Stingray Use In Baltimore

Stingrays are devices that act like cell towers and are used to intercept phone and text signals. They cost about $400,000 and are useful in helping to solve serious crimes. This article focuses on the use of stingrays in Baltimore. Previously, the FBI forced users of this device to sign a non-disclosure agreement, meaning that if police officers used it, they could not talk about its use. However, recently the FBI has stated that the police can talk about its use; this is a big deal because now all the cases in which stingrays are used are being published. Additionally, it has now come to light that stingrays are being used in petty crime cases such as theft. While stingrays help facilitate the process of catching someone who has committed such a crime, they also interfere with innocent bystanders’ phones. Because of this, some believe that their use is a violation of their rights. The devices do not discriminate when it comes to collecting information, so innocent people are concerned for theirs. Some senators are also targeting stingrays by trying to pass a bill that would require warrants before their use. So far, stingrays have been used in over 4,300 cases in Baltimore alone. What does that mean for the rest of the country?

The problem that most people are concerned with is that the stingrays collect information on people who are innocent as well as guilty. This means that everyone who is connected to the stingray will have their information potentially read or used by the police. This is a huge security problem because there are no defenses for us against it currently, nor are there laws to protect the citizens. In my opinion, the policies behind the use of stingrays need reform because right now, people who are directly involved are in danger of having their valuable information exposed.

Thomas, Coburn

Stingray: http://goo.gl/rPQTPB

Article: https://ritcyberselfdefense.wordpress.com/wp-admin/

 

Chip and Pin Bank Cards

US banks are finally rolling out a new and more secure type of debit and credit card technology that should strengthen their security. Currently, cards use a magnetic strip that holds the card number and expiration date. This provides very little security, since the card number is transmitted over the point of sale device and the magnetic strip makes it easy to clone a credit card with stolen information. EMV “smart cards” (a joint effort of Europay, MasterCard, and Visa) have a built-in chip that replaces the functionality of the magnetic strip. However, the chip provides much more security because every time it is used, it generates a one-time transaction code that is cryptographically signed and transmitted. This means that if thieves are able to skim a point of sale terminal or hack into a retailer’s network, the codes they steal are worthless. This could have prevented much of the damage caused by breaches like Target, where millions of card numbers were stolen.
These EMV cards are not exactly new technology, since they have been available since the early 2000’s and most of the rest of the world has already adopted them as the gold standard. The rollout in the US has been very slow because of the great costs of issuing new cards and upgrading point of sale terminals at retail locations. However, with the rise in identity theft and credit card fraud at an all-time high, the credit card companies are pushing for the new, more secure technology. They are forcing the retailers to transition to the EMV chip and PIN terminals by setting a deadline of October 1st, 2015. After that, any company that accepts credit and debit card payments but doesn’t have chip and PIN readers in place could face increased liability and fines for fraudulent transactions incurred if card data is stolen from them.
Author: Charles Leavitt

Source: http://www.wired.com/2015/04/hacker-lexicon-chip-pin-cards/
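
The one-time transaction code described in the chip card post above can be modelled in a few lines. This is an added example, not code from the post or from the EMV specification: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the class names, message layout and card number are assumptions made for illustration.

```python
import hashlib
import hmac

PAN = "4111111111111111"  # constructed test card number, not a real account

def transaction_bytes(pan, amount_cents, nonce, atc):
    # Canonical encoding of the fields covered by the signed code.
    return "|".join([pan, str(amount_cents), nonce.hex(), str(atc)]).encode()

class ChipCard:
    """Card side: a secret key plus a transaction counter that only goes up."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def authorize(self, amount_cents, terminal_nonce):
        self.atc += 1  # a new counter value makes every code unique
        msg = transaction_bytes(self.pan, amount_cents, terminal_nonce, self.atc)
        code = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_cents,
                "nonce": terminal_nonce, "atc": self.atc, "code": code}

class Issuer:
    """Bank side: shares the card key and remembers the last counter seen."""
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan, key):
        self._keys[pan], self._last_atc[pan] = key, 0

    def verify(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "unknown card"
        msg = transaction_bytes(txn["pan"], txn["amount"], txn["nonce"], txn["atc"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, txn["code"]):
            return "bad code"          # fields were altered or the key is wrong
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "replayed counter"  # a captured code is being reused
        self._last_atc[txn["pan"]] = txn["atc"]
        return "approved"

def demo():
    key = bytes(range(32))  # constructed key for the example
    issuer = Issuer()
    issuer.enroll(PAN, key)
    card = ChipCard(PAN, key)
    first = card.authorize(2599, b"\x01\x02\x03\x04")
    results = [issuer.verify(first)]
    results.append(issuer.verify(dict(first)))  # same message sent again
    altered = dict(first, amount=99999, atc=first["atc"] + 1)
    results.append(issuer.verify(altered))      # captured code on new fields
    results.append(issuer.verify(card.authorize(500, b"\x05\x06\x07\x08")))
    return results
```

A magnetic strip has no counter and no key, so the same static data is sent on every swipe and the issuer has nothing comparable to check.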

Apple Releases ‘Rootpipe’ Patch

Apple released a software patch this past week to address a security hole created by a hidden backdoor API known as Rootpipe. Rootpipe was discovered in October of 2014. It leaves a vulnerability in OS X that has existed since at least release 10.7. The API can be exploited to gain root privileges.

A patch has been released this past week to address the issue. Latest updates to the OS X operating system will include this patch. However, Apple will not be releasing a patch for any system running below version 10.10. Of three billion internet users, NetMarketShare data shows that around 3.1 percent are using Mac OS versions with the vulnerability (10.7/8/9) that will not be patched. Forbes estimates that, conservatively, this will mean that two percent of three billion internet users will remain vulnerable to the exploit, around sixty million computers.

Although the vulnerability was discovered last October it has been part of Mac OS X since 2011 when version 10.7 was originally released. Mac users should update their software as soon as possible to patch this as well as around eighty other security issues.

Jacob R Hooker

Edit: An earlier version of this article misstated the world’s estimated three billion internet users as Mac users and has been updated to correct the error.

Source:

http://www.forbes.com/sites/thomasbrewster/2015/04/09/apple-leaves-rootpipe-backdoors-in-3-per-cent-of-all-pcs-on-the-planet/?ss=Security

http://www.securityweek.com/apple-finally-patches-%E2%80%9Crootpipe%E2%80%9D-privilege-escalation-flaw-os-x

 

The Importance of a Strong Password

Passwords are important to prevent unauthorized access. In some cases, a strong password might not be thought necessary due to other security measures. Many iPhones are protected with a 4 digit pin, which is trivial to crack via brute force means. For security, iPhones are set to wipe all data on the phone after too many passcode mistakes are made. However, there’s a new attack that doesn’t allow the iPhone to keep track of passcodes attempted, making a short 4 digit pin much more dangerous.

Using a simple black box, a device that sends passcodes and keeps track of failed combinations, brute forcing an iPhone suddenly became viable. By wiring the device into the iPhone’s battery, the device can cut power to the iPhone before it can be recorded that a bad passcode was attempted. After a reboot, the phone has no idea that someone tried a bad passcode, allowing for every combination to be tried.

Black Box being used to crack an iPhone passcode

The device in action

With the time it takes to reboot (~40 seconds), it would take upwards of 5 days to crack a 4 digit pin with 10,000 combinations. The issue is known and likely has been patched in iOS 8.2 (the vulnerability being in iOS 8.1). While the problem is easily fixed at the software level, the problem can also be easily avoided with a stronger password. The reason this brute force works is because of the 4 digit pin; having a character password or even a longer pin would make a brute force less viable. Even at the expense of convenience, a strong password is vital for protecting your information, as other means of security may not always be as secure as you think.

Sources:

The researchers who discovered and tested the device – http://blog.mdsec.co.uk/2015/03/bruteforcing-ios-screenlock.html

Sophos blog with more details on the device and pin security – https://nakedsecurity.sophos.com/2015/03/17/black-box-brouhaha-breaks-out-over-brute-forcing-of-iphone-pin-lock/

One retailer with the device in question – http://www.teeltech.com/mobile-device-forensic-tools/ip-box-iphone-password-unlock-tool/

More about the device:

The actual device works via a USB connection to the iPhone and a separate connection to the battery. It sends virtual input to the iPhone and measures the iPhone’s screen brightness for certain levels of intensity, so that it is known if a pin was good, cutting power if it wasn’t. It’s called an “IP Box”, and isn’t hard to get online, though it isn’t easy finding the original developer for this specific device. Devices like this that hook into phones for virtual input are not a new concept, so the same kind of exploit is theoretically possible for other types of phones (e.g. Android). However, it’s unknown whether this specific exploit to brute force without data being wiped is also on other phone platforms.

 

-Maximillian McMullen

Hackers Use an Android App for Sex Extortion

Trend Micro, a cybersecurity firm based in Texas, has discovered an Android app that hackers are using to extort victims.

The app would essentially turn a victim’s device into a recorder, and intercept all messages and phone calls that went through. First, the hackers would attempt to lure their victims through the use of chatting tools like Skype. They would then fake audio and messaging issues to try and fool a potential victim into downloading a malicious Android app, which has the ability to steal phone numbers, as well as passwords and address books.


Many of the hackers have used the stolen information in an attempt to extort and blackmail victims. Trend Micro traced the email, social media, and bank accounts of the Android app developers to China, and discovered that multiple bank accounts were opened for several extortion campaigns. It is believed that hackers are mostly preying on victims in China and Korea.


Benny Tan


Sources:

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-sextortion-in-the-far-east.pdf

http://bits.blogs.nytimes.com/2015/03/24/hackers-use-an-android-app-for-sex-extortion/?_r=0

http://timesofindia.indiatimes.com/tech/tech-news/Hackers-use-an-Android-app-for-sex-extortion/articleshow/46681750.cms