Posts Tagged ‘#hacking’

Researcher demonstrates how vulnerable Ledger Nano S wallets are to hacking

March 21, 2018

Cryptocurrency hardware wallet manufacturer Ledger can’t seem to catch a break.

Weeks after the company confirmed a flaw in its wallets which makes them susceptible to man-in-the-middle attacks, independent security researcher Saleem Rashid has demonstrated a new attack vector hackers can employ to break your Ledger Nano S and steal your precious coins – both physically and remotely.

“The vulnerability arose due to Ledger’s use of a custom architecture to work around many of the limitations of their Secure Element,” Rashid explains in a blog post. “An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely.”

The researcher has outlined at least three separate attack vectors, but his report focuses on the case of “supply chain attacks”, which do not require infecting target computers with additional malware, nor do they require the user to confirm any transactions.

As Rashid notes, the Nano S is equipped with two separate microcontroller units. One of the microcontrollers stores the private key and other confidential data, while the other one acts as its proxy to support its display function, buttons, and USB interface.

In the current setup, the former microcontroller can only communicate directly with the second unit, but the latter unit can communicate with peripherals on behalf of the former.

The problem, according to Rashid, is that unlike the former microcontroller which can perform cryptographic attestation to determine whether the device is running genuine Ledger firmware, the latter microcontroller has no way of confirming such information since it is non-secure.

The researcher points out the company has indeed implemented some mechanisms against hardware and software spoofing, but is quick to note that due to the non-secure nature of the latter microcontroller, the verification process is practically futile from the start.

This means that non-technical users are stuck with a device susceptible to attacks, but have no easy way of confirming their device hasn’t been tampered with. What is worse is that Ledger does not provide tamper-proof packaging, on the grounds that its devices are built to prevent any such interception or spoofing.

“Since the attacker controls the trusted display and hardware buttons, it is astonishingly difficult to detect and remove a well-written exploit from the device,” he wrote.

While CEO Eric Larchevêque has downplayed the severity of the vulnerability in comments on Reddit, Ledger has since released a firmware update (1.4.1) that mitigates the architecture shortcomings of the Nano S. You can grab the patch here.

In fact, Rashid himself has urged users to get the update as soon as possible.

Rashid further warns that the new Ledger Blue, which functions identically to the Nano S, has yet to get a firmware update. For what it’s worth, the researcher is first to admit that he hasn’t had a chance to look into the Blue’s architecture in depth – so there is a chance the device is not vulnerable to this exploit.

This is at least the second time the French cryptocurrency wallet manufacturer has come under fire for the deficient security of its devices. A few weeks back we wrote about a flaw in Ledger hardware wallets which makes it possible to infect the devices with malware designed to trick users into unknowingly sending their cryptocurrency to hackers.

While the company ultimately confirmed the issue, it added there is “no evidence that anyone in the Ledger community was impacted by this issue.”

It then went on to downplay the severity of the attack vector, arguing that the issue “is an industry wide issue.”

“All hardware wallets are affected,” a Ledger spokesperson told TNW over email back then. “This is not a vulnerability of the device, but a reminder about the fact you cannot trust what you see on the screen of your computer.”

We reached out to Ledger for further comment, but the company could not provide us with a written statement at the time of writing. We will update this piece with their statement as soon as we hear back from them.

In the meantime, those curious about all the little technical details behind the vulnerability disclosure can peruse the full report on Rashid’s official blog here.

Data-hucksters beware – online privacy is making a comeback

August 22, 2017

Next year, 25 May looks like being a significant date. That’s because it’s the day that the European Union’s general data protection regulation (GDPR) comes into force. This may not seem like a big deal to you, but it’s a date that is already keeping many corporate executives awake at night. And for those who are still sleeping soundly, perhaps it would be worth checking that their organisations are ready for what’s coming down the line.

First things first. Unlike much of the legislation that emerges from Brussels, the GDPR is a regulation rather than a directive. This means that it becomes law in all EU countries at the same time; a directive, in contrast, allows each country to decide how its requirements are to be incorporated in national laws.

Second, the purpose of the new regulation is to strengthen and rationalise data protection for all individuals within the EU. It also covers the export of personal data to outside the bloc. Its aims are to give control back to EU residents over their personal data and to simplify the regulatory environment for international business by unifying regulation, so that instead of having to deal with a range of data-protection issues in different jurisdictions, companies will effectively be able to obtain a “passport” for the entire region, much as financial services firms have been able to acquire.

Given that the use, abuse and exploitation of personal data has become the core business of the internet, anything that affects this is going to be a big deal. The GDPR extends EU data-protection law to all foreign companies that process the data of EU residents. So even if a company has no premises or presence within the EU, if it processes EU data it will be bound by the regulation. And the penalties for non-compliance or infringement are eye-watering, even by internet standards: fines up to €20m and/or 4% of global turnover.

The GDPR applies both to data “controllers” (who determine how and why personal data is processed) and “processors” (who handle the data on the controller’s behalf). The obligations on controllers are broadly similar to those imposed by current data-protection law. But if you’re a processor, then the regulation imposes specific legal obligations on you to maintain records of personal data and processing activities and you will have significantly more legal liability if you are responsible for a data breach. And any breach, no matter how small, has to be reported to the authorities within 72 hours.

More significantly, the GDPR extends the concept of “personal data” to bring it into line with the online world. The regulation stipulates, for example, that an online identifier, such as a device’s IP address, can now be personal data. So next year, a wide range of identifiers that had hitherto lain outside the law will be regarded as personal data, reflecting changes in technology and the way organisations collect information about people.

The regulation gives important new rights to citizens over the use of their personal information. They have the right, for example, to contest and fight decisions that have been made about them by algorithms processing their data. Valid consent has to be explicitly obtained for any data collected and for the uses to which it will be put. Consent for children’s data must be given by parents or guardians and data controllers must be able to prove that consent has been obtained.

Citizens will now have the right to request the deletion of personal information related to them – and companies will have to be able to prove that the offending data has been properly wiped (which may be more difficult than it sounds). And so on.

For many traditional companies – the ones that keep HR records, customer lists, contact details etc – the GDPR will probably make little practical difference, except for more onerous compliance requirements. But for organisations that have hitherto operated outside the reach of data-protection law, for example the hidden multitudes of data-hucksters, trackers, data-auctioneers and ad-targeters that operate behind the facade of websites, social media and Google, the GDPR represents an existential threat.

Facebook and Google should be OK, because they claim to have the “consent” of their users. But the data-broking crowd do not have that consent. As Advertising Age puts it: “Targeting and tracking companies will need to get user consent somehow. Everything that invisibly follows a user across the internet will, from May 2018, have to pop up and make itself known in order to seek express permission from individuals.” The new regulation will, it concludes, “rip the global digital ecosystem apart”.

Not before time, IMHO. In the meantime, three cheers for the EU. And – since you ask – the UK government has decided that the GDPR will apply here even after Brexit.

Hacking capture-the-flag event coming to rAge 2017

February 21, 2017

SecureConekt has announced it is organising a hacking competition for the rAge Johannesburg event in October.

The hacking event’s organiser, Errol Enslin, said rAge has partnered with them to establish the competition for hackers.

Enslin said they are assessing what interest there is for such a competition, which will determine the type of capture-the-flag (CTF) events:

Jeopardy-style CTF: Teams complete tasks in a range of categories, such as web, forensics, crypto, and binary. Points are awarded for solving tasks, with complex tasks worth more points. Once a task is complete, the team may progress to the next one.

Attack-Defence: Teams must defend their vulnerable host, or hosts, while attacking the other team.

Mixed competitions: A combination of task-based and versus competitions, with a weighted total score determining the winner.

“CTF games often touch on many other aspects of information security: cryptography, steganography, binary analysis, reverse engineering, mobile security, and others,” said Enslin.

“We will set up a decent prize, so competing will be worth it.”

He said the competition will give South African hackers a way to measure their skill and will help grow the local community.

“Hackathons are a good way for the administrators to witness what [hackers] are facing day to day.”

It will also give corporate security employees a tool to test their abilities within a controlled environment, he said.

WhatsApp scams: Gold, free money, spying apps and everything else you should worry about

November 4, 2016

Almost everybody uses WhatsApp. That’s what makes it so useful – but it’s also what makes it so dangerous.

As WhatsApp and other chat apps have grown, they’ve also picked up their unfair share of scams. They come in many different forms, and are often very convincing.

But the advice for steering clear and staying safe is the same as it is everywhere else on the internet, really. Just make sure that you stay vigilant and don’t fall for anything that seems too good or too worrying to be true.

Here are some of the things you should be looking out for.

Voucher scams

This is a tale at least as old as text messages. But it’s lived on into the WhatsApp age and is showing no sign of dying.

It works like this: a message arrives in your WhatsApp from someone who looks like your friend, recommending a deal they’ve found. The deal will usually be good – a voucher for £100 off at Sainsbury’s or TopShop, for instance, usually justified by the fact that the company is changing one of its systems or something.

But it’s barely ever real. The messages usually come with a link that actually takes you to another website and tricks you into handing over your personal information.

Staying safe from these is fairly simple: don’t ever click a link you’re not sure about and certainly don’t ever hand over personal information to a website you haven’t checked.

WhatsApp ending

Other fake messages claim that WhatsApp is going to end, unless enough people share a certain message. It isn’t happening.

The messages often look convincing, claiming to come from the CEO or another official. And they’re written using the right words and phrases, looking like an official statement.

But any official statement wouldn’t need users to send it to everyone like a round robin. If WhatsApp does actually shut down, you’ll either see it in the news or it’ll come up as a proper notification in the app from the actual WhatsApp team.

Or it’s shutting down your account

This is very similar – and a similarly old trick. They will usually say something that looks like an official message that claims that people’s WhatsApp accounts are being shut down for being out of use. Sending the message on will prove that it’s actually being used and

It’s not true. This is the kind of thing that’s been going round the internet for years – and has never actually been the case.

It works very well because it feels like the kind of thing that might happen, and instructs people to share it along.

Or making you pay

This, again, is the same. The only difference is that the message supposedly exempts you from having to pay for your account. It doesn’t, because the company isn’t ever going to force people to pay (and, if it does, it’ll announce it in the normal way).

As with all of these, ignore them and don’t forward them on.

WhatsApp Gold or WhatsApp Premium

This, unlike the other scams, is specific to WhatsApp. But it’s just as wrong.

The claim suggests that people pay for or download a special version of WhatsApp, usually called Gold or Premium. It offers a range of exciting-sounding features, like the ability to send more pictures, use new emoji or add extra security features.

The problem is that it’s far from secure – and is actually entirely made up. Downloading the app infects people’s phones with malware and lets them be used for crime. And sometimes it will force people to pay for something that not only is dangerous, but certainly won’t actually help make WhatsApp any better at all.

Emails from WhatsApp

Emails are dodgy enough. Emails plus WhatsApp are even dodgier.

There’s a range of scams out there that send people emails that look like they’ve come from WhatsApp, usually looking like a notification for a missed voice call or voicemail. But when people click through, they end up getting scammed – either by being tricked into giving over their information or through other means.

Don’t ever click on an email from a questionable sender. And WhatsApp will never send you emails including information about missed calls or voicemails.

Any you do get should be ignored and sent to the junk folder.

Fake WhatsApp spying apps

It’s just not possible to let people spy on other’s conversations on WhatsApp – or at least it shouldn’t be – because the company has end-to-end encryption enabled, which makes sure that messages can only be read by the phones that send and receive them. But the possibility of reading other people’s chats seems very exciting – so exciting that it’s being used for scams.

The apps at their best encourage people to download something that isn’t actually real. At their worst they encourage people to pay money for fake users, install malware, or actually do read your chats once they are on your phone.

You won’t be able to read anyone else’s chats, unless you actually have their phone. But the makers of spy apps might be able to read yours.

Intruders on your conversations

And this isn’t so much a hoax as a continual worry. WhatsApp is in fact a very secure platform – that’s why many of these things come as messages rather than viruses or anything else – but there are issues.

Last month, when Amnesty said that the app was the safest chat app, security experts rushed to point out that there is actually a range of security problems. Those include the fact that the company is getting increasingly trigger happy about handing data over to its users, and also that its encryption can be got around in various ways.

Drone-hacking cybersecurity boot camp launched in UK

November 3, 2016

Budding cyberspies will learn how to hack into drones and crack codes at a new cybersecurity boot camp backed by the government.
Matt Hancock, the minister for digital and culture, said students would gain the skills needed to “fight cyber-attacks” and help keep the UK safe.
The 10-week course has been “certified” by UK spy agency GCHQ.
But some security experts raised questions about the need for the course and the intent behind it.
“If I were a company, I would not hire security consultants who had been approved by GCHQ,” said Prof Ross Anderson, who leads the security group at Cambridge University’s Computer Laboratory.
“I would simply not be able to trust them. GCHQ’s goal is that no-one should be able to shield themselves from surveillance, ever,” he told the BBC.
‘Skills gap’
The Cyber Retraining Academy will be operated by cybersecurity training firm Sans Institute. It will be funded as part of the government’s £1.9bn National Cybersecurity Strategy.
Sans Institute said “leading cybersecurity employers” would be able to track students’ performance throughout the course, with a view to recruiting talented individuals.
Would-be recruits must pass a series of competency tests to be considered for the boot camp, including a multiple-choice quiz before they can even submit an application.
The successful 50 candidates will attend the academy in London in 2017, and will receive two years of training condensed into 10 weeks.
Rik Ferguson of cybersecurity firm Trend Micro said the scheme could help people learn the skills to “hit the ground running” in a security-related role, but questioned why the scheme was needed.
“Employers often complain about the ‘cybersecurity skills gap’ – a gap that I would argue doesn’t exist,” he told the BBC.
“The problem is rather that employers are not looking beyond very narrowly specified certifications or degree courses in security-related subjects.
“If advertising a cyber-retraining programme as ‘drone hacking’ is going to get individuals with the right character and curiosity applying for this course, then it can only be a good thing.
“But obviously it takes more than 10 weeks, however intense, to create a well-rounded security professional.”