Thursday, August 24, 2017

Tag: Spoof

After finding software flaw, Uber reportedly spoofed Lyft accounts to find drivers.
System doesn't encrypt commands used to set off signals, official admitted.
Several Java implementations of AMF3 are vulnerable to insecure deserialization and XML external entity references.
Apple today released new versions of iOS and macOS Sierra and addressed some overlapping code execution vulnerabilities in both its mobile and desktop operating systems. The updates were part of a bigger release of security updates from Apple that also included Safari, iCloud for Windows, and watchOS. The most critical of the bugs were a pair of kernel vulnerabilities, CVE-2017-2370 and CVE-2017-2360, which could allow a malicious application to execute code with the highest kernel privileges.

The two bugs, a buffer overflow and a use-after-free vulnerability, were reported by Google Project Zero’s Ian Beer and were patched in iOS 10.2.1 and macOS Sierra 10.12.3. A critical libarchive buffer overflow vulnerability, CVE-2016-8687, was also patched in iOS and macOS Sierra. “Unpacking a maliciously crafted archive may lead to arbitrary code execution,” Apple said.

Apple also patched 11 vulnerabilities in the iOS implementation of WebKit, a half-dozen of which lead to arbitrary code execution, while three others could be abused by attackers with crafted web content to exfiltrate data cross-origin. Many of the same WebKit vulnerabilities were also patched in Safari, which was updated to version 10.0.3. Rounding out the iOS update, Apple patched a flaw in Auto Unlock that could unlock the device when the Apple Watch is off the user’s wrist, an issue that could crash the Contacts application, and a Wi-Fi issue that could show a user’s home screen even when the device is locked.

The macOS Sierra update also patched code execution vulnerabilities in other components, including its Bluetooth implementation and Graphics Drivers (code execution with kernel privileges), Help Viewer, and the Vim text editor. The Safari update also patched a vulnerability in the address bar, CVE-2017-2359, that could be exploited by visiting a malicious website, allowing an attacker to spoof the URL.

tvOS was updated to version 10.1.1, and the same kernel, libarchive and WebKit vulnerabilities present in iOS were patched in the Apple TV OS (4th generation). The watchOS update, 3.1.3, was a sizable one as well, with patches for 33 CVEs, including 17 code execution vulnerabilities. The iCloud for Windows 6.1.1 update, for Windows 7 and later, also patched four WebKit vulnerabilities addressed in other product updates, all of which lead to arbitrary code execution.
A security researcher has unearthed evidence showing that three browser-trusted certificate authorities owned and operated by Symantec improperly issued more than 100 unvalidated transport layer security certificates.

In some cases, those certificates made it possible to spoof HTTPS-protected websites. One of the most fundamental requirements Google and other major browser developers impose on CAs is that they issue certificates only to people who verify the rightful control of an affected domain name or company name. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 credentials that violated these strict industry guidelines, according to research published Thursday by Andrew Ayer, a security researcher and founder of a CA reseller known as SSLMate.

These guidelines were put in place to ensure the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners.

The remaining 99 certificates were issued without proper validation of the company information in the certificate. Many of the improperly issued certificates—which contained the string "test" in various places in a likely indication they were created for test purposes—were revoked within an hour of being issued.
Still, the move represents a major violation by Symantec, which in 2015 fired an undisclosed number of CA employees for doing much the same thing. Even when CA-issued certificates are discovered as fraudulent and revoked, they can still be used to force browsers to verify an impostor site.

The difficulty browsers have in blacklisting revoked certificates in real-time is precisely why industry rules strictly control the issuance of such credentials.

There's no indication that the unauthorized certificates were ever used in the wild, but there's also no way to rule out that possibility, however remote it is. "Chrome doesn't [immediately] check certificate revocation, so a revoked certificate can be used in an attack just as easily as an unrevoked certificate," Ayer told Ars. "By default, other browsers fail open and accept a revoked certificate as legitimate if the attacker can successfully block the browser from contacting the revocation server." ("Fail open" is a term that means the browser automatically accepts the certificate in the event the browser can't access the revocation list.) The nine certificates issued without the domain name owners' permission affected 15 separate domains, with names including wps.itsskin.com, example.com, test.com, test1.com, test2.com, and others.

Three Symantec-owned CAs—known as Symantec Trust Network, GeoTrust Inc., and Thawte Inc.—issued the credentials on July 14, October 26, and November 15.

The other 99 certificates were issued on many dates between October 21 and January 18.
In an e-mail, a Symantec spokeswoman wrote: "Symantec has learned of a possible situation regarding certificate mis-issuance involving Symantec and other certificate authorities. We are currently gathering the facts about this situation and will provide an update once we have completed our investigation and verified information." This is the second major violation of the so-called baseline requirements over the past four months.

Those requirements were mandated by the CA/Browser Forum, an industry group made up of CAs and the developers of major browsers that trust them.
In November, Firefox recommended the blocking of China-based WoSign for 12 months after that CA was caught falsifying the issuance date of certificates to get around a prohibition against use of the weak SHA1 cryptographic hashing algorithm. Other browser makers quickly agreed. Ayer discovered the unauthorized certificates by analyzing the publicly available certificate transparency log, a project started by Google for auditing the issuance of Chrome-trusted credentials. Normally, Google requires CAs to report only the issuance of so-called extended validation certificates, which offer a higher level of trust because they verify the identity of the holder, rather than just the control of the domain.

Following Symantec's previously mentioned 2015 mishap, however, Google required Symantec to log all certificates issued by its CAs. Had Symantec not been required to report all certificates, there's a strong likelihood the violation never would have come to light.

Passwords: A long goodbye

The campaign to eliminate passwords has been ongoing, and growing, for close to a decade.

There are even some declarations that this might be the year, or at least ought to be the year, that it happens. Don’t hold your breath.

Brett McDowell, executive director of the FIDO (Fast IDentity Online) Alliance, is as passionate an advocate of eliminating passwords as anyone. He says that day is coming, given the creation of a “new generation of authentication technology” largely based on biometrics, and a “massive collaboration among hundreds of companies” to define standards for that technology. The goal of FIDO, a nonprofit created in 2012, is to supplant passwords with what it calls “an open, scalable, interoperable set of mechanisms” for secure authentication. But McDowell said last fall, and said again this past week, that passwords will “have a long tail” that is unlikely to disappear anytime soon – certainly not this year. There are a number of reasons for that, even though the security problems with passwords are well known and well documented.

As Phil Dunkelberger, CEO of Nok Nok Labs, put it, “the username and password paradigm is fundamentally broken. It was never designed for, and is inherently incapable of addressing, the use cases of modern society.”

And of course it is not just technology that has made it easier for attackers to compromise them. Users frequently make it ridiculously easy as well.

They use short, simple passwords that wouldn’t even take a machine to guess – like “admin,” “password,” “12345,” etc.

They continue to use the same user name and password for multiple sites, since they know they won’t be able to remember a couple dozen of them. The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords. And even if users do have somewhat rigorous passwords, far too many can still be tricked into giving them away through social engineering attacks.

Yet, passwords are such an embedded part of authentication systems – most popular websites still use them – that, as McDowell said, it will take considerable time for them to disappear. Or as Scott Simkin, senior group manager, threat intelligence cloud & security subscriptions at Palo Alto Networks, put it, “We have decades of legacy systems and behavior to change, and it will take years for the industry to catch up.”

Beyond that, there are at least some in the security community who say we should be careful what we wish for.

They note that cyber criminals have always found a way around every advance in security.
So while biometric credentials – fingerprints, iris scans, voice recognition etc. – are much tougher to compromise than passwords, they may not be a magic bullet.

And if attackers can find ways to steal or spoof them, those will obviously be much more difficult to change or update than a password. Indeed, there have already been multiple reports of biometric spoofing.

FireEye reported more than a year ago that fingerprint data could be stolen from Android devices made by Samsung, Huawei, and HTC because, “the fingerprint sensor on some devices is only guarded by the ‘system’ privilege instead of root, making it easier to target and quietly collect the fingerprint data of anyone who uses the sensor.” The Japan Times reported earlier this month that a team at Japan’s National Institute of Informatics (NII) found that a good digital image of people simply flashing the peace sign could result in their fingerprint data being stolen. Researchers have reported that a high-resolution image of a person’s eyes can allow an attacker to make a “contact lens” of the iris that would pass as the real thing for authentication. And there have already been demonstrations that a manipulated recording of a person’s voice can trick authentication systems.

Advocates of biometric authenticators don’t deny any of this, but say one key to their successful use is for the data from them to stay on user devices only, as is the case with Apple’s Touch ID.

As McDowell notes, one of the many problems with passwords is that they are “shared secrets” – they exist not only on users’ devices, but also have to be given to a website’s server, which then matches them with what is stored in its database. When such a server gets compromised, millions of passwords get stolen at the same time, through no fault of the user.

According to McDowell, the risk of biometric spoofing is “infinitesimal” compared to that of passwords. Since the biometric credential data never leaves the device, “the attacker must steal the phone or computer even to attempt an attack,” he said. “This doesn’t scale, and is therefore not viable for financially-motivated attackers.” James Stickland, CEO of Veridium, agreed. “You can purchase a kit from China for $10 to copy and extract a fingerprint.

This has been shown to work on fingerprint sensors from Touch ID to the device used for the Indian government, and is a problem for almost all but the most expensive sensors,” he said. “But this is a problem only when an attacker has access to the user’s device, so the time window for attack is pretty low.” Of course, not all biometrics remain only on the user device.
Some, such as the fingerprints of millions of people who work, or have worked, for government or that are taken by law enforcement, will be stored on servers. Joe Fantuzzi, CEO of RiskVision, said this might lead to the same risks that plague the healthcare industry, because of its storage of patient data. “Incorporating customer biometric information will essentially make all companies lucrative targets for attacks and ransomware,” he said. But those advocating the “death” of passwords say the other key to secure authentication is what security professionals have been preaching for years: multi-factor authentication. In other words, they are not trying to mandate that biometrics be the sole replacement for passwords.

Dunkelberger, who said the FIDO Alliance is using the authentication technology his firm created, said the core idea “isn’t to replace passwords with biometrics, but rather to replace passwords with a strong, secure signal of any kind.” McDowell agreed. He said many FIDO implementations do use biometrics for authentication, but that the specifications are “technology agnostic.” It is implementers, he said, who decide which mechanisms to support.
It could be “a local PIN code for user verification vs. biometrics if you prefer.” He said FIDO specifications “allow the use of authenticators built into a device, such as biometrics or a PIN, and/or external, second-factor authenticators, such as a token or a wearable.” The message from Stickland is similar. “The only current defense is multifactor authentication, using two or more biometrics – for example, fingerprint and face, or voice.

At the very least fingerprint plus a long, randomized PIN would be good.” He said his firm created an authentication tool that “uses a combination of hardware, secure certificates, biometrics, and other information to validate not only the biometric, but every communication between a remote device and a server, basically verifying that not only is the user valid, but the hardware the user is using is also valid.” Simkin also said multifactor authentication, “of which there are many options available today,” should be used “for all critical resources and applications.

The more time and resources you require attackers to expend, the lower the chances of a successful breach.” Stephen Stuut, CEO of Jumio, said organizations will still have to balance security with convenience, since “friction” in the process of signing on to a site may cause users simply to give up on it. “Companies should focus less on one single technology but rather on the correct combination that meets their business requirements and customer needs,” he said. “Adding too many steps to the process may increase session abandonment, especially on mobile, where attention spans are short.”

All of which suggests that passwords could, for some time, remain a part of multi-factor authentication: something you know, something you have and something you are. Zohar Alon, Co-Founder and CEO of Dome9, said he doesn’t think they will ever disappear. “They remain one of the simplest means of proving identity and gaining access,” he said. “We can design better security with multiple factors of authentication and authorization that are not correlated with each other, that cannot be compromised all at once.” But Stickland said he believes they will eventually become obsolete. “Passwords are painful. We forget them, they are stolen, it’s time consuming to reset them.

At some point, new technology will win.” This story, "Passwords: A long goodbye" was originally published by CSO.
Web injection attacks

There’s an entire class of attacks that targets browsers – so-called Man-in-the-Browser (MITB) attacks. These attacks can be implemented using various means, including malicious DLLs, rogue extensions, or more complicated malicious code injected into pages in the browser by spoofing proxy servers or other ways. The purpose of an MITB attack may vary from relatively innocuous ad spoofing on social networks or popular websites to stealing money from user accounts – the latter is what happened in the Lurk case.

Image: A malicious app masquerades as a Kaspersky Lab product in an MITB attack

Web injection is used in most cases when an MITB-class attack targets online banking. This type of web injection attack involves malicious code being injected into an online banking service webpage to intercept the one-time SMS message, harvest information about the user, spoof banking details, etc. For example, our Brazilian colleagues have long reported on barcode spoofing attacks performed when users print out Boletos – popular banking documents issued by banks and all kinds of businesses in Brazil.

Meanwhile, the prevalence of MITB attacks in Russia is decreasing – cybercriminals are opting for other methods and attack vectors to target banking clients. For the average cybercriminal, it is much easier to use readily available tools than to develop and implement web injection tools. Despite this, we’re often asked if there are any web injection attacks for Android devices. This is our attempt to investigate and give as full an answer as possible.

Web injection on Android

Despite the term ‘inject’ being used in connection with mobile banking Trojans (and sometimes used by cybercriminals to refer to their data-stealing technologies), Android malware is a whole different world. In order to achieve the same goals pursued by web injection tools on computers, the creators of mobile Trojans use two completely different technologies: overlaying other apps with a phishing window, and redirecting the user from a banking web page to a specially crafted phishing page.

Overlaying apps with phishing windows

This is the most popular technology with cybercriminals and is used in practically all banking Trojans. 2013 was when we first encountered a piece of malware overlaying other apps with its phishing window – that was Trojan-Banker.AndroidOS.Svpeng. Today’s mobile banking Trojans most often overlay the Google Play Store app with their phishing window – this is done in order to steal the user’s bank card details.

Image: The Marcher malware

Besides this, Trojans often overlay various social media and instant messaging apps and steal the passwords to them.

Image: The Acecard malware

However, mobile banking Trojans typically target financial applications, mostly banking apps. Three methods of MITB attacks for mobile OS can be singled out:

1. A special Trojan window, crafted beforehand by cybercriminals, is used to overlay another app’s window. This method was used, for example, by the Acecard family of mobile banking Trojans.

Image: Acecard phishing windows

2. Apps are overlaid with a phishing web page located on a malicious server. This way, the cybercriminals can modify its contents any time they need to. This method is used by the Marcher family of banking Trojans.

Image: Marcher phishing page

3. A template page is downloaded from a malicious server, to which the icon and the name of the attacked application are added. This is how one of the Trojan-Banker.AndroidOS.Faketoken modifications manages to attack over 2,000 financial apps.

Image: FakeToken phishing page

It should be noted that starting from Android 6, for the above attack method to work, the FakeToken Trojan has to request the privilege of displaying its window on top of other app windows. It’s not alone though: as new versions of Android gain popularity, a growing number of mobile banking Trojans are beginning to request such privileges.

Redirecting the user from the bank’s page to a phishing page

We were only able to identify the use of this technology in the Trojan-Banker.AndroidOS.Marcher family. The earliest versions of the Trojan that redirected the user to a phishing page are dated late April 2016, and the latest are from the first half of November 2016.

Redirecting the user from a bank’s webpage to a phishing page works as follows. The Trojan subscribes to modifications of the browser’s bookmarks, which include changes to the currently open page. This way the Trojan knows which webpage is currently open, and if it happens to be one of the targeted pages, the Trojan opens the corresponding phishing page in the same browser and redirects the user there. We were able to find over a hundred web pages belonging to financial organizations that were targeted by the Marcher family of Trojans. However, two points need to be raised:

All new modifications of the Marcher Trojan that we were able to detect no longer use this technology.

Those modifications that used this technology also used a method of overlaying other apps with their phishing window.

Why then was the method of redirecting the user to a phishing page used by only one family of mobile banking Trojans, and why is this technology no longer used in newer modifications of the family? There are several reasons:

In Android 6 and later versions, this technology no longer works, meaning the number of potential victims is decreasing every day. For example, around 30% of those using Kaspersky Lab’s mobile security solutions now use Android 6 or a later version.

The technology only worked on a limited number of mobile browsers.

The user can easily spot that they are being redirected to a phishing site and may also notice that the URL of the webpage has changed.

Attacks launched using root privileges

With superuser privileges, Trojans can perform any attack, including real malicious injections into browsers. Although we were unable to find a single case of this happening, the following should be noted:

Some modules of Backdoor.AndroidOS.Triada can substitute websites in certain browsers, using superuser privileges. All the attacks we found were launched with the purpose of making some money from advertising only, and did not result in the theft of banking information.

The banking Trojan Trojan-Banker.AndroidOS.Tordow, using superuser privileges, can steal passwords saved in browsers, which may include passwords to financial websites.

Conclusions

We can state that, despite all the available technical capabilities, cybercriminals that target banks do not make use of malicious web injections in mobile browsers or injections in mobile apps. Sometimes they use these technologies to spoof adverts, but even then that requires highly sophisticated malicious software. So why do cybercriminals ignore the available opportunities? Most probably it is because of the diversity of mobile browsers and apps. Malware writers would have to adapt their creations to a long list of programs, which is rather costly, while simpler and more versatile attacks involving phishing windows do not require so much effort to target a larger number of users. Nonetheless, the Triada and Tordow examples suggest that similar attacks may well take place in the future as malware creators gain more expertise.
'Panic Button' could be pressed by miscreants, repeatedly

The Rave Panic Button app, designed to allow businesses to summon emergency services, allows miscreants to easily 'swat' targets by making false reports of emergencies, says security researcher Randy Westergren. The app, which has a small install base of up to 10,000 users, has shuttered the holes Westergren identified.

The vulnerabilities allowed businesses to place a series of rapid 911 calls reporting active shooters, fires and other threats. Because it's aimed at businesses, the app also sends emergency services building plans and alerts staff to threats. Westergren says the app could therefore cause plans to be sent to unknown parties, and staff to be spooked by phantom emergencies.

Westergren found serious holes in the app that allowed external attackers to lodge false emergency call-outs, an act similar to swatting - maliciously summoning SWAT teams - if attackers were to select the app's active shooter option.

"As I reviewed the code, I began to realise the product had been designed without a fundamental concern for security — an extremely concerning issue given the nature of the app and how easily attackers could abuse it," Westergren says. "Not only were bad actors able to view and collect sensitive data about users and facilities, they would also be able to impersonate users and make requests on their behalf.

"An attacker would be able to spoof panic calls to legitimate facility locations; he could even interfere with real-life emergency panic calls."

Westergren found hardcoded plaintext authentication values that gave rise to easy spoofing attacks. Developers fixed the flaws in about six weeks, but Westergren still recommends users uninstall the app, citing suspicions that the software could have similar security shortfalls.

"... it remains highly concerning that the software was released in this condition at all," the hacker says. "Since it’s probable that other components of the system have been designed with similarly insufficient security measures, I would recommend customers of Rave’s Panic Button immediately suspend its use."

Tony Evans from Wick Hill (part of the Nuvias Group) highlights the risks of Wi-Fi and provides some advice for delivering a secure hotspot

The fact that Wi-Fi stands for Wireless Fidelity hints at how long Wi-Fi has been around, but it was only in 1999 that the Wi-Fi Alliance formed as a trade association to hold the Wi-Fi trademark, under which most products are sold.

Today, Wi-Fi is on the top of the list of must-haves for businesses of all types and sizes. People will simply vote with their feet if good and, usually free, Wi-Fi is not available.

But this demand for anytime, anyplace connectivity can mean that some of us are prepared to jump onto Wi-Fi hotspots at cafés, hotels, airports or company guest networks, with only a fleeting consideration of security – a fact that has not gone unnoticed by cyber criminals.

There are over 300,000 videos on YouTube alone explaining how to hack Wi-Fi users with tools easily found online.

Risks from unprotected Wi-Fi:

Wi-Fi Password Cracking
Wireless access points that still use older security protocols such as WEP make for easy targets, because these passwords are notoriously easy to crack. Hotspots that invite us to log in by simply using social network credentials are increasingly popular, as they allow businesses to use demographic information such as age, gender and occupation to target personalised content and advertisements.

Eavesdropping
Without encryption, Wi-Fi users run the risk of having their private communications intercepted, or packet sniffed, by cyber snoops while on an unprotected network.

Rogue Hotspots
Cyber criminals can set up a spoof access point near your hotspot with a matching SSID that invites unsuspecting customers to log in, leaving them susceptible to unnoticed malicious code injection.
In fact, it is possible to mimic a hotspot using cheap, portable hardware that fits into a backpack or could even be attached to a drone.

Planting Malware
There are common hacking toolkits to scan a Wi-Fi network for vulnerabilities, and customers who join an insecure wireless network may unwittingly walk away with unwanted malware.

A common tactic used by hackers is to plant a backdoor on the network, which allows them to return at a later date to steal sensitive information.

Data Theft
Joining an insecure wireless network puts users at risk of losing documents that may contain sensitive information.
In retail environments, for example, attackers focus their efforts on extracting payment details such as credit card numbers, customer identities and mailing addresses.

Inappropriate and Illegal Usage
Businesses offering guest Wi-Fi risk playing host to a wide variety of illegal and potentially harmful communications.

Adult or extremist content can be offensive to neighbouring users, and illegal downloads of protected media leave the businesses susceptible to copyright infringement lawsuits.

Bad Neighbours
As the number of wireless users on the network grows, so does the risk of a pre-infected client entering the network. Mobile attacks, such as Android’s Stagefright, can spread from guest to guest, even if the initial victim is oblivious to the threat.

Best practices
There are established best practices to help secure your Wi-Fi network, alongside a drive, from companies such as WatchGuard, to extend well-proven physical network safeguards to the area of wireless, providing better network visibility to avoid blind spots.

Implementing the latest WPA2 Enterprise (802.1X) security protocol and encryption is a must, while all traffic should, at a minimum, be inspected for viruses and malware, including zero-day threats and advanced persistent threats.

Application ID and control will monitor and optionally block certain risky traffic, while web content filtering will prevent unsuspecting users from accidentally clicking a hyperlink that invites exploitation, malware and backdoors to be loaded into your network.

The use of strong passwords, which are changed frequently, should be encouraged, along with regular scanning for rogue Access Points (APs) and whitelisting MAC addresses, when possible.

WatchGuard’s latest cloud-managed wireless access points also have built-in WIPS (Wireless Intrusion Prevention System) technology to defend against unauthorised devices, rogue APs and malicious attacks, with close to zero false positives.

While WIDS (Wireless Intrusion Detection Systems) are common in many Wi-Fi solutions, WIDS require manual intervention to respond to potential threats.

This may be OK for large organisations with IT teams that can manage this; however, WIPS is a fully automated system, which makes it far more attractive to SMEs and organisations such as schools and colleges.

Using patented, Marker Packet wireless detection technology, WatchGuard WIPS differentiates between nearby external access points and rogue access points.
If a rogue access point is detected, all incoming connections to that access point are instantly blocked. WIPS also keeps a record of all clients connecting to the authorised access points, so if a known device attempts to connect to a malicious access point, the connection is instantly blocked. WIPS will also shut down denial-of-service attacks by continuously looking for abnormally high amounts of de-authentication packets.

Wi-Fi as a marketing tool
While Wi-Fi networks have traditionally been viewed as part of the IT infrastructure and the responsibility of the IT department, the latest Wi-Fi systems deliver more than just connectivity, which makes them an attractive proposition for customer services and marketing departments.

For example, the WatchGuard Wi-Fi Cloud provides visibility into marketing data, including insights into footfall and customer demographics and also makes it possible to have direct communication with individual customers in the form of SMS, MMS or social networks.

And with customised splash pages, businesses can personalise the customer Wi-Fi experiences by offering promotional opportunities or surveys and promoting all-important branding.

It is clear that Wi-Fi is here to stay and is becoming much more than simply a way to get online. While the rapid speed of Wi-Fi adoption has led to a disconnect between physical and wireless security, this is now changing and there is no longer any excuse for providing insecure Wi-Fi.

ENDS

About Wick Hill
Established in 1976, value added distributor Wick Hill specialises in secure IP infrastructure solutions.

The company sources and delivers best-of-breed, easy-to-use solutions through its channel partners, with a portfolio that covers security, performance, access, networking, convergence, storage and hosted solutions.

Wick Hill is particularly focused on providing a wide range of value-added support for its channel partners.

This includes strong lead generation and conversion, technical and consultancy support, and comprehensive training. Wick Hill has its headquarters in the UK and offices in Germany and Austria. Wick Hill also offers services to channel partners in fourteen EMEA countries and worldwide, through its association with Zycko, as part of Nuvias Group, the pan-EMEA, high value distribution business, which is redefining international, specialist distribution in IT.

For further press information, please contact Annabelle Brown on 01326 318212, email pr@wickhill.com Wick Hill https://www.wickhill.com

In-flight entertainment systems create hacker risk, say researchers
Vulnerabilities in Panasonic in-flight entertainment systems create a possible mechanism for attackers to control in-flight displays, PA systems and lighting, say researchers. Ruben Santamarta, principal security consultant at IOActive, said the firm had found vulnerabilities in Panasonic Avionics In-Flight Entertainment (IFE) systems that it claims could allow hackers to "hijack" passengers’ in-flight displays and, in some instances, potentially access their credit card information.

The research revealed it would also theoretically be possible that such a vulnerability could present an entry point to the wider network, including the aircraft controls domain. “I’ve been afraid of flying for as long as I can remember,” said Santamarta. “It might sound like a sick cure to some but, as a hacker, learning everything I could about how planes work, from the aerodynamics to electronics, has reduced the fear significantly. On a 2014 flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic inflight display.

A subsequent internet search allowed me to discover hundreds of publicly available firmware updates for multiple major airlines, which was quite alarming. Upon analysing backend source code for these airlines and reverse engineering the main binary, I’ve found several interesting functionalities and exploits.” IFE system vulnerabilities identified by Santamarta might most straightforwardly be exploited to gain control of what passengers see and hear from their in-flight screen, he claimed.

For example, an attacker might spoof flight information values such as altitude or speed, or show a bogus route on the interactive map.

An attacker might also compromise the "CrewApp" unit, which controls PA systems, lighting, or even the recliners on first class seating.
If all of these attacks are applied at the same time, a malicious actor may create a baffling and disconcerting situation for passengers.

Furthermore, the capture of personal information, including credit card details, is also technically possible because backend systems sometimes provide access to specific airlines’ frequent-flyer/VIP membership data, said the researcher.

An aircraft's data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger-owned devices, airline information services, and finally aircraft control.

Avionics is usually located in the Aircraft Control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen.

This means that as long as there is a physical path that connects both domains, there is potential for attack.

The specific devices, software and configuration deployed on the target aircraft would dictate whether an attack is possible or not.
Santamarta urged airlines to steer towards a cautious course. “I don’t believe these systems can resist solid attacks from skilled malicious actors,” he said. “As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft's security posture is carefully analysed case by case.” IOActive reported these findings to Panasonic Avionics in March 2015.
It only went public this week after giving the firm “enough time to produce and deploy patches, at least for the most prominent vulnerabilities”. Panasonic Avionics’ technology is used by several major airlines including Virgin, American and Emirates. El Reg asked Panasonic Avionics to comment on IOActive's research but we’ve yet to hear back. We’ll update this story as and when we learn more.

The avionics research has some parallels with IOActive’s remote hack of the Jeep Cherokee in 2014, in which hackers took control of the vehicle’s dashboard functions, including steering, brakes, and transmission, through vulnerabilities in the automobile’s entertainment system. Once again, it appears entertainment systems have created a potential route into sensitive systems that hackers might be able to exploit.

Stephen Gates, chief research intelligence analyst at NSFOCUS, commented: “In the light of this research, physical separation between in-flight entertainment systems and aircraft control systems could never be more important.

As airlines continue to add new customer-based entertainment and information technologies, airlines need to ensure that an impenetrable barrier is in place protecting aircraft control systems. “This research demonstrates that hackers could cause all sorts of issues that could impact a customer’s 'experience' while flying, but have yet to prove they could impact flight control systems,” he added.
Consumers are shopping online more than ever before. The holiday season has e-commerce marketing and sales teams working overtime to churn out attractive holiday campaigns. With the holidays comes a flurry of fraudulent transactions, with fraudsters lurking in the dark ready to spoil the spirit of the season.

As sales increase, so will the total dollar amount of fraud transactions. "Retailers need to constantly improve their level of fraud prevention by incorporating consumer purchasing behavior analytics and originating IP addresses for online orders.

This should help minimize a spike in online orders," said Max Silber, Director of Mobility at MetTel, a B2B communications and IT firm in New York.

Know thy past
According to Riskified, an enterprise e-commerce fraud prevention provider, retailers see a 100% rise in the number of purchases made using international credit cards; it therefore advises merchants to scour past data to understand and separate successful orders and transactions from fraudulent ones. "Most merchants are likely to discover that they've been overly risk averse during the holidays. Our analysts have determined that top holiday sales days are actually far safer than average shopping days, and that any given order placed during the holidays is 55% less likely to be fraudulent. Partially because merchants were unaware of this, 4 out of 5 orders rejected during last year's holidays were, in fact, legitimate," wrote Riskified's Ephraim Rinsky in a blog post.

Rinsky writes that it is crucial for e-commerce merchants to understand the differences between customer profiles in order to anticipate future behavior. "The fraud rate among returning customers is about half that of new customers: 1.4% compared to 2.6%.

This means that returning customers should be treated very differently than new ones.

This distinction is especially critical during the holidays, when order volume is so much greater."

As e-commerce platforms keep accumulating consumer data, these businesses become even more valuable targets to cyber-criminals looking for economic gain. "In addition to hacking into companies' customer databases, cyber-criminals can also spoof companies' identities to trick customers into divulging their personal information by sending emails with misleading subject lines such as 'Click to track your transaction'," said Gus Anagnos, VP, Global Alliances at crowdsourced cybersecurity firm Synack.

The problem with same-day delivery
The interesting point is that fraud isn't only about the increase in the sheer volume of transactions, but also about improvements in logistics. Many retailers, notably Amazon, are offering same-day delivery services, which opens up another front in the fight against fraud. "The increasing demand for same-day delivery will raise the bar for fraud detection service providers.

The faster the turnaround from order to shipment, the more sophisticated the tool to give a go/no-go assessment for each transaction.
It will be increasingly difficult for brands of any size to manually handle fraud detection on their own," said Thom O'Leary from Fixergroup. Same-day delivery shrinks the time between the transaction and your purchase showing up at your door.

This means consumers have less time to take notice of the problem and then contact the merchant or their bank regarding the fraudulent transaction.

This is important because after the item ships, there is little to be done to recover it.

To complicate matters, most consumers contact their bank first, which adds lead time to how long it takes the merchant to be notified of the issue; on occasion this can take weeks. "There are solutions that can help mitigate this by analyzing the order information, such as the billing address, shipping address, and IP address of the purchaser, to determine if there is a higher risk for fraud,
in which case you can choose to hold the shipment until the transaction can be verified," said ExpandLab's Eddie Spradley. With holiday season shopping in full swing, it's clear that e-commerce merchants need to do a better job of tracking past data to understand future customer behavior and the consequent threats.

This understanding becomes even more important with new and improved methods of delivery, such as same-day delivery, which poses a whole new dilemma for merchants. This article is published as part of the IDG Contributor Network.
McAfee VirusScan for Linux contains multiple vulnerabilities.