can be used to exploit users.

Last year, at the Black Hat USA 2013 event, security researchers demonstrated the MACTANS attack against iOS devices. With MACTANS, an Apple iOS user simply plugs in a USB plug in order to infect Apple devices. Apple has since patched that flaw.

In the MACTANS case, USB was simply used as the transport cable for the malware, but the point is the same. Anything you plug into a device, whether it's a USB charger, keyboard or thumb drive has the potential to do something malicious. A USB thumb drive is widely speculated to be the way that the Stuxnet virus attacked Iran's nuclear centrifuges back in 2010. The U.S. National Security Agency (NSA) allegedly has similar USB exploitation capabilities in its catalog of exploits, leaked by whistleblower Edward Snowden.

While the Security Research Labs researchers claim there are few defenses, the truth is somewhat different.

A reprogrammed USB device can have certain privileges that give it access to do things it should not be able to do, but the bottom line is about trust. On a typical Windows system, USB devices are driven by drivers that are more often than not signed by software vendors. If a warning pops up on a user's screen to install a driver, or that an unsigned driver is present, that should be a cause for concern.

As a matter of best practice, don't plug unknown USB devices into your computing equipment. It's just common sense, much like users should not open attachments that look suspicious or click on unknown links. The BadUSB research at this year's Black Hat USA conference is not as much a wake-up call for USB security as it is a reminder of risks that have been known for years.
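
A defender-side check for the device-type abuse described in this post, added here as an illustration and not taken from the article or the researchers: it reads the interface classes each USB device advertises on Linux and flags a storage device that also presents a keyboard, a keyboard that was never approved, or a known device whose interfaces changed. The allowlist, the baseline format and the sample devices are assumptions constructed for the example.

```python
from dataclasses import dataclass
from pathlib import Path

HID, MASS_STORAGE = 0x03, 0x08      # USB-IF interface class codes
BOOT_KEYBOARD = (0x03, 0x01, 0x01)  # HID class, boot subclass, keyboard protocol
# Limitation: a keyboard that does not use the boot protocol is only visible
# in its HID report descriptor, which this example does not parse.


@dataclass(frozen=True)
class UsbDevice:
    vendor: str        # idVendor as a hex string
    product: str       # idProduct as a hex string
    serial: str        # may be empty; many devices report none
    interfaces: tuple  # one (class, subclass, protocol) triple per interface

    @property
    def identity(self):
        return (self.vendor, self.product, self.serial)


def _attr(path, name, default=""):
    f = path / name
    return f.read_text().strip() if f.is_file() else default


def read_sysfs(root="/sys/bus/usb/devices"):
    """Build UsbDevice records from a Linux sysfs USB tree."""
    devices = []
    for dev in sorted(Path(root).iterdir()):
        if not (dev / "idVendor").is_file():
            continue  # interface entries such as "1-1:1.0" have no idVendor
        triples = tuple(
            tuple(int(_attr(i, n, "0"), 16) for n in
                  ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
            for i in sorted(dev.glob(dev.name + ":*"))
            if (i / "bInterfaceClass").is_file()
        )
        devices.append(UsbDevice(_attr(dev, "idVendor"), _attr(dev, "idProduct"),
                                 _attr(dev, "serial"), triples))
    return devices


def audit(devices, approved_keyboards, baseline):
    """Return a list of (device, reason) findings.

    approved_keyboards: identities allowed to act as a keyboard.
    baseline: identity -> interface triples recorded when the device was trusted.
    A reprogrammed device can also report a new identity, so the baseline
    comparison only helps for devices that keep the one they had.
    """
    findings = []
    for d in devices:
        classes = {c for c, _, _ in d.interfaces}
        if BOOT_KEYBOARD in d.interfaces and d.identity not in approved_keyboards:
            findings.append((d, "keyboard interface on a device not approved as a keyboard"))
        if HID in classes and MASS_STORAGE in classes:
            findings.append((d, "storage and HID interfaces on the same device"))
        known = baseline.get(d.identity)
        if known is not None and set(known) != set(d.interfaces):
            findings.append((d, "interface set differs from the recorded baseline"))
    return findings


# Constructed sample data: placeholder IDs, not captured from real hardware.
FLASH = (MASS_STORAGE, 0x06, 0x50)  # SCSI transparent command set, bulk-only transport
SAMPLE = [
    UsbDevice("aaaa", "0001", "KB001", (BOOT_KEYBOARD,)),        # approved keyboard
    UsbDevice("bbbb", "0002", "FD001", (FLASH,)),                # ordinary flash drive
    UsbDevice("cccc", "0003", "FD002", (FLASH, BOOT_KEYBOARD)),  # drive that also types
]
APPROVED = {("aaaa", "0001", "KB001")}
BASELINE = {("cccc", "0003", "FD002"): (FLASH,)}

if __name__ == "__main__":
    for device, reason in audit(SAMPLE, APPROVED, BASELINE):
        print(f"{device.vendor}:{device.product} serial={device.serial}: {reason}")
```

On a live Linux host, `audit(read_sysfs(), APPROVED, BASELINE)` runs the same checks against the attached devices.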

     

Tuesday, October 25, 2011

The Next Level of Cyber Terrorism?

Are we there yet? See what you think:

Science fiction-style sabotage a fear in new hacks
[...] For years, ill-intentioned hackers have dreamed of plaguing the world's infrastructure with a brand of sabotage reserved for Hollywood. They've mused about wreaking havoc in industrial settings by burning out power plants, bursting oil and gas pipelines, or stalling manufacturing plants.

But a key roadblock has prevented them from causing widespread destruction: they've lacked a way to take remote control of the electronic "controller" boxes that serve as the nerve centers for heavy machinery.

The attack on Iran changed all that. Now, security experts — and presumably, malicious hackers — are racing to find weaknesses. They've found a slew of vulnerabilities.

Think of the new findings as the hacking equivalent of Moore's Law, the famous rule about computing power that it roughly doubles every couple of years. Just as better computer chips have accelerated the spread of PCs and consumer electronics over the past 40 years, new hacking techniques are making all kinds of critical infrastructure — even prisons — more vulnerable to attacks.

One thing all of the findings have in common is that mitigating the threat requires organizations to bridge a cultural divide that exists in many facilities. Among other things, separate teams responsible for computer and physical security need to start talking to each other and coordinate efforts.

Many of the threats at these facilities involve electronic equipment known as controllers. These devices take computer commands and send instructions to physical machinery, such as regulating how fast a conveyor belt moves.

They function as bridges between the computer and physical worlds. Computer hackers can exploit them to take over physical infrastructure. Stuxnet, for example, was designed to damage centrifuges in the nuclear plant being built in Iran by affecting how fast the controllers instructed the centrifuges to spin. Iran has blamed the U.S. and Israel for trying to sabotage what it says is a peaceful program.

Security researcher Dillon Beresford said it took him just two months and $20,000 in equipment to find more than a dozen vulnerabilities in the same type of electronic controllers used in Iran. The vulnerabilities, which included weak password protections, allowed him to take remote control of the devices and reprogram them.

"What all this is saying is you don't have to be a nation-state to do this stuff. That's very scary," said Joe Weiss, an industrial control system expert. "There's a perception barrier, and I think Dillon crashed that barrier."

One of the biggest makers of industrial controllers is Siemens AG, which made the controllers in question. The company said it has alerted customers, fixed some of the problems and is working closely with CERT, the cybersecurity arm of the U.S. Department of Homeland Security.

Siemens said the issue largely affects older models of controllers. Even with those, the company said, a hacker would have to bypass passwords and other security measures that operators should have in place. Siemens said it knows of no actual break-ins using the techniques identified by Beresford, who works in Austin, Texas, for NSS Labs Inc.

Yet because the devices are designed to last for decades, replacing or updating them isn't always easy. And the more research that comes out, the more likely attacks become.

One of the foremost Stuxnet experts, Ralph Langner, a security consultant in Hamburg, Germany, has come up with what he calls a "time bomb" of just four lines of programming code. He called it the most basic copycat attack that a Stuxnet-inspired prankster, criminal or terrorist could come up with.

"As low-level as these results may be, they will spread through the hacker community and will attract others who continue digging," Langner said in an email.

The threat isn't limited to power plants. Even prisons and jails are vulnerable. [...]

The complications of the modern age. Our Brave New World.
     

Wednesday, June 22, 2011

DIY home security systems. Whatzagoodone?

I've been looking at security systems on Amazon.com. Something we could install ourselves, and not have to pay monthly fees. This one looked like one of the better ones:


AAS-V700 Wireless Home Security Alarm System Kit DIY (R)
Technical Details

* Comes with 3 horns which is essential for any alarm system (one outdoor for your neighbours to hear and two indoor for yourself)

* 99 Zone Display Wireless Security System (Supports an unlimited number of sensors per zone),provides the most extensive coverage.

* Two type passwords. administrative password allow to program and operate the system. user's password only allows to operating the system .

* Four types of defense zones that offers enhanced accuracy and alarm capacity: emergency, arm, home arm, door chime and specially engineered false-alarm preventing mechanism.

* Auto-Dials up to 6 phone numbers when alarm is tripped w/redial ( plays personal recorded outgoing message). self monitoring. no monthly fees

* Multiple sensors to meet your home and business security need. you can always add more sensors to your system.

* Phone Line Anti-Cut Monitoring (Alarm sounds if phone line is cut)

* Rechargeable Backup Battery (Built into the keypad/control panel)

* Programmable Entry Delay (0 to 30 minutes)

* Programmable Exit Delay (0 to 30 minutes)

* Programmable siren time(0 to 30 minutes)

* Audible or Silent Alarm Mode

* Power & Armed LED Light Indicators

* Zone LED Light Indicators

* Remote Access By Phone Features ( Arm, Disarm, Monitor Mode)

* Easy install, no professional required. no installation charge.

* Reset to Factory Settings

[...]

This brand has high ratings on Amazon. But then I saw this in the comments:
[...] The seller is rebating $20 to everyone who posts a 5 star rating. Not ethical. I have not considered the rebate when I posted a high rating - the product is worth the money.

I had noticed that a lot of the five star reviews did list complaints or criticisms, which made me wonder why they gave it 5 stars anyway. Now I know why.

So is it worth the money? Who knows. So far it sounds like the best thing I've looked at. But buying electronics is so tricky nowadays, you just have to wonder about the quality and if it's going to last.
     

Tuesday, February 01, 2011

Smoke Detectors: Photoelectric VS Ionization

Our smoke detectors are over 10 years old now, and should be replaced. One of them has been "chirping" in the early hours of the morning, when the temperature gets cold, which led me to investigate why. So I've ordered two of these as replacements:


First Alert SA720CN Smoke Alarm Photoelectric Sensor with Escape Light
[...] The SA720CN alarm uses photoelectric sensing technology, which is generally more sensitive than commonly used ionization technology, to detect large smoke particles. Large smoke particles tend to be produced in greater amounts by slow-to-burn fires (often caused by cigarettes burning in couches or bedding), which may smolder for hours before bursting into flame.

An added bonus, photoelectric sensing technology reduces false alarms like those caused by cooking smoke and shower steam.

As easy to operate as it is effective, the SA720CN boasts patented OptiPath technology, which provides 360-degrees of direct access to the smoke sensor. Additionally, a mute button quickly silences false alarms for up to 15 minutes and also doubles as an alarm test button. [...]

Most of the smoke detectors nowadays have both photoelectric and ionization technology. But I bought this one, which only uses photoelectric, because of this customer comment:

Ionization detectors DO NOT WORK
Folks,
Ionization detectors DO NOT protect you. The results and test methods are false due to the fire industry's cozy relationship with smoke detector manufacturers (yes, direct kick backs, look it up) and money for lobbyists in Sacramento and Washington DC. The profit margin on ionization detectors is much higher than photoelectric. Only photoelectric (required in commercial buildings - why not residential?) WORK. 75% of ionization detectors did not sound AT ALL in smoke filled rooms lethal to humans and have failed repeated independent tests.

I'm a 20 year veteran of the fire service and a paramedic. I can guarantee you will DIE from smoke inhalation before an ionization alarm EVER goes off. No one dies from being burnt, you die from asphyxiation due to smoke and poisonous gases. Read this and only buy photoelectric. There's too much information for me to go into it here. Be sure and follow the World Safety Fire Foundation link. If that doesn't convince you to go photoelectric you're playing with death. Email [...] and if you send a SASE I will send you a dvd proving much of these assertions to you. It includes a show from Canadian TV that is ILLEGAL to show in the US as well as other information. BE SAFE! My dept's Chief's message is below:
BD

Chief's Message
Warning: Your smoke alarm may not detect smoke

Currently, there is great confusion regarding the topic of smoke alarms. There are two types of smoke alarms used to protect residents in the event of a fire; photoelectric and ionization smoke alarms- both respond differently to smoke and flame.

Ionization smoke alarms react poorly to deadly smoke but faster to flames while photoelectric alarms react much faster to smoke. Ionization alarms are present in over 95% of homes in America and have a high failure rate when it comes to detecting smoke. The problem is, most deadly fires are smoldering fires and not fast flaming fires. By now, most people understand it is deadly smoke and heat that kills you before the flames even reach you. Ionization alarms should be labeled flame alarms and not smoke alarms.

An example of a fast flaming fire would be a Christmas tree fire, which certainly have claimed their share of resident's lives, but nowhere near the number of lives claimed by smoldering fires. Other fast flaming fires would be kitchen fires, which are the leading cause of residential fires, but rarely do they claim lives. I implore you to watch the following videos and audio clips: video 1, video 2, video 3, video 4 (University of Cincinnati presentation), audio clip 1.

Arguably, a greater problem with the ionization alarm is the number of false alarms it renders, thus leading to residents disconnecting the alarm altogether. I must include an interesting story - a couple of years ago, with my infinite knowledge, I installed a combination ionization/photoelectric smoke alarm in my living room. Because my home is not large, the house is heated by a wood burning stove. After numerous false alarms (initiated by the invisible smoke) started by my stove, I gave up using the hush button (as it did not silence long enough) and disconnected the battery and remained disconnected until I went to bed.

Finally after one season, I placed the combination alarm in my bedroom (replacing the older alarm) and placed a new photoelectric alarm in my living room. Do I need to tell you the results? Not one false alarm. So my point is, how many residents (worldwide) give up and just permanently disconnect the ionization alarm and expose themselves to a potential lethal smoldering fire? Moreover, there have been many fire deaths worldwide with working ionization smoke alarms present but failed to detect smoke. Regrettably, the fire industry has yet to take an official stand to eliminate ionization smoke alarms once and for all.

Sincerely,

Marc McGinn

Albany Fire Chief

P.S. I urge you to immediately replace your current ionization smoke alarms that do not detect smoke, with photoelectric smoke alarms, and for more extensive information please visit [...]. If you have any additional questions or need assistance I welcome your phone call at [...].

[...]

I've read that ionization detection is supposed to be good for detecting flash fires, like Christmas trees and waste paper baskets, that flare up suddenly with lots of flame and little smoke. The ionization supposedly detects invisible particles that these kinds of fires generate.

Perhaps they do. Unfortunately, they also detect dinner cooking, steam from the shower, your wood stove working normally, etc. The result can be too many false alarms.

I'm one of those people who pulls the battery out when the alarm goes off too often. So IMO, it stands to reason that a properly sensitized smoke detector with the battery in it is going to be more effective than an overly sensitive one with the battery removed. So I've opted for the photoelectric ONLY model (Actually it's also the only one like it that I saw on Amazon.com; the rest all seem to be "dual" technology).

So that's how I came to make that choice. And just in case, we have another back-up system, too... DOGS.
     

Sunday, December 12, 2010

"Linux is the only safe option for Windows users interested in online banking"

Is it true? Computerworld's Michael Horowitz seems to think so:

Being safe with Ubuntu on a USB flash drive
One of the best things a Windows user can do for Defensive Computing is to have a bootable copy of Linux on hand. The classic reason being to rescue a broken copy of the operating system, but the much more important reason is for on-line banking.

Anyone that does online banking on a Windows machine is taking a huge risk. Most likely they don't understand how sophisticated the bad guys are at writing malware. For example, man-in-the-browser attacks even defeat two factor authentication schemes.

No amount of Defensive Computing for Windows can ever be close to perfect. Linux is the only safe option for Windows users interested in online banking.

[...]

My USB flash drive with Linux was getting a bit old, so I set out to create a new one with the latest version (10.10) of Ubuntu.

I was pleasantly surprised that the Ubuntu download page now includes instructions for installing the system onto a USB flash from Windows, OS X and, of course, Ubuntu. In the old days, I used to create a CD, boot to it and then use the included Startup Disk Creator from within Ubuntu to create a bootable copy on a USB flash drive. This was documented poorly and failed as often as it succeeded.

Thankfully, Canonical, the company behind Ubuntu, now seems to have endorsed the Universal USB Linux Installer available at Pendrivelinux.com. I've used it in the past, from within Windows, with good success.

The bad news is that Canonical's documentation is far from complete. You are much better off reading about the Universal USB Installer from the source.

In brief, this is what you need to know. [...]

Read the whole thing, for the embedded links and more. In the comments after the article, are some suggestions for hardening your Windows system for security with on-line banking.

I've tried other USB installers for Linux, but not this Universal USB Installer. I will try it next. I'm just about to start using on-line banking, so this subject interests me. The installer works with just about any Linux distribution you choose, so I will be experimenting with it.
     

Tuesday, June 08, 2010

Britain's Con-Dems and the Islamists

The UK and Islamist Terror: Conservatives Putting the Nation at Risk?
[...] The Conservative-led coalition government faces serious challenges, perhaps most especially in regard to Islamist extremism, which it seems intellectually ill-equipped to combat.

Pundits suggest that the coalition ("Con-Dem") government will collapse, possibly within a year or two, and that the Labour party might even be swept back into office. With the Conservatives having abandoned their defining values, and having aligned themselves with the left-wing Liberal Democrats, another threat comes from the right, both from within and from without the party.

Three days before the election, the Conservatives issued their A Contract for Equalities - arguably their real manifesto – articulating how the party would make anti-discrimination "central" to a Conservative government. The problem is not that the Conservatives want people to be judged by their character rather than by the skin color, etc. That is entirely right and proper – as virtually everyone in Britain recognizes.

The problem is that this sort of "anti-discrimination" is ideological: those who openly reject cultural relativism, believe in Britishness, democracy, etc., constitute an oppressor class, that has, and that is, dominating various oppressed classes. This is not an ideology in which Whites are regarded as the exclusive oppressors of non-Whites, but, rather, one in which the West oppresses the non-Western. The Sikh that champions democracy and inveighs against radical Islam is also certain to be deemed a "racist" and lumped in with neo-Nazis.

Cameron believes that people become Islamists – and, perhaps eventually commit acts of terror – not because they are attracted to, and eventually believe in, Islamist ideology per se, but because they have been oppressed. Islamist ideology is not a factor, as attraction to it must be preceded by discrimination. The nation is to blame.

This was perfectly clear from his statements and actions in the lead-up to the election.

By pushing female, gay, ethnic and religious minorities into safe seats, and thus into government, Cameron asserted, other members of these groups would realize that they were equal citizens in Britain, with equal rights and opportunities. By merely seeing more "minority" MPs, the rifts in society would magically repair themselves.

According to the party's pre-election statement on national security, "Government cannot provide security without the trust and support of its citizens." In other words, if Muslims do not trust or support the government, then they might drift into extremism. The Conservatives thus promised to "review and consolidate […] counter-terrorism and security laws introduced by Labour," and especially to review the "Prevent" scheme, "supposed to stop vulnerable people from becoming terrorists but which has been accused of spying on innocent Muslims." (Prevent was set up by the previous government, specifically to combat the growth of Islamist extremism and terrorism, by working with Imams, and so on.)

Cameron shares his "anti-discrimination" worldview with coalition partners, the uncompromisingly left-wing, LibDems. Of greater consequence, though, it has also now become the defining ideology of most of those at the top of the "progressive" Conservative party. [...]

The full article gives examples of what the dangers are, and where this appears to be going.

Regardless of what anyone may think of "identity politics", one can argue that this strategy of the Brits has had some success in politically co-opting and placating some groups that might otherwise be more hostile. It may even work with some Muslims. But with the hard-core Islamists, who actually implement terrorist attacks? Will they not just see it as more appeasement and weakness, and cause them to attack even more furiously and intently? That's what the author of the article seems to think. That Cameron and the Con-Dems are putting themselves and the country in harm's way. In any case, regardless of what any of us thinks, we shall see what happens.


Meanwhile, we have a similar dynamic at work in our own government:

The Alien in the White House
The author goes on about the President in particular, but also about people in his administration and their views, which on matters of terrorism, are similar to Great Britain's government:
[...] And who can forget the exhortations on jihad by John Brennan, Mr. Obama's chief adviser on counterterrorism? Mr. Brennan has in the past charged that Americans lack sensitivity to the Muslim world, and that we have particularly failed to credit its peace-loving disposition. In a May 26 speech at the Center for Strategic and International Studies, Mr. Brennan held forth fervently, if not quite comprehensibly, on who our enemy was not: "Our enemy is not terrorism because terrorism is just a tactic. Our enemy is not terror because terror is a state of mind, and as Americans we refuse to live in fear."

He went on to announce, sternly, that we do not refer to our enemies as Islamists or jihadists because jihad is a holy struggle, a legitimate tenet of Islam. How then might we be permitted to describe our enemies? One hint comes from another of Mr. Brennan's pronouncements in that speech: That "violent extremists are victims of political, economic and social forces."

Yes, that would work. Consider the news bulletins we could have read: "Police have arrested Faisal Shahzad, victim of political, economic and social forces living in Connecticut, for efforts to set off a car bomb explosion in Times Square." Plotters in Afghanistan and Yemen, preparing for their next attempt at mass murder in America, could only have listened in wonderment. They must have marvelled in particular on learning that this was the chief counterterrorism adviser to the president of the United States. [...]

Can you say "Dhimmitude"? You can be sure that Muslim extremists can.
     

Wednesday, February 03, 2010

Is internet security approaching a crisis?

According to this, yes:

Intel Chief: U.S. at Risk of Crippling Cyber Attack
The United States is at risk of a crippling cyber attack that could "wreak havoc" on the country because the "technological balance" makes it much easier to launch a cyber strike than defend against it, Director of National Intelligence Dennis Blair said Tuesday.

Blair, speaking to the House Intelligence Committee, said U.S. tools are not yet up to the task to fully protect against such an attack.

"What we don't quite understand as seriously as we should is the extent of malicious cyberactivity that grows, that is growing now at unprecedented rates, extraordinary sophistication," Blair said. "And the dynamic of cyberspace, when you look at the technological balance, right now it favors those who want to use the Internet for malicious purposes over those who want to use it for legal and lawful purposes."

Blair said the United States must "deal with that reality," and warned of the catastrophic consequences of a major attack.

"Attacks against networks that control the critical infrastructure in this country ... could wreak havoc," Blair said. "Cyber defenders right now, it's simply the facts of the matter, have to spend more and work harder than the attackers do, and our efforts frankly are not strong enough to recognize, deal with that reality."

He said one critical "factor" is that more and more foreign companies are supplying software and hardware for government and private sector networks.

"This increases the potential for subversion of the information in ... those systems," Blair said.

Blair also told Congress Tuesday that the Internet is providing the fuel for the growing problem of "homegrown radicalization." [...]

It goes on to talk about how the internet is also being used to organize attacks and communicate instructions and arrange financing, by the very people who would destroy it. It also reports that senior intelligence officials told Congress Tuesday that Al Qaeda could try to carry out an attack in the United States in the next three to six months. Read the rest for details of what that could mean.

Our business, government and utilities have become increasingly dependent on the internet, for day to day functioning. I doubt people are going to realize how much so, until a major attack occurs, and things we all take for granted no longer work, and we see how many functions of things and systems are affected, directly and indirectly.

I've posted about this before. I would much rather post about solutions to these problems, but I've not seen any. I'm really hoping that some great minds are working on solutions for this situation, and that we see some real defenses created, to halt this growing imbalance. Right now it's looking bleak.

This is one of the reasons I'm learning about Ham Radio. It's not dependent on 3rd party networks or infrastructure, and may be one of the few things that works when nothing else does.
     

Saturday, January 09, 2010

Napolitano should step down ... now


From Neal Boortz: THE REPORT
[...] After much delay, Barack Obama finally made his speech on the crotch bomber and the failure of our intelligence community to stop him from boarding a plane to the United States. If you would like to read the report in its entirety, you can click here. After reading the report, it seems to boil down to this: We had the intelligence, but we got lazy. Or comfortable. Whatever adjective you want to use, the fact is that we had the information but no one put it together.

Actually ... I really think Obama has paid heed to his wakeup call. He's serious about this. Health care is one thing .. but negligently allowing a terrorist attack on our soil would do much more to doom his presidency than would the failure of ObamaCare. He's not yet at the point where he's willing to abandon a lot of the political correctness that goes hand-in-hand with our anti-terrorism efforts (at least not in the open) but hopefully that will come.

Are you upset that no heads rolled yesterday? Yeah .. me too. But in retrospect maybe it is a good idea to concentrate on the mission right now and deal with those not mission-capable down the road. Just bypass them for the time being. My guess is that Napolitano's influence as Homeland Security Director is quite a bit less than it was .. and that she's brushing up her resume as we speak.

You did hear what she said yesterday, didn't you? She said that she was really surprised by the dedication of these Islamic terrorists .. and then she indicated her surprise that they were using individual operatives in their efforts to kill non-believers. Come on now. That guy in the dump truck who cut you off this morning knew this ... and our Homeland Security Director is surprised?

This particular Obama appointment could cost American lives. She needs to go .. as soon as possible.

Bold emphasis mine. I have to agree. The more Napolitano speaks, the more incompetent she sounds. Keeping her there will only make things worse.
     

Tuesday, November 10, 2009

FireFox: more vulnerable, or just a bigger target?

Firefox Tops Vulnerability List
New study places Firefox at the top of vulnerability list for the first half of 2009.
Application security vendor Cenzic today released its security trends report for the first half of 2009 application. In it, Cenzic claims that Mozilla's Firefox browser led the field of Web browsers in terms of total vulnerabilities.

According to Cenzic, Firefox accounted for 44 percent of all browser vulnerabilities reported in the first half of 2009. In contrast, Apple's Safari had 35 percent of all reported browser vulnerabilities, Microsoft's Internet Explorer was third at 15 percent and Opera had just six percent share.

The 2009 figures stand in contrast to Cenzic's Q3/Q4 2008 report, where IE accounted for 43 percent of all reported Web browser vulnerabilities and Firefox followed closely at 39 percent.

As to why Firefox's numbers were so high, Cenzic has a few ideas.

"It's a combination of different things," Lars Ewe, CTO of Cenzic, told InternetNews.com. "They've gotten more traction as a browser, which is good for them and the more you get used the more exposure you have. As well a fair amount of the vulnerabilities have come by way of plug-ins."

[...]

Though Firefox had the highest number of vulnerabilities, that doesn't necessarily mean that Firefox users were more vulnerable. [...]

It goes on to explain how the study was done, what they found and what it actually means. Higher usage means more vulnerabilities found more quickly. But how quickly the vulnerabilities are patched also counts toward the browser's overall security. I'm not worried about Firefox, I just find the report interesting.