Sunday, April 22, 2012

More Than Just a Bad Cable Connection


Have you ever had a problem in which your satellite dish needs to be adjusted, or your cable connection goes out? I think we've all experienced one of these. However, most of us have not experienced any television problems beyond these. It has recently come out, though, that there may be more serious problems on the horizon. These problems have to do with malware actually being used on modern televisions.

These attacks aren't actually happening much right now, except maybe in extremely rare cases. These flaws are being caused by the increase in TVs that are networked in some way, either to the Internet or to a local network of TVs in the home.

These attacks were discovered and disclosed on Thursday, April 19th by Italian security researcher Luigi Auriemma, who is known for his work in finding security flaws in Microsoft Windows and in various video games. He discovered a flaw in his brother's Samsung D6000 TV, in which he was able to set the TV on an endless loop where the TV would constantly restart, even after unplugging and plugging it back in. The TV was completely unusable for three days. According to Auriemma, the attack could be potentially carried out over the Internet.


Another flaw in TV security came about two weeks earlier than Auriemma's discovery. This vulnerability affects Sony Bravia TVs. Through use of the hping networking tool, the TV was rendered unusable: the volume and channels could not be changed, and all other functionality was blocked. After a short period of time, the TV is remotely shut off, and must be turned on at the physical location of the TV.


Apparently, TV manufacturers who were informed of these issues have offered no response about possible solutions. Auriemma discussed the issue he discovered with Samsung's response team, and reported that they have little in the way of helpful advice to offer. Reports to support@samsung.com were also unsuccessful.

Friday, April 20, 2012

More on Flashback


More information has been coming out about the Flashback trojan that has been infecting computers running Mac OS X. This story has been getting so much coverage because it will likely be remembered in history as the specific event that showed that Macs really aren't as secure as people once thought.

In my in-class presentation on Thursday, April 19th, I mentioned that Flashback was thought to have spread through malicious WordPress sites. This theory has now been confirmed. These WordPress sites would secretly redirect the visitor to a server that would determine the OS that the user was running and serve up an appropriate security exploit. This particular piece of software was not only used to spread the Flashback trojan, but to spread other malware as well.

While Apple did respond to this security flaw, they have received some criticism for their delayed response. They issued updates for the two most recent versions of Mac OS X, which did bring about the largest reported drop in the number of computers infected by Flashback. However, this update was only released last weekend, while Flashback itself was reported as early as September 2011.

Thursday, April 19, 2012

"Computer Security" Has Never Been More Literal!

http://arstechnica.com/gadgets/news/2012/04/you-have-20-seconds-to-comply-south-korea-unleashes-robot-guards.ars


What do you think of when you hear the term "computer security?" You probably think of what most people think of, which is security to protect computers. But, in some cases, you could interpret the word differently. You could think of computer security as meaning "computers providing security." In South Korea's Pohang prison, this is certainly the case.

The Pohang prison is actually using robots... as security guards. According to the prison, it's supposed to reduce costs and make the prison safer. The robot has various sensors, such as a camera, a microphone, and a speaker, and includes software that is designed to gather, interpret, and evaluate the behavior of inmates. The robots cannot actually do anything to harm or restrain the inmates. Currently they can only alert human guards about inmate misconduct, or what they interpret as human misconduct.

The robots are also able to function as what basically amounts to "Skype on wheels." The robots fully support wireless two-way communication through audio and video between the inmates and guards. This is intended to reduce response time in the event of an emergency.

Though these robots are now very costly, following this one-month trial run (which costs $750,000), the Asian Forum of Corrections is hoping to permanently implement these robots. Eventually, after testing and tuning, these robots are supposed to carry out random weapon and contraband searches. 

Thursday, April 12, 2012

Stating The Obvious

http://www.wired.com/threatlevel/2012/04/computer-fraud-and-abuse-act/


Unless you steal something, you cannot be charged with theft. Unless you murder someone, you cannot be charged with murder. And this makes sense, and this is a good thing. So, this recent court decision makes sense. The court decision in question states that, unless you are a hacker, you cannot be charged for hacking.


Let's look at this bill a little bit more. The specific bill is the Computer Fraud and Abuse Act, enacted in 1984 (any legislation that old relating to computers is likely to be outdated anyway). This bill has been interpreted to allow people who violate terms of service on websites, and who violate computer usage policies at their places of work, to be prosecuted as criminals. Rightfully so, this bill has recently been brought into question, and ultimately has been rebuked.


There's not much more to say about this bill; the legislation and the interpretation of the legislation basically speak for themselves. It's important to note that currently this rebuke was decided by the 9th U.S. Circuit Court of Appeals, which covers Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, and Washington. It is likely, however, that this will reach the Supreme Court at some point in the future, and will hopefully be rebuked on the national level. 

Just Like Cockroaches, These Bugs Live Forever

http://arstechnica.com/business/news/2012/04/rise-of-ics-forever-day-vulnerabiliities-threaten-critical-infrastructure.ars


This post is a follow-up to my post from last week about bugs in critical infrastructure systems, such as factories and water treatment plants. It turns out that there are many more systems that contain gaping vulnerabilities than just the one company that I mentioned last week. It also turns out that, in the case of many of these vulnerabilities, the companies do not intend to have the software patched to make it more secure.


Because the software used in these specific situations is often quite old, companies are simply refusing to have it patched. This means that, now not only are these security flaws known, but they are not even going to be fixed. This is a very bad and disturbing trend; whenever any important system has a security flaw, it should not only be patched, but it should be patched quickly.


These never-patched bugs are referred to as "forever day" bugs, because they're never fixed, even when they're known and acknowledged by the software developers responsible for them. These developers usually choose to take the easy way out, and instead of patching their software, just add information in user manuals informing the user how to avoid the threat. This type of laziness should not be tolerated, and in my opinion should not even be legal, especially since this is software that is being used in situations where safety is of the utmost importance.

Thursday, April 5, 2012

It's Not That You Forgot To Pay The Electric Bill, It's Just That Your System Is Vulnerable, And Got Hacked, And Now The Power Is Gone.


So, it seems that the Schneider-Electric corporation is pretty dumb. Unfortunately, this company makes technological components that are used in some of the most critical infrastructure areas that there are. It has just been revealed by researchers that their Modicon Quantum programmable logic controller, which is used to control things such as water plants and oil refineries, has some massive, massive security flaws.

The big flaw has to do with accessing the PLC (programmable logic controller) from a remote source. The PLC does not have any security restrictions that prevent it from being remotely accessed. Because of this, any computer with the capability of communicating with the PLC is able to issue commands to the PLC. These commands can do things like take control of the system or stop the system from operating altogether.
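The gap described above, seen from the monitoring side: an added example (not from the original post or from Digital Bond) that flags state-changing requests reaching a controller from hosts outside an approved list. It assumes the controller is spoken to over Modbus/TCP, which the post does not name; the trusted subnet, source addresses and frames are all constructed.

```python
import struct
from ipaddress import ip_address, ip_network

# Standard Modbus function codes that only read data. Anything else is
# treated as able to change controller state (conservative default).
READ_ONLY = {0x01, 0x02, 0x03, 0x04}

# Hypothetical allowlist: the engineering workstation subnet.
TRUSTED = [ip_network("10.20.0.0/28")]


def build(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a constructed Modbus/TCP request (MBAP header + PDU)."""
    return struct.pack(">HHHBB", tid, 0, len(data) + 2, unit, fc) + data


def parse_mbap(frame: bytes):
    """Return (transaction_id, unit_id, function_code) or raise ValueError."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return tid, unit, frame[7]


def review(src: str, frame: bytes) -> str:
    """Classify one observed request as 'ok', 'alert' or 'malformed'."""
    try:
        _, _, fc = parse_mbap(frame)
    except ValueError:
        return "malformed"
    trusted = any(ip_address(src) in net for net in TRUSTED)
    return "ok" if fc in READ_ONLY or trusted else "alert"


# Constructed traffic: (source address, request bytes).
READ = build(1, 1, 0x03, bytes([0, 0, 0, 2]))     # read holding registers
WRITE = build(2, 1, 0x06, bytes([0, 1, 0, 255]))  # write single register
SAMPLES = [("10.20.0.5", WRITE), ("192.0.2.44", READ),
           ("192.0.2.44", WRITE), ("192.0.2.44", READ[:5])]

if __name__ == "__main__":
    for src, frame in SAMPLES:
        print(src, frame.hex(), review(src, frame))
```

Because the controller itself accepts every request, a check like this has to live on a monitoring tap or filtering gateway in front of it.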

A researcher from Digital Bond originally created the code that allowed for these security attacks. This researcher, Reid Wightman, says that the purpose of the research was to urge or even force the companies creating these vulnerable technologies to fix these critical issues because they can turn out to have disastrous consequences. Digital Bond has continued to release, and is likely to keep releasing in the future, new modules of code that are able to exploit other vulnerabilities in similar products and software systems.

#StopSpam


Hallelujah, thank you Twitter! As Facebook keeps getting spammier (spammier is a word I just coined), Twitter is actually taking steps to become less spammy. They are going directly to the source, and suing the companies that create software that helps propagate spam.

By doing this, Twitter is making a serious statement that spam should be stopped. This shows that Twitter really does care about its users, and wants their product to be as high-quality as possible. Twitter is going after five of the top providers of spam-related-toolery, as well as the people who buy and use these tools.

There are 340 million tweets posted to Twitter every day. That means that, even if only 1% of tweets are posted by spambots (which is probably a conservative estimate), there are still 340 thousand of these spam tweets, or spweets, every day. In addition to their legal actions, Twitter is also enforcing other security measures, including building in functionality to their URL-shortener that will block links to malware and other dangerous content.